Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| db9f29c16b |
@@ -72,10 +72,7 @@ git log -1 --format='Author: %an <%ae>%nCommitter: %cn <%ce>'
|
||||
|
||||
### 4. Push and PR to develop
|
||||
|
||||
PRs always target `develop`. Two different mechanisms are involved: **pushing
|
||||
commits is git-native** (the Gitea MCP cannot push local git history, so the
|
||||
branch is still pushed with `git push`), while **the PR itself is opened through
|
||||
the Gitea MCP** (see below). The `claude_code` password lives in the macOS
|
||||
PRs always target `develop`. The `claude_code` password lives in the macOS
|
||||
keychain as a **generic password** under service `gitea-claude-code` (do not
|
||||
duplicate it as an internet-password for `gitea.vvzvlad.xyz` — that creates a
|
||||
conflict with the owner's account in the git credential helper):
|
||||
@@ -97,24 +94,18 @@ git remote set-url gitea "$ORIG_URL"
|
||||
unset AGENT_PASS SAFE_PASS
|
||||
```
|
||||
|
||||
The PR is opened through the **Gitea MCP** (server `gitea`), not `curl`/`tea` —
|
||||
the MCP authenticates in-process, so no keychain lookup or Basic-Auth is needed.
|
||||
Call `pull_request_write` with:
|
||||
The PR is created via the Gitea REST API (Basic Auth as `claude_code`):
|
||||
|
||||
- `method: "create"`
|
||||
- `owner: "vvzvlad"`, `repo: "gitmost"`
|
||||
- `base: "develop"`, `head: "<branch>"`
|
||||
- `title`, `body` — in the body: what was done, what is out of scope,
|
||||
verification results (tsc/lint/tests).
|
||||
```bash
|
||||
curl -s -X POST \
|
||||
-u "claude_code:$(security find-generic-password -s gitea-claude-code -w)" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d @pr_body.json \
|
||||
"https://gitea.vvzvlad.xyz/api/v1/repos/vvzvlad/gitmost/pulls"
|
||||
```
|
||||
|
||||
Manage and read PRs through the same server: `list_pull_requests`,
|
||||
`pull_request_read` (`get`, `get_diff`, `get_files`, `get_status`),
|
||||
`pull_request_review_write`.
|
||||
|
||||
**Identity note:** the MCP acts under its **own** configured Gitea token (verify
|
||||
with `get_me`), a different account from the `claude_code` used for git
|
||||
commits/pushes in §3. Only the forge API calls (PR / issue / review) go through
|
||||
the MCP account; the commits themselves stay authored as `claude_code`.
|
||||
`base: develop`, `head: <branch>`. In the PR body: what was done, what is out
|
||||
of scope, verification results (tsc/lint/tests).
|
||||
|
||||
> If push fails with `User permission denied for writing`, then `claude_code`
|
||||
> lacks collaborator rights on the repo. Ask the owner to add them (once, via
|
||||
@@ -161,25 +152,23 @@ below.
|
||||
| Agent user (Gitea/git) | `claude_code` |
|
||||
| Agent email | `claude_code@vvzvlad.xyz` |
|
||||
| Keychain password | `security find-generic-password -s gitea-claude-code -w` |
|
||||
| Forge API (PR / issue / review / reads) | **Gitea MCP** — server `gitea` (`pull_request_write`, `issue_write`, `list_pull_requests`, `pull_request_read`, `label_read`, …). Authenticated in-process; acts under its own token — check with `get_me`. Repo slug on the server is `gitmost`. |
|
||||
| PR API | `https://gitea.vvzvlad.xyz/api/v1/repos/vvzvlad/gitmost/pulls` (here `gitmost` is the repo's real slug on the server) |
|
||||
| Base branch | `develop` |
|
||||
| `origin` | GitHub mirror `vvzvlad/gitmost` — **do not push**, updated by the owner's CI |
|
||||
| `upstream` | The original Docmost — **never push** |
|
||||
|
||||
## Creating issues (Gitea MCP)
|
||||
## Creating issues (Gitea `tea` CLI)
|
||||
|
||||
File issues through the **Gitea MCP** (server `gitea`), not a CLI — call
|
||||
`issue_write` with:
|
||||
Issues are filed with the official Gitea CLI `tea`, already logged in as
|
||||
`claude_code` (`tea logins list` shows the `gitea` login as default):
|
||||
|
||||
- `method: "create"`
|
||||
- `owner: "vvzvlad"`, `repo: "gitmost"`
|
||||
- `title`, `body`
|
||||
- `labels` — an array of label **IDs** (numbers), *not* names. Resolve a name
|
||||
such as `feature` to its id first with `label_read` (`method: "list"`), then
|
||||
pass e.g. `labels: [<id>]`.
