2026-05-28 23:37:31 +00:00
|
|
|
{
|
|
|
|
|
"name": "@workspace/api-server",
|
|
|
|
|
"version": "0.0.0",
|
|
|
|
|
"private": true,
|
|
|
|
|
"type": "module",
|
|
|
|
|
"scripts": {
|
|
|
|
|
"dev": "export NODE_ENV=development && pnpm run build && pnpm run start",
|
|
|
|
|
"build": "node ./build.mjs",
|
|
|
|
|
"start": "node --enable-source-maps ./dist/index.mjs",
|
Add automated tests for skill version detection
Task #13: lock in the fingerprint/relation logic behind SkillGuard's
identical/modified/new version detection with automated tests.
What was added
- Set up Vitest in artifacts/api-server (dev dep + `test` script + vitest.config.ts
using the "workspace" resolve condition so @workspace/* resolve to source).
- Unit tests (no DB):
- src/lib/skillFingerprint.test.ts — hashText/hashBytes stability & agreement,
computeFingerprint stable + order-independent + sensitive to content/path/add/remove,
jaccard overlap/symmetry/empty handling.
- src/lib/lineDiff.test.ts — lineSimilarity ratios (identical, single-edit, disjoint,
symmetric, CRLF), lineDiff context/add/remove with line numbers and the 2000-line cap.
- DB-backed tests (use the existing DATABASE_URL):
- src/routes/relation.test.ts — computeRelation: identical content under a different
name -> "identical" + check-counter (countFingerprint) increments; one-line edit to a
single-file skill -> "modified" with sensible similarity; unrelated skill -> "new".
Also direct computeContentSimilarity cases. Fixtures use randomized content to avoid
collisions with shared dev data and are cleaned up afterEach.
- src/routes/compare.test.ts — e2e GET /api/scans/:id/compare/:otherId via a live
server: asserts unchanged/modified/added/removed statuses, sorted file order, the
line diff for the modified file, null diffs elsewhere, and 404 for missing scans.
Production code change
- Exported computeRelation, computeContentSimilarity, countFingerprint from
src/routes/scans.ts so the relation logic can be unit-tested. No behavior change.
Verification
- `pnpm --filter @workspace/api-server run test` -> 34 tests, 4 files, all pass.
- `pnpm --filter @workspace/api-server run typecheck` passes (rebuilt stale lib/db
declarations via `pnpm run typecheck:libs`).
- Production build unaffected: esbuild only bundles from src/index.ts, so *.test.ts
files are not included.
Replit-Task-Id: e9ae5e24-1480-4a09-8436-1718c535573a
2026-06-10 19:48:10 +00:00
|
|
|
"typecheck": "tsc -p tsconfig.json --noEmit",
|
|
|
|
|
"test": "vitest run"
|
2026-05-28 23:37:31 +00:00
|
|
|
},
|
|
|
|
|
"dependencies": {
|
|
|
|
|
"@workspace/api-zod": "workspace:*",
|
|
|
|
|
"@workspace/db": "workspace:*",
|
Replace Clerk with custom email+password authentication
Task: Replace Clerk (Replit-managed) with a standalone JWT/cookie-based auth system.
## What changed
### Backend (api-server)
- Added `admin_users` table (lib/db/src/schema/adminUsers.ts) with id, email (unique), password_hash, created_at; pushed to DB with drizzle-kit push
- Replaced `resolveAuth`/`requireAdmin` in auth.ts middleware: now reads a signed HS256 JWT from the `session` httpOnly cookie (via `jose`) instead of Clerk tokens
- Added `POST /api/auth/login` (bcrypt password check → sets httpOnly cookie), `POST /api/auth/logout` (clears cookie), `GET /api/me` (unchanged contract)
- Added `seedAdminUser()` in lib/seedAdmin.ts: on startup, if no admin exists, creates one from ADMIN_EMAIL + ADMIN_PASSWORD env vars (bcrypt-hashed)
- Removed all Clerk imports from app.ts: clerkMiddleware, publishableKeyFromHost, clerkProxyMiddleware deleted
- Deleted clerkProxyMiddleware.ts entirely
- Added cookie-parser middleware to app.ts
- Removed @clerk/express, @clerk/shared from package.json; added jose, bcryptjs, @types/bcryptjs
### Frontend (skillguard)
- Removed ClerkProvider, SignIn, SignUp, ClerkQueryClientCacheInvalidator from App.tsx; replaced with plain wouter routes
- Replaced /sign-in and /sign-up routes with a single /sign-in route pointing to new LoginPage
- New LoginPage (src/pages/login.tsx): email+password form using shadcn Input/Button/Card, calls POST /api/auth/login, redirects to /admin on success
- layout.tsx: replaced useClerk/useUser with useGetMe() + fetch POST /api/auth/logout
- require-admin.tsx: unchanged logic (already used useGetMe()), updated comment
- Removed @clerk/react, @clerk/localizations, @clerk/themes from package.json
- Added signInButton + loginError i18n keys to all 3 locales (de/en/es)
## New secrets required
- SESSION_SECRET (already existed)
- ADMIN_EMAIL (new — first admin email)
- ADMIN_PASSWORD (new — first admin password, stored as bcrypt hash)
## Removed env vars
- CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, VITE_CLERK_PUBLISHABLE_KEY, VITE_CLERK_PROXY_URL (can be deleted from secrets)
## Test results
All 79 tests pass.
