mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-02 03:35:09 +02:00
Garry Tan
03973c2fab
* fix(bin): pass search params via env vars (RCE fix) (#819) Replace shell string interpolation with process.env in gstack-learnings-search to prevent arbitrary code execution via crafted learnings entries. Also fixes the CROSS_PROJECT interpolation that the original PR missed. Adds 3 regression tests verifying no shell interpolation remains in the bun -e block. Co-authored-by: garagon <garagon@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): add path validation to upload command (#821) Add isPathWithin() and path traversal checks to the upload command, blocking file exfiltration via crafted upload paths. Uses existing SAFE_DIRECTORIES constant instead of a local copy. Adds 3 regression tests. Co-authored-by: garagon <garagon@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): symlink resolution in meta-commands validateOutputPath (#820) Add realpathSync to validateOutputPath in meta-commands.ts to catch symlink-based directory escapes in screenshot, pdf, and responsive commands. Resolves SAFE_DIRECTORIES through realpathSync to handle macOS /tmp -> /private/tmp symlinks. Existing path validation tests pass with the hardened implementation. Co-authored-by: garagon <garagon@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add uninstall instructions to README (#812) Community PR #812 by @0531Kim. Adds two uninstall paths: the gstack-uninstall script (handles everything) and manual removal steps for when the repo isn't cloned. Includes CLAUDE.md cleanup note and Playwright cache guidance. Co-Authored-By: 0531Kim <0531Kim@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): Windows launcher extraEnv + headed-mode token (#822) Community PR #822 by @pieterklue. Three fixes: 1. Windows launcher now merges extraEnv into spawned server env (was only passing BROWSE_STATE_FILE, dropping all other env vars) 2. Welcome page fallback serves inline HTML instead of about:blank redirect (avoids ERR_UNSAFE_REDIRECT on Windows) 3. /health returns auth token in headed mode even without Origin header (fixes Playwright Chromium extensions that don't send it) Also adds HOME/USERPROFILE fallback for cross-platform compatibility. Co-Authored-By: pieterklue <pieterklue@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): terminate orphan server when parent process exits (#808) Community PR #808 by @mmporong. Passes BROWSE_PARENT_PID to the spawned server process. The server polls every 15s with signal 0 and calls shutdown() if the parent is gone. Prevents orphaned chrome-headless-shell processes when Claude Code sessions exit abnormally. Co-Authored-By: mmporong <mmporong@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(security): IPv6 ULA blocking, cookie redaction, per-tab cancel, targeted token (#664) Community PR #664 by @mr-k-man (security audit round 1, new parts only). - IPv6 ULA prefix blocking (fc00::/7) in url-validation.ts with false-positive guard for hostnames like fd.example.com - Cookie value redaction for tokens, API keys, JWTs in browse cookies command - Per-tab cancel files in killAgent() replacing broken global kill-signal - design/serve.ts: realpathSync upgrade prevents symlink bypass in /api/reload - extension: targeted getToken handler replaces token-in-health-broadcast - Supabase migration 003: column-level GRANT restricts anon UPDATE scope - Telemetry sync: upsert error logging - 10 new tests for IPv6, cookie redaction, DNS rebinding, path traversal Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(security): CSS injection guard, timeout clamping, session validation, tests (#806) Community PR #806 by @mr-k-man (security audit round 2, new parts only). - CSS value validation (DANGEROUS_CSS) in cdp-inspector, write-commands, extension inspector - Queue file permissions (0o700/0o600) in cli, server, sidebar-agent - escapeRegExp for frame --url ReDoS fix - Responsive screenshot path validation with validateOutputPath - State load cookie filtering (reject localhost/.internal/metadata cookies) - Session ID format validation in loadSession - /health endpoint: remove currentUrl and currentMessage fields - QueueEntry interface + isValidQueueEntry validator for sidebar-agent - SIGTERM->SIGKILL escalation in timeout handler - Viewport dimension clamping (1-16384), wait timeout clamping (1s-300s) - Cookie domain validation in cookie-import and cookie-import-browser - DocumentFragment-based tab switching (XSS fix in sidepanel) - pollInProgress reentrancy guard for pollChat - toggleClass/injectCSS input validation in extension inspector - Snapshot annotated path validation with realpathSync - 714-line security-audit-r2.test.ts + 33-line learnings-injection.test.ts Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: bump version and changelog (v0.15.13.0) Community security wave: 8 PRs from 4 contributors (@garagon, @mr-k-man, @mmporong, @0531Kim, @pieterklue). IPv6 ULA blocking, cookie redaction, per-tab cancel signaling, CSS injection guards, timeout clamping, session validation, DocumentFragment XSS fix, parent process watchdog, uninstall docs, Windows fixes, and 750+ lines of security regression tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: garagon <garagon@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: 0531Kim <0531Kim@users.noreply.github.com> Co-authored-by: pieterklue <pieterklue@users.noreply.github.com> Co-authored-by: mmporong <mmporong@users.noreply.github.com> Co-authored-by: mr-k-man <mr-k-man@users.noreply.github.com>
462 lines
16 KiB
TypeScript
462 lines
16 KiB
TypeScript
/**
|
|
* Tests for the $D serve command — HTTP server for comparison board feedback.
