Compare commits

..

104 Commits

Author SHA1 Message Date
claude code agent 227 3f7d96e09d fix(git-sync): gate stale-lock removal by mtime + cover preflight self-heals (#119 F1-F4)
clearStaleGitLocks() removed a hardcoded list of 9 git lock files
UNCONDITIONALLY — despite its name it never checked staleness. In a
multi-replica TTL-lapse window (a documented engine limitation), replica B's
preflight could rm a LIVE index.lock held by replica A mid `git add`/`commit`,
turning a safe fail-fast ("index.lock: File exists") into concurrent
index/ref writes and corruption.

F1: gate each removal by file age. A live git op is bounded by
GIT_EXEC_TIMEOUT_MS (120s), after which git is killed and the lock's mtime
freezes — so a lock older than 3× that (STALE_LOCK_MIN_AGE_MS = 360s) provably
has no live holder and is a genuine crash-leftover. Fresh locks (mtime within
the window) are preserved; missing locks are a no-op. Strictly safer than the
prior unconditional rm (the gate can only prevent removals, never add them).

F4: move clearStaleGitLocks (doc + body) below isMergeInProgress so the
mid-merge jsdoc re-attaches to its real owner; soften the doc (it clears a
fixed list of the engine's own index/ref locks, not "any *.lock").

F2: cycle.test.ts pins the preflight order
ensureRepo < clearStaleGitLocks < ensureMainBranch < ensureBranch (a refactor
that moved clearStaleGitLocks before ensureRepo — deleting ensureRepo's own
transient lock — would now fail the test).

F3: git.test.ts covers ensureMainBranch's HEAD-fallback branch (both main and
docmost gone → main recreated from HEAD) and the no-commit no-op.

Also: the D3-N3 test now backdates the planted lock's mtime so it is stale (and
still removed), plus a new test asserts a FRESH lock is PRESERVED (the
corruption-safety property — this would fail against the old code). cycle.ts's
preflight comment softened to match the mtime gating.

git-sync vitest: 711 passed | 1 expected-fail (+4 new tests). tsc clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 08:19:04 +03:00
agent_qa d218b3a39e fix(git-sync): self-heal a missing 'main' branch that wedged a space (D3-N1)
Ref-store damage (a deleted refs/heads/main, an interrupted ref update) can leave an
existing vault repo without a 'main' branch. The cycle's ensureBranch('docmost','main')
+ checkout then throw every poll ("pathspec 'main' did not match"), wedging the space
forever with no self-heal — ensureRepo only creates branches on a FRESH git init
(found via web-test corruption charter, reproduced deterministically).

Add VaultGit.ensureMainBranch() and call it in the cycle preflight (after
clearStaleGitLocks, before the branch setup): if 'main' is missing, re-create it from
the 'docmost' mirror branch (they track each other) else from HEAD. Same
wedge-forever family as D3-N3.

Verified on the stand: deleting refs/heads/main now self-heals (main restored, the
edit reaches the vault, 0 pathspec errors) — was wedged forever. Unit test (real temp
repo: delete main -> ensureMainBranch restores it from docmost). git-sync suite green (708).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 07:34:17 +03:00
agent_qa f0778cb85a fix(git-sync): self-heal a stale .git lock that wedged a space forever (D3-N3)
An interrupted git operation (a hard crash / OOM-kill / abrupt container stop mid
`git add`/`commit`/`checkout`) leaves a `.git/index.lock` (or a ref `*.lock`).
Git then refuses EVERY subsequent operation ("Unable to create '…/index.lock':
File exists"), so every poll cycle failed and the space's sync wedged INDEFINITELY
with no self-heal — the whole space stopped syncing until a human ran `rm` on the
lock (found via web-test restart/corruption charter, reproduced deterministically).

The daemon holds the per-space Redis lock and is the vault's ONLY writer, so any
`*.lock` reaching a fresh cycle is necessarily stale (no live git process holds it).
Add `VaultGit.clearStaleGitLocks()` and call it in the cycle preflight, right after
ensureRepo and before the mid-merge recovery — clearing index/HEAD/config/packed-refs/
MERGE_HEAD/ORIG_HEAD and the engine's ref locks (best-effort, missing = no-op).

Verified on the stand: a planted stale index.lock is now cleared and the space
recovers (edit reaches the vault, 0 "File exists" errors) — was wedged forever.
Unit test (real temp repo: index.lock blocks git add -> clear -> git add works);
git-sync suite green (707).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 07:25:48 +03:00
claude code agent 227 8f7da77939 fix(git-sync): correct stale S2-gate comment + drop vestigial currentPage narrowing (#119 F1)
The N1-D1 fix added an early `return {}` when `currentPage == null` in
importPageMarkdown. `currentPage` is a const, never reassigned, so from that
guard onward it is provably non-null — which made the cross-space (S2) gate's
comment false ("a not-found page still proceeds as before": a not-found page
now returns early above) and left dead null-handling around it.

- Rewrite the S2-gate comment: the null case is handled by the N1-D1 guard
  above; here currentPage is guaranteed non-null. Confused-deputy / cross-space /
  mirror-deletePage explanation kept intact.
- Drop the dead `currentPage &&` conjunct from the S2 condition (always true).
- Collapse downstream vestigial `currentPage?.` / `currentPage!` / the
  `currentPage ? … : undefined` ternary to plain `currentPage.` — all
  behavior-preserving (currentPage non-null after the guard). The unrelated
  `page ? … : undefined` ternary (fresh findById that can be null) is untouched.

No runtime behavior change. jest gitmost-datasource.service.spec.ts: 34 passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 07:16:49 +03:00
agent_qa e6a861bdaf fix(git-sync): a valid-but-nonexistent gitmost_id no longer wedges a space's sync (N1-D1)
A vault file whose `gitmost_id` is a WELL-FORMED UUID that matches no page (a stale
id from a restored-from-backup file, or a copied/foreign id) fell through
importPageMarkdown to writeBody() on a non-existent page, throwing "Page … not
found". The push apply recorded that as a per-cycle failure that never cleared —
refs never advance, so the whole space's sync looped on the failure indefinitely
(observed live: a leftover orphan file kept a space stuck at "1 failure" every ~5s).
Same user-visible impact as C9-D1, but the id is a valid uuid so the 22P02 guard
does not catch it.

Add the missing `currentPage == null` branch in importPageMarkdown: skip the
unknown id as an inert no-op so the cycle succeeds and the rest of the space keeps
syncing. Verified on the stand: pushing a valid-but-nonexistent gitmost_id now stays
at 0 failures (was 1/cycle forever), logs a skip warn, and a concurrent legit edit
still syncs. Unit test added; server suite green (2146).

NOTE (separate design follow-up, not this commit): the reconcile still cleans the
orphan file (it maps to no live page). ADOPTING such a file as a fresh page (the
restore-from-backup use case, preserving the git-authored content) needs the title
from the filename, which lives in the engine classifier, not this method.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 06:49:12 +03:00
claude code agent 227 5b835fc185 fix(git-sync): coerce malformed parentPageId to root in createPage/movePage (#119 F1)
A non-UUID gitmost_id on a parent folder-note, used as parentPageId for a
git-sync createPage (or as a movePage destination), wedged the entire space:
the throw landed in `failures`, and push only advances refs when
failures.length === 0, so the space re-attempted forever.

createPage was the only user-influenced-uuid op left unguarded. The throw is a
NotFoundException, not a 22P02 error: PageRepo.findById falls back to a slugId
lookup for non-UUID input, finds no row, and PageService.create raises
NotFoundException — so skipIfMalformedId (22P02-only) would NOT have caught it.
Coerce-to-root is the correct fix: a non-UUID parentPageId is rewritten to root
(undefined/null) so the page is created/moved at the space root instead of
wedging. No data loss (page still created) and no duplication (push.ts writes
the assigned id back to frontmatter, so the next sync matches by id, and the
retry-adopt map re-parents once the vault id is fixed).

Applied to both createPage and movePage (the move destination is reachable via
two paths, one 22P02-swallowed-but-mislogged and one NotFound-wedging). The
child pageId stays guarded by skipIfMalformedId.

F2: softened the skipIfMalformedId comment (parentPageId is a second
user-influenced uuid in create/move) and made the swallow log op-generic.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 06:44:57 +03:00
agent_qa cec50c3ce4 fix(git-sync): a git edit that drops the gitmost_id frontmatter is no longer lost (C10-D1)
If a git-side edit rewrote a page file WITHOUT its `gitmost_id` frontmatter (e.g.
a tool that regenerates the whole file), the push planner's M (modify) branch found
no pageId in the current meta and SKIPPED the file — then the next Docmost->git push
overwrote it with the DB content, silently reverting the edit (data loss, found via
web-test).

Mirror the D (delete) branch: recover the identity from the PRE-IMAGE meta (the
last-pushed version at the same path, which still carried the id) before skipping,
and apply the body edit as an update. The pushed-back re-serialize restores the
frontmatter next cycle, so the file self-heals. Only when the pre-image ALSO lacks
an id (a never-tracked page) is it genuinely skipped.

Verified on the stand: editing a synced page's file with the frontmatter removed now
applies the edit (was reverted). Unit test: a modified file with no current pageId
recovers it from the pre-image -> update. git-sync suite green (705).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 05:41:42 +03:00
agent_qa f36a2def73 fix(git-sync): a malformed non-UUID gitmost_id no longer wedges a space's sync (C9-D1)
A vault file with a broken/hand-edited `gitmost_id` frontmatter (e.g.
`gitmost_id: [unclosed` or a non-uuid token) fed that value into a Postgres
`uuid` predicate (page update/delete), throwing 22P02 "invalid input syntax for
type uuid". The push apply recorded it as a per-cycle failure that never cleared —
refs never advance when failures>0, so the WHOLE space's sync looped on the same
failure indefinitely and no further legitimate change synced (found via web-test).

Wrap the id-scoped write ops (import/delete/move/rename/restore) at the bind()
seam: swallow exactly the 22P02 as an inert no-op so the cycle succeeds and the
rest of the space keeps syncing; re-throw anything else. pageId is the only
user-influenced uuid in these ops, so a 22P02 there unambiguously means it.

Verified on the stand: pushing a non-UUID gitmost_id now logs a skip warn and the
space stays at 0 failures (was 1 failure/cycle forever); a concurrent legit edit
to another page still syncs. Unit tests: import/delete swallow 22P02, non-22P02
re-throws. Full server suite green (2145).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 05:33:36 +03:00
agent_qa 67dca8c10e fix(git-sync): complete A1 heading alignment — green suite + nested path (on 5d45f5a8)
QA follow-up on 5d45f5a8: that commit taught the converter to export heading
textAlign (<hN style>) but left the converter-gate heading test still asserting
the OLD dropped behavior (expects a bare '## text'), so jest was RED — the G1
green-suite gate was not actually met. Two gaps closed:

1. Flip the heading KNOWN-DIVERGENCE gate test to assert the round trip now
   PRESERVES alignment (exported as <h2 style="text-align:center"> and recovered
   on import), matching the shipped converter behavior. Suite is green again.

2. blockToHtml (the nested-container path: heading/paragraph inside a
   column/table/callout) still emitted bare <hN>/<p>, dropping textAlign for
   nested blocks. Carry the style there too, symmetric with the processNode path.

Also add #7 (table inside a column) and #8 (multi-block table cell) to the
lossless round-trip CORPUS so both survive export->import through the real
editor-ext schema (columns widthMode pre-authored at its normalize fixpoint).

Verified: server jest 193 suites / 2142 tests green, git-sync vitest 704 green,
no type errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 00:25:52 +03:00
agent_coder 5d45f5a85e fix(git-sync): close #119 blockers — dead edit-revert guard, cross-space guard, red suite (F5/S2/G1/A1/F7)
F5 (HIGH data-loss): guard #2 (GS-EDIT-REVERT) called a local key-sorting equality that
never matched a real page (block ids + materialized defaults differ), so the guard was
dead and a web edit on a git-sync space was silently reverted within one poll cycle. Use
the package's authoritative docsCanonicallyEqual (strips block id + normalizes
KNOWN_DEFAULTS), wired through the git-sync loader like sanitizeTitle; delete the dead
local canonicalize/canonicalJsonEqual.
S2 (security): importPageMarkdown targeted a page by the vault-file id without a spaceId
check (deletePage had one) — a space-A vault file carrying space-B's page id could
resurrect/overwrite/clear B's page. Mirror deletePage's guard: skip when the loaded page
lives in a different space than ctx.spaceId.
G1 (jest green): add sanitizeTitle + docsCanonicallyEqual to the loadGitSync mock; update
the converter-gate + package golden expectations to the genuinely-fixed output (paragraph
textAlign now round-trips, multi-block table cells emit HTML tables); fix the orchestrator
spec's stale mock so the per-space enabled gate (added later) is satisfied.
A1: the converter dropped heading textAlign on export (bare '## text'); emit a styled
<hN> when aligned, symmetric to paragraphs — round-trips losslessly (level + align), no
churn for unaligned headings.
F7 (docs): reword the false 'single choke point' title-strip comment; correct push.ts
docstrings that still described the removed standalone-CLI/daemon model.

Adds regression tests: the F5 acceptance test (canonically-equal content with real uuids
=> writePageBody NOT called), the S2 cross-space import guard, and the A1 heading
round-trip.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 00:13:08 +03:00
claude-stand 320b200ac8 test(collab): mechanical attribute-level schema contract (#293)
The existing name-level contract (packages/git-sync schema-editor-ext-contract)
only compares node/mark TYPE NAMES, so a new attribute added to an existing node
upstream slips through and is silently dropped on every git-sync round trip -- a
repeatedly-hit data-loss class (image caption #221, paragraph align #10).

This closes the attribute gap by comparing the RESOLVED ProseMirror Schema
objects (getSchema has already merged all addGlobalAttributes spreads into
concrete per-node attrs) of the server's canonical tiptapExtensions vs the
git-sync mirror, asserting equal attribute-key sets per shared node/mark modulo
a committed, self-checking allowlist of the 6 understood divergences. A forgotten
attribute now fails CI loudly instead of losing data. Comparing resolved schemas
(not raw extension configs) is what makes this stable rather than the fragile
config-shape compare the name-level test deferred.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 23:03:34 +03:00
claude-stand 539512c4c8 fix(git-sync): render tables as HTML inside columns (#7) and for multi-block cells (#8)
Two table round-trip losses from review #4404:
- #7: a table inside a column was emitted as a GFM pipe table INSIDE the raw-HTML
  <div data-type="column"> wrapper. marked does not parse markdown inside a raw
  HTML block, so on re-import the table became literal "| a | b |" text.
- #8: a table cell holding block content (a list, code block, multiple paragraphs)
  only used the HTML <table> form when a cell had colspan/rowspan; otherwise the
  GFM pipe path flattened the cell's blocks onto one line and lost the structure.

Extract a shared tableToHtml() helper and use the HTML <table> form when: a cell
is merged (existing), a cell is multi-block (#8), OR the table is rendered in a
raw-HTML context — blockToHtml's table case now routes through tableToHtml (#7).

Verified on stand: a table-in-column exports as <table> inside data-type=column;
a cell with a bullet list exports as <table> with <ul><li>, and a git-side edit
+ re-import keeps the bulletList + both items in the DB content (was flattened).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 19:29:00 +03:00
claude-stand edc5dae103 fix(git-sync): honor a git-side page clear instead of diverging (review warning)
Clearing a page's body in git advanced the vault ref past the empty commit, but
the persistence store-side empty-guard rejected the empty write (reloading the
non-empty DB content) — so Docmost kept the old body while the vault held the
empty one, a permanent silent vault<->Docmost divergence that never re-detects.
A git-sync write is authoritative and its content IS the vault file, so an empty
incoming doc there is a DELIBERATE clear (no transient-glitch empties for a
file-sourced write). Allow it (lastUpdatedSource==='git-sync'), mirroring the
#251 intentional-clear allowance for the user-signalled source.

Verified on stand: a git-side body clear takes the page body 28 -> 0 (page not
trashed); previously it stayed 28 (diverged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 19:21:21 +03:00
claude-stand 67fa0d1a28 fix(git-sync): a git-revert of a page delete restores the page (review warning)
A git-side revert of a delete commit re-adds the page's .md; the push classifier
saw an add carrying a known pageId and emitted an UPDATE, writing the body to the
still-trashed page. It stayed in Trash and the next pull re-deleted the file, so
the revert was silently nullified (permanent vault<->Docmost divergence). In
importPageMarkdown, if the target page is soft-deleted, restorePage() it first
(restorePage was already in the client seam but never called), then apply the
body — so a git revert actually brings the page back.

Verified on stand: git rm -> page trashed; git revert -> deleted_at cleared
(page restored).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 19:12:15 +03:00
claude-stand 91d674fea6 chore(git-sync): remove dead Settings REST fields, warn on inert REMOTE_TEMPLATE, fix stale docstrings (review)
Dead code / doc-vs-code cleanup from review #4404:
- Drop the unused Settings.docmostApiUrl/Email/Password fields (the native
  in-process datasource never reads them; the engine only used docmostSpaceId).
  Removed from the type, buildSettings, and the 4 engine test suites that
  fabricated them.
- Warn ONCE at startup when GIT_SYNC_REMOTE_TEMPLATE is set — remote push is
  deferred (SPEC §7) so the value is currently inert; the operator now gets a
  log line instead of a silent no-op.
- Correct stale docstrings that claimed live-destructive code was 'FAKES only /
  NEXT increment / no live wiring' (applyPushActions runs LIVE via
  runCycle->orchestrator); that importPageMarkdown receives a 'self-contained
  file (meta+body)' (it receives the stripped body); and that the Yjs body merge
  is '2-way' (3-way runs end-to-end when the base is present).

No behavior change (except the new warning); build + git-sync smoke verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 19:03:57 +03:00
claude-stand bb5bb52244 fix(git-sync): round-trip paragraph/heading text alignment (review #10)
Aligned paragraphs were exported as <div align="…"> which had NO matching
import parse rule — the div was unwrapped and the alignment lost on every
round trip. Emit a styled <p style="text-align:…"> instead, and give the
textAlign global attribute (docmost-schema) an explicit parseHTML that reads
element.style.textAlign (and legacy align=) plus a renderHTML that writes the
style. Now heading/paragraph alignment survives Docmost->git->Docmost.

Verified on stand: a textAlign=center paragraph exports as
<p style="text-align:center">, and after a git-side edit + re-import the
paragraph still has textAlign=center in the DB (was null before).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 18:36:53 +03:00
claude-stand f9cd3e6318 fix(git-sync): forward gzip encoding (#4) + catch read-advertise reject after hijack (#5); fix Export 500 on pages with inline comments
- Review #4: forward HTTP_CONTENT_ENCODING to git http-backend so it inflates
  gzip'd RPC bodies — a non-trivial `git pull` no longer fails with
  `fatal: expected 'packfile'`. (git-http-backend + git-http.service)
- Review #5: the read-advertisement branch runs under the space lock AFTER
  reply.hijack(); a reject there (e.g. Redis down) previously left the socket
  open forever, hanging every clone/fetch. Mirror the push branch: catch, 500 if
  unwritten, always end the socket. (git-http.service)
- GS-EXPORT-500 (QA): a page with an inline comment mark returned HTTP 500 on
  Export/copy-as-markdown. The Comment mark's renderHTML took the imperative
  document.createElement branch server-side (the DOM shim used by generateHTML
  defines window/document), returning a live node with no content hole that
  crashed prosemirror-model's DOMSerializer under happy-dom. Gate the imperative
  branch on a real browser (navigator.userAgent contains 'Mozilla'); the server
  now uses the static DOMOutputSpec form. Verified: export 200 (was 500).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 18:16:59 +03:00
claude-stand c838fdeebe fix(git-sync): review #4404 batch — sanitize-title echo, per-space gate, move-echo, merge-agreement, fence-aware conflict scan, e2e asserts
Addresses reviewer comment #4404 (critical + blocking):

- Critical #2: renamePage skips the echo where the incoming title equals
  sanitizeTitle(current title) — a Docmost title with FS-hostile chars (: / " |,
  newlines, double-space, >120) was pulled to a sanitized stem then written back,
  permanently corrupting the real title. (datasource)
- Blocking #3: runOnce enforces per-space settings.gitSync.enabled (the event
  path bypassed opt-in; any edited space would git-init + export). (orchestrator)
- Blocking #6: movePage no-ops the position-less same-parent echo that clobbered
  the user's chosen sibling order. (datasource)
- Blocking #9: hasConflictMarkers is fence-aware — '<<<<<<< HEAD' inside a code
  block (git-tutorial page) no longer trips the all-or-nothing gate that froze
  the whole space's refs. (push.ts)
- Blocking #11: three-way tryMergeRegion short-circuits when live==target (diff3
  agreement) instead of logging a false 'same-block conflict resolved to git' —
  the echo noise that masked real data-loss signals. (three-way-merge)
- Blocking #12/#13: e2e-advanced — drop the delete-cap block (no such feature;
  failed with a scary '(data loss!)'); non-member assert now expects 404 (existence
  not leaked), not 403.

Verified on stand: sanitized-title rename preserves DB title (vault file
sanitized); non-enabled space creates no vault; fenced conflict markers ingest
without jamming; build clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 17:52:07 +03:00
claude-stand f2d12fd2cd fix(git-sync): make body ingest idempotent to stop idle churn + silent edit-revert (GS-EDIT-REVERT)
On a git-sync space, a page's web edit was silently reverted within ~1 poll,
and idle spaces showed dozens of 'update' actions per cycle with no real change.

Root cause: the vault->Docmost body ingest (importPageMarkdown) is re-run every
poll for pages the upstream change-detection mis-flags as changed (the
markdown<->ProseMirror round-trip is not byte-stable: JSON key order / default
attrs differ though the content is identical). Each call re-imports the SAME body
into the live collab doc -- a no-op at idle, but it CLOBBERS a concurrent human
edit still in the debounced (not-yet-flushed) Yjs doc.

Fix: skip the ingest when it is genuinely a no-op --
  1) baseMarkdown byte-identical to the current file (vault unchanged), or
  2) the parsed incoming body is canonically-JSON-equal (key-order-insensitive)
     to the page's current Docmost content.
A real git-side change is neither, so legitimate git->Docmost ingests still apply.

Verified: idle churn 38 update/cycle -> 0; web edit on an affected page 0/3 -> 3/3
persisted; genuine git-side edit still ingests. Found by autonomous QA
(web-test-orchestrator) + independent verifier.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 16:11:34 +03:00
agent_coder fcc9ae0c24 test(git-sync): fix #119 review F1-F4 (bind assert, cross-move + strip tests, comment)
F1: git-sync.orchestrator.spec bind assertion now includes spaceId ('space-1'),
matching driveCycle's dataSource.bind({workspaceId,userId,spaceId}).
F2: add 4 non-vacuous tests for the cross-space move data-loss guard in deletePage
(CTX_SPACE with spaceId): move-out skips removePage (returns skipped:'moved-to-other-space');
same-space / not-found / already-deleted all still call removePage.
F3: add 2 tests for the ~<slugId> title-strip guard in renamePage (own slugId stripped;
a foreign ~<slugId> tail left intact).
F4: reword the gitmost-datasource 'single choke point' comment — the strip covers the
rename/update path, not every git-sync title write (createPage's filename-derived title
does not funnel through here).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 15:34:43 +03:00
agent_coder e4ff146ab0 Merge branch 'develop' into feat/git-sync
# Conflicts:
#	CHANGELOG.md
#	apps/server/src/collaboration/extensions/persistence.extension.ts
#	packages/mcp/build/client.js
2026-07-02 15:23:26 +03:00
claude-stand c7e034cab9 fix(git-sync): don't trash a page on cross-space move (move-to-space data loss)
A page moved to another space with git-sync enabled was sent to Trash and
vanished from BOTH vaults. The source space's push phase sees the moved-away
page's file gone from its vault and calls deletePage -> soft-delete, even though
the page still lives in the destination space.

Thread the reconciling spaceId into the bind context and, in deletePage, skip the
soft-delete when the page's CURRENT space differs from the space being reconciled
(a move-out): only the vault file is dropped, the page is preserved. Genuine
in-space deletions are unaffected (space matches).

Found by autonomous QA (web-test-orchestrator). Control: with git-sync OFF the
move keeps deleted_at NULL; with it ON the page was trashed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 13:47:48 +03:00
claude-stand 123e981808 fix(git-sync): strip cosmetic ~<slugId> disambiguation suffix from ingested title
Two sibling pages that share a title collide on one vault filename, so the
layout appends a cosmetic ` ~<slugId>` suffix (engine disambiguate()). That
suffix is a local filesystem artifact and must never become the page's real
Docmost title, but on ingest the filename-derived title carried it back into
the DB on some paths (observed: intermittent same-title collision left a page
permanently titled "Title ~<slugId>"). Strip it in renamePage() — the single
choke point every git-sync title write funnels through — but only when the
trailing token equals THIS page's own slugId, so a genuine user title that
legitimately ends in ` ~token` is never corrupted (slugId is a random nanoid).

Repro: create two pages with the same title; ~1 in 4 the second page's title
is permanently polluted. After fix: 0/6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 12:57:12 +03:00
claude code agent 227 7abce93543 fix(git-sync): round-trip the spoiler mark and image caption
After merging develop, git-sync's markdown converter still predated two
editor features and silently dropped them on every sync:

- Spoiler mark (#259): had no schema entry, so `<span data-spoiler>` from
  the canonical lossless form re-parsed as plain text and the mark was
  lost. Register a Spoiler mark mirroring @docmost/editor-ext + the MCP
  schema, and emit `<span data-spoiler="true">…</span>` on PM->MD.
- Image caption (#221): the converter assumed no caption attribute existed
  (the branch was dead). The image schema now carries a plain-text caption
  (data-caption); register it and route a captioned image through the raw
  <img> form (same lossless convention as the other Docmost image attrs).
  Caption-less images keep the lighter `![](src)` form.

Both survive PM->MD->PM unchanged; raw `<span data-spoiler>` / `<img
data-caption>` in incoming markdown parse back. New round-trip tests in
markdown-roundtrip-spoiler-caption.test.ts; schema-surface snapshot updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 02:53:43 +03:00
claude code agent 227 0750a6fd34 Merge remote-tracking branch 'gitea/develop' into HEAD
# Conflicts:
#	CHANGELOG.md
#	packages/mcp/build/index.js
#	packages/mcp/build/lib/auth-utils.js
#	packages/mcp/build/lib/docmost-schema.js
#	packages/mcp/build/lib/markdown-converter.js
2026-06-30 02:43:04 +03:00
claude code agent 227 d833e5adb1 Merge remote-tracking branch 'gitea/develop' into HEAD
# Conflicts:
#	apps/server/src/app.module.ts
#	apps/server/src/integrations/environment/environment.service.spec.ts
#	apps/server/src/integrations/environment/environment.service.ts
#	apps/server/src/integrations/environment/environment.validation.ts
#	packages/mcp/build/client.js
#	packages/mcp/build/index.js
#	packages/mcp/build/tool-specs.js
2026-06-29 18:56:40 +03:00
claude code agent 227 f3dbcec0fd refactor(git-sync): DRY the move+body emission; cover M-side ghost-move (F7,F8)
F8: extract emitMoveWithBody helper (renamesMoves + body update with
    basePath=oldPath) and call it at all three rename emission sites (ghost-move
    A, ghost-move M, R/C) — byte-identical behavior, single F4 rationale. Helper
    placed above computePushActions so the planner JSDoc stays attached.
F7: add an M-side ghost-move test (D+M same pageId) asserting the move and the
    body update carry basePath=oldPath — the previously-untested branch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 16:10:59 +03:00
claude code agent 227 63f948df10 fix(git-sync): deliver body on rename+edit via honest 3-way merge; cover CREATE strip; fix env doc (F4-F6)
F4: a rename/move + body edit in one diff used to lose the edit (renamed pages
    went only into renamesMoves, never updates). Now computePushActions also
    emits an updates entry for renames, AND threads the OLD path via a new
    UpdateAction.basePath so applyPushActions resolves the 3-way merge base from
    the pre-rename file. Without it the base lookup at the new path returns null
    and degrades to a 2-way merge that rolls back concurrent Docmost edits; with
    it the edited block wins while a concurrent edit to another block survives.
    A plain (status M) update carries no basePath and is byte-identical to before.
F5: test the CREATE path stripping conflict markers (autoMergeConflicts on).
F6: .env.example documents GIT_SYNC_REMOTE_TEMPLATE as deferred/inert scaffolding.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 14:40:02 +03:00
claude code agent 227 fbaaa84419 test(git-sync): accurate null-edge docstring + fill round placeholder (F2/F3)
F2: the real-git modify/delete null-edge test docstring overclaimed it
caught loss of the `?? theirs` fallback end-to-end. git itself leaves
theirs in the working tree (stage 3) so commitMerge's `git add -A` would
stage it even with the bug — the assertions pass on broken logic. Reword
to state it verifies the clean-merge happy path; the real F1 regression
guard lives in the fake-fs apply-pull-actions.test.ts.

F3: fill the `round-?` placeholder with `round-2` in both new blocks to
match the file convention (header: 'QA #119 round-2').

Comment-only; no production or test-logic changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 02:04:47 +03:00
claude code agent 227 32cb9eb1e3 test(git-sync): cover null-edge conflict resolution in applyPullActions (F1)
The genuine-conflict branch in applyPullActions resolves to `ours ?? theirs`,
but the two stages where a side is ABSENT had NO test — the existing conflict
tests only fed stages where both ours and theirs are non-null. This is the
data-preservation core on the published `main`: a regression (dropping the
`?? theirs`, or wrongly writing on both-null) would silently lose a surviving
Docmost edit or resurrect a both-deleted page.

Adds four tests:
- apply-pull-actions.test.ts (fake-git, controlled stages): modify/delete
  (ours=null, theirs!=null -> keep THEIRS) and delete/delete (both null ->
  write nothing, deletion staged by commitMerge's `git add -A`).
- pull-conflict-normalize.test.ts (real-git 3-way): modify/delete built by
  deleting on main + modifying on docmost (stage 2 absent -> theirs kept,
  committed clean, no markers); delete/delete built via a rename/rename(1to2)
  on the shared base file, which records the original path as both-deleted
  (stages 2 AND 3 absent -> nothing written, deletion committed off main).

Production logic at pull.ts:487-497 held — pure test-coverage fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 00:23:55 +03:00
claude code agent 227 b47751349f fix(git-sync): kill spurious marker-leaking conflict, concurrent-edit loss, flapping HEAD
Three more git-sync QA defects from the 2nd live pass on PR #119, plus a
callout-fidelity nit:

1. SPURIOUS conflict leaked raw markers into canonical main (root cause). On an
   ordinary round-trip the only difference between the docmost mirror (normalize-
   on-write) and a user's raw push is trailing/empty-line normalization, which made
   git's line-based docmost->main merge CONFLICT, and the wedge fix then committed
   the file WITH literal <<<<<<< / ======= / >>>>>>> markers onto main (git and the
   DB silently diverged for cycles). Fix: on a conflict, normalize trailing/empty
   lines on BOTH sides (showStage :2:/:3:) before comparing — a trailing-only diff
   is recognized as spurious and resolved to the clean normalized form. A GENUINE
   same-block conflict is auto-resolved to OURS (git wins, mirroring the live-doc
   3-way rule); the docmost side stays on the `docmost` branch + page history. Raw
   markers NEVER reach main again.

2. Concurrent UI<->git edit silently lost the UI side. The git->Docmost 3-way merge
   ran against a live Y.Doc that hadn't yet received the user's debounced in-flight
   edit, so git clean-applied (no conflict detected) and the edit vanished even on a
   different block. Fix: flush the pending debounced store before the merge so the
   in-flight edit is drained into the live doc first — a different-block edit is
   merged, a same-block one is detected and pinned to history (recoverable).

3. Smart-HTTP HEAD flapped to the read-only `docmost` mirror (~1/4 of clones). The
   engine transiently checks out `docmost` mid-pull and the host advertises whatever
   HEAD resolves to. Fix: VaultGit.pinHeadToMain(); the cycle restores HEAD->main in
   a finally; and the upload-pack ref advertisement is served HEAD-pinned under the
   per-space lock so it can never observe a mid-cycle HEAD.

4. (callout) clampCalloutType now mirrors the editor's GITHUB_ALERT_TYPE_MAP for
   non-schema aliases (tip->success, caution->danger, important->info) instead of
   flatly collapsing to info. The editor schema genuinely supports only the six
   banner types, so unknown types still fall back to info (by design).

Tests: deterministic real-git trailing-blank round-trip (no conflict, no markers,
in sync over 2 cycles) + genuine-conflict no-marker-leak; HEAD advertisement
stability; pre/post-flush concurrent-edit survival; serveReadAdvertisement lock
pin; widened callout-alias coverage. Engine vitest + server tsc + collaboration /
git-http / orchestrator specs all green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 22:05:32 +03:00
claude code agent 227 b7e5cb6970 fix(git-sync): push 503 starvation + concurrent-edit marker leak/silent loss
Bug #1 (push 503 starvation): an external receive-pack that briefly overlapped
a poll cycle immediately 503'd because the per-space single-writer lock was
held. Add a BOUNDED retry-acquire on the PUSH path only (SpaceLockService
.withSpaceLock acquireRetry: capped exponential backoff up to ~5s); a transient
overlap now waits and succeeds, a genuinely stuck cycle still 503s after the
bound. The poll cycle passes no retry (immediate skip). Push result stays
deterministic: the receive-pack only runs once the lock is held, so a 503 never
leaves a half-applied ref.

Bug #2 (concurrent-edit marker leak + silent same-block loss):
- Marker leak (a): the push UPDATE path stripped markers for the body sent to
  Docmost but left raw <<<<<<</>>>>>>> committed on the published `main` vault
  forever (autoMergeConflicts ON). Now the cleaned body is written back to the
  vault file + recorded in writtenBack so runPush commits it on `main` and the
  vault converges to clean bytes.
- Marker leak (b): pin merge.conflictStyle=merge in ensureRepo and teach
  stripConflictMarkers/hasConflictMarkers about the diff3 `|||||||` base section
  (drop the marker AND the stale base region) so diff3/zdiff3 conflicts can
  never leak `|||||||` + base content into a page. Also scrub the 3-way merge
  BASE markdown.
- Silent same-block loss: the block 3-way merge still resolves same-block
  conflicts deterministically to git, but it is no longer silent: diff3Plan now
  reports a conflict count (mergeXmlFragments3WayWithStats), gitSyncWriteBody
  logs it, and the persistence boundary-snapshot now fires for git-sync writes
  over a non-git-sync baseline so the human's pre-merge content is preserved in
  page history (recoverable). Full both-preserved persisted-conflict UI remains
  the deferred redesign.

Tests: space-lock bounded-retry (success/stuck/poll-immediate); push vault-clean
+ diff3 |||||||  strip; ensureRepo conflictStyle pin; diff3Plan/3-way conflict
counts; persistence git-sync boundary snapshot. Server tsc clean; git-sync
vitest + server collaboration/git-sync jest all green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:03:21 +03:00
claude code agent 227 906733b5c8 fix(git-sync): address PR #119 review #4 — symlink guard, dead-code cull, changelog + warnings/suggestions
Blocking (review id 2514):
- [security] Forbid symlinks in vaults. ensureServable now sets
  core.symlinks=false in each vault's local git config (a pushed symlink is
  checked out as a plain file, never a real link), and the engine cycle wraps
  every read/write/mkdir in an lstat/realpath guard (new path-guard.ts) that
  refuses a path that is — or traverses — a symlink, or whose realpath escapes
  the vault root. Prevents a writer from publishing /etc/passwd or the server
  .env, or writing outside the vault. Adds unit tests (path-guard.test.ts) +
  a read-guard integration test (cycle.test.ts) + real lstat/realpath in the
  roundtrip integration test.
- [simplification] Delete dead lib/diff.ts + test/diff.test.ts and drop the
  now-unused @fellow/prosemirror-recreate-transform dependency.
- [documentation] Add a CHANGELOG [Unreleased] → Added entry for git-sync.

Warnings:
- [test-coverage] Cover the CREATE-branch conflict-markers guard (a new .md with
  markers and no gitmost_id is recorded as a create failure, never created).

Suggestions:
- [stability] Bound each `git config` in ensureServable with a timeout.
- [authz] Trigger endpoint resolves spaceId workspace-scoped and 404s a foreign
  space before any vault directory is created.
- [stability] Attribute git-initiated moves to the service account
  (lastUpdatedById), via an optional actor param on PageService.movePage.
- [documentation] Document the per-space autoMergeConflicts toggle in AGENTS.md.
- [test-coverage] Cover the unterminated `:::` callout fence fallback.
- [simplification] Move test-only roundtrip-helpers.ts out of src/ into test/.

Architecture:
- Move the Yjs/ProseMirror merge primitives (yjs-body-merge, three-way-merge,
  lcs + specs) into collaboration/merge/, breaking the collaboration →
  integrations/git-sync dependency cycle this PR introduced.
- Port the schema-surface drift gate to packages/mcp (the mcp schema mirror had
  none); pins 52 entries.

Deferred (with rationale in the review thread): the incremental-pull perf
warning (correctness-neutral; needs a high-water-mark design + its own tests on
the data-loss-critical path) and the redis-sync rolling-deploy mixed-version
edge (the deficient behavior is in already-released old-instance code; the new
code is correct on both sides; impact is a transient rollout-window artifact).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:39:12 +03:00
a f020739bfd refactor(git-sync): address PR #119 review #3 — honest gitRemote scaffolding comments, env example, shared ESM bridge
1. gitRemote is NOT yet consumed (the vendored engine has no remote-push path,
   SPEC §7). Corrected the buildSettings docstring (it wrongly called gitRemote
   "load-bearing") and marked the env -> validation -> getter -> buildSettings
   chain as inert SCAFFOLDING for the deferred remote-push feature at all three
   sites. Kept the wiring (harmless; removing only churns).

2. .env.example: document that GIT_SYNC_REMOTE_TEMPLATE substitutes the literal
   "{spaceId}" per-space (with the example), so an operator doesn't point every
   space at one remote.

3. Extracted the copy-pasted CJS->ESM dynamic-import bridge
   (`new Function('s','return import(s)')`) into one shared
   common/helpers/esm-import.ts; git-sync.loader, docmost-client.loader and
   mcp.service now import it and keep their own typed loadX() wrappers.

Deferred (notes only, not implemented):
- lcs.ts + three-way-merge.ts could move into packages/git-sync, but that engine
  is vendored (manual re-sync) — added a one-line note at three-way-merge.ts to
  revisit once the re-sync story is settled.
- schema-core single source + BullMQ/fencing remain documented from prior rounds.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
a 22e3fcdeba fix(git-sync): address PR #119 review #2 — throttle /git Basic auth, fix mcp schema drift + warnings/tests
Must-fix:
- Throttle the raw /git HTTP-Basic path: it bypasses Nest/ThrottlerGuard, so
  verifyUserCredentials (bcrypt) ran unthrottled. Wrap it in the SAME
  FailedLoginLimiter the /mcp path uses (5/60s; per-IP, per-IP+email, global
  per-email keys; atomic tryReserve BEFORE bcrypt; success resets, non-credential
  errors release). The (threshold+1)-th attempt now gets 429 pre-bcrypt. Sweep
  timer + onModuleDestroy mirror McpService.
- Fix the mcp schema mirror drift: packages/mcp details `open` attr now reads via
  hasAttribute (matches editor-ext canon + git-sync copy); getAttribute dropped a
  bare `<details open>` state. (build/ is gitignored — rebuilt locally.)

Tests added:
- /git brute-force throttle: pre-bcrypt 429 on the 6th failure; success resets;
  non-credential error releases the budget.
- git-http-backend lost-lock AbortSignal: already-aborted -> no spawn + 500;
  live abort mid-request -> SIGTERM + response closed.
- orchestrator divergentDocmost -> WARN + flag surfaced in status (+ clean case).
- pollTick re-entrancy guard skips an overlapping tick.
- datasource NotFound early-throws (getPageJson/move/rename) + updatedAt:undefined
  stale-read branch (importPageMarkdown/createPage).

Suggestions:
- space.repo updateGitSyncSettings: parameterize the jsonb key (`${prefKey}::text`)
  instead of sql.raw (latent-injection footgun); value stays sql.lit. Spec updated.
- pollTick re-entrancy guard (private `polling` flag).
- page-change.listener docstring: honest about the move/rename/delete over-skip
  (loop-guard keys only on lastUpdatedSource) -> ~poll-interval latency, not loss.
- AGENTS.md: document the root /git smart-HTTP route + GitSyncModule.
- Remove redundant redteam-provenance.spec.ts (covered e2e in
  persistence.extension.spec.ts:145).
- Extract the duplicated SIGTERM->SIGKILL+finish block (watchdog + abort) into
  terminateChild; centralize watchdog-timer teardown in done().

Architecture (deferred, documented): mcp schema header now carries the three-copy
keep-in-sync + schema-core note; the editor-ext contract test documents that the
mcp copy and attribute-behaviour drift (details `open`) are not mechanically
covered yet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
a 7179f8a5b2 fix(git-sync): address PR #119 review — close 403/404 space-existence leak + warnings/tests/arch
Security (must-fix):
- /git smart-HTTP gate: an authenticated NON-member of a git-sync space now gets
  404 (not 403), so the 403<->404 difference can no longer be used to brute-force
  which spaces exist / have git-sync enabled. 403 is reserved for a MEMBER who
  lacks the required role (existence already known). New gate input
  userIsSpaceMember; decision-table + service specs extended.

Config (must-fix):
- Remove the dead GIT_SYNC_SSH_KEY_PATH knob (getter + validation field + two
  .env.example lines) — it had zero consumers and advertised a nonexistent push
  capability.

Stability/docs (warnings):
- Wire the lost-lock AbortSignal into runReceivePack -> git http-backend so the
  receive-pack child is killed if the per-space lock lapses mid-write.
- Raise the divergent-`docmost` (invariant §5) push refusal from info -> warn and
  surface divergentDocmost in the run status (/status).
- Comment the stale read-after-debounced-collab-write updatedAt in
  importPageMarkdown (deferred §10 loop-guard must not trust it).
- Fix the Dockerfile comment: the loader uses require.resolve + dynamic import(),
  it deliberately does NOT require('@docmost/git-sync').
- Merge the two near-identical space toggle handlers into one parameterized
  handler; add the 2 missing en-US i18n keys for the auto-merge switch (ru-RU not
  maintained for these git-sync strings, mirrored).

Tests:
- isGitSyncHttpEnabled() default-branch (unset -> isGitSyncEnabled fallback).
- agentSourceFields 'git-sync' case (source stamped, chat key omitted).
- editor-ext name-level schema contract (vendored mirror superset of editor-ext
  node/mark types) + the new shared resolver + non-member 404 gate cases.

Architecture:
- Extract resolveRequestWorkspace shared by DomainMiddleware + GitHttpService
  (the two real self-hosted/cloud copies; McpService has no cloud branch).
- Document the in-process setInterval multi-replica limitation + BullMQ/fencing
  future direction (deferred, not implemented).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
a fe4adf23a0 fix(git-sync): unwedge per-page conflicts, preserve callout types, flush collab on disconnect
Addresses QA findings on PR #119 (issues #235/#236).

SYNC-WEDGE (HIGH): one same-line conflict on one page froze sync for the
WHOLE space in both directions forever. The pull's docmost->main merge left
the vault mid-merge, so every later cycle's isMergeInProgress() check returned
skipped:"merge-in-progress" and skipped the entire space with no recovery.
- pull.ts now COMMITS a conflicting merge with markers in place (commitMerge):
  cleanly-merged pages land, the conflicted page carries its markers on main and
  is isolated by the existing push-side conflict-marker skip (markers never reach
  Docmost), and the next cycle is no longer wedged. conflictedPaths is surfaced.
- cycle.ts now RECOVERS a vault left mid-merge by a prior/pre-fix cycle: it
  aborts the stale merge (merge --abort, hard-reset fallback) and continues,
  instead of skipping the space forever.
- git.ts: listUnmergedPaths / commitMerge / abortMerge / resetHardToHead.

CALLOUT TYPE FIDELITY: git-sync's CALLOUT_TYPES was missing "note" and "default"
(editor-canonical types), so [!note]/[!default] callouts flattened to [!info] on
every round-trip. Aligned the list with @docmost/editor-ext getValidCalloutType.

LOSS-ON-FAST-CLOSE: editing a page then closing the tab inside the collab
debounce window (~3-18s) lost the edit, because with unloadImmediately:false
Hocuspocus does not flush the debounced onStoreDocument on the last-client
disconnect. PersistenceExtension.onDisconnect now flushes the pending store
(debouncer.executeNow) on the last disconnect only, with no redundant write.

DUPLICATION re-verify (#1): the schema-default merge-key normalization is intact;
faithful toYdoc-based reproduction shows callout + rich content resync with 0 ops
and no growth/strip across cycles -> the re-report was leftover vault data, not a
live regression. Locked with a callout regression spec.

Tests: git-sync 688 pass (incl. real-VaultGit wedge-recovery integration); server
git-sync+collaboration 285 pass; new callout merge/fidelity + onDisconnect-flush
specs. tsc --noEmit clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 eefe17600c test(git-sync): mock db.transaction in movePage provenance specs
After rebasing onto develop, movePage runs its cycle-check + UPDATE inside
executeTx(this.db) (develop #207 advisory-lock/atomic cycle-guard). The
git-sync provenance specs still passed a bare `{}` db, so executeTx hit
`db.transaction is not a function`. Reuse the same trxStub Proxy + transaction
mock the develop movePage specs use so both the advisory-lock `sql.execute(trx)`
and updatePage resolve. Production movePage keeps BOTH develop's lock/cycle
guard AND git-sync's provenance stamping; this only updates the test harness.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 32e99c6e42 fix(editor,git-sync): parse details open as a boolean so open state survives render/round-trip
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 e48d7720e9 fix(git-sync): propagate nested details open; drop dead delete-cap wiring; cover lost-lock abort + lose-prone atom round-trips
Addresses review 1863 (delta) on PR #119.

MUST-FIX:
- detailsToHtml (the raw-HTML path used for a details nested inside
  columns/spanned cells) now emits `<details${open}>`, mirroring the
  top-level case, so `open` no longer silently drops every round trip.
- Remove the dead `resolveApplyClient` delete-cap hook from the engine
  `runCycle`: the orchestrator stopped passing it, so the hook + its
  dry-run pass were inert. Deletes are soft (Trash) + always logged and
  engine convergence is the guard, so no cap is re-added — just the dead
  wiring removed.

TEST COVERAGE:
- space-lock: heartbeat refresh CAS-miss (eval -> 0) and Redis-error
  (eval throws) both abort the in-flight fn's signal.
- cycle: a pre-aborted signal (and an abort during the pull read) throws
  before the push apply / first destructive phase.
- converter: htmlEmbed source VALUE + height survive; encode/decode
  UTF-8 symmetry and '' -> ''; footnote definition body + ref/def id
  match; transclusionReference both ids survive; fix the bad
  transclusionSource fixture (wrong `pageId` attr + empty content ->
  schema `id` + a block child); nested details `open` parity test.
- orchestrator: autoMergeConflicts:true reaches engine settings; default
  false on a missing settings row.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 42e618ec7f fix(git-sync): normalize merge key against schema defaults — cover all node/mark default-attr duplication triggers (image, link, highlight, …)
The point-fix (7a7b840e) excluded only `indent: 0` via a hardcoded one-attribute
denylist (`DEFAULT_KEY_ATTRS`) applied solely to ELEMENT attributes. The same
divergence recurs for every attribute whose editor-ext (server) schema default the
LIVE Yjs doc materializes (`TiptapTransformer.toYdoc(tiptapExtensions)`) but the
git round-trip does not: the engine's `markdownToProseMirror` emits those attrs as
explicit `null` (verified live: link mark `internal: null`, heading/paragraph
`indent: null`), which `y-prosemirror` then drops — so the same block keys
differently on the two sides, the three-way merge anchors on nothing, and the body
is re-appended every reconcile cycle (unbounded, no client connected). The denylist
also could not reach MARK attributes at all (marks are serialized raw in the
XmlText delta), so the link mark's `internal` mismatch survived.

Replace the denylist with a normalization derived from the ACTUAL ProseMirror
schema (`getSchema(tiptapExtensions)`, memoized): in `serializeXmlNode`, drop any
ELEMENT attribute whose value equals its node's schema default (or is
null/undefined), and normalize each XmlText delta op's MARK attributes the same way
against `schema.marks[name].spec.attrs`. The volatile block `id` stays excluded and
genuine non-default values (a real `indent: 2`, `align: "left"`, `link.href`,
highlight color) stay in the key. This is general — it covers indent, image.align,
link.internal, highlight.colorName, youtube/pdf and any future node/mark — not
another per-attribute denylist. Schema build is wrapped so a degenerate test stub
(`tiptapExtensions: []`) degrades to dropping only null/undefined.

Tests: new `yjs-body-merge.schema-defaults.spec.ts` models image/link/highlight
both hand-built and through the REAL `TiptapTransformer.toYdoc` materialization
(live defaults vs engine-style explicit nulls, base stale-by-one) — RED before
(4 ops / growth), GREEN after (0 ops). Existing idempotency + open-editor
convergence suites still pass (261 server collab+git-sync tests, tsc clean).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 857a0064f7 fix(git-sync): make reconcile import truly idempotent — stop runaway whole-body duplication
The live Yjs document materializes the editor-schema default `indent: 0` on
every paragraph/heading (and on the paragraph inside every list item, callout,
and table cell), but a body re-imported from git — parsed from clean markdown —
carries no indent attribute. So every live block's merge key differed from the
same block coming back from git: the three-way merge could anchor on nothing,
and the trailing unit that git's export already contained (but the merge could
not match against the byte-identical live tail) was re-appended on every
reconcile cycle. Each grown export then diverged from the last-pushed base by one
more unit — a self-sustaining, unbounded whole-body duplication loop with no
client connected.

The prior fix (0c7b73f7) excluded the volatile block `id` from the key, which
was necessary but not sufficient: `indent: 0` is a CONTENT attribute the editor
stamps as a default, so it was never stripped. Normalize editor-materialized
schema defaults (`indent: 0`) out of the block key — only the default value, so a
genuine `indent: 2` still diffs and lands — so a live block compares equal to its
git-round-tripped twin and the resync is a true no-op.

Regression test (yjs-body-merge.idempotency.spec.ts) encodes the invariant on a
body of byte-identical units (heading + paragraph + callout + table with empty
cells): a live fragment carrying indent:0 + ids merged against the git-derived
fragment (neither) with a stale-by-one base applies 0 ops and does not grow — RED
before, GREEN after.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 daf6c9ea16 fix(git-sync): propagate remote custom-event handler errors instead of 30s timeout
When a git-sync body write (gitSyncWriteBody) is routed to the collab instance
that owns the doc, the handler runs remotely inside handleRedisMessage and CAN
throw (markdown->ProseMirror transform). Previously the throw was uncaught: the
customEventComplete reply was never published, so the origin's writePageBody
promise only rejected after customEventTTL (~30s) as a generic 'TIMEOUT', and an
unhandledRejection escaped the async messageBuffer listener on the owning
instance.

Now the owner wraps handleEventLocally in try/catch and, on throw, publishes a
customEventComplete carrying an `error` field on the same correlation channel.
The origin's pendingReplies holds {resolve, reject} and rejects promptly with the
real Error. The TTL TIMEOUT remains as the fallback for a genuinely lost reply.
The no-throw and local (same-instance) paths are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 9e69d917ee fix(git-sync): converge git-ingest with open editor sessions — stop silent revert/data-loss on live pages
A git push to a page with an OPEN editor was silently reverted: the git
commit landed and the DB body updated, but the page in the browser stayed
on the old content and the editor's next autosave overwrote the git change.

Root cause (distributed, not in the merge): writeBody applied the body
merge via collabGateway.openDirectConnection on whichever instance/process
runs git-sync (the api/worker). When an editor is connected to a DIFFERENT
collab instance/process, that opens a SEPARATE, detached Y.Doc. The merge
landed in the detached doc + DB, but the live editor's Y.Doc never received
the Yjs update; its debounced autosave then persisted its STALE state over
the DB, reverting the git change (and, for concurrent edits to different
paragraphs, losing the git side). In one process the bug is invisible
because the direct connection already shares the editor's doc.

Fix: route the body write through the existing custom-event channel (the
same mechanism comment-marks and updatePageContent use) so the merge runs
on the instance that OWNS the live doc. Its update is then broadcast to
every connection (Document.handleUpdate) and the editor's CRDT converges on
the merged result. New CollaborationGateway.writePageBody dispatches to a
new gitSyncWriteBody handler (builds incoming/base docs before opening the
connection — crash-safe — then 3-way/2-way merges into the live fragment);
without redis it runs locally on the single (owning) instance. writeBody
now just forwards the converted ProseMirror bodies + service userId.

Evidence:
- git-ingest-convergence.spec.ts: deterministic two-Y.Doc repro. PATH B
  (undelivered update) asserts the LOSS (the bug); PATH A (update delivered,
  as the owner-routed write does) asserts the git change SURVIVES and that
  concurrent edits to different paragraphs both survive.
- collaboration.handler.git-sync.spec.ts: exercises the real gitSyncWriteBody
  against a shared doc wired to a connected "editor" doc (models the
  owning-instance broadcast) — editor converges, concurrent edit preserved,
  crash-safe on transform failure.
- gitmost-datasource.service.spec.ts: writeBody now routes via writePageBody
  (RED before this change — it called openDirectConnection).

Honest scope: the failure is cross-instance; full multi-instance convergence
needs a live Hocuspocus + redis and is not provable in a unit test, so the
convergence invariant is captured at the Yjs update-exchange level.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 2594828758 fix(git-sync): idempotent first-block reconciliation — stop start-of-doc content duplicating every sync cycle
The block-level body merge keyed each block by its full attribute set,
including the per-block UniqueID the editor stamps on every heading/paragraph.
A body arriving from git is parsed from clean markdown and carries no block
ids, so a live block (id present) never matched the same block coming from git
(no id). The three-way merge's LCS could not anchor on it, and an incoming
block with no matching anchor — content inserted at the TOP of the page — was
re-added on every push/pull cycle: a non-convergent, unbounded duplication loop.

Exclude the volatile 'id' attribute from the block comparison key
(serializeXmlNode) so blocks compare by content across the git round-trip.
The merge keeps the live block INSTANCE (and its id, and any in-flight edit)
for an anchor — picks are by index, not key — so identity is preserved while
reconciliation becomes idempotent. Mirrors canonicalize.ts, which already
strips the regenerated block id from the round-trip idempotency comparison.

Adds a RED-before-fix repro modelling the live-id vs git-no-id asymmetry and
asserting no block growth across cycles.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 b5ce63a956 feat(git-sync): Obsidian-native callouts (> [!type]) instead of :::type
Callouts now export as Obsidian's blockquote-callout syntax — `> [!type]` opener
plus a `>`-prefixed body — so they render as real callouts when the vault is
opened in Obsidian, instead of `:::type` (Docusaurus-style) which Obsidian shows
as a plain blockquote.

- Export (markdown-converter `case "callout"`): `> [!type]` + each body line
  blockquote-prefixed (a blank line becomes a bare `>` so the callout is not
  split). Nested callouts naturally become `> > [!type]`.
- Import (preprocessCallouts): a new branch recognizes `> [!type]` openers and
  the contiguous `>`-prefixed body, strips one blockquote level and recurses (so
  nested callouts work), emitting the same callout div the `:::` path produces.
  The legacy `:::type` parser is KEPT so existing vaults keep importing. A plain
  blockquote (no `[!type]`) stays a blockquote.

Tests: 4 converter golden tests updated to the new `> [!type]` output; 4 new
import tests (simple, nested, round-trip, plain-blockquote-untouched). The §13.1
gate still round-trips callout losslessly through the real server schema.
git-sync vitest 675 (+1 expected-fail), gate 27.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 e777ebcf4f feat(git-sync): remove the per-cycle delete cap; deletes apply + are logged every cycle
The delete cap (GIT_SYNC_MAX_DELETES_PER_CYCLE, default 5) was a defense-in-depth
guard that SUPPRESSED a cycle's deletions when the planned count exceeded the
limit. In practice it was a crutch over engine correctness that also blocked
legitimate deletes: deleting a folder with many child pages is a normal action,
and git-sync deletes are SOFT (Trash, reversible), so a blocking limit has little
upside and real downside. There is also no user-facing surface to "confirm" a
large delete from a background sync — the only channel is the operator log.

So: drop the cap entirely. Deletes apply unconditionally; every cycle already
logs its full push plan, per-action `delete: <pageId>` lines, and completion
counts through the engine `log`, so what was deleted (and what was skipped) is
always recorded. Engine correctness (the reconcile/layout/round-trip tests) is
what prevents phantom deletions — not a blocking cap.

Removed: orchestrator `resolveApplyClient` cap hook + `maxDeletes`,
`getGitSyncMaxDeletesPerCycle`, the `GIT_SYNC_MAX_DELETES_PER_CYCLE` env/validation/.env.example,
and the cap tests. (The engine's generic optional `resolveApplyClient` hook is
left as an unused extension point.)

server tsc clean, git-sync + environment jest 174.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 abd6e3948b fix(git-sync): preserve subpages.recursive and details.open on round trip
Found proactively by deepening the round-trip test from node-TYPE survival to
ATTRIBUTE fidelity (distinctive attr values per node). Two real losses (the
other 3 candidates — mathInline/mathBlock/pageEmbed — were verified to be
correct; the probe had used wrong attr names):

- subpages `recursive`: the converter emitted a bare div and the schema mirror
  didn't model the attr, so a recursive subpages reverted to non-recursive on a
  round trip. Now emits `data-recursive="true"` and the mirror parses it back
  (matching @docmost/editor-ext).
- details `open`: the `open` (collapsed/expanded) state lives on the details
  node, but the converter emitted the `<details>` wrapper from the summary case
  without it, so the state was dropped. The wrapper now carries `open`.

The round-trip test now also asserts attribute fidelity (12 cases) so these are
locked. Schema-surface snapshot updated for the new subpages attr.

git-sync vitest 671 (+1 expected-fail), §13.1 gate 27.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 5125296bfa fix(git-sync): subpages round-trips (was {{SUBPAGES}} literal) + exhaustive all-node round-trip test
subpages exported to the literal `{{SUBPAGES}}`, which has no markdown/HTML
inverse, so on re-import it came back as a plain paragraph holding the visible
text "{{SUBPAGES}}" — the embed rendered as that literal string on the page
after a sync (round-trip data loss, seen live). It now emits the schema-matching
`<div data-type="subpages">` like every other embed node, so the schema's
parseHTML rebuilds the subpages node. Also dropped the leaf-atom content-hole
in the subpages renderHTML.

New committed regression coverage:
- packages/git-sync/test/roundtrip-all-nodes.test.ts — exhaustive serialize ->
  deserialize round trip for ALL 40 node/mark types; each asserts the node/mark
  survives and no `{{...}}` literal leaks. This is the test that caught subpages.
- §13.1 gate (git-sync-converter-gate.spec.ts): subpages added to the green
  corpus (round-trips through the REAL server schema).
- Corrected two PR-authored tests that asserted the old {{SUBPAGES}} loss as
  "by design" — they now assert the fixed round trip.

Also folds in review #1679 coverage-gap tests (no prod change): orchestrator
pollTick/enabledSpaces, datasource 3-way merge dispatch, page.repo
last_updated_source provenance SQL.

git-sync vitest 659 (+1 expected-fail), server tsc clean, server specs green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 452a752264 fix(git-sync): don't run a Docmost cycle on receive-pack info/refs (fixes deterministic push 503)
A git push is a two-request exchange: GET info/refs?service=git-receive-pack
(ref advertisement) then POST git-receive-pack (the pack). The git-HTTP host
classified BOTH as serviceKind 'write' and routed both through
ingestExternalPush, which takes the per-space lock and runs a FULL Docmost
reconcile cycle. So the read-only info/refs advertisement held the lock while a
cycle ran, and the client's immediately-following POST git-receive-pack collided
with that still-running cycle and got 503 — deterministically, every push (and
Obsidian Git's "scan" failed for the same reason, since it probes push
capability via the same receive-pack info/refs).

Fix: only the actual pack-receiving write (POST git-receive-pack) runs under the
lock + cycle. Everything else streams the http-backend directly with no lock and
no cycle — a fetch/clone (read) AND the write-AUTHORIZED but read-only
info/refs?service=git-receive-pack advertisement. Authz is unchanged (the gate
still requires write permission for receive-pack refs); only the side effect of
running a cycle on a read-only request is removed.

Verified end-to-end on a live stand: clone, then `git push` of a new file lands
the page in Docmost (was 503 on every push before). Regression test added.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 a40a00d5c5 feat(git-sync): per-space toggle for conflict-marker handling on push (#13)
Red-team #13 (conflict markers reaching Docmost) is now a per-space policy
exposed as a UI toggle, instead of a hardcoded behavior. New boolean
`gitSync.autoMergeConflicts` (default FALSE), mirroring the existing per-space
`gitSync.enabled` flag end-to-end (jsonb space settings -> update-space DTO ->
space.service -> client types -> space settings form switch):

- OFF (default, safe): a page whose committed body still has unresolved git
  conflict markers is NOT pushed — it is recorded as a per-page push FAILURE
  ("unresolved conflict markers — resolve in git first"). Recording a failure
  (not a soft skip) deliberately HOLDS refs/docmost/last-pushed so the conflict
  commit is never marked pushed and a later pull cannot clobber the user's
  in-progress resolution; the page retries until the conflict is resolved in git.
- ON: the marker lines are stripped and both sides' content is pushed (the prior
  behavior), so the conflict becomes visible/fixable inside Docmost.

The engine Settings carries `autoMergeConflicts`; runPush threads it into the
update AND create paths. The orchestrator's buildSettings reads the per-space
flag from jsonb (strict opt-in like `enabled`, default false).

Tests: redteam-push-cycle #13 rewritten (default -> not pushed + failure + refs
held; ON -> strip-and-push); space.service + edit-space-form + orchestrator
specs extended. git-sync vitest 618, server jest space+git-sync 163, client
edit-space-form 11, server/client tsc clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 81c0226be7 docs(git-sync): document GIT_SYNC_BACKEND_TIMEOUT_MS, drop dead consts, fix dangling plan refs
Address the non-red-team documentation/cleanup items from review #1679:
- Document the GIT_SYNC_BACKEND_TIMEOUT_MS watchdog (git http-backend) in
  .env.example and add it to the environment validation schema — it was used
  (getGitSyncBackendTimeoutMs, default 120000) but undocumented/unvalidated.
- Remove the dead GIT_SYNC_DEBOUNCE_MS_DEFAULT / GIT_SYNC_POLL_INTERVAL_MS_DEFAULT
  exports (never imported; environment.service is the single source of defaults).
- Redirect the dangling `plan §X.Y` comment references to issue #194 (the
  git-sync spec moved there when docs/git-sync-plan.md was deleted by this PR).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 d5079aa1d8 fix(git-sync): red-team hardening — 12 confirmed sync-breaking bugs + regression tests
A 10-agent red-team pass on the two-way Docmost<->git sync surfaced 16 ranked
findings (9 others triaged out as already-defended). Wrote a reproduction test
per finding (each asserts the CORRECT behavior, so it fails on the bug), then
fixed the production code so every repro goes green. All confirmed bugs:

Round-trip data loss (markdown-converter.ts + docmost-schema.ts mirror):
- #1 editor-ext node types silently dropped on export — ported the 8 missing
  canon nodes (footnoteReference/footnotesList/footnoteDefinition, htmlEmbed,
  status, pageEmbed, transclusionSource/Reference) into the git-sync schema
  mirror and added converter cases that emit their schema-matching HTML instead
  of flattening unknown nodes to '' (this was the critical data-loss flagged in
  review #1679: footnotes/htmlEmbed lost on sync). Snapshot surface updated.
- #2 top-level image lost width/height/align/attachmentId — now emits an HTML
  <img> (like video/diagrams) when it carries layout attrs; bare images stay
  ![](src). Image node parses width/height as strings so they re-import.
- #3 code block containing a ``` fence corrupted on round-trip — outer fence is
  now widened to (longest-inner-backtick-run + 1).
- #16 deep nesting threw RangeError (page never synced) — added a depth guard
  (MAX_NODE_DEPTH=400) so the converter never overflows the stack.

Push/layout/cycle (engine):
- #4 disambiguation ' ~slugId' suffix corrupted Docmost titles + order-dependent
  layout — deterministic, order-independent sibling disambiguation; suffix is
  stripped from a path-derived title ONLY when the new name is exactly the old
  title plus the suffix (never a genuine retitle ending in ' ~token').
- #6 retry-adopt by (parent,title) clobbered the wrong duplicate-title sibling —
  ambiguous (parent,title) is no longer adopted (falls back to fresh create).
- #12 a new child under a new parent was created at ROOT — creates are ordered
  parent-before-child with an in-memory created-id map for parent resolution.
- #13 git conflict markers could reach Docmost — bodies are scanned and the
  marker lines stripped (a '=======' line is only treated as a conflict
  separator inside a <<<<<<< ... >>>>>>> block, so setext headings are safe).
- #15 a divergent `docmost` mirror was escalated by runPush but dropped by
  runCycle — RunCycleResult now forwards divergentDocmost to the orchestrator.

Server (merge / lock / provenance):
- #9 3-way merge lost a human's block edit when git inserted an adjacent block —
  finer-grained diff3 region merge (via lcs) preserves non-overlapping human
  edits; genuine same-block conflicts still resolve git-wins.
- #10 single-writer race — module-static liveLocks closes the same-process TOCTOU
  window, and a heartbeat refresh that cannot confirm the lock now aborts the
  cycle at its next write checkpoint (cooperative AbortSignal threaded through
  runCycle). Cross-process fencing tokens remain a follow-up.
- #14 sticky-agent provenance overrode an explicit actor='git-sync' write,
  blinding the listener loop-guard — resolveSource now lets an explicit actor
  win over the sticky-agent fallback (explicit agent still wins).

Verified: git-sync vitest 617 pass (+1 expected-fail), server unit jest 1541
pass, server tsc clean. A review pass over the fixes caught and corrected a
title-suffix over-strip, an inert abort signal, a document-wide conflict-marker
strip, and two leaf-atom content-holes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 b536a41ad3 chore(git-sync): drop stray build/ artifacts re-introduced during rebase
build/ is gitignored and compiled in CI/Docker; a few files leaked back into
the tree while replaying commits onto develop. Remove them so the package keeps
a single source of truth (src/).
2026-06-28 15:10:10 +03:00
claude_code 28d2560dfd fix(git-sync): address PR #119 review (#1571)
Resolve the code-review findings from comment #1571 on PR #119.

Engine (packages/git-sync):
- Idempotent CREATE on retry: before createPage, look the page up in the
  live Docmost tree by (parentPageId, title) and ADOPT it instead of
  duplicating when a prior cycle created it but failed to persist the
  pageId back to disk. Only trust a COMPLETE tree for the lookup; fall
  back to createPage otherwise. Covered by new tests incl. a complete=false
  regression-lock.
- Route applyPullActions diagnostics through an injected logger instead of
  bare console (thread log from the cycle).
- Add a timeout to the git execFile chokepoint (runRaw) so a hung git
  subprocess cannot wedge a sync cycle.
- Translate remaining Russian code comments to English.
- Remove dead standalone-CLI code (parseArgs/PushParsedArgs,
  parseSettings/envSchema, loadSettingsOrExit + config-errors.ts) and the
  matching index exports/specs; keep the Settings type.
- Fix the dangling docs link in package.json.
- Add a schema-surface snapshot guard so any drift in the vendored
  document schema is a loud, must-review CI failure (+ provenance header).

Server (apps/server):
- Add a configurable watchdog timeout to the spawned git http-backend so a
  stalled push cannot hold the per-space lock forever
  (GIT_SYNC_BACKEND_TIMEOUT_MS).
- Close the in-process TOCTOU window in SpaceLockService.withSpaceLock by
  reserving the slot synchronously before acquire.
- Add tests: removePage git-sync provenance (both branches), ensureServable
  force-push-protection git configs, and the phase-B+ datasource methods.

