AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/tests/test_markdown_render.py
minasarustamyan dc5e0e0d11
Marketplace UX overhaul: rich plugin/skill/agent detail + filename rename (#251) 
* Rename agnes-metadata.json to marketplace-metadata.json

Curated marketplace enrichment file (.claude-plugin/agnes-metadata.json)
becomes marketplace-metadata.json. Clean cut, no fallback — curators of
upstream marketplace repos must rename the file on their side.

Python API renames mirror the file rename: read_agnes_metadata →
read_marketplace_metadata, AGNES_METADATA_REL → MARKETPLACE_METADATA_REL,
AGNES_METADATA_MAX_BYTES → MARKETPLACE_METADATA_MAX_BYTES. Synth Claude
Code marketplace strip rule (.agnes/** + the metadata file) follows the
new filename.

* Marketplace detail polish: window cover + 715:310 aspect + helper alignment

- Plugin & item (skill/agent) detail hero: 160x160 square cover replaced
  with a macOS-style window frame (3 traffic-light dots + titlebar label
  showing the entity name). Body is constrained to 715:310 so curator-
  uploaded covers no longer crop to a square. Window is 380px wide; meta
  column and absolutely-positioned top-right install/remove actions stay
  put. Fallback when no cover_photo_url (translucent gradient + PL/SK/AG
  initials) is unchanged, just inside the window body.

- Inner skill/agent cards in the plugin detail's Internal structure
  section adopt the same 715:310 aspect (was fixed 78px tall). No window
  chrome on inner cards — just the matching proportions so covers read
  consistently across hero, grid tiles, and listing cards.

- Curated nested item helper text ("This skill is part of ... — add the
  bundle to your stack to use it") now stacks UNDER the "Open parent
  plugin" button instead of being a side-by-side flex sibling in the
  actions-row. Added align-self: flex-end so the 260px helper box
  anchors at the right edge of the 300px actions column, matching the
  button's right edge.

* Marketplace My tab: surface the same category + type filters as Flea

- Frontend: mp-cat-row and mp-type-row now show on tab=my (previously
  hidden — type was flea-only, category was flea/curated-only). Curated
  browse stays plugin-only and continues to hide the type pills.
  fetchOne() sends the `type` param for tab=my too, so the items
  endpoint's existing my-branch filter actually receives it.

- Backend categories endpoint, tab=my branch: when the type filter is
  set to skill/agent, skip counting curated subscriptions. Curated
  plugins are always type='plugin', so they wouldn't survive the items
  endpoint's type filter; including them in the category counts made
  the pill numbers overstate what users could actually see in the
  grid. type=None or type='plugin' keeps the previous behaviour.

- CHANGELOG entry under [Unreleased].

* Marketplace plugin detail: render rich content from marketplace-metadata.json

Adds five optional plugin-level fields to marketplace-metadata.json and
renders them on the curated plugin detail page + listing card:

* display_name — friendly h1 / listing-card name / mac-window titlebar
  label (overrides the technical plugin id)
* tagline — punchy 1-line value prop for the hero subtitle and the
  listing card description (replacing the verbose marketplace.json
  description on cards)
* description — multi-paragraph markdown body, server-side rendered
  through markdown-it-py and sanitized through nh3 with a
  description-scoped allowlist (no iframes / no raw HTML / no
  javascript: links). Powers the "What it does" panel.
* use_cases[] — {title, description, prompt} entries that render as a
  3-column "When to use it" card grid; each card shows the literal
  prompt as a code chip so users can copy-paste into Claude Code.
* sample_interaction — {user, assistant} dialog rendered in a Claude
  Code-style dark Catppuccin Mocha transcript panel: monospace user
  row with a green ">" prompt indicator + sans-serif assistant body
  with markdown formatting (peach bold, yellow italic, pink inline
  code, mantle-dark fenced code blocks).

