chore: Add unit tests and extract independent libs outside frontmcp monorepo #188
Conversation
📝 WalkthroughWalkthroughThis PR removes two internal libraries (json-schema-to-zod-v3 and mcp-from-openapi) from the monorepo, updates docs/workflows to reference external packages, adds safe-regex utilities and ReDoS guards across uipack/utils, and introduces multiple comprehensive test suites for CLI and approval plugins. Changes
Sequence Diagram(s)(No sequence diagrams generated — changes are broad removals, docs updates, and multiple independent safety-guard additions rather than a single new multi-component control flow.) Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches
Comment |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Fix all issues with AI Agents
In @plugins/plugin-approval/jest.config.ts:
- Around line 43-46: The Jest coverage thresholds in the coverageThreshold
object currently set branches: 66, functions: 80, lines: 80, statements: 80
conflict with the project requirement of 95%+; update the coverageThreshold
entries (branches, functions, lines, statements) in
plugins/plugin-approval/jest.config.ts to 95 (or 95+) and ensure tests are
added/adjusted so the plugin meets those thresholds before committing.
In @plugins/plugin-cache/jest.config.ts:
- Around line 40-43: The coverageThreshold in jest.config.ts was lowered for
"branches" to 90%, violating the 95%+ policy; update the coverageThreshold
object (the properties statements, branches, functions, lines) to enforce at
least 95% for branches (and all metrics if desired) by changing branches: 90 to
branches: 95 (and ensure statements, functions, lines are set to >=95) so the
Jest config restores the required minimums.
In @TEST_COVERAGE.md:
- Around line 7-15: The coverage report is missing libs/ui and libs/uipack and
shows libs/plugins below the 95% requirement; update the test/coverage
configuration to include the missing packages and enforce thresholds: add
include/glob patterns for "libs/ui/src/**/*.test.{ts,tsx}" and
"libs/uipack/**/{src,tests}/**/*.{ts,tsx,js,jsx}" to the coverage collection,
ensure the CI coverage thresholds (statements, branches, functions, lines) are
set to 95% for those packages, and add/expand tests in the plugins package
(targeting files referenced under libs/plugins) to raise statements and branch
coverage above 95%; also add a short note in TEST_COVERAGE.md clarifying whether
external libraries like ast-guard, vectoriadb, and enclave are held to the 95%
standard or a separate expectation so readers know which rule applies.
🧹 Nitpick comments (12)
plugins/plugin-approval/src/__tests__/approval.service.test.ts (1)
26-36: Simplify type assertion for better type safety.The double type assertion
as unknown as jest.Mocked<ApprovalStore>at line 36 is a code smell that bypasses TypeScript's type checking. Consider using a more type-safe approach.As per coding guidelines, avoid using
anytypes without strong justification and prefer proper typing.🔎 Recommended fix to improve type safety
beforeEach(() => { mockStore = { isApproved: jest.fn(), getApproval: jest.fn(), queryApprovals: jest.fn(), grantApproval: jest.fn(), revokeApproval: jest.fn(), clearSessionApprovals: jest.fn(), initialize: jest.fn(), close: jest.fn(), - } as unknown as jest.Mocked<ApprovalStore>; + } as jest.Mocked<ApprovalStore>;plugins/plugin-approval/src/__tests__/challenge.service.test.ts (3)
82-90: Avoidas anytype assertions - use proper typing.The
as anytype assertion at line 87 bypasses TypeScript's type checking, which can hide type errors. Consider defining a proper mock type or usingPartial<>to maintain type safety.As per coding guidelines, avoid
anytypes without strong justification and useunknownfor generic type defaults instead.🔎 Recommended fix for type-safe mocking
it('should create service with storage instance', () => { - const mockInstance = { + const mockInstance: Partial<StorageInstance> = { namespace: jest.fn().mockReturnValue(mockStorage), }; service = new ChallengeService({ - storageInstance: mockInstance as any, + storageInstance: mockInstance as StorageInstance, }); expect(service).toBeDefined(); });Note: You'll need to import or define the appropriate storage interface type.
101-112: Avoidas anytype assertions - use proper typing.Similar to the previous issue, line 106 uses
as anyto bypass type checking. Apply the same type-safe approach here.
378-390: Avoidas anytype assertions - use proper typing.Line 384 also uses
as anyfor the storage instance. Consider using a consistent, type-safe approach across all test cases for better maintainability.plugins/plugin-approval/src/__tests__/approval-storage.store.test.ts (3)
94-102: Avoidas anytype assertions - use proper typing.Line 99 uses
as anyto bypass TypeScript's type checking. As with the other test files, consider using a type-safe approach withPartial<>or proper interface typing.As per coding guidelines, avoid
anytypes without strong justification.
113-124: Avoidas anytype assertions - use proper typing.Line 118 also uses
as anyfor the storage instance parameter. Apply consistent type-safe mocking across all test cases.
721-733: Avoidas anytype assertions - use proper typing.Line 723 uses
as anyfor the external storage mock. Consider defining a proper mock type to maintain type safety throughout the test suite..github/UPDATES_FORMAT.md (1)
319-319: Verify href pattern for independent libraries is no longer active.Line 319 in the summary table shows independent library hrefs pointing to
"https://github.com/agentfront/frontmcp/tree/main/libs/{lib}", but these libraries have been moved to external repositories. This href pattern is now historical and should not be used for new documentation. The documentation correctly marks the related sections as historical (lines 67, 200, 228), but the summary table on line 319 should also include a note clarifying this is a legacy reference pattern.Consider adding a clarifying note to line 319 or the table caption:
| **href** | `"https://github.com/agentfront/frontmcp/releases/tag/v..."` | `"https://github.com/agentfront/frontmcp/tree/main/libs/{lib}"` | + | | *(Historical: independent libs now at external repos)* |libs/cli/jest.config.ts (1)
36-44: Coverage configuration looks reasonable as a baseline.The
collectCoverageFrompatterns correctly exclude declaration files, barrel exports, the CLI entry point, and templates. The coverage thresholds (60/60/53/59) establish a floor that can be incrementally raised as coverage improves.Consider raising these thresholds over time to align with the higher coverage standards (95%+) applied to other libs in this monorepo.