Docs / build:
- AGENTS.md: list git-sync as the fifth workspace package and note the
  three schema mirrors; fix the dangling git-sync-plan.md backlog link.
- pnpm-lock.yaml: add the missing @docmost/git-sync workspace link so
  pnpm install --frozen-lockfile (CI default) succeeds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 52959de2f3 chore(mcp): drop build/ + node_modules leftovers after rebase
These files (build/lib/footnote-analyze.js, build/lib/footnote-lex.js from the
merged footnote work, and the y-prosemirror node_modules symlink) survived the
rebase because this branch's earlier "stop committing build/ and node_modules"
commit predated them. They are gitignored (packages/mcp/build/) and generated /
symlinked, so untrack them to keep the branch consistent with that decision.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 5da12e89f9 refactor(git-sync): internalize the engine — first-class ESM, no vendoring bridge (#119 review)
Closes the architecture item from the #119 review: drop the "vendored from
docmost-sync" framing and the CJS↔ESM `Function('import()')` bridge so the engine
is a normal first-class gitmost package.

Part 1 — vendoring markers removed (prose only, zero behavior change): reworded
"VENDORED into gitmost" / "vendored from docmost-sync" / "Engine LOGIC is
byte-identical" / "it's a port" comments across the engine. Behavior-bearing
strings are untouched: BOT_AUTHOR_NAME/EMAIL and the `Docmost-Sync-Source:`
provenance trailers (changing them would break git authorship + the loop-guard).

Part 2 — the package is now ESM (matching the sibling @docmost/mcp): `type: module`,
tsconfig Node16, `.js` extensions on relative imports, and a static
`import { marked }` replacing the `new Function('return import(...)')` /
`loadMarked` hack — the bridge is GONE from the package. The CommonJS NestJS
server loads the now-ESM engine via a new `git-sync.loader.ts` that mirrors the
existing `docmost-client.loader.ts` mcp loader exactly (Function-indirected
dynamic import + cached promise + retry-on-reject). The 4 server consumers
(orchestrator/datasource/vault-registry/git-http-backend) call `await loadGitSync()`
for value exports; types stay `import type` (erased). The converter-gate spec —
which needs the real converter — loads the package's TS source via a jest
moduleNameMapper + isolatedModules (documented in that spec); the other git-sync
specs mock the loader.

Verified: engine builds pure ESM (no Function/require leftover), vitest 614,
editor-ext build, server + client tsc, full server jest 1397/0. Live stand
smoke-test: server starts clean on the ESM engine (no ERR_REQUIRE_ESM), a real
sync cycle runs through the loader, and the basic e2e suite is 12/12 (clone via
git-http-backend, push, pull, delete, 3-way merge — all through the new loader).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 3a91e0eca9 test(git-sync): add missing DTO/User imports for the rebased git-sync provenance spec block
The rebase folded develop's agent-provenance PageService spec and the git-sync
provenance spec into one file; the appended git-sync block needs CreatePageDto /
UpdatePageDto / User imports that develop's spec (which used inline `as any`) did
not have. Server tsc + the suite (158 tests, both provenance blocks) green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 2e83c9cebf fix(git-sync): git-http stream error handlers + close test gaps (#119 review)
Addresses the stability + test-coverage warnings from the #119 review:

- git-http-backend.service.ts: add `'error'` handlers to child.stdout/stderr. An
  EventEmitter 'error' with no listener (e.g. EPIPE when the client aborts
  mid-response) is rethrown by Node as an uncaught exception and crashes the
  process; now swallowed + logged (never echoed to the client).
- TEST INFRA: a jest setupFile shims `navigator`/`MessageChannel` for the `node`
  testEnvironment. react-dom@18 reads `navigator` at module-init (pulled in via
  @docmost/editor-ext -> @tiptap/react), so every spec transitively importing the
  conversion engine — including git-http.service.spec.ts — previously FAILED TO
  LOAD ("navigator is not defined") and ran ZERO tests. With the shim those specs
  now run (git-sync integration: 11 suites / 133 tests green).
- git-http.service.spec.ts: cover the 503 lock-held push path — `ingestExternalPush`
  rejecting `GitSyncLockHeldError` -> 503 + Retry-After + "git-sync busy, retry",
  no double header write (+ the already-headers-sent no-rewrite path).
- git-http-backend.service.spec.ts: unit-test run() — child 'error'/'close' before
  headers -> 500; normal CGI parse+stream; stdout/stderr 'error' (EPIPE) swallowed;
  synchronous spawn throw -> 500.
- page-change.listener.ts: implement OnModuleDestroy to clearTimeout all pending
  debounce timers on shutdown (+ test).
- .env.example: vaults are non-bare working repos, not "bare repos".

(Docs deleted by the stray commit were restored in 9cdbce54.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 f6d22a59a6 fix(git-sync): screen non-page files out of PUSH (CRITICAL — review)
Self-review of phase 3 caught a data-corruption regression: nativeMeta always
supplies the run's spaceId, so the planner's 'create-without-spaceId' skip — which
had doubled as the only filter for non-page files — went dead. An ADDED
.obsidian/*.json, attachment, or dotfile (committed to the vault, no .gitignore)
would then be classified as a CREATE: a junk Docmost page, plus a gitmost_id
frontmatter written INTO the file, corrupting it.

Fix: isPageFile(path) — a .md file with NO dot-segment anywhere — and filter the
diff to page files at the very top of computePushActions, BEFORE any
classification, so non-page A/M/D/R are ignored (design §Адопция). 2 unit tests
pin it (.obsidian/json, attachment, dotfile, dot-segment, .md dotfile all ignored;
real pages still created). 614 engine tests green.

Also: refreshed stale docmost:meta comments to gitmost_id (review SUGGESTION), and
documented the deferred adoption frontmatter-preservation gap (review WARNING) in
page-file.ts + the design doc (do NOT roll native onto a real vault with Obsidian
properties until phase 4 round-trips them).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 6baad935f9 docs(git-sync): mark thin-meta phases 2 + 3 done in the plan
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 d255afa611 feat(git-sync): phase 3 — PUSH reads native gitmost_id + derives title/parent from path
PUSH now consumes the native-Obsidian format end-to-end:
- identity from the gitmost_id frontmatter (parsePageFile), not docmost:meta;
- title from the FILENAME, parentPageId from the enclosing folder's folder-note
  (parentFolderFile is now FOLDER-NOTE aware: a child's parent is dir/dir.md, and
  a folder-note's own parent is one level up), spaceId from the run (every vault
  file belongs to the vault's space);
- CREATE derives title/parent/space from path + run and writes the assigned
  pageId back as gitmost_id frontmatter (serializePageFile);
- UPDATE pushes the STRIPPED body (current + 3-way-merge base), so the frontmatter
  never leaks into Docmost content; the loop-guard hashes the body.

The PURE delete-sensitive classifier (computePushActions/classifyRenameMoves) is
UNCHANGED — only the injected IO resolvers (metaAt, parent, create write-back)
switched source. nativeMeta always carries the run spaceId, so the legacy
'create-without-spaceId' skip no longer fires through runPush.

Tests rewritten to native fixtures + folder-note parent paths; the noop case is
now a child under a renamed parent folder (filename=title, so a path-only-noop
needs an ancestor rename). parentFolderFile tests cover leaf/folder-note/nested/
dotted. 612 engine tests green; engine rebuilt.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 73c5c44301 feat(git-sync): phase 2b — PULL writes native gitmost_id frontmatter
PULL now serializes each page as the native-Obsidian format (serializePageFile:
a minimal gitmost_id frontmatter + the fixpoint markdown body) instead of the
heavy docmost:meta envelope. title/parent/space are derived (filename / folder /
repo), so only the pageId is persisted. readExisting recovers identity from the
gitmost_id frontmatter (parsePageFile) instead of docmost:meta.

Extracted stabilizePageBody() (the export->import->export fixpoint, no meta) so
the native writer and the legacy serializer share the same deterministic body —
re-pulls of an unchanged page stay byte-identical (loop-guard).

Tests: read-existing fixtures rewritten to gitmost_id; apply-pull asserts the
written text is native frontmatter and carries NO docmost:meta (regression
guard). 611 engine tests green.

NOTE: PUSH still reads docmost:meta — the end-to-end cycle is intentionally NOT
runnable until phase 3 (PUSH reads frontmatter + derives title/parent from path)
lands; no vault is wiped/deployed until then.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 8c42c4f0d6 feat(git-sync): phase 2a — folder-note layout (parent -> Folder/Folder.md)
Native-Obsidian structure: a page WITH children now lives at its folder-note
<name>/<name>.md (LostPaul Folder Notes convention) with its children alongside;
a leaf stays <name>.md. Folder-notes claim their canonical path before a
same-named child, so the child (a leaf) is the one disambiguated, never the
folder-note — a folder X/ always contains its own note X.

Format-agnostic and safe in isolation: only the destination PATH changes, the
file content/serialization is untouched, so an existing parent relocates via the
move-by-id path (no delete). The frontmatter format flip (pull+push) is next.

6 new layout unit tests (leaf / parent / nested / child-named-as-parent /
twin-parents / childless). 611 engine tests green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 071eae4e2a feat(git-sync): drop legacy docmost:meta back-compat (vaults wipe+rebuild)
Per owner: test data, no migration. parsePageFile no longer reads the old
docmost:meta block — a file without a gitmost_id frontmatter is simply un-tracked
(adopt). Vaults are a cache: rm -rf on the transition, rebuilt native from
Docmost. Simplifies the format work (no fallback). Doc updated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 a91405632e feat(git-sync): native-Obsidian format — phase 1 = page-file (frontmatter gitmost_id)
Pivot the thin-meta design to "the vault IS a native Obsidian vault": clean
markdown + a minimal YAML frontmatter `gitmost_id:` (the durable pageId, travels
with the file so identity survives any move); folders mirror the page tree with
the parent's body as a folder-note `<Folder>/<Folder>.md` (LostPaul Folder Notes
convention); links as `[[wikilinks]]` (basename-resolved → reparent never breaks a
link, only retitle does); collisions disambiguated Obsidian-style; `.obsidian/`
and non-page files left untouched (no .gitignore). Verified the conventions
against the Obsidian/Folder-Notes docs.

Replaces the abandoned `.gitmost/index.json` sidecar (path-keyed → fragile to
git-undetected renames; the in-file id is self-sufficient): removes vault-index.ts.
Adds lib/page-file.ts — parsePageFile/serializePageFile (frontmatter id + clean
body) with a LEGACY `docmost:meta` fallback for migration. 6 unit tests; engine
suite green. Not yet wired into pull/push — no behavior change. Design doc
rewritten to the native-Obsidian format.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 5d4eb8ede2 docs(git-sync): thin-meta design — identity must travel with the file (B/C) + link-sync phase
Captures the design discussion: a path-keyed sidecar is NOT a safe source of
truth (a git-undetected rename loses the page), so the id must travel WITH the
file — either as a slugId suffix in the filename (B) or a minimal YAML frontmatter
`id:` (C); both robust, B/C is the open UX decision (author leans C for clean
names). The sidecar may remain an optional path->id cache. Adds phase 6 — link
sync between notes: Docmost links are by pageId (survive rename), vault markdown
links are by path (rewrite on rename, Obsidian-style); independent of B/C and the
format phases.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 aa1ee64b7a feat(git-sync): thin-meta phase 1 — the .gitmost/index.json sidecar module
Pure read/write/lookup for the vault sidecar index that will hold page identity
(pageId) + collision token (slugId) keyed by file path, so the .md files can be
clean markdown. parseVaultIndex is tolerant (missing/garbage/bad entries degrade
to empty/skipped — never crashes a cycle); serializeVaultIndex is deterministic
(sorted keys -> stable diffs, no churn). Lookups (pageIdAt, pathForPageId reverse,
trackedPageIds) + mutations (set/remove/move). NOT wired into pull/push yet — no
behavior change. 5 unit tests; engine suite green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 53febfd5b9 docs(git-sync): design for thin meta + third-party-editor support
All service metadata moves into a single `.gitmost/index.json` sidecar; the `.md`
files become clean markdown (Obsidian & any editor work directly). The page tree
mirrors the folder structure (folder = parent page; the parent's body lives in
`<Folder>/index.md`); collisions disambiguate by a `~<slugId>` filename suffix
with identity tracked by pageId in the index (safe renames, never delete+create —
backed by 5133bb34). Bare files/folders from a third-party editor are adopted into
pages. Includes the migration path off the current `docmost:meta`-in-file format
and a phased plan (each phase gated by engine unit tests + the browser e2e +
isolated shell e2e). Agreed with the owner 2026-06-24.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 a2ac08c04c test(git-sync): e2e suites provision a throwaway space — never touch real data
The shell e2e suites defaulted to the General space and created/edited pages
there, polluting real content (and, when several enabled spaces raised poll
contention, flaking on 503s). Now each suite creates its OWN throwaway,
git-sync-enabled space at setup, runs everything against it, and deletes the
space (+ its vault) on exit. Set SPACE_ID explicitly to opt into an existing
space. Also gives the basic suite the 503-retry push helper the advanced one
already had. Verified isolated: basic 12/12, advanced 23/23, no spaces/users/
pages left behind, the real space untouched.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 40ca04eb08 fix(git-sync): never trash a page whose pageId still exists in the tree (cross-cycle move) + browser e2e
Follow-up to 4376c5a6, found by a real BROWSER e2e (the flow the in-diff fix
missed). When the layout reshuffle's two halves land in SEPARATE sync cycles, the
later cycle's diff has only the DELETE of the old path — the matching add was
already pushed — so in-diff D+A coalescing can't see it, and the live page was
still trashed.

Robust fix on the identity invariant the reviewer (and the user) called out: a
page EXISTS iff its pageId is in the vault, regardless of filename. runPush now
collects the pageIds present at ANY path in the current `main` tree and passes
them to computePushActions; a deleted file whose pageId is still tracked
elsewhere is a MOVE, never a deletion. (Built only when the diff has deletes.)

Adds apps/server/test/git-sync-browser-e2e.cjs — a Playwright test that drives the
REAL Docmost web UI: log in, create several untitled pages, type a title, sync,
assert NOTHING is trashed. Reproduced the data loss before this fix; 5/5 green and
stable after. Engine suite 600 green (+2 computePushActions cases:
pageId-still-present -> skip; pageId-gone -> real delete).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 393875d910 test(git-sync): e2e guard for the untitled-page + retitle data-loss reshuffle
Reproduces the browser bug at the API level: create several untitled pages (all
collapse to the `_` fallback name), retitle one, sync — assert NO page is
trashed and all survive. Caught the data-loss bug fixed in 4376c5a6.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 c3dbee9fbf fix(git-sync): never trash a page that only MOVED (pageId-identity, not git rename heuristics) — data loss
CRITICAL data-loss bug: creating pages in Docmost (which start UNTITLED) and then
typing a title could soft-delete OTHER pages. Untitled pages all serialize to the
`_` fallback filename; the layout disambiguates them (`_.md`, `_ ~slug.md`).
Retitling one frees the bare `_` and another untitled page's file relocates into
it. git's rename detection (`-M`) can't see the move (the tiny meta-only files are
too dissimilar), so `git diff` reports it as DELETE(old) + ADD/MODIFY(new). The
push took the DELETE literally and trashed a live page.

Root cause is that the push trusted git's path-level rename heuristic for page
IDENTITY. Identity is the pageId. Fix: before emitting any delete, coalesce by
pageId — a pageId that is BOTH deleted (pre-image) AND present on the surviving
side (current meta of an ADD or a MODIFY, since a relocation into an occupied path
shows as M) is one page that MOVED, classified as a rename/move and NEVER a delete.

Reproduced + verified on a live stand: 4 untitled pages + retitle one trashed a
different page before; after the fix, retitling one (and stress-retitling all)
trashes nothing. Engine suite 598 green; 3 new computePushActions cases (ghost
D+A move -> rename; real delete still deletes; unrelated D+A stay delete+update).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 ea1f8da906 test(git-sync): basic e2e operates on a dedicated page + cleans up (no real-page pollution)
The push / 3-way-merge cases edited the FIRST real `.md` in the vault, leaving
`E2E-PUSH-*` / `E2E-MERGE-*` marker headings accumulating in a real page, and the
Docmost->git case left its created page in the Trash. Now the suite creates a
dedicated `E2E-SyncTarget-*` page and targets only that, and a teardown
hard-deletes every `E2E-*` fixture page and converges the vault on exit — so runs
never mutate real content and leave the stand clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 9baaf1ea58 test(git-sync): add advanced e2e suite — authz, protocol hardening, concurrency, data-loss guard
Output of a generate→critique subagent pass on "what the feature's tests do NOT
cover", implemented + verified against the live stand (20/20). Complements the
basic two-way suite. Covers:

- protocol shape: unknown service subpath -> 400; unknown content-type -> 415
  (global allowlist); PUT/DELETE on pack endpoints -> 400;
- path-traversal: `..%2f..`, `%2e%2e%2f`, bare `.git` space-id -> 400/404, no
  escape, never a file leak;
- authz boundaries: a gitSync-DISABLED space -> 404 (existence hidden) and flips
  to 200 when enabled; a READER member can fetch (200) but is FORBIDDEN to push
  (403); a NON-member of an enabled space gets 403 (NOT 404 — the critic caught a
  wrong generator assumption here; pinned as a contract);
- concurrency: a push while the per-space Redis lock is held -> 503 + Retry-After,
  and the receive-pack does NOT mutate the vault;
- idempotency: repeated no-op cycles never churn `main` / `refs/docmost/last-pushed`;
- data-loss guard (PR #119): deleting MORE than GIT_SYNC_MAX_DELETES_PER_CYCLE is
  HELD — none trashed AND last-pushed does not advance past the delete commit
  (retry-safe, not silently dropped).

Auto-creates/tears down its fixtures (reader/non-member users, a 2nd space) and
resets the vault cache on exit so re-runs and the basic suite stay green. Needs
the vault dir + Redis container reachable (see header). A structural rename/move
case was intentionally left to the engine unit suite (git rename-similarity on
meta-only fixture pages is a fixture artifact, not a feature bug).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 71375e25ee chore(git-sync): drop now-unused dirname import (PR #119 review)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 e528988d71 test(git-sync): add a live two-way smart-HTTP e2e suite
A runnable end-to-end suite that drives a LIVE git-sync stand over the real /git
remote — the integration counterpart to the unit tests. 10 checks across the full
feature:
- the auth/authz gate: no creds -> 401, wrong password -> 401, unknown space ->
  404 (existence never revealed), valid creds on a sync space -> 200;
- fetch: git clone over HTTP returns the vault markdown;
- push: a git-side edit propagates into the Docmost page;
- Docmost -> git: a page created via the API materializes as a vault file;
- delete: `git rm` + push soft-deletes the Docmost page (Trash);
- 3-way merge: a new git edit is added without clobbering prior page content.

Parameterized via env (SERVER/SPACE_ID/EMAIL/PASSWORD/DB_CONTAINER) and isolates
its own test page. It boots nothing — see the header for the stand prerequisites
(GIT_SYNC_ENABLED + a per-space gitSync flag + a service user). This is the suite
that caught the smart-HTTP PATH_INFO 404 bug.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 dc7a0ec9f5 refactor(git-sync): move the PULL->PUSH cycle into the engine as runCycle (PR #119 review, arch #1)
The reconcile choreography (ensureRepo -> merge-check -> ensureBranch ->
checkout('docmost') -> pull -> push) was hand-rolled in the app orchestrator's
driveCycle, duplicating an order the vendored engine owns and could drift from on
upgrade — the failure mode is data clobber. Lift it into @docmost/git-sync as a
single entry point, `runCycle(deps)`. The orchestrator now calls runCycle and
keeps only the lock (its caller) and the gitmost-specific delete-cap POLICY,
injected as the `resolveApplyClient` hook (the engine does the dry-run, hands the
hook the planned delete count — Infinity if planning failed — and uses whatever
client it returns for the apply). driveCycle drops from ~150 lines to ~30.

Tests:
- engine test/cycle.test.ts: composition (merge-in-progress short-circuit;
  ensureRepo->ensureBranch->checkout staging order before the pull; the cap hook
  is consulted with the planned count; no dry-run when no hook).
- engine test/cycle-roundtrip.test.ts: runCycle against a REAL VaultGit in a temp
  repo with a faked Docmost client — a git-originated CREATE flows pull->push and
  the assigned pageId is written back; an unresolved merge short-circuits before
  any client call.
- orchestrator spec rewired to mock runCycle and assert the wiring + the
  resolveApplyClient cap policy (the engine-internal cycle-order/merge tests moved
  to the engine).

Validated end to end on a live stand (real Postgres/Redis + server): a git clone
-> edit -> push over the /git remote round-trips the change into the Docmost page
through the refactored cycle.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 969c00aaf1 fix(git-sync): drop the .git suffix from git http-backend PATH_INFO (smart-HTTP 404)
The /git smart-HTTP host 404'd EVERY fetch and push: PATH_INFO was built as
`/<spaceId>.git/<subpath>`, so `git http-backend` resolved the repo at
`<GIT_PROJECT_ROOT>/<spaceId>.git` — which does not exist. The vault is a NON-bare
working repo (the engine needs a working tree) at `<dataDir>/<spaceId>`, so the
CGI repo path must be `<spaceId>` (git http-backend serves the `.git` inside).
The URL's conventional `.git` suffix is already stripped to `spaceId` by
parseGitPath; re-appending it for PATH_INFO was the bug.

Found by standing up a full e2e stand (real Postgres/Redis + server + a real git
clone/push over the /git remote): clone and push both 404'd until this fix, after
which a clone → edit → push round-trips the change all the way into the Docmost
page.

Also extracts the CGI-env construction into a pure, exported `buildGitBackendCgiEnv`
and adds unit tests (the env build was previously untested — the gap this bug hid
in): a regression guard pinning PATH_INFO to `/<spaceId>/<subpath>` (no `.git`),
plus method/query/content-type/remote-user forwarding and the conditional
GIT_PROTOCOL.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 085a30575f test(git-sync): cover ingestExternalPush in the orchestrator spec (PR #119 review)
Closes the test-coverage warning that the smart-HTTP push ingest path was
unexercised. Adds 5 cases: receive-pack streams BEFORE the Docmost cycle; a
held lock throws GitSyncLockHeldError and runs neither the receive-pack nor the
cycle; a post-push cycle error is swallowed (the push is durable, poll retries)
while the lock is still released; a missing service user runs the receive-pack
but skips the immediate cycle; and a globally-disabled git-sync refuses without
touching the lock.

(The 503/Retry-After mapping in git-http.service is the sibling warning; its spec
is in the repo's pre-existing set of jest suites that can't load locally via the
react-dom/tiptap transform chain, so that case is left for CI.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 95bc9fe98d refactor(git-sync): extract SpaceLockService from the orchestrator (PR #119 review, arch #2)
The per-space single-writer lock — Redis CAS leader lock (SET NX PX, DEL-CAS and
PEXPIRE-CAS Lua), the in-process mutex, the per-process instanceId and the
heartbeat — lived inline in GitSyncOrchestrator. Extract it into a dedicated
@Injectable() SpaceLockService exposing one narrow surface, withSpaceLock(spaceId,
fn), so the lock is the orchestrator's only Redis-lock touch-point and is testable
in isolation. The orchestrator now injects SpaceLockService and both consumers
(runOnce, ingestExternalPush) go through spaceLock.withSpaceLock — behavior
unchanged (same sentinel returns, same 503-on-lock-held contract). Orchestrator
drops 591→472 lines.

Adds space-lock.service.spec.ts asserting the lock SEMANTICS against a fake Redis
(the test-coverage warning from the review): the SET NX/PX args, the DEL-CAS and
PEXPIRE-CAS Lua + ARGV[1]=instanceId, plus the lock-held / in-progress / throw-
still-releases paths. The orchestrator spec is unchanged in count and stays green
(it now builds the real SpaceLockService over its mock Redis).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 cca0bfe306 docs(git-sync): remove dangling references to the deleted git-sync-plan doc (PR #119 review)
The implementation spec docs/git-sync-plan.md was removed as completed, but ~44
code comments still cited it as "plan §N". Strip those citations (comments only),
keeping each comment grammatical. The vendored engine's own "SPEC §N" references
point at a different, still-present spec and are left untouched.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 0dbf85b129 refactor(git-sync): drop dead DebounceEntry.workspaceId field (PR #119 review)
The debounce map value carried `workspaceId`, but the scheduled cycle closes over
the `workspaceId` argument directly — the field was written and never read.
Replace the entry struct with `Map<string, NodeJS.Timeout>` (the timer handle is
all the map tracks). No behavior change. (page-change.listener.spec is in the
repo's pre-existing set of jest suites that can't load locally via the
react-dom/tiptap transform chain — unaffected by this change; tsc clean.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 fb357cd52e refactor(git-sync): extract shared buildLcsTable for the two block diffs (PR #119 review)
The two-way block diff (yjs-body-merge.diffBlocks) and the three-way merge
planner (three-way-merge.lcsPairs) built the identical backward-filled LCS DP
table inline. Extract it to lcs.ts (buildLcsTable); each caller keeps its own
traceback. No behavior change — merge specs unchanged and green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 177d8a31d4 fix(git-sync): hold refs on suppressed deletes + stamp delete/restore provenance (PR #119 review)
Two stability warnings from the #119 review:

1. delete-cap no longer drops deletions forever. When planned deletes exceed
   GIT_SYNC_MAX_DELETES_PER_CYCLE the apply client's deletePage now THROWS
   instead of resolving to a no-op. A throw is recorded by the engine as a
   per-page failure, so `refs/docmost/last-pushed` is NOT advanced past the
   commit that dropped the files — the next cycle re-diffs from the un-advanced
   ref and re-plans the same deletes (a transient over-cap is retried, not
   silently dropped and then recreated by the next pull). Previously a resolving
   no-op let the engine count `deleted++` with no failure, advance the ref, and
   never replay the deletions.

2. git-sync soft-delete and restore now stamp provenance. deletePage routes
   GIT_SYNC_PROVENANCE through pageService.removePage, and restorePage stamps
   lastUpdatedSource='git-sync' on the restore update — so the page-change
   listener's loop-guard (skip when lastUpdatedSource==='git-sync') recognizes
   both as its own writes instead of scheduling a wasted echo cycle. Done via a
   backward-compatible optional `lastUpdatedSource` param on
   pageRepo.removePage/restorePage (omitted for ordinary user deletes/restores).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 8fa32e8438 docs(git-sync): document GIT_SYNC_* env vars; fix stale/non-English comments (PR #119 review)
Addresses the documentation/convention warnings from the #119 review:
- .env.example: add the GIT-SYNC block (9 GIT_SYNC_* vars with defaults), noting
  GIT_SYNC_SERVICE_USER_ID is required when sync is enabled.
- yjs-body-merge.ts: translate the Russian review note in the docstring to
  English (comments-only-in-English rule).
- persistence.extension.ts: correct the stale "git-sync writes are full-body
  replaces" rationale — a git-sync write is now a block-level merge into the live
  doc, which is why it is debounced like a human edit rather than snapshotted.
- history-item.tsx: the GitSyncBadge version is created on the PUSH path (writing
  the git body back into the doc), not by the pull — fix the comment.
- edit-space-form.tsx: log the raw error in the git-sync toggle catch instead of
  swallowing it (AGENTS.md).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 807ff1f5f5 chore(mcp): stop committing build/ and node_modules; build in CI/Docker
Same hygiene fix as git-sync (review #2), applied to packages/mcp which had the
identical pre-existing problem: committed build/ (20 files) + node_modules (28,
pnpm symlinks with a baked /home/claude store path).

- git rm --cached packages/mcp/{build,node_modules}.
- .gitignore: add packages/mcp/build/ (packages/*/node_modules/ already covers it).
- Build where consumed: apps/server `pretest` and the CI Test workflow now build
  @docmost/mcp too. The Dockerfile builder already runs `pnpm build` (nx builds
  mcp) and already COPYs packages/mcp/build into the runtime image.

Verified: wiped build/, rebuilt via `pnpm --filter @docmost/mcp build`; the mcp
server suites (96 tests) pass against the freshly-built, non-committed output.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:10:10 +03:00
claude code agent 227 fa89cba023 feat(git-sync): three-way body merge using the last-synced base (no edit loss)
Upgrades the 2-way body merge to a real diff3 three-way merge (review #5), so a
block ONLY the human changed is KEPT when git changed a DIFFERENT block — the
2-way merge would revert it to git's stale version.

Engine: the push update loop reads the last-synced pre-image
(`git.showFileAtRef(refs/docmost/last-pushed, path)`) and passes it as the
optional `baseMarkdown` to `client.importPageMarkdown` (the common ancestor).

Server: gitmost-datasource converts base+incoming, and writeBody runs a block-
level diff3 (new three-way-merge.ts `diff3Plan`): live-only change -> keep live,
git-only change -> take git, both-changed -> git wins (conflict policy), inserts/
deletes from either side preserved. Without a base (createPage) it falls back to
the 2-way merge. Crash-safety unchanged (docs built before the connection opens).

Tests: three-way-merge.spec.ts (14 — every diff3 case incl. the cross-block
preservation and conflict policy), yjs-body-merge 3-way (real Y.Docs: human's
block instance preserved while git's block is applied), plus an engine test that
the base is forwarded from showFileAtRef. Existing push assertions updated for the
new base arg. git-sync 589 pass; server merge/datasource/gate 62 pass; typecheck
clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 3386bf2865 fix(git-sync): merge git body into the live doc block-by-block (no clobber)
Supersedes the active-session "defer" guard with a real merge (review #5 —
"запись делать через мерж", not skip-while-editing).

writeBody no longer does delete-all + re-insert (which discarded a concurrent
editor's in-flight changes on every sync). It now diffs the live body against the
incoming git body at TOP-LEVEL BLOCK granularity (LCS over a canonical structural
serialization) and applies only the minimal inserts/deletes:
- a block a human is editing is left UNTOUCHED when git changed a DIFFERENT block;
- an unchanged resync is a complete 0-op write;
- Yjs CRDT-merges the minimal ops with concurrent edits.

New yjs-body-merge.ts (mergeXmlFragments + cloneXmlNode + diffBlocks) is pure-Yjs
and unit-tested with real Y.Docs (8 tests): identical->0 ops, edit-one-block keeps
the other block instances, append/delete keep neighbours, marks survive the
cross-doc clone. Crash-safety kept: the incoming doc is built before the
connection opens, so a transform failure can't empty the body.

Removed: the ActiveEditSessionError defer path and the now-unused
CollaborationGateway.getActiveEditorCount.

Honest limitation: this is a 2-way merge — for a block BOTH sides changed since the
last sync, git wins (no common ancestor to decide). A full 3-way merge would need
the last-synced base plumbed from the engine; the dominant cases (unchanged
resync, edits to different blocks) are now lossless.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 98253cf614 chore(git-sync): stop committing build/ and node_modules; build in CI/Docker
Review finding #2: packages/git-sync/build/ (the COMPILED engine) and the
package's node_modules/ were committed. Prod executed the committed build/ while
CI/tests ran src/ and never rebuilt it — so a fix in src/ could pass tests while
stale compiled code shipped (a silent src/prod skew). The committed node_modules
were pnpm symlinks with a baked machine-local store path (/home/claude/...),
useless and misleading for everyone else.

- git rm --cached packages/git-sync/{build,node_modules} (42 + 31 files).
- .gitignore: ignore packages/*/node_modules/ and packages/git-sync/build/.
- Build the package where it is actually consumed: apps/server `pretest` now
  builds @docmost/git-sync (its suite imports the built build/index.js), and the
  CI Test workflow gains an explicit "Build git-sync" step. The Dockerfile builder
  already runs `pnpm build` (nx builds the package) and now COPYs the fresh build/.

Verified: wiped build/, rebuilt via `pnpm --filter @docmost/git-sync build`, then
the server converter gate (26/26, imports the rebuilt package) and the git-sync
suite (588 passed) both pass against the freshly-built, non-committed output.

NOTE: packages/mcp/ has the same committed-build/node_modules pattern (pre-existing,
out of this PR's scope) and should get the same treatment in a follow-up.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 181a8330f3 fix(git-sync): don't clobber pages with a live editing session; crash-safe body write
Review finding #5: the git -> page body write (writeBody) did a full-body replace
(delete-all + re-insert) on the shared Yjs doc. Applied while a human is editing
the page, it discarded their in-flight changes; and TiptapTransformer.toYdoc ran
AFTER the fragment was cleared, so a conversion failure could leave the page with
an empty body.

Fixes:
- Active-session guard: CollaborationGateway.getActiveEditorCount(documentName)
  reports live human (websocket) editor sessions for a doc, excluding server-side
  direct connections. writeBody now throws ActiveEditSessionError when an editor
  is connected. The engine's push loop already isolates each importPageMarkdown in
  try/catch and does not advance the loop-guard on failure, so the write is simply
  retried on the next poll once the editor disconnects — never a clobber.
- Crash-safe conversion: build the replacement Yjs update BEFORE opening the
  connection / clearing the fragment, so a transform failure can never leave the
  body empty.

Also updates the server-side converter gate spec to the corrected round-trip
shape: the block-image hoist no longer leaves a leading empty paragraph (the
git-sync converter fix in 7d39c16b, now reaching the built package).

A true merge of git content into a live Yjs session is out of scope (it needs a
real 3-way text merge with no shared update lineage); deferring the write while a
page is being edited is the safe, owner-approved minimum.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 02daccc453 fix(docker): ship packages/git-sync into the runtime image
The server requires @docmost/git-sync (main: ./build/index.js) at runtime, but
the installer stage copied only editor-ext and mcp — so the image built fine and
then crashed on startup with `Cannot find module '@docmost/git-sync'`. Copy the
package's freshly-built build/ + package.json, mirroring the mcp/editor-ext COPY
lines. (Addresses review finding #1 on PR #119.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 d06cf97ed6 test(git-sync): exhaustive converter coverage + fix 3 round-trip data-loss bugs
Coder↔reviewer design loop (9 rounds, reviewer verdict: exhaustive) produced
92 specs; implemented +123 tests (465 -> 588 passing). The new round-trip
coverage exposed three genuine data-loss bugs in the Markdown<->ProseMirror
converter, all now FIXED (round-trip is lossless for these):

1. pageBreak was lost on export (no converter case -> rendered to "" and the
   node vanished). Now emits <div data-type="pageBreak"></div>, which the schema
   parses back -> round-trips.
2. A block image between blocks left an empty <p> artifact after import-hoisting,
   producing a phantom blank-gap diff on every sync. markdownToProseMirror now
   strips content-less paragraphs after generateJSON — with a schema-validity
   guard that keeps the obligatory single empty paragraph in `content: "block+"`
   containers (tableCell/tableHeader/blockquote/column/callout/doc), so empty
   cells/quotes never become an invalid `content: []`.
3. The `code` mark combined with another mark was not byte-stable (emitted nested
   HTML that the schema's `code` `excludes:"_"` collapsed on import). The
   converter now emits code-only when `code` co-occurs, matching the editor.

New coverage spans media/diagram/details/columns/math/mention attribute
round-trips, converter emission branches, git error paths, and engine decision
branches. A dedicated test pins the empty-container schema validity (the review
catch on the bug-2 fix).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude_code 04032ae677 feat(git-sync): serve spaces over smart-HTTP (gitmost as a two-way git host)
Expose each git-sync-enabled space as a clonable/pushable git repo over HTTP,
so `git clone https://<user>:<pass>@<host>/git/<spaceId>.git` works and external
pushes flow back into Docmost pages — gitmost itself acts as the git host (no
external GitHub/Gitea, no SSH).

Transport: shell out to `git http-backend` (CGI; git is already in the runtime
image) which implements the full smart-HTTP protocol (info/refs, upload-pack,
receive-pack, protocol v2). A raw Fastify route `/git/*` (mounted at the root,
outside the `/api` prefix) bridges the request/response to the CGI; passthrough
content-type parsers for the git media types stream the raw body to stdin.

Reuse the existing engine: clients push the vault's `main` branch, whose commits
beyond `refs/docmost/last-pushed` the engine already reconciles into Docmost.

- http/git-http.service.ts — auth (HTTP Basic -> AuthService.verifyUserCredentials),
  self-resolved workspace (DomainMiddleware does not run for this raw route),
  per-space gating (global + per-space gitSync flags, 404 hides existence),
  CASL authz (Read=fetch, Manage=push), dispatch.
- http/git-http-backend.service.ts — spawn `git http-backend`, binary-safe CGI
  response parsing (Status/headers/body), stream to the socket.
- http/git-http.helpers.ts — pure path parse, service->kind mapping, gate decision
  (unit-tested); rejects literal and percent-encoded path traversal.
- orchestrator: extract reusable withSpaceLock (CAS-guarded lock heartbeat so a
  long push cannot let the lock expire mid-cycle) and add ingestExternalPush
  (receive-pack + Docmost cycle under one lock; 503 on contention).
- vault-registry: ensureServable() — ensureRepo + idempotent receive.denyCurrentBranch
  =updateInstead / denyNonFastForwards / http.receivepack / http.uploadpack.
- env: GIT_SYNC_HTTP_ENABLED (defaults to GIT_SYNC_ENABLED) + validation.
- main.ts: register the /git/* route and the git content-type parsers.

Tests: pure helpers, CGI parsing, and the GitHttpService handler (auth/gate/authz
+ workspace resolution). Server tsc + git-sync/env suites green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude_code d9d1d54aaa test(git-sync): add reviewer-requested coverage across engine, server, client
Implements the test cases called out in the PR #119 review threads
(code-review, test-strategy report, red-team) — TESTS ONLY, no production
code changes.

packages/git-sync (vitest):
- lib converter/markdown gaps: pageBreak data-loss (it.fails repro),
  subpages lossy round-trip, nested/fenced callouts, ol->taskList bridge,
  column.width number<->string drift, empty details.
- engine units: parentFolderFile, planReconciliation swap/chained move,
  buildVaultLayout last-resort-by-id, firstDivergence, applyPushActions /
  applyPullActions failure isolation.
- real temp-git integration: diffNameStatus -z rename+add/modify
  alignment, copy-line behavior, per-invocation committer identity (no
  leak into repo/global config).
- ENFORCED type-level GitSyncClient contract via vitest typecheck over a
  *.test-d.ts file (tsconfig.vitest.json; build tsconfig untouched).

apps/server (jest):
- orchestrator: delete-cap neutralization + fail-safe, Redis lock / mutex
  skip ladder + release-on-throw, merge guard, pull/push order, remote
  template substitution, poll lifecycle.
- page-change listener: loop-guard, debounce coalescing, id resolution,
  error swallowing.
- vault registry, controller authz (trigger + status), env
  validation/getters, page.service git-sync provenance stamping,
  persistence precedence (agent > git-sync > user) + no boundary snapshot,
  space.service audit-delta, space.repo jsonb-merge, converter-gate corpus
  extension (mention/math/details/marks).

apps/client (vitest + testing-library):
- history-item git-sync badge: render gating + non-clickable.
- edit-space-form toggle: initial state, optimistic payload, rollback on
  error, disabled states.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 593f181bbc fix(git-sync): address review — configurable poll, always-on loop-guard, cleanup
Comprehensive-review follow-ups (APPROVE WITH SUGGESTIONS; no critical issues):
- poll interval is now actually configurable: replaced the hardcoded
  @Interval('git-sync-poll', 15000) with a dynamic SchedulerRegistry interval
  registered in onModuleInit from getGitSyncPollIntervalMs() (cleared in
  onModuleDestroy); /status and the real cadence now share one config source.
  Boots logging 'poll interval registered (Nms)'.
- loop-guard now ALWAYS applies: the lastUpdatedSource==='git-sync' skip was
  nested inside the !spaceId/!workspaceId branch, so structural self-writes
  (CREATE/MOVE/RESTORE/SOFT_DELETE, which carry spaceId+workspaceId) bypassed it
  and re-triggered cycles. Fetch the page row once, guard unconditionally, then
  resolve space/workspace.
- remove the dead PAGE_CONTENT_UPDATED subscription (it's a BullMQ job, never an
  EventEmitter event; body edits arrive via PAGE_UPDATED).
- fix the stale datasource comment (PageService DOES stamp 'git-sync' now).
- env getters: parseInt radix 10 + NaN/<=0 fallback for poll/debounce (+ max
  deletes), with 6 new environment.service.spec tests.

tsc clean; jest 723 pass; live cycle re-verified post-refactor (ran, push
applied, unflagged 92-page space untouched).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 582e1976cc feat(git-sync): client 'Git sync' provenance badge + git in runtime image (Phase D)
- page-history history-item: a lastUpdatedSource==='git-sync' version renders a
  neutral gray 'Git sync' badge (git-merge icon), NOT the agent badge/deep-link
  (it is not an agent edit). +2 i18n keys.
- Dockerfile: install git in the installer (runtime) stage — VaultGit shells out
  to git, so assertGitAvailable() needs the binary at runtime.
Client tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 e0e01157c2 feat(git-sync): per-space 'Enable Git sync' toggle (Phase C, §7.1)
UI opt-in for git-sync, mirroring the existing sharing/comments settings pattern
(no new endpoint, no new mechanism; orchestrator read query untouched):
- UpdateSpaceDto.gitSyncEnabled?: boolean.
- SpaceRepo.updateGitSyncSettings: jsonb-merge into settings.gitSync.<key>
  (COALESCE || jsonb_build_object — never clobbers sibling sharing/comments);
  stored as a real jsonb boolean so the orchestrator's
  settings->'gitSync'->>'enabled' = 'true' matches.
- SpaceService.updateSpace handles the flag (audit diff) via the existing
  CASL-guarded space update path (Manage/Settings).
- client: Switch in edit-space-form (optimistic mutate + revert-on-error,
  readOnly-aware) + space types + 2 i18n keys.
- space.service.spec extended (calls updateGitSyncSettings; no-op when undefined).
tsc clean (server+client); jest src/core/space 4 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 8373360a67 fix(git-sync): branch choreography + strict scoping + delete cap (Phase B hardening)
Fixes found by the live pull/push e2e:
- CRITICAL: driveCycle never checked out the 'docmost' branch before
  applyPullActions, so Docmost content was written straight onto 'main',
  clobbering local file edits before push could diff them. Now checkout
  'docmost' before pull (applyPullActions commits there then checks out main +
  merges) — mirrors the engine's pull main(). Round-trip now works both ways.
- add an unresolved-merge guard (SPEC §9): skip the cycle if the vault is
  mid-merge instead of failing on checkout.
- SAFETY: enabledSpaces() is now STRICT opt-in — only spaces with
  settings.gitSync.enabled===true; removed the all-spaces fallback that synced
  every space (incl. a 92-page one) the moment GIT_SYNC_ENABLED flipped.
- SAFETY: per-cycle delete cap (GIT_SYNC_MAX_DELETES_PER_CYCLE, default 5):
  dry-run the push, and if planned deletes exceed the cap, run the apply with
  deletePage neutralized — phantom absence-deletions from a non-convergent vault
  can't soft-delete real pages. Fails safe if the dry-run throws.
- fix manual trigger: TriggerGitSyncDto.spaceId needs @IsUUID or the global
  whitelist ValidationPipe strips it (arrived undefined -> vault 'undefined').

Live-verified on an isolated flagged space: push (vault file edit -> Docmost
content, stamped lastUpdatedSource='git-sync') and pull (Docmost rename -> vault
file + meta) both work; an unrelated 92-page space stayed untouched throughout.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 e2493cafa9 feat(git-sync): GitSyncModule orchestrator + config + listener (Phase A.4b/B)
Control plane wiring (plan §5-§11):
- PageService create/update/movePage now honor provenance actor 'git-sync'
  (stamp lastUpdatedSource='git-sync'), closing the A.4a gap.
- EnvironmentService: GIT_SYNC_ENABLED / DATA_DIR / REMOTE_TEMPLATE /
  POLL_INTERVAL_MS / DEBOUNCE_MS / SERVICE_USER_ID (required-if-enabled) /
  SSH_KEY_PATH + validation.
- VaultRegistryService: per-space vault path + cached VaultGit.
- GitSyncOrchestrator: per-space Redis leader-lock (SET NX PX + CAS-Lua release,
  randomUUID instanceId) + in-process mutex; runOnce drives the vendored engine
  PULL (readExisting->computePullActions->applyPullActions) then PUSH (runPush)
  with the bound native GitSyncClient + VaultGit; @Interval poll-safety gated on
  GIT_SYNC_ENABLED; imports plain ScheduleModule (TelemetryModule owns forRoot).
- PageChangeListener: @OnEvent PAGE_* -> per-space debounce -> runOnce, with a
  best-effort lastUpdatedSource==='git-sync' loop-guard.
- GitSyncController: admin POST /api/git-sync/trigger + GET /status (ops/e2e).
- GitSyncModule registered in app.module. Enabled-space enumeration uses
  settings.gitSync.enabled, falling back to all live spaces until Phase C writes
  the flag (master gate = GIT_SYNC_ENABLED).

tsc clean; 713 tests/71 suites pass; dev server hot-reloaded the module (route
live, DI graph boots). Live pull/push round-trip verified next.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 5a4d9f84d7 feat(git-sync): native GitmostDataSource + 'git-sync' provenance (Phase A.4a)
Native data plane for git-sync (plan §3, §8.1):
- provenance: widen actor to 'user'|'agent'|'git-sync' (jwt-payload,
  auth-provenance decorator); PersistenceExtension resolves lastUpdatedSource
  with precedence agent > git-sync > user, debounced history (like a human edit,
  not the agent's immediate snapshot).
- GitmostDataSourceService implements @docmost/git-sync's GitSyncClient natively:
  reads via PageRepo/SpaceRepo (listSpaceTree complete:true, getPageJson), writes
  via PageService (create/removePage soft-delete/movePage with computed fractional
  position/update-rename/restore) + the writeBody linchpin through collab
  openDirectConnection('page.'+id, {actor:'git-sync'}) mirroring
  collaboration.handler withYdocConnection 'replace'. bind({workspaceId,userId})
  returns the context-bound client for the orchestrator.
- 10 unit/contract tests (mapping + soft-delete + move-position), tsc clean.

Known gap (closed in A.4b): PageService.create/update/movePage only branch on
actor==='agent'; git-sync provenance is already passed through so the row source
marker propagates once PageService honors 'git-sync'. Module/orchestrator/config
come next.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 70bd0dba4d feat(git-sync): vendor IO engine (pull/push/git/settings) with GitSyncClient seam (Phase A.3)
Vendor the IO engine from docmost-sync into packages/git-sync/src/engine:
- git.ts (VaultGit, execFile shell-out — verbatim)
- pull.ts (readExisting, computePullActions, applyPullActions)
- push.ts (classifyRenameMoves, computePushActions, applyPushActions, runPush)
- settings.ts adapted (pure parseSettings + Settings type; no process.env binding
  — the server builds Settings from EnvironmentService later), config-errors.ts.
CLI main()/import.meta entrypoints dropped (server drives in-process).

Client seam: new engine/client.types.ts defines GitSyncClient; pull.ts/push.ts
now use Pick<GitSyncClient, ...> instead of the non-vendored DocmostClient. Engine
logic byte-identical except a zod4-compat fix in config-errors (zod4 dropped the
issue.received==='undefined' signal; match /received undefined/ on the message).

Ported the engine unit tests (compute/apply pull+push actions, classify-rename-
moves, run-push, settings, config-errors) incl. real-git temp-repo tests: 431
pass / 3 expected-fail (was 314/3). REST/CLI-coupled upstream tests skipped
(noted). CJS build clean. No apps/server wiring yet (next step).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 b0cd4bd6cf feat(git-sync): CommonJS build + §13.1 editor-ext idempotency gate (Phase A.2)
Make @docmost/git-sync natively consumable by the CommonJS server (and jest):
build to CommonJS (tsconfig module CommonJS, drop type:module, strip .js from
relative imports), and lazy-load the only ESM-only dep (marked) via the dynamic
Function('import()') trick (mirrors docmost-client.loader.ts) with a require()
fallback so vitest's evaluator works too. git-sync tests stay green (314 pass,
3 expected fail).

Add the §13.1 idempotency gate (apps/server .../git-sync-converter-gate.spec.ts):
13 editor-ext docs (paragraphs/headings, marks, links, bullet/ordered/task lists,
blockquote, callouts, code block, hr, table, nested mix) round-trip
content(editor-ext) -> convertProseMirrorToMarkdown -> markdownToProseMirror ->
TiptapTransformer.toYdoc/fromYdoc(tiptapExtensions) -> canonicalize and assert
docsCanonicallyEqual. All green => the vendored converter's docmost-schema is
schema-compatible with editor-ext (no node/mark/attr loss), which the plan §13.1
requires before Phase B. The one intrinsic markdown-image lossiness (width/height
/align can't ride plain ![](src)) is isolated in a KNOWN DIVERGENCE block, not
hidden. Server tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
claude code agent 227 56ab17fbc2 feat(git-sync): vendor pure converter + engine into @docmost/git-sync (Phase A.1)
First step of docs/git-sync-plan.md. New workspace package @docmost/git-sync
vendoring the PURE parts from docmost-sync (HEAD b03eb35):
- lib: markdown-converter, markdown-document, canonicalize, docmost-schema,
  node-ops, diff, and an extracted markdown-to-prosemirror (only the pure
  marked->HTML->generateJSON path from upstream collaboration.ts; no websocket).
- engine (pure, no IO): reconcile, layout, sanitize, stabilize, loop-guard.
Ported the upstream pure-module + round-trip corpus tests (vitest): 314 pass,
3 expected upstream known-limitation fails. tsc clean. No server wiring yet.