|
||||
```bash
|
||||
tea issues create --repo vvzvlad/gitmost --labels feature \
|
||||
--title '<title>' --description "$(cat body.md)"
|
||||
```
|
||||
|
||||
Read issues with `list_issues`, `issue_read`, or `search_issues`. The MCP is
|
||||
authenticated in-process, so no `tea`/`curl` and no keychain lookup are needed.
|
||||
> Gotcha (tea 0.14.1): the issue body flag is `--description`/`-d`, **not**
|
||||
> `--body` — passing `--body` fails with `flag provided but not defined: -body`.
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
import { describe, it, expect } from "vitest";
|
||||
import { normalizeTableColumnWidths } from "./markdown-clipboard";
|
||||
import {
|
||||
normalizeTableColumnWidths,
|
||||
classifyClipboardSelection,
|
||||
} from "./markdown-clipboard";
|
||||
|
||||
// normalizeTableColumnWidths mutates a DOM subtree (jsdom provides document).
|
||||
function root(html: string): HTMLElement {
|
||||
@@ -124,3 +127,47 @@ describe("normalizeTableColumnWidths", () => {
|
||||
).toEqual([null, null]);
|
||||
});
|
||||
});
|
||||
|
||||
describe("classifyClipboardSelection", () => {
|
||||
it("serializes a list of 2+ items as markdown", () => {
|
||||
expect(
|
||||
classifyClipboardSelection([{ name: "bulletList", childCount: 2 }]),
|
||||
).toEqual({ asMarkdown: true, wrapBareRows: false });
|
||||
});
|
||||
|
||||
it("leaves a single-item list as plain text", () => {
|
||||
expect(
|
||||
classifyClipboardSelection([{ name: "bulletList", childCount: 1 }]),
|
||||
).toEqual({ asMarkdown: false, wrapBareRows: false });
|
||||
});
|
||||
|
||||
it("serializes a whole table without wrapping bare rows", () => {
|
||||
expect(
|
||||
classifyClipboardSelection([{ name: "table", childCount: 3 }]),
|
||||
).toEqual({ asMarkdown: true, wrapBareRows: false });
|
||||
});
|
||||
|
||||
it("serializes a partial cell selection (bare rows) and flags wrapping", () => {
|
||||
expect(
|
||||
classifyClipboardSelection([
|
||||
{ name: "tableRow", childCount: 2 },
|
||||
{ name: "tableRow", childCount: 2 },
|
||||
]),
|
||||
).toEqual({ asMarkdown: true, wrapBareRows: true });
|
||||
});
|
||||
|
||||
it("leaves plain paragraphs as plain text", () => {
|
||||
expect(
|
||||
classifyClipboardSelection([{ name: "paragraph", childCount: 1 }]),
|
||||
).toEqual({ asMarkdown: false, wrapBareRows: false });
|
||||
});
|
||||
|
||||
it("does not wrap when rows are mixed with other block types", () => {
|
||||
expect(
|
||||
classifyClipboardSelection([
|
||||
{ name: "tableRow", childCount: 2 },
|
||||
{ name: "paragraph", childCount: 1 },
|
||||
]),
|
||||
).toEqual({ asMarkdown: false, wrapBareRows: false });
|
||||
});
|
||||
});
|
||||
|
||||
@@ -27,24 +27,36 @@ export const MarkdownClipboard = Extension.create({
|
||||
key: new PluginKey("markdownClipboard"),
|
||||
props: {
|
||||
clipboardTextSerializer: (slice) => {
|
||||
const listTypes = ["bulletList", "orderedList", "taskList"];
|
||||
let topLevelCount = 0;
|
||||
let hasList = false;
|
||||
const topLevelNodes: { name: string; childCount: number }[] = [];
|
||||
slice.content.forEach((node) => {
|
||||
if (listTypes.includes(node.type.name)) {
|
||||
hasList = true;
|
||||
topLevelCount += node.childCount;
|
||||
} else {
|
||||
topLevelCount++;
|
||||
}
|
||||
topLevelNodes.push({
|
||||
name: node.type.name,
|
||||
childCount: node.childCount,
|
||||
});
|
||||
});
|
||||
|
||||
if (!hasList || topLevelCount < 2) return null;
|
||||
const { asMarkdown, wrapBareRows } =
|
||||
classifyClipboardSelection(topLevelNodes);
|
||||
if (!asMarkdown) return null;
|
||||
|
||||
const div = document.createElement("div");
|
||||
const serializer = DOMSerializer.fromSchema(this.editor.schema);
|
||||
const fragment = serializer.serializeFragment(slice.content);
|
||||
div.appendChild(fragment);
|
||||
|
||||
if (wrapBareRows) {
|
||||
// A partial table cell-selection serializes to bare <tr> nodes
|
||||
// (prosemirror-tables returns the whole `table` node only when the
|
||||
// entire table is selected). Bare <tr> would be foster-parented
|
||||
// away by the HTML parser inside htmlToMarkdown, so wrap them in
|
||||
// <table><tbody> first for the GFM turndown rule to detect them.
