feat: Image Upload, Design Systems, and Test Hardening#294
Open
feat: Image Upload, Design Systems, and Test Hardening#294
Conversation
…kflows Adds 1x1.png fixture and updates theme-extensions tests to ensure clean ArrayBuffer usage.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…sHandler - DownloadAssetsInputSchema gets three optional fields (all backward-compatible): - fileMode (default 0o600): Unix permission bits for written files - tempDir (default outputDir): override atomic-write temp directory - assetsSubdir (default 'assets'): override assets subdirectory name - atomicRename() helper handles EXDEV cross-device fallback (copyFile+unlink) - assetsSubdir is guarded via path.basename() to strip traversal attempts - project-ext.ts: downloadAssets() now accepts an optional opts object - 3 new tests cover each option path; all 11 unit tests pass
| const tempFilename = `.tmp-${crypto.randomBytes(8).toString('hex')}-${filename}`; | ||
| const tempFullPath = path.join(resolvedTempDir, tempFilename); | ||
|
|
||
| await fs.writeFile(tempFullPath, Buffer.from(buffer), { flag: 'wx', mode: fileMode }); |
- domhandler: switch from value import to 'import type { AnyNode }' so tsc
can resolve the type without domhandler in package.json (it's a transitive
dep of cheerio, but not guaranteed to be hoisted in CI)
- CodeQL: temp filenames now contain only crypto.randomBytes — network-derived
filenames are never embedded in the temp path. The sanitized filename only
appears in the final atomicRename destination, which tsc/CodeQL can verify
is safe (sanitizeFilename strips everything non-alphanumeric)
- test: update writeFile assertion to check '.tmp-' instead of 'badname'
since temp paths are now fully random; rename-dest assertion unchanged
tsc resolves 'import type' the same as value imports — if the package isn't in package.json, the typecheck fails even in CI environments that don't hoist transitive deps. domhandler is pinned to 5.0.3 to match the version used by cheerio@1.0.0-rc.12.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR introduces several handwritten extensions to the Stitch SDK to support advanced workflows, along with test suite hardening:
Project.uploadImage(using private REST endpoints not exposed in MCP).Projectto infer themes from HTML, sync themes to the API, and inject them into prompts.Project.downloadAssetsmethod that localizes screen assets and preventsENAMETOOLONGerrors.as anyassertions in key test files.Usage
Image Upload & Theme Extraction Flow
Asset Downloader
Changes
Image Upload
Project.uploadImage— Handwritten method for direct REST upload of image assets (PNG, JPEG, WebP), returning domainScreenobjects.upload-handler.ts— Internal handler for managing multipart uploads and resolving correct endpoints.Design System Utilities (Handwritten)
Project.inferTheme(screenId)— Parses HTML of a screen to extract theme tokens (customColor, headlineFont, roundness) using a rule-based extraction system.Project.syncTheme(theme)— Orchestrates the API dance to either create or update the project's design system with the inferred theme.Project.themePrompt(prompt, theme)— Injects design system tokens into a text prompt to guide future generations.Asset Downloader
Project.downloadAssets(outputDir)— Downloads all screens and their referenced assets, rewriting URLs to be self-contained.ENAMETOOLONGerrors on deep paths.Test Suite & Hardening
theme-extensions.test.tswhere using.bufferexposed the Node.js shared pool. Now uses clean manualArrayBufferconstruction.as anycasts in tests and resolved all type errors intheme-extensions.test.ts.fleet-analyze.yml,fleet-dispatch.yml,fleet-label.yml,fleet-merge.yml, andjules-merge-conflicts.yml. Onlyci.ymlremains.