docmost-schema inlines getStyleProperty (as packages/mcp does — @tiptap/core
3.20.4 doesn't export it). IO engine (pull/push/git/settings) deferred to later
Phase A/B steps; the editor-ext idempotency gate (plan §13.1) is the next step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:09:57 +03:00
341 changed files with 38510 additions and 21072 deletions
+42
View File
@@ -223,3 +223,45 @@ MCP_DOCMOST_PASSWORD=
# FAILS CLOSED if Redis is unavailable (default: 1,000,000 tokens per workspace
# per rolling day).
# SHARE_AI_WORKSPACE_TOKEN_BUDGET_PER_DAY=1000000
# --- GIT-SYNC (native two-way Docmost <-> git Markdown sync) ---
# Master switch. Off by default. When 'true', GIT_SYNC_SERVICE_USER_ID below is
# REQUIRED (the service account that git-originated create/move/rename/delete are
# attributed to) — the server refuses to boot with sync enabled and no user id.
# GIT_SYNC_ENABLED=false
#
# Serve the per-space vaults over smart-HTTP (the /git host). Defaults to
# GIT_SYNC_ENABLED when unset.
# GIT_SYNC_HTTP_ENABLED=false
#
# REQUIRED when GIT_SYNC_ENABLED=true: id of the user that git-originated page
# operations (create / move / rename / delete) are attributed to.
# GIT_SYNC_SERVICE_USER_ID=
#
# Where the per-space working vaults live (non-bare repos; the engine needs a
# working tree).
# Defaults to "<DATA_DIR or ./data>/git-sync".
# GIT_SYNC_DATA_DIR=
#
# SCAFFOLDING for the DEFERRED remote-push feature (SPEC §7) — NOT yet
# implemented and currently INERT. The vendored sync engine does not consume
# this value anywhere (git push to a remote is deferred), so setting it has NO
# effect today: vaults remain local-only regardless. It is validated and carried
# only so the wiring is ready for when remote push lands. The intended future
# shape is a per-space URL template where the literal "{spaceId}" is substituted
# per space (e.g. git@host:vault-{spaceId}.git).
# GIT_SYNC_REMOTE_TEMPLATE=
#
# Poll-safety interval in ms — the cadence of the background reconcile cycle
# (default: 15000).
# GIT_SYNC_POLL_INTERVAL_MS=15000
#
# Debounce window in ms for collapsing bursts of page edits into one sync cycle
# (default: 2000).
# GIT_SYNC_DEBOUNCE_MS=2000
#
# Watchdog timeout in ms for the spawned `git http-backend` process serving a
# git smart-HTTP push (default: 120000). A stalled/hung receive-pack is killed
# after this deadline so it cannot hold the per-space lock forever.
# GIT_SYNC_BACKEND_TIMEOUT_MS=120000
#
+7
View File
@@ -72,6 +72,13 @@ jobs:
- name: Build editor-ext
run: pnpm --filter @docmost/editor-ext build
# git-sync and mcp are no longer committed in built form (build/ is
# gitignored), so CI must compile them: the server resolves both via their
# built build/index.js. The server pretest also builds them, but building
# here keeps it explicit and independent of pnpm lifecycle ordering.
- name: Build git-sync and mcp
run: pnpm --filter @docmost/git-sync build && pnpm --filter @docmost/mcp build
- name: Run unit tests
run: pnpm -r test
+6
View File
@@ -5,6 +5,12 @@ data
# compiled output
/dist
/node_modules
# workspace package node_modules (pnpm symlinks — never commit; they bake
# machine-local store paths) and the git-sync compiled output (built in CI/Docker
# via `pnpm build`, never committed, so src/ and prod can never silently diverge).
packages/*/node_modules/
packages/git-sync/build/
packages/mcp/build/
# Logs
logs
+33 -35
View File
@@ -72,10 +72,7 @@ git log -1 --format='Author: %an <%ae>%nCommitter: %cn <%ce>'
### 4. Push and PR to develop
PRs always target `develop`. Two different mechanisms are involved: **pushing
commits is git-native** (the Gitea MCP cannot push local git history, so the
branch is still pushed with `git push`), while **the PR itself is opened through
the Gitea MCP** (see below). The `claude_code` password lives in the macOS
PRs always target `develop`. The `claude_code` password lives in the macOS
keychain as a **generic password** under service `gitea-claude-code` (do not
duplicate it as an internet-password for `gitea.vvzvlad.xyz` — that creates a
conflict with the owner's account in the git credential helper):
@@ -97,24 +94,18 @@ git remote set-url gitea "$ORIG_URL"
unset AGENT_PASS SAFE_PASS
```
The PR is opened through the **Gitea MCP** (server `gitea`), not `curl`/`tea`
the MCP authenticates in-process, so no keychain lookup or Basic-Auth is needed.
Call `pull_request_write` with:
The PR is created via the Gitea REST API (Basic Auth as `claude_code`):
- `method: "create"`
- `owner: "vvzvlad"`, `repo: "gitmost"`
- `base: "develop"`, `head: "<branch>"`
- `title`, `body` — in the body: what was done, what is out of scope,
verification results (tsc/lint/tests).
```bash
curl -s -X POST \
-u "claude_code:$(security find-generic-password -s gitea-claude-code -w)" \
-H "Content-Type: application/json" \
-d @pr_body.json \
"https://gitea.vvzvlad.xyz/api/v1/repos/vvzvlad/gitmost/pulls"
```
Manage and read PRs through the same server: `list_pull_requests`,
`pull_request_read` (`get`, `get_diff`, `get_files`, `get_status`),
`pull_request_review_write`.
**Identity note:** the MCP acts under its **own** configured Gitea token (verify
with `get_me`), a different account from the `claude_code` used for git
commits/pushes in §3. Only the forge API calls (PR / issue / review) go through
the MCP account; the commits themselves stay authored as `claude_code`.
`base: develop`, `head: <branch>`. In the PR body: what was done, what is out
of scope, verification results (tsc/lint/tests).
> If push fails with `User permission denied for writing`, then `claude_code`
> lacks collaborator rights on the repo. Ask the owner to add them (once, via
@@ -161,25 +152,23 @@ below.
| Agent user (Gitea/git) | `claude_code` |
| Agent email | `claude_code@vvzvlad.xyz` |
| Keychain password | `security find-generic-password -s gitea-claude-code -w` |
| Forge API (PR / issue / review / reads) | **Gitea MCP** — server `gitea` (`pull_request_write`, `issue_write`, `list_pull_requests`, `pull_request_read`, `label_read`, …). Authenticated in-process; acts under its own token — check with `get_me`. Repo slug on the server is `gitmost`. |
| PR API | `https://gitea.vvzvlad.xyz/api/v1/repos/vvzvlad/gitmost/pulls` (here `gitmost` is the repo's real slug on the server) |
| Base branch | `develop` |
| `origin` | GitHub mirror `vvzvlad/gitmost`**do not push**, updated by the owner's CI |
| `upstream` | The original Docmost — **never push** |
## Creating issues (Gitea MCP)
## Creating issues (Gitea `tea` CLI)
File issues through the **Gitea MCP** (server `gitea`), not a CLI — call
`issue_write` with:
Issues are filed with the official Gitea CLI `tea`, already logged in as
`claude_code` (`tea logins list` shows the `gitea` login as default):
- `method: "create"`
- `owner: "vvzvlad"`, `repo: "gitmost"`
- `title`, `body`
- `labels` — an array of label **IDs** (numbers), *not* names. Resolve a name
such as `feature` to its id first with `label_read` (`method: "list"`), then
pass e.g. `labels: [<id>]`.
```bash
tea issues create --repo vvzvlad/gitmost --labels feature \
--title '<title>' --description "$(cat body.md)"
```
Read issues with `list_issues`, `issue_read`, or `search_issues`. The MCP is
authenticated in-process, so no `tea`/`curl` and no keychain lookup are needed.
> Gotcha (tea 0.14.1): the issue body flag is `--description`/`-d`, **not**
> `--body` — passing `--body` fails with `flag provided but not defined: -body`.
---
@@ -193,7 +182,7 @@ authenticated in-process, so no `tea`/`curl` and no keychain lookup are needed.
## Monorepo layout
pnpm workspace (`pnpm@10.4.0`) orchestrated by **Nx**. Four workspace packages:
pnpm workspace (`pnpm@10.4.0`) orchestrated by **Nx**. Five workspace packages:
| Path | Name | Stack | Role |
| --- | --- | --- | --- |
@@ -201,6 +190,7 @@ pnpm workspace (`pnpm@10.4.0`) orchestrated by **Nx**. Four workspace packages:
| `apps/client` | `client` | React 18 + Vite + Mantine 8 + TanStack Query + Jotai | SPA frontend |
| `packages/editor-ext` | `@docmost/editor-ext` | Tiptap/ProseMirror | Shared Tiptap node/mark extensions, imported by both the client and the server |
| `packages/mcp` | `@docmost/mcp` | MCP SDK, Tiptap, Yjs | Standalone MCP server, also bundled into the server at `/mcp`. Does **not** import `editor-ext` — it keeps its own vendored mirror of the schema in `packages/mcp/src/lib/` |
| `packages/git-sync` | `@docmost/git-sync` | Tiptap/ProseMirror, Yjs, git | Pure ProseMirror↔Markdown converter plus the two-way Docmost↔git Markdown sync engine. Bundled into the server (loaded over the ESM bridge), built in CI and the Dockerfile. Does **not** import `editor-ext` — it keeps its own vendored mirror of the document schema (kept in sync with `editor-ext`). |
`build` targets are Nx-cached and dependency-ordered (`dependsOn: ["^build"]`), so `editor-ext` builds before the apps. `nx.json` sets `affected.defaultBase: main`.
@@ -262,8 +252,10 @@ Migration files live in `apps/server/src/database/migrations/` and are named `YY
The API server is a Fastify app with a global `/api` prefix (`main.ts` excludes `robots.txt`, public share pages, and `mcp` from the prefix). A `preHandler` hook enforces that a resolved `workspaceId` exists for most `/api` routes (multi-tenant by hostname/subdomain via `DomainMiddleware`). `GET /api/sb/:id` (the anonymous blob-sandbox read route) is listed in that preHandler's `excludedPaths`, so it is exempt from workspace resolution and carries no session auth at all (its capability is the unguessable UUID + TTL + TLS) — unlike `/api/files/public/...`, which still resolves a workspace and requires a workspace-bound attachment JWT. Auth is JWT (cookie + bearer); authorization is **CASL** (`core/casl`) — every data access is scoped to the user's abilities.
Two routes are mounted **outside** the `/api` prefix at the root, as raw Fastify routes that bypass the Nest pipeline (so neither `DomainMiddleware` nor `ThrottlerGuard` runs for them — each resolves the workspace and throttles itself): `/mcp` (the embedded MCP server, see below) and `/git/<spaceId>.git/...` (the git-sync smart-HTTP host, see below). Both share `mcp-auth.helpers.ts` (HTTP-Basic parsing, `FailedLoginLimiter`, `clientIp`) and the common `resolveRequestWorkspace` helper.
### Module structure (server)
`AppModule` wires integration modules (`integrations/*`: storage [local/S3/Azure], mail, queue [BullMQ on Redis], security, telemetry, throttle, `mcp`, `ai`) plus `CoreModule`, `DatabaseModule`, and `CollaborationModule`. `CoreModule` (`core/*`) holds the domain modules: `page`, `space`, `comment`, `workspace`, `user`, `auth`, `group`, `attachment`, `search`, `share`, `ai-chat`, etc. Each domain module follows NestJS controller → service → repo layering; DB repos live under `database/repos` and are injected app-wide from the global `DatabaseModule`.
`AppModule` wires integration modules (`integrations/*`: storage [local/S3/Azure], mail, queue [BullMQ on Redis], security, telemetry, throttle, `mcp`, `ai`, `git-sync`) plus `CoreModule`, `DatabaseModule`, and `CollaborationModule`. `CoreModule` (`core/*`) holds the domain modules: `page`, `space`, `comment`, `workspace`, `user`, `auth`, `group`, `attachment`, `search`, `share`, `ai-chat`, etc. Each domain module follows NestJS controller → service → repo layering; DB repos live under `database/repos` and are injected app-wide from the global `DatabaseModule`.
**EE removal artifact:** `app.module.ts` still contains a `try/require('./ee/ee.module')` stub. That path no longer exists, so the require fails and is swallowed (it only hard-exits when `CLOUD === 'true'`). Treat EE as gone — do not add code that depends on it.
@@ -279,10 +271,16 @@ The API server is a Fastify app with a global `/api` prefix (`main.ts` excludes
- `core/ai-chat/embedding/` — RAG indexer + a BullMQ consumer on `AI_QUEUE` that embeds pages into `page_embeddings` (vector search), complementing Postgres full-text search. Pages are (re)indexed on edit; `AI_EMBEDDING_TIMEOUT_MS` bounds a hung embeddings endpoint.
- `core/ai-chat/external-mcp/` — admins can attach external MCP servers (e.g. Tavily) to give the agent web access. **`ssrf-guard.ts` validates outbound MCP URLs against SSRF** — keep that guard in the path when touching external-MCP connection logic.
### Git-sync (native two-way Docmost ↔ git Markdown sync)
`integrations/git-sync/` (`GitSyncModule`) + the vendored pure engine in `packages/git-sync`. Off by default; gated by the `GIT_SYNC_ENABLED` master switch (and `GIT_SYNC_SERVICE_USER_ID`, the account git-originated writes are attributed to). Per-space opt-in via `space.settings.gitSync.enabled`, with a second per-space toggle `space.settings.gitSync.autoMergeConflicts` that changes PUSH behavior for a still-conflicted page (one carrying `<<<<<<<`/`>>>>>>>` markers): **off (the safe default)** records a per-page failure and holds the refs so the user resolves the git conflict first (markers never reach Docmost); **on** strips the marker lines and pushes both sides' content. Each enabled space gets an on-disk working "vault" repo; the `GitSyncOrchestrator` runs a debounced + poll-backstop reconcile cycle (PULL Docmost→vault, PUSH vault→Docmost) under a per-space Redis leader lock + in-process mutex (`SpaceLockService`). Writes go through the collaboration layer (so concurrent human edits aren't clobbered) and are stamped `lastUpdatedSource = 'git-sync'` for the listener loop-guard. The in-process `setInterval` orchestration + best-effort lock (no fencing tokens) is a known multi-replica limitation — BullMQ + fencing is the documented future direction.
- **`/git` smart-HTTP host** (`integrations/git-sync/http/`, gated additionally by `GIT_SYNC_HTTP_ENABLED`, which defaults to `GIT_SYNC_ENABLED`): a raw root-mounted Fastify route `/git/<spaceId>.git/...` (registered in `main.ts`, NOT under `/api`) that bridges `git clone`/`fetch`/`push` to `git http-backend`. It authenticates HTTP Basic against `AuthService` (throttled by a `FailedLoginLimiter` mirroring the `/mcp` path), authorizes via `SpaceAbilityFactory` (read = fetch, Manage = push), and gates existence so a non-member gets the SAME 404 as a missing/sync-disabled space (never 403 — that would leak space existence). A push runs the receive-pack under the space lock, then a reconcile cycle.
- **Schema mirror:** `packages/git-sync/src/lib/docmost-schema.ts` is one of the **three** hand-synced copies of the Tiptap document schema (see Client structure) — keep it in lockstep with `editor-ext` (canonical) and `packages/mcp`.
### Client structure
Vite SPA. Code is organized by feature under `apps/client/src/features/*` (mirrors the server domains: `page`, `space`, `comment`, `ai-chat`, `editor`, …). Conventions:
- **TanStack Query** for server state (one `queries/` file per feature), **Jotai** atoms for local/shared UI state, **Mantine 8** + CSS modules (`*.module.css`) + `postcss-preset-mantine` for UI.
- The editor is Tiptap; shared node/mark extensions live in `packages/editor-ext` and are imported by **both the client and the server** (collaboration, import/export) — editor schema changes often need to be made in `editor-ext`, not just the client. Note `packages/mcp` does *not* depend on `editor-ext`; it carries its own mirrored copy of the schema, so keep the two in sync manually when the document schema changes.
- The editor is Tiptap; shared node/mark extensions live in `packages/editor-ext` and are imported by **both the client and the server** (collaboration, import/export) — editor schema changes often need to be made in `editor-ext`, not just the client. Note neither `packages/mcp` nor `packages/git-sync` depends on `editor-ext`; each carries its own mirrored copy of the schema. There are now **three** independent copies (`editor-ext` is canonical, plus `packages/mcp` and `packages/git-sync`), so keep all three in sync manually when the document schema changes.
- API access goes through `apps/client/src/lib/api-client.ts` (axios). The `@` alias maps to `apps/client/src`.
- Runtime config is injected at build time by `vite.config.ts` via `define` (`APP_URL`, `COLLAB_URL`, `APP_VERSION`, …) — these come from the root `.env`, not from `import.meta.env`.
+16 -70
View File
@@ -12,12 +12,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- **Native two-way Docmost ↔ git Markdown sync.** Opt-in per space (Space
settings → a git-sync toggle, plus an `autoMergeConflicts` toggle that controls
whether a still-conflicted page is held back or pushed with its conflict
markers stripped): each enabled space is mirrored to an on-disk git "vault" of
Markdown files and reconciled in both directions (Docmost → vault and vault →
Docmost) on a debounced + poll-backstop cycle, under a per-space lock, writing
through the collaboration layer so concurrent human edits aren't clobbered.
Git-originated changes are attributed to a configurable service account and
carry a "git-sync" provenance badge in page history. Optionally exposes a `/git`
smart-HTTP host so you can `git clone`/`fetch`/`push` a space directly (HTTP
Basic auth, space-permission authorized). Off by default and configured via the
`GIT_SYNC_*` environment variables, including `GIT_SYNC_ENABLED`,
`GIT_SYNC_SERVICE_USER_ID`, and `GIT_SYNC_HTTP_ENABLED` (see `.env.example`).
(#119)
- **Place several images side by side in a row.** A new "Inline (side by
side)" alignment mode in the image bubble menu renders consecutive inline
images as a row that wraps onto the next line on narrow screens. The row is
centered horizontally by default in modern browsers (CSS `:has()`), falling
back to start-aligned rows in browsers without support. Unlike the float
modes, text does not wrap around inline images. The mode round-trips
images as a row that wraps onto the next line on narrow screens. Unlike the
float modes, text does not wrap around inline images. The mode round-trips
losslessly through markdown as `data-align`, like the other alignment
values.
@@ -86,53 +98,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
with the `||text||` input rule; the rendered span blurs until clicked to reveal.
The mark is preserved losslessly through Markdown export/import (as a raw
`<span data-spoiler="true">…</span>`) and on public shares. (#259)
- **Dock the AI chat window into the side menu.** The floating chat window can
be pinned to the sidebar — drag it onto the navbar (a drop-zone highlight
shows where it lands) or use the new "Dock to sidebar" header button; while
docked it fills the sidebar area and follows its live size. "Undock" (or
dragging it back out) restores the floating window, a collapsed/absent
sidebar falls back to floating, and the docked state survives a reload.
(#276, #282)
- **Hovering commented text shows the comment thread in a tooltip.** Pointing
at a highlighted comment mark pops a small card with the author and plain
text of the root comment and its replies, so a thread can be skimmed without
opening the side panel. The card appears after a short delay (no flicker on a
passing glance), skips resolved and text-less threads, and dismisses on
scroll or click — clicking a mark still opens the comments panel. (#268,
#271)
- **"Move to trash" button in the temporary-note banner.** Besides "Make
permanent", the banner on an open temporary note now also offers to trash the
note immediately instead of waiting out its lifetime. It reuses the regular
soft-delete path, so the "Page moved to trash" undo toast is the safety net —
no confirmation dialog. (#273, #277)
- **Code-block controls float as an overlay instead of taking a row above the
code.** The language selector and copy button now sit in the block's top-right
corner, and the selector stays invisible until the block is hovered or the
selector is focused, so reading code is chrome-free. In read-only views only
the copy button renders. (#275, #278)
- **The AI agent is told about your page edits between turns.** The server
snapshots the open page's Markdown at the end of every agent turn and, on the
next turn, injects a unified diff of what changed in between, so the agent
knows its earlier copy of the page is stale and builds on the user's edits
instead of reverting or overwriting them. The diff is whitespace-normalized
(pure formatting churn injects nothing) and size-capped, with a hint to
re-read the full page via `getPage` when truncated. (#274, #281)
- **Stress-accent button (U+0301) in the bubble menu.** Select a vowel and
toggle a combining acute accent over it — a Russian-style stress mark. The
accent is stored as plain text (no custom mark), so it survives Markdown/HTML
export, full-text search and public shares unchanged; the toggle is a single
undo step and re-clicking removes the accent. (#270, #280)
- **Reading position survives a reload.** The editor remembers how far you
scrolled in each page (per tab, in `sessionStorage`) and restores that
position after an F5 or reopening the document, waiting for the collaborative
content to finish laying out first. A URL `#hash` anchor still wins — restore
is a no-op then. (#266, #267)
- **The slash menu finds commands typed in the wrong keyboard layout.** A query
typed with the wrong layout active (e.g. `/сщву` for `/code`, or `/cyjcrf`
for the Cyrillic «сноска» → Footnote) is additionally remapped ЙЦУКЕН↔QWERTY
by physical key position and matched against the commands; genuine Cyrillic
search terms keep priority over remapped candidates, and short wrong-layout
prefixes match by command title. (#283, #285, #287)
### Changed
@@ -198,25 +163,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
emits a single-use "intentional clear" signal that lets exactly that one empty
write through the guard, so genuinely emptying a page is persisted while
accidental empties are blocked. (#248, #251)
- **Ctrl+Z works again right after using a table menu.** Closing a table
row/column menu (grip or chevron) left focus on the menu's portaled target
outside the editor, so undo keystrokes went nowhere until you clicked back
into a cell. The editor is now refocused after the menu closes — unless you
deliberately moved focus to another input or editable (e.g. the page title).
(#269, #279)
- **The AI reindex progress counter no longer freezes at 0.** Right after
"Reindex now" the client could read the stale pre-reindex snapshot of an
already-indexed workspace (`reindexing=false`, all pages counted) as
"finished" and stop polling on the very first tick, leaving the counter
frozen until a manual reload. Polling now keeps going until it has actually
observed the active run. (#262, #264)
- **An MCP edit can no longer be silently lost to a duplicate collab document.**
When the agent addressed a page by its short slugId, the MCP opened a
collaboration document named after that slugId while the web editor always
uses the page's canonical UUID — two independent live documents for one page,
whose debounced stores clobbered each other. The MCP now resolves every page
id to the canonical UUID before opening the collab doc (a UUID input
short-circuits locally; a slugId is resolved once and cached). (#260, #265)
### Security
+10 -1
View File
@@ -17,8 +17,9 @@ RUN pnpm build
FROM base AS installer
# git: required by the git-sync VaultGit (shells out to git)
RUN apt-get update \
&& apt-get install -y --no-install-recommends curl bash \
&& apt-get install -y --no-install-recommends curl bash git \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
@@ -38,6 +39,14 @@ COPY --from=builder /app/packages/editor-ext/dist /app/packages/editor-ext/dist
COPY --from=builder /app/packages/editor-ext/package.json /app/packages/editor-ext/package.json
COPY --from=builder /app/packages/mcp/build /app/packages/mcp/build
COPY --from=builder /app/packages/mcp/package.json /app/packages/mcp/package.json
# git-sync: the server loads @docmost/git-sync at runtime via the loader
# (git-sync.loader.ts), which deliberately does NOT `require()` it — the package is
# ESM-only, so the loader uses `require.resolve` + a dynamic `import()`. Without
# these copied build artifacts that resolve/import fails and the server crashes on
# first use. Built fresh by the builder's `pnpm build` (nx builds the package's tsc
# `build` target).
COPY --from=builder /app/packages/git-sync/build /app/packages/git-sync/build
COPY --from=builder /app/packages/git-sync/package.json /app/packages/git-sync/package.json
# Copy root package files
COPY --from=builder /app/package.json /app/package.json
+3 -6
View File
@@ -104,7 +104,7 @@ community feature, with no enterprise license. Open it from the page header; the
- ✅ **Page templates** — flag a page as a template and embed its whole content live into other pages; edits to the template propagate to every place it is inserted (whole-page transclusion on top of the existing synced blocks).
- ✅ **Public-share AI assistant** — anonymous visitors of a shared page can ask the AI agent, scoped strictly to that share's page tree (read-only, share-scoped search), behind a workspace toggle.
- ✅ **Footnotes** — academic-style footnotes: a numbered superscript reference inline (read it in place via a hover popover), with the note text living as a real, editable block at the bottom of the page; auto-numbered, collaboration-safe, and round-trips through Markdown export/import and the AI agent / MCP.
- ✅ **Temporary notes**create a note as temporary and it auto-moves to Trash after a configurable per-workspace lifetime (default 24h) unless made permanent first; create one in a click from the Home screen, any space overview.
- ✅ **Temporary notes**mark a note as temporary and it auto-moves to Trash after a configurable per-workspace lifetime (default 24h) unless made permanent first; create one in a click from the Home screen, any space overview, or the space sidebar, with a "Make permanent" rescue banner on the open note.
### In progress
@@ -187,17 +187,14 @@ start the new migrations apply on top of your existing schema (`CREATE EXTENSION
- Spaces
- Permissions management
- Groups
- Comments (with resolve / re-open and hover tooltips showing the comment text)
- Comments (with resolve / re-open)
- Page history
- Search
- File attachments
- Embeds (Airtable, Loom, Miro and more)
- Translations (10+ languages)
- Embedded MCP server (`/mcp`)
- AI agent chat over your wiki (read + write, RAG search, external MCP / web access); the chat window docks into the side menu, and the agent is told about your in-page edits between turns
- Code-block buttons as an overlay, with the language selector revealed on hover
- Stress-accent button (U+0301) in the bubble menu
- Reading scroll position restored on reload
- AI agent chat over your wiki (read + write, RAG search, external MCP / web access)
### Screenshots
+3 -7
View File
@@ -105,7 +105,7 @@ real-time-коллаборации Docmost, поэтому запись нико
- ✅ **Шаблоны страниц** — пометить страницу шаблоном и вставлять её содержимое живой ссылкой в другие страницы; правки шаблона распространяются на все места вставки (whole-page-транслюзия поверх существующих synced-блоков).
- ✅ **AI-ассистент на публичных шарах** — анонимный зритель расшаренной страницы может спросить AI-агента, который ищет строго по дереву этой шары (read-only, share-scoped поиск), за тумблером воркспейса.
- ✅ **Сноски** — сноски академического вида: нумерованная ссылка-надстрочник прямо в тексте (читается на месте во всплывающем окне по наведению), а текст сноски живёт реальным редактируемым блоком внизу страницы; авто-нумерация, безопасна для совместного редактирования, переживает экспорт/импорт Markdown и доступна AI-агенту / MCP.
- ✅ **Временные заметки**создайте временную заметку, и она автоматически уедет в корзину по истечении настраиваемого срока жизни (по умолчанию 24 ч); создать такую можно в один клик с домашнего экрана, с обзора любого пространства или из сайдбара пространства.
- ✅ **Временные заметки**пометьте заметку временной, и она автоматически уедет в корзину по истечении настраиваемого срока жизни воркспейса (по умолчанию 24 ч), если её предварительно не сделать постоянной; создать такую можно в один клик с домашнего экрана, с обзора любого пространства или из сайдбара пространства, а на открытой заметке есть баннер «Сделать постоянной».
### В процессе
@@ -174,18 +174,14 @@ dump/restore, существующий каталог данных переис
- Пространства (Spaces)
- Управление правами доступа
- Группы
- Комментарии (с резолвом / переоткрытием и всплывающими подсказками с текстом комментария при наведении)
- Комментарии (с резолвом / переоткрытием)
- История страниц
- Поиск
- Вложения файлов
- Встраивания (Airtable, Loom, Miro и другие)
- Переводы (10+ языков)
- Встроенный MCP-сервер (`/mcp`)
- Чат с AI-агентом по вики (чтение + запись, RAG-поиск, внешние MCP / доступ в интернет); окно чата закрепляется в боковом меню, а агент узнаёт о ваших правках страницы между ходами
- Кнопки код-блока оверлеем, селектор языка появляется при наведении
- Кнопка «Ударение» (U+0301) в bubble-меню
- Позиция чтения (прокрутка) восстанавливается после перезагрузки
- Slash-меню терпимо к неправильной раскладке (ЙЦУКЕН↔QWERTY)
- Чат с AI-агентом по вики (чтение + запись, RAG-поиск, внешние MCP / доступ в интернет)
### Скриншоты
@@ -1224,6 +1224,8 @@
"Ran tool {{name}}": "Ran tool {{name}}",
"AI-agent": "AI-agent",
"Edited by AI agent on behalf of {{name}}": "Edited by AI agent on behalf of {{name}}",
"Git sync": "Git sync",
"Synced from Git on behalf of {{name}}": "Synced from Git on behalf of {{name}}",
"Endpoints": "Endpoints",
"where we fetch models": "where we fetch models",
"All endpoints are OpenAI-compatible. Point the Base URL at OpenAI, OpenRouter, a local Ollama, or any self-hosted server.": "All endpoints are OpenAI-compatible. Point the Base URL at OpenAI, OpenRouter, a local Ollama, or any self-hosted server.",
@@ -1248,6 +1250,10 @@
"MCP server": "MCP server",
"expose the workspace": "expose the workspace",
"Enable MCP server": "Enable MCP server",
"Enable Git sync": "Enable Git sync",
"Sync this space's pages to a Git repository.": "Sync this space's pages to a Git repository.",
"Auto-merge conflicts on push": "Auto-merge conflicts on push",
"When off (recommended), a page whose content still has unresolved Git conflict markers is skipped on push until you resolve the conflict in Git. When on, the markers are stripped and both sides' content is pushed.": "When off (recommended), a page whose content still has unresolved Git conflict markers is skipped on push until you resolve the conflict in Git. When on, the markers are stripped and both sides' content is pushed.",
"Exposes the workspace as an MCP server at /mcp — this provides a capability, it doesn't consume a model.": "Exposes the workspace as an MCP server at /mcp — this provides a capability, it doesn't consume a model.",
"Resolves to {{url}}": "Resolves to {{url}}",
"Model": "Model",
@@ -14,22 +14,6 @@ import { notifications } from "@mantine/notifications";
import { exportSpace } from "@/features/space/services/space-service";
import { useTranslation } from "react-i18next";
// The export request uses `responseType: "blob"`, so a server error body arrives
// as a Blob rather than parsed JSON — `err.response?.data.message` is therefore
// always undefined. Read and parse the blob to surface the real error message.
async function extractExportError(err: any): Promise<string> {
const data = err?.response?.data;
if (data instanceof Blob) {
try {
const json = JSON.parse(await data.text());
return json?.message ?? "";
} catch {
return "";
}
}
return data?.message ?? err?.message ?? "";
}
interface ExportModalProps {
id: string;
type: "space" | "page";
@@ -68,9 +52,8 @@ export default function ExportModal({
});
onClose();
} catch (err) {
const message = await extractExportError(err);
notifications.show({
message: t("Export failed") + (message ? `: ${message}` : ""),
message: "Export failed:" + err.response?.data.message,
color: "red",
});
console.error("export error", err);
@@ -12,7 +12,6 @@ import TopMenu from "@/components/layouts/global/top-menu.tsx";
import { Link } from "react-router-dom";
import { useAtom } from "jotai";
import {
NAVBAR_COLLAPSE_BREAKPOINT,
desktopSidebarAtom,
mobileSidebarAtom,
} from "@/components/layouts/global/hooks/atoms/sidebar-atom.ts";
@@ -54,13 +53,7 @@ export function AppHeader() {
aria-label={t("Sidebar toggle")}
opened={mobileOpened}
onClick={toggleMobile}
// Must match the AppShell navbar breakpoint (md). The navbar
// collapses to the MOBILE drawer below md, so the mobile toggle
// (which flips mobileOpened) must be the one visible across the
// whole <md band — otherwise at 768-991 the desktop toggle showed
// but flipped the wrong atom, leaving the drawer unopenable (the
// regression from the initial sm->md navbar change).
hiddenFrom={NAVBAR_COLLAPSE_BREAKPOINT}
hiddenFrom="sm"
size="sm"
/>
</Tooltip>
@@ -70,7 +63,7 @@ export function AppHeader() {
aria-label={t("Sidebar toggle")}
opened={desktopOpened}
onClick={toggleDesktop}
visibleFrom={NAVBAR_COLLAPSE_BREAKPOINT}
visibleFrom="sm"
size="sm"
/>
</Tooltip>
@@ -6,7 +6,6 @@ import SettingsSidebar from "@/components/settings/settings-sidebar.tsx";
import { useAtom } from "jotai";
import {
APP_NAVBAR_ID,
NAVBAR_COLLAPSE_BREAKPOINT,
asideStateAtom,
desktopSidebarAtom,
mobileSidebarAtom,
@@ -89,13 +88,7 @@ export default function GlobalAppShell({
header={{ height: 45 }}
navbar={{
width: isSpaceRoute ? sidebarWidth : 300,
// `md` (not `sm`): below 992px the fixed ~300px sidebar leaves too little
// room for content — the settings tables (Members/…) overflow the offset
// content area on tablet (~768px) and clip the Role/actions columns
// off-screen with no horizontal scroll. Collapsing the navbar to a toggle
// drawer across the whole tablet band frees the full width for content
// (the mobile drawer is closed by default, so nothing overlaps on load).
breakpoint: NAVBAR_COLLAPSE_BREAKPOINT,
breakpoint: "sm",
collapsed: {
mobile: !mobileOpened,
desktop: !desktopOpened,
@@ -104,7 +97,7 @@ export default function GlobalAppShell({
aside={
isPageRoute && {
width: 420,
breakpoint: "md",
breakpoint: "sm",
collapsed: { mobile: !isAsideOpen, desktop: !isAsideOpen },
}
}
@@ -7,13 +7,6 @@ import { atom } from "jotai";
// would create a shell -> chat-window -> shell import cycle).
export const APP_NAVBAR_ID = "app-shell-navbar";
// Single source of truth for the navbar collapse breakpoint. The AppShell navbar
// `breakpoint` and BOTH burger toggles' `hiddenFrom`/`visibleFrom` MUST use this
// exact value: if they drift, the sidebar becomes unreachable on tablet widths
// (the round-1 regression of #292). Kept here so the shell and the header share
// one constant the compiler enforces, instead of three hand-synced string literals.
export const NAVBAR_COLLAPSE_BREAKPOINT = "md";
export const mobileSidebarAtom = atom<boolean>(false);
export const desktopSidebarAtom = atomWithWebStorage<boolean>(
@@ -0,0 +1,37 @@
import { Badge, Tooltip } from "@mantine/core";
import { IconGitMerge } from "@tabler/icons-react";
import { useTranslation } from "react-i18next";
interface GitSyncBadgeProps {
authorName?: string;
}
/**
* Badge marking a version produced by git-sync (provenance §8.1). The history
* version is created on the PUSH path when an incoming git body is written back
* into the Docmost doc not by the pull itself. Like {@link AiAgentBadge} it is
* ADDITIVE shown next to the human author, never replacing them but a git-sync
* edit is NOT an agent edit and has no chat to deep-link into, so it is a small,
* neutral, non-clickable label.
*/
export function GitSyncBadge({ authorName }: GitSyncBadgeProps) {
const { t } = useTranslation();
const tooltip = t("Synced from Git on behalf of {{name}}", {
name: authorName ?? "",
});
return (
<Tooltip label={tooltip} withArrow>
<Badge
size="sm"
variant="light"
color="gray"
radius="sm"
leftSection={<IconGitMerge size={12} stroke={2} />}
>
{t("Git sync")}
</Badge>
</Tooltip>
);
}
@@ -1,14 +1,7 @@
import { describe, it, expect, vi } from "vitest";
import { render, screen, fireEvent } from "@testing-library/react";
import { render, screen } from "@testing-library/react";
import { MantineProvider } from "@mantine/core";
// Spy on the markdown renderer so we can assert it is NOT called while the block
// is collapsed (the #302 fix) and IS called once on expand. The count/fallback
// tests don't depend on real markdown, so a light stub is safe.
vi.mock("@/features/ai-chat/utils/markdown.ts", () => ({
renderChatMarkdown: vi.fn((md: string) => `<p>${md}</p>`),
}));
// Stub react-i18next so `t` returns the key with `{{count}}` interpolated. This
// keeps the assertions on the component's OWN count logic (authoritative vs
// estimate) rather than on translation, and mirrors the t-mock pattern used by
@@ -24,7 +17,6 @@ vi.mock("react-i18next", () => ({
import ReasoningBlock from "./reasoning-block";
import { estimateTokens } from "@/features/ai-chat/utils/count-stream-tokens.ts";
import { renderChatMarkdown } from "@/features/ai-chat/utils/markdown.ts";
// matchMedia (read by MantineProvider) is stubbed globally in vitest.setup.ts.
@@ -70,18 +62,4 @@ describe("ReasoningBlock", () => {
// either way the text is present in the document.
expect(screen.getByText(/reasoning/)).toBeDefined();
});
it("does not parse the reasoning markdown while collapsed; parses on expand (#302)", () => {
const renderSpy = vi.mocked(renderChatMarkdown);
renderSpy.mockClear();
renderBlock({ text: "**bold** reasoning", tokens: 5 });
// Collapsed is the default. The expensive markdown parse (marked + DOMPurify)
// must NOT run for the hidden body — that O(n^2) re-parse on every streamed
// delta is exactly what froze the chat (#302). The collapsed body shows the
// cheap raw-text fallback instead.
expect(renderSpy).not.toHaveBeenCalled();
// Expanding parses the current text exactly once (a user-initiated click).
fireEvent.click(screen.getByRole("button"));
expect(renderSpy).toHaveBeenCalledTimes(1);
});
});
@@ -34,19 +34,15 @@ function ReasoningBlock({ text, tokens }: ReasoningBlockProps) {
// Authoritative count wins; otherwise estimate live from the streamed text.
const count = tokens && tokens > 0 ? tokens : estimateTokens(text);
const trimmed = text.trim();
// Parse the reasoning markdown ONLY while the block is expanded. Collapsed is the
// default and the common case during a long "thinking" stream: reasoning text
// streams in and grows with every throttled delta (~20Hz), so a `[trimmed]`-only
// memo re-parses the whole, ever-growing text (marked + DOMPurify) on every delta
// — an O(n²) storm that pins the main thread and freezes the chat, all for a block
// the user isn't even looking at (the html is only shown inside <Collapse in={open}>
// below). Gating on `open` skips that hidden parsing entirely; expanding parses the
// current text once (an instant, user-initiated click), and further streaming while
// open is the normal per-delta append render, like the answer.
// Memoize the markdown render so toggling `open` (or a parent re-render caused
// by an unrelated streamed delta) does not re-parse the reasoning text; it
// recomputes only when the reasoning text itself changes (while it streams in).
// collapseBlankLines collapses the blank-line gaps the model emits between every
// list item / paragraph so the reasoning renders compactly (tight lists, joined
// paragraphs) — ONLY here, not in the normal answer.
const html = useMemo(
() =>
open && trimmed ? renderChatMarkdown(collapseBlankLines(trimmed), {}) : "",
[open, trimmed],
() => (trimmed ? renderChatMarkdown(collapseBlankLines(trimmed), {}) : ""),
[trimmed],
);
return (
@@ -23,7 +23,6 @@ import { acceptInvitation } from "@/features/workspace/services/workspace-servic
import APP_ROUTE, { getPostLoginRedirect } from "@/lib/app-route.ts";
import { RESET } from "jotai/utils";
import { useTranslation } from "react-i18next";
import { clearPersistedTreeCaches } from "@/features/page/tree/atoms/tree-data-atom";
export default function useAuth() {
const { t } = useTranslation();
@@ -123,11 +122,6 @@ export default function useAuth() {
const handleLogout = async () => {
setCurrentUser(RESET);
// Purge the persisted sidebar tree caches (they contain page titles) so the
// cached page titles aren't left readable in localStorage on a shared
// machine. (Only the tree caches are swept; other localStorage entries
// remain.)
clearPersistedTreeCaches();
await logout();
window.location.replace(`${APP_ROUTE.AUTH.LOGIN}?logout=1`);
};
@@ -1,231 +0,0 @@
import { describe, it, expect } from "vitest";
import { Editor } from "@tiptap/core";
import { Document } from "@tiptap/extension-document";
import { Paragraph } from "@tiptap/extension-paragraph";
import { Text } from "@tiptap/extension-text";
import { ySyncPluginKey } from "@tiptap/y-tiptap";
import {
CustomTypography,
undoGuardKey,
findChangedRange,
mapRangeThroughChange,
} from "./custom-typography";
/**
* PR #296 the collab-safe typography undo-guard is exercised through the REAL
* editor path: a fresh Editor with the CustomTypography extension, transactions
* tagged exactly the way prosemirror-history / y-tiptap tag undo & remote
* changes (`setMeta("history$", …)` and `setMeta(ySyncPluginKey, …)`), plus
* direct unit tests of the two pure diff helpers. No hand-poke of plugin state.
*
* ARMING MECHANISM (verified against custom-typography.ts source):
* - A transaction arms the guard only when it is BOTH history/remote
* (`getMeta("history$")` truthy, or `isChangeOrigin` via the ySync meta)
* AND an undo/redo (`getMeta("history$")` truthy, or ySync
* `isUndoRedoOperation`), AND its whole-doc diff is a REPLACE
* (change.oldTo > change.from && change.newTo > change.from).
* - `history$` is the stringified PluginKey of the single prosemirror-history
* plugin; ProseMirror stores meta under `key.key`, so setMeta("history$")
* in a test is read identically by the extension's getMeta("history$").
*/
const singlePara = (text: string) => ({
type: "doc",
content: [{ type: "paragraph", content: [{ type: "text", text }] }],
});
const makeEditor = (text: string) =>
new Editor({
extensions: [Document, Paragraph, Text, CustomTypography],
content: singlePara(text),
});
// Build a before/after EditorState pair by applying one plain transaction.
const mutate = (text: string, apply: (tr: any, schema: any) => void) => {
const editor = new Editor({
extensions: [Document, Paragraph, Text],
content: singlePara(text),
});
const before = editor.state;
const tr = before.tr;
apply(tr, before.schema);
editor.view.dispatch(tr);
const after = editor.state;
return { before, after, editor };
};
describe("findChangedRange", () => {
it("returns null for identical docs", () => {
const editor = new Editor({
extensions: [Document, Paragraph, Text],
content: singlePara("hello"),
});
expect(findChangedRange(editor.state, editor.state)).toBeNull();
editor.destroy();
});
it("returns the minimal range for a normal middle insertion", () => {
// "hello world" (text at 1..12); insert "there " at pos 6.
const { before, after, editor } = mutate("hello world", (tr) =>
tr.insertText("there ", 6),
);
expect(findChangedRange(before, after)).toEqual({
from: 6,
oldTo: 6,
newTo: 12,
});
editor.destroy();
});
it("normalizes the INSERTION overlapping-bounds branch (repeated content)", () => {
// Insert one more 'a' into "aaaaa" at pos 3. findDiffStart lands at the end
// (6) while findDiffEnd reports an end BEFORE it ({a:1,b:2}); both ends must
// be pushed forward by the same delta -> a non-degenerate range.
const { before, after, editor } = mutate("aaaaa", (tr) =>
tr.insertText("a", 3),
);
const change = findChangedRange(before, after)!;
expect(change).toEqual({ from: 6, oldTo: 6, newTo: 7 });
// Invariant the guard logic relies on: never degenerate.
expect(change.from).toBeLessThanOrEqual(change.oldTo);
expect(change.from).toBeLessThanOrEqual(change.newTo);
editor.destroy();
});
it("normalizes the DELETION overlapping-bounds branch (F2 fix)", () => {
// Delete one repeated 'a' from the middle of "aaaaa" ([3,4)). Here
// findDiffEnd reports newTo < start, the symmetric case the old one-sided
// normalization missed -> it used to yield a degenerate range (newTo < from).
const { before, after, editor } = mutate("aaaaa", (tr) => tr.delete(3, 4));
const change = findChangedRange(before, after)!;
expect(change).toEqual({ from: 5, oldTo: 6, newTo: 5 });
// The whole point of F2: from <= newTo (and from <= oldTo) still holds.
expect(change.from).toBeLessThanOrEqual(change.newTo);
expect(change.from).toBeLessThanOrEqual(change.oldTo);
editor.destroy();
});
it("normalizes a multi-char repeated deletion (F2 fix)", () => {
const { before, after, editor } = mutate("aaaaa", (tr) => tr.delete(2, 4));
const change = findChangedRange(before, after)!;
expect(change).toEqual({ from: 4, oldTo: 6, newTo: 4 });
expect(change.from).toBeLessThanOrEqual(change.newTo);
editor.destroy();
});
});
describe("mapRangeThroughChange", () => {
const range = { from: 5, to: 10 };
it("RELEASES on a strict intersection (edit inside the guarded range)", () => {
// change straddles the interior of the guard.
expect(
mapRangeThroughChange(range, { from: 6, oldTo: 8, newTo: 7 }),
).toBeNull();
});
it("does NOT release on a boundary touch at the guard END", () => {
// Edit begins exactly at range.to (10): from < to is false -> no intersect.
expect(
mapRangeThroughChange(range, { from: 10, oldTo: 10, newTo: 12 }),
).toEqual(range);
});
it("does NOT release on a boundary touch at the guard START", () => {
// Edit ends exactly at range.from (5): oldTo > from is false -> no intersect;
// it is treated as a change fully before, shifting the guard.
expect(
mapRangeThroughChange(range, { from: 3, oldTo: 5, newTo: 8 }),
).toEqual({ from: 8, to: 13 });
});
it("SHIFTS the guard for a change fully before it", () => {
// Insert 2 chars entirely before the range (oldTo 3 <= from 5): +2 delta.
expect(
mapRangeThroughChange(range, { from: 2, oldTo: 3, newTo: 5 }),
).toEqual({ from: 7, to: 12 });
});
it("leaves the guard untouched for a change fully after it", () => {
expect(
mapRangeThroughChange(range, { from: 12, oldTo: 14, newTo: 16 }),
).toBe(range);
});
});
describe("undo-guard arming (integration)", () => {
it("arms {from, to:newTo} on a LOCAL undo-replace (history meta)", () => {
// Undo of an em-dash substitution: "a—b" restored to "a--b" — the em-dash
// (pos 2..3) is REPLACED by "--", tagged with the history plugin's meta.
const editor = makeEditor("a—b");
const { state } = editor;
const tr = state.tr
.replaceWith(2, 3, state.schema.text("--"))
.setMeta("history$", { redo: false });
editor.view.dispatch(tr);
expect(editor.state.doc.textContent).toBe("a--b");
// from = diff start (2), to = newTo = end of the inserted "--" (4).
expect(undoGuardKey.getState(editor.state)).toEqual({ from: 2, to: 4 });
editor.destroy();
});
it("does NOT arm on a REMOTE change-origin replace (no undo meta)", () => {
// Same replace, but tagged only as a y-sync remote change: history/remote
// yes, undo/redo NO -> must not arm.
const editor = makeEditor("a—b");
const { state } = editor;
const tr = state.tr
.replaceWith(2, 3, state.schema.text("--"))
.setMeta(ySyncPluginKey, { isChangeOrigin: true });
editor.view.dispatch(tr);
expect(editor.state.doc.textContent).toBe("a--b");
expect(undoGuardKey.getState(editor.state)).toBeNull();
editor.destroy();
});
it("does NOT arm on an ordinary local edit", () => {
const editor = makeEditor("a—b");
editor.view.dispatch(
editor.state.tr.replaceWith(2, 3, editor.state.schema.text("--")),
);
expect(undoGuardKey.getState(editor.state)).toBeNull();
editor.destroy();
});
});
describe("undo-guard release / shift (integration)", () => {
it("RELEASES when a later edit lands inside the guarded region", () => {
const editor = makeEditor("a—b");
editor.view.dispatch(
editor.state.tr
.replaceWith(2, 3, editor.state.schema.text("--"))
.setMeta("history$", { redo: false }),
);
const guard = undoGuardKey.getState(editor.state)!;
expect(guard).toEqual({ from: 2, to: 4 });
// Type a character inside the restored region -> guard is dropped.
editor.view.dispatch(editor.state.tr.insertText("x", guard.from + 1));
expect(undoGuardKey.getState(editor.state)).toBeNull();
editor.destroy();
});
it("keeps and SHIFTS the guard when a later edit lands before it", () => {
const editor = makeEditor("zz a—b");
// "zz a—b": em-dash at pos 5; replace the 'a' at 4..5 with "--" to arm.
editor.view.dispatch(
editor.state.tr
.replaceWith(4, 5, editor.state.schema.text("--"))
.setMeta("history$", { redo: false }),
);
const guard = undoGuardKey.getState(editor.state)!;
expect(guard).toEqual({ from: 4, to: 6 });
// Insert one char at the very start (before the guard) -> guard shifts +1.
editor.view.dispatch(editor.state.tr.insertText("Q", 1));
expect(undoGuardKey.getState(editor.state)).toEqual({ from: 5, to: 7 });
editor.destroy();
});
});
@@ -1,193 +0,0 @@
import { InputRule } from "@tiptap/core";
import {
Plugin,
PluginKey,
type EditorState,
type Transaction,
} from "@tiptap/pm/state";
import { Typography } from "@tiptap/extension-typography";
import { isChangeOrigin } from "@tiptap/extension-collaboration";
import { ySyncPluginKey } from "@tiptap/y-tiptap";
// Region restored by the latest undo — while it is intact, typography
// input rules overlapping it must not fire again.
interface UndoGuardRange {
from: number;
to: number;
}
// Exported for tests: the plugin key lets a test read the armed guard state,
// and the two pure helpers below are unit-tested directly.
export const undoGuardKey = new PluginKey<UndoGuardRange | null>(
"typographyUndoGuard",
);
// prosemirror-history does not export its plugin key, so template-editor
// undo/redo is detected via the stable stringified key. Only one
// PluginKey("history") exists in the dependency tree, so "history$" is stable.
const HISTORY_META = "history$";
const isUndoRedoTransaction = (tr: Transaction): boolean => {
if (tr.getMeta(HISTORY_META)) {
return true;
}
// Read yjs undo/redo meta via the real ySyncPluginKey object (imported, not
// a fragile stringified key), which y-tiptap sets on Y.UndoManager changes.
const ySyncMeta = tr.getMeta(ySyncPluginKey) as
| { isUndoRedoOperation?: boolean }
| undefined;
return !!ySyncMeta?.isUndoRedoOperation;
};
interface DocChange {
from: number;
oldTo: number;
newTo: number;
}
// Compute the minimal changed region between two docs. yjs undo/redo (and any
// remote change) arrives as a whole-document replace step, so the transaction
// step maps are useless — diff the docs to recover the real minimal change.
// Returns null when the docs are identical.
export const findChangedRange = (
oldState: EditorState,
newState: EditorState,
): DocChange | null => {
const start = oldState.doc.content.findDiffStart(newState.doc.content);
const end = oldState.doc.content.findDiffEnd(newState.doc.content);
if (start == null || end == null) {
return null;
}
let { a: oldTo, b: newTo } = end;
// findDiffEnd can report an end BEFORE the diff start when the changed text
// abuts repeated content (insertion -> oldTo<start, deletion -> newTo<start).
// Push both ends forward by the same delta so the range stays non-degenerate
// (from <= oldTo and from <= newTo), matching ProseMirror's own diff bounds.
const minTo = Math.min(oldTo, newTo);
if (minTo < start) {
const delta = start - minTo;
oldTo += delta;
newTo += delta;
}
return { from: start, oldTo, newTo };
};
// Map an armed guard range across a single document change described by a diff.
// Returns null when the change touches the guarded text itself (the restored
// substitution was edited, so the guard must be released).
export const mapRangeThroughChange = (
range: UndoGuardRange,
change: DocChange,
): UndoGuardRange | null => {
// Strict intersection: an edit exactly at a guard boundary (e.g. the user
// typing the suppressed space right after the restored text, or deleting it)
// must NOT drop the guard.
if (change.from < range.to && change.oldTo > range.from) {
return null;
}
// Change fully before the guard: shift the guard by the length delta.
if (change.oldTo <= range.from) {
const delta = change.newTo - change.oldTo;
return { from: range.from + delta, to: range.to + delta };
}
// Change fully after the guard: positions are unaffected.
return range;
};
// Detect history/remote transactions that may arrive as a whole-document
// replace step: prosemirror-history undo/redo, or any yjs remote-origin change
// (isChangeOrigin is the canonical predicate already used across the app).
const isHistoryOrRemoteTransaction = (tr: Transaction): boolean =>
!!tr.getMeta(HISTORY_META) || isChangeOrigin(tr);
export const CustomTypography = Typography.extend({
addProseMirrorPlugins() {
return [
...(this.parent?.() ?? []),
new Plugin({
key: undoGuardKey,
state: {
init: () => null,
apply(tr, prev, oldState, newState): UndoGuardRange | null {
if (tr.docChanged && isHistoryOrRemoteTransaction(tr)) {
const change = findChangedRange(oldState, newState);
if (change == null) {
// Attribute-only or otherwise content-neutral change: keep the
// guard.
return prev;
}
// Arm the guard only when the LOCAL user's undo/redo REPLACED text
// (deleted + inserted) — the signature of reverting an input-rule
// substitution. Pure insertions/deletions and remote peer edits
// must not arm it.
if (
isUndoRedoTransaction(tr) &&
change.oldTo > change.from &&
change.newTo > change.from
) {
return { from: change.from, to: change.newTo };
}
// Non-arming history/remote change: map the existing guard through
// the real diff instead of the (whole-document) step map.
if (!prev) {
return null;
}
return mapRangeThroughChange(prev, change);
}
if (!prev) {
return null;
}
if (!tr.docChanged) {
return prev;
}
// Ordinary local edit: minimal step maps are accurate and cheap.
let range: UndoGuardRange | null = prev;
for (const stepMap of tr.mapping.maps) {
const { from: rangeFrom, to: rangeTo } = range;
let touched = false;
stepMap.forEach((fromA, toA) => {
if (fromA < rangeTo && toA > rangeFrom) {
touched = true;
}
});
if (touched) {
range = null;
break;
}
range = {
from: stepMap.map(rangeFrom, 1),
to: stepMap.map(rangeTo, -1),
};
}
return range && range.to > range.from ? range : null;
},
},
}),
];
},
addInputRules() {
// Wrap every typography rule: skip it when its match overlaps the text
// just restored by undo, so an undone substitution is not re-applied.
return (this.parent?.() ?? []).map(
(rule) =>
new InputRule({
find: rule.find,
undoable: rule.undoable,
handler: (props) => {
const guard = undoGuardKey.getState(props.state);
if (
guard &&
props.range.from < guard.to &&
props.range.to > guard.from
) {
// Returning null skips this rule and lets the typed character
// be inserted as plain text.
return null;
}
return rule.handler(props);
},
}),
);
},
});
@@ -6,7 +6,7 @@ import { TaskList, TaskItem } from "@tiptap/extension-list";
import { Placeholder, CharacterCount, UndoRedo } from "@tiptap/extensions";
import { Superscript } from "@tiptap/extension-superscript";
import SubScript from "@tiptap/extension-subscript";
import { CustomTypography } from "./custom-typography";
import { Typography } from "@tiptap/extension-typography";
import { TextStyle } from "@tiptap/extension-text-style";
import { Color } from "@tiptap/extension-color";
import { Youtube } from "@tiptap/extension-youtube";
@@ -245,9 +245,7 @@ export const mainExtensions = [
return ReactMarkViewRenderer(SpoilerView);
},
}),
// Typography with an undo guard: does not re-apply a substitution the user
// just undid (e.g. Ctrl+Z on "1/2" -> "½" followed by another space).
CustomTypography,
Typography,
TrailingNode,
GlobalDragHandle.configure({
customNodes: ["transclusionSource", "transclusionReference", "pageEmbed"],
@@ -1,9 +1,5 @@
import { describe, it, expect } from "vitest";
import { htmlToMarkdown } from "@docmost/editor-ext";
import {
normalizeTableColumnWidths,
classifyClipboardSelection,
} from "./markdown-clipboard";
import { normalizeTableColumnWidths } from "./markdown-clipboard";
// normalizeTableColumnWidths mutates a DOM subtree (jsdom provides document).
function root(html: string): HTMLElement {
@@ -128,171 +124,3 @@ describe("normalizeTableColumnWidths", () => {
).toEqual([null, null]);
});
});
describe("classifyClipboardSelection", () => {
it("serializes a list of 2+ items as markdown", () => {
expect(
classifyClipboardSelection([{ name: "bulletList", childCount: 2 }]),
).toEqual({ asMarkdown: true, wrapBareRows: false });
});
it("leaves a single-item list as plain text", () => {
expect(
classifyClipboardSelection([{ name: "bulletList", childCount: 1 }]),
).toEqual({ asMarkdown: false, wrapBareRows: false });
});
it("serializes a whole table without wrapping bare rows", () => {
expect(
classifyClipboardSelection([{ name: "table", childCount: 3 }]),
).toEqual({ asMarkdown: true, wrapBareRows: false });
});
it("serializes a partial cell selection (bare rows) and flags wrapping", () => {
expect(
classifyClipboardSelection([
{ name: "tableRow", childCount: 2 },
{ name: "tableRow", childCount: 2 },
]),
).toEqual({ asMarkdown: true, wrapBareRows: true });
});
it("leaves plain paragraphs as plain text", () => {
expect(
classifyClipboardSelection([{ name: "paragraph", childCount: 1 }]),
).toEqual({ asMarkdown: false, wrapBareRows: false });
});
it("does not wrap when rows are mixed with other block types", () => {
expect(
classifyClipboardSelection([
{ name: "tableRow", childCount: 2 },
{ name: "paragraph", childCount: 1 },
]),
).toEqual({ asMarkdown: false, wrapBareRows: false });
});
});
// Output-level tests for the table clipboard regression: copying a table must
// yield a real GFM pipe table, NOT one-value-per-line concatenated cells.
// These exercise the actual markdown produced by htmlToMarkdown (the same
// serializer step the clipboardTextSerializer runs), so they pin the OUTPUT
// shape that the classifier-flag tests above do not cover.
describe("table clipboard markdown output (htmlToMarkdown)", () => {
// Trim each line and drop blanks so structural assertions are whitespace-robust.
function lines(md: string): string[] {
return md
.split("\n")
.map((l) => l.trim())
.filter((l) => l.length > 0);
}
// A GFM separator row like "| --- | --- |" (any number of columns), tolerant
// of the padding turndown emits.
function isSeparatorRow(line: string): boolean {
const compact = line.replace(/\s+/g, "");
return /^\|(?:-{3,}\|)+$/.test(compact);
}
// Split a pipe-delimited row into trimmed cell values.
function cells(line: string): string[] {
return line
.replace(/^\|/, "")
.replace(/\|$/, "")
.split("|")
.map((c) => c.trim());
}
it("serializes a header-less partial cell selection (bare rows) as a valid GFM pipe table", () => {
// Mirror the serializer's `wrapBareRows` branch exactly: bare <tr> nodes are
// wrapped in <table><tbody> and htmlToMarkdown(div.innerHTML) is called.
// See markdown-clipboard.ts clipboardTextSerializer:
// const table = document.createElement("table");
// const tbody = document.createElement("tbody");
// tbody.appendChild(fragment); table.appendChild(tbody);
// div.appendChild(table);
// return htmlToMarkdown(div.innerHTML);
const div = document.createElement("div");
const table = document.createElement("table");
const tbody = document.createElement("tbody");
for (const [c1, c2] of [
["a", "b"],
["c", "d"],
]) {
const tr = document.createElement("tr");
const td1 = document.createElement("td");
td1.textContent = c1;
const td2 = document.createElement("td");
td2.textContent = c2;
tr.appendChild(td1);
tr.appendChild(td2);
tbody.appendChild(tr);
}
table.appendChild(tbody);
div.appendChild(table);
const md = htmlToMarkdown(div.innerHTML);
const ls = lines(md);
// Valid GFM: a header/data separator row is present (an empty header is
// synthesized by the GFM turndown plugin for a header-less table — fine).
expect(ls.some(isSeparatorRow)).toBe(true);
// NOT the old broken "one value per line" shape: every line is pipe-delimited
// and no line is a bare cell value on its own.
expect(ls.every((l) => l.includes("|"))).toBe(true);
expect(md).not.toMatch(/^\s*(a|b|c|d)\s*$/m);
// The cell values land in real pipe-delimited data rows.
const dataRows = ls.filter((l) => !isSeparatorRow(l)).map(cells);
expect(dataRows).toContainEqual(["a", "b"]);
expect(dataRows).toContainEqual(["c", "d"]);
});
it("serializes a whole table with a header row as a proper GFM table (headline regression)", () => {
// Mirror the serializer's non-wrap branch: the full <table> node is appended
// directly (div.appendChild(fragment)) and htmlToMarkdown(div.innerHTML) runs.
const div = document.createElement("div");
const table = document.createElement("table");
const thead = document.createElement("thead");
const headerRow = document.createElement("tr");
for (const h of ["Name", "Age"]) {
const th = document.createElement("th");
th.textContent = h;
headerRow.appendChild(th);
}
thead.appendChild(headerRow);
table.appendChild(thead);
const tbody = document.createElement("tbody");
for (const [name, age] of [
["Alice", "30"],
["Bob", "25"],
]) {
const tr = document.createElement("tr");
const td1 = document.createElement("td");
td1.textContent = name;
const td2 = document.createElement("td");
td2.textContent = age;
tr.appendChild(td1);
tr.appendChild(td2);
tbody.appendChild(tr);
}
table.appendChild(tbody);
div.appendChild(table);
const md = htmlToMarkdown(div.innerHTML);
const ls = lines(md);
// Proper GFM structure: separator row + all rows pipe-delimited.
expect(ls.some(isSeparatorRow)).toBe(true);
expect(ls.every((l) => l.includes("|"))).toBe(true);
const rows = ls.filter((l) => !isSeparatorRow(l)).map(cells);
// Header row comes first, followed by both data rows.
expect(rows[0]).toEqual(["Name", "Age"]);
expect(rows).toContainEqual(["Alice", "30"]);
expect(rows).toContainEqual(["Bob", "25"]);
// Headline regression: the table is NOT concatenated one-value-per-line.
expect(md).not.toMatch(/^\s*(Name|Age|Alice|Bob|30|25)\s*$/m);
});
});
@@ -27,36 +27,24 @@ export const MarkdownClipboard = Extension.create({
key: new PluginKey("markdownClipboard"),
props: {
clipboardTextSerializer: (slice) => {
const topLevelNodes: { name: string; childCount: number }[] = [];
const listTypes = ["bulletList", "orderedList", "taskList"];
let topLevelCount = 0;
let hasList = false;
slice.content.forEach((node) => {
topLevelNodes.push({
name: node.type.name,
childCount: node.childCount,
});
if (listTypes.includes(node.type.name)) {
hasList = true;
topLevelCount += node.childCount;
} else {
topLevelCount++;
}
});
const { asMarkdown, wrapBareRows } =
classifyClipboardSelection(topLevelNodes);
if (!asMarkdown) return null;
if (!hasList || topLevelCount < 2) return null;
const div = document.createElement("div");
const serializer = DOMSerializer.fromSchema(this.editor.schema);
const fragment = serializer.serializeFragment(slice.content);
if (wrapBareRows) {
// A partial table cell-selection serializes to bare <tr> nodes
// (prosemirror-tables returns the whole `table` node only when the
// entire table is selected). Bare <tr> would be foster-parented
// away by the HTML parser inside htmlToMarkdown, so wrap them in
// <table><tbody> first for the GFM turndown rule to detect them.
const table = document.createElement("table");
const tbody = document.createElement("tbody");
tbody.appendChild(fragment);
table.appendChild(tbody);
div.appendChild(table);
} else {
div.appendChild(fragment);
}
div.appendChild(fragment);
return htmlToMarkdown(div.innerHTML);
},
handlePaste: (view, event, slice) => {
@@ -165,55 +153,6 @@ export const MarkdownClipboard = Extension.create({
},
});
/**
* Decide whether a copied slice's plain-text clipboard payload should be
* serialized as Markdown (instead of ProseMirror's default text serializer,
* which joins block leaves with newlines the "one value per line" bug for
* tables).
*
* Serialize as Markdown for structured content:
* - lists with 2+ total items (a single copied bullet stays literal text);
* - a whole table (top-level `table` node);
* - a partial table cell-selection, which prosemirror-tables copies as bare
* `tableRow` nodes (only a full-table selection yields a `table` node).
*
* `wrapBareRows` flags the bare-rows case so the caller wraps the serialized
* <tr> nodes in <table><tbody> before the HTML->Markdown step. Plain paragraphs
* return asMarkdown=false so a simple text copy stays literal, and internal
* copy/paste keeps using the richer text/html clipboard payload.
*/
export function classifyClipboardSelection(
nodes: { name: string; childCount: number }[],
): { asMarkdown: boolean; wrapBareRows: boolean } {
const listTypes = ["bulletList", "orderedList", "taskList"];
let topLevelCount = 0;
let hasList = false;
let hasTable = false;
let tableRowCount = 0;
let nonRowCount = 0;
for (const node of nodes) {
if (listTypes.includes(node.name)) {
hasList = true;
topLevelCount += node.childCount;
nonRowCount++;
} else {
if (node.name === "table") hasTable = true;
if (node.name === "tableRow") tableRowCount++;
else nonRowCount++;
topLevelCount++;
}
}
// Bare tableRow nodes at the top level only occur for a partial cell
// selection; a slice never mixes bare rows with other block types, so
// "every top-level node is a row" is a safe signal to wrap-and-serialize.
const wrapBareRows = tableRowCount > 0 && nonRowCount === 0;
const asMarkdown =
(hasList && topLevelCount >= 2) || hasTable || wrapBareRows;
return { asMarkdown, wrapBareRows };
}
/**
* Reorder/dedup the footnotes of a SELF-CONTAINED pasted markdown block to the
* canonical invariant (the live footnoteSyncPlugin never reorders an existing
@@ -100,7 +100,7 @@ describe("useScrollPosition", () => {
expect(window.scrollTo).toHaveBeenCalledWith({ top: 500, behavior: "auto" });
});
it("(a3) is idempotent: re-asserting the same target does not scroll again", () => {
it("(a3) restores at most once per mount even if called again", () => {
vi.useFakeTimers();
window.sessionStorage.setItem(`${KEY_PREFIX}once`, "500");
setScrollHeight(2000); // tall enough to restore synchronously
@@ -111,12 +111,8 @@ describe("useScrollPosition", () => {
});
expect(window.scrollTo).toHaveBeenCalledTimes(1);
// Simulate the browser now being at the restored position.
setScrollY(500);
// A second call (e.g. the wiring effect re-running on [showStatic, editor,
// restoreScrollPosition]) must NOT scroll again: the redundancy guard sees
// the window is already at the target and does nothing.
// restoreScrollPosition]) must NOT scroll again and yank the reader.
act(() => {
result.current.restoreScrollPosition();
});
@@ -166,84 +162,6 @@ describe("useScrollPosition", () => {
expect(window.scrollTo).not.toHaveBeenCalled();
});
it("(g) does not restore if the reader scrolled (wheel) before restore fires", () => {
window.sessionStorage.setItem(`${KEY_PREFIX}g1`, "500");
setScrollHeight(2000); // tall enough to restore synchronously
const { result } = renderHook(() => useScrollPosition("g1"));
// The reader shows scroll intent before restore is triggered.
act(() => {
window.dispatchEvent(new Event("wheel"));
});
act(() => {
result.current.restoreScrollPosition();
});
expect(window.scrollTo).not.toHaveBeenCalled();
});
it("(h) aborts an in-flight restore poll when the reader scrolls", () => {
vi.useFakeTimers();
window.sessionStorage.setItem(`${KEY_PREFIX}h1`, "500");
setInnerHeight(800);
setScrollHeight(100); // maxScroll = -700: target not reachable yet, so it polls.
const { result } = renderHook(() => useScrollPosition("h1"));
act(() => {
result.current.restoreScrollPosition();
});
expect(window.scrollTo).not.toHaveBeenCalled(); // still polling
// The reader takes over mid-poll: this cancels the in-flight poll.
act(() => {
window.dispatchEvent(new Event("wheel"));
});
// Content of the page grows tall enough and time passes: the cancelled poll
// must NOT resurrect and yank the reader.
setScrollHeight(2000);
act(() => {
vi.advanceTimersByTime(5000);
});
expect(window.scrollTo).not.toHaveBeenCalled();
});
it("(i) a non-scroll keydown does NOT abort restore", () => {
window.sessionStorage.setItem(`${KEY_PREFIX}i1`, "500");
setScrollHeight(2000); // tall enough to restore synchronously
const { result } = renderHook(() => useScrollPosition("i1"));
// A non-scroll key (e.g. typing, a shortcut) must NOT count as scroll intent.
act(() => {
window.dispatchEvent(new KeyboardEvent("keydown", { key: "a" }));
});
act(() => {
result.current.restoreScrollPosition();
});
// Restore still happens: the innocuous keypress did not disable it.
expect(window.scrollTo).toHaveBeenCalledWith({ top: 500, behavior: "auto" });
});
it("(j) a scroll keydown (Space) DOES abort restore", () => {
window.sessionStorage.setItem(`${KEY_PREFIX}j1`, "500");
setScrollHeight(2000); // tall enough to restore synchronously
const { result } = renderHook(() => useScrollPosition("j1"));
// Space scrolls the page: this is real scroll intent and must abort restore.
act(() => {
window.dispatchEvent(new KeyboardEvent("keydown", { key: " " }));
});
act(() => {
result.current.restoreScrollPosition();
});
expect(window.scrollTo).not.toHaveBeenCalled();
});
it("(c) does nothing when nothing is saved or the saved value is <= 0", () => {