libs/cli/src/__tests__/doctor.spec.ts (1)
82-257: Good coverage of doctor command scenarios.The test suite covers the key paths:
- ✅ All requirements met
- ❌ Node/npm version failures
- ❌ npm not found error
- ❌ Missing tsconfig.json
- ❌ tsconfig configuration issues
- ❌ Entry file not found
- ✅ Entry file path detection
Per coding guidelines, consider adding tests for:
- Multiple simultaneous failures (e.g., old Node AND missing tsconfig)
fileExistsorreadJSONthrowing unexpected errors (network/permission issues)libs/cli/src/__tests__/tsconfig.spec.ts (1)
223-282: runInit tests cover the happy paths well.Consider adding error condition tests as per coding guidelines:
writeJSONthrowing an error (disk full, permission denied)readJSONthrowing a parse error for malformed JSONlibs/cli/src/__tests__/fs.spec.ts (1)
98-187: Good edge case coverage for main field variants.Tests handle:
- Empty and whitespace-only main values
- Multiple extension variants (.tsx, .js, .mjs, .cjs)
- Non-string main field (numeric value)
One consideration: the current tests verify each extension works in isolation. If the extension resolution order matters (e.g.,
.tsbefore.js), a test that returnstruefor multiple extensions and asserts the first-match behavior would strengthen confidence in the priority logic.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (2)
libs/cli/src/commands/build/__tests__/adapters.spec.tsis excluded by!**/build/**yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (107)
.github/UPDATES_FORMAT.md.github/workflows/codex-mintlify-docs.yml.github/workflows/create-release-branch.ymlCHANGELOG.mdCLAUDE.mdTEST_COVERAGE.mddocs/draft/blog/external-links.mdxdocs/live/blog/external-links.mdxdocs/live/updates.mdxeslint.config.mjslibs/adapters/README.mdlibs/adapters/src/openapi/README.mdlibs/cli/jest.config.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/fs.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/json-schema-to-zod-v3/.spec.swcrclibs/json-schema-to-zod-v3/CHANGELOG.mdlibs/json-schema-to-zod-v3/README.mdlibs/json-schema-to-zod-v3/SECURITY.mdlibs/json-schema-to-zod-v3/eslint.config.mjslibs/json-schema-to-zod-v3/examples.tslibs/json-schema-to-zod-v3/jest.config.tslibs/json-schema-to-zod-v3/package.jsonlibs/json-schema-to-zod-v3/project.jsonlibs/json-schema-to-zod-v3/src/__tests__/composition.spec.tslibs/json-schema-to-zod-v3/src/__tests__/global.spec.tslibs/json-schema-to-zod-v3/src/__tests__/handlers.spec.tslibs/json-schema-to-zod-v3/src/__tests__/security.config.spec.tslibs/json-schema-to-zod-v3/src/__tests__/security.spec.tslibs/json-schema-to-zod-v3/src/converter.tslibs/json-schema-to-zod-v3/src/handlers/primitive/array.tslibs/json-schema-to-zod-v3/src/handlers/primitive/basic.tslibs/json-schema-to-zod-v3/src/handlers/primitive/number.tslibs/json-schema-to-zod-v3/src/handlers/primitive/object.tslibs/json-schema-to-zod-v3/src/handlers/primitive/string.tslibs/json-schema-to-zod-v3/src/handlers/refinement/complex.tslibs/json-schema-to-zod-v3/src/handlers/refinement/composition.tslibs/json-schema-to-zod-v3/src/handlers/refinement/special.tslibs/json-schema-to-zod-v3/src/index.tslibs/json-schema-to-zod-v3/src/security.tslibs/json-schema-to-zod-v3/src/types.tslibs/json-schema-to-zod-v3/src/utils.tslibs/json-schema-to-zod-v3/tsconfig.jsonlibs/json-schema-to-zod-v3/tsconfig.lib.jsonlibs/json-schema-to-zod-v3/tsconfig.spec.jsonlibs/mcp-from-openapi/.spec.swcrclibs/mcp-from-openapi/CHANGELOG.mdlibs/mcp-from-openapi/README.mdlibs/mcp-from-openapi/SECURITY.mdlibs/mcp-from-openapi/eslint.config.mjslibs/mcp-from-openapi/examples/frontmcp-integration.tslibs/mcp-from-openapi/examples/usage-examples.tslibs/mcp-from-openapi/jest.config.tslibs/mcp-from-openapi/package.jsonlibs/mcp-from-openapi/project.jsonlibs/mcp-from-openapi/src/__tests__/errors.spec.tslibs/mcp-from-openapi/src/__tests__/generator.spec.tslibs/mcp-from-openapi/src/__tests__/response-builder.spec.tslibs/mcp-from-openapi/src/__tests__/schema-builder.spec.tslibs/mcp-from-openapi/src/__tests__/security-resolver.spec.tslibs/mcp-from-openapi/src/__tests__/types.spec.tslibs/mcp-from-openapi/src/__tests__/validator.spec.tslibs/mcp-from-openapi/src/errors.tslibs/mcp-from-openapi/src/generator.tslibs/mcp-from-openapi/src/index.tslibs/mcp-from-openapi/src/parameter-resolver.tslibs/mcp-from-openapi/src/response-builder.tslibs/mcp-from-openapi/src/schema-builder.tslibs/mcp-from-openapi/src/security-resolver.tslibs/mcp-from-openapi/src/types.tslibs/mcp-from-openapi/src/validator.tslibs/mcp-from-openapi/tsconfig.jsonlibs/mcp-from-openapi/tsconfig.lib.jsonlibs/mcp-from-openapi/tsconfig.spec.jsonlibs/uipack/package.jsonpackage.jsonplugins/plugin-approval/jest.config.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/challenge.service.test.tsplugins/plugin-cache/jest.config.tsplugins/plugin-cache/src/__tests__/cache.plugin.test.tsplugins/plugin-codecall/jest.config.tsplugins/plugin-codecall/package.jsonplugins/plugin-codecall/src/__tests__/codecall.plugin.test.tsplugins/plugin-codecall/src/__tests__/error-enrichment.service.test.tsplugins/plugin-dashboard/jest.config.tsplugins/plugin-dashboard/src/__tests__/dashboard.app.test.tsplugins/plugin-dashboard/src/__tests__/dashboard.plugin.test.tsplugins/plugin-dashboard/src/__tests__/dashboard.symbol.test.tsplugins/plugin-dashboard/src/__tests__/dashboard.types.test.tsplugins/plugin-dashboard/src/__tests__/graph-data.provider.test.tsplugins/plugin-dashboard/src/__tests__/html.generator.test.tsplugins/plugin-dashboard/src/__tests__/safe-regex.test.tsplugins/plugin-dashboard/src/__tests__/tools.test.tsplugins/plugin-remember/jest.config.tsplugins/plugin-remember/src/__tests__/remember-redis.provider.test.tsplugins/plugin-remember/src/__tests__/remember-secret-persistence.test.tsplugins/plugin-remember/src/__tests__/remember-storage.provider.test.tsplugins/plugin-remember/src/__tests__/remember-tools.test.tsplugins/plugin-remember/src/__tests__/remember-vercel-kv.provider.test.tsplugins/plugin-remember/src/__tests__/remember.plugin.test.tsscripts/bump-version.mjstsconfig.base.json
💤 Files with no reviewable changes (65)
- CHANGELOG.md
- libs/json-schema-to-zod-v3/tsconfig.lib.json
- libs/json-schema-to-zod-v3/SECURITY.md
- libs/json-schema-to-zod-v3/src/converter.ts
- libs/mcp-from-openapi/src/generator.ts
- libs/mcp-from-openapi/src/parameter-resolver.ts
- libs/json-schema-to-zod-v3/package.json
- docs/live/blog/external-links.mdx
- libs/mcp-from-openapi/src/tests/types.spec.ts
- libs/json-schema-to-zod-v3/.spec.swcrc
- libs/mcp-from-openapi/SECURITY.md
- libs/mcp-from-openapi/tsconfig.lib.json
- libs/mcp-from-openapi/src/security-resolver.ts
- libs/json-schema-to-zod-v3/src/utils.ts
- libs/mcp-from-openapi/tsconfig.spec.json
- libs/json-schema-to-zod-v3/src/handlers/refinement/composition.ts
- libs/mcp-from-openapi/README.md
- .github/workflows/codex-mintlify-docs.yml
- libs/json-schema-to-zod-v3/CHANGELOG.md
- libs/json-schema-to-zod-v3/src/tests/composition.spec.ts
- libs/mcp-from-openapi/jest.config.ts
- libs/json-schema-to-zod-v3/src/handlers/primitive/object.ts
- docs/draft/blog/external-links.mdx
- libs/mcp-from-openapi/src/tests/generator.spec.ts
- libs/mcp-from-openapi/examples/usage-examples.ts
- libs/json-schema-to-zod-v3/src/tests/security.spec.ts
- libs/json-schema-to-zod-v3/src/handlers/primitive/array.ts
- libs/mcp-from-openapi/.spec.swcrc
- libs/mcp-from-openapi/src/validator.ts
- libs/json-schema-to-zod-v3/src/tests/global.spec.ts
- libs/mcp-from-openapi/src/tests/schema-builder.spec.ts
- libs/mcp-from-openapi/src/tests/errors.spec.ts
- libs/json-schema-to-zod-v3/tsconfig.json
- libs/json-schema-to-zod-v3/src/handlers/primitive/basic.ts
- libs/json-schema-to-zod-v3/src/handlers/refinement/special.ts
- libs/json-schema-to-zod-v3/src/handlers/primitive/string.ts
- libs/json-schema-to-zod-v3/examples.ts
- libs/json-schema-to-zod-v3/src/types.ts
- libs/mcp-from-openapi/src/tests/validator.spec.ts
- libs/json-schema-to-zod-v3/src/handlers/primitive/number.ts
- libs/mcp-from-openapi/tsconfig.json
- libs/json-schema-to-zod-v3/README.md
- libs/json-schema-to-zod-v3/src/index.ts
- eslint.config.mjs
- libs/mcp-from-openapi/src/response-builder.ts
- libs/mcp-from-openapi/src/errors.ts
- libs/json-schema-to-zod-v3/src/security.ts
- libs/json-schema-to-zod-v3/src/handlers/refinement/complex.ts
- libs/json-schema-to-zod-v3/jest.config.ts
- libs/mcp-from-openapi/src/index.ts
- libs/mcp-from-openapi/CHANGELOG.md
- libs/json-schema-to-zod-v3/eslint.config.mjs
- libs/mcp-from-openapi/package.json
- libs/json-schema-to-zod-v3/src/tests/handlers.spec.ts
- libs/mcp-from-openapi/src/tests/response-builder.spec.ts
- libs/mcp-from-openapi/examples/frontmcp-integration.ts
- libs/mcp-from-openapi/src/tests/security-resolver.spec.ts
- libs/mcp-from-openapi/project.json
- docs/live/updates.mdx
- libs/json-schema-to-zod-v3/tsconfig.spec.json
- libs/mcp-from-openapi/src/schema-builder.ts
- libs/mcp-from-openapi/eslint.config.mjs
- libs/json-schema-to-zod-v3/project.json
- libs/mcp-from-openapi/src/types.ts
- libs/json-schema-to-zod-v3/src/tests/security.config.spec.ts
🧰 Additional context used
📓 Path-based instructions (6)
libs/uipack/**/{package.json,*.ts,*.tsx,*.js,*.jsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
Do not add React dependencies to @frontmcp/uipack - it must remain React-free. Use @frontmcp/ui for React components.