|
||||
const table = document.createElement("table");
|
||||
const tbody = document.createElement("tbody");
|
||||
tbody.appendChild(fragment);
|
||||
table.appendChild(tbody);
|
||||
div.appendChild(table);
|
||||
} else {
|
||||
div.appendChild(fragment);
|
||||
}
|
||||
return htmlToMarkdown(div.innerHTML);
|
||||
},
|
||||
handlePaste: (view, event, slice) => {
|
||||
@@ -153,6 +165,55 @@ export const MarkdownClipboard = Extension.create({
|
||||
},
|
||||
});
|
||||
|
||||
/**
|
||||
* Decide whether a copied slice's plain-text clipboard payload should be
|
||||
* serialized as Markdown (instead of ProseMirror's default text serializer,
|
||||
* which joins block leaves with newlines — the "one value per line" bug for
|
||||
* tables).
|
||||
*
|
||||
* Serialize as Markdown for structured content:
|
||||
* - lists with 2+ total items (a single copied bullet stays literal text);
|
||||
* - a whole table (top-level `table` node);
|
||||
* - a partial table cell-selection, which prosemirror-tables copies as bare
|
||||
* `tableRow` nodes (only a full-table selection yields a `table` node).
|
||||
*
|
||||
* `wrapBareRows` flags the bare-rows case so the caller wraps the serialized
|
||||
* <tr> nodes in <table><tbody> before the HTML->Markdown step. Plain paragraphs
|
||||
* return asMarkdown=false so a simple text copy stays literal, and internal
|
||||
* copy/paste keeps using the richer text/html clipboard payload.
|
||||
*/
|
||||
export function classifyClipboardSelection(
|
||||
nodes: { name: string; childCount: number }[],
|
||||
): { asMarkdown: boolean; wrapBareRows: boolean } {
|
||||
const listTypes = ["bulletList", "orderedList", "taskList"];
|
||||
let topLevelCount = 0;
|
||||
let hasList = false;
|
||||
let hasTable = false;
|
||||
let tableRowCount = 0;
|
||||
let nonRowCount = 0;
|
||||
|
||||
for (const node of nodes) {
|
||||
if (listTypes.includes(node.name)) {
|
||||
hasList = true;
|
||||
topLevelCount += node.childCount;
|
||||
nonRowCount++;
|
||||
} else {
|
||||
if (node.name === "table") hasTable = true;
|
||||
if (node.name === "tableRow") tableRowCount++;
|
||||
else nonRowCount++;
|
||||
topLevelCount++;
|
||||
}
|
||||
}
|
||||
|
||||
// Bare tableRow nodes at the top level only occur for a partial cell
|
||||
// selection; a slice never mixes bare rows with other block types, so
|
||||
// "every top-level node is a row" is a safe signal to wrap-and-serialize.