// Nothing saved.
const a = renderHook(() => useScrollPosition("nope"));
@@ -303,55 +221,6 @@ describe("useScrollPosition", () => {
expect(window.scrollTo).toHaveBeenCalledWith({ top: 200, behavior: "auto" });
});
it("(k) shares ONE timeout budget across re-triggers (does not restart the clock)", () => {
// The static->live editor swap re-invokes restore. The shared budget
// (restoreStartRef) must measure the MAX_RESTORE_WAIT_MS (5000) deadline
// from the FIRST trigger, not restart it on every re-trigger. This pins
// the `if (restoreStartRef.current === null)` guard: a mutant that resets
// `restoreStartRef.current = Date.now()` on every trigger would push the
// deadline out to t=8000 (3000 + 5000) and fail the t=5000 assertion below.
vi.useFakeTimers();
vi.setSystemTime(0);
window.sessionStorage.setItem(`${KEY_PREFIX}k1`, "5000");
setInnerHeight(800);
setScrollHeight(1000); // maxScroll = 200, never reaches 5000 -> it polls.
const { result } = renderHook(() => useScrollPosition("k1"));
// First trigger at t=0: starts the shared budget and begins polling.
act(() => {
result.current.restoreScrollPosition();
});
expect(window.scrollTo).not.toHaveBeenCalled();
// Advance to t=3000 (still polling: content short, not yet timed out).
act(() => {
vi.advanceTimersByTime(3000);
});
expect(window.scrollTo).not.toHaveBeenCalled();
// Second trigger at t=3000 (the swap re-assert). Under the real code the
// budget is shared, so `start` stays 0; under the reset-mutant it becomes 3000.
act(() => {
result.current.restoreScrollPosition();
});
// At t=4900 the FIRST budget has not yet elapsed (4900 - 0 < 5000): no clamp.
act(() => {
vi.advanceTimersByTime(1900);
});
expect(window.scrollTo).not.toHaveBeenCalled();
// At t=5000 the shared budget (measured from t=0) times out and clamps to the
// furthest reachable position (maxScroll = 200). The reset-mutant, measuring
// from t=3000, would still be waiting (5000 - 3000 = 2000 < 5000) and would
// NOT have scrolled here -> this assertion fails against that mutant.
act(() => {
vi.advanceTimersByTime(100);
});
expect(window.scrollTo).toHaveBeenCalledWith({ top: 200, behavior: "auto" });
});
it("(e) never throws when storage access throws", () => {
const err = new Error("storage denied");
vi.spyOn(window.sessionStorage, "getItem").mockImplementation(() => {
@@ -1,5 +1,4 @@
import { useCallback, useEffect, useLayoutEffect, useRef } from "react";
import type { Editor } from "@tiptap/react";
import { useCallback, useEffect, useRef } from "react";
// Throttle interval for persisting the scroll position while the user reads.
const SAVE_THROTTLE_MS = 250;
@@ -14,18 +13,6 @@ const RESTORE_POLL_MS = 100;
// "remember where I was reading" feature (self-limiting, no cross-tab leak).
const STORAGE_PREFIX = "gitmost:scroll-position:";
// Keys that scroll the window. Only these count as scroll intent for keydown;
// other keys (shortcuts, modifiers, typing) must NOT disable scroll restore.
const SCROLL_KEYS = new Set([
"ArrowUp",
"ArrowDown",
"PageUp",
"PageDown",
"Home",
"End",
" ", // Space (and Shift+Space) scroll the page
]);
function storageKey(pageId: string): string {
return `${STORAGE_PREFIX}${pageId}`;
}
@@ -61,41 +48,32 @@ function writeStorage(pageId: string, scrollY: number): void {
* Persists and restores the window scroll position per page so a reader keeps
* their place across a reload (F5) or reopening the document.
*
* Returns `restoreScrollPosition`, which the page editor calls from two triggers
* (early, while the static/cached content is laid out, and again after the
* static->live editor swap); it is idempotent, so re-asserting the same target is
* a no-op. The two scroll mechanisms are mutually exclusive: if the URL has a
* `#hash` anchor, the existing anchor-scroll logic wins and restore is a no-op.
* Returns `restoreScrollPosition`, which the page editor calls once the live
* (non-static) content is laid out. The two scroll mechanisms are mutually
* exclusive: if the URL has a `#hash` anchor, the existing anchor-scroll logic
* wins and restore is a no-op.
*/
export function useScrollPosition(pageId: string): {
restoreScrollPosition: () => void;
} {
// CONTRACT: this hook assumes PageEditor REMOUNTS per page — page.tsx renders
// `<MemoizedFullEditor key={page.id} ...>`, so switching pages creates a fresh
// hook instance with fresh refs. Restore is idempotent and interaction-gated
// (not single-shot): it may be called from several triggers and re-asserts the
// SAME captured target, which is a no-op once the window is already positioned.
// The per-mount refs that latch are `initialTargetRef` (the captured target)
// and `userInteractedRef` (the reader has taken over scrolling). They are NOT
// reset when `pageId` changes in place (only the effect re-runs on [pageId]).
// If that `key={page.id}` is ever removed, restore would silently break on the
// 2nd page (refs would hold the first page's target / interaction flag) — in
// that case the refs must be reset on a pageId change.
// hook instance with fresh refs. These refs latch per-mount and are NOT reset
// when `pageId` changes in place (only the effect re-runs on [pageId]). If that
// `key={page.id}` is ever removed, restore would silently break on the 2nd page
// (refs would hold the first page's target / already-restored flag) — in that
// case the refs must be reset on a pageId change.
//
// The target Y captured synchronously at mount, BEFORE any scroll/visibility
// handler can overwrite the stored value with a fresh 0 (the page starts
// scrolled to top on load). `null` means "not yet captured".
const initialTargetRef = useRef<number | null>(null);
// Set once the reader shows unambiguous scroll intent; restore must never yank
// a reader who has already started scrolling.
const userInteractedRef = useRef(false);
// Guards so restore runs at most once per page mount.
const hasRestoredRef = useRef(false);
// Holds the in-flight restore poll timer so the cleanup can cancel it: without
// this, a fast SPA navigation away mid-poll would let the old page's poll fire
// window.scrollTo against the NEW page's document (visible wrong-page scroll).
const pollTimerRef = useRef<number | null>(null);
// Timestamp of the FIRST restore attempt so re-triggers (e.g. the static→live
// editor swap) share ONE bounded timeout budget instead of restarting it.
const restoreStartRef = useRef<number | null>(null);
// Capture the previously-saved value synchronously during render, before the
// effect below registers handlers that would persist the current (0) scrollY.
@@ -136,43 +114,14 @@ export function useScrollPosition(pageId: string): {
}
};
// User scroll-intent signals. wheel and touch are unconditional scroll
// intent; keydown is filtered to actual scroll keys only (SCROLL_KEYS) so
// shortcuts, lone modifiers, and typing do not abort restore. Our own
// window.scrollTo does NOT emit these, so restore can never self-abort via
// them. Once the reader shows intent we mark it and cancel any in-flight
// restore poll so restore can never yank them back. (Scrollbar-drag via
// pointer is an accepted small gap — it is not covered here.)
const onUserIntent = (event: Event) => {
// wheel/touchstart are unambiguous scroll intent; for keydown, only real
// scroll keys count — a shortcut or typing must not abort restore.
if (
event.type === "keydown" &&
!SCROLL_KEYS.has((event as KeyboardEvent).key)
) {
return;
}
userInteractedRef.current = true;
if (pollTimerRef.current !== null) {
window.clearTimeout(pollTimerRef.current);
pollTimerRef.current = null;
}
};
window.addEventListener("scroll", onScroll, { passive: true });
window.addEventListener("pagehide", onPageHide);
document.addEventListener("visibilitychange", onVisibilityChange);
window.addEventListener("wheel", onUserIntent, { passive: true });
window.addEventListener("touchstart", onUserIntent, { passive: true });
window.addEventListener("keydown", onUserIntent);
return () => {
window.removeEventListener("scroll", onScroll);
window.removeEventListener("pagehide", onPageHide);
document.removeEventListener("visibilitychange", onVisibilityChange);
window.removeEventListener("wheel", onUserIntent);
window.removeEventListener("touchstart", onUserIntent);
window.removeEventListener("keydown", onUserIntent);
if (throttleTimer !== null) {
window.clearTimeout(throttleTimer);
throttleTimer = null;
@@ -188,8 +137,9 @@ export function useScrollPosition(pageId: string): {
}, [pageId]);
const restoreScrollPosition = useCallback(() => {
// The reader took over — never yank them back.
if (userInteractedRef.current) return;
// Run at most once per page mount.
if (hasRestoredRef.current) return;
hasRestoredRef.current = true;
// Anchor priority: a `#hash` in the URL is handled by useEditorScroll.
if (window.location.hash) return;
@@ -198,26 +148,9 @@ export function useScrollPosition(pageId: string): {
// Nothing meaningful to restore to.
if (targetY <= 0) return;
// Cancel any in-flight poll before (re)starting, so overlapping triggers can
// never run two concurrent polls against the same target.
if (pollTimerRef.current !== null) {
window.clearTimeout(pollTimerRef.current);
pollTimerRef.current = null;
}
// Share one timeout budget across re-triggers instead of restarting it.
if (restoreStartRef.current === null) {
restoreStartRef.current = Date.now();
}
const start = restoreStartRef.current;
const start = Date.now();
const tryRestore = () => {
// Bail mid-poll if the reader started scrolling while we were waiting.
if (userInteractedRef.current) {
pollTimerRef.current = null;
return;
}
const maxScroll =
document.documentElement.scrollHeight - window.innerHeight;
const timedOut = Date.now() - start >= MAX_RESTORE_WAIT_MS;
@@ -225,12 +158,10 @@ export function useScrollPosition(pageId: string): {
// Restore once the content is tall enough to reach the target, or bail out
// after the timeout and scroll as far as currently possible.
if (maxScroll >= targetY || timedOut) {
const top = Math.min(targetY, Math.max(maxScroll, 0));
// Redundancy guard: re-asserting the SAME target when already positioned
// is a no-op, so this hook can be called from multiple triggers safely.
if (Math.abs(window.scrollY - top) > 1) {
window.scrollTo({ top, behavior: "auto" });
}
window.scrollTo({
top: Math.min(targetY, Math.max(maxScroll, 0)),
behavior: "auto",
});
pollTimerRef.current = null;
return;
}
@@ -244,37 +175,3 @@ export function useScrollPosition(pageId: string): {
return { restoreScrollPosition };
}
/**
* Wires `useScrollPosition` to the page editor's static->live swap lifecycle.
*
* Extracted from PageEditor so the exact restore triggers (their deps and the
* post-swap `&& editor` guard) are directly unit-testable rather than mirrored.
* Behaviour is unchanged: `restoreScrollPosition` is idempotent, so re-asserting
* the same target from either trigger is a no-op.
*
* @param pageId the page whose scroll position is persisted/restored.
* @param editor the tiptap editor instance, or `null` until it is ready.
* @param showStatic whether the static (cached) content is still shown.
*/
export function useScrollRestoreOnSwap(
pageId: string,
editor: Editor | null,
showStatic: boolean,
): void {
const { restoreScrollPosition } = useScrollPosition(pageId);
// Restore as early as the static (cached) content is laid out, before paint,
// so the reader's position is applied without a visible jump. Aborts itself if
// the reader has already started scrolling (handled inside the hook).
useLayoutEffect(() => {
restoreScrollPosition();
}, [restoreScrollPosition]);
// Re-assert once after the static -> live editor swap in case the swap reset
// the window scroll. Idempotent: a no-op when the position is already correct,
// and a no-op after the reader has interacted.
useLayoutEffect(() => {
if (!showStatic && editor) restoreScrollPosition();
}, [showStatic, editor, restoreScrollPosition]);
}
@@ -1,141 +0,0 @@
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import { render, act } from "@testing-library/react";
import type { Editor } from "@tiptap/react";
import { useScrollRestoreOnSwap } from "./hooks/use-scroll-position";
const KEY_PREFIX = "gitmost:scroll-position:";
// NOTE ON SCOPE (F2 — reviewer-approved lighter variant).
//
// The real UX wiring lives in the exported `useScrollRestoreOnSwap` hook (two
// useLayoutEffects around useScrollPosition), which PageEditor calls with the
// same signature. A FULL PageEditor component test is impractical here and has no
// precedent in this client: PageEditor directly constructs a
// HocuspocusProviderWebsocket + IndexeddbPersistence, a tiptap `useEditor` with
// collab extensions, reads jotai atoms, react-router params, the shared
// `queryClient` from main.tsx, i18n, and mounts ~12 editor menu children. Worse,
// the static->live swap (`showStatic` -> false) is gated on
// `isCollabSynced(status, isLocalSynced && isRemoteSynced)`, which can only flip
// by driving the mocked collab provider's async sync callbacks. The heaviest
// component-test precedent in the repo (comment-hover-preview.test.tsx) mounts a
// single leaf component with ONE mocked query; nothing mounts a feature root of
// this weight. Reproducing all of that would test the mocks, not the wiring.
//
// So this file tests the REAL `useScrollRestoreOnSwap` hook — the exact code
// PageEditor imports and calls — driving its `showStatic`/`editor` inputs the way
// the swap does. Because it exercises the real hook (not a copy), dropping the
// `&& editor` guard or changing the effect deps makes these tests fail; they
// guard the production code directly (verified: removing `&& editor` reddens the
// first test).
//
// Both tests observe the real effect via `window.scrollTo`. The stubbed
// `window.scrollTo` never mutates `window.scrollY`, and the target is left
// unreached, so every restore invocation that passes the guard yields exactly one
// `scrollTo` call — making the call count a faithful proxy for restore invocations.
function setScrollY(value: number): void {
Object.defineProperty(window, "scrollY", { configurable: true, value });
}
function setScrollHeight(value: number): void {
Object.defineProperty(document.documentElement, "scrollHeight", {
configurable: true,
value,
});
}
function setInnerHeight(value: number): void {
Object.defineProperty(window, "innerHeight", { configurable: true, value });
}
// Minimal stand-in for the tiptap editor: the hook only truthiness-checks it.
const fakeEditor = { id: "editor" } as unknown as Editor;
// Thin host that calls the REAL hook so a rerender drives showStatic/editor
// exactly like the page-editor swap does.
function Host({
pageId,
showStatic,
editor,
}: {
pageId: string;
showStatic: boolean;
editor: Editor | null;
}) {
useScrollRestoreOnSwap(pageId, editor, showStatic);
return null;
}
describe("PageEditor scroll-restore wiring (useScrollRestoreOnSwap)", () => {
beforeEach(() => {
window.sessionStorage.clear();
setScrollY(0);
setScrollHeight(0);
setInnerHeight(800);
window.scrollTo = vi.fn();
window.location.hash = "";
});
afterEach(() => {
vi.restoreAllMocks();
vi.useRealTimers();
window.location.hash = "";
});
it("re-invokes restore after the swap, with the [showStatic, editor] deps/guard", () => {
// Target is immediately reachable, so each restore that passes the guard
// scrolls synchronously. `window.scrollY` stays 0 (stubbed scrollTo never
// updates it), so scrollTo is called once per effective restore — a proxy for
// the restore invocation count.
window.sessionStorage.setItem(`${KEY_PREFIX}guard`, "500");
setInnerHeight(800);
setScrollHeight(2000); // maxScroll = 1200 >= 500: reachable, no polling.
// Pre-swap: static content shown, live editor not ready. Only the early
// pre-paint restore fires; the post-swap effect's guard (!showStatic) blocks it.
const { rerender } = render(
<Host pageId="guard" showStatic={true} editor={null} />,
);
expect(window.scrollTo).toHaveBeenCalledTimes(1);
// Collab reports synced (showStatic flips false) but the editor is not ready
// yet: the swap effect re-runs (deps [showStatic, editor] changed) but the
// `&& editor` guard must keep it a no-op. The early effect does NOT re-fire
// (its dep [restoreScrollPosition] is a stable useCallback([])).
// (Pins the guard: dropping `&& editor` would restore against a null editor,
// producing a 2nd scrollTo and failing this expectation.)
rerender(<Host pageId="guard" showStatic={false} editor={null} />);
expect(window.scrollTo).toHaveBeenCalledTimes(1);
// The static -> live swap completes (showStatic false AND editor present): the
// post-swap effect re-asserts the restore exactly once more, driven solely by
// the [showStatic, editor] deps changing.
rerender(<Host pageId="guard" showStatic={false} editor={fakeEditor} />);
expect(window.scrollTo).toHaveBeenCalledTimes(2);
});
it("the post-swap re-assert drives a REAL restore (window.scrollTo) via the hook", () => {
// End-to-end through the real useScrollPosition (inside the hook): the swap
// re-invocation is the CAUSE of the scroll (nothing scrolls before it).
vi.useFakeTimers();
window.sessionStorage.setItem(`${KEY_PREFIX}peg`, "500");
setInnerHeight(800);
setScrollHeight(100); // maxScroll = -700: target not reachable yet -> polls.
// Pre-swap: the early restore runs but content is too short, so it starts
// polling (a pending timer) without scrolling. We never advance timers, so the
// early poll cannot fire on its own — isolating the swap as the sole cause.
const { rerender } = render(
<Host pageId="peg" showStatic={true} editor={null} />,
);
expect(window.scrollTo).not.toHaveBeenCalled();
// The live content is now laid out tall enough to reach the target.
setScrollHeight(2000); // maxScroll = 1200 >= 500
// The static -> live swap: the post-swap useLayoutEffect re-invokes the real
// hook, whose synchronous tryRestore now reaches the target and scrolls.
act(() => {
rerender(<Host pageId="peg" showStatic={false} editor={fakeEditor} />);
});
expect(window.scrollTo).toHaveBeenCalledWith({ top: 500, behavior: "auto" });
});
});
@@ -78,7 +78,7 @@ import { PageEditMode } from "@/features/user/types/user.types.ts";
import { jwtDecode } from "jwt-decode";
import { searchSpotlight } from "@/features/search/constants.ts";
import { useEditorScroll } from "./hooks/use-editor-scroll";
import { useScrollRestoreOnSwap } from "./hooks/use-scroll-position";
import { useScrollPosition } from "./hooks/use-scroll-position";
import { EditorLinkMenu } from "@/features/editor/components/link/link-menu";
import ColumnsMenu from "@/features/editor/components/columns/columns-menu.tsx";
import { TransclusionLookupProvider } from "@/features/editor/components/transclusion/transclusion-lookup-context";
@@ -143,6 +143,7 @@ export default function PageEditor({
[isComponentMounted],
);
const { handleScrollTo } = useEditorScroll({ canScroll });
const { restoreScrollPosition } = useScrollPosition(pageId);
// Providers only created once per pageId
const providersRef = useRef<{
local: IndexeddbPersistence;
@@ -481,10 +482,10 @@ export default function PageEditor({
}
}, [yjsConnectionStatus, isSynced]);
// Restore the reader's scroll position across the static -> live editor swap.
// The wiring (early pre-paint restore + post-swap re-assert) lives in the hook
// so its triggers/guard are directly unit-testable.
useScrollRestoreOnSwap(pageId, editor, showStatic);
// Restore the saved reading position once the live content is laid out.
useEffect(() => {
if (!showStatic && editor) restoreScrollPosition();
}, [showStatic, editor, restoreScrollPosition]);
return (
<TransclusionLookupProvider>
@@ -71,22 +71,3 @@
}
}
/* Inline image rows (#284): center the anonymous line boxes formed by
consecutive [data-image-align="inline"] node-view containers. A row has no
DOM wrapper of its own, so its horizontal placement is controlled by the
text-align of the nearest block ancestor (the editor root or a nested
block container: blockquote, callout, list item, table cell, details).
Centering is enabled only in containers that actually hold an inline
image (:has), and every other child of such a container gets its default
alignment back so ordinary text is unaffected. Explicit per-block
alignment from the toolbar is an inline style and still wins. Browsers
without :has() degrade to left-pinned rows. */
.ProseMirror:has(> [data-image-align="inline"]),
.ProseMirror :has(> [data-image-align="inline"]) {
text-align: center;
}
.ProseMirror:has(> [data-image-align="inline"]) > :not([data-image-align="inline"]),
.ProseMirror :has(> [data-image-align="inline"]) > :not([data-image-align="inline"]) {
text-align: start;
}
@@ -0,0 +1,227 @@
import { describe, it, expect, vi, afterEach, beforeAll } from "vitest";
import { render, screen, cleanup, within } from "@testing-library/react";
import { MantineProvider } from "@mantine/core";
// Mantine Tooltip mounts its label lazily on hover via Floating UI, which is
// flaky under jsdom. Replace ONLY the Tooltip with a thin wrapper that renders
// the label inline (keeping Badge/Switch/etc. real), so the provenance label —
// the contract we care about — is deterministically queryable.
vi.mock("@mantine/core", async () => {
const actual =
await vi.importActual<typeof import("@mantine/core")>("@mantine/core");
const Tooltip = ({
label,
children,
}: {
label?: React.ReactNode;
children?: React.ReactNode;
}) => (
<>
{children}
<span data-testid="tooltip-label">{label}</span>
</>
);
Tooltip.Group = ({ children }: { children?: React.ReactNode }) => (
<>{children}</>
);
return { ...actual, Tooltip };
});
// jsdom lacks matchMedia, which MantineProvider's color-scheme hook needs.
beforeAll(() => {
if (!window.matchMedia) {
window.matchMedia = (query: string) =>
({
matches: false,
media: query,
onchange: null,
addListener: () => {},
removeListener: () => {},
addEventListener: () => {},
removeEventListener: () => {},
dispatchEvent: () => false,
}) as unknown as MediaQueryList;
}
});
// --- Mocks for the heavy / networked module graph ---------------------------
// HistoryItem pulls in i18n, jotai atoms (ai-chat / history), a config-backed
// avatar and a time formatter. The provenance-badge contract is the unit under
// test, so we stub everything else down to inert, deterministic renders and
// keep the real Mantine Badge/Tooltip so role/label queries are meaningful.
// i18n: interpolate {{name}} so the git-sync tooltip carries the author name,
// letting us assert provenance attribution without a real i18n backend.
vi.mock("react-i18next", () => ({
useTranslation: () => ({
t: (key: string, vars?: Record<string, unknown>) =>
vars && typeof vars.name !== "undefined"
? key.replace("{{name}}", String(vars.name))
: key,
}),
}));
// jotai setters: the badges call useSetAtom; return inert setters so a click on
// the (deep-linkable) AiAgentBadge would fire these — proving the git-sync badge
// does NOT wire any of them.
const setAiChatWindowOpen = vi.fn();
const setActiveChatId = vi.fn();
const setDraft = vi.fn();
const setHistoryModalOpen = vi.fn();
vi.mock("jotai", async () => {
const actual = await vi.importActual<typeof import("jotai")>("jotai");
return {
...actual,
useSetAtom: (atom: unknown) => {
switch (atom) {
case aiChatWindowOpenAtom:
return setAiChatWindowOpen;
case activeAiChatIdAtom:
return setActiveChatId;
case aiChatDraftAtom:
return setDraft;
case historyAtoms:
return setHistoryModalOpen;
default:
return vi.fn();
}
},
};
});
// Atoms are imported only as identity tokens for the useSetAtom switch above.
vi.mock("@/features/ai-chat/atoms/ai-chat-atom.ts", () => ({
activeAiChatIdAtom: { __tag: "activeAiChatIdAtom" },
aiChatWindowOpenAtom: { __tag: "aiChatWindowOpenAtom" },
aiChatDraftAtom: { __tag: "aiChatDraftAtom" },
}));
vi.mock("@/features/page-history/atoms/history-atoms.ts", () => ({
historyAtoms: { __tag: "historyAtoms" },
}));
// Avatar reaches into config (getAvatarUrl) — stub to a plain element.
vi.mock("@/components/ui/custom-avatar.tsx", () => ({
CustomAvatar: ({ name }: { name?: string }) => (
<span data-testid="avatar">{name}</span>
),
}));
// Deterministic, locale-free date string.
vi.mock("@/lib/time", () => ({
formattedDate: () => "2026-06-21",
}));
import HistoryItem from "./history-item";
import {
activeAiChatIdAtom,
aiChatWindowOpenAtom,
aiChatDraftAtom,
} from "@/features/ai-chat/atoms/ai-chat-atom.ts";
import { historyAtoms } from "@/features/page-history/atoms/history-atoms.ts";
import type { IPageHistory } from "@/features/page-history/types/page.types";
function makeItem(overrides: Partial<IPageHistory> = {}): IPageHistory {
return {
id: "h1",
pageId: "p1",
title: "Title",
slug: "slug",
icon: "",
coverPhoto: "",
version: 1,
lastUpdatedById: "u1",
workspaceId: "w1",
createdAt: "2026-06-21T00:00:00.000Z",
updatedAt: "2026-06-21T00:00:00.000Z",
lastUpdatedBy: { id: "u1", name: "Alice", avatarUrl: "" },
...overrides,
};
}
function renderItem(item: IPageHistory) {
return render(
<MantineProvider>
<HistoryItem
historyItem={item}
index={0}
onSelect={vi.fn()}
isActive={false}
/>
</MantineProvider>,
);
}
afterEach(() => {
cleanup();
vi.clearAllMocks();
});
describe("HistoryItem git-sync provenance badge", () => {
// Test 1: the git-sync badge renders ONLY for lastUpdatedSource === 'git-sync'.
it("renders the Git sync badge only when lastUpdatedSource is 'git-sync'", () => {
renderItem(makeItem({ lastUpdatedSource: "git-sync" }));
expect(screen.getByText("Git sync")).toBeTruthy();
});
it.each([
["agent", "agent"],
["user", "user"],
["undefined", undefined],
])(
"does NOT render the Git sync badge when lastUpdatedSource is %s",
(_label, source) => {
renderItem(makeItem({ lastUpdatedSource: source }));
expect(screen.queryByText("Git sync")).toBeNull();
},
);
// Test 2: provenance attribution + the git-sync badge is NOT interactive.
it("attributes the git-sync provenance to the correct author and is not clickable", () => {
renderItem(
makeItem({
lastUpdatedSource: "git-sync",
lastUpdatedBy: { id: "u2", name: "Bob", avatarUrl: "" },
}),
);
const badge = screen.getByText("Git sync");
// Provenance attribution: the tooltip label carries the author name (the
// git-sync badge passes authorName -> "Synced from Git on behalf of {{name}}").
expect(screen.getByText("Synced from Git on behalf of Bob")).toBeTruthy();
// The git-sync badge must NOT behave like AiAgentBadge: the badge element
// itself is not a button, carries no role=button and no tabIndex, and
// clicking it must not trigger any ai-chat deep-link. (The surrounding
// history-row IS an UnstyledButton — that is the row's own select affordance,
// not the badge — so we scope these checks to the badge element.)
const badgeRoot = (badge.closest("[class*='mantine-Badge-root']") ??
badge) as HTMLElement;
expect(badgeRoot.getAttribute("role")).not.toBe("button");
expect(badgeRoot.getAttribute("tabindex")).toBeNull();
expect(badgeRoot.tagName.toLowerCase()).not.toBe("button");
// No interactive descendant button lives inside the badge itself.
expect(within(badgeRoot).queryByRole("button")).toBeNull();
badgeRoot.dispatchEvent(new MouseEvent("click", { bubbles: true }));
expect(setActiveChatId).not.toHaveBeenCalled();
expect(setAiChatWindowOpen).not.toHaveBeenCalled();
expect(setDraft).not.toHaveBeenCalled();
expect(setHistoryModalOpen).not.toHaveBeenCalled();
});
// Sanity contrast: the agent badge (the copy-paste source) IS interactive when
// it carries an aiChatId — proving the not-clickable assertion above is real.
it("contrast: the AI-agent badge is a deep-link button when it has an aiChatId", () => {
renderItem(
makeItem({
lastUpdatedSource: "agent",
lastUpdatedAiChatId: "chat-1",
}),
);
const agentBadge = screen.getByText("AI-agent");
const root = agentBadge.closest("[role='button']");
expect(root).not.toBeNull();
within(root as HTMLElement).getByText("AI-agent");
});
});
@@ -1,6 +1,7 @@
import { Text, Group, UnstyledButton, Avatar, Tooltip } from "@mantine/core";
import { CustomAvatar } from "@/components/ui/custom-avatar.tsx";
import { AiAgentBadge } from "@/components/ui/ai-agent-badge.tsx";
import { GitSyncBadge } from "@/components/ui/git-sync-badge.tsx";
import { formattedDate } from "@/lib/time";
import classes from "./css/history.module.css";
import clsx from "clsx";
@@ -41,6 +42,7 @@ const HistoryItem = memo(function HistoryItem({
const contributors = historyItem.contributors;
const hasContributors = contributors && contributors.length > 0;
const isAgentEdit = historyItem.lastUpdatedSource === "agent";
const isGitSyncEdit = historyItem.lastUpdatedSource === "git-sync";
return (
<UnstyledButton
@@ -108,6 +110,10 @@ const HistoryItem = memo(function HistoryItem({
onActivate={() => setHistoryModalOpen(false)}
/>
)}
{isGitSyncEdit && (
<GitSyncBadge authorName={historyItem.lastUpdatedBy?.name} />
)}
</Group>
</UnstyledButton>
);
@@ -13,30 +13,20 @@ export type OpenMap = Record<string, boolean>;
// `OpenMap | Promise<OpenMap>` and break the functional-updater setter below).
const openTreeNodesStorage = createJSONStorage<OpenMap>(() => localStorage);
// Single source of truth for the open-map localStorage key prefix. Exported so
// the logout cache sweep (tree-data-atom.ts) removes keys by the SAME prefix
// used to write them — a rename here can never silently desync the cleanup.
export const OPEN_TREE_NODES_KEY_PREFIX = "openTreeNodes:";
// One persisted open/closed map per (workspace, user). Scoping the localStorage
// key prevents accounts that share a browser origin from leaking tree state.
// `getOnInit: true` reads localStorage synchronously at atom init (not on mount),
// so the first render already has the saved state — no collapse-then-expand
// flicker on reload, and writes never run against an un-hydrated empty map.
const openTreeNodesFamily = atomFamily((scopeKey: string) =>
atomWithStorage<OpenMap>(
`${OPEN_TREE_NODES_KEY_PREFIX}${scopeKey}`,
{},
openTreeNodesStorage,
{ getOnInit: true },
),
atomWithStorage<OpenMap>(`openTreeNodes:${scopeKey}`, {}, openTreeNodesStorage, {
getOnInit: true,
}),
);
// Resolve the storage scope from the current user. Fall back to "anon" for the
// workspace/user parts when nothing is loaded yet (logged out / first paint).
// Shared by the open-map atom below and the persisted tree-data atom
// (tree-data-atom.ts) so both caches are scoped identically.
export const scopeKeyAtom = atom((get) => {
const scopeKeyAtom = atom((get) => {
const currentUser = get(currentUserAtom);
const workspaceId = currentUser?.workspace?.id ?? "anon";
const userId = currentUser?.user?.id ?? "anon";
@@ -1,265 +0,0 @@
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import type { SpaceTreeNode } from "@/features/page/tree/types";
import type { ICurrentUser } from "@/features/user/types/user.types";
// The persisted tree-data atom hydrates from localStorage ONCE, at family-atom
// creation (`getOnInit: true`). To exercise hydration deterministically each
// test imports a FRESH module instance (fresh atomFamily) after seeding the
// storage stub from vitest.setup.ts. jotai itself is externalized by vitest, so
// `createStore` can stay a static import — atoms are plain objects and any
// store works with any module instance.
import { createStore } from "jotai";
// Storage key for the default scope: no currentUser -> "anon:anon" (see
// scopeKeyAtom in open-tree-nodes-atom.ts) with the `v1` cache-shape version.
const ANON_KEY = "treeData:v1:anon:anon";
const DEBOUNCE_MS = 500;
async function freshImport() {
vi.resetModules();
const treeDataModule = await import("./tree-data-atom");
const userModule = await import(
"@/features/user/atoms/current-user-atom"
);
return {
treeDataAtom: treeDataModule.treeDataAtom,
flushPendingTreeDataWrites: treeDataModule.flushPendingTreeDataWrites,
clearPersistedTreeCaches: treeDataModule.clearPersistedTreeCaches,
currentUserAtom: userModule.currentUserAtom,
};
}
function node(id: string): SpaceTreeNode {
return {
id,
slugId: `slug-${id}`,
name: id,
position: "a0",
spaceId: "space-1",
parentPageId: null as unknown as string,
hasChildren: false,
children: [],
};
}
// Every persisted tree key currently in storage — asserting on the whole
// prefix (not one known key) catches writes that resurrect under ANY scope.
function persistedTreeDataKeys(): string[] {
const keys: string[] = [];
for (let i = 0; i < localStorage.length; i++) {
const key = localStorage.key(i);
if (key !== null && key.startsWith("treeData:v1:")) keys.push(key);
}
return keys;
}
function currentUser(workspaceId: string, userId: string): ICurrentUser {
return {
user: { id: userId },
workspace: { id: workspaceId },
} as unknown as ICurrentUser;
}
beforeEach(() => {
localStorage.clear();
});
afterEach(() => {
vi.useRealTimers();
vi.restoreAllMocks();
});
describe("treeDataAtom (localStorage-persisted)", () => {
it("reads [] from a fresh store with empty storage", async () => {
const { treeDataAtom } = await freshImport();
const store = createStore();
expect(store.get(treeDataAtom)).toEqual([]);
});
it("persists through the debounced setItem and hydrates a fresh module back", async () => {
vi.useFakeTimers();
const setItemSpy = vi.spyOn(localStorage, "setItem");
const { treeDataAtom } = await freshImport();
const store = createStore();
store.set(treeDataAtom, [node("a")]);
// Second write inside the debounce window — must coalesce into ONE flush
// carrying only the latest value.
vi.advanceTimersByTime(DEBOUNCE_MS / 2);
store.set(treeDataAtom, [node("a"), node("b")]);
// Nothing flushed yet: the write is trailing-debounced.
expect(localStorage.getItem(ANON_KEY)).toBeNull();
vi.advanceTimersByTime(DEBOUNCE_MS + 100);
expect(setItemSpy).toHaveBeenCalledTimes(1);
expect(JSON.parse(localStorage.getItem(ANON_KEY)!)).toEqual([
node("a"),
node("b"),
]);
// A fresh module (fresh atom family -> getOnInit re-reads storage) and a
// fresh store hydrate the persisted tree back — the reload scenario.
const second = await freshImport();
const store2 = createStore();
expect(store2.get(second.treeDataAtom)).toEqual([node("a"), node("b")]);
});
it("reads [] (without throwing) when storage holds corrupted JSON", async () => {
localStorage.setItem(ANON_KEY, "{definitely not JSON!!!");
const { treeDataAtom } = await freshImport();
const store = createStore();
expect(store.get(treeDataAtom)).toEqual([]);
});
it("reads [] when storage holds valid JSON of a non-array shape", async () => {
localStorage.setItem(ANON_KEY, JSON.stringify({ id: "not-a-tree" }));
const { treeDataAtom } = await freshImport();
const store = createStore();
expect(store.get(treeDataAtom)).toEqual([]);
});
it("supports functional-updater writes", async () => {
const { treeDataAtom } = await freshImport();
const store = createStore();
store.set(treeDataAtom, [node("a")]);
store.set(treeDataAtom, (prev) => [...prev, node("b")]);
expect(store.get(treeDataAtom).map((n) => n.id)).toEqual(["a", "b"]);
});
it("isolates trees between (workspace, user) scopes", async () => {
const { treeDataAtom, currentUserAtom } = await freshImport();
const store = createStore();
store.set(currentUserAtom, currentUser("w1", "u1"));
store.set(treeDataAtom, [node("a")]);
expect(store.get(treeDataAtom).map((n) => n.id)).toEqual(["a"]);
// Another account on the same browser origin must NOT see u1's tree.
store.set(currentUserAtom, currentUser("w2", "u2"));
expect(store.get(treeDataAtom)).toEqual([]);
store.set(treeDataAtom, [node("b")]);
expect(store.get(treeDataAtom).map((n) => n.id)).toEqual(["b"]);
// Switching back resolves the original scope's tree untouched.
store.set(currentUserAtom, currentUser("w1", "u1"));
expect(store.get(treeDataAtom).map((n) => n.id)).toEqual(["a"]);
});
it("clearPersistedTreeCaches removes all tree keys and discards pending writes", async () => {
vi.useFakeTimers();
// Stale caches across scopes plus an UNRELATED key that must survive.
localStorage.setItem("treeData:v1:a:b", JSON.stringify([node("stale")]));
localStorage.setItem("openTreeNodes:a:b", JSON.stringify({ p1: true }));
localStorage.setItem("currentUser", JSON.stringify({ user: { id: "b" } }));
const { treeDataAtom, clearPersistedTreeCaches } = await freshImport();
const store = createStore();
// Queue a debounced write (not flushed yet) for the anon scope.
store.set(treeDataAtom, [node("pending")]);
expect(localStorage.getItem(ANON_KEY)).toBeNull();
clearPersistedTreeCaches();
// Both prefixed caches are swept; the unrelated key is untouched.
expect(localStorage.getItem("treeData:v1:a:b")).toBeNull();
expect(localStorage.getItem("openTreeNodes:a:b")).toBeNull();
expect(localStorage.getItem("currentUser")).toBe(
JSON.stringify({ user: { id: "b" } }),
);
// The queued write was DISCARDED, not merely delayed: the debounce timer
// firing later must not resurrect a tree key after logout.
vi.advanceTimersByTime(DEBOUNCE_MS + 100);
expect(localStorage.getItem(ANON_KEY)).toBeNull();
});
it("clearPersistedTreeCaches discards queued writes even when flushed DIRECTLY", async () => {
vi.useFakeTimers();
const { treeDataAtom, clearPersistedTreeCaches, flushPendingTreeDataWrites } =
await freshImport();
const store = createStore();
// Queue a debounced write, then clear. Calling the flush directly (not via
// the debounce timer) isolates the pending-queue discard from the timer
// cancel: if the queue survived, this flush would resurrect the key even
// though the timer never fired.
store.set(treeDataAtom, [node("pending")]);
clearPersistedTreeCaches();
flushPendingTreeDataWrites();
expect(localStorage.getItem(ANON_KEY)).toBeNull();
expect(persistedTreeDataKeys()).toEqual([]);
});
it("skips persisting a tree over the size cap and warns exactly once", async () => {
vi.useFakeTimers();
const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
const setItemSpy = vi.spyOn(localStorage, "setItem");
const { treeDataAtom, flushPendingTreeDataWrites } = await freshImport();
const store = createStore();
// One node whose name alone serializes to > MAX_SERIALIZED_LENGTH (~4M).
const huge = node("big");
huge.name = "x".repeat(4_000_001);
store.set(treeDataAtom, [huge]);
vi.advanceTimersByTime(DEBOUNCE_MS + 100);
// The oversized serialization is skipped: the key is never written.
expect(localStorage.getItem(ANON_KEY)).toBeNull();
expect(setItemSpy).not.toHaveBeenCalled();
// Editing the still-oversized tree fires another debounced write, but the
// "too large" warn is gated by the once-flag — no per-tick console spam.
store.set(treeDataAtom, [huge, node("big2")]);
vi.advanceTimersByTime(DEBOUNCE_MS + 100);
flushPendingTreeDataWrites();
expect(localStorage.getItem(ANON_KEY)).toBeNull();
expect(warnSpy).toHaveBeenCalledTimes(1);
expect(warnSpy).toHaveBeenCalledWith(
"[tree] cached tree too large to persist; skipping",
ANON_KEY,
);
});
it("disables persistence after clearPersistedTreeCaches: NEW writes never reach storage", async () => {
vi.useFakeTimers();
const { treeDataAtom, clearPersistedTreeCaches, flushPendingTreeDataWrites } =
await freshImport();
const store = createStore();
clearPersistedTreeCaches();
// The resurrection scenario: a websocket tree event lands while `await
// logout()` is still in flight, AFTER the sweep. The write must not be
// queued, must not arm a new debounce timer, and must not survive the
// beforeunload flush fired by the logout redirect.
store.set(treeDataAtom, [node("late")]);
vi.advanceTimersByTime(DEBOUNCE_MS + 100);
flushPendingTreeDataWrites(); // what the beforeunload handler runs
expect(persistedTreeDataKeys()).toEqual([]);
// Only PERSISTENCE is disabled: the in-memory atom keeps working, so the
// UI stays intact during the brief pre-redirect window.
expect(store.get(treeDataAtom).map((n) => n.id)).toEqual(["late"]);
});
});
@@ -1,206 +1,8 @@
import { atom } from "jotai";
import { atomFamily, atomWithStorage } from "jotai/utils";
import { SpaceTreeNode } from "@/features/page/tree/types";
import { appendNodeChildren } from "../utils";
import {
OPEN_TREE_NODES_KEY_PREFIX,
scopeKeyAtom,
} from "./open-tree-nodes-atom";
// The sidebar tree is persisted to localStorage so a page reload can paint the
// last-known tree IMMEDIATELY (no blank sidebar while the root query runs) and
// then reconcile with the server in the background. localStorage is a BOOT
// CACHE only — the in-memory atom stays the source of truth while the app runs.
// Trailing-debounce machinery for the localStorage writes. The tree is
// rewritten on every lazy load / drag / socket event; serializing a large tree
// on each update would burn CPU and thrash the storage quota, so writes are
// coalesced (~500 ms per burst) and only the latest value per key is flushed.
const WRITE_DEBOUNCE_MS = 500;
// Single source of truth for the tree-cache localStorage key prefix. The `v1`
// segment versions the cached node shape (bump it when SpaceTreeNode changes
// incompatibly). Shared by the storage key construction below AND the logout
// sweep in clearPersistedTreeCaches() so the two can never drift apart.
export const TREE_DATA_KEY_PREFIX = "treeData:v1:";
// Size guard: skip persisting trees whose JSON exceeds ~4M chars. localStorage
// quota is typically ~5 MB per origin; a huge tree must not evict everything
// else or spam QuotaExceededError on every debounce tick.
const MAX_SERIALIZED_LENGTH = 4_000_000;
const pendingWrites = new Map<string, SpaceTreeNode[]>();
let flushTimer: ReturnType<typeof setTimeout> | null = null;
let writeFailureWarned = false;
// Persistence kill-switch, armed by clearPersistedTreeCaches(). Once set, the
// debounced setItem and the flush become no-ops so nothing can be written back
// to localStorage AFTER the logout sweep: a websocket tree event landing while
// `await logout()` is still in flight would otherwise re-queue a write that
// the `beforeunload` flush (fired by the redirect) silently resurrects.
// Intentionally never reset: every caller of clearPersistedTreeCaches()
// immediately navigates away with a full page load
// (window.location.replace/href), so this module instance is torn down anyway.
// Only PERSISTENCE stops — the in-memory atoms keep working, so the UI stays
// intact during the brief pre-redirect window.
let persistenceDisabled = false;
function writeNow(key: string, value: SpaceTreeNode[]): void {
try {
const serialized = JSON.stringify(value);
if (serialized.length > MAX_SERIALIZED_LENGTH) {
// Warn ONCE, like the quota branch below: a >4M-char tree re-serializes on
// every ~500ms debounce tick while it's edited, so an un-gated warn would
// spam the console on each flush.
if (!writeFailureWarned) {
writeFailureWarned = true;
console.warn("[tree] cached tree too large to persist; skipping", key);
}
return;
}
localStorage.setItem(key, serialized);
} catch (err) {
// QuotaExceededError, private mode, jsdom shims without working storage…
// The cache is best-effort: warn once, keep the in-memory tree working.
if (!writeFailureWarned) {
writeFailureWarned = true;
console.warn("[tree] failed to persist tree cache", err);
}
}
}
// Exported so tests can force the debounced write synchronously; production
// code must never need it (the beforeunload hook below covers reloads).
export function flushPendingTreeDataWrites(): void {
if (flushTimer !== null) {
clearTimeout(flushTimer);
flushTimer = null;
}
if (persistenceDisabled) {
// Belt-and-braces: after logout nothing may reach localStorage, even via
// the beforeunload flush racing the redirect. Drop anything queued.
pendingWrites.clear();
return;
}
for (const [key, value] of pendingWrites) {
writeNow(key, value);
}
pendingWrites.clear();
}
// Logout hygiene: the tree cache stores PAGE TITLES, so leaving it behind
// would keep them readable in localStorage on a shared machine after logout.
// Sweep by key prefix (not just the current scope) so stale scopes — old
// users, the `anon:anon` fallback — are purged too. Pending debounced writes
// are DISCARDED first (not flushed): a queued write firing after the sweep
// would silently resurrect a removed key.
export function clearPersistedTreeCaches(): void {
// Disable persistence FIRST so no write can be queued (or flushed) between
// the sweep below and the full-page navigation every caller performs next.
persistenceDisabled = true;
if (flushTimer !== null) {
clearTimeout(flushTimer);
flushTimer = null;
}
pendingWrites.clear();
try {
// Collect matching keys BEFORE removing: deleting while iterating
// `localStorage.key(i)` shifts the indices and skips entries.
const keysToRemove: string[] = [];
for (let i = 0; i < localStorage.length; i++) {
const key = localStorage.key(i);
if (
key !== null &&
(key.startsWith(TREE_DATA_KEY_PREFIX) ||
key.startsWith(OPEN_TREE_NODES_KEY_PREFIX))
) {
keysToRemove.push(key);
}
}
for (const key of keysToRemove) {
localStorage.removeItem(key);
}
} catch {
// Best-effort: disabled storage / jsdom shims must never break logout.
}
}
// Flush the pending debounced write on unload so a reload right after a tree
// change doesn't lose the newest state (the debounce would otherwise eat it).
if (
typeof window !== "undefined" &&
typeof window.addEventListener === "function"
) {
window.addEventListener("beforeunload", flushPendingTreeDataWrites);
}
// Custom sync storage for the tree cache. Deliberately NO `subscribe` key:
// cross-tab sync would REPLACE this tab's tree wholesale and clobber in-flight
// lazy loads; websockets already keep every open tab live. Each tab keeps its
// own in-memory tree — localStorage only seeds the next boot.
const treeDataStorage = {
getItem: (key: string, initialValue: SpaceTreeNode[]): SpaceTreeNode[] => {
// Defensive: jsdom test shims may lack methods, stored JSON may be
// corrupted or of a wrong shape. Any failure falls back to the empty tree.
try {
const raw = localStorage.getItem(key);
if (raw === null) return initialValue;
const parsed = JSON.parse(raw);
return Array.isArray(parsed) ? (parsed as SpaceTreeNode[]) : initialValue;
} catch {
return initialValue;
}
},
setItem: (key: string, newValue: SpaceTreeNode[]): void => {
// After logout the cache must stay purged: neither queue the write nor arm
// a new flush timer (see persistenceDisabled above). The in-memory atom
// value is unaffected — only the localStorage mirror is frozen.
if (persistenceDisabled) return;
pendingWrites.set(key, newValue);
if (flushTimer !== null) clearTimeout(flushTimer);
flushTimer = setTimeout(flushPendingTreeDataWrites, WRITE_DEBOUNCE_MS);
},
removeItem: (key: string): void => {
pendingWrites.delete(key);
try {
localStorage.removeItem(key);
} catch {
/* best-effort cache — ignore */
}
},
};
// One persisted tree per (workspace, user) — same scoping rationale as the
// open-map atom (accounts sharing a browser origin must not leak trees).
// `getOnInit: true` reads localStorage synchronously at atom init, so the very
// first render already has the cached tree — no blank-then-jump sidebar.
const treeDataFamily = atomFamily((scopeKey: string) =>
atomWithStorage<SpaceTreeNode[]>(
`${TREE_DATA_KEY_PREFIX}${scopeKey}`,
[],
treeDataStorage,
{ getOnInit: true },
),
);
// Public facade — same read value (SpaceTreeNode[]) and same setter shape
// (value OR functional updater) as the previous in-memory atom, transparently
// routed to the persisted tree of the current workspace/user.
export const treeDataAtom = atom(
(get) => get(treeDataFamily(get(scopeKeyAtom))),
(
get,
set,
update: SpaceTreeNode[] | ((prev: SpaceTreeNode[]) => SpaceTreeNode[]),
) => {
const target = treeDataFamily(get(scopeKeyAtom));
const next =
typeof update === "function"
? (update as (prev: SpaceTreeNode[]) => SpaceTreeNode[])(get(target))
: update;
set(target, next);
},
);
export const treeDataAtom = atom<SpaceTreeNode[]>([]);
// Atom
export const appendNodeChildrenAtom = atom(
@@ -1,222 +0,0 @@
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import { createRef } from "react";
import { render, act, waitFor, cleanup } from "@testing-library/react";
// --- Mocks for the heavy / networked module graph ---------------------------
// Same isolation strategy as space-tree.expand-all.test.tsx: everything that
// would otherwise need a real server / router / DnD stack is mocked. Here we
// additionally CAPTURE the DocTree props (onToggle + data) so the test can
// drive a lazy-load expand exactly as a row click would, and we control
// fetchAllAncestorChildren to assert the fresh fetch happens.
const fetchAllAncestorChildrenMock = vi.fn();
// Holder mutated by the DocTree stub each render so the test can read the
// latest tree it was handed and invoke its onToggle callback.
const docTree: {
onToggle?: (id: string, isOpen: boolean) => void | Promise<void>;
data: unknown[];
} = { data: [] };
vi.mock("@/features/page/services/page-service.ts", () => ({
getSpaceTree: vi.fn(),
getPageBreadcrumbs: vi.fn(),
}));
vi.mock("@/features/page/queries/page-query.ts", () => ({
// No root pages and no further pages — the server data-load effect stays
// inert (isDataLoaded never flips), so refreshOpenBranches never runs and the
// test exercises ONLY the boot-prune + handleToggle lazy-load path against
// the hydrated cache we seed into the atom below.
useGetRootSidebarPagesQuery: () => ({
data: undefined,
hasNextPage: false,
fetchNextPage: vi.fn(),
isFetching: false,
}),
usePageQuery: () => ({ data: undefined }),
fetchAllAncestorChildren: (...args: unknown[]) =>
fetchAllAncestorChildrenMock(...args),
}));
vi.mock("@/features/page/tree/hooks/use-tree-mutation.ts", () => ({
useTreeMutation: () => ({ handleMove: vi.fn() }),
}));
vi.mock("@mantine/notifications", () => ({
notifications: { show: vi.fn() },
}));
vi.mock("react-i18next", () => ({
useTranslation: () => ({ t: (key: string) => key }),
}));
vi.mock("react-router-dom", () => ({
useParams: () => ({ pageSlug: undefined }),
}));
vi.mock("@/lib", () => ({
extractPageSlugId: () => undefined,
}));
vi.mock("@/lib/config.ts", () => ({
isCompactPageTreeEnabled: () => false,
}));
// Capture the props DocTree is rendered with instead of rendering anything.
vi.mock("./doc-tree", () => ({
DocTree: (props: { onToggle: (id: string, isOpen: boolean) => void; data: unknown[] }) => {
docTree.onToggle = props.onToggle;
docTree.data = props.data;
return null;
},
ROW_HEIGHT_COMPACT: 28,
ROW_HEIGHT_STANDARD: 32,
}));
vi.mock("./space-tree-row", () => ({
SpaceTreeRow: () => null,
}));
vi.mock("@mantine/core", () => ({
Text: ({ children }: { children?: unknown }) => children ?? null,
}));
// In-memory open-map (the real one is localStorage-backed and crashes under the
// jsdom shim). Empty at start of each test -> every branch is COLLAPSED, which
// is exactly the state we need to prove the boot-prune. `scopeKeyAtom` is
// re-exported because the persisted tree-data atom resolves its scope through it.
vi.mock("@/features/page/tree/atoms/open-tree-nodes-atom.ts", async () => {
const { atom } = await import("jotai");
type OpenMap = Record<string, boolean>;
const base = atom<OpenMap>({});
const openTreeNodesAtom = atom(
(get) => get(base),
(get, set, update: OpenMap | ((prev: OpenMap) => OpenMap)) => {
const next =
typeof update === "function"
? (update as (prev: OpenMap) => OpenMap)(get(base))
: update;
set(base, next);
},
);
const scopeKeyAtom = atom(() => "test-workspace:test-user");
return { openTreeNodesAtom, scopeKeyAtom };
});
import SpaceTree, { SpaceTreeApi } from "./space-tree";
import {
treeDataAtom,
flushPendingTreeDataWrites,
} from "@/features/page/tree/atoms/tree-data-atom.ts";
import { createStore, Provider } from "jotai";
import type { SpaceTreeNode } from "@/features/page/tree/types.ts";
// The scopeKeyAtom mock resolves to this fixed scope, so the persisted
// tree-data atom hydrates from exactly this localStorage key at mount
// (getOnInit + atomWithStorage's onMount both read it).
const CACHE_KEY = "treeData:v1:test-workspace:test-user";
function child(
id: string,
parentPageId: string,
hasChildren = false,
): SpaceTreeNode {
return {
id,
slugId: `slug-${id}`,
name: id,
position: "a0",
spaceId: "space-1",
parentPageId,
hasChildren,
children: [],
};
}
// A hydrated boot cache: a COLLAPSED branch (not in the open-map) that still
// carries a stale cached child — the exact shape a previous session left behind
// after the branch was expanded then collapsed then persisted.
function cachedTreeWithCollapsedBranch(): SpaceTreeNode[] {
return [
{
id: "branch",
slugId: "slug-branch",
name: "branch",
position: "a0",
spaceId: "space-1",
parentPageId: null as unknown as string,
hasChildren: true,
children: [child("stale", "branch")],
},
];
}
beforeEach(() => {
fetchAllAncestorChildrenMock.mockReset();
docTree.onToggle = undefined;
docTree.data = [];
// Flush any pending debounced write from a previous test before clearing.
flushPendingTreeDataWrites();
try {
localStorage.clear?.();
} catch {
/* fresh store per test isolates state */
}
});
afterEach(() => {
cleanup();
});
describe("SpaceTree boot-cache prune (#159 #8 stale collapsed children)", () => {
it("drops a collapsed cached branch's children on boot and fetches fresh on first expand", async () => {
// Server returns FRESH children on the lazy-load: the stale cached child is
// gone, a renamed/new one takes its place.
fetchAllAncestorChildrenMock.mockResolvedValue([child("fresh", "branch")]);
// Simulate the localStorage-hydrated boot cache: seed the persisted key
// BEFORE mount so the atom hydrates it (store.set would be clobbered by
// atomWithStorage's onMount re-reading storage — this is the real path).
localStorage.setItem(
CACHE_KEY,
JSON.stringify(cachedTreeWithCollapsedBranch()),
);
const store = createStore();
const ref = createRef<SpaceTreeApi>();
render(
<Provider store={store}>
<SpaceTree ref={ref} spaceId="space-1" readOnly={false} />
</Provider>,
);
// Boot-prune ran at mount: the COLLAPSED branch's cached children were
// dropped to the unloaded shape ([]), so the stale child is no longer there.
const branchAfterBoot = docTree.data.find(
(n) => (n as SpaceTreeNode).id === "branch",
) as SpaceTreeNode;
expect(branchAfterBoot.children).toEqual([]);
expect(branchAfterBoot.hasChildren).toBe(true);
// First expand of the collapsed branch after boot must lazy-load fresh
// children (before this fix the cached children were kept and the fetch
// was skipped, showing stale data).
await act(async () => {
await docTree.onToggle!("branch", true);
});
expect(fetchAllAncestorChildrenMock).toHaveBeenCalledTimes(1);
expect(fetchAllAncestorChildrenMock).toHaveBeenCalledWith({
pageId: "branch",
spaceId: "space-1",
});
// The fresh children replaced the stale cache in the live tree.
await waitFor(() => {
const branch = store
.get(treeDataAtom)
.find((n) => n.id === "branch")!;
expect(branch.children.map((c) => c.id)).toEqual(["fresh"]);
});
});
});
@@ -71,8 +71,7 @@ vi.mock("@mantine/core", () => ({
// getOnInit), which crashes under jsdom's localStorage shim here. Swap in a
// plain in-memory atom with the same read value (OpenMap) and the same setter
// shape (value OR functional updater) so the component's open-state logic runs
// unchanged while staying inside the test store. `scopeKeyAtom` is also
// re-exported (the real module exports it for the persisted tree-data atom).
// unchanged while staying inside the test store.
vi.mock("@/features/page/tree/atoms/open-tree-nodes-atom.ts", async () => {
const { atom } = await import("jotai");
type OpenMap = Record<string, boolean>;
@@ -87,17 +86,11 @@ vi.mock("@/features/page/tree/atoms/open-tree-nodes-atom.ts", async () => {
set(base, next);
},
);
// Fixed scope key: the tree-data atom family resolves through this, so all
// tests read/write the same (empty at start of each test) storage key.
const scopeKeyAtom = atom(() => "test-workspace:test-user");
return { openTreeNodesAtom, scopeKeyAtom };
return { openTreeNodesAtom };
});
import SpaceTree, { SpaceTreeApi } from "./space-tree";
import {
treeDataAtom,
flushPendingTreeDataWrites,
} from "@/features/page/tree/atoms/tree-data-atom.ts";
import { treeDataAtom } from "@/features/page/tree/atoms/tree-data-atom.ts";
import { openTreeNodesAtom } from "@/features/page/tree/atoms/open-tree-nodes-atom.ts";
import { createStore, Provider } from "jotai";
import type { SpaceTreeNode } from "@/features/page/tree/types.ts";
@@ -141,10 +134,6 @@ function renderTree(store: ReturnType<typeof createStore>) {
beforeEach(() => {
getSpaceTreeMock.mockReset();
notificationsShowMock.mockReset();
// The tree-data atom persists via a ~500 ms trailing debounce; flush it NOW
// (cancelling the timer) so a previous test's pending write can't land in
// storage mid-test after the clear below.
flushPendingTreeDataWrites();
// jsdom's localStorage shim here lacks `clear`; guard it. Each test uses a
// fresh jotai store anyway, so cross-test open-state never leaks.
try {
@@ -30,7 +30,6 @@ import {
openBranches,
closeIds,
loadedOpenBranchIds,
pruneCollapsedChildren,
} from "@/features/page/tree/utils/utils.ts";
import { SpaceTreeNode } from "@/features/page/tree/types.ts";
import { treeModel } from "@/features/page/tree/model/tree-model";
@@ -200,81 +199,45 @@ const SpaceTree = forwardRef<SpaceTreeApi, SpaceTreeProps>(function SpaceTree(
const openIdsRef = useRef(openIds);
openIdsRef.current = openIds;
// Boot-cache hygiene (#159 #8): the localStorage-hydrated tree carries the
// children of every branch ever expanded, including ones now COLLAPSED. Their
// first expand would skip the lazy-load and render stale children (a
// rename/move/delete missed while offline). Drop the cached children of every
// COLLAPSED branch ONCE at mount so its first expand fetches fresh via
// handleToggle — exactly as it did before the tree was cached. OPEN branches
// keep their children and are refreshed by refreshOpenBranches instead, so
// this runs before any expand and never double-fetches an open branch.
const prunedBootCacheRef = useRef(false);
useEffect(() => {
if (prunedBootCacheRef.current) return;
prunedBootCacheRef.current = true;
setData((prev) => pruneCollapsedChildren(prev, openIdsRef.current));
}, [setData]);
// Re-fetch and reconcile the children of every currently-open, already-loaded
// branch of THIS space. Shared by the socket reconnect handler and the
// post-load cache refresh below. The ROOT level is reconciled separately by
// the root-query refetch + mergeRootTrees; an UNLOADED branch is skipped
// (lazy-load fetches it fresh on expand). Reads refs so it always sees the
// latest tree/open-state/space without re-creating the callback.
const refreshOpenBranches = useCallback(async () => {
const effectSpaceId = spaceIdRef.current;
const branchIds = loadedOpenBranchIds(
dataRef.current.filter((n) => n?.spaceId === effectSpaceId),
openIdsRef.current,
);
if (branchIds.length === 0) return;
for (const id of branchIds) {
try {
// `fresh: true` bypasses the 30-min sidebar-pages cache so the
// reconcile sees the server's CURRENT children (handler-order
// independent — no reliance on the global reconnect invalidation).
const fresh = await fetchAllAncestorChildren(
{ pageId: id, spaceId: effectSpaceId },
{ fresh: true },
);
if (spaceIdRef.current !== effectSpaceId) return; // space switched
setData((prev) => treeModel.reconcileChildren(prev, id, fresh));
} catch (err) {
console.error("[tree] open branch refresh failed", err);
}
}
}, [setData]);
// Reconnect refresh (#159 #8): on a socket reconnect, refresh open branches
// Reconnect refresh (#159 #8): on a socket reconnect, re-fetch and reconcile
// the children of every currently-open, already-loaded branch of THIS space,
// so a move/rename/delete that happened INSIDE a loaded branch while events
// were missed (laptop sleep / wifi gap) is reflected instead of left stale.
// No first-connect guard is needed: space-tree usually mounts AFTER the
// initial connect, so every `connect` it sees is a reconnect; the rare
// The ROOT level is reconciled separately by the root-query refetch +
// mergeRootTrees; an UNLOADED branch is skipped (lazy-load fetches it fresh on
// expand). No first-connect guard is needed: space-tree usually mounts AFTER
// the initial connect, so every `connect` it sees is a reconnect; the rare
// initial-connect case has an empty tree, so the refresh is a harmless no-op.
useEffect(() => {
if (!socket) return;
const onConnect = () => {
refreshOpenBranches();
const onConnect = async () => {
const effectSpaceId = spaceIdRef.current;
const branchIds = loadedOpenBranchIds(
dataRef.current.filter((n) => n?.spaceId === effectSpaceId),
openIdsRef.current,
);
if (branchIds.length === 0) return;
for (const id of branchIds) {
try {
// `fresh: true` bypasses the 30-min sidebar-pages cache so the
// reconcile sees the server's CURRENT children (handler-order
// independent — no reliance on the global reconnect invalidation).
const fresh = await fetchAllAncestorChildren(
{ pageId: id, spaceId: effectSpaceId },
{ fresh: true },
);
if (spaceIdRef.current !== effectSpaceId) return; // space switched
setData((prev) => treeModel.reconcileChildren(prev, id, fresh));
} catch (err) {
console.error("[tree] reconnect branch refresh failed", err);
}
}
};
socket.on("connect", onConnect);
return () => {
socket.off("connect", onConnect);
};
}, [socket, refreshOpenBranches]);
// Post-load cache refresh: the sidebar paints instantly from the
// localStorage-cached tree, so children of open branches may be stale. Once
// the server root set has been merged for this space (isDataLoaded flips
// true), refresh every open, already-loaded branch ONCE per space per mount.
// dataRef.current is already up to date here: refs are assigned during
// render, and this effect runs after the merge-triggered re-render commit.
const refreshedSpacesRef = useRef<Set<string>>(new Set());
useEffect(() => {
if (!isDataLoaded) return;
if (refreshedSpacesRef.current.has(spaceId)) return;
refreshedSpacesRef.current.add(spaceId);
refreshOpenBranches();
}, [isDataLoaded, spaceId, refreshOpenBranches]);
}, [socket, setData]);
const handleToggle = useCallback(
async (id: string, isOpen: boolean) => {
@@ -370,17 +333,12 @@ const SpaceTree = forwardRef<SpaceTreeApi, SpaceTreeProps>(function SpaceTree(
return (
<div className={classes.treeContainer}>
{/* "No pages yet" only after the SERVER confirmed the space is empty
never while just the localStorage cache is empty. */}
{isDataLoaded && filteredData.length === 0 && (
<Text size="xs" c="dimmed" py="xs" px="sm">
{t("No pages yet")}
</Text>
)}
{/* Cache-first paint: render as soon as ANY data exists (synchronous
localStorage hydration) instead of waiting for the server round-trip;
the background merge/refresh reconciles it afterwards. */}
{filteredData.length > 0 && (
{isDataLoaded && filteredData.length > 0 && (
<DocTree<SpaceTreeNode>
data={filteredData}
openIds={openIds}
@@ -8,7 +8,6 @@ import {
closeIds,
mergeRootTrees,
loadedOpenBranchIds,
pruneCollapsedChildren,
sortPositionKeys,
pageToTreeNode,
} from "./utils";
@@ -439,62 +438,3 @@ describe("loadedOpenBranchIds (#159 #8 reconnect refresh targets)", () => {
expect(ids.sort()).toEqual(["a", "a1"]);
});
});
describe("pruneCollapsedChildren", () => {
// Signature: pruneCollapsedChildren(tree: SpaceTreeNode[], openIds:
// ReadonlySet<string>): SpaceTreeNode[]. Collapsed nodes (id NOT in openIds)
// are reset to `children: []` (hasChildren untouched); open nodes keep their
// children but are recursed into so a collapsed branch nested under an open
// one is still pruned.
//
// Fixture:
// open "p" (in openIds, hasChildren)
// └─ collapsed "c" (NOT in openIds) with STALE child "g"
// collapsed "t" (NOT in openIds) with child "t1"
// Only "p" is open.
function fixture() {
const grandchild = treeNode("g"); // stale, cached under the collapsed child
const collapsedChild = treeNode("c", [grandchild]);
const openParent = treeNode("p", [collapsedChild]);
const topCollapsed = treeNode("t", [treeNode("t1")]);
return { openParent, collapsedChild, topCollapsed };
}
it("keeps an OPEN parent's children and recurses to prune a nested collapsed branch; prunes a top-level collapsed node", () => {
const { openParent, topCollapsed } = fixture();
const tree = [openParent, topCollapsed];
const result = pruneCollapsedChildren(tree, new Set(["p"]));
// (a) OPEN parent keeps its children (not cleared) and hasChildren stays true.
const p = result[0];
expect(p.id).toBe("p");
expect(p.hasChildren).toBe(true);
expect(p.children).toHaveLength(1);
// (b) The nested COLLAPSED child under the open parent is pruned to
// `children: []` by the recursion, with hasChildren preserved. This is the
// open-keep + recurse branch that F1's empty-open-set fixture never hits.
const c = p.children[0];
expect(c.id).toBe("c");
expect(c.children).toEqual([]);
expect(c.hasChildren).toBe(true);
// (c) The top-level collapsed node is pruned to `children: []`, hasChildren kept.
const t = result[1];
expect(t.id).toBe("t");
expect(t.children).toEqual([]);
expect(t.hasChildren).toBe(true);
});
it("does not mutate the input tree (returns fresh nodes)", () => {
const { openParent, collapsedChild, topCollapsed } = fixture();
const tree = [openParent, topCollapsed];
pruneCollapsedChildren(tree, new Set(["p"]));
// Originals are untouched: the collapsed child still carries its stale grandchild.
expect(collapsedChild.children).toHaveLength(1);
expect(collapsedChild.children[0].id).toBe("g");
expect(openParent.children[0]).toBe(collapsedChild);
expect(topCollapsed.children).toHaveLength(1);
});
});
@@ -293,41 +293,6 @@ export function loadedOpenBranchIds(
return ids;
}
/**
* Boot-cache hygiene (#159 #8): the persisted tree keeps the children of EVERY
* branch ever expanded collapsing a branch never prunes them. So on reload a
* COLLAPSED branch hydrates with its old cached children, and `handleToggle`
* skips the lazy-load on first expand (children already present) it shows
* STALE children (renamed / moved / deleted while the user was offline) with no
* reconcile. `refreshOpenBranches` only refreshes OPEN branches, so collapsed
* ones slip through.
*
* Fix: drop the cached children of every node NOT in the persisted open-set,
* resetting it to the canonical UNLOADED shape (`children: []`, `hasChildren`
* untouched see pageToTreeNode). Its first expand then lazy-loads fresh, just
* as it did before the tree was cached to localStorage. OPEN branches keep
* their children (refreshOpenBranches reconciles those, so they must not be
* dropped here) and are recursed into so a collapsed branch nested under an
* open one is pruned too.
*/
export function pruneCollapsedChildren(
tree: SpaceTreeNode[],
openIds: ReadonlySet<string>,
): SpaceTreeNode[] {
return tree.map((node) => {
const hasLoadedChildren = !!node.children && node.children.length > 0;
if (!openIds.has(node.id)) {
// Collapsed: drop the whole cached subtree so it reads as unloaded.
return hasLoadedChildren ? { ...node, children: [] } : node;
}
// Open: keep it, but recurse into its children (a nested collapsed branch
// must still be pruned).
return hasLoadedChildren
? { ...node, children: pruneCollapsedChildren(node.children, openIds) }
: node;
});
}
// Collect every node id in the tree (roots, branches, leaves). Used by
// collapseAll to clear the open-state map for all current-space nodes.
export function collectAllIds(nodes: SpaceTreeNode[]): string[] {
@@ -0,0 +1,240 @@
import {
describe,
it,
expect,
vi,
beforeAll,
afterEach,
} from "vitest";
import {
render,
screen,
cleanup,
fireEvent,
waitFor,
} from "@testing-library/react";
import { MantineProvider } from "@mantine/core";
// --- Mocks for the heavy / networked module graph ---------------------------
// EditSpaceForm wires the "Enable Git sync" Switch to a TanStack-Query mutation
// (useUpdateSpaceMutation). We mock ONLY that hook so the test fully controls
// mutateAsync (resolve / reject) and isPending, and stub i18n. The real Mantine
// Switch is rendered so the checkbox role / disabled state is meaningful.
// i18n: identity translator — labels stay as their English keys for queries.
vi.mock("react-i18next", () => ({
useTranslation: () => ({ t: (key: string) => key }),
}));
// Mutation hook: a controllable mutateAsync plus a togglable isPending.
const mutateAsync = vi.fn();
let isPending = false;
vi.mock("@/features/space/queries/space-query.ts", () => ({
useUpdateSpaceMutation: () => ({
mutateAsync,
get isPending() {
return isPending;
},
}),
}));
// jsdom lacks matchMedia, which MantineProvider's color-scheme hook needs.
beforeAll(() => {
if (!window.matchMedia) {
window.matchMedia = (query: string) =>
({
matches: false,
media: query,
onchange: null,
addListener: () => {},
removeListener: () => {},
addEventListener: () => {},
removeEventListener: () => {},
dispatchEvent: () => false,
}) as unknown as MediaQueryList;
}
});
import { EditSpaceForm } from "./edit-space-form";
import type { ISpace } from "@/features/space/types/space.types.ts";
function makeSpace(overrides: Partial<ISpace> = {}): ISpace {
return {
id: "space-1",
name: "Engineering",
description: "",
slug: "eng",
hostname: "host",
creatorId: "u1",
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
...overrides,
} as ISpace;
}
function renderForm(props: { space: ISpace; readOnly?: boolean }) {
return render(
<MantineProvider>
<EditSpaceForm space={props.space} readOnly={props.readOnly} />
</MantineProvider>,
);