Files:
libs/uipack/package.json
libs/**
⚙️ CodeRabbit configuration file
libs/**: Contains publishable SDK libraries. Review for API correctness, breaking changes, and consistency with docs. When public APIs change, ensure there is a matching docs/draft/docs/** update (not direct edits under docs/docs/**).
Files:
libs/uipack/package.jsonlibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tslibs/cli/jest.config.tslibs/adapters/README.mdlibs/adapters/src/openapi/README.md
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.{ts,tsx}: Enable and use strict TypeScript settings - noanytypes without strong justification, useunknownfor generic type defaults instead
Avoid non-null assertions (!) - use proper error handling and throw specific errors when values are missing instead
Always use @frontmcp/utils for cryptographic operations - use hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode instead of node:crypto
Always use @frontmcp/utils for file system operations - use readFile, writeFile, mkdir, rename, unlink, stat, etc. instead of fs/promises or node:fs
Use constrained generic type parameters withRecord<string, string>or similar constraints instead of unconstrainedanydefaults
Files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tslibs/cli/jest.config.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-approval/src/__tests__/challenge.service.test.tsplugins/plugin-cache/jest.config.ts
**/*.{ts,tsx,md}
📄 CodeRabbit inference engine (CLAUDE.md)
Document known limitations clearly in code comments and README files
Files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tsCLAUDE.mdlibs/cli/jest.config.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tslibs/adapters/README.mdplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-approval/src/__tests__/challenge.service.test.tslibs/adapters/src/openapi/README.mdplugins/plugin-cache/jest.config.tsTEST_COVERAGE.md
**/*.{test,spec}.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Test all code paths including error conditions - include constructor validation tests, error class instanceof checks, and edge cases
Files:
libs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-approval/src/__tests__/challenge.service.test.ts
**/libs/**/src/**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Do not add backwards compatibility exports in new libraries - avoid legacy prefixes like PT-001 in test names
Files:
libs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.ts
🧠 Learnings (37)
📓 Common learnings
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{src,tests}/**/*.{ts,tsx,js,jsx} : Maintain 95%+ code coverage across statements, branches, functions, and lines
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{package.json,*.ts,*.tsx,*.js,*.jsx} : Do not add React dependencies to frontmcp/uipack - it must remain React-free. Use frontmcp/ui for React components.
Applied to files:
libs/uipack/package.json.github/UPDATES_FORMAT.md
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/package.json : The frontmcp/ui package requires React as a peer dependency (^18.0.0 || ^19.0.0)
Applied to files:
libs/uipack/package.json
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Use proper ES module imports instead of `require()` for SDK imports; avoid dynamic require of `frontmcp/sdk` modules
Applied to files:
libs/uipack/package.json
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Always use `frontmcp/utils` for cryptographic operations (hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode) instead of `node:crypto`
Applied to files:
libs/uipack/package.jsonpackage.json
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{ts,tsx} : Always use frontmcp/utils for cryptographic operations - use hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode instead of node:crypto
Applied to files:
libs/uipack/package.jsonpackage.json
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Avoid using `node:crypto` directly; always use `frontmcp/utils` for cross-platform cryptographic support
Applied to files:
libs/uipack/package.jsonpackage.json
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/package.json : Entry points must match the documented paths: frontmcp/ui/react, frontmcp/ui/renderers, frontmcp/ui/render, frontmcp/ui/universal, frontmcp/ui/bundler, frontmcp/ui/bridge, frontmcp/ui/components, frontmcp/ui/layouts, frontmcp/ui/web-components
Applied to files:
libs/uipack/package.jsonlibs/cli/src/__tests__/fs.spec.ts
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/bundler/**/*.{ts,tsx} : The bundler module must re-export utilities from frontmcp/uipack/bundler and provide SSR component bundling functionality
Applied to files:
libs/uipack/package.json
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{ts,tsx} : Always use frontmcp/utils for file system operations - use readFile, writeFile, mkdir, rename, unlink, stat, etc. instead of fs/promises or node:fs
Applied to files:
libs/uipack/package.jsonlibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{src,tests}/**/*.{ts,tsx,js,jsx} : Maintain 95%+ code coverage across statements, branches, functions, and lines
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/jest.config.tsplugins/plugin-cache/jest.config.tsTEST_COVERAGE.md
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/**/*.test.{ts,tsx} : Test coverage must be 95%+ across statements, branches, functions, and lines
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/jest.config.tsplugins/plugin-cache/jest.config.tsTEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.test.ts : Tests must achieve 95%+ code coverage across all metrics; use `MockStore` implementing `RememberStoreInterface` for RememberPlugin testing
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/jest.config.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-approval/src/__tests__/challenge.service.test.tsplugins/plugin-cache/jest.config.ts
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Configure approval requirements on tools using the `approval` decorator property with fields: `required`, `defaultScope`, `category`, `riskLevel`, and `approvalMessage`
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/tsconfig.spec.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{theme,adapters,bundler}/**/*.{test,spec}.{ts,tsx,js,jsx} : Test behavior across all supported platform configurations (OpenAI, Claude, etc.)
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tslibs/cli/jest.config.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval.service.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-cache/jest.config.ts
📚 Learning: 2026-01-06T02:34:41.821Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.821Z
Learning: Achieve 95%+ test coverage across all metrics (statements, branches, functions, lines)
Applied to files:
plugins/plugin-approval/jest.config.tsplugins/plugin-cache/jest.config.tsTEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Extend tool metadata using `declare global` pattern to allow tools to specify plugin-specific options in their decorators
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/jest.config.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-cache/jest.config.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{ts,tsx} : Enable and use strict TypeScript settings - no `any` types without strong justification, use `unknown` for generic type defaults instead
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/jest.config.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{test,spec}.{ts,tsx} : Test all code paths including error conditions - include constructor validation tests, error class instanceof checks, and edge cases
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tslibs/cli/jest.config.tsplugins/plugin-approval/src/__tests__/approval.plugin.test.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.tsplugins/plugin-approval/src/__tests__/challenge.service.test.tsplugins/plugin-cache/jest.config.ts
📚 Learning: 2026-01-06T02:34:41.821Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.821Z
Learning: Build must complete without TypeScript warnings or errors
Applied to files:
plugins/plugin-approval/jest.config.tslibs/cli/jest.config.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/*.{test,spec}.{ts,tsx,js,jsx} : Every component and utility must test invalid inputs and edge cases
Applied to files:
libs/cli/src/__tests__/doctor.spec.tslibs/cli/src/__tests__/colors.spec.tslibs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/**/src/**/*.{ts,tsx} : Do not add backwards compatibility exports in new libraries - avoid legacy prefixes like PT-001 in test names
Applied to files:
libs/cli/src/__tests__/tsconfig.spec.tslibs/cli/jest.config.ts
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/**/*.test.{ts,tsx} : Use React Testing Library for component tests and include SSR/hydration tests for all interactive components
Applied to files:
libs/cli/src/__tests__/tsconfig.spec.tslibs/cli/src/__tests__/fs.spec.tsplugins/plugin-approval/src/__tests__/approval-storage.store.test.ts
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/**/*.test.{ts,tsx} : SSR components must be tested for correct HTML output and client-side hydration must be tested separately
Applied to files:
libs/cli/src/__tests__/tsconfig.spec.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,plugins}/**/src/**/*preset*.ts : Follow the preset pattern for hierarchical configurations - create preset files that provide layered, hierarchical settings
Applied to files:
libs/cli/src/__tests__/tsconfig.spec.tslibs/cli/jest.config.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/index.{ts,js} : Export all public APIs through appropriate entry points (frontmcp/uipack, frontmcp/uipack/adapters, frontmcp/uipack/theme, etc.)