|
||||
const wrapBareRows = tableRowCount > 0 && nonRowCount === 0;
|
||||
const asMarkdown =
|
||||
(hasList && topLevelCount >= 2) || hasTable || wrapBareRows;
|
||||
return { asMarkdown, wrapBareRows };
|
||||
}
|
||||
|
||||
/**
|
||||
* Reorder/dedup the footnotes of a SELF-CONTAINED pasted markdown block to the
|
||||
* canonical invariant (the live footnoteSyncPlugin never reorders an existing
|
||||
|
||||
@@ -303,11 +303,6 @@ describe('buildSystemPrompt page-changed note (#274)', () => {
|
||||
expect(prompt).toContain(NOTE_MARKER);
|
||||
expect(prompt).toContain('-old line');
|
||||
expect(prompt).toContain('+new line');
|
||||
// Strengthened note (#274): instructs a fresh re-read via getPage and steers
|
||||
// the agent toward small, targeted edits instead of a full-page overwrite.
|
||||
expect(prompt).toContain('getPage');
|
||||
expect(prompt.toLowerCase()).toContain('targeted');
|
||||
expect(prompt).toContain('editPageText');
|
||||
// Inside the safety sandwich: the trailing SAFETY block follows the note.
|
||||
expect(prompt.lastIndexOf(SAFETY_MARKER)).toBeGreaterThan(
|
||||
prompt.indexOf(NOTE_MARKER),
|
||||
|
||||
@@ -85,17 +85,11 @@ const INTERRUPT_NOTE =
|
||||
const PAGE_CHANGED_NOTE =
|
||||
'NOTE: The user edited the open page AFTER your last response in this ' +
|
||||
'conversation, so any copy of that page you produced or remember from earlier ' +
|
||||
'is now STALE and must not be reused. Before you edit the page, you MUST first ' +
|
||||
're-read its current content with the getPage tool and base your work on that ' +
|
||||
'live version — never on your earlier copy or on the transcript. The unified ' +
|
||||
'diff below shows exactly what the user changed since you last spoke (lines ' +
|
||||
'starting with "-" were removed, "+" were added) and is the source of truth. ' +
|
||||
'Preserve every one of the user\'s edits: make the smallest change that ' +
|
||||
'satisfies the request using the targeted edit tools (editPageText, patchNode, ' +
|
||||
'insertNode, deleteNode) rather than replacing the whole page, and do not ' +
|
||||
'revert, drop, or overwrite anything the user changed. If a full rewrite is ' +
|
||||
'truly unavoidable, start from the current getPage content and carry over all ' +
|
||||
'of the user\'s edits.';
|
||||
'is now STALE. The unified diff below shows exactly what changed since you last ' +
|
||||
'spoke (lines starting with "-" were removed, "+" were added) and is the source ' +
|
||||
'of truth. Preserve the user\'s edits: build on the current page, do not revert ' +
|
||||
'or overwrite their changes. If you need the full up-to-date page, re-read it ' +
|
||||
'with the getPage tool before editing.';
|
||||
|
||||
/**
|
||||
* Sanitize a value interpolated into a prompt XML-ish attribute (e.g.
|
||||
|
||||
@@ -356,32 +356,6 @@ describe('flushAssistant', () => {
|
||||
expect(flushed.toolCalls).not.toBeNull();
|
||||
expect(flushed.metadata.error).toBe('boom');
|
||||
});
|
||||
|
||||
// #274 observability: the page-change diff the agent saw this turn is persisted
|
||||
// to metadata.pageChanged when a non-empty diff was injected, and omitted when
|
||||
// the diff is empty/whitespace or the arg is not supplied.
|
||||
it('persists metadata.pageChanged when a non-empty diff was injected', () => {
|
||||
const f = flushAssistant([], '', 'completed', {
|
||||
pageChanged: { title: 'Doc', diff: '@@ -1 +1 @@\n-old\n+new' },
|
||||
});
|
||||
expect(f.metadata.pageChanged).toEqual({
|
||||
title: 'Doc',
|
||||
diff: '@@ -1 +1 @@\n-old\n+new',
|
||||
});
|
||||
});
|
||||
|
||||
it('omits metadata.pageChanged for an empty/whitespace diff or a missing arg', () => {
|
||||
const whitespace = flushAssistant([], '', 'completed', {
|
||||
pageChanged: { title: 'Doc', diff: ' \n ' },
|
||||
});
|
||||
expect('pageChanged' in whitespace.metadata).toBe(false);
|
||||
|
||||
const nullArg = flushAssistant([], '', 'completed', { pageChanged: null });
|
||||
expect('pageChanged' in nullArg.metadata).toBe(false);
|
||||
|
||||
const omitted = flushAssistant([], '', 'streaming');
|
||||
expect('pageChanged' in omitted.metadata).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
/**
|
||||
|
||||
@@ -685,7 +685,7 @@ export class AiChatService implements OnModuleInit {
|
||||
// no-op (guarded below) so the turn still streams to the user.
