8ae9bced24
Search view: read ?q from hash, call /api/search, group hits by kind with rank + space_id; sidebar filters for kinds and space_id; updates on Enter or filter change. Bumps package.json + server.js VERSION to 2.0.0-alpha.2 and pins the /health version assertion to match. CHANGELOG: full Plan 2 entry covering API surface, capability tiering, audit chain extension (approve/reject events), and the SPA shell. Security: adds safeHref() to dom.js and applies it everywhere an API-supplied URL becomes href / src (reference media block + reference source_url anchor + resource url anchor). javascript: and other non-http(s)/mailto schemes from agent-suggested content can no longer execute in the owner's browser. Plan 2 surface is feature-complete: 22/22 tasks landed, 185 tests across 43 files, SPA renders end-to-end including the suggest -> approve agent flow. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
54 lines
1.7 KiB
JavaScript
54 lines
1.7 KiB
JavaScript
import { describe, it, expect, beforeAll } from 'vitest';
|
|
import request from 'supertest';
|
|
import { createApp } from '../server.js';
|
|
import { resetDb } from './helpers/db.js';
|
|
import { migrateUp } from '../lib/db/migrate.js';
|
|
|
|
let app;
|
|
beforeAll(async () => {
|
|
await resetDb();
|
|
await migrateUp();
|
|
process.env.OWNER_TOKEN = 'test-token';
|
|
app = createApp();
|
|
});
|
|
|
|
describe('server', () => {
|
|
it('GET /health returns 200 with db_ok=true', async () => {
|
|
const res = await request(app).get('/health');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.db_ok).toBe(true);
|
|
expect(res.body.version).toBe('2.0.0-alpha.2');
|
|
});
|
|
|
|
it('GET /api/spaces without token returns 401', async () => {
|
|
const res = await request(app).get('/api/spaces');
|
|
expect(res.status).toBe(401);
|
|
});
|
|
|
|
it('GET /api/spaces with token returns 200 and empty array', async () => {
|
|
const res = await request(app)
|
|
.get('/api/spaces')
|
|
.set('Authorization', 'Bearer test-token');
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual([]);
|
|
});
|
|
|
|
it('unknown /api route returns 404 with structured error', async () => {
|
|
const res = await request(app).get('/api/nope').set('Authorization', 'Bearer test-token');
|
|
expect(res.status).toBe(404);
|
|
expect(res.body).toEqual({ error: { code: 'not_found', message: 'route not found' } });
|
|
});
|
|
|
|
it('unknown non-api route returns 404', async () => {
|
|
const res = await request(app).get('/missing');
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('GET / serves the SPA shell (text/html)', async () => {
|
|
const res = await request(app).get('/');
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers['content-type']).toMatch(/text\/html/);
|
|
expect(res.text).toMatch(/<div id="shell">/);
|
|
});
|
|
});
|