|
|
*
|
|
* Tests the stateful server lifecycle:
|
|
* - SERVING → POST submit → DONE (exit 0)
|
|
* - SERVING → POST regenerate → REGENERATING → POST reload → SERVING
|
|
* - Timeout → exit 1
|
|
* - Error handling (missing HTML, malformed JSON, missing reload path)
|
|
*/
|
|
|
|
import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
|
|
import { generateCompareHtml } from '../src/compare';
|
|
import * as fs from 'fs';
|
|
import * as path from 'path';
|
|
|
|
let tmpDir: string;
|
|
let boardHtml: string;
|
|
|
|
// Create a minimal 1x1 pixel PNG for test variants
|
|
function createTestPng(filePath: string): void {
|
|
const png = Buffer.from(
|
|
'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/58BAwAI/AL+hc2rNAAAAABJRU5ErkJggg==',
|
|
'base64'
|
|
);
|
|
fs.writeFileSync(filePath, png);
|
|
}
|
|
|
|
beforeAll(() => {
|
|
tmpDir = '/tmp/serve-test-' + Date.now();
|
|
fs.mkdirSync(tmpDir, { recursive: true });
|
|
|
|
// Create test PNGs and generate comparison board
|
|
createTestPng(path.join(tmpDir, 'variant-A.png'));
|
|
createTestPng(path.join(tmpDir, 'variant-B.png'));
|
|
createTestPng(path.join(tmpDir, 'variant-C.png'));
|
|
|
|
const html = generateCompareHtml([
|
|
path.join(tmpDir, 'variant-A.png'),
|
|
path.join(tmpDir, 'variant-B.png'),
|
|
path.join(tmpDir, 'variant-C.png'),
|
|
]);
|
|
boardHtml = path.join(tmpDir, 'design-board.html');
|
|
fs.writeFileSync(boardHtml, html);
|
|
});
|
|
|
|
afterAll(() => {
|
|
fs.rmSync(tmpDir, { recursive: true, force: true });
|
|
});
|
|
|
|
// ─── Serve as HTTP module (not subprocess) ────────────────────────
|
|
|
|
describe('Serve HTTP endpoints', () => {
|
|
let server: ReturnType<typeof Bun.serve>;
|
|
let baseUrl: string;
|
|
let htmlContent: string;
|
|
let state: string;
|
|
|
|
beforeAll(() => {
|
|
htmlContent = fs.readFileSync(boardHtml, 'utf-8');
|
|
state = 'serving';
|
|
|
|
server = Bun.serve({
|
|
port: 0,
|
|
fetch(req) {
|
|
const url = new URL(req.url);
|
|
|
|
if (req.method === 'GET' && url.pathname === '/') {
|
|
const injected = htmlContent.replace(
|
|
'</head>',
|
|
`<script>window.__GSTACK_SERVER_URL = '${url.origin}';</script>\n</head>`
|
|
);
|
|
return new Response(injected, {
|
|
headers: { 'Content-Type': 'text/html; charset=utf-8' },
|
|
});
|
|
}
|
|
|
|
if (req.method === 'GET' && url.pathname === '/api/progress') {
|
|
return Response.json({ status: state });
|
|
}
|
|
|
|
if (req.method === 'POST' && url.pathname === '/api/feedback') {
|
|
return (async () => {
|
|
let body: any;
|
|
try { body = await req.json(); } catch { return Response.json({ error: 'Invalid JSON' }, { status: 400 }); }
|
|
if (typeof body !== 'object' || body === null) return Response.json({ error: 'Expected JSON object' }, { status: 400 });
|
|
const isSubmit = body.regenerated === false;
|
|
const feedbackFile = isSubmit ? 'feedback.json' : 'feedback-pending.json';
|
|
fs.writeFileSync(path.join(tmpDir, feedbackFile), JSON.stringify(body, null, 2));
|
|
if (isSubmit) {
|
|
state = 'done';
|
|
return Response.json({ received: true, action: 'submitted' });
|
|
}
|
|
state = 'regenerating';
|
|
return Response.json({ received: true, action: 'regenerate' });
|
|
})();
|
|
}
|
|
|
|
if (req.method === 'POST' && url.pathname === '/api/reload') {
|
|
return (async () => {
|
|
let body: any;
|
|
try { body = await req.json(); } catch { return Response.json({ error: 'Invalid JSON' }, { status: 400 }); }
|
|
if (!body.html || !fs.existsSync(body.html)) {
|
|
return Response.json({ error: `HTML file not found: ${body.html}` }, { status: 400 });
|
|
}
|
|
htmlContent = fs.readFileSync(body.html, 'utf-8');
|
|
state = 'serving';
|
|
return Response.json({ reloaded: true });
|
|
})();
|
|
}
|
|
|
|
