Task #13: lock in the fingerprint/relation logic behind SkillGuard's
identical/modified/new version detection with automated tests.
What was added
- Set up Vitest in artifacts/api-server (dev dep + `test` script + vitest.config.ts
using the "workspace" resolve condition so @workspace/* resolve to source).
- Unit tests (no DB):
- src/lib/skillFingerprint.test.ts — hashText/hashBytes stability & agreement,
computeFingerprint stable + order-independent + sensitive to content/path/add/remove,
jaccard overlap/symmetry/empty handling.
- src/lib/lineDiff.test.ts — lineSimilarity ratios (identical, single-edit, disjoint,
symmetric, CRLF), lineDiff context/add/remove with line numbers and the 2000-line cap.
- DB-backed tests (use the existing DATABASE_URL):
- src/routes/relation.test.ts — computeRelation: identical content under a different
name -> "identical" + check-counter (countFingerprint) increments; one-line edit to a
single-file skill -> "modified" with sensible similarity; unrelated skill -> "new".
Also direct computeContentSimilarity cases. Fixtures use randomized content to avoid
collisions with shared dev data and are cleaned up afterEach.
- src/routes/compare.test.ts — e2e GET /api/scans/:id/compare/:otherId via a live
server: asserts unchanged/modified/added/removed statuses, sorted file order, the
line diff for the modified file, null diffs elsewhere, and 404 for missing scans.
Production code change
- Exported computeRelation, computeContentSimilarity, countFingerprint from
src/routes/scans.ts so the relation logic can be unit-tested. No behavior change.
Verification
- `pnpm --filter @workspace/api-server run test` -> 34 tests, 4 files, all pass.
- `pnpm --filter @workspace/api-server run typecheck` passes (rebuilt stale lib/db
declarations via `pnpm run typecheck:libs`).
- Production build unaffected: esbuild only bundles from src/index.ts, so *.test.ts
files are not included.
Replit-Task-Id: e9ae5e24-1480-4a09-8436-1718c535573a
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing now enforces limits (max files, total + per-file size) to mitigate
zip-bomb DoS.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