All five fields are optional; UI sections only render when populated,
so plugins without enrichment look identical to before. Fields are
read on-demand from the working tree (cached by mtime per marketplace
slug) so curator edits land at the next request without waiting for
a sync cycle — same pattern as the existing inner-skill/agent
enrichment path. No DB schema bump.

Skill / agent rich-content rendering is deferred to a later phase
(needs a source-of-truth decision: extend plugin.yml? LLM-generate
from SKILL.md / agent.md?). The schema accepts the same fields at
skill/agent level today for forward compatibility but the UI ignores
them for now.

Also: stripped a stale `background-color: var(--bg)` from the global
`code` rule in style.css (was making inline code visually disappear
on the page background).

* Skill / agent detail: render rich content from marketplace-metadata.json

Brings the skill/agent detail pages to parity with the plugin detail
page. Same rich-content schema (display_name, tagline, description as
markdown, use_cases[], sample_interaction) plus two per-item additions:

* invocation — curator-provided literal command string. When set,
  overrides the computed "<manifest_name>:<inner_name>" chip and
  cleanly supports both "/" skill prefix and "@" agent prefix (the
  hardcoded "/" in the chip markup is hidden when the curator provides
  the invocation, so /grpn-eng:query <q> and @grpn-eng:cto-architect
  both render correctly).
* when_to_use — markdown disambiguation block ("Use this for X. For
  similar Y, see /other-skill") rendered into a new "When to use this"
  panel below the Example section.

Skill / agent category is now per-item overridable in
marketplace-metadata.json. When absent, the API keeps the parent
plugin's category as the badge so existing items don't lose their
category until curators opt in to per-item categorization.

The new "Example" Q&A panel uses the same Claude Code-style dark
Catppuccin Mocha transcript treatment as the plugin detail —
monospace user row with a green ">" prompt indicator + sans-serif
assistant body with markdown formatting.

All new fields are optional and read on-demand from the working tree.
Skills / agents whose marketplace-metadata.json doesn't carry rich
content render exactly the same way they did before (frontmatter
description + computed slash command + cover from existing v32
enrichment). No DB schema bump.

* Fix TypeError in skill / agent detail when curator sets per-item category

`curated_skill_detail` and `curated_agent_detail` were passing both
`**parent` (from `_curated_inner_parent_fields`, which returns the
parent plugin's category as a fallback) and `**enrichment` (from
`_curated_inner_enrichment`, which returns the per-item category
override when the curator set one) into `InnerDetailResponse(...)`.

Python function-call kwargs unpacking with overlapping keys raises
`TypeError: got multiple values for keyword argument 'category'`
— it doesn't merge like a literal dict does. The bug only surfaced
when the marketplace-metadata.json carried a `category` field at
skill / agent level (curator opting into per-item categorization);
items without that override hit the endpoint cleanly because only
parent provided the key.

Fix: build `merged = {**parent, **enrichment}` first (literal-dict
syntax DOES merge, with the right-hand-side winning) and unpack the
merged dict. Curator override still wins via the merge order, and
the same pattern is future-proof for any other field that lands in
both layers later.

Plus a regression test in test_marketplace_metadata.py asserting
that the inner-resolver carries `category` for downstream merging.

* Marketplace detail: tolerate partial curator JSON

Server constructed UseCase / SampleInteraction via raw dict indexing
(uc["title"], sample["assistant"]), so a curator commit missing any
required Pydantic field crashed the whole plugin / skill / agent detail
endpoint with a 500. Route both constructions through _safe_use_case /
_safe_sample_interaction helpers — partial input silently drops the
malformed card / section instead of breaking the page.

Regression test in test_marketplace_api.py covers the three shapes:
use_case missing a key, use_case with an empty string, and
sample_interaction with only user (no assistant). Sibling rich fields
still render.