Applied to files:
libs/cli/src/__tests__/fs.spec.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Organize code following the frontmcp/uipack directory structure (adapters/, bundler/, theme/, renderers/, validation/, etc.)
Applied to files:
CLAUDE.md
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*plugin.ts : Use module augmentation for context properties via `declare module 'frontmcp/sdk'` combined with runtime plugin metadata `contextExtensions`, not module-level side effects
Applied to files:
CLAUDE.md
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/plugins/**/src/**/*.ts : Use module augmentation to extend ExecutionContextBase with new properties - declare module 'frontmcp/sdk' and define interface extensions for plugin context properties
Applied to files:
CLAUDE.mdplugins/plugin-approval/src/__tests__/approval.plugin.test.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*.ts : Validation flow pattern - execute/read methods return strictly typed MCP responses, parseOutput normalizes various input shapes, flows finalize using entry's parse methods
Applied to files:
CLAUDE.mdlibs/adapters/README.mdTEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*metadata*.ts : Validate URIs per RFC 3986 at metadata level using Zod schema validation with `isValidMcpUri` refinement
Applied to files:
CLAUDE.mdTEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*plugin.ts : Extend ExecutionContextBase with plugin-specific properties using module declaration (`declare module 'frontmcp/sdk'`) combined with `contextExtensions` in plugin metadata
Applied to files:
CLAUDE.md
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*plugin.ts : Plugins should extend `DynamicPlugin<Options, OptionsInput>` for configurable behavior, with `Plugin` decorator specifying name, description, and static providers
Applied to files:
plugins/plugin-approval/src/__tests__/approval.plugin.test.ts
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : RememberPlugin automatically provides `this.remember` and `this.approval` on execution contexts when installed; use helper functions `getRemember()` or `tryGetRemember()` for graceful degradation
Applied to files:
plugins/plugin-approval/src/__tests__/approval.plugin.test.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,adapters}/**/src/**/*.ts : Use getCapabilities() method in registries for dynamic capability exposure - do not hardcode capabilities in transport adapters
Applied to files:
libs/adapters/README.md
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*.ts : MCP response types must use strictly typed MCP protocol definitions, not `unknown` - use `Promise<GetPromptResult>`, `Promise<ReadResourceResult>`, and similar MCP-defined types for execute() and read() methods
Applied to files:
libs/adapters/README.md
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*error*.ts : Use specific MCP error classes with MCP error codes instead of generic errors - define error classes with `mcpErrorCode` property and `toJsonRpcError()` method
Applied to files:
libs/adapters/README.mdlibs/adapters/src/openapi/README.md
🧬 Code graph analysis (2)
libs/cli/src/__tests__/colors.spec.ts (1)
libs/cli/src/colors.ts (2)
COLORS(1-11)c(13-13)
libs/cli/src/__tests__/fs.spec.ts (1)
libs/cli/src/utils/fs.ts (1)
resolveEntry(18-56)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (19)
plugins/plugin-approval/src/__tests__/approval.plugin.test.ts (1)
121-130: Test validates provider presence but not configuration propagation.This test verifies that the store provider exists but includes a comment acknowledging it "can't easily test the internals without mocking." While this is acceptable for unit tests at this abstraction level, consider whether integration tests elsewhere verify that the config (namespace: 'custom', cleanupIntervalSeconds: 120) is actually propagated to the store.
plugins/plugin-approval/src/__tests__/approval-storage.store.test.ts (2)
604-610: Excellent edge case coverage for glob metacharacter escaping.This test properly validates that special glob characters in session IDs are escaped, preventing potential security issues or unexpected behavior in key pattern matching. This is exactly the kind of edge case testing that improves robustness.
41-747: Comprehensive test coverage validates all store operations.This test suite provides excellent coverage of the ApprovalStorageStore including:
- Initialization with various configurations
- All CRUD operations with proper error handling
- Query and filtering logic
- Expiration handling and cleanup
- Statistics gathering
- Lifecycle management (owned vs external storage)
- Edge cases like invalid JSON and glob metacharacters
The test structure is well-organized and follows good testing practices with proper setup/teardown.
libs/adapters/README.md (1)
18-19: Documentation update is clear and accurate.The updated text correctly identifies mcp-from-openapi as an external package, which is consistent with the PR's objective to externalize independent libraries from the monorepo.
CLAUDE.md (1)
18-18: Documentation update accurately reflects the repository restructuring.The updated note clearly communicates that several libraries have been moved to external repositories, which aligns with the PR's objective to externalize independent libraries. This provides helpful context for developers working with the monorepo.
package.json (2)
34-34: Dependency version is valid.mcp-from-openapi 2.1.2 is confirmed as the latest available version on npm registry. No updates needed.
36-36: The enclave-vm upgrade to 2.4.0 is valid and secure.Verification confirms that enclave-vm 2.4.0 is a legitimate NPM release with cryptographic signatures and SLSA provenance attestation. No known security vulnerabilities were detected. The version reference is consistent across both package.json and libs/uipack/package.json (both use "^2.4.0").
libs/adapters/src/openapi/README.md (2)
984-984: Documentation link is valid.The external mcp-from-openapi GitHub link is accessible and correctly points to the repository for authentication examples.
1209-1210: FrontMCP SDK npm package link is inaccessible (HTTP 403).The mcp-from-openapi GitHub repository link is accessible (HTTP 200), but the FrontMCP SDK npm package link returns HTTP 403 Forbidden. This link must be verified and made accessible before merging, as it is unreachable to users.
⛔ Skipped due to learnings
Learnt from: CR Repo: agentfront/frontmcp PR: 0 File: libs/uipack/CLAUDE.md:0-0 Timestamp: 2026-01-04T14:35:18.353Z Learning: Organize code following the frontmcp/uipack directory structure (adapters/, bundler/, theme/, renderers/, validation/, etc.)Learnt from: CR Repo: agentfront/frontmcp PR: 0 File: CLAUDE.md:0-0 Timestamp: 2026-01-06T02:34:41.820Z Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*error*.ts : Use specific MCP error classes with MCP error codes instead of generic errors - define error classes with `mcpErrorCode` property and `toJsonRpcError()` methodLearnt from: CR Repo: agentfront/frontmcp PR: 0 File: CLAUDE.md:0-0 Timestamp: 2026-01-06T02:34:41.820Z Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*.ts : Validation flow pattern - execute/read methods return strictly typed MCP responses, parseOutput normalizes various input shapes, flows finalize using entry's parse methodsLearnt from: CR Repo: agentfront/frontmcp PR: 0 File: libs/plugins/CLAUDE.md:0-0 Timestamp: 2026-01-06T02:34:55.680Z Learning: Applies to libs/plugins/**/*.ts : Use proper ES module imports instead of `require()` for SDK imports; avoid dynamic require of `frontmcp/sdk` modulesLearnt from: CR Repo: agentfront/frontmcp PR: 0 File: CLAUDE.md:0-0 Timestamp: 2026-01-06T02:34:41.820Z Learning: Applies to **/libs/plugins/**/src/**/*.ts : Use module augmentation to extend ExecutionContextBase with new properties - declare module 'frontmcp/sdk' and define interface extensions for plugin context propertiesLearnt from: CR Repo: agentfront/frontmcp PR: 0 File: CLAUDE.md:0-0 Timestamp: 2026-01-06T02:34:41.820Z Learning: Applies to **/libs/{sdk,adapters,plugins}/**/src/**/*.ts : MCP response types must use strictly typed MCP protocol definitions, not `unknown` - use `Promise<GetPromptResult>`, `Promise<ReadResourceResult>`, and similar MCP-defined types for execute() and read() methodsLearnt from: CR Repo: agentfront/frontmcp PR: 0 File: libs/plugins/CLAUDE.md:0-0 Timestamp: 2026-01-06T02:34:55.680Z Learning: Applies to libs/plugins/**/*.ts : Always use `frontmcp/utils` for cryptographic operations (hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode) instead of `node:crypto`Learnt from: CR Repo: agentfront/frontmcp PR: 0 File: libs/uipack/CLAUDE.md:0-0 Timestamp: 2026-01-04T14:35:18.353Z Learning: Applies to libs/uipack/**/index.{ts,js} : Export all public APIs through appropriate entry points (frontmcp/uipack, frontmcp/uipack/adapters, frontmcp/uipack/theme, etc.)Learnt from: CR Repo: agentfront/frontmcp PR: 0 File: libs/uipack/CLAUDE.md:0-0 Timestamp: 2026-01-04T14:35:18.353Z Learning: Applies to libs/uipack/**/{build,bundler}/**/*.{ts,tsx,js,jsx} : For server-side MDX rendering with bundled React, use frontmcp/ui/renderers instead of frontmcp/uipack/rendererslibs/uipack/package.json (1)
62-62: The enclave-vm version bump to 2.4.0 is valid and safe. The package version exists on npm (published 2026-01-06, not deprecated, currently the latest), has no React dependencies, and maintains the React-free requirement for @frontmcp/uipack..github/UPDATES_FORMAT.md (1)
67-68: Documentation appropriately marks historical content with clear context notes.The addition of historical context notes (lines 67-68, 200-204, 228-231) effectively communicates that independent libraries have been moved to external repositories. This prevents confusion for future maintainers about why these sections still exist and when they should be referenced.
