Merge branch 'main' into dependabot/npm_and_yarn/zod-4.3.6

Author: unclesp1d3r

.github/workflows/ci.yml

@@ -64,7 +64,7 @@ jobs:
 
       - name: Upload Playwright report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: playwright-report
           path: packages/frontend/playwright-report/

.gitignore

@@ -43,6 +43,20 @@ temp/
 packages/frontend/test-results/
 packages/frontend/playwright-report/
 
-# Local config
-.claude.local.md
+**/*.local.*
+
+# AI coding assistants (local state, not shared)
+docs/plans/
 .plan/
+.agent/
+.agents/
+.augment/
+.claude/
+.cursor/
+.roo/
+.full-review/
+SECURITY_AUDIT.md
+todos/
+**/tessl__*
+.tessl/tiles/
+.tessl/RULES.md

AGENTS.md

@@ -127,6 +127,11 @@ The backend is a Bun + Hono + TypeScript service:
 - **Database (`src/db/`)** — Drizzle client setup and connection config
 - **Middleware (`src/middleware/`)** — auth, validation, error handling
 
+### Drizzle ORM raw SQL patterns
+
+- `db.execute(sql`...`)` with postgres-js returns array-like result — access rows as `result[0]`, not `result.rows[0]`
+- Drizzle doesn't support `FOR UPDATE SKIP LOCKED` natively — use raw `db.execute(sql`...`)` with a CTE for atomic claim patterns
+
 ### RBAC middleware
 
 Two RBAC middleware variants in `src/middleware/rbac.ts`:
@@ -216,6 +221,8 @@ just ci-check    # Runs: lint → format-check → type-check → build → test
 - **E2E tests**: Playwright for complete user workflows
 - **Contract tests**: Validate Agent API responses against the OpenAPI spec
 
+- **Pure function extraction**: For DB-dependent logic, extract the core algorithm as a pure function and test directly (e.g., DAG validation, threshold decisions) — avoids complex DB mocking
+
 Test the hot paths first: hash submission ingestion, work unit distribution, agent heartbeat processing.
 
 ## Design and documentation sources
@@ -267,9 +274,12 @@ Without this, auth middleware 401 responses get swallowed into 500s.
 
 ## Testing infrastructure
 
-- Backend contract tests validate auth (401) and validation (400) without a running DB
+- Backend contract tests validate auth (401), validation (400), and camelCase response shapes (200) without a running DB
 - Drizzle mock chains must match production code — e.g. `insert().values()` returning `{ onConflictDoNothing: mock() }`
 - BullMQ worker test mocks: if worker does `db.select()`, mock must return chainable `{ from: mock(() => chain), where: mock(() => Promise.resolve([])) }`
+- **bun:test `mock.module()`**: Mock dependencies before `await import()` of module under test — used for service tests that need DB/queue mocks
+- **Route-level contract tests**: When mocking for `import { app }`, mock ALL transitive service dependencies (e.g., `tasks.js` → `events.js` + `campaigns.js`). Mock `db.execute` with snake_case rows to validate the camelCase mapping, not the service function directly.
+- **Separate test files for conflicting mocks**: If a module is already imported at top level in one test file (e.g., `resolveGenerationStrategy` in `campaigns.test.ts`), tests needing full module mocks for the same source must go in a separate test file to avoid import-order conflicts.
 - Frontend tests use `happy-dom` with manual global injection (not `@happy-dom/global-registrator`)
 - Always call `afterEach(cleanup)` in Testing Library tests — DOM persists in happy-dom
 - Test fixtures: `packages/backend/tests/fixtures.ts` — factory functions + token helpers

packages/backend/src/services/campaigns.ts

@@ -3,8 +3,34 @@ import { and, desc, eq, sql } from 'drizzle-orm';
 import { db } from '../db/index.js';
 import { emitCampaignStatus } from './events.js';
 