* Address PR-251 review (must-fixes + S2/S3 polish) + release-cut 0.50.0

Five must-fixes from the review pass (3 from @cvrysanek's two-stage
review, 2 from my independent pass), plus the 0.50.0 release-cut as the
last commit on this PR per CLAUDE.md (CLAUDE.md "Release-cut belongs
to the PR" rule added in v0.49.1).

Must-fixes
----------

1. Cache eviction: bounded LRU instead of per-marketplace predicate.
   The previous predicate (`k[0] == marketplace_id and k[1] != mtime_ns`)
   only swept stale entries for the CURRENT marketplace; with N>100
   distinct marketplaces each holding one mtime key, the cap silently
   failed and memory grew linearly. Replaced with OrderedDict-backed
   bounded LRU at cap=256, drop oldest insert on overflow.
   Cache stress test pinned in test_marketplace_metadata.py.

2. Render CPU cap: per-field byte cap on description / when_to_use /
   sample_interaction.assistant via MARKETPLACE_METADATA_FIELD_MAX_BYTES
   (= 64 KiB). Without this, a 1 MiB curator markdown body × QPS =
   curator-controlled CPU burn through pure-Python markdown-it-py.
   Truncation respects UTF-8 boundaries and logs a warning so the
   curator sees the cap fire on the next sync. Test for cap +
   UTF-8-boundary preservation.

3. Inner-detail bypassed the metadata cache. _curated_inner_enrichment,
   _curated_inner_cover, and curated_detail all called
   read_marketplace_metadata directly, defeating the mtime cache the
   plugin listing already shared. Routed all three through
   _read_metadata_cached so skill/agent detail hits are O(1) re-parses
   per marketplace per mtime instead of O(QPS).

4. Truthy-vs-presence trap in plugin/inner enrichment merge. API-layer
   writers used `if resolved.get(k):` which silently dropped any
   future falsy-but-valid resolver field (bool featured=False, int
   priority=0, str category=''). Switched to presence check
   (`if k in resolved`) so the resolver is the authority on field
   presence; `{**parent, **enrichment}` merge respects whatever the
   resolver decided to ship.

5. Vendor-agnostic OSS cleanup. Removed operator-specific token
   references (/grpn-eng:, @grpn-eng:, .foundryai/) from
   src/marketplace_metadata.py docstring, app/web/templates/
   marketplace_item_detail.html JS comment, docs/curated-marketplace-
   format.md, and tests/test_marketplace_metadata.py fixtures. Replaced
   with generic /my-plugin:tool / @my-agent:role / .example/ placeholders.

CHANGELOG
---------
- New "### Fixed (PR #251 follow-ups)" section documenting all 4
  code-side must-fixes
- New "### Internal" section noting the vendor cleanup + new tests
- BREAKING bullet for the file rename now covers operator-side
  migration: running instances see plugin enrichment disappear from
  the UI until upstream curator renames + nightly sync overwrites the
  working tree; POST /api/marketplaces/{id}/sync forces refresh sooner
- Stripped /grpn-eng: leaks from the existing skill/agent rich-content
  bullet

Tests
-----
128 targeted tests pass (test_marketplace_metadata, test_marketplace_api,
test_marketplace, test_markdown_render, test_marketplace_synth_strip,
test_marketplace_filter). New tests added:
- 6 XSS regression tests on render_safe (javascript:/data:/vbscript:
  schemes via autolink, reference link, and mixed-case + positive
  http/https/mailto + noopener noreferrer rel)
- 3 byte-cap tests (truncation + UTF-8 boundary + under-cap pass-through)
- 1 cache eviction stress test (>256 marketplaces -> bounded at cap)
- 1 truthy-vs-presence resolver-contract test

Release-cut
-----------
- pyproject.toml 0.49.1 -> 0.50.0 (minor; BREAKING file rename per
  pre-1.0 CHANGELOG note: "breaking changes called out under Changed
  or Removed with the BREAKING marker")
- CHANGELOG [Unreleased] -> [0.50.0] - 2026-05-12, new empty
  [Unreleased] on top.