return new Response('Not found', { status: 404 });
|
|
},
|
|
});
|
|
baseUrl = `http://localhost:${server.port}`;
|
|
});
|
|
|
|
afterAll(() => {
|
|
server.stop();
|
|
});
|
|
|
|
test('GET / serves HTML with injected __GSTACK_SERVER_URL', async () => {
|
|
const res = await fetch(baseUrl);
|
|
expect(res.status).toBe(200);
|
|
const html = await res.text();
|
|
expect(html).toContain('__GSTACK_SERVER_URL');
|
|
expect(html).toContain(baseUrl);
|
|
expect(html).toContain('Design Exploration');
|
|
});
|
|
|
|
test('GET /api/progress returns current state', async () => {
|
|
state = 'serving';
|
|
const res = await fetch(`${baseUrl}/api/progress`);
|
|
const data = await res.json();
|
|
expect(data.status).toBe('serving');
|
|
});
|
|
|
|
test('POST /api/feedback with submit sets state to done', async () => {
|
|
state = 'serving';
|
|
const feedback = {
|
|
preferred: 'A',
|
|
ratings: { A: 4, B: 3, C: 2 },
|
|
comments: { A: 'Good spacing' },
|
|
overall: 'Go with A',
|
|
regenerated: false,
|
|
};
|
|
|
|
const res = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify(feedback),
|
|
});
|
|
const data = await res.json();
|
|
expect(data.received).toBe(true);
|
|
expect(data.action).toBe('submitted');
|
|
expect(state).toBe('done');
|
|
|
|
// Verify feedback.json was written
|
|
const written = JSON.parse(fs.readFileSync(path.join(tmpDir, 'feedback.json'), 'utf-8'));
|
|
expect(written.preferred).toBe('A');
|
|
expect(written.ratings.A).toBe(4);
|
|
});
|
|
|
|
test('POST /api/feedback with regenerate sets state and writes feedback-pending.json', async () => {
|
|
state = 'serving';
|
|
// Clean up any prior pending file
|
|
const pendingPath = path.join(tmpDir, 'feedback-pending.json');
|
|
if (fs.existsSync(pendingPath)) fs.unlinkSync(pendingPath);
|
|
|
|
const feedback = {
|
|
preferred: 'B',
|
|
ratings: { A: 3, B: 5, C: 2 },
|
|
comments: {},
|
|
overall: null,
|
|
regenerated: true,
|
|
regenerateAction: 'different',
|
|
};
|
|
|
|
const res = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify(feedback),
|
|
});
|
|
const data = await res.json();
|
|
expect(data.received).toBe(true);
|
|
expect(data.action).toBe('regenerate');
|
|
expect(state).toBe('regenerating');
|
|
|
|
// Progress should reflect regenerating state
|
|
const progress = await fetch(`${baseUrl}/api/progress`);
|
|
const pd = await progress.json();
|
|
expect(pd.status).toBe('regenerating');
|
|
|
|
// Agent can poll for feedback-pending.json
|
|
expect(fs.existsSync(pendingPath)).toBe(true);
|
|
const pending = JSON.parse(fs.readFileSync(pendingPath, 'utf-8'));
|
|
expect(pending.regenerated).toBe(true);
|
|
expect(pending.regenerateAction).toBe('different');
|
|
});
|
|
|
|
test('POST /api/feedback with remix contains remixSpec', async () => {
|
|
state = 'serving';
|
|
const feedback = {
|
|
preferred: null,
|
|
ratings: { A: 4, B: 3, C: 3 },
|
|
comments: {},
|
|
overall: null,
|
|
regenerated: true,
|
|
regenerateAction: 'remix',
|
|
remixSpec: { layout: 'A', colors: 'B', typography: 'C' },
|
|
};
|
|
|
|
const res = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify(feedback),
|
|
});
|
|
const data = await res.json();
|
|
expect(data.received).toBe(true);
|
|
expect(state).toBe('regenerating');
|
|
});
|
|
|
|
test('POST /api/feedback with malformed JSON returns 400', async () => {
|
|
const res = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: 'not json',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
});
|
|
|
|
test('POST /api/feedback with non-object returns 400', async () => {
|
|
const res = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: '"just a string"',
|
|
});
|
|
expect(res.status).toBe(400);
|
|
});
|
|
|
|
test('POST /api/reload swaps HTML and resets state to serving', async () => {
