test(ai-chat): cover crypto/SSRF/assistant-parts; a11y + refactors

Closes the ai-chat code-review follow-ups. Tests (security-critical paths previously uncovered): - secret-box.spec: AES-256-GCM round-trip, random-salt uniqueness, tampered blob / wrong APP_SECRET throw the expected message. - ssrf-guard.spec: isIpAllowed blocks loopback/link-local/private/CGNAT/ULA/ unspecified/IPv4-mapped, allows public; isUrlAllowed blocks bad scheme, invalid URL, IP literals, and DNS-rebinding (mocked dns.lookup). - ai-chat.service.spec: assistantParts emits output-error for an UNPAIRED tool call (guards the MissingToolResultsError fix), output-available when paired, skips malformed calls; serializeSteps/rowToUiMessage. - ai-chat-tools.service.spec: JSON-string node/content coercion + invalid-JSON throws; updatePageJson title-only vs object. - page-embedding.repo.spec: empty spaceIds early-returns [] with no DB call. a11y: - Chat history toggle and conversation rows are now keyboard-operable (role=button, tabIndex, Enter/Space), matching history-item.tsx. Refactors: - onError on useChat adopts the server chat id when the first turn errors (AI SDK v6 onFinish doesn't fire on error). - isToolPart exported once from tool-parts and shared (was duplicated). - buildInitialValues() dedups the ai-mcp-server-form initial values. - describeProviderError replaces two inline statusCode/message snippets. - tool-parts stale tool-list comment refreshed. Implements docs/backlog/ai-chat-review-followups.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 05:51:52 +03:00
parent c8af637654
commit e2d180ab0b
14 changed files with 595 additions and 50 deletions
--- a/apps/client/src/features/ai-chat/components/ai-chat-window.tsx
+++ b/apps/client/src/features/ai-chat/components/ai-chat-window.tsx
@@ -400,7 +400,16 @@ export default function AiChatWindow() {
          >
            <div
              className={classes.historyHeader}
+              role="button"
+              tabIndex={0}
+              aria-expanded={historyOpen}
              onClick={() => setHistoryOpen((o) => !o)}
+              onKeyDown={(event) => {
+                if (event.key === "Enter" || event.key === " ") {
+                  event.preventDefault();
+                  setHistoryOpen((o) => !o);
+                }
+              }}
            >
              <IconChevronDown
                size={12}
--- a/apps/client/src/features/ai-chat/components/chat-thread.tsx
+++ b/apps/client/src/features/ai-chat/components/chat-thread.tsx
@@ -134,6 +134,13 @@ export default function ChatThread({
    messages: initialMessages,
    transport,
    onFinish: () => onTurnFinished(),
+    // In AI SDK v6 `onFinish` does NOT fire when the stream errors, so a brand
+    // new chat that fails on its first turn would never invalidate the chat list
+    // nor adopt the server-created chat id (the server still creates the row and
+    // saves the error message). Run the same post-turn path on error so the
+    // failed chat appears in history immediately instead of after a manual
+    // refresh. The error itself is still surfaced via `error` below.
+    onError: () => onTurnFinished(),
  });

  const isStreaming = status === "submitted" || status === "streaming";
--- a/apps/client/src/features/ai-chat/components/conversation-list.tsx
+++ b/apps/client/src/features/ai-chat/components/conversation-list.tsx
@@ -115,7 +115,17 @@ export default function ConversationList({
              classes.conversationItem,
              isActive && classes.conversationItemActive,
            )}
+            role="button"
+            tabIndex={0}
            onClick={() => onSelect(chat.id)}
+            onKeyDown={(e) => {
+              // Activate on Enter/Space like a native button; the inner menu
+              // button stops propagation so its own keys never reach this row.
+              if (e.key === "Enter" || e.key === " ") {
+                e.preventDefault();
+                onSelect(chat.id);
+              }
+            }}
          >
            <Text size="sm" lineClamp={1} style={{ flex: 1 }}>
              {chat.title || t("Untitled chat")}
--- a/apps/client/src/features/ai-chat/components/message-item.tsx
+++ b/apps/client/src/features/ai-chat/components/message-item.tsx
@@ -3,7 +3,7 @@ import { IconAlertTriangle } from "@tabler/icons-react";
 import { useTranslation } from "react-i18next";
 import type { UIMessage } from "@ai-sdk/react";
 import ToolCallCard from "@/features/ai-chat/components/tool-call-card.tsx";
-import { ToolUiPart } from "@/features/ai-chat/utils/tool-parts.tsx";
+import { ToolUiPart, isToolPart } from "@/features/ai-chat/utils/tool-parts.tsx";
 import { renderChatMarkdown } from "@/features/ai-chat/utils/markdown.ts";
 import { describeChatError } from "@/features/ai-chat/utils/error-message.ts";
 import classes from "@/features/ai-chat/components/ai-chat.module.css";
@@ -12,11 +12,6 @@ interface MessageItemProps {
  message: UIMessage;
 }