|
||||
let assistantId: string | undefined;
|
||||
try {
|
||||
const seed = flushAssistant([], '', 'streaming', { pageChanged });
|
||||
const seed = flushAssistant([], '', 'streaming');
|
||||
const seeded = await this.aiChatMessageRepo.insert({
|
||||
chatId,
|
||||
workspaceId: workspace.id,
|
||||
@@ -720,7 +720,7 @@ export class AiChatService implements OnModuleInit {
|
||||
await this.aiChatMessageRepo.update(
|
||||
assistantId,
|
||||
workspace.id,
|
||||
flushAssistant(capturedSteps, '', 'streaming', { pageChanged }),
|
||||
flushAssistant(capturedSteps, '', 'streaming'),
|
||||
{ onlyIfStreaming: true },
|
||||
);
|
||||
} catch (err) {
|
||||
@@ -860,7 +860,6 @@ export class AiChatService implements OnModuleInit {
|
||||
// resolved from the admin-configured provider settings (in
|
||||
// closure scope here). Omitted/0 = no limit.
|
||||
maxContextTokens: resolved?.chatContextWindow,
|
||||
pageChanged,
|
||||
}),
|
||||
);
|
||||
// Lifecycle: release the external MCP clients leased for this turn.
|
||||
@@ -912,7 +911,6 @@ export class AiChatService implements OnModuleInit {
|
||||
await finalizeAssistant(
|
||||
flushAssistant(capturedSteps, inProgressText, 'error', {
|
||||
error: errorText,
|
||||
pageChanged,
|
||||
}),
|
||||
);
|
||||
await closeExternalClients();
|
||||
@@ -942,9 +940,7 @@ export class AiChatService implements OnModuleInit {
|
||||
`steps=${steps.length}`,
|
||||
);
|
||||
await finalizeAssistant(
|
||||
flushAssistant(capturedSteps, inProgressText, 'aborted', {
|
||||
pageChanged,
|
||||
}),
|
||||
flushAssistant(capturedSteps, inProgressText, 'aborted'),
|
||||
);
|
||||
await closeExternalClients();
|
||||
// Advance the page snapshot even on abort (#274): an agent edit that
|
||||
@@ -1510,7 +1506,6 @@ export function flushAssistant(
|
||||
contextTokens?: number;
|
||||
maxContextTokens?: number;
|
||||
error?: string;
|
||||
pageChanged?: { title: string; diff: string } | null;
|
||||
},
|
||||
): AssistantFlush {
|
||||
const finished = capturedSteps ?? [];
|
||||
@@ -1543,15 +1538,6 @@ export function flushAssistant(
|
||||
if (extra?.maxContextTokens)
|
||||
metadata.maxContextTokens = extra.maxContextTokens;
|
||||
if (extra?.error) metadata.error = extra.error;
|
||||
// Persist the page-change diff the agent saw this turn (#274 observability),
|
||||
// so history / the Markdown export can show what the user changed. Only when
|
||||
// a non-empty diff was actually injected into the prompt this turn.
|
||||
if (extra?.pageChanged && extra.pageChanged.diff?.trim().length) {
|
||||
metadata.pageChanged = {
|
||||
title: extra.pageChanged.title,
|
||||
diff: extra.pageChanged.diff,
|
||||
};
|
||||
}
|
||||
|
||||
return {
|
||||
content: stepsText + trailing,
|
||||
|
||||
@@ -269,168 +269,6 @@ describe('buildChatMarkdown (server) — structure', () => {
|
||||
expect(md).toContain('**⚠️ Error:** 401: Unauthorized');
|
||||
});
|
||||
|
||||
// #274 observability: an assistant row whose turn started with a user edit to
|
||||
// the open page carries metadata.pageChanged = { title, diff }; the export
|
||||
// renders the diff the agent saw, before the message body.