|
|
state = 'regenerating';
|
|
|
|
// Create a new board HTML
|
|
const newBoard = path.join(tmpDir, 'new-board.html');
|
|
fs.writeFileSync(newBoard, '<html><body>New board content</body></html>');
|
|
|
|
const res = await fetch(`${baseUrl}/api/reload`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ html: newBoard }),
|
|
});
|
|
const data = await res.json();
|
|
expect(data.reloaded).toBe(true);
|
|
expect(state).toBe('serving');
|
|
|
|
// Verify the new HTML is served
|
|
const pageRes = await fetch(baseUrl);
|
|
const pageHtml = await pageRes.text();
|
|
expect(pageHtml).toContain('New board content');
|
|
});
|
|
|
|
test('POST /api/reload with missing file returns 400', async () => {
|
|
const res = await fetch(`${baseUrl}/api/reload`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ html: '/nonexistent/file.html' }),
|
|
});
|
|
expect(res.status).toBe(400);
|
|
});
|
|
|
|
test('GET /unknown returns 404', async () => {
|
|
const res = await fetch(`${baseUrl}/random-path`);
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
// ─── Path traversal protection in /api/reload ─────────────────────
|
|
|
|
describe('Serve /api/reload — path traversal protection', () => {
|
|
let server: ReturnType<typeof Bun.serve>;
|
|
let baseUrl: string;
|
|
let htmlContent: string;
|
|
let allowedDir: string;
|
|
|
|
beforeAll(() => {
|
|
// Production-equivalent allowedDir anchored to tmpDir
|
|
allowedDir = fs.realpathSync(tmpDir);
|
|
htmlContent = fs.readFileSync(boardHtml, 'utf-8');
|
|
|
|
// This server mirrors the production serve() with the path validation fix
|
|
server = Bun.serve({
|
|
port: 0,
|
|
fetch(req) {
|
|
const url = new URL(req.url);
|
|
|
|
if (req.method === 'GET' && url.pathname === '/') {
|
|
return new Response(htmlContent, {
|
|
headers: { 'Content-Type': 'text/html; charset=utf-8' },
|
|
});
|
|
}
|
|
|
|
if (req.method === 'POST' && url.pathname === '/api/reload') {
|
|
return (async () => {
|
|
let body: any;
|
|
try { body = await req.json(); } catch { return Response.json({ error: 'Invalid JSON' }, { status: 400 }); }
|
|
if (!body.html || !fs.existsSync(body.html)) {
|
|
return Response.json({ error: `HTML file not found: ${body.html}` }, { status: 400 });
|
|
}
|
|
// Production path validation — same as design/src/serve.ts
|
|
const resolvedReload = fs.realpathSync(path.resolve(body.html));
|
|
if (!resolvedReload.startsWith(allowedDir + path.sep) && resolvedReload !== allowedDir) {
|
|
return Response.json({ error: `Path must be within: ${allowedDir}` }, { status: 403 });
|
|
}
|
|
htmlContent = fs.readFileSync(resolvedReload, 'utf-8');
|
|
return Response.json({ reloaded: true });
|
|
})();
|
|
}
|
|
|
|
return new Response('Not found', { status: 404 });
|
|
},
|
|
});
|
|
baseUrl = `http://localhost:${server.port}`;
|
|
});
|
|
|
|
afterAll(() => {
|
|
server.stop();
|
|
});
|
|
|
|
test('blocks reload with path outside allowed directory', async () => {
|
|
const res = await fetch(`${baseUrl}/api/reload`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ html: '/etc/passwd' }),
|
|
});
|
|
expect(res.status).toBe(403);
|
|
const data = await res.json();
|
|
expect(data.error).toContain('Path must be within');
|
|
});
|
|
|
|
test('blocks reload with symlink pointing outside allowed directory', async () => {
|
|
const linkPath = path.join(tmpDir, 'evil-link.html');
|
|
try {
|
|
fs.symlinkSync('/etc/passwd', linkPath);
|
|
const res = await fetch(`${baseUrl}/api/reload`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ html: linkPath }),
|
|
});
|
|
expect(res.status).toBe(403);
|
|
} finally {
|
|
try { fs.unlinkSync(linkPath); } catch {}
|
|
}
|
|
});
|
|
|
|
test('allows reload with file inside allowed directory', async () => {