Also applies to: 200-204, 228-231
TEST_COVERAGE.md (1)
84-94: Running Tests section is clear and helpful.The provided commands for running tests with coverage reporting are straightforward and should help developers validate coverage locally.
.github/workflows/create-release-branch.yml (1)
260-260: The documentation is accurate and doesn't require changes.Line 260 correctly instructs Codex to return library names as shown in the LIBRARY field, which are folder names (sdk, adapters, cli) populated directly from the independent projects. The normalization logic (lines 344-354) is defensive programming to handle edge cases where Codex might ignore the instruction or return alternate formats—it's not an indication that the documentation is inaccurate.
Likely an incorrect or invalid review comment.
libs/cli/src/__tests__/colors.spec.ts (1)
1-90: Comprehensive test coverage for the colors module.The tests thoroughly validate:
- All ANSI escape codes in the
COLORSconstant- The
c()function behavior across all color/style variants- Edge case handling for empty strings
Good adherence to coding guidelines with no legacy test prefixes.
libs/cli/src/__tests__/doctor.spec.ts (1)
65-81: Well-structured test setup with proper mock ordering.The mock declarations before imports and the
beforeEach/afterEachcleanup pattern are correct. CapturingoriginalVersionsand restoring it inafterEachensures test isolation.libs/cli/src/__tests__/tsconfig.spec.ts (2)
49-91: Thorough deepMerge test coverage.The tests cover important edge cases:
- Flat and nested object merging
- Array replacement (not concatenation)
- Null and undefined value handling
- Missing nested properties in base
This aligns well with the coding guideline to test edge cases.
138-221: Excellent checkRequiredTsOptions validation tests.Good coverage of:
- Correct configuration returning no issues
- Individual field validation (target, module, decorator flags)
- Undefined compilerOptions handling
- Case-insensitive string comparison
- Non-string type handling
The test at line 212-220 for non-string target is a good edge case per coding guidelines.
libs/cli/src/__tests__/fs.spec.ts (2)
16-22: Clean test setup with proper mock clearing.The
beforeEachwithjest.clearAllMocks()ensures test isolation, and the constantcwdprovides consistent path references across tests.
23-96: Comprehensive resolveEntry test coverage.The tests thoroughly cover:
- Explicit entry path resolution and error handling
package.jsonmain field resolution- Extension-less main field handling
- Directory main field with index file fallback
- Default
src/main.tsfallback- Detailed error message when no entry is found
This aligns well with the implementation in
libs/cli/src/utils/fs.ts.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI Agents
In @libs/uipack/src/runtime/sanitizer.ts:
- Around line 164-177: The guard in redactPIIFromText that returns the original
text when text.length > MAX_PII_TEXT_LENGTH creates a security gap; update the
function by adding JSDoc that documents this limitation (mention
MAX_PII_TEXT_LENGTH and that inputs >100KB bypass redaction), emit a
warning-level log when the guard is hit so developers are alerted (use the
module's logger or accept an optional logger parameter), and/or replace the
early return with chunked processing logic that safely splits the input into
<=MAX_PII_TEXT_LENGTH segments and applies the existing redaction routine to
each segment before rejoining; reference redactPIIFromText and
MAX_PII_TEXT_LENGTH when making changes.
In @TEST_COVERAGE.md:
- Around line 7-13: The coverage report shows multiple libraries below the
required 95% threshold and the thresholds table still documents 90% targets for
ui/uipack; update the coverage policy in TEST_COVERAGE.md by raising the
documented minimums for libs/uipack and libs/ui to 95%
(statements/branches/funcs/lines as applicable), adjust plugin-approval and
plugin-cache branch thresholds to >=95%, remove/conflicting 90% entries in the
thresholds table (the block previously noted at lines 120-126), and add a short
remediation plan with concrete milestones and dates for bringing the currently
non-compliant libraries into compliance.
🧹 Nitpick comments (4)
libs/utils/src/regex/safe-regex.ts (1)
237-250: Type assertion insafeReplaceis technically incorrect but functionally safe.The
replacement as stringcast on line 249 discards the function signature variant. WhileString.prototype.replace()accepts both strings and functions, the cast could mask type errors if a caller passes a function.🔎 Suggested fix to preserve function replacement support
export function safeReplace( input: string, pattern: RegExp, replacement: string | ((match: string, ...args: unknown[]) => string), options: SafeRegexOptions = {}, ): string { const { maxInputLength = DEFAULT_MAX_INPUT_LENGTH } = options; if (input.length > maxInputLength) { return input; } - return input.replace(pattern, replacement as string); + // Type assertion needed because TS overloads don't unify well + return input.replace(pattern, replacement as Parameters<typeof input.replace>[1]); }libs/uipack/src/theme/css-to-theme.ts (2)
84-87: Document the rationale for the input length limit.The MAX_CSS_INPUT_LENGTH constant should include JSDoc explaining why 100000 characters was chosen and what users should do if they need to process larger CSS inputs.
As per coding guidelines, known limitations must be clearly documented.
🔎 Suggested documentation
-/** - * Maximum CSS input length for theme extraction (ReDoS prevention). - */ -const MAX_CSS_INPUT_LENGTH = 100000; +/** + * Maximum CSS input length for theme extraction (ReDoS prevention). + * + * Inputs exceeding this limit will be rejected to prevent regex denial-of-service + * attacks. 100KB should be sufficient for typical theme CSS while protecting against + * pathological inputs. If you need to process larger CSS, consider splitting it + * into multiple chunks or pre-processing to extract only color variables. + */ +const MAX_CSS_INPUT_LENGTH = 100000;
89-97: Document the length guard behavior in the function JSDoc.The function now silently returns empty results when input exceeds MAX_CSS_INPUT_LENGTH, but the JSDoc (lines 59-83) doesn't document this behavior. Callers should know that extremely large inputs will be rejected.