}
// The form now renders TWO switches (git-sync enable + auto-merge-conflicts) in
// that DOM order. Mantine renders each as an <input type="checkbox"
// role="switch"> but does NOT expose its label as the accessible name, so we
// disambiguate by DOM order (index 0 = enable, 1 = auto-merge) and assert the
// human-readable label text is present alongside.
function getToggle(): HTMLInputElement {
screen.getByText("Enable Git sync");
return screen.getAllByRole("switch")[0] as HTMLInputElement;
}
function getAutoMergeToggle(): HTMLInputElement {
screen.getByText("Auto-merge conflicts on push");
return screen.getAllByRole("switch")[1] as HTMLInputElement;
}
afterEach(() => {
cleanup();
mutateAsync.mockReset();
isPending = false;
});
describe("EditSpaceForm git-sync toggle", () => {
// Test 3: initial checked state derives from settings.gitSync.enabled ?? false.
it("derives initial checked state from space.settings.gitSync.enabled (true -> checked)", () => {
renderForm({
space: makeSpace({ settings: { gitSync: { enabled: true } } }),
});
expect(getToggle().checked).toBe(true);
});
it("defaults to unchecked when gitSync settings are missing", () => {
renderForm({ space: makeSpace() });
expect(getToggle().checked).toBe(false);
});
// Test 4: toggling fires the mutation with { spaceId, gitSyncEnabled } and
// optimistically flips the switch.
it("fires the mutation with the correct payload and optimistically flips on", async () => {
mutateAsync.mockResolvedValue(undefined);
renderForm({ space: makeSpace() });
const toggle = getToggle();
expect(toggle.checked).toBe(false);
fireEvent.click(toggle);
// Optimistic update: the switch reflects the new state immediately.
expect(toggle.checked).toBe(true);
expect(mutateAsync).toHaveBeenCalledTimes(1);
expect(mutateAsync).toHaveBeenCalledWith({
spaceId: "space-1",
gitSyncEnabled: true,
});
// Resolution leaves the toggle on.
await waitFor(() => expect(toggle.checked).toBe(true));
});
// Test 5: rollback on mutation error — the most valuable test.
it("rolls back the toggle to its prior state when the mutation rejects", async () => {
mutateAsync.mockRejectedValue(new Error("network"));
renderForm({
space: makeSpace({ settings: { gitSync: { enabled: false } } }),
});
const toggle = getToggle();
expect(toggle.checked).toBe(false);
fireEvent.click(toggle);
// Optimistically flips on before the rejection lands.
expect(toggle.checked).toBe(true);
expect(mutateAsync).toHaveBeenCalledWith({
spaceId: "space-1",
gitSyncEnabled: true,
});
// After the rejected promise settles, the component reverts to OFF so the
// user is not misled into believing sync is enabled.
await waitFor(() => expect(toggle.checked).toBe(false));
});
// Test 6: disabled when readOnly and when the mutation is pending.
it("disables the toggle when readOnly", () => {
renderForm({ space: makeSpace(), readOnly: true });
expect(getToggle().disabled).toBe(true);
});
it("disables the toggle while the mutation is pending", () => {
isPending = true;
renderForm({ space: makeSpace() });
expect(getToggle().disabled).toBe(true);
});
});
describe("EditSpaceForm auto-merge-conflicts toggle", () => {
it("derives initial checked state from space.settings.gitSync.autoMergeConflicts (true -> checked)", () => {
renderForm({
space: makeSpace({
settings: { gitSync: { autoMergeConflicts: true } },
}),
});
expect(getAutoMergeToggle().checked).toBe(true);
});
it("defaults to unchecked when autoMergeConflicts is missing (SAFE default)", () => {
renderForm({ space: makeSpace() });
expect(getAutoMergeToggle().checked).toBe(false);
});
it("fires the mutation with { spaceId, autoMergeConflicts } and optimistically flips on", async () => {
mutateAsync.mockResolvedValue(undefined);
renderForm({ space: makeSpace() });
const toggle = getAutoMergeToggle();
expect(toggle.checked).toBe(false);
fireEvent.click(toggle);
// Optimistic update.
expect(toggle.checked).toBe(true);
expect(mutateAsync).toHaveBeenCalledTimes(1);
expect(mutateAsync).toHaveBeenCalledWith({
spaceId: "space-1",
autoMergeConflicts: true,
});
await waitFor(() => expect(toggle.checked).toBe(true));
});
it("rolls back to its prior state when the mutation rejects", async () => {
mutateAsync.mockRejectedValue(new Error("network"));
renderForm({
space: makeSpace({
settings: { gitSync: { autoMergeConflicts: false } },
}),
});
const toggle = getAutoMergeToggle();
expect(toggle.checked).toBe(false);
fireEvent.click(toggle);
expect(toggle.checked).toBe(true);
expect(mutateAsync).toHaveBeenCalledWith({
spaceId: "space-1",
autoMergeConflicts: true,
});
await waitFor(() => expect(toggle.checked).toBe(false));
});
it("disables the toggle when readOnly", () => {
renderForm({ space: makeSpace(), readOnly: true });
expect(getAutoMergeToggle().disabled).toBe(true);
});
});
@@ -1,5 +1,14 @@
import { Group, Box, Button, TextInput, Stack, Textarea } from "@mantine/core";
import React from "react";
import {
Group,
Box,
Button,
TextInput,
Stack,
Textarea,
Divider,
Switch,
} from "@mantine/core";
import React, { useState } from "react";
import { useForm } from "@mantine/form";
import { zod4Resolver } from "mantine-form-zod-resolver";
import { z } from "zod/v4";
@@ -29,6 +38,37 @@ export function EditSpaceForm({ space, readOnly }: EditSpaceFormProps) {
const { t } = useTranslation();
const updateSpaceMutation = useUpdateSpaceMutation();
const [gitSyncEnabled, setGitSyncEnabled] = useState<boolean>(
space?.settings?.gitSync?.enabled ?? false,
);
const [autoMergeConflicts, setAutoMergeConflicts] = useState<boolean>(
space?.settings?.gitSync?.autoMergeConflicts ?? false,
);
// One parameterized handler for both git-sync space toggles: they differ only by
// the local state setter, the mutation payload field, and the error label. The
// update is optimistic and reverts the local state on failure (the mutation
// surfaces a toast via onError; the raw error is still logged per AGENTS.md).
const handleToggle = async (
field: "gitSyncEnabled" | "autoMergeConflicts",
value: boolean,
previous: boolean,
setLocal: (next: boolean) => void,
errorLabel: string,
) => {
setLocal(value); // optimistic update
try {
await updateSpaceMutation.mutateAsync({
spaceId: space.id,
[field]: value,
});
} catch (err) {
setLocal(previous); // revert on failure
console.error(errorLabel, err);
}
};
const form = useForm<FormValues>({
validate: zod4Resolver(formSchema),
initialValues: {
@@ -104,6 +144,43 @@ export function EditSpaceForm({ space, readOnly }: EditSpaceFormProps) {
</Group>
)}
</form>
<Divider my="lg" />
<Switch
label={t("Enable Git sync")}
description={t("Sync this space's pages to a Git repository.")}
checked={gitSyncEnabled}
disabled={readOnly || updateSpaceMutation.isPending}
onChange={(event) =>
handleToggle(
"gitSyncEnabled",
event.currentTarget.checked,
gitSyncEnabled,
setGitSyncEnabled,
"Failed to toggle git-sync for space",
)
}
/>
<Switch
mt="md"
label={t("Auto-merge conflicts on push")}
description={t(
"When off (recommended), a page whose content still has unresolved Git conflict markers is skipped on push until you resolve the conflict in Git. When on, the markers are stripped and both sides' content is pushed.",
)}
checked={autoMergeConflicts}
disabled={readOnly || updateSpaceMutation.isPending}
onChange={(event) =>
handleToggle(
"autoMergeConflicts",
event.currentTarget.checked,
autoMergeConflicts,
setAutoMergeConflicts,
"Failed to toggle git-sync auto-merge-conflicts",
)
}
/>
</Box>
</>
);
@@ -13,9 +13,15 @@ export interface ISpaceCommentsSettings {
allowViewerComments?: boolean;
}
export interface ISpaceGitSyncSettings {
enabled?: boolean;
autoMergeConflicts?: boolean;
}
export interface ISpaceSettings {
sharing?: ISpaceSharingSettings;
comments?: ISpaceCommentsSettings;
gitSync?: ISpaceGitSyncSettings;
}
export interface ISpace {
@@ -35,6 +41,8 @@ export interface ISpace {
// for updates
disablePublicSharing?: boolean;
allowViewerComments?: boolean;
gitSyncEnabled?: boolean;
autoMergeConflicts?: boolean;
}
interface IMembership {
-7
View File
@@ -1,7 +1,6 @@
import axios, { AxiosInstance } from "axios";
import APP_ROUTE from "@/lib/app-route.ts";
import { isCloud } from "@/lib/config.ts";
import { clearPersistedTreeCaches } from "@/features/page/tree/atoms/tree-data-atom";
const api: AxiosInstance = axios.create({
baseURL: "/api",
@@ -72,12 +71,6 @@ function redirectToLogin() {
"/invites",
];
if (!exemptPaths.some((path) => window.location.pathname.startsWith(path))) {
// Forced logout (401 / expired session) must purge the persisted sidebar
// tree caches too: they contain page titles, and on a shared machine most
// sessions end via cookie expiry — not the logout button — so this is the
// only cleanup that runs on that path. It also disables further cache
// persistence until the full page load below.
clearPersistedTreeCaches();
const redirectTo = window.location.pathname;
if (redirectTo === APP_ROUTE.HOME) {
window.location.href = APP_ROUTE.AUTH.LOGIN;
+15 -3
View File
@@ -23,7 +23,7 @@
"migration:reset": "tsx src/database/migrate.ts down-to NO_MIGRATIONS",
"migration:codegen": "kysely-codegen --dialect=postgres --camel-case --env-file=../../.env --out-file=./src/database/types/db.d.ts",
"lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
"pretest": "pnpm --filter @docmost/editor-ext build",
"pretest": "pnpm --filter @docmost/editor-ext build && pnpm --filter @docmost/git-sync build && pnpm --filter @docmost/mcp build",
"test": "jest",
"test:int": "jest --config test/jest-integration.json",
"test:watch": "jest --watch",
@@ -41,6 +41,7 @@
"@aws-sdk/s3-request-presigner": "3.1050.0",
"@azure/storage-blob": "12.31.0",
"@clickhouse/client": "^1.18.2",
"@docmost/git-sync": "workspace:*",
"@docmost/mcp": "workspace:*",
"@docmost/pdf-inspector": "1.9.6",
"@fastify/cookie": "^11.0.2",
@@ -189,7 +190,12 @@
]
}
],
"^.+\\.(t|j)sx?$": "ts-jest"
"^.+\\.(t|j)sx?$": [
"ts-jest",
{
"isolatedModules": true
}
]
},
"transformIgnorePatterns": [
"/node_modules/(?!(\\.pnpm/)?(nanoid|uuid|image-dimensions|marked|happy-dom|lib0)(@|/))"
@@ -199,11 +205,17 @@
],
"coverageDirectory": "../coverage",
"testEnvironment": "node",
"setupFiles": [
"<rootDir>/../test/jest.setup.ts"
],
"moduleNameMapper": {
"^@docmost/db/(.*)$": "<rootDir>/database/$1",
"^@docmost/transactional/(.*)$": "<rootDir>/integrations/transactional/$1",
"^@docmost/ee/(.*)$": "<rootDir>/ee/$1",
"^src/(.*)$": "<rootDir>/$1"
"^src/(.*)$": "<rootDir>/$1",
"^@docmost/git-sync$": "<rootDir>/../../../packages/git-sync/src/index.ts",
"^@docmost/git-sync/(.*)$": "<rootDir>/../../../packages/git-sync/src/$1",
"^(\\.{1,2}/.*)\\.js$": "$1"
}
}
}
+2
View File
@@ -28,6 +28,7 @@ import { ClsModule } from 'nestjs-cls';
import { NoopAuditModule } from './integrations/audit/audit.module';
import { ThrottleModule } from './integrations/throttle/throttle.module';
import { McpModule } from './integrations/mcp/mcp.module';
import { GitSyncModule } from './integrations/git-sync/git-sync.module';
import { SandboxModule } from './integrations/sandbox/sandbox.module';
import { AiModule } from './integrations/ai/ai.module';
import { AiChatModule } from './core/ai-chat/ai-chat.module';
@@ -90,6 +91,7 @@ try {
TelemetryModule,
ThrottleModule,
McpModule,
GitSyncModule,
SandboxModule,
AiModule,
AiChatModule,
@@ -155,6 +155,45 @@ export class CollaborationGateway {
return this.hocuspocus.openDirectConnection(documentName, context);
}
/**
* Write a git-originated body into a page, applying the merge on the instance
* that OWNS the live Y.Doc so a connected editor CONVERGES on the change.
*
* git-sync must NOT use openDirectConnection directly for this: that opens the
* document on whichever instance/process runs git-sync (the API/worker). When
* an editor is connected to a DIFFERENT collab instance/process, that is a
* SEPARATE, detached Y.Doc the merge lands in the detached doc and the DB,
* but the live editor never receives the Yjs update; its next debounced
* autosave then overwrites the DB with its stale state and SILENTLY REVERTS
* the git change (the data-loss bug). Routing through the custom-event channel
* runs the merge on the owning instance's shared Document, whose update is
* broadcast to every connection (handleUpdate), so the editor's CRDT converges
* on the merged result.
*
* Without redis there is a single instance, so the write runs locally which
* is already the owning (and only) instance the editor is connected to.
*/
async writePageBody(
documentName: string,
payload: {
prosemirrorJson: unknown;
baseProsemirrorJson?: unknown;
userId: string;
},
): Promise<void> {
if (this.redisSync) {
await this.handleYjsEvent(
'gitSyncWriteBody',
documentName,
payload as any,
);
return;
}
await this.collabEventsService
.getHandlers(this.hocuspocus)
.gitSyncWriteBody(documentName, payload as any);
}
/*
*Can be used before calling openDirectConnection directly
*/
@@ -0,0 +1,262 @@
// Exercises the REAL `gitSyncWriteBody` collab handler (the owner-routed body
// write the data-loss fix introduces). The handler imports the editor graph via
// collaboration.util / yjs.util (tiptapExtensions -> editor-ext -> react-dom,
// unloadable under jest's node env, same coupling noted in
// gitmost-datasource.service.spec.ts), so we stub those + the transformer. The
// stubbed toYdoc builds paragraph blocks straight from the ProseMirror JSON so
// we can assert convergence on real text.
jest.mock('./collaboration.util', () => ({
tiptapExtensions: [],
getPageId: (name: string) => name.replace(/^page\./, ''),
prosemirrorNodeToYElement: jest.fn(),
}));
jest.mock('./yjs.util', () => ({
setYjsMark: jest.fn(),
updateYjsMarkAttribute: jest.fn(),
}));
jest.mock('@hocuspocus/transformer', () => {
const Yjs = require('yjs');
return {
TiptapTransformer: {
toYdoc: (json: any) => {
if (json?.__throw) throw new Error('boom: malformed doc');
const d = new Yjs.Doc();
const frag = d.getXmlFragment('default');
const blocks = (json?.content ?? []).map((node: any) => {
const el = new Yjs.XmlElement(node.type || 'paragraph');
const text = (node.content ?? [])
.map((t: any) => t.text ?? '')
.join('');
const t = new Yjs.XmlText();
if (text) t.insert(0, text);
el.insert(0, [t]);
return el;
});
if (blocks.length) frag.insert(0, blocks);
return d;
},
},
};
});
import * as Y from 'yjs';
import { CollaborationHandler } from './collaboration.handler';
const pmDoc = (...paras: string[]) => ({
type: 'doc',
content: paras.map((text) => ({
type: 'paragraph',
content: text ? [{ type: 'text', text }] : [],
})),
});
const texts = (frag: Y.XmlFragment): string[] =>
frag.toArray().map((el) =>
(el as Y.XmlElement)
.toArray()
.map((c) => (c as Y.XmlText).toString())
.join(''),
);
// Build a fake Hocuspocus whose openDirectConnection yields a DirectConnection
// over a REAL shared Document, with a connected "editor" doc that receives the
// shared doc's updates (modelling Document.handleUpdate's broadcast on the
// OWNING instance). Initial content carries live block ids; the editor starts
// fully synced with the shared doc.
function fakeHocuspocus(initial: { text: string; id: string }[]) {
const shared = new Y.Doc();
const frag = shared.getXmlFragment('default');
shared.transact(() => {
frag.insert(
0,
initial.map((s) => {
const el = new Y.XmlElement('paragraph');
el.setAttribute('id', s.id);
const t = new Y.XmlText();
if (s.text) t.insert(0, s.text);
el.insert(0, [t]);
return el;
}),
);
});
const editor = new Y.Doc();
Y.applyUpdate(editor, Y.encodeStateAsUpdate(shared));
// Broadcast relay: server-originated updates flow to the connected editor.
shared.on('update', (u: Uint8Array, origin: any) => {
if (origin !== 'editor') Y.applyUpdate(editor, u, 'server');
});
const openDirectConnection = jest.fn(async () => ({
// DirectConnection.transact runs the fn directly against the Document (no
// wrapping Y transaction), exactly like @hocuspocus/server.
transact: async (fn: (doc: Y.Doc) => void) => fn(shared),
disconnect: jest.fn(async () => undefined),
}));
return { hocuspocus: { openDirectConnection } as any, shared, editor };
}
describe('CollaborationHandler.gitSyncWriteBody (owner-routed body write)', () => {
it('converges a connected editor on the git change (no silent revert)', async () => {
const { hocuspocus, shared, editor } = fakeHocuspocus([
{ text: 'alpha', id: 'p1' },
{ text: 'beta', id: 'p2' },
]);
const handler = new CollaborationHandler();
const handlers = handler.getHandlers(hocuspocus);
// git changed block 1 beta -> beta2; base is the pre-change content.
await handlers.gitSyncWriteBody('page.x', {
prosemirrorJson: pmDoc('alpha', 'beta2'),
baseProsemirrorJson: pmDoc('alpha', 'beta'),
userId: 'svc-user',
});
// The shared (owning-instance) doc holds the merge...
expect(texts(shared.getXmlFragment('default'))).toEqual(['alpha', 'beta2']);
// ...and the connected editor CONVERGED via the broadcast (the bug would
// leave it on 'beta' and revert the page on its next autosave).
expect(texts(editor.getXmlFragment('default'))).toEqual(['alpha', 'beta2']);
});
it('preserves a concurrent edit to a DIFFERENT block (3-way, finding #2)', async () => {
const { hocuspocus, shared, editor } = fakeHocuspocus([
{ text: 'alpha', id: 'p1' },
{ text: 'beta', id: 'p2' },
]);
// The editor is actively editing block 0 while the push arrives.
const eFrag = editor.getXmlFragment('default');
editor.transact(
() => (eFrag.get(0) as Y.XmlElement).get(0) instanceof Y.XmlText &&
((eFrag.get(0) as Y.XmlElement).get(0) as Y.XmlText).insert(5, ' EDIT'),
'editor',
);
Y.applyUpdate(shared, Y.encodeStateAsUpdate(editor), 'editor');
const handler = new CollaborationHandler();
await handler.getHandlers(hocuspocus).gitSyncWriteBody('page.x', {
prosemirrorJson: pmDoc('alpha', 'beta2'),
baseProsemirrorJson: pmDoc('alpha', 'beta'),
userId: 'svc-user',
});
// Human's block-0 edit AND git's block-1 change both survive on the editor.
expect(texts(editor.getXmlFragment('default'))).toEqual([
'alpha EDIT',
'beta2',
]);
});
it('FLUSHES the pending debounced store BEFORE merging so an in-flight edit survives (finding #2)', async () => {
// QA #119 finding #2: the 3-way merge must run against the latest live-doc
// state. A concurrent UI edit that is still in-flight (the store is debounced)
// must be drained into the live doc BEFORE git merges, or git clean-applies and
// the edit is silently dropped — even on a DIFFERENT block. Model the drain via
// the pending-store flush: when it runs, the in-flight block-0 edit lands.
const shared = new Y.Doc();
const frag = shared.getXmlFragment('default');
shared.transact(() => {
frag.insert(
0,
[
{ text: 'alpha', id: 'p1' },
{ text: 'beta', id: 'p2' },
].map((s) => {
const el = new Y.XmlElement('paragraph');
el.setAttribute('id', s.id);
const t = new Y.XmlText();
t.insert(0, s.text);
el.insert(0, [t]);
return el;
}),
);
});
const order: string[] = [];
const debouncer = {
isDebounced: jest.fn(() => true),
executeNow: jest.fn(async () => {
order.push('flush');
// The in-flight client edit to block 0 only lands once the pending store
// is flushed (i.e. the event loop is drained) — BEFORE the merge.
shared.transact(() =>
((frag.get(0) as Y.XmlElement).get(0) as Y.XmlText).insert(5, ' EDIT'),
);
}),
};
const openDirectConnection = jest.fn(async () => ({
transact: async (fn: (doc: Y.Doc) => void) => {
order.push('merge');
fn(shared);
},
disconnect: jest.fn(async () => undefined),
}));
const hocuspocus = { openDirectConnection, debouncer } as any;
const handler = new CollaborationHandler();
await handler.getHandlers(hocuspocus).gitSyncWriteBody('page.x', {
prosemirrorJson: pmDoc('alpha', 'beta2'), // git changes block 1
baseProsemirrorJson: pmDoc('alpha', 'beta'),
userId: 'svc-user',
});
// The flush ran, and it ran BEFORE the merge transaction.
expect(debouncer.executeNow).toHaveBeenCalledTimes(1);
expect(order).toEqual(['flush', 'merge']);
// Both the in-flight block-0 edit and git's block-1 change survive — the
// pre-flush bug would have produced ['alpha', 'beta2'] (UI edit dropped).
expect(texts(shared.getXmlFragment('default'))).toEqual([
'alpha EDIT',
'beta2',
]);
});
it('does not flush when no store is pending (isDebounced false)', async () => {
const { hocuspocus, shared } = fakeHocuspocus([{ text: 'a', id: 'p1' }]);
const executeNow = jest.fn();
(hocuspocus as any).debouncer = {
isDebounced: jest.fn(() => false),
executeNow,
};
const handler = new CollaborationHandler();
await handler.getHandlers(hocuspocus).gitSyncWriteBody('page.x', {
prosemirrorJson: pmDoc('a', 'b'),
userId: 'svc-user',
});
expect(executeNow).not.toHaveBeenCalled();
expect(texts(shared.getXmlFragment('default'))).toEqual(['a', 'b']);
});
it('crash-safe: a transform failure never opens the connection or mutates the live doc', async () => {
const { hocuspocus, shared } = fakeHocuspocus([{ text: 'alpha', id: 'p1' }]);
const before = texts(shared.getXmlFragment('default'));
const handler = new CollaborationHandler();
await expect(
handler.getHandlers(hocuspocus).gitSyncWriteBody('page.x', {
prosemirrorJson: { __throw: true } as any,
userId: 'svc-user',
}),
).rejects.toThrow('boom');
// The incoming doc is built BEFORE opening the connection, so the throw
// happens first: the live doc is untouched and no connection was opened.
expect(hocuspocus.openDirectConnection).not.toHaveBeenCalled();
expect(texts(shared.getXmlFragment('default'))).toEqual(before);
});
it('falls back to a 2-way merge when no base is supplied', async () => {
const { hocuspocus, shared, editor } = fakeHocuspocus([
{ text: 'alpha', id: 'p1' },
]);
const handler = new CollaborationHandler();
await handler.getHandlers(hocuspocus).gitSyncWriteBody('page.x', {
prosemirrorJson: pmDoc('alpha', 'gamma'),
userId: 'svc-user',
});
expect(texts(shared.getXmlFragment('default'))).toEqual(['alpha', 'gamma']);
expect(texts(editor.getXmlFragment('default'))).toEqual(['alpha', 'gamma']);
});
});
@@ -8,6 +8,10 @@ import {
import { setYjsMark, updateYjsMarkAttribute, YjsSelection } from './yjs.util';
import * as Y from 'yjs';
import { User } from '@docmost/db/types/entity.types';
import {
mergeXmlFragments,
mergeXmlFragments3WayWithStats,
} from './merge/yjs-body-merge';
export type CollabEventHandlers = ReturnType<
CollaborationHandler['getHandlers']
@@ -112,9 +116,130 @@ export class CollaborationHandler {
},
);
},
/**
* Git-sync body write, applied as a block-level MERGE into the LIVE doc on
* the instance that OWNS it (routed here via the custom-event channel
* see CollaborationGateway.writePageBody). Running on the owning instance
* is what makes a connected editor CONVERGE: the merge mutates the shared
* Document, whose update is broadcast to every connection, so the editor's
* CRDT applies the git change instead of silently reverting it on its next
* autosave (the data-loss bug this fixes).
*
* With a `baseProsemirrorJson` (the last-synced common ancestor) it does a
* THREE-WAY merge a block only the human changed is kept, a block only
* git changed is taken (conflicts -> git). Without a base it falls back to
* the 2-way merge.
*/
gitSyncWriteBody: async (
documentName: string,
payload: {
prosemirrorJson: any;
baseProsemirrorJson?: any;
userId: string;
},
) => {
const { prosemirrorJson, baseProsemirrorJson, userId } = payload;
// Build the incoming (and base) Yjs docs BEFORE opening the connection /
// touching the live doc. If a transform throws (a malformed/unsupported
// doc) we must NOT have mutated the live body — otherwise a conversion
// failure could leave the page empty (crash-safe conversion).
const targetDoc = TiptapTransformer.toYdoc(
prosemirrorJson,
'default',
tiptapExtensions,
);
const baseDoc =
baseProsemirrorJson != null
? TiptapTransformer.toYdoc(
baseProsemirrorJson,
'default',
tiptapExtensions,
)
: null;
// CONCURRENT-EDIT FLUSH (QA #119, finding #2). The 3-way merge below runs
// against the LIVE Y.Doc, so a concurrent UI edit is only preserved if it
// is already part of that doc. A user's edit is debounced before it lands
// (the editor batches; the collab store is debounced up to 10s), so the
// merge could otherwise run against a PRE-EDIT doc: git would then
// clean-apply (no same-block conflict detected) and the in-flight UI edit
// — even on a DIFFERENT block — would be silently dropped.
//
// Flushing the pending debounced store here (a) drains the event loop so a
// just-arrived client Yjs update is applied to the live doc BEFORE we
// merge, and (b) persists the live doc so the merge baseline is current
// even on the doc-reload-from-DB path. After the flush the merge sees the
// latest state, so an edit on a different block is MERGED (not overwritten)
// and a genuine same-block edit is detected as a conflict -> the
// boundary-snapshot in PersistenceExtension pins it to page history
// (recoverable) instead of vanishing silently.
await this.flushPendingStore(hocuspocus, documentName);
// actor:'git-sync' + the service user flow into PersistenceExtension
// (lastUpdatedSource='git-sync', lastUpdatedById=userId).
await this.withYdocConnection(
hocuspocus,
documentName,
{ actor: 'git-sync', user: { id: userId } },
(doc) => {
const liveFrag = doc.getXmlFragment('default');
const targetFrag = targetDoc.getXmlFragment('default');
if (baseDoc) {
const { conflicts } = mergeXmlFragments3WayWithStats(
liveFrag,
targetFrag,
baseDoc.getXmlFragment('default'),
);
// SAME-BLOCK conflict contract (SPEC §9): a block both the human
// and git changed resolves to GIT (deterministic). Make that
// OBSERVABLE rather than silent — log it. The losing human content
// is NOT destroyed: the persistence extension's boundary snapshot
// pins the pre-merge page state to history on this user->git-sync
// transition, so it stays recoverable.
if (conflicts > 0) {
this.logger.warn(
`git-sync merge for ${documentName}: ${conflicts} same-block ` +
`conflict(s) resolved to the git version; the prior page ` +
`state is preserved in page history (recoverable).`,
);
}
} else {
mergeXmlFragments(liveFrag, targetFrag);
}
},
);
},
};
}
/**
* Flush any pending DEBOUNCED store for `documentName` so the live Y.Doc and the
* DB are current BEFORE a git-sync merge reads them (QA #119, finding #2
* concurrent UI edit silently lost). Mirrors the PersistenceExtension.onDisconnect
* flush: only acts when a store is actually pending (`isDebounced`), runs the
* SAME scheduled payload (`executeNow`, preserving the edit's context/actor), and
* never throws a flush failure must not abort the git-sync write. Awaiting it
* also drains the event loop, so a client Yjs update sitting in the socket buffer
* is applied to the live doc before the merge transaction runs.
*/
private async flushPendingStore(
hocuspocus: Hocuspocus,
documentName: string,
): Promise<void> {
const debounceId = `onStoreDocument-${documentName}`;
try {
const debouncer = (hocuspocus as any)?.debouncer;
if (!debouncer?.isDebounced?.(debounceId)) return;
await debouncer.executeNow(debounceId);
} catch (err) {
this.logger.warn(
`git-sync pre-merge flush failed for ${documentName}: ` +
(err instanceof Error ? err.message : String(err)),
);
}
}
async withYdocConnection(
hocuspocus: Hocuspocus,
documentName: string,
@@ -0,0 +1,89 @@
import { PersistenceExtension } from './persistence.extension';
/**
* Regression for the QA #119 "loss-on-fast-close" data loss: editing a page then
* closing the tab within the collab debounce window (~3-18s) lost the edit
* because, with `unloadImmediately: false`, Hocuspocus does NOT flush the
* debounced onStoreDocument on a last-client disconnect. PersistenceExtension
* now flushes the pending store on the LAST disconnect (and only then).
*/
describe('PersistenceExtension.onDisconnect flush (loss-on-fast-close)', () => {
function makeExt(): PersistenceExtension {
// onDisconnect touches none of the injected deps; pass casts.
return new PersistenceExtension(
null as any,
null as any,
null as any,
null as any,
null as any,
null as any,
null as any,
null as any,
);
}
function makeData(opts: {
clientsCount: number;
isDebounced: boolean;
isLoading?: boolean;
}) {
const executeNow = jest.fn(async () => undefined);
const isDebounced = jest.fn(() => opts.isDebounced);
return {
executeNow,
isDebounced,
payload: {
clientsCount: opts.clientsCount,
context: {},
document: { isLoading: opts.isLoading ?? false } as any,
documentName: 'page.abc',
instance: { debouncer: { isDebounced, executeNow } } as any,
requestHeaders: {},
requestParameters: new URLSearchParams(),
socketId: 's',
} as any,
};
}
it('flushes the pending store when the LAST client disconnects', async () => {
const ext = makeExt();
const { executeNow, payload } = makeData({
clientsCount: 0,
isDebounced: true,
});
await ext.onDisconnect(payload);
expect(executeNow).toHaveBeenCalledTimes(1);
expect(executeNow).toHaveBeenCalledWith('onStoreDocument-page.abc');
});
it('does NOT flush while other editors remain connected', async () => {
const ext = makeExt();
const { executeNow, payload } = makeData({
clientsCount: 2,
isDebounced: true,
});
await ext.onDisconnect(payload);
expect(executeNow).not.toHaveBeenCalled();
});
it('does NOT write when nothing is pending (already persisted)', async () => {
const ext = makeExt();
const { executeNow, payload } = makeData({
clientsCount: 0,
isDebounced: false,
});
await ext.onDisconnect(payload);
expect(executeNow).not.toHaveBeenCalled();
});
it('does NOT flush a doc that is still loading (load error guard)', async () => {
const ext = makeExt();
const { executeNow, payload } = makeData({
clientsCount: 0,
isDebounced: true,
isLoading: true,
});
await ext.onDisconnect(payload);
expect(executeNow).not.toHaveBeenCalled();
});
});
@@ -0,0 +1,223 @@
// Stub collaboration.util so importing the extension does not drag in the
// editor-ext -> @tiptap/react -> react-dom graph (unloadable under jest's node
// env, same coupling the gitmost-datasource / mcp specs document). The
// extension only calls getPageId, jsonToText and isEmptyParagraphDoc from it on
// the store path; tiptapExtensions is unused by onStoreDocument.
jest.mock('../collaboration.util', () => ({
tiptapExtensions: [],
getPageId: (name: string) => name.replace(/^page\./, ''),
jsonToText: () => 'text',
isEmptyParagraphDoc: () => false,
// The post-write mention extraction walks the doc via jsonToNode().descendants;
// return a node-like stub with no descendants so no mentions are produced
// (mention handling is out of scope here — we only assert provenance).
jsonToNode: () => ({ descendants: () => undefined }),
}));
// Control the Yjs<->JSON bridge: fromYdoc returns the "incoming" doc the writer
// is storing. We keep it distinct from the page's persisted content so the
// no-op guard (isDeepStrictEqual) never short-circuits the write.
const INCOMING_JSON = { type: 'doc', content: [{ type: 'paragraph' }, { t: 1 }] };
jest.mock('@hocuspocus/transformer', () => ({
TiptapTransformer: {
fromYdoc: jest.fn(() => INCOMING_JSON),
toYdoc: jest.fn(),
},
}));
// Run the executeTx callback inline with a passthrough trx.
jest.mock('@docmost/db/utils', () => ({
executeTx: jest.fn(async (_db: any, cb: any) => cb({} as any)),
}));
import * as Y from 'yjs';
import { PersistenceExtension } from './persistence.extension';
import {
onChangePayload,
onStoreDocumentPayload,
} from '@hocuspocus/server';
/**
* Provenance-precedence coverage for PersistenceExtension.onStoreDocument
* (test-strategy Module 4 / item #2): the contract `agent > git-sync > user`,
* plus the negative that a git-sync store does NOT pin a boundary history
* snapshot. We drive the precedence through the real public method (onChange to
* arm the sticky agent marker, then onStoreDocument), mocking the repos / db /
* Yjs bridge so no real database or collab server is needed. The store's
* persisted `lastUpdatedSource` and the saveHistory call are the observable
* outputs.
*/
describe('PersistenceExtension.onStoreDocument — provenance precedence (#2)', () => {
const DOCUMENT_NAME = 'page.page-1';
const PAGE_ID = 'page-1';
// `page.content` differs from INCOMING_JSON so the write is never skipped.
const persistedPage = (overrides?: { lastUpdatedSource?: string }) => ({
id: PAGE_ID,
slugId: 'slug-1',
spaceId: 'space-1',
workspaceId: 'ws-1',
creatorId: 'creator-1',
contributorIds: ['creator-1'],
content: { type: 'doc', content: [{ type: 'paragraph', content: [] }] },
lastUpdatedSource: overrides?.lastUpdatedSource ?? 'user',
createdAt: new Date(),
});
const build = (pageOverrides?: { lastUpdatedSource?: string }) => {
const pageRepo = {
findById: jest.fn().mockResolvedValue(persistedPage(pageOverrides)),
updatePage: jest.fn().mockResolvedValue({ numUpdatedRows: 1n }),
};
const pageHistoryRepo = {
// No prior snapshot -> humanBaselineMissing is true, so the ONLY thing
// gating the boundary snapshot in these tests is the source precedence.
findPageLastHistory: jest.fn().mockResolvedValue(null),
saveHistory: jest.fn().mockResolvedValue(undefined),
};
const aiQueue = { add: jest.fn().mockResolvedValue(undefined) };
const historyQueue = { add: jest.fn().mockResolvedValue(undefined) };
const notificationQueue = { add: jest.fn().mockResolvedValue(undefined) };
const collabHistory = {
addContributors: jest.fn().mockResolvedValue(undefined),
};
const transclusionService = {
syncPageTransclusions: jest.fn().mockResolvedValue(undefined),
syncPageReferences: jest.fn().mockResolvedValue(undefined),
syncPageTemplateReferences: jest.fn().mockResolvedValue(undefined),
};
const ext = new PersistenceExtension(
pageRepo as any,
pageHistoryRepo as any,
{} as any, // db
aiQueue as any,
historyQueue as any,
notificationQueue as any,
collabHistory as any,
transclusionService as any,
);
return { ext, pageRepo, pageHistoryRepo, historyQueue };
};
// A real Y.Doc is required for Y.encodeStateAsUpdate(document); broadcastStateless
// is a no-op spy. The fromYdoc bridge is mocked, so the doc's contents are
// irrelevant to the JSON path.
const makeStorePayload = (context: any): onStoreDocumentPayload =>
({
documentName: DOCUMENT_NAME,
document: Object.assign(new Y.Doc(), {
broadcastStateless: jest.fn(),
}),
context,
}) as any;
const makeChangePayload = (actor: string): onChangePayload =>
({
documentName: DOCUMENT_NAME,
context: { user: { id: 'user-1' }, actor },
}) as any;
const sourceOf = (pageRepo: { updatePage: jest.Mock }) =>
pageRepo.updatePage.mock.calls[0][0].lastUpdatedSource;
it("tags 'user' for a plain write (no agent touch, no git-sync actor)", async () => {
const { ext, pageRepo } = build();
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'user-1' }, actor: 'user' }),
);
expect(sourceOf(pageRepo)).toBe('user');
});
it("tags 'git-sync' when the writer's actor is 'git-sync' and no agent touched the window", async () => {
const { ext, pageRepo } = build();
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'svc-user' }, actor: 'git-sync' }),
);
expect(sourceOf(pageRepo)).toBe('git-sync');
});
it("keeps 'git-sync' for an explicit git-sync store even with a sticky agent marker (#14 loop-guard)", async () => {
const { ext, pageRepo } = build();
// An agent edit landed earlier in the coalescing window (sticky marker),
// then a git-sync writer performs the store. Red-team finding #14: an
// EXPLICIT current-write actor is authoritative for THIS write, so the
// store must stay 'git-sync' — otherwise the PageChangeListener loop-guard
// (keyed on lastUpdatedSource === 'git-sync') fails to recognize git-sync's
// own write and re-exports it. Explicit 'agent' still wins (see below); the
// sticky marker only promotes a plain human writer to 'agent'.
await ext.onChange(makeChangePayload('agent'));
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'svc-user' }, actor: 'git-sync' }),
);
expect(sourceOf(pageRepo)).toBe('git-sync');
});
it("tags 'agent' when the storing writer itself is the agent (no prior onChange)", async () => {
const { ext, pageRepo } = build();
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'agent-user' }, actor: 'agent' }),
);
expect(sourceOf(pageRepo)).toBe('agent');
});
// --- boundary snapshot for a git-sync store over a HUMAN baseline -----------
// SPEC §9 observable-loss guard (bug #2): a git-sync body write is a block-level
// 3-way merge whose same-block rule is "git wins". To keep a concurrent human
// edit RECOVERABLE rather than silently overwritten, a git-sync store over a
// prior NON-git-sync baseline pins that prior state to page history first —
// exactly like the agent path. So saveHistory MUST be called here.
it('DOES pin a boundary snapshot for a git-sync store over a prior human state', async () => {
const { ext, pageHistoryRepo } = build({ lastUpdatedSource: 'user' });
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'svc-user' }, actor: 'git-sync' }),
);
expect(pageHistoryRepo.saveHistory).toHaveBeenCalledTimes(1);
});
// --- negative: a git-sync store over a git-sync baseline does NOT re-pin -----
// The boundary is pinned once on the transition INTO git-sync; a subsequent
// git-sync store over an already-git-sync baseline must not churn history.
it('does NOT re-pin a boundary snapshot for a git-sync store over a git-sync baseline', async () => {
const { ext, pageHistoryRepo } = build({ lastUpdatedSource: 'git-sync' });
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'svc-user' }, actor: 'git-sync' }),
);
expect(pageHistoryRepo.saveHistory).not.toHaveBeenCalled();
});
it('DOES pin a boundary snapshot for an agent store over a prior human state (control)', async () => {
// Confirms the negative above is meaningful: under the SAME mocks, an agent
// store over a 'user' baseline DOES trigger the boundary snapshot.
const { ext, pageHistoryRepo } = build({ lastUpdatedSource: 'user' });
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'agent-user' }, actor: 'agent' }),
);
expect(pageHistoryRepo.saveHistory).toHaveBeenCalledTimes(1);
});
it('does NOT pin a boundary snapshot for a plain user store', async () => {
const { ext, pageHistoryRepo } = build({ lastUpdatedSource: 'user' });
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'user-1' }, actor: 'user' }),
);
expect(pageHistoryRepo.saveHistory).not.toHaveBeenCalled();
});
});
@@ -2,6 +2,7 @@ import {
afterUnloadDocumentPayload,
Extension,
onChangePayload,
onDisconnectPayload,
onLoadDocumentPayload,
onStatelessPayload,
onStoreDocumentPayload,
@@ -82,7 +83,17 @@ export function resolveSource(
stickyTouched: boolean,
contextActor?: string,
): ProvenanceSource {
return stickyTouched || contextActor === 'agent' ? 'agent' : 'user';
// An EXPLICIT current-write actor is authoritative for THIS write and wins
// over the sticky-agent fallback. Order: explicit 'agent' > explicit
// 'git-sync' > sticky agent marker > plain human 'user'. The git-sync case
// must NOT be masked by the sticky marker, or the PageChangeListener
// loop-guard (which keys on lastUpdatedSource === 'git-sync') would re-export
// git-sync's own writes (#14). Explicit agent still wins so a window that
// mixed an agent edit stays tagged 'agent'.
if (contextActor === 'agent') return 'agent';
if (contextActor === 'git-sync') return 'git-sync';
if (stickyTouched) return 'agent';
return 'user';
}
/**
@@ -191,6 +202,40 @@ export class PersistenceExtension implements Extension {
return new Y.Doc();
}
/**
* LOSS-ON-FAST-CLOSE FIX (QA #119). When the LAST editor disconnects, FLUSH any
* pending (debounced) store to the DB IMMEDIATELY instead of waiting out the
* up-to-10s `debounce` window.
*
* The collab server runs with `unloadImmediately: false` (collaboration.gateway),
* so on a last-client disconnect Hocuspocus does NOT flush the debounced
* onStoreDocument it relies on the timer firing later. A quick edit-then-close
* (closing the tab within the debounce window, ~3-18s) therefore left the edit
* only in the soon-to-be-unloaded in-memory Y.Doc; meanwhile git-sync mirrored
* the STALE/empty DB body to the vault (the reported "59-byte frontmatter-only"
* data loss). Running the already-scheduled store now closes that window.
*
* Gated tightly so it never adds a redundant write: only on the LAST disconnect
* (`clientsCount === 0`), only for a fully-loaded doc, and only when a store is
* actually pending (`isDebounced`). `executeNow` runs the SAME payload Hocuspocus
* scheduled (preserving the edit's context/actor) and clears the timer.
*/
async onDisconnect(data: onDisconnectPayload) {
const { instance, document, documentName, clientsCount } = data;
if (clientsCount > 0) return;
if (!document || document.isLoading) return;
const debounceId = `onStoreDocument-${documentName}`;
if (!instance?.debouncer?.isDebounced(debounceId)) return;
try {
await instance.debouncer.executeNow(debounceId);
} catch (err) {
this.logger.error(
`onDisconnect flush failed for ${documentName}: ` +
(err instanceof Error ? err.message : String(err)),
);
}
}
async onStoreDocument(data: onStoreDocumentPayload) {
const { documentName, document, context } = data;
@@ -213,6 +258,11 @@ export class PersistenceExtension implements Extension {
// Sticky agent marker: 'agent' if any agent edit landed in this window, OR
// if the current writer is the agent (covers a store with no prior onChange
// agent event in the same window). §15 H2.
// Provenance precedence: agent > git-sync > user (see resolveSource). A
// 'git-sync' store is NOT given an immediate history snapshot — it is
// debounced like a human edit (a git-sync write is a block-level merge into
// the live doc, so it reads like an incremental human edit, not a bulk
// import that would warrant its own immediate snapshot).
const lastUpdatedSource = resolveSource(
this.consumeAgentTouched(documentName),
context?.actor,
@@ -279,17 +329,25 @@ export class PersistenceExtension implements Extension {
// flag via that same hoisted consume (a "cleared then retyped"
// sequence can't leave a usable one behind).
const incomingEmpty = isEmptyParagraphDoc(tiptapJson as any);
// A git-sync write is authoritative and its content IS the vault file:
// an empty incoming doc there means the user DELIBERATELY cleared the
// page's markdown in git (there is no "transient glitch empty" for a
// file-sourced write). Honor it, otherwise the empty-guard rejects the
// clear, the vault ref has already advanced past the empty commit, and
// vault<->Docmost diverge permanently (review warning). This mirrors the
// #251 intentional-clear allowance for a different authoritative source.
const gitSyncClear = lastUpdatedSource === 'git-sync';
if (
incomingEmpty &&
page.content &&
!isEmptyParagraphDoc(page.content as any)
) {
if (allowIntentionalClear) {
if (allowIntentionalClear || gitSyncClear) {
this.logger.debug(
`Intentional clear for ${pageId}: persisting empty doc over ` +
`non-empty content (user-signalled)`,
`non-empty content (${gitSyncClear ? 'git-sync' : 'user-signalled'})`,
);
// fall through — the empty write is allowed exactly once.
// fall through — the empty write is allowed.
} else {
this.logger.warn(
`Skipping store for ${pageId}: empty live doc would overwrite ` +
@@ -314,21 +372,30 @@ export class PersistenceExtension implements Extension {
//this.logger.debug('Contributors error:' + err?.['message']);
}
// Approach A — boundary snapshot before the agent's first edit.
// When this store is the agent's and the page's currently persisted
// state was authored by a human, pin that human state as its own
// history version BEFORE the agent overwrites it. `page` still holds
// the OLD content/provenance here, so saveHistory(page) captures the
// pre-agent state tagged 'user'. The agent's new content is
// snapshotted later by the debounced PAGE_HISTORY job ('agent'). Skip
// if the prior state is already agent-authored (boundary already
// pinned on the user->agent transition), if the page is effectively
// empty, or if the latest existing snapshot already equals this human
// state (avoid duplicates).
if (
lastUpdatedSource === 'agent' &&
page.lastUpdatedSource !== 'agent'
) {
// Approach A — boundary snapshot before a MACHINE write overwrites a
// human (or other-source) baseline. When this store is from a machine
// source — the AGENT or GIT-SYNC — and the page's currently persisted
// state was authored by a DIFFERENT source, pin that prior state as its
// own history version BEFORE the machine write overwrites it. `page`
// still holds the OLD content/provenance here, so saveHistory(page)
// captures the pre-write state. The machine's new content is snapshotted
// later by the debounced PAGE_HISTORY job.
//
// For GIT-SYNC this is the OBSERVABLE-LOSS guard (SPEC §9 conflict
// contract): a git-sync body write is a block-level 3-way merge whose
// same-block rule is "git wins". Without this pin, a concurrent human
// edit to a block git also changed would be overwritten with NO trace.
// Pinning the pre-merge state here means the human's content is always
// RECOVERABLE via page history rather than silently lost — git still
// wins the live doc deterministically, but nothing is destroyed.
//
// Skip if the prior state was already authored by THIS machine source
// (boundary already pinned on the transition into it), if the page is
// effectively empty, or if the latest existing snapshot already equals
// the prior state (avoid duplicates).
const isMachineWrite =
lastUpdatedSource === 'agent' || lastUpdatedSource === 'git-sync';
if (isMachineWrite && page.lastUpdatedSource !== lastUpdatedSource) {
// pageHistory.pageId is uuid-typed; use page.id (never the doc-name
// slugId) so a `page.<slugId>` doc cannot throw 22P02 here (#260).
const lastHistory = await this.pageHistoryRepo.findPageLastHistory(
@@ -0,0 +1,208 @@
// Regression coverage for the custom-event request/reply protocol in the
// RedisSyncExtension. git-sync routes its body write through a custom event
// (`gitSyncWriteBody`) which, when the target doc is owned by a DIFFERENT collab
// instance, runs REMOTELY inside `handleRedisMessage` on the owning instance. The
// remote handler can THROW (markdown->ProseMirror transform on a malformed body).
//
// Before the fix the throw was uncaught: (1) no `customEventComplete` reply was
// published, so the origin's awaiting promise only rejected after `customEventTTL`
// (~30s) as a generic 'TIMEOUT', and (2) an unhandledRejection escaped the async
// `messageBuffer` listener on the owning instance. These tests assert the throw is
// turned into an error-carrying reply that rejects the origin PROMPTLY with the
// real message, with the no-throw and local paths unchanged.
import { RedisSyncExtension } from './redis-sync.extension';
type Listener = (channel: Buffer, message: Buffer) => unknown;
// Minimal in-memory pub/sub + lock store shared across FakeRedis duplicates,
// modelling the two-instance topology (origin + owner) over one Redis.
class FakeRedisBus {
instances: FakeRedis[] = [];
locks = new Map<string, string>();
published: { channel: string; message: Buffer }[] = [];
register(inst: FakeRedis) {
this.instances.push(inst);
}
publish(channel: string, message: Buffer) {
this.published.push({ channel, message });
for (const inst of this.instances) {
if (!inst.subscribed.has(channel)) continue;
for (const listener of inst.messageListeners) {
// ioredis delivers async; `void` mirrors the production listener
// registration (`sub.on('messageBuffer', ...)`), whose rejection would
// surface as an unhandledRejection if the handler did not catch.
void listener(Buffer.from(channel), message);
}
}
}
}
class FakeRedis {
subscribed = new Set<string>();
messageListeners: Listener[] = [];
constructor(private bus: FakeRedisBus) {
bus.register(this);
}
duplicate() {
return new FakeRedis(this.bus);
}
subscribe(...channels: string[]) {
for (const c of channels) this.subscribed.add(c);
return Promise.resolve();
}
on(event: string, cb: any) {
if (event === 'messageBuffer') this.messageListeners.push(cb as Listener);
return this;
}
publish(channel: string, message: Buffer) {
this.bus.publish(channel, message);
return Promise.resolve(1);
}
// Models `SET key val PX ttl NX GET`: only writes when absent (NX); returns the
// previous value (GET) so the origin observes the owner already holding the lock.
set(key: string, val: string, ...args: any[]) {
const hasNX = args.includes('NX');
const hasGET = args.includes('GET');
const old = this.bus.locks.get(key) ?? null;
if (!hasNX || old === null) this.bus.locks.set(key, val);
return Promise.resolve(hasGET ? old : 'OK');
}
del(key: string) {
this.bus.locks.delete(key);
return Promise.resolve(1);
}
disconnect() {}
}
const pack = (m: any) => Buffer.from(JSON.stringify(m));
const unpack = (b: Buffer) => JSON.parse(b.toString());
function makeExtension(
bus: FakeRedisBus,
serverId: string,
customEvents: Record<string, (doc: string, payload: any) => Promise<any>>,
) {
const ext = new RedisSyncExtension({
redis: new FakeRedis(bus) as any,
pack: pack as any,
unpack: unpack as any,
serverId,
customEvents: customEvents as any,
customEventTTL: 30_000,
});
// Doc is NOT loaded on this instance -> handleEvent takes the remote/proxy path.
(ext as any).instance = { documents: new Map() };
return ext;
}
describe('RedisSyncExtension custom-event error propagation', () => {
let unhandled: unknown[];
let onUnhandled: (e: unknown) => void;
beforeEach(() => {
// Fake timers so the 30s TTL fallback timer never fires (and never dangles).
jest.useFakeTimers();
unhandled = [];
onUnhandled = (e) => unhandled.push(e);
process.on('unhandledRejection', onUnhandled);
});
afterEach(() => {
process.off('unhandledRejection', onUnhandled);
jest.useRealTimers();
});
const flush = async () => {
for (let i = 0; i < 10; i++) await Promise.resolve();
};
it('owner publishes an error-carrying reply (no unhandledRejection) when the remote handler throws', async () => {
const bus = new FakeRedisBus();
const owner = makeExtension(bus, 'owner', {
boom: async () => {
throw new Error('kaboom');
},
});
// Drive the remote branch directly, as if the origin's customEventStart arrived.
await (owner as any).handleRedisMessage(
Buffer.from('collabMsg:owner'),
pack({
type: 'customEventStart',
documentName: 'page.x',
eventName: 'boom',
payload: {},
replyTo: 'collabMsg:origin',
replyId: 7,
}),
);
await flush();
const replies = bus.published
.filter((p) => p.channel === 'collabMsg:origin')
.map((p) => unpack(p.message));
expect(replies).toHaveLength(1);
expect(replies[0]).toMatchObject({
type: 'customEventComplete',
replyId: 7,
error: 'kaboom',
});
expect(unhandled).toHaveLength(0);
});
it('origin rejects PROMPTLY with the real error (not a TTL TIMEOUT) when the remote handler throws', async () => {
const bus = new FakeRedisBus();
// Owner already holds the document lock.
bus.locks.set('collabLock:page.x', 'owner');
makeExtension(bus, 'owner', {
boom: async () => {
throw new Error('kaboom');
},
});
const origin = makeExtension(bus, 'origin', {
boom: async () => undefined,
});
const promise = (origin as any).handleEvent('boom', 'page.x', { foo: 1 });
// Attach a catch immediately so a rejection is never momentarily unhandled.
const settled = promise.then(
() => ({ ok: true as const }),
(e: unknown) => ({ ok: false as const, error: e }),
);
await flush();
// Resolves WITHOUT advancing any timer -> the 30s TIMEOUT fallback did not fire.
const result = await settled;
expect(result.ok).toBe(false);
expect((result as any).error).toBeInstanceOf(Error);
expect(((result as any).error as Error).message).toBe('kaboom');
expect(unhandled).toHaveLength(0);
});
it('origin resolves with the payload when the remote handler succeeds (unchanged behavior)', async () => {
const bus = new FakeRedisBus();
bus.locks.set('collabLock:page.x', 'owner');
makeExtension(bus, 'owner', {
ok: async (_doc: string, payload: any) => ({ echoed: payload }),
});
const origin = makeExtension(bus, 'origin', {
ok: async () => undefined,
});
const promise = (origin as any).handleEvent('ok', 'page.x', { foo: 1 });
await flush();
await expect(promise).resolves.toEqual({ echoed: { foo: 1 } });
expect(unhandled).toHaveLength(0);
});
});
@@ -51,9 +51,15 @@ export class RedisSyncExtension<TCE extends CustomEvents> implements Extension {
private instance!: Hocuspocus;
private readonly customEvents: TCE;
private replyIdCounter: number = 0;
// @ts-ignore
private pendingReplies: Record<number, PromiseWithResolvers<any>['resolve']> =
{};
private pendingReplies: Record<
number,
{
// @ts-ignore
resolve: PromiseWithResolvers<any>['resolve'];
// @ts-ignore
reject: PromiseWithResolvers<any>['reject'];
}
> = {};
constructor(configuration: Configuration<TCE>) {
const {
@@ -176,25 +182,45 @@ export class RedisSyncExtension<TCE extends CustomEvents> implements Extension {
}
if (type === 'customEventStart') {
const { documentName, eventName, payload, replyTo, replyId } = msg;
const res = await this.handleEventLocally(
eventName as Extract<keyof TCE, string>,
documentName,
payload,
);
const reply: RSAMessageCustomEventComplete = {
type: 'customEventComplete',
replyId,
payload: res,
};
let reply: RSAMessageCustomEventComplete;
try {
const res = await this.handleEventLocally(
eventName as Extract<keyof TCE, string>,
documentName,
payload,
);
reply = {
type: 'customEventComplete',
replyId,
payload: res,
};
} catch (err) {
// The remote handler threw (e.g. the markdown->ProseMirror transform in
// gitSyncWriteBody can throw on a malformed body). Reply with the error on
// the SAME correlation channel so the origin rejects promptly with the real
// message instead of waiting out customEventTTL as a generic 'TIMEOUT'.
// Catching here also keeps the throw from escaping this async messageBuffer
// listener as an unhandledRejection on the owning instance.
reply = {
type: 'customEventComplete',
replyId,
payload: undefined,
error: err instanceof Error ? err.message : String(err),
};
}
this.pub.publish(`${replyTo}`, this.pack(reply));
return;
}
if (type === 'customEventComplete') {
const { replyId, payload } = msg;
const resolveFn = this.pendingReplies[replyId];
if (!resolveFn) return;
const { replyId, payload, error } = msg;
const pending = this.pendingReplies[replyId];
if (!pending) return;
delete this.pendingReplies[replyId];
resolveFn(payload);
if (error !== undefined) {
pending.reject(new Error(error));
} else {
pending.resolve(payload);
}
return;
}
const { socketId } = msg;
@@ -273,11 +299,22 @@ export class RedisSyncExtension<TCE extends CustomEvents> implements Extension {
};
const msg = this.pack(proxyMessage);
this.pub.publish(`${this.msgChannel}:${proxyTo}`, msg);
// @ts-ignore
const { promise, resolve, reject } = Promise.withResolvers();
this.pendingReplies[replyId] = resolve;
// Manual deferred (no Promise.withResolvers) so this runs on Node < 22 too.
let resolve!: (v: unknown) => void;
let reject!: (e: unknown) => void;
const promise = new Promise((res, rej) => {
resolve = res;
reject = rej;
});
this.pendingReplies[replyId] = { resolve, reject };
setTimeout(() => {
reject('TIMEOUT');
// Fallback for a genuinely lost reply. A handler that threw now rejects
// promptly via the error-carrying customEventComplete above; this TIMEOUT
// only fires when no reply ever comes back.
if (this.pendingReplies[replyId]) {
delete this.pendingReplies[replyId];
reject('TIMEOUT');
}
}, this.customEventTTL);
return promise as Promise<ReturnType<TCE[TName]>>;
}
@@ -72,6 +72,10 @@ export type RSAMessageCustomEventComplete = {
type: 'customEventComplete';
replyId: number;
payload: unknown;
// When the remote handler THREW, the owner sends back the error message here
// instead of a payload, so the origin can reject its awaiting promise promptly
// (with the real error) rather than waiting out the customEventTTL timeout.
error?: string;
};
export type RSAMessage =
@@ -0,0 +1,582 @@
/**
* JEST CONFIG NOTE (#119 ESM refactor): this is the one spec that needs the REAL
* `@docmost/git-sync` converter (not a mock). The package is now ESM, which jest
* cannot `require()` nor `import()` without --experimental-vm-modules, so the
* server jest config `moduleNameMapper`s `@docmost/git-sync` to its TS SOURCE and
* strips the ESM `.js` import suffixes. ts-jest then type-checks that source under
* the server's (looser) tsconfig and trips a benign narrowing; the global
* `isolatedModules: true` on the ts-jest transform (apps/server/package.json)
* makes it transpile-only so this spec loads. Full type-checking of the package
* is still enforced by its own `tsc`/vitest gates and the server `tsc --noEmit`.
*
* §13.1 IDEMPOTENCY GATE the blocking gate for git-sync Phase B.
*
* Proves the `@docmost/git-sync` pure converter is schema-compatible
* with the server's REAL editor-ext document schema: a representative corpus of
* editor-ext ProseMirror documents must survive a full round trip through the
* actual server write path without losing any node / mark / attribute.
*
* Pipeline per document (issue #194 §13.1):
* 1. md = convertProseMirrorToMarkdown(content) // git-sync export
* 2. doc = await markdownToProseMirror(md) // git-sync import
* 3. push `doc` through the REAL editor-ext Yjs write path the server uses:
* ydoc = TiptapTransformer.toYdoc(doc, 'default', tiptapExtensions)
* normalized = TiptapTransformer.fromYdoc(ydoc, 'default')
* This is exactly what PersistenceExtension does on store
* (apps/server/src/collaboration/extensions/persistence.extension.ts:96/115)
* with the same `tiptapExtensions` (collaboration.util.ts) and the same
* `@hocuspocus/transformer`, so the gate exercises the real schema
* validation that runs on a git-sync write (issue #194 §3.3).
* 4. assert docsCanonicallyEqual(canon(original), canon(normalized)) === true
*
* Any node / mark / attr that editor-ext drops (because the git-sync
* docmost-schema named it differently, or declares a different default) makes
* the gate FAIL for that document exactly the schema-divergence issue #194 §3.3 /
* §13.1 warn about. Genuine, irreducible divergences are isolated into the
* clearly-named `KNOWN DIVERGENCE` block at the bottom (never silently hidden).
*
* Requires the workspace packages built first:
* pnpm --filter @docmost/editor-ext build
* pnpm --filter @docmost/git-sync build
*/
import { TiptapTransformer } from '@hocuspocus/transformer';
// Import the server's real schema FIRST so `@docmost/editor-ext` resolves to its
// built CJS `dist` (its `main`). The ESM-only `@docmost/git-sync` package is
// mapped to its TS SOURCE by the jest `moduleNameMapper` (the built ESM cannot
// be `require()`d nor dynamically `import()`ed under jest's node VM), so ts-jest
// transpiles the real converter to CJS here — exercising the actual converter
// the server ships, not a stub.
import { tiptapExtensions } from './collaboration.util';
import {
convertProseMirrorToMarkdown,
markdownToProseMirror,
canonicalizeContent,
docsCanonicallyEqual,
} from '@docmost/git-sync';
/**
* Run a single editor-ext document through the full gate pipeline and return
* the canonical original vs the canonical doc as it lands after the real Yjs
* write path, plus the intermediate markdown for diagnostics.
*/
async function runGate(original: any): Promise<{
md: string;
imported: any;
normalized: any;
canonOriginal: any;
canonNormalized: any;
}> {
// 1) editor-ext JSON -> markdown (git-sync export).
const md = convertProseMirrorToMarkdown(original);
// 2) markdown -> ProseMirror JSON (git-sync import, docmost-schema).
const imported = await markdownToProseMirror(md);
// 3) push through the REAL editor-ext schema via the server's Yjs write path.
// toYdoc validates `imported` against tiptapExtensions (throws on an
// unknown node, drops unknown attrs); fromYdoc reads it back as the
// normalized editor-ext JSON the server would persist.
const ydoc = TiptapTransformer.toYdoc(imported, 'default', tiptapExtensions);
const normalized = TiptapTransformer.fromYdoc(ydoc, 'default');
return {
md,
imported,
normalized,
canonOriginal: canonicalizeContent(original),
canonNormalized: canonicalizeContent(normalized),
};
}
const doc = (...content: any[]) => ({ type: 'doc', content });
const text = (t: string, marks?: any[]) =>
marks ? { type: 'text', text: t, marks } : { type: 'text', text: t };
const para = (...content: any[]) => ({ type: 'paragraph', content });
// ---------------------------------------------------------------------------
// Corpus: editor-ext ProseMirror documents covering the common node/mark types.
// Node / mark / attr names and DEFAULTS are taken from the real schema —
// editor-ext (packages/editor-ext/src) + the server's tiptapExtensions
// (collaboration.util.ts) — NOT guessed. Where editor-ext materializes a
// non-null default on import (e.g. image.align="center", callout.type, list
// start) the fixture pre-authors that materialized value so the round trip is
// already at its fixpoint (matches how the engine normalizes-on-write, SPEC §11).
// ---------------------------------------------------------------------------
const CORPUS: Record<string, any> = {
'paragraphs + headings (h1-h3)': doc(
{ type: 'heading', attrs: { level: 1 }, content: [text('Heading one')] },
{ type: 'heading', attrs: { level: 2 }, content: [text('Heading two')] },
{ type: 'heading', attrs: { level: 3 }, content: [text('Heading three')] },
para(text('A plain paragraph of text.')),
para(text('Second paragraph.')),
),
// A non-default paragraph alignment now round-trips (item #7 fix): it exports
// as `<p style="text-align:center">` and the schema's paragraph parseHTML
// reads `style="text-align"` back onto `textAlign` on import, so the alignment
// survives the full editor-ext write path. Promoted from the old KNOWN
// DIVERGENCE block (which only heading alignment still occupies).
'aligned paragraph (textAlign center)': doc({
type: 'paragraph',
attrs: { textAlign: 'center' },
content: [text('centered')],
}),
'inline marks (bold/italic/strike/code)': doc(
para(
text('normal '),
text('bold', [{ type: 'bold' }]),
text(' '),
text('italic', [{ type: 'italic' }]),
text(' '),
text('struck', [{ type: 'strike' }]),
text(' '),
text('code', [{ type: 'code' }]),
),
),
'links': doc(
para(
text('see '),
text('the site', [
{ type: 'link', attrs: { href: 'https://example.com' } },
]),
text(' for more'),
),
),
'bullet list': doc({
type: 'bulletList',
content: [
{ type: 'listItem', content: [para(text('first'))] },
{ type: 'listItem', content: [para(text('second'))] },
{ type: 'listItem', content: [para(text('third'))] },
],
}),
'ordered list': doc({
type: 'orderedList',
attrs: { start: 1 },
content: [
{ type: 'listItem', content: [para(text('one'))] },
{ type: 'listItem', content: [para(text('two'))] },
],
}),
'task list (checkbox)': doc({
type: 'taskList',
content: [
{
type: 'taskItem',
attrs: { checked: true },
content: [para(text('done item'))],
},
{
type: 'taskItem',
attrs: { checked: false },
content: [para(text('todo item'))],
},
],
}),
'blockquote': doc({
type: 'blockquote',
content: [para(text('a quoted line')), para(text('second quoted line'))],
}),
'callout (info)': doc({
type: 'callout',
attrs: { type: 'info' },
content: [para(text('an informational callout'))],
}),
'callout (warning)': doc({
type: 'callout',
attrs: { type: 'warning' },
content: [para(text('a warning callout'))],
}),
'code block (with language)': doc({
type: 'codeBlock',
attrs: { language: 'typescript' },
// A fenced code block's body is stored with a trailing newline (the form a
// markdown ``` fence round-trips to: marked normalizes the code text to end
// in "\n"). Authoring the fixture at that fixpoint mirrors how the engine
// normalizes-on-write (SPEC §11): codeBlock + `language` round-trip exactly.
content: [text('const a: number = 1;\nconsole.log(a);\n')],
}),
'horizontal rule': doc(
para(text('before')),
{ type: 'horizontalRule' },
para(text('after')),
),
'table (header row + cells)': doc({
type: 'table',
content: [
{
type: 'tableRow',
content: [
{
type: 'tableHeader',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('Name'))],
},
{
type: 'tableHeader',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('Value'))],
},
],
},
{
type: 'tableRow',
content: [
{
type: 'tableCell',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('alpha'))],
},
{
type: 'tableCell',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('1'))],
},
],
},
],
}),
// #8 — a table with a MULTI-BLOCK cell (two paragraphs). A GFM pipe table
// cannot hold two blocks without flattening them; the converter emits a
// lossless HTML <table> instead, and the two blocks must survive the round trip.
'table (multi-block cell, #8)': doc({
type: 'table',
content: [
{
type: 'tableRow',
content: [
{
type: 'tableHeader',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('H'))],
},
],
},
{
type: 'tableRow',
content: [
{
type: 'tableCell',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('first')), para(text('second'))],
},
],
},
],
}),
// #7 — a table nested inside a column. Columns render as HTML containers, and a
// table inside one must stay an HTML <table> (a GFM pipe table cannot live
// inside an HTML block), round-tripping without being unwrapped or lost.
// `widthMode` is pre-authored at its materialized `normal` default (SPEC §11).
'table inside a column (#7)': doc({
type: 'columns',
attrs: { layout: 'two', widthMode: 'normal' },
content: [
{
type: 'column',
content: [
{
type: 'table',
content: [
{
type: 'tableRow',
content: [
{
type: 'tableHeader',
attrs: { colspan: 1, rowspan: 1, colwidth: null },
content: [para(text('C7'))],
},
],
},
],
},
],
},
{ type: 'column', content: [para(text('right'))] },
],
}),
// --- editor-ext nodes/marks beyond the original corpus (item #7) ----------
// Each of these was verified to round-trip CLEANLY through the real gate
// (export -> markdown -> import -> editor-ext Yjs write path). Fixtures are
// pre-authored at the engine's normalize-on-write fixpoint (SPEC §11), e.g.
// details carries the materialized `open:false`, and color marks use the
// `rgb(...)` form the HTML re-parser normalizes to.
'mention (user)': doc(
para(
text('hi '),
{
type: 'mention',
attrs: {
id: 'user-123',
label: 'Alice',
entityType: 'user',
entityId: 'user-123',
creatorId: 'creator-1',
},
},
text(' there'),
),
),
'inline math': doc(
para(
text('inline '),
{ type: 'mathInline', attrs: { text: 'x^2' } },
text(' math'),
),
),
'block math': doc({ type: 'mathBlock', attrs: { text: 'x^2 + y^2 = z^2' } }),
'details (collapsible)': doc({
type: 'details',
// `open:false` is the value editor-ext materializes on import; pre-authoring
// it puts the fixture at its round-trip fixpoint.
attrs: { open: false },
content: [
{ type: 'detailsSummary', content: [text('Summary line')] },
{ type: 'detailsContent', content: [para(text('hidden body'))] },
],
}),
'highlight (mark, no color)': doc(
para(
text('a '),
text('highlighted', [{ type: 'highlight' }]),
text(' word'),
),
),
'highlight (mark, with color)': doc(
para(
text('a '),
text('red', [{ type: 'highlight', attrs: { color: 'rgb(255, 0, 0)' } }]),
text(' word'),
),
),
'subscript': doc(
para(text('H'), text('2', [{ type: 'subscript' }]), text('O')),
),
'superscript': doc(
para(text('E=mc'), text('2', [{ type: 'superscript' }])),
),
'text color (textStyle)': doc(
// The HTML re-parser normalizes CSS colors to the `rgb(...)` form, so the
// fixture pre-authors that form; a `#hex` color would round-trip to the
// equivalent rgb() and is therefore a value-normalization divergence (see
// the KNOWN DIVERGENCE block below).
para(text('green', [{ type: 'textStyle', attrs: { color: 'rgb(0, 255, 0)' } }])),
),
'nested / mixed document': doc(
{ type: 'heading', attrs: { level: 1 }, content: [text('Mixed')] },
para(
text('intro with '),
text('bold', [{ type: 'bold' }]),
text(' and a '),
text('link', [{ type: 'link', attrs: { href: 'https://example.com' } }]),
text('.'),
),
{
type: 'bulletList',
content: [
{
type: 'listItem',
content: [
para(text('item with '), text('code', [{ type: 'code' }])),
],
},
{
type: 'listItem',
content: [
para(text('item with sublist')),
{
type: 'bulletList',
content: [
{ type: 'listItem', content: [para(text('nested a'))] },
{ type: 'listItem', content: [para(text('nested b'))] },
],
},
],
},
],
},
{
type: 'callout',
attrs: { type: 'success' },
content: [
para(text('callout body')),
{ type: 'codeBlock', attrs: { language: 'bash' }, content: [text('echo hi\n')] },
],
},
{
type: 'blockquote',
content: [para(text('quote at the end'))],
},
),
// Atom embeds that carry no inline text: they must round-trip via their
// schema-matching HTML (data-type div), NOT a literal that re-imports as plain
// text. `subpages` used to export as the literal "{{SUBPAGES}}" and came back
// as visible text on the page (red-team round-trip data loss) — this locks it.
// editor-ext materializes the `recursive: false` default on import, so the
// fixture pre-authors it to sit at the round-trip fixpoint (matches the other
// default-materializing fixtures above).
'subpages embed': doc({ type: 'subpages', attrs: { recursive: false } }),
};
describe('git-sync converter §13.1 idempotency gate (editor-ext schema)', () => {
for (const [name, original] of Object.entries(CORPUS)) {
it(`round-trips losslessly: ${name}`, async () => {
const { md, canonOriginal, canonNormalized } = await runGate(original);
const equal = docsCanonicallyEqual(original, canonNormalized);
if (!equal) {
// Surface a readable diff so a real divergence is actionable.
// eslint-disable-next-line no-console
console.error(
