vvzvlad/gitmost
1
0
Fork 0
Code Issues 14 Pull Requests 12 Packages Projects Releases Activity

test: review-batch-2 follow-up coverage (sandbox html-embed, #101 fixes, i18n) #110

Merged
vvzvlad merged 12 commits from test/review-batch-2-followups into develop 2026-06-21 05:55:11 +03:00
Conversation 0 Commits 12 Files Changed 27 +1055 -70
Ghost commented 2026-06-21 05:53:55 +03:00
Copy Link

Тест-покрытие, заведённое в ревью PR #101 (смержен) и sandbox-рефактора html-embed. 12 коммитов, по коммиту на issue, всё на актуальном develop (после мержа #101). Тесты/мелкие чистые экстракции, без изменения поведения.

Closes #98, #99, #100, #102, #103, #104, #105, #106, #108, #109

Что покрыто

Sandbox html-embed + trackerHead (#98/#99/#100): оба бага из issues (BUG-1 $&-инъекция trackerHead, BUG-2 height NaN) УЖЕ были починены в sandbox-рефакторе — добавлены тесты, пиннящие инварианты:

  • injectTrackerHead (вынес в чистый хелпер): сниппет с $&/$$/$` вставляется байт-в-байт (падает на старом строковом replacer); empty/whitespace/нет </head> → без изменений.
  • Sandbox-токены ровно allow-scripts allow-popups allow-forms (нет allow-same-origin), рендер через srcDoc; clampHeight [40,4000]; isTrustedHeightMessage (чужой source/тип/NaN/Infinity отвергнуты).
  • editor-ext height codec ("abc"→null — пиннит NaN-guard); mcp htmlEmbed round-trip (source/height); DTO-валидация (@MaxLength(20000), @IsBoolean); CASL-гейт записи trackerHead не-админом; slash-меню гейтинг; no-op аудит-ветка.

Тесты на фиксы из #101: #102 movePage cycle-guard (self-move/cycle/legit), #103 non-text part → 400, #104 (resolveShareAiMaxOutputTokens — уже было), #105 export+тест resolveTrustProxy (вынес из main.ts), #106 reconnect-resync (makeConnectHandler), #108 assistant-name предикат.

i18n #109: ru-RU получил недостающие AI agent / AI agent is typing… (был mixed-language); en-US полный; остальные локали — fallback на en-US (полный перевод — отдельная задача).

Проверка

server 10 suites / 77 tests (затронутые) — все зелёные; client 4 files / 40 tests; server+client tsc --noEmit — чисто. Ветвь от текущего develop, конфликтов нет.