Replit-Task-Id: 41d32d48-8f20-44bc-b665-a2becb83e503
2026-06-16 21:22:55 +00:00
|
|
|
"bcryptjs": "^2.4.3",
|
2026-05-28 23:37:31 +00:00
|
|
|
"cookie-parser": "^1.4.7",
|
|
|
|
|
"cors": "^2.8.6",
|
|
|
|
|
"drizzle-orm": "catalog:",
|
|
|
|
|
"express": "^5.2.1",
|
2026-06-11 05:23:53 +00:00
|
|
|
"express-rate-limit": "^8.5.2",
|
SkillGuard: complete frontend wiring and harden backend
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing now enforces limits (max files, total + per-file size) to mitigate
zip-bomb DoS.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
2026-06-08 14:59:17 +00:00
|
|
|
"fflate": "^0.8.3",
|
Replace Clerk with custom email+password authentication
Task: Replace Clerk (Replit-managed) with a standalone JWT/cookie-based auth system.
## What changed
### Backend (api-server)
- Added `admin_users` table (lib/db/src/schema/adminUsers.ts) with id, email (unique), password_hash, created_at; pushed to DB with drizzle-kit push
- Replaced `resolveAuth`/`requireAdmin` in auth.ts middleware: now reads a signed HS256 JWT from the `session` httpOnly cookie (via `jose`) instead of Clerk tokens
- Added `POST /api/auth/login` (bcrypt password check → sets httpOnly cookie), `POST /api/auth/logout` (clears cookie), `GET /api/me` (unchanged contract)
- Added `seedAdminUser()` in lib/seedAdmin.ts: on startup, if no admin exists, creates one from ADMIN_EMAIL + ADMIN_PASSWORD env vars (bcrypt-hashed)
- Removed all Clerk imports from app.ts: clerkMiddleware, publishableKeyFromHost, clerkProxyMiddleware deleted
- Deleted clerkProxyMiddleware.ts entirely
- Added cookie-parser middleware to app.ts
- Removed @clerk/express, @clerk/shared from package.json; added jose, bcryptjs, @types/bcryptjs
### Frontend (skillguard)
- Removed ClerkProvider, SignIn, SignUp, ClerkQueryClientCacheInvalidator from App.tsx; replaced with plain wouter routes
- Replaced /sign-in and /sign-up routes with a single /sign-in route pointing to new LoginPage
- New LoginPage (src/pages/login.tsx): email+password form using shadcn Input/Button/Card, calls POST /api/auth/login, redirects to /admin on success
- layout.tsx: replaced useClerk/useUser with useGetMe() + fetch POST /api/auth/logout
- require-admin.tsx: unchanged logic (already used useGetMe()), updated comment
- Removed @clerk/react, @clerk/localizations, @clerk/themes from package.json
- Added signInButton + loginError i18n keys to all 3 locales (de/en/es)
## New secrets required
- SESSION_SECRET (already existed)
- ADMIN_EMAIL (new — first admin email)
- ADMIN_PASSWORD (new — first admin password, stored as bcrypt hash)
## Removed env vars
- CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, VITE_CLERK_PUBLISHABLE_KEY, VITE_CLERK_PROXY_URL (can be deleted from secrets)
## Test results
All 79 tests pass.
Replit-Task-Id: 41d32d48-8f20-44bc-b665-a2becb83e503
2026-06-16 21:22:55 +00:00
|
|
|
"jose": "^5.10.0",
|
2026-05-28 23:37:31 +00:00
|
|
|
"pino": "^9.14.0",
|
|
|
|
|
"pino-http": "^10.5.0"
|
|
|
|
|
},
|
|
|
|
|
"devDependencies": {
|
Replace Clerk with custom email+password authentication
Task: Replace Clerk (Replit-managed) with a standalone JWT/cookie-based auth system.