|
||||
it('renders the persisted page-change diff block for an assistant row', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
chatId: 'c',
|
||||
rows: [
|
||||
row({
|
||||
role: 'assistant',
|
||||
content: 'answer',
|
||||
metadata: {
|
||||
pageChanged: { title: 'Doc', diff: '@@ -1 +1 @@\n-old\n+new' },
|
||||
} as never,
|
||||
}),
|
||||
],
|
||||
});
|
||||
expect(md).toContain(
|
||||
'The user edited this page before this turn; the diff the agent saw:',
|
||||
);
|
||||
expect(md).toContain('("Doc")');
|
||||
expect(md).toContain('-old');
|
||||
expect(md).toContain('+new');
|
||||
// The diff sits before the message body (chronological: change, then reply).
|
||||
expect(md.indexOf('-old')).toBeLessThan(md.indexOf('answer'));
|
||||
});
|
||||
|
||||
it('does not render the page-change block when metadata.pageChanged is absent', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
chatId: 'c',
|
||||
rows: [row({ role: 'assistant', content: 'answer' })],
|
||||
});
|
||||
expect(md).not.toContain(
|
||||
'The user edited this page before this turn; the diff the agent saw:',
|
||||
);
|
||||
});
|
||||
|
||||
// #288 F1/F2: an empty page title must render the BARE heading with no
|
||||
// `("…")` suffix (the `pc.title ? … : …` false branch).
|
||||
it('renders the page-change heading with no title suffix when title is empty', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
chatId: 'c',
|
||||
rows: [
|
||||
row({
|
||||
role: 'assistant',
|
||||
content: 'answer',
|
||||
metadata: {
|
||||
pageChanged: { title: '', diff: '@@ -1 +1 @@\n-old\n+new' },
|
||||
} as never,
|
||||
}),
|
||||
],
|
||||
});
|
||||
// Bare heading, single line, no parenthesized title.
|
||||
expect(md).toContain(
|
||||
'> **📝 The user edited this page before this turn; the diff the agent saw:**',
|
||||
);
|
||||
expect(md).not.toContain('("');
|
||||
expect(md).toContain('-old');
|
||||
});
|
||||
|
||||
// #288 F1: the page title is UNTRUSTED cross-user data, so a title carrying a
|
||||
// newline / backtick / `"` / `<`/`>` must be neutralized by escapeAttr before
|
||||
// it is interpolated into the `> **…**` blockquote heading — otherwise it
|
||||
// could break the blockquote onto multiple lines or inject markup/HTML into
|
||||
// the downloaded .md. escapeAttr strips `<>"` and collapses whitespace runs to
|
||||
// a single space, so `Ev"il\n> `x` <b>` becomes ``Evil `x` b``.
|
||||
it('escapes an untrusted page title in the page-change heading', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
chatId: 'c',
|
||||
rows: [
|
||||
row({
|
||||
role: 'assistant',
|
||||
content: 'answer',
|
||||
metadata: {
|
||||
pageChanged: {
|
||||
title: 'Ev"il\n> `x` <b>',
|
||||
diff: '@@ -1 +1 @@\n-old\n+new',
|
||||
},
|
||||
} as never,
|
||||
}),
|
||||
],
|
||||
});
|
||||
// The heading stays a single blockquote line with the escaped title.
|
||||
expect(md).toContain(
|
||||
'> **📝 The user edited this page before this turn; the diff the agent saw: ("Evil `x` b")**',
|
||||
);
|
||||
// No raw attribute/markup breakers survived from the title.
|
||||
expect(md).not.toContain('Ev"il');
|
||||
expect(md).not.toContain('<b>');
|
||||
});
|
||||
|
||||
// #288 review F1: escapeAttr ALONE is insufficient for this MARKDOWN sink —
|
||||
// link/image syntax survives it. A cross-user title with `` /
|
||||
// `[phish](url)` must NOT become a working remote image or clickable link in
|
||||
// the downloaded .md; markdownHeadingSafe backslash-escapes `[`/`]` so both are
|
||||
// inert. (Non-vacuous: fails against the escapeAttr-only version, which left
|
||||
// `](https://` intact.)