Update the function JSDoc to document the length limitation:
/** * Extract --color-* variables from user CSS and convert to Tailwind @theme block. * * This function: * 1. Finds all --color-* variable declarations in the CSS * 2. Creates a @theme block with these variables (for Tailwind v4 to process) * 3. Returns the remaining CSS without color variables + * + * @security ReDoS Protection: Inputs exceeding 100KB are rejected by returning + * empty results to prevent denial-of-service attacks. * * @param userCss - CSS string containing :root with --color-* variables * @returns Object with themeBlock, remainingCss, and colorVars maplibs/utils/src/uri/uri-template.ts (1)
38-39: Clarify the rationale for the pattern change.The comments state "ReDoS prevention" but the original pattern
/\{[^}]+\}/is not vulnerable to ReDoS. The character class[^}]+is bounded and doesn't exhibit catastrophic backtracking.The change from
[^}]+to[^{}]+prevents matching nested braces (e.g.,{outer{inner}}), which is a correctness improvement for RFC 6570 Level 1 compliance rather than a security fix. URI templates don't support nested braces, so this change makes the pattern fail faster on malformed input.🔎 Suggested comment clarification
- // Use [^{}]+ instead of [^}]+ to fail fast on nested braces (ReDoS prevention) + // Use [^{}]+ instead of [^}]+ to reject nested braces (RFC 6570 Level 1 compliance)Apply this change to lines 38, 54, 115, 140, and 159.
Also applies to: 54-55, 115-116, 140-141, 159-160
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (23)
TEST_COVERAGE.mdlibs/sdk/jest.config.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/renderers/utils/detect.tslibs/uipack/src/runtime/sanitizer.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/typings/dts-parser.tslibs/utils/package.jsonlibs/utils/src/index.tslibs/utils/src/naming/naming.tslibs/utils/src/path/path.tslibs/utils/src/regex/__tests__/safe-regex.spec.tslibs/utils/src/regex/index.tslibs/utils/src/regex/patterns.tslibs/utils/src/regex/safe-regex.tslibs/utils/src/uri/uri-template.tsplugins/plugin-approval/jest.config.tsplugins/plugin-approval/src/__tests__/approval.context-extension.test.tsplugins/plugin-approval/src/approval/__tests__/schemas.test.tsplugins/plugin-approval/src/hooks/__tests__/approval-check.hook.test.tsplugins/plugin-cache/jest.config.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- plugins/plugin-approval/jest.config.ts
🧰 Additional context used
📓 Path-based instructions (12)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.{ts,tsx}: Enable and use strict TypeScript settings - noanytypes without strong justification, useunknownfor generic type defaults instead
Avoid non-null assertions (!) - use proper error handling and throw specific errors when values are missing instead
Always use @frontmcp/utils for cryptographic operations - use hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode instead of node:crypto
Always use @frontmcp/utils for file system operations - use readFile, writeFile, mkdir, rename, unlink, stat, etc. instead of fs/promises or node:fs
Use constrained generic type parameters withRecord<string, string>or similar constraints instead of unconstrainedanydefaults
Files:
libs/utils/src/naming/naming.tslibs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/utils/src/uri/uri-template.tslibs/utils/src/regex/index.tslibs/utils/src/index.tslibs/utils/src/path/path.tslibs/uipack/src/registry/render-template.tslibs/utils/src/regex/__tests__/safe-regex.spec.tslibs/utils/src/regex/patterns.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/utils/src/regex/safe-regex.tslibs/sdk/jest.config.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
**/*.{ts,tsx,md}
📄 CodeRabbit inference engine (CLAUDE.md)
Document known limitations clearly in code comments and README files
Files:
libs/utils/src/naming/naming.tslibs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/utils/src/uri/uri-template.tslibs/utils/src/regex/index.tslibs/utils/src/index.tslibs/utils/src/path/path.tslibs/uipack/src/registry/render-template.tslibs/utils/src/regex/__tests__/safe-regex.spec.tslibs/utils/src/regex/patterns.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/utils/src/regex/safe-regex.tslibs/sdk/jest.config.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.tsTEST_COVERAGE.md
**/libs/**/src/**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Do not add backwards compatibility exports in new libraries - avoid legacy prefixes like PT-001 in test names
Files:
libs/utils/src/naming/naming.tslibs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/utils/src/uri/uri-template.tslibs/utils/src/regex/index.tslibs/utils/src/index.tslibs/utils/src/path/path.tslibs/uipack/src/registry/render-template.tslibs/utils/src/regex/__tests__/safe-regex.spec.tslibs/utils/src/regex/patterns.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/utils/src/regex/safe-regex.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
libs/**
⚙️ CodeRabbit configuration file
libs/**: Contains publishable SDK libraries. Review for API correctness, breaking changes, and consistency with docs. When public APIs change, ensure there is a matching docs/draft/docs/** update (not direct edits under docs/docs/**).
Files:
libs/utils/src/naming/naming.tslibs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/utils/src/uri/uri-template.tslibs/utils/src/regex/index.tslibs/utils/src/index.tslibs/utils/src/path/path.tslibs/utils/package.jsonlibs/uipack/src/registry/render-template.tslibs/utils/src/regex/__tests__/safe-regex.spec.tslibs/utils/src/regex/patterns.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/utils/src/regex/safe-regex.tslibs/sdk/jest.config.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
libs/uipack/**/{package.json,*.ts,*.tsx,*.js,*.jsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
Do not add React dependencies to @frontmcp/uipack - it must remain React-free. Use @frontmcp/ui for React components.
Files:
libs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
libs/uipack/**/{src,tests}/**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
Maintain 95%+ code coverage across statements, branches, functions, and lines
Files:
libs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
libs/uipack/**/{validation,**}/**/*.{ts,tsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
Use
.strict()on all Zod schemas for validation
Files:
libs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
**/libs/**/src/index.ts
📄 CodeRabbit inference engine (CLAUDE.md)
Use barrel exports (index.ts) for all TypeScript libraries - export everything users need, avoid legacy/alias exports
Files:
libs/utils/src/index.ts
**/*.{test,spec}.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Test all code paths including error conditions - include constructor validation tests, error class instanceof checks, and edge cases
Files:
libs/utils/src/regex/__tests__/safe-regex.spec.ts
libs/uipack/**/{theme,build,bundler}/**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
Do not hard-code CDN URLs - use theme.cdn configuration instead
Files:
libs/uipack/src/theme/css-to-theme.ts
libs/uipack/**/{renderers,handlebars,base-template}/**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
Never skip HTML escaping for user-provided content in renderers and templates
Files:
libs/uipack/src/renderers/utils/detect.ts
libs/uipack/**/{renderers,build}/**/*.{ts,tsx}
📄 CodeRabbit inference engine (libs/uipack/CLAUDE.md)
libs/uipack/**/{renderers,build}/**/*.{ts,tsx}: Use htmlRenderer for HTML template rendering without React dependency
Use mdxClientRenderer for CDN-based MDX rendering without bundled React
Files:
libs/uipack/src/renderers/utils/detect.ts
🧠 Learnings (33)
📓 Common learnings
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{src,tests}/**/*.{ts,tsx,js,jsx} : Maintain 95%+ code coverage across statements, branches, functions, and lines
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{package.json,*.ts,*.tsx,*.js,*.jsx} : Do not add React dependencies to frontmcp/uipack - it must remain React-free. Use frontmcp/ui for React components.
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{theme,adapters,bundler}/**/*.{test,spec}.{ts,tsx,js,jsx} : Test behavior across all supported platform configurations (OpenAI, Claude, etc.)
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{validation,**}/**/*.{ts,tsx} : Use `.strict()` on all Zod schemas for validation
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{renderers,handlebars,utils}/**/*.{test,spec}.{ts,tsx,js,jsx} : Test HTML escaping for user-provided content to prevent XSS vulnerabilities
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Configure approval requirements on tools using the `approval` decorator property with fields: `required`, `defaultScope`, `category`, `riskLevel`, and `approvalMessage`
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{src}/**/*.{ts,tsx,js,jsx} : Do not expose internal error details in public APIs - use sanitized error messages
Applied to files:
libs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/typings/dts-parser.tslibs/utils/src/regex/index.tslibs/utils/src/index.tslibs/uipack/src/registry/render-template.tslibs/utils/src/regex/patterns.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{renderers,handlebars,utils}/**/*.{test,spec}.{ts,tsx,js,jsx} : Test HTML escaping for user-provided content to prevent XSS vulnerabilities
Applied to files:
libs/uipack/src/runtime/sanitizer.tslibs/uipack/src/dependency/import-map.tslibs/uipack/src/registry/render-template.tslibs/utils/src/regex/__tests__/safe-regex.spec.tslibs/uipack/src/bridge-runtime/iife-generator.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.tsTEST_COVERAGE.md
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{package.json,*.ts,*.tsx,*.js,*.jsx} : Do not add React dependencies to frontmcp/uipack - it must remain React-free. Use frontmcp/ui for React components.