`\n[GATE FAIL] ${name}\n--- markdown ---\n${md}\n` +
`--- canonical original ---\n${JSON.stringify(canonOriginal, null, 2)}\n` +
`--- canonical round-tripped ---\n${JSON.stringify(canonNormalized, null, 2)}\n`,
);
}
expect(equal).toBe(true);
});
}
});
// ---------------------------------------------------------------------------
// KNOWN DIVERGENCE — images (isolated so it does NOT silently weaken the gate).
//
// This is NOT a schema-name divergence: the `image` NODE itself round-trips
// through editor-ext fine (it survives toYdoc under the real tiptapExtensions).
// The loss is intrinsic to MARKDOWN, the on-disk transport format git-sync uses:
//
// 1. `convertProseMirrorToMarkdown` emits a standard `![alt](src)` image
// (markdown-converter.ts case "image"). Standard markdown image syntax has
// no way to express `width` / `height` / `align`, so those attrs are
// DROPPED on export and cannot be recovered on import.
// 2. A block-level image is hoisted out of its line by the HTML re-parser,
// leaving a leading EMPTY paragraph (the same block-image-hoist limitation
// documented in packages/git-sync/test/fixtures/known-limitations).
//
// The gate documents the EXACT lossy shape below. If the converter is ever
// taught to preserve image dimensions (e.g. by emitting an HTML <img> with
// data-* attrs, as it already does for video/diagrams), these assertions flip
// and the image fixture should be promoted into the green CORPUS above.
// ---------------------------------------------------------------------------
describe('git-sync converter §13.1 image dimensions preserved (was KNOWN DIVERGENCE)', () => {
const imageDoc = doc({
type: 'image',
attrs: {
src: 'https://example.com/pic.png',
width: 640,
height: 480,
align: 'center',
},
});
it('preserves width/height/align by exporting an HTML <img> (PR #119 round-trip fix)', async () => {
const { md, canonNormalized } = await runGate(imageDoc);
// A top-level image carrying layout attrs is now exported as a schema-
// matching HTML <img> (the same path video/diagrams already use), so the
// dimensions and alignment survive the round trip instead of collapsing to
// bare `![](src)`.
expect(md.trim()).toBe(
'<img src="https://example.com/pic.png" width="640" height="480" align="center">',
);
// The round-tripped image keeps src + the layout attrs. width/height are
// re-imported as strings (matching the video/audio/pdf string convention),
// so assert the values rather than the JS type.
const imgAttrs = (canonNormalized as any).content[0].attrs;
expect((canonNormalized as any).content[0].type).toBe('image');
expect(imgAttrs.src).toBe('https://example.com/pic.png');
expect(imgAttrs.align).toBe('center');
expect(String(imgAttrs.width)).toBe('640');
expect(String(imgAttrs.height)).toBe('480');
});
});
// ---------------------------------------------------------------------------
// HEADING text alignment — now round-trips (item A1; formerly a KNOWN DIVERGENCE).
// Symmetric with the paragraph fix: a heading's non-default `textAlign` is
// exported as a styled `<hN style="text-align:…">` (was a bare ATX `## text`
// that dropped it) and re-parsed by the heading + textAlign parseHTML on import,
// so a non-default heading alignment SURVIVES a full round trip.
// ---------------------------------------------------------------------------
describe('git-sync converter §13.1 heading text alignment round-trips', () => {
it('preserves a heading textAlign across the markdown round trip', async () => {
const alignedHeading = doc({
type: 'heading',
attrs: { level: 2, textAlign: 'center' },
content: [text('centered heading')],
});
const { md, canonNormalized } = await runGate(alignedHeading);
// Export is a styled <h2> (was a lossy bare `## centered heading`).
expect(md.trim()).toBe(
'<h2 style="text-align:center">centered heading</h2>',
);
expect(docsCanonicallyEqual(alignedHeading, canonNormalized)).toBe(true);
});
});
// ---------------------------------------------------------------------------
// KNOWN DIVERGENCE — textStyle color is VALUE-NORMALIZED, not lost (item #7).
//
// The textStyle/color mark itself round-trips (the green CORPUS has the rgb()
// form). But a `#hex` color is normalized to the equivalent `rgb(...)` string
// by the HTML re-parser on import, and canonicalize.ts does NOT normalize color
// formats — so a `#hex` original is not STRING-identical to its round trip even
// though the color is semantically preserved. Locked here so the boundary is
// explicit: author color fixtures in rgb() form to stay in the green corpus.
// ---------------------------------------------------------------------------
describe('git-sync converter §13.1 KNOWN DIVERGENCE (textStyle color #hex -> rgb)', () => {
it('normalizes a #hex text color to rgb() (semantically preserved, string-divergent)', async () => {
const hexDoc = doc(
para(text('green', [{ type: 'textStyle', attrs: { color: '#00ff00' } }])),
);
const { canonNormalized } = await runGate(hexDoc);
// Color survives, but as the normalized rgb() string.
expect(canonNormalized).toEqual({
type: 'doc',
content: [
{
type: 'paragraph',
content: [
{
type: 'text',
text: 'green',
marks: [{ type: 'textStyle', attrs: { color: 'rgb(0, 255, 0)' } }],
},
],
},
],
});
// Not string-identical to the #hex original.
expect(docsCanonicallyEqual(hexDoc, canonNormalized)).toBe(false);
});
});
@@ -0,0 +1,26 @@
/**
* Backward-filled LCS length table for sequences `a` and `b`: `dp[i][j]` is the
* length of the longest common subsequence of the suffixes `a[i:]` and `b[j:]`.
* O(n*m) time/space fine for page block counts.
*
* Shared by the two-way block diff (`yjs-body-merge.diffBlocks`) and the
* three-way merge planner (`three-way-merge.lcsPairs`) so the (identical) table
* construction lives in ONE place; each caller does its own traceback over the
* returned table.
*/
export function buildLcsTable(a: string[], b: string[]): number[][] {
const n = a.length;
const m = b.length;
const dp: number[][] = Array.from({ length: n + 1 }, () =>
new Array(m + 1).fill(0),
);
for (let i = n - 1; i >= 0; i--) {
for (let j = m - 1; j >= 0; j--) {
dp[i][j] =
a[i] === b[j]
? dp[i + 1][j + 1] + 1
: Math.max(dp[i + 1][j], dp[i][j + 1]);
}
}
return dp;
}
@@ -0,0 +1,20 @@
import { diff3Plan, type Pick } from './three-way-merge';
// Materialize a plan into the merged key sequence for assertion.
function apply(plan: Pick[], live: string[], target: string[]): string[] {
return plan.map((p) => (p.src === 'live' ? live[p.index] : target[p.index]));
}
const merge = (o: string[], a: string[], b: string[]): string[] =>
apply(diff3Plan(o, a, b), a, b);
describe('diff3Plan red-team #9 (human edit + adjacent git insert)', () => {
it('keeps human block-2 edit AND applies git insert of 2.5', () => {
// base: 1 2 3
// live: 1 H 3 (human rewrote block 2)
// target: 1 2 2.5 3 (git inserted 2.5 after block 2)
expect(
merge(['1', '2', '3'], ['1', 'H', '3'], ['1', '2', '2.5', '3']),
).toEqual(['1', 'H', '2.5', '3']);
});
});
@@ -0,0 +1,159 @@
import {
diff3Plan,
diff3PlanWithConflicts,
type Pick,
} from './three-way-merge';
// Materialize a plan into the merged key sequence for assertion.
function apply(plan: Pick[], live: string[], target: string[]): string[] {
return plan.map((p) => (p.src === 'live' ? live[p.index] : target[p.index]));
}
const merge = (o: string[], a: string[], b: string[]): string[] =>
apply(diff3Plan(o, a, b), a, b);
describe('diff3Plan (block-level three-way merge)', () => {
it('identical on all three sides -> unchanged (all from live)', () => {
const plan = diff3Plan(['1', '2', '3'], ['1', '2', '3'], ['1', '2', '3']);
expect(plan.every((p) => p.src === 'live')).toBe(true);
expect(apply(plan, ['1', '2', '3'], ['1', '2', '3'])).toEqual(['1', '2', '3']);
});
it('git changed a block the human did not -> takes git', () => {
expect(merge(['1', '2', '3'], ['1', '2', '3'], ['1', '9', '3'])).toEqual([
'1',
'9',
'3',
]);
});
it('human changed a block git did not -> KEEPS the human edit (the core 3-way win)', () => {
expect(merge(['1', '2', '3'], ['1', 'H', '3'], ['1', '2', '3'])).toEqual([
'1',
'H',
'3',
]);
});
// Bug #2 observability: diff3PlanWithConflicts reports SAME-BLOCK conflicts so
// the caller can surface the "git wins" loss (log + history pin) instead of
// dropping the human side silently.
describe('diff3PlanWithConflicts (same-block conflict reporting)', () => {
it('reports 0 conflicts when sides changed DIFFERENT blocks (clean merge)', () => {
const r = diff3PlanWithConflicts(
['1', '2', '3'],
['H', '2', '3'],
['1', '2', 'G'],
);
expect(r.conflicts).toBe(0);
expect(apply(r.picks, ['H', '2', '3'], ['1', '2', 'G'])).toEqual([
'H',
'2',
'G',
]);
});
it('reports 1 conflict and git wins when BOTH rewrote the SAME block', () => {
const r = diff3PlanWithConflicts(
['1', '2', '3'],
['1', 'H', '3'], // human rewrote block 2
['1', 'G', '3'], // git rewrote block 2
);
expect(r.conflicts).toBe(1);
// Git wins the contested block; the human 'H' is NOT in the picks.
expect(apply(r.picks, ['1', 'H', '3'], ['1', 'G', '3'])).toEqual([
'1',
'G',
'3',
]);
});
it('does NOT count a git-only region (no human content to lose) as a conflict', () => {
const r = diff3PlanWithConflicts(
['1', '2', '3'],
['1', '2', '3'], // human unchanged
['1', '9', '3'], // git rewrote block 2
);
expect(r.conflicts).toBe(0);
});
});
it('human and git changed DIFFERENT blocks -> both preserved', () => {
// human rewrote block 1, git rewrote block 3.
expect(merge(['1', '2', '3'], ['H', '2', '3'], ['1', '2', 'G'])).toEqual([
'H',
'2',
'G',
]);
});
it('human inserted a block AND git changed a different block -> both preserved', () => {
expect(
merge(['1', '2', '3'], ['1', '1.5', '2', '3'], ['1', '2', 'G']),
).toEqual(['1', '1.5', '2', 'G']);
});
it('both changed the SAME block -> conflict resolves to git', () => {
expect(merge(['1', '2', '3'], ['1', 'H', '3'], ['1', 'G', '3'])).toEqual([
'1',
'G',
'3',
]);
});
it('both made the SAME edit -> that edit (no duplication)', () => {
expect(merge(['1', '2', '3'], ['1', 'X', '3'], ['1', 'X', '3'])).toEqual([
'1',
'X',
'3',
]);
});
it('human deleted a block git left alone -> deletion preserved', () => {
expect(merge(['1', '2', '3'], ['1', '3'], ['1', '2', '3'])).toEqual([
'1',
'3',
]);
});
it('git deleted a block the human left alone -> deletion applied', () => {
expect(merge(['1', '2', '3'], ['1', '2', '3'], ['1', '3'])).toEqual([
'1',
'3',
]);
});
it('both deleted the same block -> gone (no conflict)', () => {
expect(merge(['1', '2', '3'], ['1', '3'], ['1', '3'])).toEqual(['1', '3']);
});
it('git appended a trailing block -> appended', () => {
expect(merge(['1', '2'], ['1', '2'], ['1', '2', '3'])).toEqual([
'1',
'2',
'3',
]);
});
it('human appended a trailing block git did not -> kept', () => {
expect(merge(['1', '2'], ['1', '2', '3'], ['1', '2'])).toEqual([
'1',
'2',
'3',
]);
});
it('empty base, git provides content (brand-new page body) -> git content', () => {
expect(merge([], [], ['1', '2'])).toEqual(['1', '2']);
});
it('git changed block 1, human edited block 3, far apart -> both kept', () => {
expect(
merge(
['a', 'b', 'c', 'd', 'e'],
['a', 'b', 'c', 'd', 'E'],
['A', 'b', 'c', 'd', 'e'],
),
).toEqual(['A', 'b', 'c', 'd', 'E']);
});
});
@@ -0,0 +1,284 @@
/**
* Pure block-level THREE-WAY merge planner (diff3) over arrays of opaque block
* keys. Used by the git-sync body write to merge an incoming git body into the
* live page using the last-synced version as the common ancestor (review #5):
*
* - a block only the human changed (live != base, git == base) -> keep LIVE
* - a block only git changed (git != base, live == base) -> take GIT
* - a block both sides changed (a real conflict) -> GIT wins
* - inserts/deletes from either side are preserved when unambiguous
*
* Content-agnostic: it works on string keys and returns the merged block order as
* picks ({ src: 'live'|'target', index }) the caller (the Yjs applier)
* materializes them so the whole algorithm is unit-testable on plain arrays.
*
* Algorithm: anchor on base blocks present (unchanged) in BOTH live and target
* (their LCS-with-base intersection). Between consecutive anchors lies one region
* the human and/or git rewrote; resolve each region three-way. Stable anchor
* blocks are emitted from LIVE so the applier keeps the existing Yjs block
* instances (and the human's in-flight edits) in place.
*
* LOCATION (deferred): this and its `lcs.ts` sibling are pure, framework-free and
* could conceptually live in `packages/git-sync` (the engine). They are kept in
* the server integration on purpose: `packages/git-sync` is a VENDORED engine
* (pinned upstream, manually re-synced), so adding first-party files there
* complicates the re-sync story, and the only consumer today is the server. Move
* them into the engine only once the vendoring re-sync story is settled.
*/
import { buildLcsTable } from './lcs';
/** Matched index pairs of the longest common subsequence of `a` and `b`. */
function lcsPairs(a: string[], b: string[]): Array<[number, number]> {
const n = a.length;
const m = b.length;
const dp = buildLcsTable(a, b);
const pairs: Array<[number, number]> = [];
let i = 0;
let j = 0;
while (i < n && j < m) {
if (a[i] === b[j]) {
pairs.push([i, j]);
i++;
j++;
} else if (dp[i + 1][j] >= dp[i][j + 1]) {
i++;
} else {
j++;
}
}
return pairs;
}
/** o-index -> matched index in the other side (only for LCS-matched blocks). */
function matchMap(pairs: Array<[number, number]>): Map<number, number> {
const m = new Map<number, number>();
for (const [o, x] of pairs) m.set(o, x);
return m;
}
/**
* One change `side` made to `base` within a region: base blocks `[oStart,oEnd)`
* were replaced by the side's blocks listed in `content` (region-local indices).
* A pure insert has `oStart === oEnd`; a pure delete has empty `content`.
*/
interface Hunk {
oStart: number;
oEnd: number;
content: number[];
}
/**
* Diff `o` against one side as a list of non-overlapping hunks (the base spans
* the side rewrote/inserted/deleted), derived from their LCS alignment.
*/
function buildHunks(o: string[], side: string[]): Hunk[] {
const pairs = lcsPairs(o, side); // [oIdx, sideIdx] kept (unchanged) blocks
const hunks: Hunk[] = [];
let prevO = -1;
let prevS = -1;
const flush = (curO: number, curS: number): void => {
const oStart = prevO + 1;
const oEnd = curO;
const content: number[] = [];
for (let s = prevS + 1; s < curS; s++) content.push(s);
if (oEnd > oStart || content.length > 0) hunks.push({ oStart, oEnd, content });
};
for (const [oIdx, sIdx] of pairs) {
flush(oIdx, sIdx);
prevO = oIdx;
prevS = sIdx;
}
flush(o.length, side.length);
return hunks;
}
/**
* Do two hunks (one per side) touch the same base region? Pure inserts only
* collide when nested strictly inside the other hunk's base span (or, for two
* inserts, at the same gap); changes sitting at a shared boundary do not.
*/
function hunksOverlap(a: Hunk, b: Hunk): boolean {
const aIns = a.oStart === a.oEnd;
const bIns = b.oStart === b.oEnd;
if (aIns && bIns) return a.oStart === b.oStart;
if (aIns) return b.oStart < a.oStart && a.oStart < b.oEnd;
if (bIns) return a.oStart < b.oStart && b.oStart < a.oEnd;
return Math.max(a.oStart, b.oStart) < Math.min(a.oEnd, b.oEnd);
}
interface LocalPick {
src: 'live' | 'target';
local: number;
}
/**
* Fine-grained three-way merge of ONE inter-anchor region. Combines the human's
* and git's NON-overlapping hunks (e.g. a human edit to one block plus a git
* insert/delete of OTHER blocks in the same region) so neither change is lost.
* Returns the merged region as region-local picks, or `null` when the two sides
* changed the SAME base block a genuine conflict the caller resolves by the
* original all-or-nothing rule (git wins the whole region).
*/
function tryMergeRegion(
o: string[],
a: string[],
b: string[],
): LocalPick[] | null {
// Agreement short-circuit (review #11). When live (a) and target (b) are
// identical, both sides converged on the SAME result — diff3 "agreement", NOT
// a conflict. This is the dominant echo case (live == target != base) that
// otherwise trips the overlap check below and is logged as a false "N same-block
// conflict(s) resolved to the git version", masking REAL data-loss signals.
// Emit the region straight from live (which equals target); no conflict.
if (a.length === b.length && a.every((v, i) => v === b[i])) {
return a.map((_v, i) => ({ src: 'live', local: i }) as LocalPick);
}
const aHunks = buildHunks(o, a);
const bHunks = buildHunks(o, b);
// Any overlap between a human hunk and a git hunk is a real conflict; bail so
// the caller falls back to git-wins (preserving the original behavior).
for (const ah of aHunks) {
for (const bh of bHunks) {
if (hunksOverlap(ah, bh)) return null;
}
}
// Disjoint: live index of each base block that BOTH sides kept (stable).
const aKept = matchMap(lcsPairs(o, a)); // base index -> live index
const out: LocalPick[] = [];
let pa = 0;
let pb = 0;
let oi = 0;
while (oi < o.length || pa < aHunks.length || pb < bHunks.length) {
const ah = pa < aHunks.length ? aHunks[pa] : null;
const bh = pb < bHunks.length ? bHunks[pb] : null;
const nextStart = Math.min(
ah ? ah.oStart : o.length,
bh ? bh.oStart : o.length,
);
// Emit stable base blocks (kept by both) until the next hunk, from LIVE.
while (oi < nextStart) {
out.push({ src: 'live', local: aKept.get(oi) as number });
oi++;
}
if (!ah && !bh) break;
// Apply the hunk at oi. When both sides act here they are disjoint, so the
// pure-insert (oEnd === oi) is emitted before the side that consumes base oi.
const aHere = ah !== null && ah.oStart === oi;
const bHere = bh !== null && bh.oStart === oi;
let useA: boolean;
if (aHere && bHere) {
useA = ah!.oEnd === oi; // insert side first; otherwise either order is fine
} else {
useA = aHere;
}
const h = (useA ? ah : bh) as Hunk;
const src: 'live' | 'target' = useA ? 'live' : 'target';
for (const idx of h.content) out.push({ src, local: idx });
oi = h.oEnd;
if (useA) pa++;
else pb++;
}
return out;
}
export interface Pick {
src: 'live' | 'target';
index: number;
}
/**
* The merged block order PLUS how many regions resolved as a genuine SAME-BLOCK
* conflict (both sides rewrote the same base block `tryMergeRegion` returned
* null and git won the whole region, so the live/human version of those blocks
* is NOT in `picks`). `conflicts > 0` is the OBSERVABLE signal the caller uses to
* surface "git won a concurrent same-block edit" (log it + pin the human
* baseline to page history) instead of dropping the human side silently.
*/
export interface Diff3Result {
picks: Pick[];
conflicts: number;
}
/**
* Three-way merge of base `o`, live `a`, target `b` (arrays of block keys).
* Returns the merged block order as picks from live/target. Thin wrapper over
* `diff3PlanWithConflicts` (kept for the existing pure-array callers/tests).
*/
export function diff3Plan(o: string[], a: string[], b: string[]): Pick[] {
return diff3PlanWithConflicts(o, a, b).picks;
}
/**
* Like `diff3Plan` but also reports the SAME-BLOCK conflict count (see
* `Diff3Result`). A region where both the human and git rewrote the same base
* block cannot be merged automatically; the rule is deterministic GIT WINS the
* whole region but the human's version of those blocks is then absent from the
* picks, so we count it so the caller can make the loss observable/recoverable
* rather than silent (the documented conflict contract).
*/
export function diff3PlanWithConflicts(
o: string[],
a: string[],
b: string[],
): Diff3Result {
const oToA = matchMap(lcsPairs(o, a));
const oToB = matchMap(lcsPairs(o, b));
const res: Pick[] = [];
let conflicts = 0;
let oi = 0;
let ai = 0;
let bi = 0;
for (;;) {
// Next anchor: a base block present (unchanged) in BOTH live and target.
let anchor = oi;
while (anchor < o.length && !(oToA.has(anchor) && oToB.has(anchor))) {
anchor++;
}
const aEnd = anchor < o.length ? (oToA.get(anchor) as number) : a.length;
const bEnd = anchor < o.length ? (oToB.get(anchor) as number) : b.length;
// Resolve the region [oi,anchor) that one or both sides rewrote/inserted.
// Try a fine-grained three-way merge first so a human block-edit survives a
// git insert/delete of OTHER blocks in the same region; only a genuine
// same-block conflict (null) falls back to the original git-wins rule.
const merged = tryMergeRegion(
o.slice(oi, anchor),
a.slice(ai, aEnd),
b.slice(bi, bEnd),
);
if (merged) {
for (const p of merged) {
res.push(
p.src === 'live'
? { src: 'live', index: ai + p.local }
: { src: 'target', index: bi + p.local },
);
}
} else {
// SAME-BLOCK CONFLICT: count it ONLY when the human side actually had
// content in this region that git's win discards (live region non-empty).
// A region only git rewrote (live region empty) is not a human loss.
if (aEnd > ai) conflicts++;
for (let k = bi; k < bEnd; k++) res.push({ src: 'target', index: k });
}
if (anchor >= o.length) break;
// Emit the stable anchor block from LIVE, then advance past it on all sides.
res.push({ src: 'live', index: aEnd });
ai = aEnd + 1;
bi = bEnd + 1;
oi = anchor + 1;
}
return { picks: res, conflicts };
}
@@ -0,0 +1,171 @@
import { TiptapTransformer } from '@hocuspocus/transformer';
import * as Y from 'yjs';
import {
markdownToProseMirror,
convertProseMirrorToMarkdown,
} from '@docmost/git-sync';
import { tiptapExtensions } from '../collaboration.util';
import { mergeXmlFragments, mergeXmlFragments3Way } from './yjs-body-merge';
/**
* Regression for the QA #119 callout findings (body-duplication re-verify +
* "callout strips the whole body"). These reproduce the ACTUAL live merge path:
*
* live = TiptapTransformer.toYdoc(editor JSON, tiptapExtensions) (the
* collaboration server's materialization schema defaults stamped)
* git = toYdoc(markdownToProseMirror(convertProseMirrorToMarkdown(editor)))
* (the engine round-trip the push side feeds into writePageBody)
*
* A page containing a callout (with a neighbouring heading + paragraphs) must:
* - merge with ZERO ops on an unchanged resync (no duplication bug #1), and
* - NEVER lose blocks / collapse to empty (no strip bug #2),
* across repeated cycles, for every editor-canonical callout type.
*/
const toYdoc = (content: unknown[]) =>
TiptapTransformer.toYdoc(
{ type: 'doc', content },
'default',
tiptapExtensions as any,
);
const blockTypes = (f: Y.XmlFragment) =>
f.toArray().map((n: any) => n.nodeName);
function editorPage(calloutType: string) {
return [
{
type: 'heading',
attrs: { id: 'h1', level: 1 },
content: [{ type: 'text', text: 'Title here' }],
},
{
type: 'paragraph',
attrs: { id: 'p1' },
content: [{ type: 'text', text: 'Para before callout' }],
},
{
type: 'callout',
attrs: { type: calloutType },
content: [
{
type: 'paragraph',
attrs: { id: 'pc' },
content: [{ type: 'text', text: 'Inside the callout' }],
},
],
},
{
type: 'paragraph',
attrs: { id: 'p2' },
content: [{ type: 'text', text: 'Para after callout' }],
},
];
}
async function gitRoundTrip(content: unknown[]): Promise<any[]> {
const md = await convertProseMirrorToMarkdown({ type: 'doc', content });
const json = await markdownToProseMirror(md);
return json.content;
}
describe('git-sync callout merge is idempotent + non-destructive (QA #119)', () => {
for (const type of ['info', 'note', 'warning', 'danger', 'success', 'default']) {
it(`callout(${type}) resyncs with 0 ops and never strips the body`, async () => {
const editor = editorPage(type);
const gitContent = await gitRoundTrip(editor);
const liveDoc = toYdoc(editor);
const live = liveDoc.getXmlFragment('default');
const before = live.toArray().length;
expect(before).toBe(4);
// 2-way: live vs the git round-trip -> no-op (no dup, no strip).
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments(live, toYdoc(gitContent).getXmlFragment('default'));
});
expect(applied).toBe(0);
expect(live.toArray().length).toBe(before);
// 3-way across 4 cycles with base == git (the steady-state) -> stable.
for (let cycle = 0; cycle < 4; cycle++) {
let a = -1;
liveDoc.transact(() => {
a = mergeXmlFragments3Way(
live,
toYdoc(gitContent).getXmlFragment('default'),
toYdoc(gitContent).getXmlFragment('default'),
);
});
expect(a).toBe(0);
expect(live.toArray().length).toBe(before);
expect(blockTypes(live)).toEqual([
'heading',
'paragraph',
'callout',
'paragraph',
]);
}
});
}
it('3-way with a stale base (callout JUST added) keeps the callout + neighbours', async () => {
// base = the previously-synced version WITHOUT the callout (git round-trip);
// the human just inserted the callout -> the merge must KEEP everything.
const prev = [
{ type: 'heading', attrs: { id: 'h1', level: 1 }, content: [{ type: 'text', text: 'Title here' }] },
{ type: 'paragraph', attrs: { id: 'p1' }, content: [{ type: 'text', text: 'Para before callout' }] },
{ type: 'paragraph', attrs: { id: 'p2' }, content: [{ type: 'text', text: 'Para after callout' }] },
];
const editor = editorPage('info');
const baseContent = await gitRoundTrip(prev);
const gitContent = await gitRoundTrip(editor);
const liveDoc = toYdoc(editor);
const live = liveDoc.getXmlFragment('default');
liveDoc.transact(() => {
mergeXmlFragments3Way(
live,
toYdoc(gitContent).getXmlFragment('default'),
toYdoc(baseContent).getXmlFragment('default'),
);
});
// Body survives in full — NOT stripped to empty / a lone paragraph.
expect(blockTypes(live)).toEqual([
'heading',
'paragraph',
'callout',
'paragraph',
]);
});
});
describe('git-sync callout type fidelity (QA "callout type -> [!info]")', () => {
for (const type of ['info', 'note', 'warning', 'danger', 'success', 'default']) {
it(`preserves callout type "${type}" across the engine round-trip`, async () => {
const content = editorPage(type);
const gitContent = await gitRoundTrip(content);
const co = gitContent.find((b: any) => b.type === 'callout');
expect(co?.attrs?.type).toBe(type);
});
}
it('maps a known GitHub/Obsidian alias to the editor banner (tip -> success)', async () => {
// `tip` is not a schema callout type — it is an input alias the editor itself
// maps onto the supported set (GITHUB_ALERT_TYPE_MAP: tip -> success). git-sync
// mirrors that so the ingest lands on the closest banner instead of flatly info.
const content = editorPage('tip');
const gitContent = await gitRoundTrip(content);
const co = gitContent.find((b: any) => b.type === 'callout');
expect(co?.attrs?.type).toBe('success');
});
it('flattens a genuinely unknown callout type to info', async () => {
const content = editorPage('banana'); // not a type and not a known alias
const gitContent = await gitRoundTrip(content);
const co = gitContent.find((b: any) => b.type === 'callout');
expect(co?.attrs?.type).toBe('info');
});
});
@@ -0,0 +1,198 @@
import * as Y from 'yjs';
import { mergeXmlFragments, mergeXmlFragments3Way } from './yjs-body-merge';
/**
* Regression for the HIGH-severity runaway whole-body duplication: a page body
* was RE-APPENDED in full on every git-sync reconcile cycle, unbounded, with NO
* client connected.
*
* ROOT CAUSE (confirmed in-process against the real failing page): the LIVE Yjs
* document materializes the editor-schema default `indent: 0` on every
* paragraph/heading (and on the paragraph inside every list item, callout, and
* table cell), but a body re-imported from git parsed from clean markdown
* carries NO indent attribute. So every live block's comparison key differed from
* the same block coming back from git; the three-way merge could anchor on
* NOTHING, and the trailing unit that git's export already contained (but the
* merge could not match against the byte-identical live tail) was re-appended
* each cycle. Each grown export then diverged from the last-pushed base by one
* more unit a self-sustaining loop.
*
* The fix normalizes the materialized default (`indent: 0`) out of the block key
* (the schema-derived `serializeXmlNode` normalization in yjs-body-merge.ts drops
* every attr equal to its ProseMirror-schema default; `indent: 0` is one such),
* so a live block compares equal to its git-round-tripped twin and the resync is
* a true no-op. The sibling `yjs-body-merge.schema-defaults.spec.ts` covers the
* rest of the bug class (image.align, link mark internal, ).
*
* These tests model that EXACTLY at the Yjs level: a LIVE fragment whose blocks
* carry `indent: 0` + block ids, versus a git-derived fragment of the SAME
* content with neither for a body built from BYTE-IDENTICAL units that each
* contain a heading, a paragraph, a callout, and a table with empty cells (the
* trigger). RED before the fix (the merge applies > 0 ops and the body grows),
* GREEN after (0 ops, no growth).
*/
type Attrs = Record<string, string | number>;
function el(
name: string,
attrs: Attrs,
children: (Y.XmlElement | Y.XmlText)[],
) {
const e = new Y.XmlElement(name);
for (const [k, v] of Object.entries(attrs)) e.setAttribute(k, v as string);
if (children.length) e.insert(0, children);
return e;
}
function text(s: string): Y.XmlText {
const t = new Y.XmlText();
if (s) t.insert(0, s);
return t;
}
/**
* One byte-identical content unit (heading / paragraph / callout / table-with-
* empty-cells). `live` toggles the two things that exist ONLY in the live Yjs
* doc and NOT in a git round-trip: the materialized `indent: 0` default and the
* per-block `id`. `n` makes each unit's ids unique (as the editor would stamp)
* while keeping the visible CONTENT byte-identical across units.
*/
function unit(
live: boolean,
n: number,
headingText = 'Big Heading',
): Y.XmlElement[] {
const ind: Attrs = live ? { indent: 0 } : {};
const id = (base: string): Attrs => (live ? { id: `${base}${n}` } : {});
const para = (attrs: Attrs, s: string) =>
el('paragraph', { ...attrs, ...ind }, [text(s)]);
const cell = (name: string) =>
el(name, { colspan: 1, rowspan: 1 }, [para({}, '')]);
return [
el('heading', { ...id('h'), level: 1, ...ind }, [text(headingText)]),
para(id('p'), 'Para with the same words'),
el('callout', { type: 'info' }, [para(id('c'), 'CalloutText here')]),
el('table', {}, [
el('tableRow', {}, [cell('tableHeader'), cell('tableHeader')]),
el('tableRow', {}, [cell('tableCell'), cell('tableCell')]),
]),
];
}
function fragmentOf(units: Y.XmlElement[][]): {
doc: Y.Doc;
frag: Y.XmlFragment;
} {
const doc = new Y.Doc();
const frag = doc.getXmlFragment('default');
const blocks = units.flat();
if (blocks.length) frag.insert(0, blocks);
return { doc, frag };
}
const blockCount = (frag: Y.XmlFragment): number => frag.toArray().length;
describe('git-sync reconcile import is idempotent (no whole-body duplication)', () => {
const UNITS = 3;
it('3-way: identical content, live carries indent:0, base stale-by-one -> 0 ops, no growth', () => {
// LIVE: the editor-stamped Yjs doc (indent:0 + ids on every block).
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(true, i)),
);
// INCOMING (git export -> re-import): same content, NO indent / ids.
const { frag: incoming } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(false, i)),
);
// BASE = last-pushed file, lagging by ONE unit (the realistic divergence
// that drives the trailing insert-vs-insert).
const { frag: base } = fragmentOf(
Array.from({ length: UNITS - 1 }, (_, i) => unit(false, i)),
);
const before = blockCount(live);
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments3Way(live, incoming, base);
});
expect(applied).toBe(0);
expect(blockCount(live)).toBe(before);
});
it('3-way is a fixpoint across repeated cycles (does not grow)', () => {
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(true, i)),
);
const incomingUnits = () =>
fragmentOf(Array.from({ length: UNITS }, (_, i) => unit(false, i))).frag;
const baseUnits = () =>
fragmentOf(Array.from({ length: UNITS - 1 }, (_, i) => unit(false, i)))
.frag;
const before = blockCount(live);
for (let cycle = 0; cycle < 5; cycle++) {
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments3Way(live, incomingUnits(), baseUnits());
});
expect(applied).toBe(0);
expect(blockCount(live)).toBe(before);
}
});
it('2-way: identical content, live carries indent:0 -> 0 ops, no growth', () => {
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(true, i)),
);
const { frag: incoming } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(false, i)),
);
const before = blockCount(live);
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments(live, incoming);
});
expect(applied).toBe(0);
expect(blockCount(live)).toBe(before);
});
it('does NOT regress real edits: a git change to one block still lands', () => {
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(true, i)),
);
const base = fragmentOf(
Array.from({ length: UNITS }, (_, i) => unit(false, i)),
).frag;
// git edits the heading text of the LAST unit.
const incoming = fragmentOf(
Array.from({ length: UNITS }, (_, i) =>
unit(false, i, i === UNITS - 1 ? 'EDITED Heading' : 'Big Heading'),
),
).frag;
const before = blockCount(live);
liveDoc.transact(() => {
mergeXmlFragments3Way(live, incoming, base);
});
// The edit landed, and the body did NOT grow (one block changed in place).
const headings = live
.toArray()
.filter((b) => (b as Y.XmlElement).nodeName === 'heading')
.map((b) =>
(b as Y.XmlElement)
.toArray()
.map((c) => (c as Y.XmlText).toString())
.join(''),
);
expect(headings).toContain('EDITED Heading');
expect(blockCount(live)).toBe(before);
});
});
@@ -0,0 +1,316 @@
import { TiptapTransformer } from '@hocuspocus/transformer';
import * as Y from 'yjs';
import { tiptapExtensions } from '../collaboration.util';
import { mergeXmlFragments, mergeXmlFragments3Way } from './yjs-body-merge';
/**
* Regression for the BUG CLASS behind the runaway whole-body duplication: the
* point-fix (7a7b840e) only normalized `indent: 0`, but the SAME divergence
* recurs for every attribute whose editor-ext (server) schema default the live
* Yjs doc MATERIALIZES while the git round-trip which comes through the engine
* schema (different, usually null, defaults) plus `y-prosemirror`'s null-attr
* dropping does NOT carry. Confirmed triggers beyond `indent`:
*
* - `image.align` : editor-ext default "center" (materialized) vs engine
* default null (dropped) -> element-attr divergence.
* - link mark `internal`: editor-ext default false (materialized) vs engine
* default null -> MARK-attr divergence (the prior denylist
* could not reach marks at all they are serialized raw in
* the XmlText delta).
*
* `highlight.colorName` is normalized too (defense-in-depth); it is NOT a strong
* real-world trigger because BOTH schemas default it to null, but the schema-
* derived normalization handles it for free and stays idempotent.
*
* The fix derives the defaults from the ACTUAL ProseMirror schema (getSchema of
* the server tiptapExtensions) and drops any element- OR mark-attribute equal to
* its schema default (or null/undefined) from the block comparison key so a
* live block compares equal to its git-round-tripped twin and an unchanged
* resync applies 0 ops. RED before the fix (keys diverge -> ops > 0 / growth),
* GREEN after.
*/
type Attrs = Record<string, unknown>;
function el(
name: string,
attrs: Attrs,
children: (Y.XmlElement | Y.XmlText)[],
): Y.XmlElement {
const e = new Y.XmlElement(name);
for (const [k, v] of Object.entries(attrs)) e.setAttribute(k, v as string);
if (children.length) e.insert(0, children);
return e;
}
/** Text carrying marks, as the live Yjs doc stores them (XmlText format ops). */
function markedText(s: string, marks: Record<string, unknown>): Y.XmlText {
const t = new Y.XmlText();
t.insert(0, s, marks);
return t;
}
/**
* One byte-identical RICH unit: a paragraph with a LINK, a top-level IMAGE, and
* a paragraph with a HIGHLIGHT. `live` toggles exactly what the editor
* materializes but a git round-trip does not: block `id`, `indent: 0`,
* `image.align: "center"`, the link mark's `internal: false`, and the
* highlight's `colorName: null`.
*/
function richUnit(live: boolean, n: number): Y.XmlElement[] {
const ind: Attrs = live ? { indent: 0 } : {};
const id = (base: string): Attrs => (live ? { id: `${base}${n}` } : {});
const linkMarks = live
? {
link: {
href: 'https://example.com',
target: '_blank',
rel: 'noopener noreferrer nofollow',
class: null,
title: null,
internal: false, // editor-ext default, materialized
},
}
: {
link: {
href: 'https://example.com',
target: '_blank',
rel: 'noopener noreferrer nofollow',
internal: null, // engine default
},
};
const hlMarks = live
? { highlight: { color: '#ffd43b', colorName: null } }
: { highlight: { color: '#ffd43b' } };
const imageAttrs: Attrs = live
? { src: 'https://img.example.com/a.png', align: 'center' } // materialized
: { src: 'https://img.example.com/a.png' }; // align:null dropped on git side
return [
el('paragraph', { ...id('lp'), ...ind }, [
markedText('click here', linkMarks),
]),
el('image', imageAttrs, []),
el('paragraph', { ...id('hp'), ...ind }, [markedText('hot', hlMarks)]),
];
}
function fragmentOf(units: Y.XmlElement[][]): {
doc: Y.Doc;
frag: Y.XmlFragment;
} {
const doc = new Y.Doc();
const frag = doc.getXmlFragment('default');
const blocks = units.flat();
if (blocks.length) frag.insert(0, blocks);
return { doc, frag };
}
const blockCount = (frag: Y.XmlFragment): number => frag.toArray().length;
describe('git-sync reconcile is idempotent for schema-default attrs (image/link/highlight)', () => {
const UNITS = 3;
it('3-way: live carries image.align/link.internal/indent defaults, base stale-by-one -> 0 ops', () => {
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => richUnit(true, i)),
);
const { frag: incoming } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => richUnit(false, i)),
);
const { frag: base } = fragmentOf(
Array.from({ length: UNITS - 1 }, (_, i) => richUnit(false, i)),
);
const before = blockCount(live);
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments3Way(live, incoming, base);
});
expect(applied).toBe(0);
expect(blockCount(live)).toBe(before);
});
it('2-way: live carries the materialized defaults -> 0 ops, no growth', () => {
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => richUnit(true, i)),
);
const { frag: incoming } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => richUnit(false, i)),
);
const before = blockCount(live);
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments(live, incoming);
});
expect(applied).toBe(0);
expect(blockCount(live)).toBe(before);
});
it('is a fixpoint across repeated cycles (does not grow)', () => {
const { doc: liveDoc, frag: live } = fragmentOf(
Array.from({ length: UNITS }, (_, i) => richUnit(true, i)),
);
const incoming = () =>
fragmentOf(Array.from({ length: UNITS }, (_, i) => richUnit(false, i)))
.frag;
const base = () =>
fragmentOf(
Array.from({ length: UNITS - 1 }, (_, i) => richUnit(false, i)),
).frag;
const before = blockCount(live);
for (let cycle = 0; cycle < 5; cycle++) {
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments3Way(live, incoming(), base());
});
expect(applied).toBe(0);
expect(blockCount(live)).toBe(before);
}
});
it('does NOT regress a genuine non-default value (a real link.href / image.align:left still diffs)', () => {
const { doc: liveDoc, frag: live } = fragmentOf([richUnit(true, 0)]);
const base = fragmentOf([richUnit(false, 0)]).frag;
// git genuinely changes the image alignment to a NON-default value.
const incomingUnit = richUnit(false, 0);
(incomingUnit[1] as Y.XmlElement).setAttribute('align', 'left');
const incoming = fragmentOf([incomingUnit]).frag;
liveDoc.transact(() => {
mergeXmlFragments3Way(live, incoming, base);
});
const img = live
.toArray()
.find((b) => (b as Y.XmlElement).nodeName === 'image') as Y.XmlElement;
expect(img.getAttribute('align')).toBe('left');
});
});
/**
* FAITHFUL end-to-end proof through the REAL server transformer: build the live
* doc the way the collaboration server does (defaults omitted in the JSON ->
* TiptapTransformer.toYdoc MATERIALIZES image.align:"center", link.internal:false,
* indent:0) versus the git-derived doc (engine-style: defaults emitted as
* explicit null, no block ids). An unchanged resync must apply 0 ops.
*/
describe('git-sync reconcile is idempotent through the real toYdoc materialization', () => {
const liveContent = [
{
type: 'paragraph',
attrs: { id: 'p1' },
content: [
{
type: 'text',
text: 'click here',
marks: [{ type: 'link', attrs: { href: 'https://example.com' } }],
},
],
},
{ type: 'image', attrs: { src: 'https://img.example.com/a.png' } },
{
type: 'paragraph',
attrs: { id: 'p2' },
content: [
{
type: 'text',
text: 'hot',
marks: [{ type: 'highlight', attrs: { color: '#ffd43b' } }],
},
],
},
];
// git/engine-style: explicit nulls for the engine-default attrs, no ids.
const gitContent = [
{
type: 'paragraph',
content: [
{
type: 'text',
text: 'click here',
marks: [
{
type: 'link',
attrs: {
href: 'https://example.com',
target: '_blank',
rel: 'noopener noreferrer nofollow',
class: null,
title: null,
internal: null,
},
},
],
},
],
},
{
type: 'image',
attrs: { src: 'https://img.example.com/a.png', align: null },
},
{
type: 'paragraph',
content: [
{
type: 'text',
text: 'hot',
marks: [
{ type: 'highlight', attrs: { color: '#ffd43b', colorName: null } },
],
},
],
},
];
const toYdoc = (content: unknown[]) =>
TiptapTransformer.toYdoc(
{ type: 'doc', content },
'default',
tiptapExtensions as any,
);
it('3-way: materialized-default live vs engine-style git, base stale-by-one -> 0 ops', () => {
const liveDoc = toYdoc(liveContent);
const targetDoc = toYdoc(gitContent);
const baseDoc = toYdoc(gitContent.slice(0, gitContent.length - 1));
const live = liveDoc.getXmlFragment('default');
const before = live.toArray().length;
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments3Way(
live,
targetDoc.getXmlFragment('default'),
baseDoc.getXmlFragment('default'),
);
});
expect(applied).toBe(0);
expect(live.toArray().length).toBe(before);
});
it('2-way: materialized-default live vs engine-style git -> 0 ops', () => {
const liveDoc = toYdoc(liveContent);
const targetDoc = toYdoc(gitContent);
const live = liveDoc.getXmlFragment('default');
const before = live.toArray().length;
let applied = -1;
liveDoc.transact(() => {
applied = mergeXmlFragments(live, targetDoc.getXmlFragment('default'));
});
expect(applied).toBe(0);
expect(live.toArray().length).toBe(before);
});
});
@@ -0,0 +1,373 @@
import * as Y from 'yjs';
import {
mergeXmlFragments,
mergeXmlFragments3Way,
mergeXmlFragments3WayWithStats,
cloneXmlNode,
diffBlocks,
} from './yjs-body-merge';
// Build a Y.XmlFragment('default') in `doc` from a list of paragraph specs.
// Each spec is the paragraph's plain text (a single XmlText child).
function buildFragment(doc: Y.Doc, paragraphs: string[]): Y.XmlFragment {
const frag = doc.getXmlFragment('default');
const blocks = paragraphs.map((text) => {
const el = new Y.XmlElement('paragraph');
const t = new Y.XmlText();
if (text) t.insert(0, text);
el.insert(0, [t]);
return el;
});
if (blocks.length) frag.insert(0, blocks);
return frag;
}
function texts(frag: Y.XmlFragment): string[] {
return frag.toArray().map((el) => (el as Y.XmlElement).toArray()
.map((c) => (c as Y.XmlText).toString())
.join(''));
}
describe('yjs-body-merge', () => {
describe('diffBlocks (LCS edit script)', () => {
it('identical sequences produce only keeps (no edits)', () => {
const ops = diffBlocks(['a', 'b', 'c'], ['a', 'b', 'c']);
expect(ops.every((o) => o.op === 'keep')).toBe(true);
});
it('a single changed middle element is one del + one ins', () => {
const ops = diffBlocks(['a', 'b', 'c'], ['a', 'B', 'c']);
expect(ops.filter((o) => o.op === 'del')).toHaveLength(1);
expect(ops.filter((o) => o.op === 'ins')).toHaveLength(1);
expect(ops.filter((o) => o.op === 'keep')).toHaveLength(2);
});
});
describe('mergeXmlFragments', () => {
it('identical content is a complete no-op (0 ops) — never clobbers an unchanged resync', () => {
const live = new Y.Doc();
const target = new Y.Doc();
const liveFrag = buildFragment(live, ['one', 'two', 'three']);
const targetFrag = buildFragment(target, ['one', 'two', 'three']);
// Capture block identities to prove they are left untouched.
const before = liveFrag.toArray();
let applied = -1;
live.transact(() => {
applied = mergeXmlFragments(liveFrag, targetFrag);
});
expect(applied).toBe(0);
// Same Y.XmlElement instances — nothing was deleted/recreated.
expect(liveFrag.toArray()).toEqual(before);
expect(texts(liveFrag)).toEqual(['one', 'two', 'three']);
});
it('a human edit to one block survives a git change to a DIFFERENT block', () => {
// Live: the human has the doc open; block 0 holds their edit. Git changed
// only block 2. The merge must touch ONLY block 2 and leave block 0 (and
// its in-flight edit) exactly as-is.
const live = new Y.Doc();
const target = new Y.Doc();
const liveFrag = buildFragment(live, ['HUMAN EDIT', 'shared', 'old tail']);
const targetFrag = buildFragment(target, [
'HUMAN EDIT',
'shared',
'new tail from git',
]);
const block0Before = liveFrag.get(0); // the human's block instance
const block1Before = liveFrag.get(1);
let applied = -1;
live.transact(() => {
applied = mergeXmlFragments(liveFrag, targetFrag);
});
// Only block 2 was replaced: one del + one ins.
expect(applied).toBe(2);
// The human's block and the shared block are the SAME instances (untouched).
expect(liveFrag.get(0)).toBe(block0Before);
expect(liveFrag.get(1)).toBe(block1Before);
// Block 2 now carries git's content.
expect(texts(liveFrag)).toEqual([
'HUMAN EDIT',
'shared',
'new tail from git',
]);
});
it('appends a new trailing block without disturbing existing ones', () => {
const live = new Y.Doc();
const target = new Y.Doc();
const liveFrag = buildFragment(live, ['a', 'b']);
const targetFrag = buildFragment(target, ['a', 'b', 'c']);
const a = liveFrag.get(0);
const b = liveFrag.get(1);
let applied = -1;
live.transact(() => {
applied = mergeXmlFragments(liveFrag, targetFrag);
});
expect(applied).toBe(1); // single insert
expect(liveFrag.get(0)).toBe(a);
expect(liveFrag.get(1)).toBe(b);
expect(texts(liveFrag)).toEqual(['a', 'b', 'c']);
});
it('deletes a removed block, keeping its neighbours', () => {
const live = new Y.Doc();
const target = new Y.Doc();
const liveFrag = buildFragment(live, ['a', 'b', 'c']);
const targetFrag = buildFragment(target, ['a', 'c']);
const a = liveFrag.get(0);
let applied = -1;
live.transact(() => {
applied = mergeXmlFragments(liveFrag, targetFrag);
});
expect(applied).toBe(1); // single delete
expect(liveFrag.get(0)).toBe(a);
expect(texts(liveFrag)).toEqual(['a', 'c']);
});
it('a fully different body is replaced (and stays valid)', () => {
const live = new Y.Doc();
const target = new Y.Doc();
const liveFrag = buildFragment(live, ['x', 'y']);
const targetFrag = buildFragment(target, ['p', 'q', 'r']);
live.transact(() => mergeXmlFragments(liveFrag, targetFrag));
expect(texts(liveFrag)).toEqual(['p', 'q', 'r']);
});
});
describe('mergeXmlFragments3Way', () => {
it('keeps a human edit to one block while applying a git change to another (3-way)', () => {
// base (last synced): [a, b, c]. Human edited block 0 in the live doc; git
// changed block 2 in the incoming file. 3-way must keep BOTH — the 2-way
// merge would instead revert the human's block 0 to git's stale version.
const base = new Y.Doc();
const live = new Y.Doc();
const target = new Y.Doc();
const baseFrag = buildFragment(base, ['a', 'b', 'c']);
const liveFrag = buildFragment(live, ['HUMAN', 'b', 'c']);
const targetFrag = buildFragment(target, ['a', 'b', 'GIT']);
const humanBlock = liveFrag.get(0); // the human's live instance
live.transact(() =>
mergeXmlFragments3Way(liveFrag, targetFrag, baseFrag),
);
// Human's block preserved as the SAME instance; git's change applied.
expect(liveFrag.get(0)).toBe(humanBlock);
expect(texts(liveFrag)).toEqual(['HUMAN', 'b', 'GIT']);
});
it('a block both sides changed resolves to git (conflict policy)', () => {
const base = new Y.Doc();
const live = new Y.Doc();
const target = new Y.Doc();
const baseFrag = buildFragment(base, ['a', 'b', 'c']);
const liveFrag = buildFragment(live, ['a', 'HUMAN', 'c']);
const targetFrag = buildFragment(target, ['a', 'GIT', 'c']);
live.transact(() =>
mergeXmlFragments3Way(liveFrag, targetFrag, baseFrag),
);
expect(texts(liveFrag)).toEqual(['a', 'GIT', 'c']);
});
// Bug #2 observability: the stats variant reports the same-block conflict so
// the handler can log it + the persistence layer can pin the human baseline.
it('reports the same-block conflict count via mergeXmlFragments3WayWithStats', () => {
const base = new Y.Doc();
const live = new Y.Doc();
const target = new Y.Doc();
const baseFrag = buildFragment(base, ['a', 'b', 'c']);
const liveFrag = buildFragment(live, ['a', 'HUMAN', 'c']);
const targetFrag = buildFragment(target, ['a', 'GIT', 'c']);
let result!: { applied: number; conflicts: number };
live.transact(() => {
result = mergeXmlFragments3WayWithStats(liveFrag, targetFrag, baseFrag);
});
expect(result.conflicts).toBe(1);
expect(texts(liveFrag)).toEqual(['a', 'GIT', 'c']);
});
it('reports 0 conflicts for a clean different-block 3-way merge', () => {
const base = new Y.Doc();
const live = new Y.Doc();
const target = new Y.Doc();
const baseFrag = buildFragment(base, ['a', 'b', 'c']);
const liveFrag = buildFragment(live, ['HUMAN', 'b', 'c']);
const targetFrag = buildFragment(target, ['a', 'b', 'GIT']);
let result!: { applied: number; conflicts: number };
live.transact(() => {
result = mergeXmlFragments3WayWithStats(liveFrag, targetFrag, baseFrag);
});
expect(result.conflicts).toBe(0);
expect(texts(liveFrag)).toEqual(['HUMAN', 'b', 'GIT']);
});
it('git change with no concurrent human edit (live == base) applies cleanly', () => {
const base = new Y.Doc();
const live = new Y.Doc();
const target = new Y.Doc();
const baseFrag = buildFragment(base, ['a', 'b']);
const liveFrag = buildFragment(live, ['a', 'b']);
const targetFrag = buildFragment(target, ['a', 'B2']);
live.transact(() =>
mergeXmlFragments3Way(liveFrag, targetFrag, baseFrag),
);
expect(texts(liveFrag)).toEqual(['a', 'B2']);
});
});
// Regression: start-of-document content duplicating on every two-way sync.
//
// The LIVE Docmost doc stamps a per-block UniqueID on every heading/paragraph;
// a body arriving FROM git is parsed from clean markdown and carries NO block
// ids. If the merge comparison key includes that `id`, an unchanged live block
// never matches the SAME block coming from git, so the three-way merge cannot
// anchor on it — and an incoming block with no anchor (content inserted at the
// TOP of the page) is RE-ADDED on every cycle, an unbounded duplication loop.
// These tests model that exact id-asymmetry and assert the reconciliation is
// IDEMPOTENT (no block growth). They are RED before excluding `id` from the
// key in `serializeXmlNode`.
describe('idempotent reconciliation with live block ids (start-of-doc dup)', () => {
// Build a fragment from block specs. `id` is set only when provided, mirroring
// the live doc (ids present) vs a git-parsed body (ids absent).
type Spec = { tag: 'heading' | 'paragraph'; text: string; id?: string };
function buildDoc(doc: Y.Doc, specs: Spec[]): Y.XmlFragment {
const frag = doc.getXmlFragment('default');
const blocks = specs.map((s) => {
const el = new Y.XmlElement(s.tag);
if (s.id) el.setAttribute('id', s.id);
if (s.tag === 'heading') el.setAttribute('level', '2');
const t = new Y.XmlText();
if (s.text) t.insert(0, s.text);
el.insert(0, [t]);
return el;
});
if (blocks.length) frag.insert(0, blocks);
return frag;
}
const textsOf = (frag: Y.XmlFragment): string[] =>
frag.toArray().map((el) =>
(el as Y.XmlElement)
.toArray()
.map((c) => (c as Y.XmlText).toString())
.join(''),
);
it('re-merging the SAME git body does NOT re-add the top block (idempotent)', () => {
// last-synced base (from git markdown): NO block ids.
const base = new Y.Doc();
const baseFrag = buildDoc(base, [
{ tag: 'heading', text: 'Title' },
{ tag: 'paragraph', text: 'Some paragraph.' },
{ tag: 'paragraph', text: 'End block.' },
]);
// live Docmost doc: SAME content, but every block carries a UniqueID.
const live = new Y.Doc();
const liveFrag = buildDoc(live, [
{ tag: 'heading', text: 'Title', id: 'ida' },
{ tag: 'paragraph', text: 'Some paragraph.', id: 'idb' },
{ tag: 'paragraph', text: 'End block.', id: 'idc' },
]);
// incoming git body: the user inserted a heading at the very TOP.
const buildTarget = (): Y.XmlFragment =>
buildDoc(new Y.Doc(), [
{ tag: 'heading', text: 'TOPDUP' },
{ tag: 'heading', text: 'Title' },
{ tag: 'paragraph', text: 'Some paragraph.' },
{ tag: 'paragraph', text: 'End block.' },
]);
// First sync: the top block is added once.
live.transact(() =>
mergeXmlFragments3Way(liveFrag, buildTarget(), baseFrag),
);
expect(textsOf(liveFrag)).toEqual([
'TOPDUP',
'Title',
'Some paragraph.',
'End block.',
]);
// Subsequent sync of the SAME git body against the SAME base must be a
// NO-OP — not a second copy of the top block. Before the fix this re-adds
// 'TOPDUP', growing the doc on every cycle.
live.transact(() =>
mergeXmlFragments3Way(liveFrag, buildTarget(), baseFrag),
);
expect(textsOf(liveFrag)).toEqual([
'TOPDUP',
'Title',
'Some paragraph.',
'End block.',
]);
expect(textsOf(liveFrag).filter((t) => t === 'TOPDUP')).toHaveLength(1);
});
it('an unchanged git body (live ids, none in git) is a complete no-op', () => {
// base == git body (no pending git change); live is the same content with
// ids. With `id` in the key the whole body looks rewritten; the merge must
// still leave live byte-identical (block instances untouched).
const base = new Y.Doc();
const baseFrag = buildDoc(base, [
{ tag: 'heading', text: 'Title' },
{ tag: 'paragraph', text: 'Body.' },
]);
const live = new Y.Doc();
const liveFrag = buildDoc(live, [
{ tag: 'heading', text: 'Title', id: 'ida' },
{ tag: 'paragraph', text: 'Body.', id: 'idb' },
]);
const before = liveFrag.toArray();
let applied = -1;
live.transact(() => {
applied = mergeXmlFragments3Way(
liveFrag,
buildDoc(new Y.Doc(), [
{ tag: 'heading', text: 'Title' },
{ tag: 'paragraph', text: 'Body.' },
]),
baseFrag,
);
});
expect(applied).toBe(0);
// Same live block instances (ids preserved) — nothing recreated.
expect(liveFrag.toArray()).toEqual(before);
});
});
describe('cloneXmlNode', () => {
it('preserves text marks (XmlText delta) across docs', () => {
const src = new Y.Doc();
const srcFrag = src.getXmlFragment('default');
const el = new Y.XmlElement('paragraph');
const t = new Y.XmlText();
t.insert(0, 'plain ');
t.insert(6, 'bold', { bold: true });
el.insert(0, [t]);
srcFrag.insert(0, [el]);
const dst = new Y.Doc();
const dstFrag = dst.getXmlFragment('default');
dstFrag.insert(0, [cloneXmlNode(srcFrag.get(0) as Y.XmlElement)]);
const clonedText = (dstFrag.get(0) as Y.XmlElement).get(0) as Y.XmlText;
expect(clonedText.toDelta()).toEqual([
{ insert: 'plain ' },
{ insert: 'bold', attributes: { bold: true } },
]);
});
});
});
@@ -0,0 +1,371 @@
import * as Y from 'yjs';
import { getSchema } from '@tiptap/core';
import type { Schema } from '@tiptap/pm/model';
import { tiptapExtensions } from '../collaboration.util';
import { diff3PlanWithConflicts } from './three-way-merge';
import { buildLcsTable } from './lcs';
/**
* Block-level merge of an incoming (git) page body into a LIVE Yjs document,
* replacing the previous full-body "delete everything + re-insert" write that
* clobbered concurrent human edits on every sync (review #5 "do the write as a
* merge").
*
* Strategy: diff the two documents at TOP-LEVEL BLOCK granularity (an LCS over a
* canonical structural serialization of each block) and apply only the minimal
* insert/delete operations. Blocks that are byte-identical on both sides are
* left UNTOUCHED in the live doc so a human editing one paragraph is unaffected
* when git changes a different paragraph, and an unchanged re-sync is a complete
* no-op (zero Yjs operations). Yjs then CRDT-merges the minimal ops with any
* concurrent edits.
*
* Merge mode: a THREE-WAY merge (live vs incoming vs base) runs whenever the
* engine plumbs the last-synced base (`baseMarkdown` from refs/docmost/last-pushed)
* which it now does end-to-end so a block both sides changed is a genuine
* conflict resolved deterministically (git wins that block; the prior state is
* preserved in page history). Only when NO base is available (a brand-new file)
* does it fall back to a 2-way merge (live vs incoming). Common cases unchanged
* resync and edits to DIFFERENT blocks are lossless in both modes.
*/
type XmlNode = Y.XmlElement | Y.XmlText | Y.XmlHook;
/**
* Node attributes that are VOLATILE identity (not content) and so must be
* excluded from the block comparison key.
*
* `id` is the per-block UniqueID the editor stamps on every heading/paragraph
* (and transclusionSource). It exists ONLY in the live Yjs document a body
* arriving from git is parsed from clean markdown, which carries no block ids
* (`markdownToProseMirror` materializes `id: null`, which the Yjs transform then
* drops). If `id` were part of the key, an UNCHANGED live block (id "abc123")
* would never match the SAME block coming from git (no id), so the three-way
* merge's LCS could not anchor on it. The merge would then treat every live
* block as deleted-and-reinserted and, when an incoming block has no matching
* anchor (e.g. content inserted at the very TOP of the page), RE-ADD a copy of
* it on every sync cycle a non-convergent, unbounded duplication loop
* (start-of-document content duplicating each push/pull cycle).
*
* Excluding `id` makes blocks compare by CONTENT, so an unchanged block matches
* across the git round-trip and the reconciliation is idempotent. Block identity
* is still preserved in the merged output: `diff3Plan` keeps the LIVE block
* INSTANCE (with its id) for an anchor picks are by index, not by key so the
* stable Yjs block (and any in-flight human edit on it) stays put. This mirrors
* `canonicalize.ts`, which already strips the regenerated block `id` from the
* round-trip idempotency comparison for exactly the same reason.
*
* Known limitation (accepted trade-off of content-based matching): two GENUINELY
* DISTINCT blocks whose content is byte-identical now collapse to the same content
* key, so when git deletes one of the duplicates the LCS may drop the OTHER live
* instance instead. The visible result is identical (one copy removed, one kept),
* but a concurrent in-flight human edit on the dropped instance could be lost.
*/
const VOLATILE_KEY_ATTRS = new Set(['id']);
/**
* The editor (ProseMirror) schema, built ONCE from the same `tiptapExtensions`
* the collaboration server uses to materialize Yjs docs. Memoized: building the
* schema is non-trivial and the block key is computed per block per cycle.
*
* Why the schema (not a hardcoded denylist): the LIVE Yjs document is produced by
* `TiptapTransformer.toYdoc(pm, 'default', tiptapExtensions)`, which STAMPS every
* schema-default attribute onto every node and mark `indent: 0` on every
* paragraph/heading, `image.align: "center"`, the link mark's `internal: false`,
* `highlight.colorName: null`, and so on for youtube/pdf/any future node. A body
* re-imported from git comes through the engine's `markdownToProseMirror`, whose
* schema declares those attrs with DIFFERENT (usually null) defaults; the
* resulting null/absent element attrs are then DROPPED by `y-prosemirror`'s
* toYdoc. So the SAME block carries materialized defaults on the live side and
* nothing on the git side, its key diverges, the three-way merge anchors on
* NOTHING, and the whole body is RE-APPENDED every reconcile cycle an unbounded
* duplication loop with no client connected.
*
* Deriving the defaults from the actual schema normalizes ALL such attributes
* generally (it is not another per-attribute denylist): any attribute whose value
* equals the schema default or is null/undefined is dropped from the key, on
* BOTH element attributes and the mark attributes inside each XmlText delta, so a
* live block compares equal to its git-round-tripped twin and an unchanged resync
* applies zero ops. Genuinely non-default values (a real `indent: 2`, an
* `align: "left"`, a real `link.href`, a real highlight color) are content and
* stay in the key, so real edits still diff and land.
*/
let memoSchema: Schema | null = null;
let memoSchemaTried = false;
function getMergeSchema(): Schema | null {
if (!memoSchemaTried) {
memoSchemaTried = true;
try {
memoSchema = getSchema(tiptapExtensions as any);
} catch {
// Defensive: if the schema can't be built (e.g. a degenerate extension
// set in a unit test that stubs `tiptapExtensions`), fall back to dropping
// only null/undefined attrs. The real server always builds it fine.
memoSchema = null;
}
}
return memoSchema;
}
/** True if `value` is the schema default for `attrName` of `attrSpecs`, or is
* null/undefined (which a git round-trip drops). Such attributes are excluded
* from the comparison key. `attrSpecs` is a ProseMirror node/mark spec attr map
* (`{ [name]: { default } }`); a missing map (unknown node/mark) only drops
* null/undefined. (A non-null value matching an attr declared without a default
* cannot occur `spec.default === value` is then `undefined === value`, false.) */
function isDefaultAttr(
attrSpecs: Record<string, any> | undefined | null,
attrName: string,
value: unknown,
): boolean {
if (value === null || value === undefined) return true;
const spec = attrSpecs?.[attrName];
return !!spec && spec.default === value;
}
/**
* Normalize one XmlText delta op's mark attributes: drop every mark-attr whose
* value equals the mark's schema default (or is null/undefined), so the link
* mark's materialized `internal: false`/`target: "_blank"` and a highlight's
* `colorName: null` no longer diverge from a git round-trip that carries neither.
* The text (op.insert) and genuinely-set mark attrs (a real `href`, a real
* highlight color) are preserved verbatim. `attributes` maps markName -> mark
* attrs object (or `true`/boolean for attr-less marks); each is handled safely.
*/
function normalizeDelta(delta: any[]): any[] {
const schema = getMergeSchema();
return delta.map((op) => {
if (!op || op.attributes == null || typeof op.attributes !== 'object') {
return op;
}
const marks: Record<string, unknown> = {};
for (const markName of Object.keys(op.attributes).sort()) {
const markVal = op.attributes[markName];
if (markVal === null || markVal === undefined) continue;
if (typeof markVal !== 'object') {
// attr-less mark stored as a primitive (e.g. `true`) — keep as-is.
marks[markName] = markVal;
continue;
}
const markSpec = schema?.marks[markName]?.spec.attrs as
| Record<string, any>
| undefined;
const cleaned: Record<string, unknown> = {};
for (const ak of Object.keys(markVal as object).sort()) {
const av = (markVal as Record<string, unknown>)[ak];
if (isDefaultAttr(markSpec, ak, av)) continue;
cleaned[ak] = av;
}
marks[markName] = cleaned;
}
return { ...op, attributes: marks };
});
}
/**
* Canonical, comparable serialization of a Yjs XML node (structure + text +
* marks + attributes), with attribute keys sorted so equal blocks always produce
* an identical string regardless of attribute insertion order. The volatile
* block `id` (see `VOLATILE_KEY_ATTRS`) and every schema-default attribute (see
* `getMergeSchema`) are excluded at every level on element attributes AND on
* the mark attributes inside each XmlText delta so a block compares equal by
* CONTENT across the git round-trip (which materializes neither), keeping the
* merge anchor-able and idempotent.
*/
export function serializeXmlNode(node: unknown): unknown {
if (node instanceof Y.XmlText) {
return { t: normalizeDelta(node.toDelta()) };
}
if (node instanceof Y.XmlElement) {
const attrs = node.getAttributes() as Record<string, unknown>;
const attrSpecs = getMergeSchema()?.nodes[node.nodeName]?.spec.attrs as
| Record<string, any>
| undefined;
const sorted: Record<string, unknown> = {};
for (const k of Object.keys(attrs).sort()) {
if (VOLATILE_KEY_ATTRS.has(k)) continue;
if (isDefaultAttr(attrSpecs, k, attrs[k])) continue;
sorted[k] = attrs[k];
}
return {
n: node.nodeName,
a: sorted,
c: node.toArray().map(serializeXmlNode),
};
}
// XmlHook / unknown: fall back to a stable string so it compares by identity
// of its serialized form (these do not occur in the Docmost block schema).
return { u: String(node) };
}
const key = (node: unknown): string => JSON.stringify(serializeXmlNode(node));
/**
* Deep-clone a detached/owned Yjs XML node into a fresh node that can be inserted
* into ANOTHER document (Yjs types are bound to their doc, so cross-doc moves are
* impossible we rebuild). Preserves nodeName, attributes, text+marks (via the
* XmlText delta) and the full child subtree.
*/
export function cloneXmlNode(node: XmlNode): Y.XmlElement | Y.XmlText {
if (node instanceof Y.XmlText) {
const t = new Y.XmlText();
const delta = node.toDelta();
if (delta.length) t.applyDelta(delta);
return t;
}
if (node instanceof Y.XmlElement) {
const el = new Y.XmlElement(node.nodeName);
const attrs = node.getAttributes() as Record<string, unknown>;
for (const k of Object.keys(attrs)) el.setAttribute(k, attrs[k] as string);
const kids = node.toArray().map((c) => cloneXmlNode(c as XmlNode));
if (kids.length) el.insert(0, kids);
return el;
}
// Best-effort for any other node type (XmlHook — does not occur in the
// Docmost block schema): an empty paragraph so the merge never crashes.
return new Y.XmlElement('paragraph');
}
type Op = { op: 'keep' } | { op: 'del' } | { op: 'ins'; bi: number };
/**
* LCS-based edit script turning sequence `a` (live block keys) into `b` (incoming
* block keys): a run of keep/del/ins ops. O(n*m) table fine for page block
* counts.
*/
export function diffBlocks(a: string[], b: string[]): Op[] {
const n = a.length;
const m = b.length;
const dp = buildLcsTable(a, b);
const ops: Op[] = [];
let i = 0;
let j = 0;
while (i < n && j < m) {
if (a[i] === b[j]) {
ops.push({ op: 'keep' });
i++;
j++;
} else if (dp[i + 1][j] >= dp[i][j + 1]) {
ops.push({ op: 'del' });
i++;
} else {
ops.push({ op: 'ins', bi: j });
j++;
}
}
while (i < n) {
ops.push({ op: 'del' });
i++;
}
while (j < m) {
ops.push({ op: 'ins', bi: j });
j++;
}
return ops;
}
/**
* Merge `target` block children into `live`, mutating `live` in place with the
* minimal set of inserts/deletes. MUST be called inside a Yjs transaction.
* Returns the number of block operations applied (0 == content already identical).
*/
export function mergeXmlFragments(
live: Y.XmlFragment,
target: Y.XmlFragment,
): number {
const liveKids = live.toArray();
const targetKids = target.toArray();
const liveKeys = liveKids.map(key);
const targetKeys = targetKids.map(key);
const ops = diffBlocks(liveKeys, targetKeys);
let cursor = 0; // index into the LIVE fragment as we mutate it
let applied = 0;
for (const op of ops) {
if (op.op === 'keep') {
cursor++;
} else if (op.op === 'del') {
live.delete(cursor, 1); // remove the live block at the cursor; do not advance
applied++;
} else {
live.insert(cursor, [cloneXmlNode(targetKids[op.bi] as XmlNode)]);
cursor++;
applied++;
}
}
return applied;
}
/** Outcome of a 3-way block merge: ops applied + same-block conflict count. */
export interface Merge3WayResult {
/** Number of block insert/delete operations spliced into `live`. */
applied: number;
/**
* Regions where the human AND git rewrote the SAME base block. The rule is
* deterministic (GIT WINS the region), so the human's version of those blocks
* is dropped from the live doc. `conflicts > 0` is the OBSERVABLE signal the
* caller uses to LOG the loss and pin the human baseline to page history (so it
* is recoverable), instead of the edit vanishing silently.
*/
conflicts: number;
}
/**
* THREE-WAY block merge: reconcile `live` toward `target` using `base` (the
* last-synced common ancestor) so a block only the human changed is KEPT and a
* block only git changed is taken instead of git's version always winning
* (review #5). Conflicts (both changed the same block) resolve to git.
*
* Implementation: diff3Plan computes the merged block ORDER (picks from live or
* target); we materialize that as a virtual target fragment and reuse the 2-way
* `mergeXmlFragments` to splice it into `live` minimally (so untouched live block
* instances and their in-flight edits stay put). MUST be called inside a Yjs
* transaction. Returns the number of block operations applied. (Use
* `mergeXmlFragments3WayWithStats` when the SAME-BLOCK conflict count is needed.)
*/
export function mergeXmlFragments3Way(
live: Y.XmlFragment,
target: Y.XmlFragment,
base: Y.XmlFragment,
): number {
return mergeXmlFragments3WayWithStats(live, target, base).applied;
}
/**
* As `mergeXmlFragments3Way`, but also returns the SAME-BLOCK conflict count so
* the caller can make a "git won a concurrent same-block edit" event OBSERVABLE
* (the documented conflict contract: git wins deterministically, but the losing
* human content is never destroyed silently it is logged and recoverable via
* page history).
*/
export function mergeXmlFragments3WayWithStats(
live: Y.XmlFragment,
target: Y.XmlFragment,
base: Y.XmlFragment,
): Merge3WayResult {
const liveKids = live.toArray();
const targetKids = target.toArray();
const liveKeys = liveKids.map(key);
const targetKeys = targetKids.map(key);
const baseKeys = base.toArray().map(key);
const { picks: plan, conflicts } = diff3PlanWithConflicts(
baseKeys,
liveKeys,
targetKeys,
);
// Build the merged block sequence in a throwaway doc, cloning from whichever