🤖 Generated with Claude Code

Тест-покрытие, заведённое в ревью PR #101 (смержен) и sandbox-рефактора html-embed. 12 коммитов, по коммиту на issue, всё на актуальном develop (после мержа #101). Тесты/мелкие чистые экстракции, без изменения поведения. Closes #98, #99, #100, #102, #103, #104, #105, #106, #108, #109 ## Что покрыто **Sandbox html-embed + trackerHead (#98/#99/#100):** оба бага из issues (BUG-1 `$&`-инъекция trackerHead, BUG-2 height NaN) УЖЕ были починены в sandbox-рефакторе — добавлены тесты, пиннящие инварианты: - `injectTrackerHead` (вынес в чистый хелпер): сниппет с `$&`/`$$`/`` $` `` вставляется байт-в-байт (падает на старом строковом replacer); empty/whitespace/нет `</head>` → без изменений. - Sandbox-токены ровно `allow-scripts allow-popups allow-forms` (нет `allow-same-origin`), рендер через `srcDoc`; `clampHeight` [40,4000]; `isTrustedHeightMessage` (чужой source/тип/NaN/Infinity отвергнуты). - editor-ext height codec (`"abc"`→null — пиннит NaN-guard); mcp htmlEmbed round-trip (source/height); DTO-валидация (`@MaxLength(20000)`, `@IsBoolean`); CASL-гейт записи trackerHead не-админом; slash-меню гейтинг; no-op аудит-ветка. **Тесты на фиксы из #101:** #102 movePage cycle-guard (self-move/cycle/legit), #103 non-text part → 400, #104 (resolveShareAiMaxOutputTokens — уже было), #105 export+тест `resolveTrustProxy` (вынес из main.ts), #106 reconnect-resync (`makeConnectHandler`), #108 assistant-name предикат. **i18n #109:** ru-RU получил недостающие `AI agent` / `AI agent is typing…` (был mixed-language); en-US полный; остальные локали — fallback на en-US (полный перевод — отдельная задача). ## Проверка server 10 suites / 77 tests (затронутые) — все зелёные; client 4 files / 40 tests; server+client `tsc --noEmit` — чисто. Ветвь от текущего develop, конфликтов нет. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Ghost added 12 commits 2026-06-21 05:53:55 +03:00
test(page): cover movePage server-side cycle guard (#102) 85db20f9f2 
Adds the missing tests for the #67 guard: self-move and a destination inside the
moved page's subtree both throw BadRequestException before updatePage; a
legitimate move proceeds. Mocks pageRepo + spies getPageBreadCrumbs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(share-ai): drive the non-text message-part 400 path (#103) 33c52045a2 
Covers the #63 guard: a message with a non-text part -> 400 'Unsupported message
content'; a message mixing text + a non-text part still 400s (before the 413
size check).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(security): export + unit-test resolveTrustProxy (#105) ec4622a1b8 
Relocate resolveTrustProxy from main.ts (untestable — bootstraps on import) to
integrations/environment/trust-proxy.util.ts and import it back. Unit-test every
branch (empty/undefined -> safe loopback/private default; true/false; hop count;
trim; CIDR/negative passthrough) so a regression can't silently re-open the XFF
spoofing hole (#61).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(ai-chat): cover the conditional assistant-name signature (#108) e8775c45b0 
Extract the shared assistant-name predicate (resolveAssistantName: trimmed name
or null) used by typing-indicator + message-item, and unit-test the branches
(name shown; whitespace-only -> 'AI agent' fallback; undefined -> fallback).
Behavior-identical (|| -> ?? since the helper returns null).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(share): extract + cover injectTrackerHead (#100, #98) d9fa804197 
Extract the admin trackerHead <head> injection into a pure injectTrackerHead()
and test it: a snippet containing $&/$$/backtick-dollar survives BYTE-FOR-BYTE
(pins the function-replacer fix), empty/whitespace/undefined and a missing </head>
leave the html unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(workspace): cover trackerHead DTO validation, CASL gate, no-op audit (#98) 85fd4afa85 
DTO: trackerHead @IsString/@MaxLength(20000) + htmlEmbed @IsBoolean accept/reject
cases. CASL: a non-admin updating trackerHead/htmlEmbed gets ForbiddenException
(update not called); owner/admin proceed. Audit: a no-op trackerHead re-save
doesn't enter the audit diff.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(mcp): round-trip the htmlEmbed passthrough node (#99, #98) b21433af4e 
Add htmlEmbed to the schema toYdoc/fromYdoc acceptance cases, asserting source +
height survive, so removing the passthrough node (which prevents 'Unknown node
type: htmlEmbed' on MCP/AI edits of an embed page) fails CI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(html-embed): cover sandbox resize/security helpers (#98, #99) 267bafdd73 
Extract clampHeight + isTrustedHeightMessage + the HTML_EMBED_SANDBOX token
constant from the NodeView and test them: clamp bounds; reject a resize message
from a foreign window / wrong type / NaN/Infinity; accept a valid same-source
finite message; assert the sandbox is exactly 'allow-scripts allow-popups
allow-forms' (no allow-same-origin) and rendered via srcDoc (not src).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(editor-ext): cover the html-embed height attr codec (#98, #99) ba37907f50 
Extract parse/renderHtmlEmbedHeight and test: '300'->300, absent->null,
'abc'->null (pins the NaN guard), '120px'->120; render 120->data-height, null/0->{}.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(html-embed): cover slash-menu gating of the HTML embed item (#98) 9797751b0a 
Export + test isHtmlEmbedFeatureEnabled: the 'HTML embed' slash item is hidden by
default / when the toggle is off / on broken localStorage (no throw), shown only
when the workspace toggle is exactly true.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
i18n(ai-chat): add the missing ru-RU typing-indicator keys (#109) 10bff229d6 
ru-RU had only '{{name}} is typing…' but not 'AI agent' / 'AI agent is typing…',
so the Russian typing indicator was mixed-language. Add them (AI-агент / AI-агент
печатает…) grouped with the named key. en-US is already complete; other locales
intentionally keep the en-US fallback (full translation is a separate effort).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(ws): cover the user-provider reconnect-resync branch (#106) 5418e259a6 
Extract makeConnectHandler(queryClient) (owning the firstConnect flag) from
UserProvider and test it: first connect does NOT invalidate; a reconnect
invalidates both root-sidebar-pages + sidebar-pages. Behavior-identical (#66).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vvzvlad merged commit e5bc82c7f1 into develop 2026-06-21 05:55:11 +03:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 epic
Large multi-phase effort spanning many changes
 feature
New functionality request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 idea
Idea / proposal for discussion
 invalid
This doesn't seem right
 needs-human
эскалация: нужно решение человека
 question
Further information is requested
 refactor
Code cleanup / refactoring
 review/approved
в последнем ревью нет открытых blocking-находок
 review/changes-requested
последнее ревью оставило открытые blocking-находки
 review/needs
head не ревьюился (head != reviewed_head)
 security
Security / hardening issue
 status/blocked
ждёт зависимость blocked_by
 status/done
закрыто и проверено
 status/in-progress
в активной работе (мягкая заявка)
 status/ready
специфицировано, не заблокировано, ждёт исполнителя
 test
Test coverage / test infrastructure
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent_coder agent_reviewer vvzvlad
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: vvzvlad/gitmost#110
Delete Branch "test/review-batch-2-followups"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?