|
||||
it('neutralizes markdown link/image syntax in an untrusted page title', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
chatId: 'c',
|
||||
rows: [
|
||||
row({
|
||||
role: 'assistant',
|
||||
content: 'answer',
|
||||
metadata: {
|
||||
pageChanged: {
|
||||
title:
|
||||
' and [click](https://phish.example)',
|
||||
diff: '@@ -1 +1 @@\n-old\n+new',
|
||||
},
|
||||
} as never,
|
||||
}),
|
||||
],
|
||||
});
|
||||
// No WORKING image/link syntax survives — the `[…]` sits escaped as `\[…\]`,
|
||||
// so the unescaped ``: after escaping the
|
||||
// literal `\](https://` still contains `](https://` as a raw substring — that
|
||||
// check would false-fail even though the link is inert.)
|
||||
expect(md).not.toContain(';
|
||||
expect(md).not.toContain('[click](');
|
||||
// The brackets are backslash-escaped, so `[text](url)`/`` are inert.
|
||||
expect(md).toContain('\\[');
|
||||
expect(md).toContain('\\]');
|
||||
// The heading stays a SINGLE blockquote line (no newline injected).
|
||||
const headingLine = md
|
||||
.split('\n')
|
||||
.find((l) => l.includes('the diff the agent saw:'));
|
||||
expect(headingLine).toBeDefined();
|
||||
expect(headingLine).toContain('\\[x\\]');
|
||||
expect(headingLine).toContain('\\[click\\]');
|
||||
});
|
||||
|
||||
// #288 internal review Finding 2: a NON-empty title made up entirely of
|
||||
// escapeAttr breakers (`<>"`) escapes to '' — the ternary must then fall to the
|
||||
// BARE heading with NO `("…")` suffix. Locks the ternary-on-escaped-value
|
||||
// behavior (distinct from the empty-string input test above).
|
||||
it('renders the bare heading for a title that escapes to empty', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
chatId: 'c',
|
||||
rows: [
|
||||
row({
|
||||
role: 'assistant',
|
||||
content: 'answer',
|
||||
metadata: {
|
||||
pageChanged: { title: '<>"', diff: '@@ -1 +1 @@\n-old\n+new' },
|
||||
} as never,
|
||||
}),
|
||||
],
|
||||
});
|
||||
expect(md).toContain(
|
||||
'> **📝 The user edited this page before this turn; the diff the agent saw:**',
|
||||
);
|
||||
expect(md).not.toContain('("');
|
||||
expect(md).toContain('-old');
|
||||
});
|
||||
|
||||
it('escapes embedded triple-backtick fences with a longer delimiter', () => {
|
||||
const md = buildChatMarkdown({
|
||||
title: 'T',
|
||||
|
||||
@@ -15,7 +15,6 @@
|
||||
*/
|
||||
|
||||
import type { AiChatMessage } from '@docmost/db/types/entity.types';
|
||||
import { escapeAttr } from './ai-chat.prompt';
|
||||
|
||||
/** Supported export label languages. Defaults to English. */
|
||||
export type ExportLang = 'en' | 'ru';
|
||||
@@ -64,7 +63,6 @@ const LABELS: Record<
|
||||
tools: Record<string, string>;
|
||||
ranTool: (name: string) => string;
|
||||
stillGenerating: string;
|
||||
pageEditedByUser: string;
|
||||
}
|
||||
> = {
|
||||
en: {
|
||||
@@ -85,8 +83,6 @@ const LABELS: Record<
|
||||
ranTool: (name) => `Ran tool ${name}`,
|
||||
stillGenerating:
|
||||
'This message is still being generated — the export captured a partial, in-progress response.',
|
||||
pageEditedByUser:
|
||||
'The user edited this page before this turn; the diff the agent saw:',
|
||||
},
|
||||
ru: {
|
||||
untitled: 'Без названия',
|
||||
@@ -106,29 +102,9 @@ const LABELS: Record<
|
||||
ranTool: (name) => `Выполнил инструмент ${name}`,
|
||||
stillGenerating:
|
||||
'Это сообщение всё ещё генерируется — экспорт захватил частичный, незавершённый ответ.',
|
||||
pageEditedByUser:
|
||||
'Пользователь изменил страницу перед этим ходом; дифф, который видел агент:',
|
||||
},
|
||||
};
|
||||
|
||||
/**
|
||||
* Make an untrusted title safe to interpolate into a Markdown blockquote
|
||||
* HEADING. escapeAttr() neutralizes the XML/HTML breakers (`<` `>` `"`) and
|
||||
* collapses whitespace for the PROMPT sink (`page="…"`), but this export sink is
|
||||
* MARKDOWN — link/image syntax survives escapeAttr. So additionally backslash-
|
||||
* escape `[` and `]`: that disables both `[text](url)` links and ``
|
||||
* images, so a cross-user title like `` or `[phish](http://evil)`
|
||||
* cannot inject a remote (auto-loading) image or a clickable link into the
|
||||
* downloaded .md disguised as a trusted system annotation. A bare `(url)` with no
|
||||
* preceding `[]` is inert Markdown, so brackets are the only security-critical
|
||||
* characters here. (We leave backticks to escapeAttr's whitespace pass — a title
|
||||
* shown as inline code cannot escape the blockquote line or load a resource, so
|
||||
* it is not a security concern for this sink.)