---------

Co-authored-by: Minas Arustamyan <arustamyan.minas@gmail.com>
Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>
2026-05-12 08:38:39 +00:00

208 lines
7.7 KiB
Python
Raw Blame History

"""Tests for app/markdown_render.py — the curator-content render+sanitize path."""
from __future__ import annotations
from app.markdown_render import render_safe
# --- Empty / null inputs -------------------------------------------------
def test_render_safe_none_returns_empty_string():
assert render_safe(None) == ""
def test_render_safe_empty_string_returns_empty_string():
assert render_safe("") == ""
def test_render_safe_whitespace_only_returns_empty_or_trivial():
# Whitespace-only markdown renders to "" or a single empty paragraph;
# either is acceptable — both render as nothing visually.
out = render_safe(" \n ")
assert out.strip() in {"", "<p></p>"}
# --- Allowed formatting survives -----------------------------------------
def test_render_safe_renders_paragraph_with_bold():
assert render_safe("**hello** world").strip() == "<p><strong>hello</strong> world</p>"
def test_render_safe_renders_italic():
assert "<em>x</em>" in render_safe("*x*")
def test_render_safe_renders_inline_code():
assert "<code>foo()</code>" in render_safe("`foo()`")
def test_render_safe_renders_fenced_code_block():
out = render_safe("```py\nprint('hi')\n```")
assert "<pre>" in out
assert "<code>" in out
# The literal `print('hi')` must end up inside <code> — apostrophe is
# safe in attribute-free body text so escaping is not strictly required.
assert "print(" in out
assert "'hi'" in out or "&#39;hi&#39;" in out
def test_render_safe_renders_lists():
out = render_safe("- one\n- two\n- three")
assert out.count("<li>") == 3
assert "<ul>" in out
def test_render_safe_renders_headings():
out = render_safe("## Heading two\n\n### Heading three")
assert "<h2>" in out
assert "<h3>" in out
def test_render_safe_renders_blockquote():
out = render_safe("> Quoted line")
assert "<blockquote>" in out
def test_render_safe_renders_strikethrough():
out = render_safe("~~old~~")
assert "<s>" in out or "<del>" in out # markdown-it emits <s>
def test_render_safe_table_supported():
md = "| A | B |\n|---|---|\n| 1 | 2 |"
out = render_safe(md)
assert "<table>" in out
assert "<th>" in out
assert "<td>1</td>" in out
# --- Links --------------------------------------------------------------
def test_render_safe_renders_http_link_with_rel_noopener():
out = render_safe("[link](https://example.com)")
assert "<a" in out
assert 'href="https://example.com"' in out
assert "noopener" in out
def test_render_safe_strips_javascript_url():
"""`javascript:` URLs must NOT survive into an executable <a href>.
Markdown-it rejects the link at parse time (scheme isn't valid for an
autolink target) leaving the [bad](javascript:...) source as plain
text. The text bytes survive but are inert — no anchor tag wraps them.
"""
out = render_safe("[bad](javascript:alert(1))")
# The dangerous bit is `<a href="javascript:..."` — verify no such
# anchor is emitted. The literal text "javascript:" CAN appear as
# plain text in the rendered paragraph; that's inert.
assert '<a href="javascript:' not in out.lower()
assert "<a " not in out # no <a> tag at all means no clickable href
def test_render_safe_strips_data_url():
"""`data:` URLs also blocked (image-payload / phishing vector)."""
out = render_safe("[x](data:text/html,test)")
assert '<a href="data:' not in out.lower()
assert "<a " not in out
def test_render_safe_allows_mailto():
"""mailto: stays in the allowlist for contact links in descriptions."""
out = render_safe("[email](mailto:hi@example.com)")
assert 'href="mailto:hi@example.com"' in out
# --- HTML injection ------------------------------------------------------
def test_render_safe_strips_raw_script_tag():
"""Curator pastes `<script>` literally in markdown source — markdown-it