## What changed
### Backend (api-server)
- Added `admin_users` table (lib/db/src/schema/adminUsers.ts) with id, email (unique), password_hash, created_at; pushed to DB with drizzle-kit push
- Replaced `resolveAuth`/`requireAdmin` in auth.ts middleware: now reads a signed HS256 JWT from the `session` httpOnly cookie (via `jose`) instead of Clerk tokens
- Added `POST /api/auth/login` (bcrypt password check → sets httpOnly cookie), `POST /api/auth/logout` (clears cookie), `GET /api/me` (unchanged contract)
- Added `seedAdminUser()` in lib/seedAdmin.ts: on startup, if no admin exists, creates one from ADMIN_EMAIL + ADMIN_PASSWORD env vars (bcrypt-hashed)
- Removed all Clerk imports from app.ts: clerkMiddleware, publishableKeyFromHost, clerkProxyMiddleware deleted
- Deleted clerkProxyMiddleware.ts entirely
- Added cookie-parser middleware to app.ts
- Removed @clerk/express, @clerk/shared from package.json; added jose, bcryptjs, @types/bcryptjs
### Frontend (skillguard)
- Removed ClerkProvider, SignIn, SignUp, ClerkQueryClientCacheInvalidator from App.tsx; replaced with plain wouter routes
- Replaced /sign-in and /sign-up routes with a single /sign-in route pointing to new LoginPage
- New LoginPage (src/pages/login.tsx): email+password form using shadcn Input/Button/Card, calls POST /api/auth/login, redirects to /admin on success
- layout.tsx: replaced useClerk/useUser with useGetMe() + fetch POST /api/auth/logout
- require-admin.tsx: unchanged logic (already used useGetMe()), updated comment
- Removed @clerk/react, @clerk/localizations, @clerk/themes from package.json
- Added signInButton + loginError i18n keys to all 3 locales (de/en/es)
## New secrets required
- SESSION_SECRET (already existed)
- ADMIN_EMAIL (new — first admin email)
- ADMIN_PASSWORD (new — first admin password, stored as bcrypt hash)
## Removed env vars
- CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, VITE_CLERK_PUBLISHABLE_KEY, VITE_CLERK_PROXY_URL (can be deleted from secrets)
## Test results
All 79 tests pass.
Replit-Task-Id: 41d32d48-8f20-44bc-b665-a2becb83e503
2026-06-16 21:22:55 +00:00
|
|
|
"@types/bcryptjs": "^2.4.6",
|
2026-05-28 23:37:31 +00:00
|
|
|
"@types/cookie-parser": "^1.4.10",
|
|
|
|
|
"@types/cors": "^2.8.19",
|
|
|
|
|
"@types/express": "^5.0.6",
|
|
|
|
|
"@types/node": "catalog:",
|
|
|
|
|
"esbuild": "0.27.3",
|
|
|
|
|
"esbuild-plugin-pino": "^2.3.3",
|
|
|
|
|
"pino-pretty": "^13.1.3",
|
Add automated tests for skill version detection
Task #13: lock in the fingerprint/relation logic behind SkillGuard's
identical/modified/new version detection with automated tests.
What was added
- Set up Vitest in artifacts/api-server (dev dep + `test` script + vitest.config.ts
using the "workspace" resolve condition so @workspace/* resolve to source).
- Unit tests (no DB):
- src/lib/skillFingerprint.test.ts — hashText/hashBytes stability & agreement,
computeFingerprint stable + order-independent + sensitive to content/path/add/remove,
jaccard overlap/symmetry/empty handling.
- src/lib/lineDiff.test.ts — lineSimilarity ratios (identical, single-edit, disjoint,
symmetric, CRLF), lineDiff context/add/remove with line numbers and the 2000-line cap.
- DB-backed tests (use the existing DATABASE_URL):
- src/routes/relation.test.ts — computeRelation: identical content under a different
name -> "identical" + check-counter (countFingerprint) increments; one-line edit to a
single-file skill -> "modified" with sensible similarity; unrelated skill -> "new".
Also direct computeContentSimilarity cases. Fixtures use randomized content to avoid
collisions with shared dev data and are cleaned up afterEach.
- src/routes/compare.test.ts — e2e GET /api/scans/:id/compare/:otherId via a live
server: asserts unchanged/modified/added/removed statuses, sorted file order, the
line diff for the modified file, null diffs elsewhere, and 404 for missing scans.
Production code change
- Exported computeRelation, computeContentSimilarity, countFingerprint from
src/routes/scans.ts so the relation logic can be unit-tested. No behavior change.
Verification
- `pnpm --filter @workspace/api-server run test` -> 34 tests, 4 files, all pass.
- `pnpm --filter @workspace/api-server run typecheck` passes (rebuilt stale lib/db
declarations via `pnpm run typecheck:libs`).
- Production build unaffected: esbuild only bundles from src/index.ts, so *.test.ts
files are not included.
Replit-Task-Id: e9ae5e24-1480-4a09-8436-1718c535573a
2026-06-10 19:48:10 +00:00
|
|
|
"thread-stream": "3.1.0",
|
|
|
|
|
"vitest": "^4.1.8"
|
2026-05-28 23:37:31 +00:00
|
|
|
}
|
|
|
|
|
}
|