boocode

Author SHA1 Message Date

Author	SHA1	Message	Date
indifferentketchup	b5cf5a664e	v1.13.11-b: convert raw broker.publish call sites to typed publishFrame Second half of the WebSocket-frame-typing batch. Phase A (`b1c3daf`) landed the schemas + frontend receive validation + publishFrame / publishUserFrame wrappers. This commit converts the existing publish call sites so every server-emitted WS frame now goes through Zod validation at the broker boundary. Conversion strategy: change once in the inference / skills adapters in index.ts (so ctx.publish / ctx.publishUser propagate to publishFrame / publishUserFrame for ALL ~50 inference + auto_name call sites in one move), then bulk-replace the ~30 direct broker.publish* call sites in the routes + compaction. Files touched: - index.ts: inference + skills route adapters now call publishFrame / publishUserFrame internally; raw broker.publishUser('default', ...) call in the stale-row sweeper also converted. - routes/projects.ts (7 sites), routes/chats.ts (9 sites), routes/sessions.ts (8 sites): all broker.publishUser(...) → broker. publishUserFrame(...). - services/compaction.ts (3 sites): 2 publishUser, 1 publish. Real protocol drift surfaced by Zod, fixed in the same commit: services/compaction.ts:442 was publishing chat_status with status: 'working' — the v1.12.1 chat_status widening (CLAUDE.md:55) dropped this enum value in favor of streaming\|tool_running\|waiting_for_input\| idle\|error. The compaction.ts site was missed during v1.12.1; the frame had been published with an unknown enum value ever since (the frontend useChatStatus quietly ignored it). Corrected to 'streaming' — compaction's LLM call has the same dot-state semantic as an inference turn. This is exactly the class of bug v1.13.11 exists to catch. Schema relaxation: OpaqueObject (the bag type for nested entities like Project / Chat / Session / WorkspacePane embedded in WS frames) was z.object({}).passthrough(), which Zod outputs as {} & {[k:string]: unknown}. The strict-typed entities don't have index signatures so TypeScript rejected them at publishFrame call sites. Relaxed to z.unknown() — runtime validation still accepts the value, dev-time narrowing happens via the existing hand-maintained types. Trade-off: frame-level drift detection stays sharp; nested-payload validation goes to follow-up work as the brief intended. Schema audit: grep -rn "broker\.publish(\\|broker\.publishUser(" apps/server/src \ --include=".ts" \| grep -v "broker.ts\\|__tests__\\|.bak" → 0 results. Every server publish goes through publishFrame / publishUserFrame. The remaining ctx.publish / ctx.publishUser sites in services/inference/ + services/auto_name.ts route through the index.ts adapter, which calls publishFrame internally. Tests: 219/219 pass (unchanged from v1.13.11-a; the Phase B conversion is mechanical and doesn't add test cases). Smoke: clean container boot, no ws-frame-validation-failed entries under normal traffic. Sidebar list refresh + agent picker open both pass through useUserEvents without drops. ~70 LoC across 7 files. v1.13.11 closed.	2026-05-22 15:54:00 +00:00
indifferentketchup	b1c3dafd02	v1.13.11-a: WS frame schemas + frontend receive validation First half of the WebSocket-frame-typing batch (split per recon — total scope was ~535 LoC, larger than the roadmap's ~300 estimate, so the server-side publish-site conversion lands separately in v1.13.11-b). Phase A scope: (1) apps/server/src/types/ws-frames.ts (NEW) — Zod schemas for all 27 wire-format WS frame types. Discriminated union (WsFrameSchema) plus KNOWN_FRAME_TYPES const for diagnostic lookup. UUIDs are z.string(). uuid(); model-emitted tool_call_id stays z.string().min(1) since OpenAI- compatible APIs emit "call_<random>" not UUID. Per-kind payload narrowing (tool args, message_parts payloads) intentionally stays z.unknown() — frame-level drift detection is the goal; deep payload validation is follow-up work. (2) apps/web/src/api/ws-frames.ts (NEW) — byte-identical mirror of the authoritative server file. No path alias from web→server in the existing tsconfig setup; sync-by-hand was chosen over a new packages/shared/ dir. A ws-frames.test.ts test asserts the two files match. (3) apps/server/src/services/broker.ts — adds publishFrame() and publishUserFrame() methods to the Broker interface. Both validate via WsFrameSchema and fail-closed: log + drop on invalid. createBroker now accepts an optional FastifyBaseLogger so validation failures land in the pino stream (with console.error fallback for unit tests). The existing publish() / publishUser() raw methods stay legal — they get converted to the typed variants in v1.13.11-b. (4) apps/web/src/hooks/useSessionStream.ts + useUserEvents.ts — wrap ws.onmessage with WsFrameSchema.safeParse. Fail-closed: invalid frames log + return without dispatching. Hand-maintained WsFrame and SessionEvent types stay in place; one cast bridges Zod-typed → narrowed shape (Zod uses OpaqueObject for nested Message[] / WorkspacePane[] etc., which are dev-time-narrowed via the existing hand-maintained types). (5) apps/web/package.json — adds zod ^3.23.8 as a direct dep. Was a transitive dep via ai-sdk / postgres; promotion makes the import legal. (6) Tests: 15 new in ws-frames.test.ts covering happy-path per major frame type, drift-catchers (unknown type, invalid enum, non-UUID, negative tokens), parts-authoritative read variants, the mirror-file diff check, and four broker fail-closed scenarios. 219/219 server tests pass (was 204; +15 new). Two recon corrections to the dispatch brief, both flagged before implementation: - No 'parts_appended' frame exists. The brief assumed one; the codebase reads parts via the messages_with_parts view after message_complete triggers a refetch. MessagePartSchema is therefore unused this batch. - No 'tool_running' frame exists. The brief listed it as standalone; it is in fact a 'chat_status' variant ({ status: 'tool_running' }), already covered by ChatStatusFrame. Smoke: clean container boot, no validation errors in the server log. Real production frames pass validation (the schemas were derived from the existing hand-maintained types in api/types.ts and sessionEvents.ts). v1.13.11-b will follow immediately: convert all ~85 raw broker.publish / ctx.publish call sites across 11 server files to publishFrame / publishUserFrame. Mechanical edit; the wiring done here means the diff in -b is just the call-site swaps. ~310 LoC across 9 files (4 new + 5 modified).	2026-05-22 15:48:32 +00:00