is configured with `html=False` so raw HTML is escaped, not parsed.
nh3's second-pass sanitizes whatever escaping missed."""
out = render_safe("Hello <script>alert(1)</script> world")
assert "<script>" not in out
assert "alert(1)" not in out or "&lt;script&gt;" in out
def test_render_safe_strips_iframe():
"""Iframes are not in this allowlist (the news sanitizer permits them
for video providers; marketplace descriptions don't need them)."""
out = render_safe('<iframe src="https://evil.example.com"></iframe>')
assert "<iframe" not in out
assert "evil.example.com" not in out or "&lt;iframe" in out
def test_render_safe_strips_event_handler_attribute():
"""`onerror=` on an <img> must NOT survive into the rendered HTML as
an executable attribute. markdown-it with `html=False` already escapes
the literal `<img ...>` to `&lt;img ...&gt;` text; verify no live
`<img>` tag (with or without onerror) reaches output."""
out = render_safe('<img src=x onerror=alert(1)>')
# No live <img> tag — the raw HTML was escaped to text, the substring
# "onerror" may appear inside escaped text but cannot fire.
assert "<img" not in out # raw open-tag would mean live attribute
# The escaped form `&lt;img` is fine.
assert "&lt;img" in out or "&amp;lt;img" in out
# --- XSS regression — disallowed schemes via markdown-native links ----------
# CommonMark autolinks (e.g. `<javascript:alert(1)>`) and reference links
# emit `href` regardless of scheme; defense rests on nh3's `url_schemes`
# allowlist. These tests pin the scheme allowlist so adding `data:` /
# `tel:` / etc. later requires updating both the allowlist AND a test.
def test_render_safe_strips_javascript_autolink():
"""`<javascript:...>` autolink — with `html=False` markdown-it escapes
the literal `<` to `&lt;`, so it never reaches the href emitter at all.
Either way: no live `<a href="javascript:...">` anchor in output."""
out = render_safe("<javascript:alert(1)>")
assert 'href="javascript:' not in out.lower()
assert "<a " not in out # no anchor tag at all
def test_render_safe_strips_javascript_link_mixed_case():
"""Scheme matching must be case-insensitive (`JaVaScRiPt:` would slip
through a literal-string filter). `javascript:` may appear as escaped
text in the output; the invariant is that no live `<a href=...>`
anchor was emitted."""
out = render_safe("[click](JaVaScRiPt:alert(1))")
assert 'href=' not in out # link entirely stripped
def test_render_safe_strips_data_url_link():
"""`data:` URLs can carry `text/html` payloads — browsers happily
execute scripts in them. Allowlist must reject."""
out = render_safe("[click](data:text/html,<script>alert(1)</script>)")
assert 'href="data:' not in out.lower()
def test_render_safe_strips_vbscript_link():
"""Legacy IE attack surface, still worth pinning."""
out = render_safe("[click](vbscript:msgbox(1))")
assert 'href="vbscript:' not in out.lower()
def test_render_safe_strips_javascript_reference_link():
"""Reference-style links route through the same href emitter."""
out = render_safe("[click][1]\n\n[1]: javascript:alert(1)")
assert 'href="javascript:' not in out.lower()
def test_render_safe_keeps_http_https_mailto_schemes():
"""Allowlist positive-coverage so future tightening is a visible diff."""
out = render_safe("[a](https://example.com) [b](http://example.com) [c](mailto:x@example.com)")
assert 'href="https://example.com"' in out
assert 'href="http://example.com"' in out
assert 'href="mailto:x@example.com"' in out
def test_render_safe_adds_noopener_noreferrer_rel():
"""Render must add `rel="noopener noreferrer"` to outbound links so
`window.opener` tabnabbing isn't possible from curator-controlled
markdown."""
out = render_safe("[a](https://example.com)")
assert "noopener" in out and "noreferrer" in out
Reference in a new issue View git blame Copy permalink