// side each pick came from, then 2-way merge it back into the live fragment.
const merged = new Y.Doc();
const mergedFrag = merged.getXmlFragment('default');
const nodes = plan.map((p) =>
cloneXmlNode(
(p.src === 'live' ? liveKids[p.index] : targetKids[p.index]) as XmlNode,
),
);
if (nodes.length) mergedFrag.insert(0, nodes);
return { applied: mergeXmlFragments(live, mergedFrag), conflicts };
}
@@ -0,0 +1,143 @@
import { getSchema } from '@tiptap/core';
import { Schema } from '@tiptap/pm/model';
import { tiptapExtensions } from './collaboration.util';
// The vendored git-sync mirror's extension set. Imported via the subpath the
// server jest config maps to the package SOURCE (moduleNameMapper
// `^@docmost/git-sync/(.*)$`), so this reads the real mirror, not a build.
import { docmostExtensions as gitSyncExtensions } from '@docmost/git-sync/lib/docmost-schema';
/**
* ATTRIBUTE-LEVEL SCHEMA CONTRACT (review #293, variant A).
*
* The document schema exists as three hand-synced copies (editor-ext =
* source-of-truth, plus the git-sync and mcp converter mirrors). The existing
* `schema-editor-ext-contract.test.ts` compares only node/mark TYPE NAMES, so a
* NEW ATTRIBUTE added to an existing node upstream slips through and its value is
* silently dropped on every git-sync round trip. That is a repeatedly-hit
* data-loss class (image caption #221, paragraph alignment #10, details `open`).
*
* This test closes the attribute gap MECHANICALLY: it builds the real canonical
* schema from the server's `tiptapExtensions` (the same set the collab write path
* uses) and the git-sync mirror schema, then asserts that for every node/mark the
* two schemas share, their ATTRIBUTE-KEY sets are equal minus a committed
* allowlist of intentional, understood divergences. A forgotten attribute now
* fails CI loudly instead of losing data in production.
*
* WHY THIS ISN'T THE "fragile attribute compare" the sibling name-level contract
* (`packages/git-sync/test/schema-editor-ext-contract.test.ts`) deferred: that
* concern was about comparing raw extension CONFIGS, where editor-ext spreads
* global attributes (textAlign, id, ) across separate extensions and StarterKit
* contributes types the mirror gets elsewhere. We instead compare the RESOLVED
* ProseMirror `Schema` objects `getSchema()` has already merged every
* addGlobalAttributes spread into concrete per-node attrs on both sides so the
* compare is apples-to-apples (57 shared nodes/marks, only a handful of
* documented divergences) rather than config-shape noise.
*/
/**
* Intentional, understood attribute divergences between the canonical schema and
* the git-sync mirror. Each entry MUST carry a reason. The test asserts the
* allowlist is not stale (every listed attr is actually still divergent), so this
* cannot rot into a silent escape hatch.
*
* Shape: { [nodeOrMarkName]: { canonicalOnly?: string[]; mirrorOnly?: string[] } }
*/
const ALLOWED_DIVERGENCES: Record<
string,
{ canonicalOnly?: string[]; mirrorOnly?: string[] }
> = {
// mirrorOnly: the converter mirror carries `align` on table cells/headers so a
// GFM column-alignment marker (:--, :-:, --:) can be reconstructed on export;
// editor-ext expresses cell alignment differently. Intentional, round-trip-used.
tableCell: { mirrorOnly: ['align'] },
tableHeader: { mirrorOnly: ['align'] },
// youtube: the mirror adds `align` (media alignment it renders as data-align)
// and does NOT carry editor-ext's `start` (video start-time). `start` is a
// PRE-EXISTING gap (a youtube embed's start offset is not preserved across a
// markdown round trip) — documented here so the contract is green for the known
// state and RED for any NEW drift. Follow-up: carry `start` through the mirror.
youtube: { mirrorOnly: ['align'], canonicalOnly: ['start'] },
// image.title: the mirror carries a `title` attr (used to round-trip the
// markdown image title `![alt](src "title")`) that editor-ext does not declare
// on its image node. Mirror-only and round-trip-used, not data loss. Intentional.
image: { mirrorOnly: ['title'] },
// highlight.colorName (a named-color alias alongside the color value) is a
// PRE-EXISTING mirror gap; the color value itself round-trips. Documented.
highlight: { canonicalOnly: ['colorName'] },
};
function attrKeys(schema: Schema): Map<string, Set<string>> {
const out = new Map<string, Set<string>>();
for (const [name, type] of Object.entries(schema.nodes)) {
out.set(name, new Set(Object.keys((type.spec as any).attrs ?? {})));
}
for (const [name, type] of Object.entries(schema.marks)) {
out.set(name, new Set(Object.keys((type.spec as any).attrs ?? {})));
}
return out;
}
function diff(a: Set<string>, b: Set<string>): string[] {
return [...a].filter((x) => !b.has(x)).sort();
}
describe('schema attribute contract: git-sync mirror vs canonical editor-ext', () => {
const canonical = attrKeys(getSchema(tiptapExtensions as never));
const mirror = attrKeys(getSchema(gitSyncExtensions as never));
it('builds meaningful schemas (guard against a vacuous pass)', () => {
expect(canonical.size).toBeGreaterThan(10);
expect(mirror.size).toBeGreaterThan(10);
});
it('every shared node/mark has matching attribute keys (modulo the allowlist)', () => {
const drift: string[] = [];
for (const [name, canonAttrs] of canonical) {
const mirrorAttrs = mirror.get(name);
if (!mirrorAttrs) continue; // name-level gaps are the other test's job
const allow = ALLOWED_DIVERGENCES[name] ?? {};
const canonicalOnly = diff(canonAttrs, mirrorAttrs).filter(
(k) => !(allow.canonicalOnly ?? []).includes(k),
);
const mirrorOnly = diff(mirrorAttrs, canonAttrs).filter(
(k) => !(allow.mirrorOnly ?? []).includes(k),
);
if (canonicalOnly.length) {
drift.push(
`${name}: attrs in editor-ext but MISSING from git-sync mirror ` +
`(silently dropped on round trip): ${canonicalOnly.join(', ')}`,
);
}
if (mirrorOnly.length) {
drift.push(
`${name}: attrs in git-sync mirror but NOT in editor-ext ` +
`(mirror invented an attribute): ${mirrorOnly.join(', ')}`,
);
}
}
expect(drift).toEqual([]);
});
it('the allowlist is not stale (every listed divergence is still real)', () => {
const stale: string[] = [];
for (const [name, allow] of Object.entries(ALLOWED_DIVERGENCES)) {
const canonAttrs = canonical.get(name);
const mirrorAttrs = mirror.get(name);
if (!canonAttrs || !mirrorAttrs) {
stale.push(`${name}: no longer a shared node/mark`);
continue;
}
for (const k of allow.canonicalOnly ?? []) {
if (!(canonAttrs.has(k) && !mirrorAttrs.has(k))) {
stale.push(`${name}.canonicalOnly '${k}' is no longer divergent`);
}
}
for (const k of allow.mirrorOnly ?? []) {
if (!(mirrorAttrs.has(k) && !canonAttrs.has(k))) {
stale.push(`${name}.mirrorOnly '${k}' is no longer divergent`);
}
}
}
expect(stale).toEqual([]);
});
});
@@ -73,6 +73,32 @@ describe('agentSourceFields', () => {
).toEqual({ lastUpdatedSource: 'agent', lastUpdatedAiChatId: null });
});
it("stamps ONLY the source column 'git-sync' (no chat key) for a git-sync write", () => {
// The git-sync data plane (issue #194 §8.1) has no internal ai_chats row, so
// it stamps the *Source column 'git-sync' and OMITS the chat key entirely
// (unlike the agent branch, which also writes aiChatId). Pinned directly here
// because the page.service.spec only exercises it indirectly.
expect(
agentSourceFields(
{ actor: 'git-sync', aiChatId: null },
'lastUpdatedSource',
'lastUpdatedAiChatId',
),
).toEqual({ lastUpdatedSource: 'git-sync' });
});
it("ignores any aiChatId on a git-sync write (chat key never written)", () => {
// Even if a non-null aiChatId is present, the git-sync branch must not emit
// the chat key.
expect(
agentSourceFields(
{ actor: 'git-sync', aiChatId: 'should-be-ignored' },
'createdSource',
'aiChatId',
),
).toEqual({ createdSource: 'git-sync' });
});
it('returns {} for a user write so the column keeps its default', () => {
expect(
agentSourceFields(
@@ -9,6 +9,8 @@ import { ProvenanceSource } from '../../core/auth/dto/jwt-payload';
* cannot fake an 'agent' marker.
*/
export interface AuthProvenanceData {
// ProvenanceSource includes 'git-sync' — set by the in-process git-sync data
// plane (issue #194 §8.1) when it drives PageService writes; never from a request token.
actor: ProvenanceSource;
aiChatId: string | null;
}
@@ -60,6 +62,14 @@ export function agentSourceFields<S extends string, C extends string>(
sourceKey: S,
chatKey: C,
): Partial<Record<S, ProvenanceSource> & Record<C, string | null>> {
// git-sync data-plane write (issue #194 §8.1): stamp the source 'git-sync' with NO
// aiChatId (it has no internal ai_chats row). Mirrors the agent branch; each
// write has a single actor, so precedence is irrelevant here.
if (provenance?.actor === 'git-sync') {
return { [sourceKey]: 'git-sync' } as Partial<
Record<S, ProvenanceSource> & Record<C, string | null>
>;
}
if (provenance?.actor !== 'agent') return {};
return {
[sourceKey]: 'agent',
@@ -0,0 +1,18 @@
/**
* Dynamic ESM import bridge for a CommonJS build.
*
* The server compiles with `module: commonjs`, and TypeScript downlevels a
* literal `import()` expression to `require()` which cannot load an ESM-only
* package (`@docmost/mcp`, `@docmost/git-sync`). Indirecting through `new
* Function` hides the `import()` from the TS downleveler so the REAL dynamic
* `import()` survives to runtime and can load ESM from CommonJS.
*
* This is the single shared copy of that bridge. The per-package typed loaders
* (git-sync.loader.ts, docmost-client.loader.ts, mcp.service.ts) import this and
* keep their own typed `loadX()` wrappers (require.resolve + pathToFileURL +
* memoization) on top.
*/
export const esmImport = new Function(
'specifier',
'return import(specifier)',
) as (specifier: string) => Promise<unknown>;
@@ -0,0 +1,71 @@
import { resolveRequestWorkspace } from './resolve-request-workspace';
// Unit tests for the shared self-hosted/cloud workspace resolver deduplicated out
// of DomainMiddleware + GitHttpService (architecture #11). They must behave
// identically, so this pins the single source of truth.
type AnyMock = jest.Mock;
function build(opts: {
selfHosted: boolean;
first?: { id: string } | null;
byHostname?: { id: string } | null;
}) {
const env = {
isSelfHosted: jest.fn(() => opts.selfHosted),
isCloud: jest.fn(() => !opts.selfHosted),
};
const repo = {
findFirst: jest.fn(async () => opts.first ?? null) as AnyMock,
findByHostname: jest.fn(async () => opts.byHostname ?? null) as AnyMock,
};
return { env, repo };
}
describe('resolveRequestWorkspace', () => {
it('self-hosted: returns the first/default workspace, ignoring the host', async () => {
const { env, repo } = build({ selfHosted: true, first: { id: 'ws-1' } });
const ws = await resolveRequestWorkspace(
env as any,
repo as any,
'anything.example.com',
);
expect(ws).toEqual({ id: 'ws-1' });
expect(repo.findFirst).toHaveBeenCalledTimes(1);
expect(repo.findByHostname).not.toHaveBeenCalled();
});
it('self-hosted: returns null when no workspace is configured', async () => {
const { env, repo } = build({ selfHosted: true, first: null });
expect(await resolveRequestWorkspace(env as any, repo as any, 'h')).toBeNull();
});
it('cloud: resolves by the host-header subdomain', async () => {
const { env, repo } = build({
selfHosted: false,
byHostname: { id: 'ws-acme' },
});
const ws = await resolveRequestWorkspace(
env as any,
repo as any,
'acme.example.com',
);
expect(ws).toEqual({ id: 'ws-acme' });
expect(repo.findByHostname).toHaveBeenCalledWith('acme');
expect(repo.findFirst).not.toHaveBeenCalled();
});
it('cloud: returns null for a blank/missing host (no throw)', async () => {
const { env, repo } = build({ selfHosted: false, byHostname: { id: 'x' } });
expect(await resolveRequestWorkspace(env as any, repo as any, undefined)).toBeNull();
expect(await resolveRequestWorkspace(env as any, repo as any, '')).toBeNull();
expect(repo.findByHostname).not.toHaveBeenCalled();
});
it('cloud: returns null when the subdomain matches no workspace', async () => {
const { env, repo } = build({ selfHosted: false, byHostname: null });
expect(
await resolveRequestWorkspace(env as any, repo as any, 'ghost.example.com'),
).toBeNull();
});
});
@@ -0,0 +1,35 @@
import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
import { Workspace } from '@docmost/db/types/entity.types';
import { EnvironmentService } from '../../integrations/environment/environment.service';
/**
* The ONE canonical way to resolve the workspace for an incoming request:
* - self-hosted (single workspace) -> the first/default workspace;
* - cloud (multi-tenant) -> resolved by the host-header subdomain.
* Returns null when none resolves (no workspace configured, or a blank/unknown
* subdomain on cloud). `isSelfHosted()` is `!isCloud()`, so exactly one branch is
* always taken.
*
* Extracted so the self-hosted/cloud branch is not hand-duplicated. Shared by
* `DomainMiddleware` (the normal /api request path) and `GitHttpService` (the raw
* root-mounted /git smart-HTTP host, which Nest middleware does NOT run for) so
* the two cannot drift.
*
* This helper does NOT catch DB errors callers decide: DomainMiddleware lets a
* throw bubble (as before); GitHttpService wraps it to log + treat as
* unresolvable (-> 404). A blank/missing host on cloud resolves to null rather
* than throwing.
*/
export async function resolveRequestWorkspace(
environmentService: EnvironmentService,
workspaceRepo: WorkspaceRepo,
hostHeader: string | undefined,
): Promise<Workspace | null> {
if (environmentService.isSelfHosted()) {
return (await workspaceRepo.findFirst()) ?? null;
}
// Cloud (isSelfHosted === !isCloud, so this is the only remaining branch).
const subdomain = hostHeader ? hostHeader.split('.')[0] : '';
if (!subdomain) return null;
return (await workspaceRepo.findByHostname(subdomain)) ?? null;
}
@@ -1,7 +1,8 @@
import { Injectable, NestMiddleware, NotFoundException } from '@nestjs/common';
import { Injectable, NestMiddleware } from '@nestjs/common';
import { FastifyRequest, FastifyReply } from 'fastify';
import { EnvironmentService } from '../../integrations/environment/environment.service';
import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
import { resolveRequestWorkspace } from '../helpers/resolve-request-workspace';
@Injectable()
export class DomainMiddleware implements NestMiddleware {
@@ -14,30 +15,19 @@ export class DomainMiddleware implements NestMiddleware {
res: FastifyReply['raw'],
next: () => void,
) {
if (this.environmentService.isSelfHosted()) {
const workspace = await this.workspaceRepo.findFirst();
if (!workspace) {
//throw new NotFoundException('Workspace not found');
(req as any).workspaceId = null;
return next();
}
// TODO: unify
(req as any).workspaceId = workspace.id;
(req as any).workspace = workspace;
} else if (this.environmentService.isCloud()) {
const header = req.headers.host;
const subdomain = header.split('.')[0];
const workspace = await this.workspaceRepo.findByHostname(subdomain);
if (!workspace) {
(req as any).workspaceId = null;
return next();
}
// Shared self-hosted/cloud resolution (the SAME branch the /git host uses),
// so the logic cannot drift between the two.
const workspace = await resolveRequestWorkspace(
this.environmentService,
this.workspaceRepo,
req.headers.host,
);
if (workspace) {
(req as any).workspaceId = workspace.id;
(req as any).workspace = workspace;
} else {
(req as any).workspaceId = null;
}
next();
@@ -303,11 +303,6 @@ describe('buildSystemPrompt page-changed note (#274)', () => {
expect(prompt).toContain(NOTE_MARKER);
expect(prompt).toContain('-old line');
expect(prompt).toContain('+new line');
// Strengthened note (#274): instructs a fresh re-read via getPage and steers
// the agent toward small, targeted edits instead of a full-page overwrite.
expect(prompt).toContain('getPage');
expect(prompt.toLowerCase()).toContain('targeted');
expect(prompt).toContain('editPageText');
// Inside the safety sandwich: the trailing SAFETY block follows the note.
expect(prompt.lastIndexOf(SAFETY_MARKER)).toBeGreaterThan(
prompt.indexOf(NOTE_MARKER),
+5 -11
View File
@@ -85,17 +85,11 @@ const INTERRUPT_NOTE =
const PAGE_CHANGED_NOTE =
'NOTE: The user edited the open page AFTER your last response in this ' +
'conversation, so any copy of that page you produced or remember from earlier ' +
'is now STALE and must not be reused. Before you edit the page, you MUST first ' +
're-read its current content with the getPage tool and base your work on that ' +
'live version — never on your earlier copy or on the transcript. The unified ' +
'diff below shows exactly what the user changed since you last spoke (lines ' +
'starting with "-" were removed, "+" were added) and is the source of truth. ' +
'Preserve every one of the user\'s edits: make the smallest change that ' +
'satisfies the request using the targeted edit tools (editPageText, patchNode, ' +
'insertNode, deleteNode) rather than replacing the whole page, and do not ' +
'revert, drop, or overwrite anything the user changed. If a full rewrite is ' +
'truly unavoidable, start from the current getPage content and carry over all ' +
'of the user\'s edits.';
'is now STALE. The unified diff below shows exactly what changed since you last ' +
'spoke (lines starting with "-" were removed, "+" were added) and is the source ' +
'of truth. Preserve the user\'s edits: build on the current page, do not revert ' +
'or overwrite their changes. If you need the full up-to-date page, re-read it ' +
'with the getPage tool before editing.';
/**
* Sanitize a value interpolated into a prompt XML-ish attribute (e.g.
@@ -356,32 +356,6 @@ describe('flushAssistant', () => {
expect(flushed.toolCalls).not.toBeNull();
expect(flushed.metadata.error).toBe('boom');
});
// #274 observability: the page-change diff the agent saw this turn is persisted
// to metadata.pageChanged when a non-empty diff was injected, and omitted when
// the diff is empty/whitespace or the arg is not supplied.
it('persists metadata.pageChanged when a non-empty diff was injected', () => {
const f = flushAssistant([], '', 'completed', {
pageChanged: { title: 'Doc', diff: '@@ -1 +1 @@\n-old\n+new' },
});
expect(f.metadata.pageChanged).toEqual({
title: 'Doc',
diff: '@@ -1 +1 @@\n-old\n+new',
});
});
it('omits metadata.pageChanged for an empty/whitespace diff or a missing arg', () => {
const whitespace = flushAssistant([], '', 'completed', {
pageChanged: { title: 'Doc', diff: ' \n ' },
});
expect('pageChanged' in whitespace.metadata).toBe(false);
const nullArg = flushAssistant([], '', 'completed', { pageChanged: null });
expect('pageChanged' in nullArg.metadata).toBe(false);
const omitted = flushAssistant([], '', 'streaming');
expect('pageChanged' in omitted.metadata).toBe(false);
});
});
/**
@@ -685,7 +685,7 @@ export class AiChatService implements OnModuleInit {
// no-op (guarded below) so the turn still streams to the user.
let assistantId: string | undefined;
try {
const seed = flushAssistant([], '', 'streaming', { pageChanged });
const seed = flushAssistant([], '', 'streaming');
const seeded = await this.aiChatMessageRepo.insert({
chatId,
workspaceId: workspace.id,
@@ -720,7 +720,7 @@ export class AiChatService implements OnModuleInit {
await this.aiChatMessageRepo.update(
assistantId,
workspace.id,
flushAssistant(capturedSteps, '', 'streaming', { pageChanged }),
flushAssistant(capturedSteps, '', 'streaming'),
{ onlyIfStreaming: true },
);
} catch (err) {
@@ -860,7 +860,6 @@ export class AiChatService implements OnModuleInit {
// resolved from the admin-configured provider settings (in
// closure scope here). Omitted/0 = no limit.
maxContextTokens: resolved?.chatContextWindow,
pageChanged,
}),
);
// Lifecycle: release the external MCP clients leased for this turn.
@@ -912,7 +911,6 @@ export class AiChatService implements OnModuleInit {
await finalizeAssistant(
flushAssistant(capturedSteps, inProgressText, 'error', {
error: errorText,
pageChanged,
}),
);
await closeExternalClients();
@@ -942,9 +940,7 @@ export class AiChatService implements OnModuleInit {
`steps=${steps.length}`,
);
await finalizeAssistant(
flushAssistant(capturedSteps, inProgressText, 'aborted', {
pageChanged,
}),
flushAssistant(capturedSteps, inProgressText, 'aborted'),
);
await closeExternalClients();
// Advance the page snapshot even on abort (#274): an agent edit that
@@ -1510,7 +1506,6 @@ export function flushAssistant(
contextTokens?: number;
maxContextTokens?: number;
error?: string;
pageChanged?: { title: string; diff: string } | null;
},
): AssistantFlush {
const finished = capturedSteps ?? [];
@@ -1543,15 +1538,6 @@ export function flushAssistant(
if (extra?.maxContextTokens)
metadata.maxContextTokens = extra.maxContextTokens;
if (extra?.error) metadata.error = extra.error;
// Persist the page-change diff the agent saw this turn (#274 observability),
// so history / the Markdown export can show what the user changed. Only when
// a non-empty diff was actually injected into the prompt this turn.
if (extra?.pageChanged && extra.pageChanged.diff?.trim().length) {
metadata.pageChanged = {
title: extra.pageChanged.title,
diff: extra.pageChanged.diff,
};
}
return {
content: stepsText + trailing,
@@ -269,168 +269,6 @@ describe('buildChatMarkdown (server) — structure', () => {
expect(md).toContain('**⚠️ Error:** 401: Unauthorized');
});
// #274 observability: an assistant row whose turn started with a user edit to
// the open page carries metadata.pageChanged = { title, diff }; the export
// renders the diff the agent saw, before the message body.
it('renders the persisted page-change diff block for an assistant row', () => {
const md = buildChatMarkdown({
title: 'T',
chatId: 'c',
rows: [
row({
role: 'assistant',
content: 'answer',
metadata: {
pageChanged: { title: 'Doc', diff: '@@ -1 +1 @@\n-old\n+new' },
} as never,
}),
],
});
expect(md).toContain(
'The user edited this page before this turn; the diff the agent saw:',
);
expect(md).toContain('("Doc")');
expect(md).toContain('-old');
expect(md).toContain('+new');
// The diff sits before the message body (chronological: change, then reply).
expect(md.indexOf('-old')).toBeLessThan(md.indexOf('answer'));
});
it('does not render the page-change block when metadata.pageChanged is absent', () => {
const md = buildChatMarkdown({
title: 'T',
chatId: 'c',
rows: [row({ role: 'assistant', content: 'answer' })],
});
expect(md).not.toContain(
'The user edited this page before this turn; the diff the agent saw:',
);
});
// #288 F1/F2: an empty page title must render the BARE heading with no
// `("…")` suffix (the `pc.title ? … : …` false branch).
it('renders the page-change heading with no title suffix when title is empty', () => {
const md = buildChatMarkdown({
title: 'T',
chatId: 'c',
rows: [
row({
role: 'assistant',
content: 'answer',
metadata: {
pageChanged: { title: '', diff: '@@ -1 +1 @@\n-old\n+new' },
} as never,
}),
],
});
// Bare heading, single line, no parenthesized title.
expect(md).toContain(
'> **📝 The user edited this page before this turn; the diff the agent saw:**',
);
expect(md).not.toContain('("');
expect(md).toContain('-old');
});
// #288 F1: the page title is UNTRUSTED cross-user data, so a title carrying a
// newline / backtick / `"` / `<`/`>` must be neutralized by escapeAttr before
// it is interpolated into the `> **…**` blockquote heading — otherwise it
// could break the blockquote onto multiple lines or inject markup/HTML into
// the downloaded .md. escapeAttr strips `<>"` and collapses whitespace runs to
// a single space, so `Ev"il\n> `x` <b>` becomes ``Evil `x` b``.
it('escapes an untrusted page title in the page-change heading', () => {
const md = buildChatMarkdown({
title: 'T',
chatId: 'c',
rows: [
row({
role: 'assistant',
content: 'answer',
metadata: {
pageChanged: {
title: 'Ev"il\n> `x` <b>',
diff: '@@ -1 +1 @@\n-old\n+new',
},
} as never,
}),
],
});
// The heading stays a single blockquote line with the escaped title.
expect(md).toContain(
'> **📝 The user edited this page before this turn; the diff the agent saw: ("Evil `x` b")**',
);
// No raw attribute/markup breakers survived from the title.
expect(md).not.toContain('Ev"il');
expect(md).not.toContain('<b>');
});
// #288 review F1: escapeAttr ALONE is insufficient for this MARKDOWN sink —
// link/image syntax survives it. A cross-user title with `![x](url)` /
// `[phish](url)` must NOT become a working remote image or clickable link in
// the downloaded .md; markdownHeadingSafe backslash-escapes `[`/`]` so both are
// inert. (Non-vacuous: fails against the escapeAttr-only version, which left
// `](https://` intact.)
it('neutralizes markdown link/image syntax in an untrusted page title', () => {
const md = buildChatMarkdown({
title: 'T',
chatId: 'c',
rows: [
row({
role: 'assistant',
content: 'answer',
metadata: {
pageChanged: {
title:
'![x](https://attacker.example/t.png) and [click](https://phish.example)',
diff: '@@ -1 +1 @@\n-old\n+new',
},
} as never,
}),
],
});
// No WORKING image/link syntax survives — the `[…]` sits escaped as `\[…\]`,
// so the unescaped `![x](` image and `[click](` link markers are gone. (We
// deliberately do NOT assert `not.toContain('](https://')`: after escaping the
// literal `\](https://` still contains `](https://` as a raw substring — that
// check would false-fail even though the link is inert.)
expect(md).not.toContain('![x](');
expect(md).not.toContain('[click](');
// The brackets are backslash-escaped, so `[text](url)`/`![text](url)` are inert.
expect(md).toContain('\\[');
expect(md).toContain('\\]');
// The heading stays a SINGLE blockquote line (no newline injected).
const headingLine = md
.split('\n')
.find((l) => l.includes('the diff the agent saw:'));
expect(headingLine).toBeDefined();
expect(headingLine).toContain('\\[x\\]');
expect(headingLine).toContain('\\[click\\]');
});
// #288 internal review Finding 2: a NON-empty title made up entirely of
// escapeAttr breakers (`<>"`) escapes to '' — the ternary must then fall to the
// BARE heading with NO `("…")` suffix. Locks the ternary-on-escaped-value
// behavior (distinct from the empty-string input test above).
it('renders the bare heading for a title that escapes to empty', () => {
const md = buildChatMarkdown({
title: 'T',
chatId: 'c',
rows: [
row({
role: 'assistant',
content: 'answer',
metadata: {
pageChanged: { title: '<>"', diff: '@@ -1 +1 @@\n-old\n+new' },
} as never,
}),
],
});
expect(md).toContain(
'> **📝 The user edited this page before this turn; the diff the agent saw:**',
);
expect(md).not.toContain('("');
expect(md).toContain('-old');
});
it('escapes embedded triple-backtick fences with a longer delimiter', () => {
const md = buildChatMarkdown({
title: 'T',
@@ -15,7 +15,6 @@
*/
import type { AiChatMessage } from '@docmost/db/types/entity.types';
import { escapeAttr } from './ai-chat.prompt';
/** Supported export label languages. Defaults to English. */
export type ExportLang = 'en' | 'ru';
@@ -64,7 +63,6 @@ const LABELS: Record<
tools: Record<string, string>;
ranTool: (name: string) => string;
stillGenerating: string;
pageEditedByUser: string;
}
> = {
en: {
@@ -85,8 +83,6 @@ const LABELS: Record<
ranTool: (name) => `Ran tool ${name}`,
stillGenerating:
'This message is still being generated — the export captured a partial, in-progress response.',
pageEditedByUser:
'The user edited this page before this turn; the diff the agent saw:',
},
ru: {
untitled: 'Без названия',
@@ -106,29 +102,9 @@ const LABELS: Record<
ranTool: (name) => `Выполнил инструмент ${name}`,
stillGenerating:
'Это сообщение всё ещё генерируется — экспорт захватил частичный, незавершённый ответ.',
pageEditedByUser:
'Пользователь изменил страницу перед этим ходом; дифф, который видел агент:',
},
};
/**
* Make an untrusted title safe to interpolate into a Markdown blockquote
* HEADING. escapeAttr() neutralizes the XML/HTML breakers (`<` `>` `"`) and
* collapses whitespace for the PROMPT sink (`page="…"`), but this export sink is
* MARKDOWN link/image syntax survives escapeAttr. So additionally backslash-
* escape `[` and `]`: that disables both `[text](url)` links and `![text](url)`
* images, so a cross-user title like `![x](http://evil)` or `[phish](http://evil)`
* cannot inject a remote (auto-loading) image or a clickable link into the
* downloaded .md disguised as a trusted system annotation. A bare `(url)` with no
* preceding `[]` is inert Markdown, so brackets are the only security-critical
* characters here. (We leave backticks to escapeAttr's whitespace pass a title
* shown as inline code cannot escape the blockquote line or load a resource, so
* it is not a security concern for this sink.)
*/
function markdownHeadingSafe(title: string): string {
return escapeAttr(title).replace(/[[\]]/g, (m) => `\\${m}`);
}
/** True for AI SDK tool parts (static `tool-*` or `dynamic-tool`). */
function isToolPart(type: string): boolean {
return type.startsWith('tool-') || type === 'dynamic-tool';
@@ -232,23 +208,6 @@ function rowParts(row: AiChatMessage): ExportPart[] {
: [{ type: 'text', text: row.content ?? '' }];
}
/** The persisted page-change diff the agent saw this turn (#274), when any. */
function pageChangedOf(
row: AiChatMessage,
): { title: string; diff: string } | undefined {
const meta = (row.metadata ?? {}) as {
pageChanged?: { title?: string; diff?: string };
};
const pc = meta.pageChanged;
if (pc && typeof pc.diff === 'string' && pc.diff.trim().length > 0) {
return {
title: typeof pc.title === 'string' ? pc.title : '',
diff: pc.diff,
};
}
return undefined;
}
/**
* Serialize a chat to a Markdown string from its persisted rows. Source = DB
* ONLY (no live client state). A row whose `status` is still 'streaming' is an
@@ -307,26 +266,6 @@ export function buildChatMarkdown(args: {
blocks.push(`<!-- ${iso} -->`);
}
// Page-change observability (#274): show the diff the agent saw at the start
// of this turn, before its response, so the export reflects the stale-page
// warning the model received.
const pc = pageChangedOf(row);
if (pc) {
// The page title is UNTRUSTED cross-user data (a collaborative page's title
// controllable by another user). escapeAttr() alone (the prompt sink) is
// INSUFFICIENT here: this is a MARKDOWN sink, so we neutralize link/image
// syntax too (backslash-escaping `[`/`]`) before interpolating it into this
// `> **…**` blockquote heading — otherwise `![x](url)` / `[phish](url)` would
// inject a remote image or clickable link into the downloaded .md. An
// all-`<>"` title escapes to empty and correctly falls to the bare heading.
// The diff body is already safe via fence(). (#288 review F1.)
const safeTitle = markdownHeadingSafe(pc.title);
const heading = safeTitle
? `${L.pageEditedByUser} ("${safeTitle}")`
: L.pageEditedByUser;
blocks.push(`> **📝 ${heading}**\n\n${fence(pc.diff, 'diff')}`);
}
blocks.push(...renderMessageParts(rowParts(row), lang));
// A still-'streaming' row is an interrupted/in-progress turn captured by the
@@ -1,4 +1,5 @@
import { pathToFileURL } from 'node:url';
import { esmImport } from '../../../common/helpers/esm-import';
/**
* Minimal structural type for the `DocmostClient` class we consume from the
@@ -240,14 +241,8 @@ interface DocmostMcpModule {
SHARED_TOOL_SPECS: Record<string, SharedToolSpec>;
}
// TS with module:commonjs downlevels a literal `import()` to `require()`, which
// cannot load the ESM-only `@docmost/mcp` package. Indirect through Function so
// the real dynamic `import()` survives compilation and can load ESM from
// CommonJS at runtime (same trick as integrations/mcp/mcp.service.ts).
const esmImport = new Function(
'specifier',
'return import(specifier)',
) as (specifier: string) => Promise<unknown>;
// The CJS->ESM dynamic-import bridge lives in one shared helper
// (common/helpers/esm-import.ts). The typed `loadDocmostMcp()` wrapper stays here.
// Memoize the in-flight/loaded module so the dynamic import runs at most once.
let modulePromise: Promise<DocmostMcpModule> | null = null;
+9 -3
View File
@@ -3,8 +3,12 @@
* from the SIGNED token claim (never a request body), so 'agent' is unspoofable.
* Single source of truth so a typo like 'agnet' can't slip through as a bare
* string (#143 review). Distinct from `ActorType` (auth principal kind).
*
* 'git-sync' marks writes made by the git-sync data plane (issue #194 §8.1). It NEVER
* travels in a user-facing token; it is set in-process on the collab connection
* context by the native datasource, so it cannot be spoofed from a request.
*/
export type ProvenanceSource = 'user' | 'agent';
export type ProvenanceSource = 'user' | 'agent' | 'git-sync';
export enum JwtType {
ACCESS = 'access',
@@ -26,7 +30,8 @@ export type JwtPayload = {
// normal user token (treated as 'user'); set only when the internal agent
// mints a provenance access token so REST writes (create/rename/move page,
// comment create/resolve) record a non-spoofable 'agent' marker (§6.5 / §15
// C3 / §14 N2).
// C3 / §14 N2). (git-sync writes use the in-process actor, not a token — see
// the ProvenanceSource note.)
actor?: ProvenanceSource;
// Nullable: an external MCP agent has no internal ai_chats row, so it carries
// an 'agent' actor with a null aiChatId.
@@ -39,7 +44,8 @@ export type JwtCollabPayload = {
type: 'collab';
// Optional agent-edit provenance, signed into the collab token. Absent for
// the human collab path (treated as 'user'); set only when the internal agent
// mints a provenance collab token (§6.6 / §15 C2).
// mints a provenance collab token (§6.6 / §15 C2). 'git-sync' (in ProvenanceSource)
// is accepted for type-compatibility with the in-process git-sync write path.
actor?: ProvenanceSource;
// Nullable: an external MCP agent has no internal ai_chats row, so it carries
// an 'agent' actor with a null aiChatId.
@@ -1,8 +1,11 @@
import { BadRequestException } from '@nestjs/common';
import { PageService } from './page.service';
import { MovePageDto } from '../dto/move-page.dto';
import { Page } from '@docmost/db/types/entity.types';
import { CreatePageDto } from '../dto/create-page.dto';
import { UpdatePageDto } from '../dto/update-page.dto';
import { Page, User } from '@docmost/db/types/entity.types';
import { DEFAULT_TEMPORARY_NOTE_HOURS } from '../constants/temporary-note.constants';
import { AuthProvenanceData } from '../../../common/decorators/auth-provenance.decorator';
// Direct instantiation with stub deps. The Test.createTestingModule form failed
// to resolve the @InjectKysely()/@InjectQueue() tokens at compile(), and this
@@ -496,4 +499,295 @@ describe('PageService', () => {
expect(db.selectFrom).not.toHaveBeenCalled();
});
});
describe('git-sync provenance stamping (#1)', () => {
const GIT_SYNC: AuthProvenanceData = { actor: 'git-sync', aiChatId: null };
const USER_PROVENANCE: AuthProvenanceData = { actor: 'user', aiChatId: null };
describe('create()', () => {
// Build a service whose insertPage/generalQueue are observable and whose
// nextPagePosition (a DB query) is stubbed, so create() reaches insertPage
// without a real database.
const makeService = () => {
const insertedPage = { id: 'page-1', slugId: 'slug-1' };
const pageRepo = {
insertPage: jest.fn().mockResolvedValue(insertedPage),
};
// add() is fire-and-forget (the service .catch()es it); resolve so no
// unhandled rejection leaks.
const generalQueue = { add: jest.fn().mockResolvedValue(undefined) };
const svc = new PageService(
pageRepo as any, // pageRepo
{} as any, // pagePermissionRepo
{} as any, // attachmentRepo
{} as any, // db
{} as any, // storageService
{} as any, // attachmentQueue
{} as any, // aiQueue
generalQueue as any, // generalQueue
{} as any, // eventEmitter
{} as any, // collaborationGateway
{} as any, // watcherService
{} as any, // transclusionService
);
// nextPagePosition runs a kysely query; stub it so create() never hits
// the db. No DTO content is provided, so parseProsemirrorContent is
// skipped entirely (content/textContent/ydoc stay undefined).
jest.spyOn(svc, 'nextPagePosition').mockResolvedValue('a0');
return { svc, pageRepo };
};
const createDto: CreatePageDto = {
title: 'New page',
spaceId: 'space-1',
} as any;
it("stamps lastUpdatedSource:'git-sync' on the insertPage payload", async () => {
const { svc, pageRepo } = makeService();
await svc.create('user-1', 'ws-1', createDto, GIT_SYNC);
expect(pageRepo.insertPage).toHaveBeenCalledTimes(1);
expect(pageRepo.insertPage).toHaveBeenCalledWith(
expect.objectContaining({ lastUpdatedSource: 'git-sync' }),
);
// git-sync carries no aiChatId (unlike the agent branch).
const payload = pageRepo.insertPage.mock.calls[0][0];
expect(payload.lastUpdatedAiChatId).toBeUndefined();
// The human stays the responsible author.
expect(payload.creatorId).toBe('user-1');
expect(payload.lastUpdatedById).toBe('user-1');
});
it('leaves the source column unset for a plain user create', async () => {
const { svc, pageRepo } = makeService();
await svc.create('user-1', 'ws-1', createDto, USER_PROVENANCE);
const payload = pageRepo.insertPage.mock.calls[0][0];
expect(payload.lastUpdatedSource).toBeUndefined();
});
});
describe('update() (rename)', () => {
const makeService = () => {
const pageRepo = {
updatePage: jest.fn().mockResolvedValue({ numUpdatedRows: 1n }),
// update() re-reads the row at the end to return the refreshed page.
findById: jest.fn().mockResolvedValue({ id: 'page-1' }),
};
const generalQueue = { add: jest.fn().mockResolvedValue(undefined) };
const aiQueue = { add: jest.fn().mockResolvedValue(undefined) };
const svc = new PageService(
pageRepo as any, // pageRepo
{} as any, // pagePermissionRepo
{} as any, // attachmentRepo
{} as any, // db
{} as any, // storageService
{} as any, // attachmentQueue
aiQueue as any, // aiQueue
generalQueue as any, // generalQueue
{} as any, // eventEmitter
{} as any, // collaborationGateway
{} as any, // watcherService
{} as any, // transclusionService
);
return { svc, pageRepo };
};
const page: Page = {
id: 'page-1',
slugId: 'slug-1',
spaceId: 'space-1',
workspaceId: 'ws-1',
title: 'Old title',
icon: null,
parentPageId: null,
contributorIds: [],
} as any;
const user: User = { id: 'user-1' } as any;
it("stamps lastUpdatedSource:'git-sync' on the updatePage payload", async () => {
const { svc, pageRepo } = makeService();
const dto: UpdatePageDto = { title: 'New title' } as any;
await svc.update(page, dto, user, GIT_SYNC);
expect(pageRepo.updatePage).toHaveBeenCalledTimes(1);
const payload = pageRepo.updatePage.mock.calls[0][0];
expect(payload.lastUpdatedSource).toBe('git-sync');
expect(payload.lastUpdatedAiChatId).toBeUndefined();
// The acting user stays the responsible author.
expect(payload.lastUpdatedById).toBe('user-1');
});
it('leaves the source column unset for a plain user rename', async () => {
const { svc, pageRepo } = makeService();
const dto: UpdatePageDto = { title: 'New title' } as any;
await svc.update(page, dto, user, USER_PROVENANCE);
const payload = pageRepo.updatePage.mock.calls[0][0];
expect(payload.lastUpdatedSource).toBeUndefined();
});
});
describe('movePage()', () => {
const SPACE_ID = 'space-1';
const VALID_POSITION = 'a0';
const makeService = () => {
const pageRepo = {
findById: jest.fn().mockResolvedValue({
id: 'dest-parent',
deletedAt: null,
spaceId: SPACE_ID,
}),
updatePage: jest.fn().mockResolvedValue({ numUpdatedRows: 1n }),
};
const eventEmitter = { emit: jest.fn() };
// movePage now runs the cycle-check + UPDATE inside executeTx(this.db),
// i.e. this.db.transaction().execute(fn => fn(trx)). A permissive
// chainable Proxy stands in for the Kysely trx so the per-space
// advisory-lock `sql``.execute(trx)` resolves and updatePage runs.
const trxStub: any = new Proxy(function () {}, {
get: (_t, p) =>
p === 'then'
? undefined
: p === 'execute' || p === 'executeTakeFirst'
? () => Promise.resolve([])
: () => trxStub,
});
const db = {
transaction: () => ({ execute: (fn: any) => fn(trxStub) }),
};
const svc = new PageService(
pageRepo as any, // pageRepo
{} as any, // pagePermissionRepo
{} as any, // attachmentRepo
db as any, // db
{} as any, // storageService
{} as any, // attachmentQueue
{} as any, // aiQueue
{} as any, // generalQueue
eventEmitter as any, // eventEmitter
{} as any, // collaborationGateway
{} as any, // watcherService
{} as any, // transclusionService
);
// No cycle: the destination's ancestor chain does not contain the moved
// page, so movePage reaches updatePage.
jest
.spyOn(svc, 'getPageBreadCrumbs')
.mockResolvedValue([{ id: 'dest-parent' }, { id: 'root' }] as any);
return { svc, pageRepo };
};
const movedPage: Page = {
id: 'page-1',
parentPageId: 'old-parent',
spaceId: SPACE_ID,
workspaceId: 'ws-1',
slugId: 'slug-1',
title: 'Page 1',
icon: null,
} as any;
const dto: MovePageDto = {
pageId: 'page-1',
position: VALID_POSITION,
parentPageId: 'dest-parent',
};
it("stamps lastUpdatedSource:'git-sync' on the updatePage payload", async () => {
const { svc, pageRepo } = makeService();
await svc.movePage(dto, movedPage, GIT_SYNC);
expect(pageRepo.updatePage).toHaveBeenCalledTimes(1);
const payload = pageRepo.updatePage.mock.calls[0][0];
expect(payload.lastUpdatedSource).toBe('git-sync');
expect(payload.lastUpdatedAiChatId).toBeUndefined();
});
it('leaves the source column unset for a plain user move', async () => {
const { svc, pageRepo } = makeService();
await svc.movePage(dto, movedPage, USER_PROVENANCE);
const payload = pageRepo.updatePage.mock.calls[0][0];
expect(payload.lastUpdatedSource).toBeUndefined();
});
});
describe('removePage()', () => {
// removePage forwards a `source` 4th arg to pageRepo.removePage: 'git-sync'
// for a git-sync-driven soft-delete (so the change-listener loop-guard skips
// its own write), undefined otherwise.
const makeService = () => {
const pageRepo = {
removePage: jest.fn().mockResolvedValue(undefined),
};
const svc = new PageService(
pageRepo as any, // pageRepo
{} as any, // pagePermissionRepo
{} as any, // attachmentRepo
{} as any, // db
{} as any, // storageService
{} as any, // attachmentQueue
{} as any, // aiQueue
{} as any, // generalQueue
{} as any, // eventEmitter
{} as any, // collaborationGateway
{} as any, // watcherService
{} as any, // transclusionService
);
return { svc, pageRepo };
};
it("forwards 'git-sync' as the source for a git-sync soft-delete", async () => {
const { svc, pageRepo } = makeService();
await svc.removePage('page-1', 'user-1', 'ws-1', GIT_SYNC);
expect(pageRepo.removePage).toHaveBeenCalledTimes(1);
const [pageId, userId, workspaceId, source] =
pageRepo.removePage.mock.calls[0];
expect(pageId).toBe('page-1');
expect(userId).toBe('user-1');
expect(workspaceId).toBe('ws-1');
expect(source).toBe('git-sync');
});
it('forwards undefined as the source for a plain user delete', async () => {
const { svc, pageRepo } = makeService();
await svc.removePage('page-1', 'user-1', 'ws-1', USER_PROVENANCE);
const [, , , source] = pageRepo.removePage.mock.calls[0];
expect(source).toBeUndefined();
});
it('forwards undefined as the source when no provenance is given', async () => {
const { svc, pageRepo } = makeService();
await svc.removePage('page-1', 'user-1', 'ws-1');
const [, , , source] = pageRepo.removePage.mock.calls[0];
expect(source).toBeUndefined();
});
});
});
});
@@ -948,6 +948,12 @@ export class PageService {
// Optional agent-edit provenance (from the signed access claim). Stamps the
// source marker when the agent moves a page via REST (§6.6 REST path).
provenance?: AuthProvenanceData,
// Optional responsible author. When set (git-sync), the move is ATTRIBUTED
// to that account via `lastUpdatedById` — parity with create/delete/rename,
// which all stamp the service user. A normal user move omits it, leaving
// `lastUpdatedById` untouched (a reparent is not a content edit, so the
// existing author is preserved — unchanged behavior).
actorUserId?: string,
) {
// validate position value by attempting to generate a key
try {
@@ -1017,6 +1023,9 @@ export class PageService {
{
position: dto.position,
parentPageId: parentPageId,
// Attribute a git-initiated move to the service account (parity with
// create/delete/rename). Omitted for normal user moves -> unchanged.
...(actorUserId ? { lastUpdatedById: actorUserId } : {}),
// Agent-edit provenance: annotate the source on an agent move. A
// normal user request leaves the existing source value unchanged.
...agentSourceFields(
@@ -1289,8 +1298,18 @@ export class PageService {
pageId: string,
userId: string,
workspaceId: string,
// Optional provenance. A git-sync-driven soft-delete stamps
// `lastUpdatedSource = 'git-sync'` so the change-listener loop-guard skips
// its own write (mirrors the create/update/move provenance branches above).
provenance?: AuthProvenanceData,
): Promise<void> {
await this.pageRepo.removePage(pageId, userId, workspaceId);
const isGitSync = provenance?.actor === 'git-sync';
await this.pageRepo.removePage(
pageId,
userId,
workspaceId,
isGitSync ? 'git-sync' : undefined,
);
}
private async parseProsemirrorContent(
@@ -15,4 +15,12 @@ export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
@IsOptional()
@IsBoolean()
allowViewerComments: boolean;
@IsOptional()
@IsBoolean()
gitSyncEnabled?: boolean;
@IsOptional()
@IsBoolean()
autoMergeConflicts?: boolean;
}
@@ -22,4 +22,199 @@ describe('SpaceService', () => {
it('should be defined', () => {
expect(service).toBeDefined();
});
describe('updateSpace gitSyncEnabled', () => {
const workspaceId = 'ws-1';
const spaceId = 'space-1';
// executeTx runs the callback immediately with a passthrough trx so the
// repo calls happen inline; mirrors how the sibling sharing/comments flags
// are persisted.
const buildService = (settingsBefore: Record<string, any>) => {
const spaceRepo = {
findById: jest.fn().mockResolvedValue({
id: spaceId,
name: 'Space',
slug: 'space',
description: '',
settings: settingsBefore,
}),
updateGitSyncSettings: jest.fn().mockResolvedValue({}),
updateSharingSettings: jest.fn().mockResolvedValue({}),
updateCommentSettings: jest.fn().mockResolvedValue({}),
updateSpace: jest
.fn()
.mockResolvedValue({ id: spaceId, name: 'Space', slug: 'space' }),
slugExists: jest.fn().mockResolvedValue(false),
};
const auditService = { log: jest.fn() };
const svc = new SpaceService(
spaceRepo as any,
{} as any, // spaceMemberService
{} as any, // shareRepo
{} as any, // workspaceRepo
{} as any, // licenseCheckService
{} as any, // db
{} as any, // attachmentQueue
auditService as any,
);
// executeTx is invoked via the imported helper; patch it on the module.
jest
.spyOn(require('@docmost/db/utils'), 'executeTx')
.mockImplementation(async (_db: any, cb: any) => cb({} as any));
return { svc, spaceRepo, auditService };
};
it('persists gitSyncEnabled via updateGitSyncSettings(enabled)', async () => {
const { svc, spaceRepo } = buildService({});
await svc.updateSpace(
{ spaceId, gitSyncEnabled: true } as any,
workspaceId,
);
expect(spaceRepo.updateGitSyncSettings).toHaveBeenCalledWith(
spaceId,
workspaceId,
'enabled',
true,
expect.anything(),
);
});
it('does not call updateGitSyncSettings when flag is undefined', async () => {
const { svc, spaceRepo } = buildService({});
await svc.updateSpace({ spaceId } as any, workspaceId);
expect(spaceRepo.updateGitSyncSettings).not.toHaveBeenCalled();
});
// --- audit delta on the git-sync toggle (test-strategy Module 4 / item #5)
// updateSpace builds a before/after delta only when a flag's value actually
// changes, and only logs an audit event when that delta is non-empty. These
// assert that contract specifically for gitSyncEnabled.
it('writes a SPACE_UPDATED audit delta on a REAL gitSyncEnabled change (false -> true)', async () => {
// Prior persisted state: gitSync.enabled = false; the request flips it on.
const { svc, auditService } = buildService({ gitSync: { enabled: false } });
await svc.updateSpace(
{ spaceId, gitSyncEnabled: true } as any,
workspaceId,
);
expect(auditService.log).toHaveBeenCalledTimes(1);
expect(auditService.log).toHaveBeenCalledWith(
expect.objectContaining({
resourceId: spaceId,
spaceId,
changes: {
before: expect.objectContaining({ gitSyncEnabled: false }),
after: expect.objectContaining({ gitSyncEnabled: true }),
},
}),
);
});
it('also records the delta when no prior gitSync settings exist (undefined -> true defaults prev to false)', async () => {
// No gitSync key at all: prev resolves to the `?? false` default, so
// enabling it is still a real change and is audited.
const { svc, auditService } = buildService({});
await svc.updateSpace(
{ spaceId, gitSyncEnabled: true } as any,
workspaceId,
);
expect(auditService.log).toHaveBeenCalledTimes(1);
const call = auditService.log.mock.calls[0][0];
expect(call.changes.before.gitSyncEnabled).toBe(false);
expect(call.changes.after.gitSyncEnabled).toBe(true);
});
it('does NOT write an audit delta on a no-op gitSyncEnabled (same value true -> true)', async () => {
// Prior persisted state already true; the request sets the same value.
// updateGitSyncSettings still runs (idempotent persist), but nothing is
// added to the before/after delta, so no audit event is emitted.
const { svc, spaceRepo, auditService } = buildService({
gitSync: { enabled: true },
});
await svc.updateSpace(
{ spaceId, gitSyncEnabled: true } as any,
workspaceId,
);
expect(spaceRepo.updateGitSyncSettings).toHaveBeenCalledTimes(1);
expect(auditService.log).not.toHaveBeenCalled();
});
// --- autoMergeConflicts: a SECOND key in the SAME `gitSync` jsonb object,
// persisted the same way as `enabled` (the repo's jsonb-merge keeps siblings).
it('persists autoMergeConflicts via updateGitSyncSettings(autoMergeConflicts)', async () => {
const { svc, spaceRepo } = buildService({});
await svc.updateSpace(
{ spaceId, autoMergeConflicts: true } as any,
workspaceId,
);
expect(spaceRepo.updateGitSyncSettings).toHaveBeenCalledWith(
spaceId,
workspaceId,
'autoMergeConflicts',
true,
expect.anything(),
);
});
it('does not call updateGitSyncSettings when autoMergeConflicts is undefined', async () => {
const { svc, spaceRepo } = buildService({});
await svc.updateSpace({ spaceId } as any, workspaceId);
expect(spaceRepo.updateGitSyncSettings).not.toHaveBeenCalled();
});
it('writes a SPACE_UPDATED audit delta on a REAL autoMergeConflicts change (false -> true)', async () => {
// Prior persisted state: gitSync.autoMergeConflicts = false; flip it on.
const { svc, auditService } = buildService({
gitSync: { autoMergeConflicts: false },
});
await svc.updateSpace(
{ spaceId, autoMergeConflicts: true } as any,
workspaceId,
);
expect(auditService.log).toHaveBeenCalledTimes(1);
expect(auditService.log).toHaveBeenCalledWith(
expect.objectContaining({
resourceId: spaceId,
spaceId,
changes: {
before: expect.objectContaining({ autoMergeConflicts: false }),
after: expect.objectContaining({ autoMergeConflicts: true }),
},
}),
);
});
it('does NOT write an audit delta on a no-op autoMergeConflicts (same value true -> true)', async () => {
const { svc, spaceRepo, auditService } = buildService({
gitSync: { autoMergeConflicts: true },
});
await svc.updateSpace(
{ spaceId, autoMergeConflicts: true } as any,
workspaceId,
);
expect(spaceRepo.updateGitSyncSettings).toHaveBeenCalledTimes(1);
expect(auditService.log).not.toHaveBeenCalled();
});
});
});
@@ -213,6 +213,41 @@ export class SpaceService {
);
}
if (typeof updateSpaceDto.gitSyncEnabled !== 'undefined') {
const prev = settingsBefore?.gitSync?.enabled ?? false;
if (prev !== updateSpaceDto.gitSyncEnabled) {
before.gitSyncEnabled = prev;
after.gitSyncEnabled = updateSpaceDto.gitSyncEnabled;
}
await this.spaceRepo.updateGitSyncSettings(
updateSpaceDto.spaceId,
workspaceId,
'enabled',
updateSpaceDto.gitSyncEnabled,
trx,
);
}
if (typeof updateSpaceDto.autoMergeConflicts !== 'undefined') {
const prev = settingsBefore?.gitSync?.autoMergeConflicts ?? false;
if (prev !== updateSpaceDto.autoMergeConflicts) {
before.autoMergeConflicts = prev;
after.autoMergeConflicts = updateSpaceDto.autoMergeConflicts;
}
// Merges into the SAME `gitSync` jsonb object as `enabled` (the repo's
// jsonb-merge preserves sibling keys), so toggling one never clobbers the
// other.
await this.spaceRepo.updateGitSyncSettings(
updateSpaceDto.spaceId,
workspaceId,
'autoMergeConflicts',
updateSpaceDto.autoMergeConflicts,
trx,
);
}
updatedSpace = await this.spaceRepo.updateSpace(
{
name: updateSpaceDto.name,
@@ -0,0 +1,157 @@
import {
Kysely,
CamelCasePlugin,
DummyDriver,
PostgresAdapter,
PostgresIntrospector,
PostgresQueryCompiler,
CompiledQuery,
} from 'kysely';
import { PageRepo } from './page.repo';
import type { KyselyDB } from '../../types/kysely.types';
/**
* SQL-builder unit test for the git-sync provenance stamp on PageRepo's
* soft-delete / restore paths (PR #119 review). Both `removePage` and
* `restorePage` take an optional `lastUpdatedSource` arg and conditionally fold
* it into the recursive-subtree `UPDATE pages SET ...` via
* `...(lastUpdatedSource ? { lastUpdatedSource } : {})`. The change-listener
* loop-guard reads `last_updated_source = 'git-sync'` to recognize git-sync's own
* writes and skip the echo cycle; this test guards that the stamp is present when
* the arg is supplied and ABSENT when it is omitted (an ordinary user delete must
* not clobber the column).
*
* Harness: the same compile-only Kysely/DummyDriver pattern as
* space.repo.spec.ts, plus the production `CamelCasePlugin` (so the compiled SQL
* carries the real snake_case column names, e.g. `last_updated_source`) and a
* thin driver that returns ONE fixed row for every query. The fixed row is what
* lets the repo's guard reads (root snapshot / recursive descendants / restore
* target) resolve non-empty so execution reaches the subtree UPDATE we assert on
* a bare DummyDriver returns no rows and both methods short-circuit before the
* update. We never hit a real database; we capture each compiled statement via
* Kysely's `log` hook and inspect the `update "pages" set ...` SQL.
*/
describe('PageRepo — git-sync provenance on soft-delete / restore SQL', () => {
// A single row shaped to satisfy every column the repo reads off its guard
// queries. `parentPageId: null` keeps restorePage on the simple path (no
// parent-detach UPDATE), so the only `update "pages"` statement is the one we
// assert on.
const FIXED_ROW = {
id: 'p1',
slugId: 's1',
title: 'Doc',
icon: null,
position: 'a0',
spaceId: 'space-1',
parentPageId: null,
deletedAt: null,
};
class FixedRowDriver extends DummyDriver {
async acquireConnection(): Promise<any> {
return {
async executeQuery() {
return { rows: [{ ...FIXED_ROW }] };
},
// eslint-disable-next-line @typescript-eslint/no-empty-function
async *streamQuery() {},
};
}
}
interface Captured {
sql: string;
parameters: readonly unknown[];
}
// Compile-only Kysely on the Postgres dialect (CamelCasePlugin for real column
// names) whose `log` hook records every executed statement's compiled SQL.
function makeRepoCapturingSql() {
const captured: Captured[] = [];
const db = new Kysely<any>({
dialect: {
createAdapter: () => new PostgresAdapter(),
createDriver: () => new FixedRowDriver(),
createIntrospector: (d) => new PostgresIntrospector(d),
createQueryCompiler: () => new PostgresQueryCompiler(),
},
plugins: [new CamelCasePlugin()],
log: (event) => {
if (event.level === 'query') {
const q = event.query as CompiledQuery;
captured.push({ sql: q.sql, parameters: q.parameters });
}
},
});
const repo = new PageRepo(
db as unknown as KyselyDB,
{} as any,
{ emit: jest.fn() } as any,
);
// Find the single subtree UPDATE on pages (collapse whitespace for matching).
const getUpdatePagesSql = (): Captured | undefined =>
captured
.map((c) => ({ ...c, sql: c.sql.replace(/\s+/g, ' ') }))
.find((c) => /update "pages" set/i.test(c.sql));
return { repo, getUpdatePagesSql };
}
describe('removePage', () => {
it("stamps last_updated_source = 'git-sync' on the subtree soft-delete when the provenance arg is supplied", async () => {
const { repo, getUpdatePagesSql } = makeRepoCapturingSql();
await repo.removePage('p1', 'user-1', 'ws-1', 'git-sync');
const update = getUpdatePagesSql();
expect(update).toBeDefined();
// The provenance column is in the UPDATE's SET clause...
expect(update!.sql).toContain('"last_updated_source" =');
// ...with the 'git-sync' marker as the bound value.
expect(update!.parameters).toContain('git-sync');
// Sanity: it is still the soft-delete UPDATE (sets deleted_at too).
expect(update!.sql).toContain('"deleted_at" =');
});
it('OMITS last_updated_source from the soft-delete when the provenance arg is undefined', async () => {
const { repo, getUpdatePagesSql } = makeRepoCapturingSql();
await repo.removePage('p1', 'user-1', 'ws-1');
const update = getUpdatePagesSql();
expect(update).toBeDefined();
// Ordinary user delete: the column must NOT be touched (keeps prior value).
expect(update!.sql).not.toContain('last_updated_source');
expect(update!.parameters).not.toContain('git-sync');
// It is still the soft-delete UPDATE.
expect(update!.sql).toContain('"deleted_at" =');
});
});
describe('restorePage', () => {
it("stamps last_updated_source = 'git-sync' on the subtree restore when the provenance arg is supplied", async () => {
const { repo, getUpdatePagesSql } = makeRepoCapturingSql();
await repo.restorePage('p1', 'ws-1', 'git-sync');
const update = getUpdatePagesSql();
expect(update).toBeDefined();
expect(update!.sql).toContain('"last_updated_source" =');
expect(update!.parameters).toContain('git-sync');
// Sanity: it is the restore UPDATE (clears deleted_at).
expect(update!.sql).toContain('"deleted_at" =');
});
it('OMITS last_updated_source from the restore when the provenance arg is undefined', async () => {
const { repo, getUpdatePagesSql } = makeRepoCapturingSql();
await repo.restorePage('p1', 'ws-1');
const update = getUpdatePagesSql();
expect(update).toBeDefined();
expect(update!.sql).not.toContain('last_updated_source');
expect(update!.parameters).not.toContain('git-sync');
expect(update!.sql).toContain('"deleted_at" =');
});
});
});
@@ -349,6 +349,11 @@ export class PageRepo {
pageId: string,
deletedById: string,
workspaceId: string,
// Optional provenance marker. When the soft-delete is driven by an automated
// data plane (e.g. git-sync), stamp `lastUpdatedSource` so the change-listener
// loop-guard recognizes it as its own write and does not schedule an echo
// cycle. Omitted for ordinary user deletes (column keeps its prior value).
lastUpdatedSource?: string,
): Promise<void> {
const currentDate = new Date();
@@ -399,6 +404,7 @@ export class PageRepo {
.set({
deletedById: deletedById,
deletedAt: currentDate,
...(lastUpdatedSource ? { lastUpdatedSource } : {}),
})
.where('id', 'in', pageIds)
.where('deletedAt', 'is', null)
@@ -429,7 +435,14 @@ export class PageRepo {
}
}
async restorePage(pageId: string, workspaceId: string): Promise<void> {
async restorePage(
pageId: string,
workspaceId: string,
// See removePage: stamp `lastUpdatedSource` for automated (git-sync) restores
// so the change-listener loop-guard skips the echo cycle. Omitted for
// ordinary user restores.
lastUpdatedSource?: string,
): Promise<void> {
// First, check if the page being restored has a deleted parent
const pageToRestore = await this.db
.selectFrom('pages')
@@ -480,7 +493,12 @@ export class PageRepo {
// On restore, disarm the death timer: pulling a note out of trash means
// "keep it". Otherwise a deadline now in the past would re-trash it on the
// next cleanup sweep.
.set({ deletedById: null, deletedAt: null, temporaryExpiresAt: null })
.set({
deletedById: null,
deletedAt: null,
temporaryExpiresAt: null,
...(lastUpdatedSource ? { lastUpdatedSource } : {}),
})
.where('id', 'in', pageIds)
.execute();
@@ -0,0 +1,146 @@
import {
Kysely,
DummyDriver,
PostgresAdapter,
PostgresIntrospector,
PostgresQueryCompiler,
CompiledQuery,
} from 'kysely';
import { SpaceRepo } from './space.repo';
import type { KyselyDB } from '../../types/kysely.types';
/**
* SQL-builder unit test for the jsonb-merge invariant of
* SpaceRepo.updateGitSyncSettings (review comment #694 / test-strategy item #6).
*
* The merge is RAW SQL, so a behavioural test would need a live Postgres which
* is intentionally out of scope here (the reviewer's own §13.3 was deferred for
* the same reason). Instead we follow the existing repo-spec convention
* (ai-agent-roles.repo.spec.ts) of NOT executing: we compile the query with a
* DummyDriver Postgres dialect and assert the generated SQL preserves sibling
* keys. The structural invariant the SQL must encode:
*
* settings := COALESCE(settings, '{}') || jsonb_build_object('gitSync', ...)
* gitSync := COALESCE(settings->'gitSync', '{}') || jsonb_build_object(key, value)
*
* The OUTER `||` merges into the existing top-level `settings`, so a sibling
* top-level key (e.g. `sharing`) is preserved. The INNER COALESCE merges into
* the existing `gitSync` object, so a sibling key inside gitSync (e.g. `other`)
* is preserved. A naive `set settings = jsonb_build_object('gitSync', ...)`
* would clobber both this test guards exactly that regression.
*/
describe('SpaceRepo.updateGitSyncSettings — jsonb merge SQL', () => {
// A real Kysely on the Postgres dialect, but with a DummyDriver: it compiles
// queries to real Postgres SQL without ever opening a connection.
function makeCompileOnlyDb() {
return new Kysely<any>({
dialect: {
createAdapter: () => new PostgresAdapter(),
createDriver: () => new DummyDriver(),
createIntrospector: (db) => new PostgresIntrospector(db),
createQueryCompiler: () => new PostgresQueryCompiler(),
},
});
}
// Build the repo over the compile-only db. The repo terminates the query with
// `.executeTakeFirst()`, so we wrap every kysely builder in a Proxy: when the
// repo finally calls `executeTakeFirst`, we `.compile()` that same builder
// ourselves to capture the exact SQL it was about to run, then delegate.
function makeRepoCapturingSql() {
const db = makeCompileOnlyDb();
let captured: CompiledQuery | undefined;
// kysely builders are immutable — each .set()/.where()/.returningAll()
// returns a NEW builder — so re-wrap any chainable result.
const wrap = (b: any): any =>
new Proxy(b, {
get(target, prop, receiver) {
const value = Reflect.get(target, prop, receiver);
if (typeof value !== 'function') return value;
return (...callArgs: unknown[]) => {
// Capture the SQL at the terminal execute call.
if (
(prop === 'executeTakeFirst' || prop === 'execute') &&
typeof target.compile === 'function'
) {
captured = target.compile();
}
const result = value.apply(target, callArgs);
if (
result &&
typeof result === 'object' &&
typeof (result as any).compile === 'function'
) {
return wrap(result);
}
return result;
};
},
});
const originalUpdateTable = db.updateTable.bind(db);
jest
.spyOn(db, 'updateTable')
.mockImplementation((...args: Parameters<typeof originalUpdateTable>) =>
wrap(originalUpdateTable(...args)),
);
const repo = new SpaceRepo(db as unknown as KyselyDB, {} as any);
return { repo, getCaptured: () => captured };
}
it("compiles a jsonb merge that preserves sibling top-level and gitSync keys", async () => {
const { repo, getCaptured } = makeRepoCapturingSql();
// DummyDriver yields no rows; executeTakeFirst resolves to undefined. The
// SQL is fully compiled by then, which is all we assert.
await repo.updateGitSyncSettings('space-1', 'ws-1', 'enabled', true);
const compiled = getCaptured();
expect(compiled).toBeDefined();
// The raw SQL template carries newlines/indentation; collapse whitespace so
// the structural assertions are not coupled to source formatting.
const sql = compiled!.sql.replace(/\s+/g, ' ');
// OUTER merge into the existing settings object -> sibling top-level keys
// (e.g. `sharing`) survive (NOT a bare jsonb_build_object assignment).
expect(sql).toContain(`set "settings" = COALESCE(settings, '{}'::jsonb) ||`);
// INNER merge into the existing gitSync object -> sibling gitSync keys
// (e.g. `other`) survive.
expect(sql).toContain(
`jsonb_build_object('gitSync', COALESCE(settings->'gitSync', '{}'::jsonb) ||`,
);
// The pref key is set via jsonb_build_object on the inner object, with the
// key as a BOUND, ::text-cast PARAMETER (not sql.raw) — security fix #5.
expect(sql).toMatch(/jsonb_build_object\(\$\d+::text,/);
// Scoped to the row + workspace.
expect(sql).toContain(`where "id" =`);
expect(sql).toContain(`and "workspaceId" =`);
// Sanity: this is NOT a clobbering assignment (no top-level
// `set "settings" = jsonb_build_object(` without the COALESCE/merge).
expect(sql).not.toContain(`set "settings" = jsonb_build_object(`);
// The pref VALUE stays inlined via sql.lit, but the KEY is now a bound
// parameter, so id + workspaceId + the key are all bound (updatedAt is a Date).
expect(compiled!.parameters).toContain('space-1');
expect(compiled!.parameters).toContain('ws-1');
expect(compiled!.parameters).toContain('enabled');
});
it('binds the prefKey as a ::text parameter (no sql.raw splice) and inlines prefValue via sql.lit', async () => {
const { repo, getCaptured } = makeRepoCapturingSql();
await repo.updateGitSyncSettings('space-1', 'ws-1', 'enabled', false);
const compiled = getCaptured()!;
const sql = compiled.sql.replace(/\s+/g, ' ');
// The key is a bound `$N::text` parameter; the value is the sql.lit literal.
expect(sql).toMatch(/jsonb_build_object\(\$\d+::text, false\)/);
// The literal key must NOT be spliced into the statement text (the footgun).
expect(sql).not.toContain(`'enabled'`);
// The key rides as a bound parameter instead.
expect(compiled.parameters).toContain('enabled');
});
});
@@ -111,6 +111,34 @@ export class SpaceRepo {
.executeTakeFirst();
}
async updateGitSyncSettings(
spaceId: string,
workspaceId: string,
prefKey: string,
prefValue: string | boolean,
trx?: KyselyTransaction,
) {
const db = dbOrTx(this.db, trx);
return db
.updateTable('spaces')
.set({
// The jsonb key is a BOUND PARAMETER (`${prefKey}::text`), not
// `sql.raw(prefKey)`. The callers here only ever pass the literals
// 'enabled' / 'autoMergeConflicts', but sql.raw would splice the string
// straight into the statement — a latent SQL-injection footgun the moment
// a future caller passes a request-derived key. Parameterizing closes it
// with no behaviour change for the current literal callers.
settings: sql`COALESCE(settings, '{}'::jsonb)
|| jsonb_build_object('gitSync', COALESCE(settings->'gitSync', '{}'::jsonb)
|| jsonb_build_object(${prefKey}::text, ${sql.lit(prefValue)}))`,
updatedAt: new Date(),
})
.where('id', '=', spaceId)
.where('workspaceId', '=', workspaceId)
.returningAll()
.executeTakeFirst();
}
async updateCommentSettings(
spaceId: string,
workspaceId: string,
@@ -15,6 +15,164 @@ describe('EnvironmentService', () => {
expect(service).toBeDefined();
});
describe('getGitSyncPollIntervalMs', () => {
const withEnv = (value?: string) =>
new EnvironmentService({
get: (_key: string, fallback?: string) => value ?? fallback,
} as any);
it('defaults to 15000 when unset', () => {
expect(withEnv().getGitSyncPollIntervalMs()).toBe(15000);
});
it('parses a valid positive int', () => {
expect(withEnv('30000').getGitSyncPollIntervalMs()).toBe(30000);
});
it('falls back to 15000 for non-positive or unparseable values', () => {
expect(withEnv('0').getGitSyncPollIntervalMs()).toBe(15000);
expect(withEnv('-100').getGitSyncPollIntervalMs()).toBe(15000);
expect(withEnv('not-a-number').getGitSyncPollIntervalMs()).toBe(15000);
});
});
describe('getGitSyncDebounceMs', () => {
const withEnv = (value?: string) =>
new EnvironmentService({
get: (_key: string, fallback?: string) => value ?? fallback,
} as any);
it('defaults to 2000 when unset', () => {
expect(withEnv().getGitSyncDebounceMs()).toBe(2000);
});
it('parses a valid positive int', () => {
expect(withEnv('500').getGitSyncDebounceMs()).toBe(500);
});
it('falls back to 2000 for non-positive or unparseable values', () => {
expect(withEnv('0').getGitSyncDebounceMs()).toBe(2000);
expect(withEnv('-5').getGitSyncDebounceMs()).toBe(2000);
expect(withEnv('not-a-number').getGitSyncDebounceMs()).toBe(2000);
});
});
// getGitSyncDataDir reads two distinct keys (GIT_SYNC_DATA_DIR and DATA_DIR),
// so this builder maps each key to a supplied value (and honours the fallback
// the getter passes for DATA_DIR's `|| './data'`).
describe('getGitSyncDataDir', () => {
const withEnv = (values: Record<string, string | undefined>) =>
new EnvironmentService({
get: (key: string, fallback?: string) => values[key] ?? fallback,
} as any);
it("defaults to './data/git-sync' when neither key is set", () => {
expect(withEnv({}).getGitSyncDataDir()).toBe('./data/git-sync');
});
it('derives from DATA_DIR with the /git-sync suffix', () => {
expect(
withEnv({ DATA_DIR: '/var/lib/docmost' }).getGitSyncDataDir(),
).toBe('/var/lib/docmost/git-sync');
});
it('strips trailing slashes from DATA_DIR before appending', () => {
expect(
withEnv({ DATA_DIR: '/var/lib/docmost///' }).getGitSyncDataDir(),
).toBe('/var/lib/docmost/git-sync');
});
it('lets an explicit GIT_SYNC_DATA_DIR override the DATA_DIR derivation', () => {
expect(
withEnv({
GIT_SYNC_DATA_DIR: '/custom/vault',
DATA_DIR: '/var/lib/docmost',
}).getGitSyncDataDir(),
).toBe('/custom/vault');
});
it('returns the explicit override verbatim (no /git-sync suffix, no slash strip)', () => {
expect(
withEnv({ GIT_SYNC_DATA_DIR: '/custom/vault/' }).getGitSyncDataDir(),
).toBe('/custom/vault/');
});
});
// isGitSyncEnabled is the `.toLowerCase() === 'true'` contract: only a
// case-insensitive "true" enables it; everything else (unset, "false",