-/** True for AI SDK tool parts (static `tool-*` or `dynamic-tool`). */
-function isToolPart(type: string): boolean {
-  return type.startsWith("tool-") || type === "dynamic-tool";
-}
-
 /**
 * Render a single UIMessage by iterating its `parts`:
 *  - `text` parts -> sanitized markdown.
--- a/apps/client/src/features/ai-chat/components/message-list.tsx
+++ b/apps/client/src/features/ai-chat/components/message-list.tsx
@@ -4,6 +4,7 @@ import { useTranslation } from "react-i18next";
 import type { UIMessage } from "@ai-sdk/react";
 import MessageItem from "@/features/ai-chat/components/message-item.tsx";
 import TypingIndicator from "@/features/ai-chat/components/typing-indicator.tsx";
+import { isToolPart } from "@/features/ai-chat/utils/tool-parts.tsx";
 import classes from "@/features/ai-chat/components/ai-chat.module.css";

 interface MessageListProps {
@@ -11,11 +12,6 @@ interface MessageListProps {
  isStreaming: boolean;
 }

-/** True for AI SDK tool parts (static `tool-*` or `dynamic-tool`). */
-function isToolPart(type: string): boolean {
-  return type.startsWith("tool-") || type === "dynamic-tool";
-}
-
 // Distance (px) from the bottom within which the viewport still counts as
 // "pinned" — absorbs sub-pixel rounding and small content jitter.
 const BOTTOM_THRESHOLD = 40;
--- a/apps/client/src/features/ai-chat/utils/tool-parts.tsx
+++ b/apps/client/src/features/ai-chat/utils/tool-parts.tsx
@@ -5,9 +5,11 @@
 *
 * A tool part's `type` is `tool-${toolName}` (AI SDK v6 static tool parts) and
 * its `state` is one of input-streaming / input-available / output-available /
- * output-error (we only surface running / done / error). The server tools are:
- * searchPages, getPage, createPage, updatePageContent, renamePage, movePage,
- * deletePage, createComment, resolveComment — see ai-chat-tools.service.ts.
+ * output-error (we only surface running / done / error). The full toolset the
+ * server exposes lives in `ai-chat-tools.service.ts` (the agent now exposes the
+ * complete Docmost toolset); friendly action-log labels exist ONLY for the
+ * tools listed in `toolLabelKey` below — every other tool falls through to the
+ * generic "Ran tool {{name}}" label.
 */

 /** A tool UI part as it arrives from `useChat` / persisted history. */
@@ -38,6 +40,11 @@ export interface ToolCitation {
  href: string;
 }

+/** True for AI SDK tool parts (static `tool-*` or `dynamic-tool`). */
+export function isToolPart(type: string): boolean {
+  return type.startsWith("tool-") || type === "dynamic-tool";
+}
+
 /** Extract the tool name from a part `type` of `tool-${name}` (or dynamic). */
 export function getToolName(part: ToolUiPart): string {
  if (part.type === "dynamic-tool") return part.toolName ?? "";
--- a/apps/client/src/features/workspace/components/settings/components/ai-mcp-server-form.tsx
+++ b/apps/client/src/features/workspace/components/settings/components/ai-mcp-server-form.tsx
@@ -47,6 +47,21 @@ interface AiMcpServerFormProps {
  onClose: () => void;
 }

+// Build the form's field values from a (possibly undefined) server. Used both
+// for the initial mount and for re-hydration when the modal is reused for a
+// different server, so the two stay in sync. authHeader is always empty: it is
+// a write-only secret buffer never echoed back from the server.
+function buildInitialValues(server?: IAiMcpServer): FormValues {
+  return {
+    name: server?.name ?? "",
+    transport: server?.transport ?? "http",
+    url: server?.url ?? "",
+    authHeader: "",
+    toolAllowlist: server?.toolAllowlist ?? [],
+    enabled: server?.enabled ?? true,
+  };
+}
+
 // Tavily preset (§8.10): the API key goes in the Authorization HEADER, not the URL.
 const TAVILY_PRESET = {
  name: "Tavily",
@@ -72,26 +87,12 @@ export default function AiMcpServerForm({

  const form = useForm<FormValues>({
    validate: zod4Resolver(formSchema),
-    initialValues: {
-      name: server?.name ?? "",
-      transport: server?.transport ?? "http",
-      url: server?.url ?? "",
-      authHeader: "",
-      toolAllowlist: server?.toolAllowlist ?? [],
-      enabled: server?.enabled ?? true,
-    },
+    initialValues: buildInitialValues(server),
  });

  // Re-hydrate when the target server changes (e.g. reusing the modal).
  useEffect(() => {
-    form.setValues({
-      name: server?.name ?? "",
-      transport: server?.transport ?? "http",
-      url: server?.url ?? "",
-      authHeader: "",
-      toolAllowlist: server?.toolAllowlist ?? [],
-      enabled: server?.enabled ?? true,
-    });
+    form.setValues(buildInitialValues(server));
    form.resetDirty();
    setHasHeaders(server?.hasHeaders ?? false);
    setHeadersCleared(false);