Applied to files:
libs/uipack/src/dependency/import-map.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/index.{ts,js} : Export all public APIs through appropriate entry points (frontmcp/uipack, frontmcp/uipack/adapters, frontmcp/uipack/theme, etc.)
Applied to files:
libs/uipack/src/dependency/import-map.tslibs/utils/src/regex/index.tslibs/utils/src/index.ts
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/bundler/**/*.{ts,tsx} : The bundler module must re-export utilities from frontmcp/uipack/bundler and provide SSR component bundling functionality
Applied to files:
libs/uipack/src/dependency/import-map.tslibs/sdk/jest.config.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{renderers,build}/**/*.{ts,tsx} : Use mdxClientRenderer for CDN-based MDX rendering without bundled React
Applied to files:
libs/uipack/src/dependency/import-map.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/renderers/utils/detect.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{renderers,handlebars,base-template}/**/*.{ts,tsx,js,jsx} : Never skip HTML escaping for user-provided content in renderers and templates
Applied to files:
libs/uipack/src/dependency/import-map.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/theme/css-to-theme.tslibs/uipack/src/renderers/utils/detect.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{build,bundler}/**/*.{ts,tsx,js,jsx} : For server-side MDX rendering with bundled React, use frontmcp/ui/renderers instead of frontmcp/uipack/renderers
Applied to files:
libs/uipack/src/dependency/import-map.tslibs/uipack/src/registry/render-template.tslibs/uipack/src/renderers/utils/detect.ts
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/**/*.{ts,tsx} : Never import React-free utilities from frontmcp/ui; use frontmcp/uipack for bundling, build tools, platform adapters, and theme utilities
Applied to files:
libs/uipack/src/dependency/import-map.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{src,tests}/**/*.{ts,tsx,js,jsx} : Maintain 95%+ code coverage across statements, branches, functions, and lines
Applied to files:
libs/uipack/src/dependency/import-map.tslibs/sdk/jest.config.tsTEST_COVERAGE.md
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{src}/**/*.{ts,tsx} : Do not use `any` type without justification in TypeScript code
Applied to files:
libs/uipack/src/typings/dts-parser.tslibs/uipack/src/renderers/utils/detect.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{validation,**}/**/*.{ts,tsx} : Use `.strict()` on all Zod schemas for validation
Applied to files:
libs/uipack/src/typings/dts-parser.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/**/src/index.ts : Use barrel exports (index.ts) for all TypeScript libraries - export everything users need, avoid legacy/alias exports
Applied to files:
libs/utils/src/regex/index.tslibs/utils/src/index.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/**/src/**/*.{ts,tsx} : Do not add backwards compatibility exports in new libraries - avoid legacy prefixes like PT-001 in test names
Applied to files:
libs/utils/src/regex/index.tslibs/utils/src/regex/patterns.tslibs/sdk/jest.config.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/sdk/src/common/records/**/*.ts : Centralize record types in common/records directory - import AnyResourceRecord and similar types from common/records, not from module-specific files
Applied to files:
libs/utils/src/regex/index.ts
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{ts,tsx} : Always use frontmcp/utils for cryptographic operations - use hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode instead of node:crypto
Applied to files:
libs/utils/src/regex/index.tslibs/utils/src/index.tslibs/utils/package.json
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Always use `frontmcp/utils` for cryptographic operations (hkdfSha256, encryptAesGcm, decryptAesGcm, randomBytes, sha256, sha256Hex, base64urlEncode, base64urlDecode) instead of `node:crypto`
Applied to files:
libs/utils/src/index.tslibs/utils/package.json
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Avoid using `node:crypto` directly; always use `frontmcp/utils` for cross-platform cryptographic support
Applied to files:
libs/utils/package.json
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{ts,tsx} : Always use frontmcp/utils for file system operations - use readFile, writeFile, mkdir, rename, unlink, stat, etc. instead of fs/promises or node:fs
Applied to files:
libs/utils/package.json
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/package.json : The frontmcp/ui package requires React as a peer dependency (^18.0.0 || ^19.0.0)
Applied to files:
libs/utils/package.json
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/*.{test,spec}.{ts,tsx} : Test all code paths including error conditions - include constructor validation tests, error class instanceof checks, and edge cases
Applied to files:
libs/utils/src/regex/__tests__/safe-regex.spec.tsTEST_COVERAGE.md
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{theme,adapters,bundler}/**/*.{test,spec}.{ts,tsx,js,jsx} : Test behavior across all supported platform configurations (OpenAI, Claude, etc.)
Applied to files:
libs/utils/src/regex/__tests__/safe-regex.spec.tslibs/sdk/jest.config.tsTEST_COVERAGE.md
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/*.{test,spec}.{ts,tsx,js,jsx} : Every component and utility must test invalid inputs and edge cases
Applied to files:
libs/utils/src/regex/__tests__/safe-regex.spec.tsTEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Extend tool metadata using `declare global` pattern to allow tools to specify plugin-specific options in their decorators
Applied to files:
libs/utils/src/regex/patterns.ts
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/**/*.test.{ts,tsx} : Test coverage must be 95%+ across statements, branches, functions, and lines
Applied to files:
libs/sdk/jest.config.tsTEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:41.820Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.820Z
Learning: Applies to **/libs/{sdk,plugins}/**/src/**/*preset*.ts : Follow the preset pattern for hierarchical configurations - create preset files that provide layered, hierarchical settings
Applied to files:
libs/sdk/jest.config.ts
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.ts : Use proper ES module imports instead of `require()` for SDK imports; avoid dynamic require of `frontmcp/sdk` modules
Applied to files:
libs/sdk/jest.config.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{theme,build,bundler}/**/*.{ts,tsx,js,jsx} : Do not hard-code CDN URLs - use theme.cdn configuration instead
Applied to files:
libs/uipack/src/theme/css-to-theme.ts
📚 Learning: 2026-01-04T14:35:18.353Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/uipack/CLAUDE.md:0-0
Timestamp: 2026-01-04T14:35:18.353Z
Learning: Applies to libs/uipack/**/{renderers,build}/**/*.{ts,tsx} : Use htmlRenderer for HTML template rendering without React dependency
Applied to files:
libs/uipack/src/renderers/utils/detect.ts
📚 Learning: 2026-01-06T02:34:55.680Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/plugins/CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:55.680Z
Learning: Applies to libs/plugins/**/*.test.ts : Tests must achieve 95%+ code coverage across all metrics; use `MockStore` implementing `RememberStoreInterface` for RememberPlugin testing
Applied to files:
TEST_COVERAGE.md
📚 Learning: 2026-01-06T02:34:41.821Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-06T02:34:41.821Z
Learning: Achieve 95%+ test coverage across all metrics (statements, branches, functions, lines)
Applied to files:
TEST_COVERAGE.md
📚 Learning: 2025-12-24T00:41:41.819Z
Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: libs/ui/CLAUDE.md:0-0
Timestamp: 2025-12-24T00:41:41.819Z
Learning: Applies to libs/ui/src/**/*.test.{ts,tsx} : Use React Testing Library for component tests and include SSR/hydration tests for all interactive components
Applied to files:
TEST_COVERAGE.md
🧬 Code graph analysis (4)
libs/utils/src/naming/naming.ts (2)
libs/utils/src/index.ts (1)
trimBoth(146-146)libs/utils/src/regex/patterns.ts (1)
trimBoth(87-89)
libs/utils/src/path/path.ts (2)
libs/utils/src/index.ts (1)
trimBoth(146-146)libs/utils/src/regex/patterns.ts (1)
trimBoth(87-89)
libs/utils/src/regex/__tests__/safe-regex.spec.ts (3)
libs/utils/src/index.ts (18)
analyzePattern(133-133)isPatternSafe(134-134)createSafeRegExp(135-135)safeTest(136-136)DEFAULT_MAX_INPUT_LENGTH(141-141)safeMatch(137-137)safeReplace(138-138)safeExec(139-139)isInputLengthSafe(140-140)trimLeading(144-144)trimTrailing(145-145)trimBoth(146-146)trimChars(147-147)extractBracedParams(148-148)expandTemplate(149-149)hasTemplatePlaceholders(150-150)collapseChar(151-151)collapseWhitespace(152-152)libs/utils/src/regex/safe-regex.ts (9)