// garbage) is false.
describe('isGitSyncEnabled', () => {
const withEnv = (value?: string) =>
new EnvironmentService({
get: (_key: string, fallback?: string) => value ?? fallback,
} as any);
it('is true for "true" and "TRUE" (case-insensitive)', () => {
expect(withEnv('true').isGitSyncEnabled()).toBe(true);
expect(withEnv('TRUE').isGitSyncEnabled()).toBe(true);
});
it('is false when unset (defaults to "false")', () => {
expect(withEnv().isGitSyncEnabled()).toBe(false);
});
it('is false for "false" and garbage values', () => {
expect(withEnv('false').isGitSyncEnabled()).toBe(false);
expect(withEnv('maybe').isGitSyncEnabled()).toBe(false);
expect(withEnv('1').isGitSyncEnabled()).toBe(false);
});
});
// isGitSyncHttpEnabled is the master gate of the /git smart-HTTP trust boundary.
// When GIT_SYNC_HTTP_ENABLED is UNSET it FALLS BACK to isGitSyncEnabled(); when
// set it is honored verbatim ('true' -> on, anything else -> off). The fallback
// (default) branch is what these tests pin.
describe('isGitSyncHttpEnabled', () => {
const withEnv = (values: Record<string, string | undefined>) =>
new EnvironmentService({
get: (key: string, fallback?: string) => values[key] ?? fallback,
} as any);
it('DEFAULT branch: unset -> falls back to isGitSyncEnabled() === true', () => {
expect(
withEnv({ GIT_SYNC_ENABLED: 'true' }).isGitSyncHttpEnabled(),
).toBe(true);
});
it('DEFAULT branch: unset -> falls back to isGitSyncEnabled() === false', () => {
// Neither key set: the fallback resolves to isGitSyncEnabled() which is
// false by default.
expect(withEnv({}).isGitSyncHttpEnabled()).toBe(false);
expect(
withEnv({ GIT_SYNC_ENABLED: 'false' }).isGitSyncHttpEnabled(),
).toBe(false);
});
it('explicit "true" enables the host regardless of GIT_SYNC_ENABLED', () => {
expect(
withEnv({
GIT_SYNC_HTTP_ENABLED: 'true',
GIT_SYNC_ENABLED: 'false',
}).isGitSyncHttpEnabled(),
).toBe(true);
});
it('explicit non-"true" disables the host even when sync is enabled', () => {
expect(
withEnv({
GIT_SYNC_HTTP_ENABLED: 'false',
GIT_SYNC_ENABLED: 'true',
}).isGitSyncHttpEnabled(),
).toBe(false);
expect(
withEnv({
GIT_SYNC_HTTP_ENABLED: 'maybe',
GIT_SYNC_ENABLED: 'true',
}).isGitSyncHttpEnabled(),
).toBe(false);
});
});
describe('getSandboxTtlMs', () => {
// ConfigService stub: get(key, def) returns the configured value for the key
// (falling back to def), matching the @nestjs/config contract the service
@@ -339,6 +339,99 @@ export class EnvironmentService {
.filter(Boolean);
}
// --- git-sync (issue #194 §7.2) -------------------------------------------------
/** Global master switch for the git-sync control plane (default false). */
isGitSyncEnabled(): boolean {
return (
this.configService.get<string>('GIT_SYNC_ENABLED', 'false').toLowerCase() ===
'true'
);
}
/**
* Whether gitmost serves the per-space vaults over smart-HTTP (the /git host).
* When GIT_SYNC_HTTP_ENABLED is UNSET it DEFAULTS to isGitSyncEnabled() so
* enabling sync also enables the host unless explicitly disabled. When set, it
* is honored verbatim ('true' -> on, anything else -> off).
*/
isGitSyncHttpEnabled(): boolean {
const raw = this.configService.get<string>('GIT_SYNC_HTTP_ENABLED');
if (raw === undefined) return this.isGitSyncEnabled();
return raw.toLowerCase() === 'true';
}
/**
* Root directory holding the per-space vault repos. Defaults to
* `<DATA_DIR or ./data>/git-sync`. `DATA_DIR` is read directly (no dedicated
* getter exists in this codebase) so the vault root tracks the data volume.
*/
getGitSyncDataDir(): string {
const explicit = this.configService.get<string>('GIT_SYNC_DATA_DIR');
if (explicit) return explicit;
const dataDir = this.configService.get<string>('DATA_DIR') || './data';
return `${dataDir.replace(/\/+$/, '')}/git-sync`;
}
/**
* Optional remote template, e.g. `git@host:vault-{spaceId}.git` (`{spaceId}` is
* substituted per-space in the orchestrator). SCAFFOLDING for the deferred
* remote-push feature: the vendored engine has no remote-push path yet (SPEC
* §7), so this value is currently inert kept so the wiring is ready when the
* engine grows a push path.
*/
getGitSyncRemoteTemplate(): string | undefined {
return this.configService.get<string>('GIT_SYNC_REMOTE_TEMPLATE');
}
/**
* Poll-safety interval in ms (default 15000). A NaN / non-positive value falls
* back to the default so a bad override can never disable or zero the poll loop.
*/
getGitSyncPollIntervalMs(): number {
const parsed = parseInt(
this.configService.get<string>('GIT_SYNC_POLL_INTERVAL_MS', '15000'),
10,
);
return Number.isFinite(parsed) && parsed > 0 ? parsed : 15000;
}
/**
* Spawned `git http-backend` watchdog timeout in ms (default 120000). Bounds a
* single smart-HTTP request so a stalled `git-receive-pack` cannot hold the
* per-space lock forever (the child is killed and a 500 sent on expiry). A NaN /
* non-positive value falls back to the default so a bad override can never
* disable the watchdog.
*/
getGitSyncBackendTimeoutMs(): number {
const v = parseInt(
this.configService.get<string>('GIT_SYNC_BACKEND_TIMEOUT_MS', '120000'),
10,
);
return Number.isFinite(v) && v > 0 ? v : 120000;
}
/**
* Event debounce window in ms (default 2000). A NaN / non-positive value falls
* back to the default so a bad override can never disable the debounce.
*/
getGitSyncDebounceMs(): number {
const parsed = parseInt(
this.configService.get<string>('GIT_SYNC_DEBOUNCE_MS', '2000'),
10,
);
return Number.isFinite(parsed) && parsed > 0 ? parsed : 2000;
}
/**
* The service user id git-sync writes are attributed to. Required when sync is
* enabled (validated in environment.validation.ts); optional otherwise.
*/
getGitSyncServiceUserId(): string | undefined {
return this.configService.get<string>('GIT_SYNC_SERVICE_USER_ID');
}
// --- Blob sandbox (in-RAM ephemeral blob transfer; see SandboxModule) ---
// Base URL the sandbox `uri` is built from. It MUST be reachable over the
@@ -0,0 +1,74 @@
import { plainToInstance } from 'class-transformer';
import { validateSync } from 'class-validator';
import { EnvironmentVariables } from './environment.validation';
/**
* Validation-layer coverage for the git-sync env contract (test-strategy Module
* 4 / item #4). We drive the decorated class with `validateSync` directly the
* exported `validate()` helper calls `process.exit(1)` on failure and so cannot
* be asserted in-process. We only assert the git-sync rules, providing the
* minimal always-required fields so unrelated validators do not add noise.
*/
describe('EnvironmentVariables — git-sync validation', () => {
// A baseline config that satisfies the unconditionally-required fields
// (DATABASE_URL, REDIS_URL, APP_SECRET) so the only errors we ever see come
// from the git-sync rules under test.
const baseConfig = {
DATABASE_URL: 'postgres://user:pass@localhost:5432/docmost',
REDIS_URL: 'redis://localhost:6379',
APP_SECRET: 'x'.repeat(32),
};
const validate = (extra: Record<string, unknown>) => {
const instance = plainToInstance(EnvironmentVariables, {
...baseConfig,
...extra,
});
return validateSync(instance);
};
const errorFor = (errors: ReturnType<typeof validateSync>, property: string) =>
errors.find((e) => e.property === property);
it('flags GIT_SYNC_SERVICE_USER_ID when GIT_SYNC_ENABLED="true" and the id is absent', () => {
const errors = validate({ GIT_SYNC_ENABLED: 'true' });
const err = errorFor(errors, 'GIT_SYNC_SERVICE_USER_ID');
expect(err).toBeDefined();
// @IsNotEmpty is the failing constraint (sync is on but no attributable
// author was configured).
expect(err?.constraints).toHaveProperty('isNotEmpty');
});
it('accepts GIT_SYNC_ENABLED="true" once GIT_SYNC_SERVICE_USER_ID is present', () => {
const errors = validate({
GIT_SYNC_ENABLED: 'true',
GIT_SYNC_SERVICE_USER_ID: 'service-user-1',
});
expect(errorFor(errors, 'GIT_SYNC_SERVICE_USER_ID')).toBeUndefined();
});
it('does not require the service user id when git-sync is disabled (unset)', () => {
const errors = validate({});
// The @ValidateIf gate (GIT_SYNC_ENABLED === "true") is not met, so the
// required-if-enabled rule is skipped entirely.
expect(errorFor(errors, 'GIT_SYNC_SERVICE_USER_ID')).toBeUndefined();
});
it('does not require the service user id when git-sync is explicitly "false"', () => {
const errors = validate({ GIT_SYNC_ENABLED: 'false' });
expect(errorFor(errors, 'GIT_SYNC_SERVICE_USER_ID')).toBeUndefined();
expect(errorFor(errors, 'GIT_SYNC_ENABLED')).toBeUndefined();
});
it('rejects a GIT_SYNC_ENABLED value outside the {true,false} set via @IsIn', () => {
const errors = validate({ GIT_SYNC_ENABLED: 'maybe' });
const err = errorFor(errors, 'GIT_SYNC_ENABLED');
expect(err).toBeDefined();
expect(err?.constraints).toHaveProperty('isIn');
});
});
@@ -172,6 +172,55 @@ export class EnvironmentVariables {
)
CLICKHOUSE_URL: string;
// --- git-sync (issue #194 §7.2) — all OPTIONAL. The master switch defaults off; a
// required-if-enabled service user id is validated only when sync is on. ---
@IsOptional()
@IsIn(['true', 'false'])
@IsString()
GIT_SYNC_ENABLED: string;
// Whether to serve the per-space vaults over smart-HTTP (the /git host).
// When unset, defaults to GIT_SYNC_ENABLED (see isGitSyncHttpEnabled).
@IsOptional()
@IsIn(['true', 'false'])
@IsString()
GIT_SYNC_HTTP_ENABLED: string;
@IsOptional()
@IsString()
GIT_SYNC_DATA_DIR: string;
// SCAFFOLDING for the deferred remote-push feature: the vendored engine does
// not consume gitRemote yet (SPEC §7), so this is currently inert — validated
// here so the wiring is ready when remote push lands.
@IsOptional()
@IsString()
GIT_SYNC_REMOTE_TEMPLATE: string;
@IsOptional()
@IsString()
GIT_SYNC_POLL_INTERVAL_MS: string;
@IsOptional()
@IsString()
GIT_SYNC_DEBOUNCE_MS: string;
// Watchdog timeout (ms) for the spawned `git http-backend` process (default
// 120000): a stalled receive-pack is killed so it cannot hold the per-space
// lock forever. Optional int (validated as a string env).
@IsOptional()
@IsString()
GIT_SYNC_BACKEND_TIMEOUT_MS: string;
// Required when git-sync is enabled: the service user create/move/rename/delete
// are attributed to (issue #194 §7.2). Optional otherwise.
@ValidateIf((obj) => obj.GIT_SYNC_ENABLED === 'true')
@IsNotEmpty()
@IsString()
GIT_SYNC_SERVICE_USER_ID: string;
// --- Blob sandbox (in-RAM ephemeral blob transfer; see SandboxModule) ---
@IsOptional()
@@ -1,82 +0,0 @@
import { JSDOM } from 'jsdom';
import { jsonToHtml } from '../../collaboration/collaboration.util';
/**
* Regression test for issue #298: page/space export (Markdown/HTML) crashes on
* pages that contain inline comments.
*
* The in-process MCP module injects a jsdom `global.window` + `global.document`
* into the Node server (see packages/mcp/src/lib/collaboration.ts). Before the
* fix, the comment mark's `renderHTML` guard was only
* `typeof window === "undefined" || typeof document === "undefined"`, so with
* BOTH jsdom globals present it took the interactive browser branch and returned
* a LIVE jsdom <span> node. The export path serializes via happy-dom's
* DOMSerializer, and appending a foreign jsdom node crashed happy-dom
* ("Cannot read properties of undefined (reading 'length')").
*
* We reproduce the MCP-loaded server by injecting jsdom globals, then export a
* doc containing a comment mark and assert the serialization SUCCEEDS and emits
* the expected serializable <span data-comment-id=... class="comment-mark">.
*
* Non-vacuity: this test only exercises the buggy branch because BOTH jsdom
* `window` AND `document` are set below. If the `isNodeRuntime` condition is
* removed from the guard in packages/editor-ext/src/lib/comment/comment.ts,
* `renderHTML` returns a live jsdom node and `jsonToHtml` throws this test
* then fails. (In a plain node env without the injected globals the guard's
* `typeof window === "undefined"` clause already short-circuits, so it is the
* injected globals that make this assertion meaningful.)
*/
describe('export with inline comments (issue #298)', () => {
const originalWindow = (global as any).window;
const originalDocument = (global as any).document;
beforeAll(() => {
const dom = new JSDOM('<!DOCTYPE html><html><body></body></html>');
(global as any).window = dom.window;
(global as any).document = dom.window.document;
});
afterAll(() => {
(global as any).window = originalWindow;
(global as any).document = originalDocument;
});
const docWithComment = (resolved: boolean) => ({
type: 'doc',
content: [
{
type: 'paragraph',
content: [
{
type: 'text',
marks: [
{
type: 'comment',
attrs: { commentId: 'c-123', resolved },
},
],
text: 'commented text',
},
],
},
],
});
it('exports a page with an unresolved comment mark without crashing', () => {
let html: string;
expect(() => {
html = jsonToHtml(docWithComment(false));
}).not.toThrow();
expect(html).toContain('data-comment-id="c-123"');
expect(html).toContain('class="comment-mark"');
expect(html).toContain('commented text');
});
it('exports a resolved comment mark with the resolved class/attr', () => {
const html = jsonToHtml(docWithComment(true));
expect(html).toContain('data-comment-id="c-123"');
expect(html).toContain('comment-mark resolved');
expect(html).toContain('data-resolved="true"');
});
});
@@ -0,0 +1,62 @@
/**
* Git-sync control-plane constants.
*
* Event/job names are REUSED from the shared event contract (event.contants.ts)
* so the listener subscribes to the exact names the rest of the server emits
* never a string literal that could drift. The Redis lock-key prefix + TTLs back
* the single-writer leader lock (§9); the debounce default backs the per-space
* event coalescing (§10).
*/
import { EventName } from '../../common/events/event.contants';
/**
* The page lifecycle events the git-sync listener reacts to. A change
* to any of these in an enabled space schedules a debounced sync cycle.
* - PAGE_CREATED / PAGE_UPDATED / PAGE_MOVED structural + content edits;
* - PAGE_SOFT_DELETED / PAGE_RESTORED Trash transitions (deletes are soft);
* - PAGE_MOVED_TO_SPACE cross-space move (cross-repo).
*
* NOTE: body edits arrive via PAGE_UPDATED (emitted from persistence.extension),
* NOT via EventName.PAGE_CONTENT_UPDATED that name is a BullMQ queue-job name,
* not an EventEmitter2 event, so @OnEvent would never fire for it.
*/
export const GIT_SYNC_PAGE_EVENTS = [
EventName.PAGE_CREATED,
EventName.PAGE_UPDATED,
EventName.PAGE_MOVED,
EventName.PAGE_MOVED_TO_SPACE,
EventName.PAGE_SOFT_DELETED,
EventName.PAGE_RESTORED,
] as const;
/** Redis key prefix for the per-space leader lock. */
export const GIT_SYNC_LOCK_PREFIX = 'git-sync:lock:';
/**
* Leader-lock TTL (ms). Must exceed the maximum expected cycle duration so the
* lock is not lost mid-cycle; on a crash it expires on its own. The
* in-process mutex (orchestrator) prevents overlapping cycles on one instance,
* and the Redis lock prevents two instances racing the same space.
*/
export const GIT_SYNC_LOCK_TTL_MS = 5 * 60 * 1000;
/**
* Bounded retry budget for ACQUIRING the per-space lock on the PUSH (external
* receive-pack) path. The poll cycle holds the single-writer lock while it
* processes a whole space, so a legitimate `git push` that arrives during a
* cycle would otherwise IMMEDIATELY 503 (GitSyncLockHeldError) even though the
* cycle is about to release the lock in well under a second for most spaces.
* Under continuous polling that made a majority of pushes 503 non-
* deterministically. So the push path retries the acquire with a small capped
* backoff for up to ~`TOTAL_MS` BEFORE giving up a transient overlap with a
* cycle no longer fails the push, while a genuinely stuck/long cycle still
* surfaces a 503 after the bound (git then retries the whole push, which is
* safe: the receive-pack only runs ONCE the lock is held, so a 503 never leaves
* a half-applied ref). The POLL cycle itself does NOT retry (it just skips and
* the next tick reconciles), so this is push-only the smaller blast radius.
*/
export const GIT_SYNC_PUSH_LOCK_RETRY_TOTAL_MS = 5_000;
/** First backoff between push lock-acquire attempts (ms); doubles, capped. */
export const GIT_SYNC_PUSH_LOCK_RETRY_BASE_MS = 100;
/** Cap on the per-attempt push lock-acquire backoff (ms). */
export const GIT_SYNC_PUSH_LOCK_RETRY_MAX_MS = 500;
@@ -0,0 +1,138 @@
// Unit tests for the ops/testing controller. The orchestrator, env,
// and the workspace-ability factory are hand-built mocks. We assert the admin
// guard (non-admin -> ForbiddenException, no orchestrator call), that trigger
// uses the workspace from request context (never the body), and that status
// returns the env-derived object.
import { ForbiddenException, NotFoundException } from '@nestjs/common';
import {
WorkspaceCaslAction,
WorkspaceCaslSubject,
} from '../../core/casl/interfaces/workspace-ability.type';
import { GitSyncController } from './git-sync.controller';
type AnyMock = jest.Mock;
interface Built {
controller: GitSyncController;
orchestrator: { runOnce: AnyMock };
env: Record<string, AnyMock>;
workspaceAbility: { createForUser: AnyMock };
ability: { cannot: AnyMock };
spaceRepo: { findById: AnyMock };
}
function build(opts: { cannot?: boolean; spaceFound?: boolean } = {}): Built {
const { cannot = false, spaceFound = true } = opts;
const ability = { cannot: jest.fn(() => cannot) };
const workspaceAbility = { createForUser: jest.fn(() => ability) };
const orchestrator = {
runOnce: jest.fn(async () => ({ spaceId: 'space-1', ran: true })),
};
const env: Record<string, AnyMock> = {
isGitSyncEnabled: jest.fn(() => true),
getGitSyncDataDir: jest.fn(() => '/vaults'),
getGitSyncPollIntervalMs: jest.fn(() => 15000),
getGitSyncDebounceMs: jest.fn(() => 2000),
getGitSyncServiceUserId: jest.fn(() => 'svc-user'),
};
const spaceRepo = {
findById: jest.fn(async () => (spaceFound ? { id: 'space-1' } : undefined)),
};
const controller = new GitSyncController(
orchestrator as any,
env as any,
workspaceAbility as any,
spaceRepo as any,
);
return { controller, orchestrator, env, workspaceAbility, ability, spaceRepo };
}
const USER = { id: 'user-1' } as any;
const WORKSPACE = { id: 'ctx-ws' } as any;
beforeEach(() => {
jest.clearAllMocks();
});
describe('GitSyncController', () => {
describe('trigger', () => {
it('blocks a non-admin: throws ForbiddenException and never calls runOnce', async () => {
const { controller, orchestrator, ability } = build({ cannot: true });
await expect(
controller.trigger({ spaceId: 'space-1' } as any, USER, WORKSPACE),
).rejects.toBeInstanceOf(ForbiddenException);
expect(ability.cannot).toHaveBeenCalledWith(
WorkspaceCaslAction.Manage,
WorkspaceCaslSubject.Settings,
);
expect(orchestrator.runOnce).not.toHaveBeenCalled();
});
it('admin: calls runOnce(dto.spaceId, workspace.id) using the workspace from context', async () => {
const { controller, orchestrator, spaceRepo } = build({ cannot: false });
// The body carries an attacker-controlled workspaceId that must be ignored.
const res = await controller.trigger(
{ spaceId: 'space-1', workspaceId: 'evil-ws' } as any,
USER,
WORKSPACE,
);
// The space is resolved workspace-scoped (context workspace, not the body).
expect(spaceRepo.findById).toHaveBeenCalledWith('space-1', 'ctx-ws');
expect(orchestrator.runOnce).toHaveBeenCalledWith('space-1', 'ctx-ws');
expect(res).toEqual({ spaceId: 'space-1', ran: true });
});
it('admin: 404s a spaceId that is not in the workspace and never calls runOnce', async () => {
// A foreign/non-existent space must be rejected BEFORE buildSettings runs
// (which would otherwise create an empty per-space vault directory).
const { controller, orchestrator, spaceRepo } = build({
cannot: false,
spaceFound: false,
});
await expect(
controller.trigger({ spaceId: 'foreign' } as any, USER, WORKSPACE),
).rejects.toBeInstanceOf(NotFoundException);
expect(spaceRepo.findById).toHaveBeenCalledWith('foreign', 'ctx-ws');
expect(orchestrator.runOnce).not.toHaveBeenCalled();
});
});
describe('status', () => {
it('blocks a non-admin: throws ForbiddenException and never reads env', async () => {
const { controller, env, ability } = build({ cannot: true });
await expect(controller.status(USER, WORKSPACE)).rejects.toBeInstanceOf(
ForbiddenException,
);
expect(ability.cannot).toHaveBeenCalledWith(
WorkspaceCaslAction.Manage,
WorkspaceCaslSubject.Settings,
);
// The admin guard short-circuits before the env-derived status is built.
expect(env.isGitSyncEnabled).not.toHaveBeenCalled();
});
it('admin: returns the env-derived status object', async () => {
const { controller } = build({ cannot: false });
const res = await controller.status(USER, WORKSPACE);
expect(res).toEqual({
enabled: true,
dataDir: '/vaults',
pollIntervalMs: 15000,
debounceMs: 2000,
serviceUserConfigured: true,
});
});
});
});
@@ -0,0 +1,109 @@
import {
Body,
Controller,
ForbiddenException,
HttpCode,
HttpStatus,
NotFoundException,
Post,
Get,
UseGuards,
} from '@nestjs/common';
import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
import { AuthUser } from '../../common/decorators/auth-user.decorator';
import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
import { User, Workspace } from '@docmost/db/types/entity.types';
import { SpaceRepo } from '@docmost/db/repos/space/space.repo';
import WorkspaceAbilityFactory from '../../core/casl/abilities/workspace-ability.factory';
import {
WorkspaceCaslAction,
WorkspaceCaslSubject,
} from '../../core/casl/interfaces/workspace-ability.type';
import { EnvironmentService } from '../environment/environment.service';
import { IsUUID } from 'class-validator';
import {
GitSyncOrchestrator,
GitSyncRunStatus,
} from './services/git-sync.orchestrator';
/** Body for the manual one-shot trigger. */
class TriggerGitSyncDto {
// The global ValidationPipe runs with whitelist:true, which STRIPS any field
// lacking a validation decorator — without this @IsUUID the spaceId would be
// dropped and arrive as undefined.
@IsUUID()
spaceId: string;
}
/**
* Ops/testing endpoints for the git-sync control plane. Admin-guarded
* (workspace Manage/Settings, mirroring WorkspaceController) so only workspace
* admins can force a cycle. Mounted under the global `/api` prefix:
* - POST /api/git-sync/trigger { spaceId } run one cycle now (await result),
* - GET /api/git-sync/status report whether sync is enabled + config.
*/
@UseGuards(JwtAuthGuard)
@Controller('git-sync')
export class GitSyncController {
constructor(
private readonly orchestrator: GitSyncOrchestrator,
private readonly environmentService: EnvironmentService,
private readonly workspaceAbility: WorkspaceAbilityFactory,
private readonly spaceRepo: SpaceRepo,
) {}
/** Throw unless the caller is a workspace admin (Manage Settings). */
private assertAdmin(user: User, workspace: Workspace): void {
const ability = this.workspaceAbility.createForUser(user, workspace);
if (
ability.cannot(WorkspaceCaslAction.Manage, WorkspaceCaslSubject.Settings)
) {
throw new ForbiddenException();
}
}
@HttpCode(HttpStatus.OK)
@Post('trigger')
async trigger(
@Body() dto: TriggerGitSyncDto,
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
): Promise<GitSyncRunStatus> {
this.assertAdmin(user, workspace);
// Verify the client-supplied spaceId BELONGS to this workspace before doing
// any work (review): without this, `runOnce` -> `buildSettings` reads the
// raw `spaces` row and creates an empty per-space vault directory for a
// foreign/non-existent space before the content read finally 404s. Resolve
// it workspace-scoped and 404 early.
const space = await this.spaceRepo.findById(dto.spaceId, workspace.id);
if (!space) {
throw new NotFoundException('Space not found');
}
// Use the workspace from the request context (never client-supplied).
return this.orchestrator.runOnce(dto.spaceId, workspace.id);
}
@HttpCode(HttpStatus.OK)
@Get('status')
async status(
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
): Promise<{
enabled: boolean;
dataDir: string;
pollIntervalMs: number;
debounceMs: number;
serviceUserConfigured: boolean;
}> {
this.assertAdmin(user, workspace);
return {
enabled: this.environmentService.isGitSyncEnabled(),
dataDir: this.environmentService.getGitSyncDataDir(),
pollIntervalMs: this.environmentService.getGitSyncPollIntervalMs(),
debounceMs: this.environmentService.getGitSyncDebounceMs(),
serviceUserConfigured: Boolean(
this.environmentService.getGitSyncServiceUserId(),
),
};
}
}
@@ -0,0 +1,57 @@
import { pathToFileURL } from 'node:url';
import { esmImport } from '../../common/helpers/esm-import';
import type {
VaultGit as VaultGitClass,
vaultGitEnv as vaultGitEnvFn,
runCycle as runCycleFn,
parseDocmostMarkdown as parseDocmostMarkdownFn,
markdownToProseMirror as markdownToProseMirrorFn,
sanitizeTitle as sanitizeTitleFn,
docsCanonicallyEqual as docsCanonicallyEqualFn,
} from '@docmost/git-sync';
/**
* Runtime value-export surface of the ESM-only `@docmost/git-sync` package that
* the server consumes. Types are imported with `import type` (erased at compile,
* no runtime require); only the VALUE exports below need the dynamic-load
* treatment so a CJS `require()` of the ESM package never happens.
*/
interface GitSyncModule {
VaultGit: typeof VaultGitClass;
vaultGitEnv: typeof vaultGitEnvFn;
runCycle: typeof runCycleFn;
parseDocmostMarkdown: typeof parseDocmostMarkdownFn;
markdownToProseMirror: typeof markdownToProseMirrorFn;
sanitizeTitle: typeof sanitizeTitleFn;
docsCanonicallyEqual: typeof docsCanonicallyEqualFn;
}
// The CJS->ESM dynamic-import bridge lives in one shared helper
// (common/helpers/esm-import.ts); see it for why `import()` must be hidden from
// the TS commonjs downleveler. The typed `loadGitSync()` wrapper stays here.
// Memoize the in-flight/loaded module so the dynamic import runs at most once.
let modulePromise: Promise<GitSyncModule> | null = null;
/**
* Lazily load the ESM-only `@docmost/git-sync` package (cached). Resolves the
* package entry to an absolute path, then imports it as a `file://` URL so the
* package "exports" map is honoured without bare-specifier resolution-base
* fragility.
*/
export async function loadGitSync(): Promise<GitSyncModule> {
if (!modulePromise) {
modulePromise = (async () => {
const entry = require.resolve('@docmost/git-sync');
const mod = (await esmImport(
pathToFileURL(entry).href,
)) as GitSyncModule;
return mod;
})().catch((err) => {
// Do not cache a rejected import — allow the next call to retry.
modulePromise = null;
throw err;
});
}
return modulePromise;
}
@@ -0,0 +1,62 @@
import { Module } from '@nestjs/common';
import { ScheduleModule } from '@nestjs/schedule';
import { DatabaseModule } from '@docmost/db/database.module';
import { EnvironmentModule } from '../environment/environment.module';
import { CollaborationModule } from '../../collaboration/collaboration.module';
import { PageModule } from '../../core/page/page.module';
import { AuthModule } from '../../core/auth/auth.module';
import { GitmostDataSourceService } from './services/gitmost-datasource.service';
import { GitSyncOrchestrator } from './services/git-sync.orchestrator';
import { SpaceLockService } from './services/space-lock.service';
import { VaultRegistryService } from './services/vault-registry.service';
import { PageChangeListener } from './listeners/page-change.listener';
import { GitSyncController } from './git-sync.controller';
import { GitHttpBackendService } from './http/git-http-backend.service';
import { GitHttpService } from './http/git-http.service';
/**
* The git-sync control plane. Wires the native datasource, the
* orchestrator (poll + leader-lock), the per-space vault registry, the
* event-driven listener, and the admin trigger controller.
*
* Imports:
* - DatabaseModule (global) PageRepo / SpaceRepo / KyselyDB for the
* datasource + orchestrator queries;
* - EnvironmentModule (global) EnvironmentService config;
* - CollaborationModule exports CollaborationGateway for native body writes;
* - PageModule exports PageService for structural mutations;
* - ScheduleModule (NOT forRoot) so SchedulerRegistry is injectable (the
* orchestrator registers a DYNAMIC poll interval in onModuleInit). forRoot()
* is already registered globally by TelemetryModule; importing the plain
* module here avoids a duplicate scheduler registration.
*
* RedisService is provided by the global RedisModule (app.module) and CASL's
* WorkspaceAbilityFactory by the global CaslModule both resolve without an
* explicit import here.
*/
@Module({
imports: [
DatabaseModule,
EnvironmentModule,
CollaborationModule,
PageModule,
// AuthModule exports AuthService (verifyUserCredentials for /git HTTP Basic).
AuthModule,
ScheduleModule,
],
controllers: [GitSyncController],
providers: [
GitmostDataSourceService,
GitSyncOrchestrator,
SpaceLockService,
VaultRegistryService,
PageChangeListener,
// /git smart-HTTP host (the raw Fastify route in main.ts resolves these).
GitHttpBackendService,
GitHttpService,
],
// Exported so the raw Fastify route registered in main.ts can resolve the
// handler from the Nest container (app.get(GitHttpService)).
exports: [GitHttpService],
})
export class GitSyncModule {}
@@ -0,0 +1,414 @@
// Unit tests for the pure CGI-response helpers used by GitHttpBackendService.
// The header/body split MUST treat the body as binary (Buffer) and never
// stringify it; the Status: header sets the HTTP status (default 200).
import { EventEmitter } from 'node:events';
import { spawn } from 'node:child_process';
// Mock the spawn boundary so run() never launches a real `git http-backend`; the
// fake child lets us drive every stdout/stderr/error/close branch by hand.
jest.mock('node:child_process', () => ({ spawn: jest.fn() }));
// vaultGitEnv just builds the CGI env overlay; stub it to a passthrough so the
// service runs without the real engine. The service loads it at runtime via the
// `loadGitSync()` bridge (the ESM `@docmost/git-sync` package cannot be
// `require()`d under jest), so we mock that loader rather than the package.
jest.mock('../git-sync.loader', () => ({
loadGitSync: jest.fn(async () => ({
vaultGitEnv: (overlay: Record<string, string>) => overlay,
})),
}));
import {
parseCgiResponse,
splitCgiBuffer,
buildGitBackendCgiEnv,
GitHttpBackendService,
} from './git-http-backend.service';
import { Logger } from '@nestjs/common';
import type { GitHttpBackendRequest } from './git-http-backend.service';
const spawnMock = spawn as unknown as jest.Mock;
/** A fake `git http-backend` child: EventEmitter + stdout/stderr/stdin streams. */
function fakeChild() {
const child = new EventEmitter() as any;
child.stdout = new EventEmitter();
child.stderr = new EventEmitter();
// stdin is written/ended/piped to; capture the calls, swallow nothing.
child.stdin = Object.assign(new EventEmitter(), {
end: jest.fn(),
write: jest.fn(),
});
// The watchdog kills the child on timeout; capture the signal.
child.kill = jest.fn();
return child;
}
/** A fake raw Node ServerResponse capturing status/headers/body/end. */
function fakeRes() {
const res: any = {
headersSent: false,
writableEnded: false,
statusCode: 200,
_headers: {} as Record<string, string>,
_written: [] as Buffer[],
setHeader: jest.fn((name: string, value: string) => {
res._headers[name] = value;
}),
write: jest.fn((chunk: Buffer) => {
res._written.push(chunk);
return true;
}),
end: jest.fn((chunk?: Buffer | string) => {
if (chunk !== undefined) res._written.push(chunk as Buffer);
res.writableEnded = true;
}),
};
return res;
}
/** A fake raw Node IncomingMessage (GET => no body piped). */
function fakeReq() {
const req = new EventEmitter() as any;
req.pipe = jest.fn();
return req;
}
const baseRequest: GitHttpBackendRequest = {
spaceId: 'space-1',
subpath: 'info/refs',
method: 'GET',
queryString: 'service=git-upload-pack',
contentType: '',
remoteUser: 'alice@example.com',
};
function buildService(backendTimeoutMs = 120000) {
const env = {
getGitSyncDataDir: jest.fn(() => '/vaults'),
// The watchdog timeout for the spawned git http-backend. Tests inject a tiny
// value (or use fake timers) to drive the timeout branch.
getGitSyncBackendTimeoutMs: jest.fn(() => backendTimeoutMs),
};
return new GitHttpBackendService(env as any);
}
// `run()` now awaits the async `loadGitSync()` bridge before it spawns the
// child, so the spawn (and its stream-handler wiring) happens one microtask
// after `run()` is called. These tests drive the fake child synchronously, so
// flush the microtask queue first to let `run()` reach the spawn.
const flush = () => new Promise((resolve) => setImmediate(resolve));
describe('GitHttpBackendService.run', () => {
beforeEach(() => {
spawnMock.mockReset();
jest.spyOn(Logger.prototype, 'warn').mockImplementation(() => undefined);
jest.spyOn(Logger.prototype, 'error').mockImplementation(() => undefined);
});
afterEach(() => jest.restoreAllMocks());
it('(a) responds 500 when the child errors before any headers were written', async () => {
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService();
const res = fakeRes();
const p = service.run(baseRequest, fakeReq(), res);
await flush();
// Emit a child 'error' before any stdout -> 500, headers not already sent.
child.emit('error', new Error('ENOENT spawn git'));
await p;
expect(res.statusCode).toBe(500);
expect(res._headers['Content-Type']).toBe('text/plain');
expect(res.end).toHaveBeenCalledWith('Internal server error');
});
it('(a) responds 500 when the child closes before a complete CGI header block', async () => {
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService();
const res = fakeRes();
const p = service.run(baseRequest, fakeReq(), res);
await flush();
// stderr diagnostics, then a close with no valid CGI output -> 500.
child.stderr.emit('data', Buffer.from('fatal: boom'));
child.emit('close', 128);
await p;
expect(res.statusCode).toBe(500);
expect(res.end).toHaveBeenCalledWith('Internal server error');
});
it('(b) parses the CGI header block, sets status/headers, writes the body', async () => {
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService();
const res = fakeRes();
const p = service.run(baseRequest, fakeReq(), res);
await flush();
// A full CGI response: status line + header + blank line + body.
child.stdout.emit(
'data',
Buffer.from(
'Status: 200 OK\r\nContent-Type: application/x-git-upload-pack-advertisement\r\n\r\nPACKBODY',
'utf8',
),
);
child.emit('close', 0);
await p;
expect(res.statusCode).toBe(200);
expect(res._headers['Content-Type']).toBe(
'application/x-git-upload-pack-advertisement',
);
expect(Buffer.concat(res._written.map((c) => Buffer.from(c))).toString()).toContain(
'PACKBODY',
);
expect(res.writableEnded).toBe(true);
});
it('(c) swallows a stdout stream error (EPIPE) without throwing or 500ing', async () => {
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService();
const res = fakeRes();
const warnSpy = jest.spyOn(Logger.prototype, 'warn');
const p = service.run(baseRequest, fakeReq(), res);
await flush();
// The stdout 'error' handler must absorb this — no unhandled throw, no 500.
expect(() => child.stdout.emit('error', new Error('EPIPE'))).not.toThrow();
expect(() => child.stderr.emit('error', new Error('EPIPE'))).not.toThrow();
expect(warnSpy).toHaveBeenCalled();
expect(res.statusCode).not.toBe(500);
// Let run() settle so the promise does not dangle.
child.emit('close', 0);
await p;
});
it('(d) timeout: a child that never closes is killed and a 500 is sent', async () => {
// The child never emits stdout/close (a stalled git-receive-pack). With a
// tiny injected watchdog timeout the run() promise must still resolve: the
// child is killed and a clean 500 is sent (no headers were sent yet).
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService(5); // 5ms watchdog
const res = fakeRes();
const warnSpy = jest.spyOn(Logger.prototype, 'warn');
// run() resolves only via the watchdog firing (no close/error emitted).
await service.run(baseRequest, fakeReq(), res);
expect(child.kill).toHaveBeenCalledWith('SIGTERM');
expect(warnSpy).toHaveBeenCalled();
expect(res.statusCode).toBe(500);
expect(res.end).toHaveBeenCalledWith('Internal server error');
});
it('(d) timeout watchdog is cleared on a normal close (no kill, no 500)', async () => {
// A normal request that completes well within the watchdog window must NOT be
// killed and must NOT trip the timeout 500 — the timer is cleared on close.
jest.useFakeTimers();
try {
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService(120000);
const res = fakeRes();
const p = service.run(baseRequest, fakeReq(), res);
// loadGitSync resolves on a real microtask; advance it under fake timers.
await Promise.resolve();
await Promise.resolve();
child.stdout.emit(
'data',
Buffer.from('Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nOK', 'utf8'),
);
child.emit('close', 0);
await p;
// The watchdog never fired even if we advance past its window.
jest.advanceTimersByTime(200000);
expect(child.kill).not.toHaveBeenCalled();
expect(res.statusCode).toBe(200);
} finally {
jest.useRealTimers();
}
});
it('spawn throwing synchronously -> 500 (spawn-failed)', async () => {
spawnMock.mockImplementation(() => {
throw new Error('spawn EACCES');
});
const service = buildService();
const res = fakeRes();
await service.run(baseRequest, fakeReq(), res);
expect(res.statusCode).toBe(500);
expect(res.end).toHaveBeenCalledWith('Internal server error');
});
it('(abort) an ALREADY-aborted signal -> no spawn, 500 lock-lost', async () => {
// The per-space lock was already lost before run() reached the spawn: we must
// NOT start writing the working tree after a possible lock takeover.
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService();
const res = fakeRes();
const controller = new AbortController();
controller.abort();
await service.run(baseRequest, fakeReq(), res, controller.signal);
expect(spawnMock).not.toHaveBeenCalled();
expect(res.statusCode).toBe(500);
expect(res.end).toHaveBeenCalledWith('Internal server error');
});
it('(abort) a live signal aborted mid-request -> child SIGTERM + response closed', async () => {
// The lock lapses mid-push: the abort fires, the child is killed (SIGTERM,
// then SIGKILL on escalation), and the response is finished.
const child = fakeChild();
spawnMock.mockReturnValue(child);
const service = buildService();
const res = fakeRes();
const warnSpy = jest.spyOn(Logger.prototype, 'warn');
const controller = new AbortController();
const p = service.run(baseRequest, fakeReq(), res, controller.signal);
await flush(); // let run() reach the spawn + wire the abort listener
controller.abort();
await p;
expect(child.kill).toHaveBeenCalledWith('SIGTERM');
expect(warnSpy).toHaveBeenCalled();
// No headers were sent before the abort -> a clean 500 is sent and ended.
expect(res.statusCode).toBe(500);
expect(res.writableEnded).toBe(true);
});
});
describe('buildGitBackendCgiEnv', () => {
const base = {
spaceId: 'space-1',
subpath: 'info/refs',
method: 'GET',
queryString: 'service=git-upload-pack',
contentType: '',
remoteUser: 'alice@example.com',
};
it('points PATH_INFO at the NON-bare repo dir (no .git suffix)', () => {
// Regression guard: the vault lives at <root>/<spaceId> (a working repo), so
// PATH_INFO must be /<spaceId>/<subpath>. A `.git` suffix made git
// http-backend resolve <root>/<spaceId>.git and 404 every fetch/push.
const env = buildGitBackendCgiEnv(base, '/vaults');
expect(env.PATH_INFO).toBe('/space-1/info/refs');
expect(env.PATH_INFO).not.toContain('.git');
expect(env.GIT_PROJECT_ROOT).toBe('/vaults');
});
it('forwards method/query/content-type/remote-user and exports all repos', () => {
const env = buildGitBackendCgiEnv(
{ ...base, method: 'POST', subpath: 'git-receive-pack', contentType: 'application/x-git-receive-pack-request', queryString: '' },
'/vaults',
);
expect(env.REQUEST_METHOD).toBe('POST');
expect(env.PATH_INFO).toBe('/space-1/git-receive-pack');
expect(env.CONTENT_TYPE).toBe('application/x-git-receive-pack-request');
expect(env.REMOTE_USER).toBe('alice@example.com');
expect(env.GIT_HTTP_EXPORT_ALL).toBe('1');
});
it('sets GIT_PROTOCOL only when the client sent the header', () => {
expect(buildGitBackendCgiEnv(base, '/vaults').GIT_PROTOCOL).toBeUndefined();
expect(
buildGitBackendCgiEnv({ ...base, gitProtocol: 'version=2' }, '/vaults')
.GIT_PROTOCOL,
).toBe('version=2');
});
});
describe('parseCgiResponse', () => {
it('defaults to status 200 with no Status header', () => {
const r = parseCgiResponse('Content-Type: application/x-git-upload-pack-result');
expect(r.statusCode).toBe(200);
expect(r.headers).toEqual([
['Content-Type', 'application/x-git-upload-pack-result'],
]);
});
it('honors a Status header and does not forward it', () => {
const r = parseCgiResponse('Status: 404 Not Found\nContent-Type: text/plain');
expect(r.statusCode).toBe(404);
expect(r.headers).toEqual([['Content-Type', 'text/plain']]);
});
it('parses multiple headers and trims whitespace', () => {
const r = parseCgiResponse(
'Status: 403 Forbidden\r\nContent-Type: text/plain \r\nX-Foo: bar ',
);
expect(r.statusCode).toBe(403);
expect(r.headers).toEqual([
['Content-Type', 'text/plain'],
['X-Foo', 'bar'],
]);
});
it('ignores malformed (colon-less) lines defensively', () => {
const r = parseCgiResponse('Content-Type: text/plain\ngarbage-line\nX-A: b');
expect(r.statusCode).toBe(200);
expect(r.headers).toEqual([
['Content-Type', 'text/plain'],
['X-A', 'b'],
]);
});
it('ignores an out-of-range Status code and keeps the default', () => {
const r = parseCgiResponse('Status: not-a-number\nContent-Type: text/plain');
expect(r.statusCode).toBe(200);
});
it('treats the Status header case-insensitively', () => {
const r = parseCgiResponse('status: 500 Boom');
expect(r.statusCode).toBe(500);
expect(r.headers).toEqual([]);
});
});
describe('splitCgiBuffer', () => {
it('splits on a CRLF blank line and keeps the body as bytes', () => {
const buf = Buffer.concat([
Buffer.from('Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n', 'utf8'),
Buffer.from([0x00, 0x01, 0x02, 0xff]),
]);
const split = splitCgiBuffer(buf);
expect(split).not.toBeNull();
expect(split!.headerText).toBe('Status: 200 OK\r\nContent-Type: text/plain');
expect(Array.from(split!.body)).toEqual([0x00, 0x01, 0x02, 0xff]);
});
it('splits on a bare LF blank line', () => {
const buf = Buffer.from('Content-Type: text/plain\n\nhello', 'utf8');
const split = splitCgiBuffer(buf);
expect(split).not.toBeNull();
expect(split!.headerText).toBe('Content-Type: text/plain');
expect(split!.body.toString('utf8')).toBe('hello');
});
it('returns an empty body when nothing follows the separator', () => {
const buf = Buffer.from('Content-Type: text/plain\r\n\r\n', 'utf8');
const split = splitCgiBuffer(buf);
expect(split).not.toBeNull();
expect(split!.body.length).toBe(0);
});
it('returns null when there is no blank-line separator yet', () => {
const buf = Buffer.from('Content-Type: text/plain\r\nincomplete', 'utf8');
expect(splitCgiBuffer(buf)).toBeNull();
});
});
@@ -0,0 +1,419 @@
import { Injectable, Logger } from '@nestjs/common';
import { spawn } from 'node:child_process';
import type { IncomingMessage, ServerResponse } from 'node:http';
import { loadGitSync } from '../git-sync.loader';
import { EnvironmentService } from '../../environment/environment.service';
/** The parsed first part of a CGI response: the HTTP status + header pairs. */
export interface ParsedCgiResponse {
statusCode: number;
/** Lower-cased? No — keep header names verbatim as git http-backend emits. */
headers: Array<[string, string]>;
}
/**
* Parse the CGI header block emitted by `git http-backend` into an HTTP status
* and a list of header pairs. The input is ONLY the header text (everything up
* to, but not including, the blank-line separator) the binary body is split
* off by the caller on the raw Buffer (never stringified).
*
* CGI semantics (RFC 3875 §6): a `Status: <code> <reason>` header sets the HTTP
* status (default 200 when absent). Every other header is forwarded verbatim.
* Header lines are `Name: value`; a line without a ':' is ignored defensively.
*
* Pure + framework-free so it is unit-testable in isolation.
*/
export function parseCgiResponse(headerBlock: string): ParsedCgiResponse {
let statusCode = 200;
const headers: Array<[string, string]> = [];
// Header lines may be separated by CRLF or LF; split on either.
const lines = headerBlock.split(/\r?\n/);
for (const line of lines) {
if (line.length === 0) continue;
const sep = line.indexOf(':');
if (sep === -1) continue; // not a header line — ignore defensively
const name = line.slice(0, sep).trim();
const value = line.slice(sep + 1).trim();
if (name.toLowerCase() === 'status') {
// `Status: 404 Not Found` — the leading integer is the HTTP status code.
const code = parseInt(value, 10);
if (Number.isFinite(code) && code >= 100 && code <= 599) {
statusCode = code;
}
continue; // never forward the CGI Status header itself
}
headers.push([name, value]);
}
return { statusCode, headers };
}
/**
* Split a raw CGI response buffer at the first blank-line boundary
* (`\r\n\r\n` or `\n\n`). Returns the header text and the remaining body bytes.
* Returns null when no blank-line separator is present (a malformed response).
*
* Pure (operates on Buffers, never stringifies the body) so it is testable.
*/
export function splitCgiBuffer(
buf: Buffer,
): { headerText: string; body: Buffer } | null {
// Prefer the CRLF separator; fall back to bare LF.
let idx = buf.indexOf('\r\n\r\n');
let sepLen = 4;
if (idx === -1) {
idx = buf.indexOf('\n\n');
sepLen = 2;
}
if (idx === -1) return null;
const headerText = buf.subarray(0, idx).toString('utf8');
const body = buf.subarray(idx + sepLen);
return { headerText, body };
}
/** A parsed git smart-HTTP request, resolved by the controller/handler. */
export interface GitHttpBackendRequest {
/** The space id (the on-disk vault dir name == GIT_PROJECT_ROOT child). */
spaceId: string;
/** The subpath after `<spaceId>.git/`, e.g. `info/refs` or `git-receive-pack`. */
subpath: string;
/** REQUEST_METHOD — `GET` or `POST`. */
method: string;
/** Raw query string WITHOUT the leading '?', e.g. `service=git-receive-pack`. */
queryString: string;
/** Content-Type header value (may be empty for GET). */
contentType: string;
/** The Git-Protocol request header value, or undefined when absent. */
gitProtocol?: string;
/** Content-Encoding request header (e.g. `gzip`), or undefined when absent.
* git gzips RPC bodies >1KiB; http-backend only inflates when HTTP_CONTENT_ENCODING
* is present, so it MUST be forwarded or a non-trivial `git pull` fails with
* `fatal: expected 'packfile'` (review #4). */
contentEncoding?: string;
/** Authenticated user email — used as REMOTE_USER (reflog identity). */
remoteUser: string;
}
/**
* Bridges an HTTP git smart-protocol request to `git http-backend` (the CGI that
* implements the entire smart-HTTP protocol: info/refs, upload-pack,
* receive-pack, protocol v2, dumb fallback). We do NOT reimplement pkt-line.
*
* The Fastify reply is hijacked by the caller; this service streams the request
* body to the child's stdin and writes the child's CGI response (status +
* headers parsed from the leading header block, then the raw binary body) to the
* Node response. Errors before any output produce a 500. Credentials are never
* logged.
*/
/**
* Build the `git http-backend` CGI environment overlay for one request (the
* variables layered on top of `vaultGitEnv`'s cwd-isolated base). Pure so the
* PATH_INFO / REMOTE_USER / conditional GIT_PROTOCOL wiring is unit-testable
* without spawning git.
*
* PATH_INFO is the repo-relative CGI path. The vault is a NON-BARE working repo
* on disk at `<dataDir>/<spaceId>` (the engine needs a working tree), so the
* repo directory git http-backend must resolve is `<spaceId>` NOT
* `<spaceId>.git`. The URL carries the conventional `.git` suffix (stripped by
* parseGitPath into `spaceId`); re-appending it here pointed the CGI at a
* non-existent `<dataDir>/<spaceId>.git` and every fetch/push 404'd.
*/
export function buildGitBackendCgiEnv(
parsed: GitHttpBackendRequest,
projectRoot: string,
): Record<string, string> {
const cgiEnv: Record<string, string> = {
GIT_PROJECT_ROOT: projectRoot,
GIT_HTTP_EXPORT_ALL: '1', // authz is done by us; no git-daemon-export-ok file
PATH_INFO: `/${parsed.spaceId}/${parsed.subpath}`,
REQUEST_METHOD: parsed.method,
QUERY_STRING: parsed.queryString,
CONTENT_TYPE: parsed.contentType,
REMOTE_USER: parsed.remoteUser,
};
// GIT_PROTOCOL is only set when the client sent the Git-Protocol header.
if (parsed.gitProtocol) {
cgiEnv.GIT_PROTOCOL = parsed.gitProtocol;
}
// HTTP_CONTENT_ENCODING must be forwarded so git http-backend inflates a
// gzip'd RPC body (git compresses receive-pack/upload-pack bodies >1KiB).
// Without it a non-trivial `git pull` negotiation fails deterministically with
// `fatal: expected 'packfile'` (review #4). The body is piped to stdin as-is
// (no upstream decompression), so the CGI must do the inflate.
if (parsed.contentEncoding) {
cgiEnv.HTTP_CONTENT_ENCODING = parsed.contentEncoding;
}
return cgiEnv;
}
@Injectable()
export class GitHttpBackendService {
private readonly logger = new Logger(GitHttpBackendService.name);
constructor(private readonly environmentService: EnvironmentService) {}
/**
* Spawn `git http-backend` for one request and bridge it to the raw Node
* request/response. Resolves when the response has been fully written (the
* child exited and its output was flushed), or after a 500 was sent on an
* early failure. Never rejects push ingestion relies on this resolving so
* the lock-held cycle body can run afterwards.
*
* `signal` (optional) is the git-sync per-space lock's lost-lock abort signal.
* A receive-pack writes `main`'s working tree, so if the lock lapses mid-push
* (heartbeat CAS miss / Redis outage) the signal fires and we kill the child
* preventing it from continuing to write the working tree while another replica
* may have taken over the lock and started a cycle (warning #3).
*/
async run(
parsed: GitHttpBackendRequest,
rawReq: IncomingMessage,
rawRes: ServerResponse,
signal?: AbortSignal,
): Promise<void> {
const { vaultGitEnv } = await loadGitSync();
const projectRoot = this.environmentService.getGitSyncDataDir();
// Build the CGI env from the engine's cwd-isolated base (strips GIT_DIR /
// GIT_WORK_TREE), then layer the http-backend CGI variables. PATH is
// preserved (vaultGitEnv already copies process.env, so PATH carries
// through).
const env = vaultGitEnv(buildGitBackendCgiEnv(parsed, projectRoot));
return new Promise<void>((resolve) => {
let settled = false;
// Set once the child exists so the abort handler can target it.
let onAbort: (() => void) | null = null;
// The watchdog timer; cleared centrally in done() so EVERY settle path
// (close, error, timeout, abort) tears it down exactly once.
let watchdogTimer: ReturnType<typeof setTimeout> | undefined;
const done = () => {
if (settled) return;
settled = true;
if (watchdogTimer) clearTimeout(watchdogTimer);
// Detach the abort listener so a later lock loss does not fire into a
// request that already finished.
if (onAbort) {
signal?.removeEventListener('abort', onAbort);
onAbort = null;
}
resolve();
};
// Reject early if the lock was already lost before we even spawned: do not
// start writing the working tree after a possible lock takeover.
if (signal?.aborted) {
if (!rawRes.headersSent) this.send500(rawRes, 'lock-lost');
else
try {
rawRes.end();
} catch {
/* ignore */
}
return done();
}
let child: ReturnType<typeof spawn>;
try {
child = spawn('git', ['http-backend'], { env });
} catch (err) {
this.send500(rawRes, 'spawn-failed', err);
return done();
}
// Lost-lock abort: the per-space lock lapsed mid-request. Kill the child so
// a receive-pack stops writing `main`'s working tree before another replica
// (which may now hold the lock) starts a cycle. Same kill+finish path the
// watchdog uses (extracted into terminateChild).
onAbort = () => {
this.terminateChild(
child,
rawRes,
headerParsed,
'lock-lost',
'git http-backend aborted (git-sync lock lost mid-request); killing child',
done,
);
};
signal?.addEventListener('abort', onAbort);
// Watchdog: a client that opens git-receive-pack and stalls keeps the
// child alive forever, so run() never resolves and (because this runs
// inside withSpaceLock) the per-space lock is held + heartbeat-refreshed
// indefinitely. Bound the request: on expiry kill the child, send a clean
// 500 if nothing was sent yet, and settle the promise. `.unref()` so the
// timer never keeps the event loop alive; ALWAYS cleared in done().
watchdogTimer = setTimeout(() => {
this.terminateChild(
child,
rawRes,
headerParsed,
'timeout',
`git http-backend timed out after ` +
`${this.environmentService.getGitSyncBackendTimeoutMs()}ms; killing child`,
done,
);
}, this.environmentService.getGitSyncBackendTimeoutMs());
watchdogTimer.unref?.();
// Accumulate stdout until we have the full CGI header block, then write the
// parsed status/headers and start streaming the remaining body bytes.
let headerParsed = false;
let pending: Buffer = Buffer.alloc(0);
const flushHeadersAndBody = (chunk: Buffer): void => {
pending = Buffer.concat([pending, chunk]);
const split = splitCgiBuffer(pending);
if (!split) return; // header block not complete yet
headerParsed = true;
const { statusCode, headers } = parseCgiResponse(split.headerText);
rawRes.statusCode = statusCode;
for (const [name, value] of headers) {
rawRes.setHeader(name, value);
}
if (split.body.length > 0) rawRes.write(split.body);
pending = Buffer.alloc(0);
};
child.stdout?.on('data', (chunk: Buffer) => {
if (headerParsed) {
rawRes.write(chunk);
} else {
flushHeadersAndBody(chunk);
}
});
// A stream 'error' (e.g. EPIPE when the client aborts mid-response) is an
// EventEmitter 'error' with no listener -> Node rethrows it as an uncaught
// exception and crashes the process. Swallow + log it (never echo to the
// client); child.on('close')/'error' below drives the actual cleanup.
child.stdout?.on('error', (err) => {
this.logger.warn(`git http-backend stdout stream error: ${err.message}`);
});
let stderr = '';
child.stderr?.on('data', (chunk: Buffer) => {
// Capture for diagnostics; never echo to the client. http-backend writes
// CGI errors here. We do NOT log the request body or any credentials.
if (stderr.length < 8192) stderr += chunk.toString('utf8');
});
child.stderr?.on('error', (err) => {
this.logger.warn(`git http-backend stderr stream error: ${err.message}`);
});
child.on('error', (err) => {
// The watchdog timer is cleared centrally in done().
if (!headerParsed && !rawRes.headersSent) {
this.send500(rawRes, 'child-error', err);
} else {
// Output already started — we can only terminate the stream.
try {
rawRes.end();
} catch {
/* ignore */
}
}
done();
});
child.on('close', (code) => {
// The watchdog timer is cleared centrally in done().
if (!headerParsed && !rawRes.headersSent) {
// The child exited before emitting a complete CGI header block.
this.logger.error(
`git http-backend produced no valid response (exit ${code}) for ` +
`space; stderr: ${stderr.trim().slice(0, 500)}`,
);
this.send500(rawRes, 'no-output');
} else {
try {
rawRes.end();
} catch {
/* ignore */
}
}
done();
});
// Pipe the request body to the child's stdin. For GET there is no body, so
// end stdin immediately. We pipe `rawReq` (the raw Node stream) directly so
// large pushes are streamed, not buffered.
if (parsed.method === 'POST') {
rawReq.pipe(child.stdin!);
rawReq.on('error', () => {
try {
child.stdin?.end();
} catch {
/* ignore */
}
});
} else {
child.stdin?.end();
}
// Swallow EPIPE etc. on the child's stdin so a client disconnect does not
// crash the process.
child.stdin?.on('error', () => {
/* ignore broken-pipe on stdin */
});
});
}
/**
* Kill the child (SIGTERM, then SIGKILL after a grace period if it ignores the
* term) and finish the HTTP response cleanly, then settle. Shared by the two
* forced-termination paths the watchdog timeout and the lost-lock abort
* which differ ONLY by the log line and the send500 `reason`. If no response
* has started a clean 500 is sent; otherwise the in-flight stream is just
* ended. Never throws (a thrown kill/end would crash the request).
*/
private terminateChild(
child: ReturnType<typeof spawn>,
rawRes: ServerResponse,
responseStarted: boolean,
send500Reason: string,
logMessage: string,
done: () => void,
): void {
this.logger.warn(logMessage);
try {
child.kill('SIGTERM');
// Escalate to SIGKILL shortly after in case SIGTERM is ignored.
const sigkill = setTimeout(() => {
try {
child.kill('SIGKILL');
} catch {
/* ignore */
}
}, 2000);
sigkill.unref?.();
} catch {
/* ignore */
}
if (!responseStarted && !rawRes.headersSent) {
this.send500(rawRes, send500Reason);
} else {
try {
rawRes.end();
} catch {
/* ignore */
}
}
done();
}
/** Send a clean 500 without leaking credentials or the request body. */
private send500(rawRes: ServerResponse, reason: string, err?: unknown): void {
const message = err instanceof Error ? err.message : undefined;
this.logger.error(
`git http-backend failed (${reason})${message ? `: ${message}` : ''}`,
);
try {
if (!rawRes.headersSent) {
rawRes.statusCode = 500;
rawRes.setHeader('Content-Type', 'text/plain');
}
rawRes.end('Internal server error');
} catch {
/* ignore */
}
}
}
@@ -0,0 +1,211 @@
// Unit tests for the pure /git smart-HTTP helpers: URL parsing, service->kind
// mapping (read vs write), and the gating/auth decision precedence.
import {
decideGitHttpGate,
parseGitPath,
resolveServiceKind,
} from './git-http.helpers';
describe('parseGitPath', () => {
it('parses spaceId + subpath, stripping the trailing .git', () => {
expect(parseGitPath('abc123.git/info/refs')).toEqual({
spaceId: 'abc123',
subpath: 'info/refs',
});
});
it('tolerates a leading slash', () => {
expect(parseGitPath('/abc.git/git-receive-pack')).toEqual({
spaceId: 'abc',
subpath: 'git-receive-pack',
});
});
it('returns an empty subpath for the bare repo root', () => {
expect(parseGitPath('abc.git')).toEqual({ spaceId: 'abc', subpath: '' });
});
it('returns null when the first segment lacks .git', () => {
expect(parseGitPath('abc/info/refs')).toBeNull();
});
it('returns null on an empty space id', () => {
expect(parseGitPath('.git/info/refs')).toBeNull();
});
it('rejects path traversal', () => {
expect(parseGitPath('abc.git/../../etc/passwd')).toBeNull();
expect(parseGitPath('..git/x')).toBeNull();
});
it('rejects percent-encoded dot/slash traversal in the subpath (case-insensitive)', () => {
expect(parseGitPath('abc.git/%2e%2e%2fetc/passwd')).toBeNull();
expect(parseGitPath('abc.git/%2E%2E/secret')).toBeNull();
expect(parseGitPath('abc.git/objects/%2fabsolute')).toBeNull();
});
});
describe('resolveServiceKind', () => {
it('GET info/refs?service=git-upload-pack -> read', () => {
expect(
resolveServiceKind({
method: 'GET',
subpath: 'info/refs',
service: 'git-upload-pack',
}),
).toBe('read');
});
it('GET info/refs?service=git-receive-pack -> write', () => {
expect(
resolveServiceKind({
method: 'GET',
subpath: 'info/refs',
service: 'git-receive-pack',
}),
).toBe('write');
});
it('POST git-upload-pack -> read', () => {
expect(
resolveServiceKind({ method: 'POST', subpath: 'git-upload-pack' }),
).toBe('read');
});
it('POST git-receive-pack -> write', () => {
expect(
resolveServiceKind({ method: 'POST', subpath: 'git-receive-pack' }),
).toBe('write');
});
it('a dumb-protocol GET (HEAD / objects) -> read', () => {
expect(resolveServiceKind({ method: 'GET', subpath: 'HEAD' })).toBe('read');
expect(
resolveServiceKind({ method: 'GET', subpath: 'objects/12/abcdef' }),
).toBe('read');
});
it('info/refs with no/unknown service -> read (dumb discovery)', () => {
expect(resolveServiceKind({ method: 'GET', subpath: 'info/refs' })).toBe(
'read',
);
});
it('an unknown POST endpoint -> null', () => {
expect(resolveServiceKind({ method: 'POST', subpath: 'whatever' })).toBeNull();
});
it('an unsupported method -> null', () => {
expect(
resolveServiceKind({ method: 'DELETE', subpath: 'git-receive-pack' }),
).toBeNull();
});
});
describe('decideGitHttpGate', () => {
const base = {
hasCredentials: true,
credentialsValid: true,
serviceKind: 'read' as const,
gitSyncEnabled: true,
gitHttpEnabled: true,
spaceExists: true,
spaceGitSyncEnabled: true,
userIsSpaceMember: true,
permissionGranted: true,
};
it('proceeds on the happy path', () => {
expect(decideGitHttpGate(base)).toEqual({ kind: 'proceed' });
});
it('401 when credentials are missing (even for a valid space)', () => {
expect(
decideGitHttpGate({ ...base, hasCredentials: false }),
).toEqual({ kind: 'unauthorized' });
});
it('401 when credentials are present but invalid', () => {
expect(
decideGitHttpGate({ ...base, credentialsValid: false }),
).toEqual({ kind: 'unauthorized' });
});
it('400 on an unparseable service kind', () => {
expect(decideGitHttpGate({ ...base, serviceKind: null })).toEqual({
kind: 'bad-request',
});
});
it('404 when the space is not git-sync-enabled (never reveals existence)', () => {
expect(
decideGitHttpGate({ ...base, spaceGitSyncEnabled: false }),
).toEqual({ kind: 'not-found' });
});
it('404 when the space does not exist', () => {
expect(decideGitHttpGate({ ...base, spaceExists: false })).toEqual({
kind: 'not-found',
});
});
it('404 when git-sync is globally disabled', () => {
expect(decideGitHttpGate({ ...base, gitSyncEnabled: false })).toEqual({
kind: 'not-found',
});
});
it('404 when the git-http host is disabled', () => {
expect(decideGitHttpGate({ ...base, gitHttpEnabled: false })).toEqual({
kind: 'not-found',
});
});
it('403 when a MEMBER lacks the required permission (reader on write)', () => {
// A member of the space (existence already known to them) who lacks the role:
// 403 leaks nothing new.
expect(
decideGitHttpGate({
...base,
serviceKind: 'write',
userIsSpaceMember: true,
permissionGranted: false,
}),
).toEqual({ kind: 'forbidden' });
});
it('404 (NOT 403) when an authenticated NON-member hits a git-sync space', () => {
// SECURITY: a non-member must be indistinguishable from a missing/disabled
// space. If this returned 403, the 403↔404 difference would let any
// authenticated workspace user brute-force slugs to discover which spaces
// exist and which have git-sync enabled.
expect(
decideGitHttpGate({
...base,
serviceKind: 'write',
userIsSpaceMember: false,
permissionGranted: false,
}),
).toEqual({ kind: 'not-found' });
// Same for a read by a non-member.
expect(
decideGitHttpGate({
...base,
serviceKind: 'read',
userIsSpaceMember: false,
permissionGranted: false,
}),
).toEqual({ kind: 'not-found' });
});
it('still 401 (not 404) for missing creds against a disabled space', () => {
// Anonymous probe must always get 401 first, regardless of space state.
expect(
decideGitHttpGate({
...base,
hasCredentials: false,
spaceGitSyncEnabled: false,
}),
).toEqual({ kind: 'unauthorized' });
});
});
@@ -0,0 +1,164 @@
// Pure, framework-free helpers for the /git smart-HTTP host. They carry no Nest
// / DI / concrete-service imports so the request parsing and the auth/authz
// gating DECISION can be unit-tested in isolation, and nothing here ever logs a
// password or the Authorization header.
/** The git operation a request maps to: a read (fetch/clone) or a write (push). */
export type GitHttpServiceKind = 'read' | 'write';
/** A parsed `/git/<spaceId>.git/<subpath>` URL. */
export interface ParsedGitPath {
spaceId: string;
/** The subpath after `<spaceId>.git/` (no leading slash), e.g. `info/refs`. */
subpath: string;
}
/**
* Parse the `<rest>` of a `/git/<rest>` URL path (no query string) into the
* space id and the repo-relative subpath. The space id is the first path
* segment with its trailing `.git` stripped. Returns null when the shape does
* not match (missing `.git`, empty space id, traversal attempt).
*
* `rest` MUST already be URL-path-decoded of its query string by the caller
* (pass the pathname only). We reject `..` segments defensively even though
* http-backend resolves PATH_INFO against GIT_PROJECT_ROOT.
*/
export function parseGitPath(rest: string): ParsedGitPath | null {
// Strip a leading slash, then take the first segment as `<spaceId>.git`.
const clean = rest.replace(/^\/+/, '');
const slash = clean.indexOf('/');
const first = slash === -1 ? clean : clean.slice(0, slash);
const subpath = slash === -1 ? '' : clean.slice(slash + 1);
if (!first.endsWith('.git')) return null;
const spaceId = first.slice(0, -'.git'.length);
if (!spaceId) return null;
// Reject path traversal / degenerate ids in either component.
if (
spaceId === '.' ||
spaceId.includes('..') ||
spaceId.includes('/') ||
subpath.split('/').some((seg) => seg === '..')
) {
return null;
}
// Defense-in-depth: reject percent-encoded dot/slash traversal (`%2e`, `%2f`,
// case-insensitive) in the subpath BEFORE it is used to build PATH_INFO — a
// decoder downstream could otherwise turn `%2e%2e%2f` back into `../`.
if (/%2e|%2f/i.test(subpath)) {
return null;
}
return { spaceId, subpath };
}
/**
* Map a parsed git request (method + subpath + query) to the required operation
* kind. The smart-HTTP shapes:
* - GET info/refs?service=git-upload-pack -> read (fetch)
* - GET info/refs?service=git-receive-pack -> write (push)
* - POST git-upload-pack -> read (fetch)
* - POST git-receive-pack -> write (push)
* - any other dumb-protocol GET (HEAD, objects/) -> read
* Returns null for an unsupported shape (e.g. a POST that is neither pack
* endpoint) so the caller can 403/404 rather than guess.
*/
export function resolveServiceKind(input: {
method: string;
subpath: string;
service?: string;
}): GitHttpServiceKind | null {
const method = input.method.toUpperCase();
const subpath = input.subpath;
if (method === 'GET') {
if (subpath === 'info/refs') {
if (input.service === 'git-receive-pack') return 'write';
if (input.service === 'git-upload-pack') return 'read';
// info/refs without a known service: dumb-protocol discovery — read.
return 'read';
}
// Dumb-protocol object/ref fetches (HEAD, objects/…) are reads.
return 'read';
}
if (method === 'POST') {
if (subpath === 'git-receive-pack') return 'write';
if (subpath === 'git-upload-pack') return 'read';
return null; // unknown POST endpoint
}
return null; // unsupported method
}
/** The outcome of the gating/auth decision the request handler must enforce. */
export type GitHttpGateDecision =
| { kind: 'unauthorized' } // 401 + WWW-Authenticate (missing/invalid creds)
| { kind: 'not-found' } // 404 (space hidden / sync or http disabled)
| { kind: 'forbidden' } // 403 (authenticated but lacks the permission)
| { kind: 'bad-request' } // 400 (unparseable git request shape)
| { kind: 'proceed' }; // run http-backend
/**
* Pure gating decision, mirroring the handler precedence so it can be unit
* tested without the DB / CASL graph. Inputs are the already-resolved booleans
* the handler computes from EnvironmentService / SpaceRepo / SpaceAbilityFactory.
*
* Precedence (matches the spec):
* 1. no/invalid Basic credentials -> 401 (regardless of space).
* 2. credentials present but invalid -> 401.
* 3. unparseable git request shape -> 400.
* 4. git-sync globally disabled, or git-http disabled, or the space is missing
* / not git-sync-enabled, OR the authenticated user is NOT a member of the
* space (has no role at all) -> 404 (never reveal existence).
* 5. a MEMBER of the space who lacks the required perm (e.g. a reader trying to
* push) -> 403.
* 6. otherwise -> proceed.
*
* Note (4) is checked AFTER (1)/(2): an anonymous probe always gets 401 first;
* an authenticated user hitting a hidden/disabled space OR a space they are not
* a member of gets 404 (not 403). Folding non-membership into the 404 branch is
* a SECURITY requirement: if a non-member got 403 here (as a "permission denied")
* while a non-existent / sync-disabled space got 404, the 403404 difference would
* let any authenticated workspace user brute-force slugs to discover which spaces
* exist and which have git-sync enabled including spaces they cannot see. 403 is
* therefore reserved for the one case where existence is ALREADY known to the
* caller because they ARE a member (so it leaks nothing new): a member without the
* required role. `userIsSpaceMember` is the resolved "the user has SOME role in
* this space" boolean (false when SpaceAbilityFactory.createForUser throws
* NotFound / the user has no role).
*/
export function decideGitHttpGate(input: {
hasCredentials: boolean;
credentialsValid: boolean;
serviceKind: GitHttpServiceKind | null;
gitSyncEnabled: boolean;
gitHttpEnabled: boolean;
spaceExists: boolean;
spaceGitSyncEnabled: boolean;
/** The user has SOME role in the space (false = non-member -> 404, not 403). */
userIsSpaceMember: boolean;
permissionGranted: boolean;
}): GitHttpGateDecision {
if (!input.hasCredentials) return { kind: 'unauthorized' };
if (!input.credentialsValid) return { kind: 'unauthorized' };
if (input.serviceKind === null) return { kind: 'bad-request' };
if (
!input.gitSyncEnabled ||
!input.gitHttpEnabled ||
!input.spaceExists ||
!input.spaceGitSyncEnabled ||
// A non-member must be indistinguishable from a missing/disabled space: 404,
// never 403 (otherwise the 403↔404 split leaks space existence — see above).
!input.userIsSpaceMember
) {
return { kind: 'not-found' };
}
if (!input.permissionGranted) return { kind: 'forbidden' };
return { kind: 'proceed' };
}

Some files were not shown because too many files have changed in this diff Show More