-// Threshold: if estimated task count is below this, generate inline
-const INLINE_GENERATION_THRESHOLD = 50;
+// Threshold: inline generation when estimated tasks < 100, async enqueue when >= 100
+export const INLINE_GENERATION_THRESHOLD = 100;
+const CHUNK_SIZE = 10_000_000;
+
+// Dynamic import getters — break circular dependency (campaigns ↔ tasks) while
+// remaining testable. bun:test's mock.module cannot override already-cached
+// dynamic imports across test files, so tests swap these getters instead.
+export const _deps = {
+  getTasksModule: () => import('./tasks.js'),
+  getQueueContext: () => import('../queue/context.js'),
+  getQueueConfig: () => import('../config/queue.js'),
+  getQueueTypes: () => import('../queue/types.js'),
+};
+
+/**
+ * Estimates total task count and returns the generation strategy.
+ * Exported for direct unit testing of the threshold boundary.
+ */
+export function resolveGenerationStrategy(
+  attackList: ReadonlyArray<{ keyspace: string | null }>
+): 'inline' | 'async' {
+  let estimatedTasks = 0;
+  for (const atk of attackList) {
+    const keyspace = Number.parseInt(atk.keyspace ?? '0', 10);
+    estimatedTasks += keyspace <= 0 ? 1 : Math.ceil(keyspace / CHUNK_SIZE);
+  }
+  return estimatedTasks < INLINE_GENERATION_THRESHOLD ? 'inline' : 'async';
+}
 
 // ─── Campaign CRUD ──────────────────────────────────────────────────
 
@@ -127,7 +153,7 @@ export async function transitionCampaign(id: number, targetStatus: CampaignStatu
 
   // When starting/resuming a campaign, verify queue availability before transitioning
   if (targetStatus === 'running') {
-    const { getQueueManager } = await import('../queue/context.js');
+    const { getQueueManager } = await _deps.getQueueContext();
     const qm = getQueueManager();
     if (!qm) {
       return {
@@ -184,23 +210,17 @@ export async function transitionCampaign(id: number, targetStatus: CampaignStatu
   if (targetStatus === 'running') {
     const campaignAttacks = await listAttacks(id);
     if (campaignAttacks.length > 0) {
-      // Estimate task count: sum keyspace / chunk-size across attacks
-      const CHUNK_SIZE = 10_000_000;
-      let estimatedTasks = 0;
-      for (const atk of campaignAttacks) {
-        const keyspace = Number.parseInt(atk.keyspace ?? '0', 10);
-        estimatedTasks += keyspace <= 0 ? 1 : Math.ceil(keyspace / CHUNK_SIZE);
-      }
+      const strategy = resolveGenerationStrategy(campaignAttacks);
 
-      if (estimatedTasks <= INLINE_GENERATION_THRESHOLD) {
+      if (strategy === 'inline') {
         // Generate inline in parallel — small enough to not block the request meaningfully
-        const { generateTasksForAttack } = await import('./tasks.js');
+        const { generateTasksForAttack } = await _deps.getTasksModule();
         await Promise.all(campaignAttacks.map((atk) => generateTasksForAttack(atk.id)));
       } else {
         // Enqueue to the dedicated task-generation job queue
-        const { getQueueManager } = await import('../queue/context.js');
-        const { QUEUE_NAMES } = await import('../config/queue.js');
-        const { JOB_PRIORITY } = await import('../queue/types.js');
+        const { getQueueManager } = await _deps.getQueueContext();
+        const { QUEUE_NAMES } = await _deps.getQueueConfig();
+        const { JOB_PRIORITY } = await _deps.getQueueTypes();
         const qm = getQueueManager();
         if (qm) {
           const priorityMap: Record<number, number> = {

packages/backend/src/services/tasks.ts

@@ -1,5 +1,5 @@
 import { agents, attacks, campaigns, hashItems, tasks } from '@hashhive/shared';
-import { and, desc, eq, isNull, sql } from 'drizzle-orm';
+import { and, desc, eq, type SQL, sql } from 'drizzle-orm';
 import { db } from '../db/index.js';
 import { updateCampaignProgress } from './campaigns.js';
 import { emitCrackResult, emitTaskUpdate } from './events.js';
@@ -88,45 +88,47 @@ export async function generateTasksForAttack(
 // ─── Task Assignment ────────────────────────────────────────────────
 