|
||||
*/
|
||||
function markdownHeadingSafe(title: string): string {
|
||||
return escapeAttr(title).replace(/[[\]]/g, (m) => `\\${m}`);
|
||||
}
|
||||
|
||||
/** True for AI SDK tool parts (static `tool-*` or `dynamic-tool`). */
|
||||
function isToolPart(type: string): boolean {
|
||||
return type.startsWith('tool-') || type === 'dynamic-tool';
|
||||
@@ -232,23 +208,6 @@ function rowParts(row: AiChatMessage): ExportPart[] {
|
||||
: [{ type: 'text', text: row.content ?? '' }];
|
||||
}
|
||||
|
||||
/** The persisted page-change diff the agent saw this turn (#274), when any. */
|
||||
function pageChangedOf(
|
||||
row: AiChatMessage,
|
||||
): { title: string; diff: string } | undefined {
|
||||
const meta = (row.metadata ?? {}) as {
|
||||
pageChanged?: { title?: string; diff?: string };
|
||||
};
|
||||
const pc = meta.pageChanged;
|
||||
if (pc && typeof pc.diff === 'string' && pc.diff.trim().length > 0) {
|
||||
return {
|
||||
title: typeof pc.title === 'string' ? pc.title : '',
|
||||
diff: pc.diff,
|
||||
};
|
||||
}
|
||||
return undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Serialize a chat to a Markdown string from its persisted rows. Source = DB
|
||||
* ONLY (no live client state). A row whose `status` is still 'streaming' is an
|
||||
@@ -307,26 +266,6 @@ export function buildChatMarkdown(args: {
|
||||
blocks.push(`<!-- ${iso} -->`);
|
||||
}
|
||||
|
||||
// Page-change observability (#274): show the diff the agent saw at the start
|
||||
// of this turn, before its response, so the export reflects the stale-page
|
||||
// warning the model received.
|
||||
const pc = pageChangedOf(row);
|
||||
if (pc) {
|
||||
// The page title is UNTRUSTED cross-user data (a collaborative page's title
|
||||
// controllable by another user). escapeAttr() alone (the prompt sink) is
|
||||
// INSUFFICIENT here: this is a MARKDOWN sink, so we neutralize link/image
|
||||
// syntax too (backslash-escaping `[`/`]`) before interpolating it into this
|
||||
// `> **…**` blockquote heading — otherwise `` / `[phish](url)` would
|
||||
// inject a remote image or clickable link into the downloaded .md. An
|
||||
// all-`<>"` title escapes to empty and correctly falls to the bare heading.
|
||||
// The diff body is already safe via fence(). (#288 review F1.)
|
||||
const safeTitle = markdownHeadingSafe(pc.title);
|
||||
const heading = safeTitle
|
||||
? `${L.pageEditedByUser} ("${safeTitle}")`
|
||||
: L.pageEditedByUser;
|
||||
blocks.push(`> **📝 ${heading}**\n\n${fence(pc.diff, 'diff')}`);
|
||||
}
|
||||
|
||||
blocks.push(...renderMessageParts(rowParts(row), lang));
|
||||
|
||||
// A still-'streaming' row is an interrupted/in-progress turn captured by the
|
||||
|
||||
Reference in New Issue
Block a user