b5cf5a664e

v1.13.11-b: convert raw broker.publish call sites to typed publishFrame

Second half of the WebSocket-frame-typing batch. Phase A (b1c3daf)
landed the schemas + frontend receive validation + publishFrame /
publishUserFrame wrappers. This commit converts the existing publish
call sites so every server-emitted WS frame now goes through Zod
validation at the broker boundary.

Conversion strategy: change once in the inference / skills adapters in
index.ts (so ctx.publish / ctx.publishUser propagate to publishFrame /
publishUserFrame for ALL ~50 inference + auto_name call sites in one
move), then bulk-replace the ~30 direct broker.publish* call sites in
the routes + compaction.

Files touched:
- index.ts: inference + skills route adapters now call publishFrame /
  publishUserFrame internally; raw broker.publishUser('default', ...)
  call in the stale-row sweeper also converted.
- routes/projects.ts (7 sites), routes/chats.ts (9 sites),
  routes/sessions.ts (8 sites): all broker.publishUser(...) → broker.
  publishUserFrame(...).
- services/compaction.ts (3 sites): 2 publishUser, 1 publish.

Real protocol drift surfaced by Zod, fixed in the same commit:

  services/compaction.ts:442 was publishing chat_status with status:
  'working' — the v1.12.1 chat_status widening (CLAUDE.md:55) dropped
  this enum value in favor of streaming|tool_running|waiting_for_input|
  idle|error. The compaction.ts site was missed during v1.12.1; the
  frame had been published with an unknown enum value ever since (the
  frontend useChatStatus quietly ignored it). Corrected to 'streaming'
  — compaction's LLM call has the same dot-state semantic as an
  inference turn. This is exactly the class of bug v1.13.11 exists to
  catch.

Schema relaxation: OpaqueObject (the bag type for nested entities like
Project / Chat / Session / WorkspacePane embedded in WS frames) was
z.object({}).passthrough(), which Zod outputs as {} & {[k:string]:
unknown}. The strict-typed entities don't have index signatures so
TypeScript rejected them at publishFrame call sites. Relaxed to
z.unknown() — runtime validation still accepts the value, dev-time
narrowing happens via the existing hand-maintained types. Trade-off:
frame-level drift detection stays sharp; nested-payload validation
goes to follow-up work as the brief intended.