 /**
- * Checks whether an agent's capabilities satisfy a task's required capabilities.
- * Uses JSON containment logic: agent caps must include all required keys/values.
+ * Builds a SQL predicate that checks whether the agent's capabilities satisfy
+ * a task's required_capabilities column at the database level.
+ *
+ * Covers:
+ * - GPU requirement: task requires `gpu: true` → agent capabilities must contain `{"gpu": true}`
+ * - Hash mode compatibility: task's `hashcatMode` value must be in agent's `hashModes` array
  */
-function agentMatchesCapabilities(
-  agentCaps: Record<string, unknown>,
-  requiredCaps: Record<string, unknown>
-): boolean {
-  for (const [key, requiredValue] of Object.entries(requiredCaps)) {
-    const agentValue = agentCaps[key];
-
-    // Boolean requirements: agent must have the capability set to true
-    if (requiredValue === true && agentValue !== true) {
-      return false;
-    }
-
-    // Non-boolean values: exact match or array containment
-    if (typeof requiredValue !== 'boolean') {
-      // hashcatMode required by task → check against agent's hashModes array
-      if (key === 'hashcatMode' && Array.isArray(agentCaps['hashModes'])) {
-        if (!agentCaps['hashModes'].includes(requiredValue)) {
-          return false;
-        }
-      } else if (Array.isArray(agentValue)) {
-        // Generic array containment: agent array must include required value
-        if (!agentValue.includes(requiredValue)) {
-          return false;
-        }
-      } else if (agentValue !== requiredValue) {
-        return false;
-      }
-    }
-  }
-  return true;
+function buildCapabilityPredicate(agentCaps: Record<string, unknown>): SQL {
+  const hasGpu = agentCaps['gpu'] === true;
+  const rawHashModes = Array.isArray(agentCaps['hashModes']) ? agentCaps['hashModes'] : [];
+  // Sanitize to finite integers only — NaN, Infinity, non-numeric strings are dropped
+  const hashModes = rawHashModes
+    .map((m: unknown) => Number(m))
+    .filter((n): n is number => Number.isFinite(n) && Number.isInteger(n));
+
+  // GPU check: if the task requires GPU, the agent must have it.
+  // If the agent has GPU, this is always satisfied. If not, exclude GPU-requiring tasks.
+  const gpuCondition = hasGpu
+    ? sql`TRUE`
+    : sql`NOT (${tasks.requiredCapabilities}->>'gpu' = 'true')`;
+
+  // Hash mode check: the task's required hashcatMode must be in the agent's hashModes array.
+  // If agent advertises no hashModes (or all were invalid), only tasks without a hashcatMode requirement pass.
+  const hashModeCondition =
+    hashModes.length > 0
+      ? sql`(
+          ${tasks.requiredCapabilities}->>'hashcatMode' IS NULL
+          OR (${tasks.requiredCapabilities}->>'hashcatMode')::int = ANY(${hashModes}::int[])
+        )`
+      : sql`(${tasks.requiredCapabilities}->>'hashcatMode' IS NULL)`;
+
+  return sql`(${gpuCondition} AND ${hashModeCondition})`;
 }
 