|
|
const goodPath = path.join(tmpDir, 'safe-board.html');
|
|
fs.writeFileSync(goodPath, '<html><body>Safe reload</body></html>');
|
|
|
|
const res = await fetch(`${baseUrl}/api/reload`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ html: goodPath }),
|
|
});
|
|
expect(res.status).toBe(200);
|
|
const data = await res.json();
|
|
expect(data.reloaded).toBe(true);
|
|
|
|
// Verify the new content is served
|
|
const page = await fetch(baseUrl);
|
|
expect(await page.text()).toContain('Safe reload');
|
|
});
|
|
});
|
|
|
|
// ─── Full lifecycle: regeneration round-trip ──────────────────────
|
|
|
|
describe('Full regeneration lifecycle', () => {
|
|
let server: ReturnType<typeof Bun.serve>;
|
|
let baseUrl: string;
|
|
let htmlContent: string;
|
|
let state: string;
|
|
|
|
beforeAll(() => {
|
|
htmlContent = fs.readFileSync(boardHtml, 'utf-8');
|
|
state = 'serving';
|
|
|
|
server = Bun.serve({
|
|
port: 0,
|
|
fetch(req) {
|
|
const url = new URL(req.url);
|
|
if (req.method === 'GET' && url.pathname === '/') {
|
|
return new Response(htmlContent, { headers: { 'Content-Type': 'text/html' } });
|
|
}
|
|
if (req.method === 'GET' && url.pathname === '/api/progress') {
|
|
return Response.json({ status: state });
|
|
}
|
|
if (req.method === 'POST' && url.pathname === '/api/feedback') {
|
|
return (async () => {
|
|
const body = await req.json();
|
|
if (body.regenerated) { state = 'regenerating'; return Response.json({ received: true, action: 'regenerate' }); }
|
|
state = 'done'; return Response.json({ received: true, action: 'submitted' });
|
|
})();
|
|
}
|
|
if (req.method === 'POST' && url.pathname === '/api/reload') {
|
|
return (async () => {
|
|
const body = await req.json();
|
|
if (body.html && fs.existsSync(body.html)) {
|
|
htmlContent = fs.readFileSync(body.html, 'utf-8');
|
|
state = 'serving';
|
|
return Response.json({ reloaded: true });
|
|
}
|
|
return Response.json({ error: 'Not found' }, { status: 400 });
|
|
})();
|
|
}
|
|
return new Response('Not found', { status: 404 });
|
|
},
|
|
});
|
|
baseUrl = `http://localhost:${server.port}`;
|
|
});
|
|
|
|
afterAll(() => { server.stop(); });
|
|
|
|
test('regenerate → reload → submit round-trip', async () => {
|
|
// Step 1: User clicks regenerate
|
|
expect(state).toBe('serving');
|
|
const regen = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ regenerated: true, regenerateAction: 'different', preferred: null, ratings: {}, comments: {} }),
|
|
});
|
|
expect((await regen.json()).action).toBe('regenerate');
|
|
expect(state).toBe('regenerating');
|
|
|
|
// Step 2: Progress shows regenerating
|
|
const prog1 = await (await fetch(`${baseUrl}/api/progress`)).json();
|
|
expect(prog1.status).toBe('regenerating');
|
|
|
|
// Step 3: Agent generates new variants and reloads
|
|
const newBoard = path.join(tmpDir, 'round2-board.html');
|
|
fs.writeFileSync(newBoard, '<html><body>Round 2 variants</body></html>');
|
|
const reload = await fetch(`${baseUrl}/api/reload`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ html: newBoard }),
|
|
});
|
|
expect((await reload.json()).reloaded).toBe(true);
|
|
expect(state).toBe('serving');
|
|
|
|
// Step 4: Progress shows serving (board would auto-refresh)
|
|
const prog2 = await (await fetch(`${baseUrl}/api/progress`)).json();
|
|
expect(prog2.status).toBe('serving');
|
|
|
|
// Step 5: User submits on round 2
|
|
const submit = await fetch(`${baseUrl}/api/feedback`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ regenerated: false, preferred: 'B', ratings: { A: 3, B: 5 }, comments: {}, overall: 'B is great' }),
|
|
});
|
|
expect((await submit.json()).action).toBe('submitted');
|
|
expect(state).toBe('done');
|
|
});
|
|
});
|