analyzePattern(75-111)isPatternSafe(127-129)createSafeRegExp(147-164)safeTest(186-194)DEFAULT_MAX_INPUT_LENGTH(14-14)safeMatch(211-219)safeReplace(237-250)safeExec(267-275)isInputLengthSafe(284-286)libs/utils/src/regex/patterns.ts (9)
trimLeading(27-38)trimTrailing(57-68)trimBoth(87-89)trimChars(103-119)extractBracedParams(140-179)expandTemplate(200-254)hasTemplatePlaceholders(265-277)collapseChar(295-318)collapseWhitespace(334-362)
libs/utils/src/regex/patterns.ts (2)
libs/utils/src/index.ts (10)
trimLeading(144-144)trimTrailing(145-145)trimBoth(146-146)trimChars(147-147)extractBracedParams(148-148)DEFAULT_MAX_INPUT_LENGTH(141-141)expandTemplate(149-149)hasTemplatePlaceholders(150-150)collapseChar(151-151)collapseWhitespace(152-152)libs/utils/src/regex/safe-regex.ts (1)
DEFAULT_MAX_INPUT_LENGTH(14-14)
🪛 ast-grep (0.40.3)
libs/utils/src/regex/safe-regex.ts
[warning] 82-82: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(patternStr)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
(regexp-from-variable)
[warning] 159-159: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(pattern, flags)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
(regexp-from-variable)
🪛 LanguageTool
TEST_COVERAGE.md
[grammar] ~60-~60: Ensure spelling is correct
Context: ...s : 38.50% ( 6068/15757 ) ### uipack text Tests: 941 passed, 941 total Statements : 48.03% Branches : 39.54% Functions : 47.14% Lines : 47.51% ### ui text Tests: 514 passed (3 s...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Build Libraries
- GitHub Check: Lint & Format Checks
- GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (21)
libs/sdk/jest.config.ts (1)
19-26: LGTM! Coverage configuration appropriately scopes collection to source code.The
collectCoverageFrompattern correctly focuses on implementation files while excluding barrel exports (index.ts), declaration files, and test utilities. This ensures coverage metrics reflect actual source code quality rather than re-exports or test infrastructure.libs/uipack/src/registry/render-template.ts (1)
18-36: LGTM! ReDoS protection applied correctly.The length guard effectively prevents ReDoS attacks on the MDX detection regex patterns. The 100KB threshold is reasonable, and the guard is correctly placed before any regex operations.
Note that this changes behavior for very large inputs: templates exceeding the limit will not be detected as MDX and will be processed as plain strings instead.
libs/uipack/src/dependency/import-map.ts (1)
239-243: LGTM! ReDoS protection for minification path.The guard correctly prevents ReDoS in the minification regex by only applying minification when the code length is within the 100KB threshold. For oversized inputs, the unminified code is returned as a safe fallback.
libs/uipack/src/renderers/utils/detect.ts (3)
11-15: LGTM! ReDoS protection for template detection.The length guard prevents ReDoS attacks on template detection regex patterns. Note that the 50KB threshold is more conservative than the 100KB limit used in other files (e.g., render-template.ts, import-map.ts), which is reasonable given that template detection may run more frequently.
121-124: LGTM! Guard correctly placed before regex operations.The guard in
containsJsxprevents ReDoS by returning false for oversized inputs before any regex patterns are evaluated.
186-189: LGTM! Guard correctly placed before regex operations.The guard in
containsMdxSyntaxprevents ReDoS by returning false for oversized inputs before any regex patterns are evaluated.libs/utils/package.json (1)
29-29: ast-guard@2.1.0 is valid and free from known security advisories.The version exists on the npm registry as the current latest release and is not deprecated. No security advisories or CVEs are reported for this package.
libs/utils/src/path/path.ts (1)
7-8: LGTM! Safe refactoring to prevent ReDoS vulnerability.The delegation to
trimBothis a clean approach that maintains identical behavior while eliminating the vulnerable/^\/+|\/+$/gpattern. The null coalescing handles edge cases correctly.Also applies to: 23-25
libs/uipack/src/bridge-runtime/iife-generator.ts (1)
935-956: LGTM! ReDoS guard for minification is appropriate.The 500KB threshold is sensible for JS minification, and returning the original code on oversized inputs is a safe fallback. The regex patterns used in
minifyJSare relatively simple and the length guard provides adequate protection.libs/utils/src/regex/patterns.ts (4)
1-9: Well-designed module with comprehensive safe string utilities.Good use of index-based parsing throughout to avoid ReDoS vulnerabilities. The import of
DEFAULT_MAX_INPUT_LENGTHensures consistency with the safe-regex module.
27-38: Clean implementations oftrimLeadingandtrimTrailing.The early returns for invalid
charlength and null input are handled correctly. Usingslice()at the end avoids unnecessary allocations when no trimming is needed.Also applies to: 57-68
140-179: Robust template parameter extraction with nested brace handling.The logic correctly skips nested braces and validates parameter names. One minor observation:
paramName.trim()on line 170 handles whitespace inside braces (e.g.,{ param }), which is a nice touch.
334-362: Comprehensive whitespace detection incollapseWhitespace.Including
\fand\valongside common whitespace characters ensures complete coverage. The length guard prevents processing of oversized inputs.libs/utils/src/regex/safe-regex.ts (3)
75-111: Solid pattern analysis with proper error handling.The two-phase approach (syntax validation first, then ReDoS analysis) is correct. The static analysis warning on line 82 is a false positive—the RegExp is only used for syntax validation, not for matching against untrusted input.
147-164: Safe RegExp creation with pre-validation.The pattern is only instantiated after
analyzePatternconfirms it's safe. The static analysis warning on line 159 is a false positive since the pattern has been validated by ast-guard before reaching this point.
186-194: Consistent length-protected wrappers for regex operations.The
safeTest,safeMatch, andsafeExecfunctions provide uniform protection against oversized inputs. Returningnullfor oversized inputs allows callers to distinguish between "no match" and "input rejected."Also applies to: 211-219, 267-275
libs/uipack/src/typings/dts-parser.ts (1)
245-267: LGTM! Appropriate ReDoS guard for import statement parsing.The 2000 character limit is generous for import statements while still providing protection. Returning
nullfor oversized inputs maintains consistency with the existing "invalid import" return behavior.libs/utils/src/regex/index.ts (1)
1-25: LGTM! Clean barrel export with helpful documentation.The module documentation provides clear usage examples covering both pattern safety checking and safe operations. This follows the coding guidelines for barrel exports in TypeScript libraries.
libs/utils/src/naming/naming.ts (1)
8-9: LGTM! Safe refactoring inidFromString.The replacement of
/^-+|-+$/gwithtrimBothis correct and maintains identical behavior. The inline comment explaining the ReDoS prevention rationale is helpful for future maintainers.Also applies to: 143-149
libs/utils/src/regex/__tests__/safe-regex.spec.ts (1)
1-375: Excellent test coverage for safe-regex utilities.This comprehensive test suite covers all the safe-regex and pattern utilities with good coverage of:
- Valid and invalid patterns
- Edge cases (empty strings, null, undefined, malformed inputs)
- Length guards and custom options
- Performance/timing tests for ReDoS protection
The test structure is clear and follows coding guidelines for testing all code paths and error conditions.
Note on timing tests (lines 350-374): The timing assertions use
Date.now()with a 100ms threshold. While this should be stable in most environments, consider using higher thresholds in CI if these tests become flaky under heavy load.libs/utils/src/index.ts (1)
130-156: Well-structured barrel exports for safe regex utilities.The new export block follows coding guidelines correctly:
- Uses barrel exports pattern for the library's public API
- Organized with clear comments separating core functions, utilities, and types
- No legacy or alias exports
The safe regex utilities are now properly exposed for consumption via
@frontmcp/utils.
Summary by CodeRabbit
Documentation
Tests
Chores
Bug Fixes / Security
New Features
✏️ Tip: You can customize this high-level summary in your review settings.