 /**
  * Assigns the next available pending task to an agent.
- * Filters by project scope and capability predicate.
- * Uses SELECT ... FOR UPDATE SKIP LOCKED for safe concurrent assignment.
+ *
+ * All eligibility filters (project scope, capability match) are enforced
+ * in the SQL predicate. Uses `FOR UPDATE SKIP LOCKED` to guarantee only
+ * one claimant atomically selects and claims a task row, even under
+ * concurrent access from multiple agents.
  */
 export async function assignNextTask(agentId: number) {
   // Verify agent exists and is online
@@ -137,47 +139,57 @@ export async function assignNextTask(agentId: number) {
 
   const projectId = agent.projectId;
   const agentCaps = (agent.capabilities ?? {}) as Record<string, unknown>;
-
-  // Find and claim a pending task atomically using a transaction
-  const result = await db.transaction(async (tx) => {
-    // Find pending tasks for campaigns in this agent's project
-    const pendingTasks = await tx
-      .select()
-      .from(tasks)
-      .where(and(eq(tasks.status, 'pending'), isNull(tasks.agentId)))
-      .innerJoin(
-        campaigns,
-        and(eq(tasks.campaignId, campaigns.id), eq(campaigns.projectId, projectId))
-      )
-      .orderBy(campaigns.priority, tasks.id)
-      .limit(10);
-
-    // Find first task whose required capabilities the agent satisfies
-    const matchingTask = pendingTasks.find((row) => {
-      const requiredCaps = (row.tasks.requiredCapabilities ?? {}) as Record<string, unknown>;
-      return agentMatchesCapabilities(agentCaps, requiredCaps);
-    });
-
-    if (!matchingTask) {
-      return null;
-    }
-
-    // Claim the task
-    const [assigned] = await tx
-      .update(tasks)
-      .set({
-        agentId,
-        status: 'assigned',
-        assignedAt: new Date(),
-        updatedAt: new Date(),
-      })
-      .where(and(eq(tasks.id, matchingTask.tasks.id), eq(tasks.status, 'pending')))
-      .returning();
-
-    return assigned ?? null;
-  });
-
-  return result;
+  const capabilityPredicate = buildCapabilityPredicate(agentCaps);
+
+  // Atomic candidate selection + claim via raw SQL with FOR UPDATE SKIP LOCKED
+  const result = await db.execute(sql`
+    WITH candidate AS (
+      SELECT ${tasks.id} AS task_id
+      FROM ${tasks}
+      INNER JOIN ${campaigns} ON ${tasks.campaignId} = ${campaigns.id}
+      WHERE ${tasks.status} = 'pending'
+        AND ${tasks.agentId} IS NULL
+        AND ${campaigns.projectId} = ${projectId}
+        AND ${capabilityPredicate}
+      ORDER BY ${campaigns.priority}, ${tasks.id}
+      LIMIT 1
+      FOR UPDATE OF ${tasks} SKIP LOCKED
+    )
+    UPDATE ${tasks}
+    SET
+      agent_id = ${agentId},
+      status = 'assigned',
+      assigned_at = NOW(),
+      updated_at = NOW()
+    FROM candidate
+    WHERE ${tasks.id} = candidate.task_id
+    RETURNING ${tasks.id}, ${tasks.attackId}, ${tasks.campaignId}, ${tasks.agentId},
+              ${tasks.status}, ${tasks.workRange}, ${tasks.progress}, ${tasks.resultStats},
+              ${tasks.requiredCapabilities}, ${tasks.assignedAt}, ${tasks.startedAt},
+              ${tasks.completedAt}, ${tasks.failureReason}, ${tasks.createdAt}, ${tasks.updatedAt}
+  `);
+
+  const row = result[0] as Record<string, unknown> | undefined;
+  if (!row) return null;
+
+  // Map snake_case DB columns back to camelCase to preserve the public API contract
+  return {
+    id: row['id'],
+    attackId: row['attack_id'],
+    campaignId: row['campaign_id'],
+    agentId: row['agent_id'],
+    status: row['status'],
+    workRange: row['work_range'],
+    progress: row['progress'],
+    resultStats: row['result_stats'],
+    requiredCapabilities: row['required_capabilities'],
+    assignedAt: row['assigned_at'],
+    startedAt: row['started_at'],
+    completedAt: row['completed_at'],
+    failureReason: row['failure_reason'],
+    createdAt: row['created_at'],
+    updatedAt: row['updated_at'],
+  };
 }
 
 // ─── Task Progress & Results ────────────────────────────────────────