Schema audit:
  grep -rn "broker\.publish(\|broker\.publishUser(" apps/server/src \
    --include="*.ts" | grep -v "broker.ts\|__tests__\|.bak"
  → 0 results. Every server publish goes through publishFrame /
  publishUserFrame. The remaining ctx.publish / ctx.publishUser sites
  in services/inference/* + services/auto_name.ts route through the
  index.ts adapter, which calls publishFrame internally.

Tests: 219/219 pass (unchanged from v1.13.11-a; the Phase B conversion
is mechanical and doesn't add test cases).

Smoke: clean container boot, no ws-frame-validation-failed entries
under normal traffic. Sidebar list refresh + agent picker open both
pass through useUserEvents without drops.

~70 LoC across 7 files. v1.13.11 closed.

2026-05-22 15:54:00 +00:00

indifferentketchup

b1c3dafd02

v1.13.11-a: WS frame schemas + frontend receive validation

First half of the WebSocket-frame-typing batch (split per recon — total
scope was ~535 LoC, larger than the roadmap's ~300 estimate, so the
server-side publish-site conversion lands separately in v1.13.11-b).

Phase A scope:

(1) apps/server/src/types/ws-frames.ts (NEW) — Zod schemas for all 27
wire-format WS frame types. Discriminated union (WsFrameSchema) plus
KNOWN_FRAME_TYPES const for diagnostic lookup. UUIDs are z.string().
uuid(); model-emitted tool_call_id stays z.string().min(1) since OpenAI-
compatible APIs emit "call_<random>" not UUID. Per-kind payload narrowing
(tool args, message_parts payloads) intentionally stays z.unknown() —
frame-level drift detection is the goal; deep payload validation is
follow-up work.

(2) apps/web/src/api/ws-frames.ts (NEW) — byte-identical mirror of the
authoritative server file. No path alias from web→server in the existing
tsconfig setup; sync-by-hand was chosen over a new packages/shared/ dir.
A ws-frames.test.ts test asserts the two files match.

(3) apps/server/src/services/broker.ts — adds publishFrame() and
publishUserFrame() methods to the Broker interface. Both validate via
WsFrameSchema and fail-closed: log + drop on invalid. createBroker now
accepts an optional FastifyBaseLogger so validation failures land in
the pino stream (with console.error fallback for unit tests). The
existing publish() / publishUser() raw methods stay legal — they get
converted to the typed variants in v1.13.11-b.

(4) apps/web/src/hooks/useSessionStream.ts + useUserEvents.ts — wrap
ws.onmessage with WsFrameSchema.safeParse. Fail-closed: invalid frames
log + return without dispatching. Hand-maintained WsFrame and
SessionEvent types stay in place; one cast bridges Zod-typed → narrowed
shape (Zod uses OpaqueObject for nested Message[] / WorkspacePane[] etc.,
which are dev-time-narrowed via the existing hand-maintained types).

(5) apps/web/package.json — adds zod ^3.23.8 as a direct dep. Was a
transitive dep via ai-sdk / postgres; promotion makes the import legal.

(6) Tests: 15 new in ws-frames.test.ts covering happy-path per major
frame type, drift-catchers (unknown type, invalid enum, non-UUID, negative
tokens), parts-authoritative read variants, the mirror-file diff check,
and four broker fail-closed scenarios. 219/219 server tests pass (was
204; +15 new).

Two recon corrections to the dispatch brief, both flagged before
implementation:

- No 'parts_appended' frame exists. The brief assumed one; the codebase
  reads parts via the messages_with_parts view after message_complete
  triggers a refetch. MessagePartSchema is therefore unused this batch.
- No 'tool_running' frame exists. The brief listed it as standalone; it
  is in fact a 'chat_status' variant ({ status: 'tool_running' }), already
  covered by ChatStatusFrame.

Smoke: clean container boot, no validation errors in the server log. Real
production frames pass validation (the schemas were derived from the
existing hand-maintained types in api/types.ts and sessionEvents.ts).

v1.13.11-b will follow immediately: convert all ~85 raw broker.publish /
ctx.publish call sites across 11 server files to publishFrame /
publishUserFrame. Mechanical edit; the wiring done here means the diff
in -b is just the call-site swaps.

~310 LoC across 9 files (4 new + 5 modified).

2026-05-22 15:48:32 +00:00

2 Commits