Files
wehub-resource-sync b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:23:53 +08:00
..

@emdash-cms/marketplace

Standalone Cloudflare Worker that hosts the EmDash plugin marketplace — discovery, publishing, and moderation.

Development

pnpm dev        # starts wrangler dev server on :8787
pnpm test       # runs vitest

Requires an AI binding (wrangler.jsonc has it configured). Code and image audits run on Workers AI.

Manual audit testing

The /api/v1/dev/audit endpoint (localhost only) runs the code + image audit pipeline without auth or DB writes. Use it to evaluate AI model accuracy against the fixture corpus.

Using the test script

# Run a single fixture
tests/fixtures/audit/test-audit.sh tests/fixtures/audit/prompt-injection

# Against a different host
tests/fixtures/audit/test-audit.sh tests/fixtures/audit/data-exfiltration http://localhost:8787

The script tars the fixture directory and POSTs it as a multipart bundle. Output is the raw audit JSON.

Using curl directly

Tarball mode (full bundle with manifest, code, and images):

tar -czf /tmp/bundle.tar.gz -C tests/fixtures/audit/crypto-miner .
curl -s -X POST http://localhost:8787/api/v1/dev/audit -F "bundle=@/tmp/bundle.tar.gz" | jq

JSON mode (code only, no manifest required):

curl -s -X POST http://localhost:8787/api/v1/dev/audit \
  -H "Content-Type: application/json" \
  -d '{"backendCode": "const x = eval(\"1+1\");"}' | jq

Running all fixtures

for d in tests/fixtures/audit/*/; do
  echo "=== $(basename "$d") ==="
  tests/fixtures/audit/test-audit.sh "$d"
  echo
done

Compare the verdict and riskScore in each response against the fixture's expected.json to evaluate model accuracy.

Fixture format

Each fixture in tests/fixtures/audit/ is a directory containing:

File Required Purpose
manifest.json yes Plugin manifest
backend.js yes Backend code (primary audit target)
admin.js no Admin UI code
icon.png no Plugin icon (triggers image audit)
screenshots/*.png no Screenshots (trigger image audit)
expected.json yes Expected verdict, score, categories

expected.json shape:

{
  "verdict": "pass" | "warn" | "fail",
  "minRiskScore": 50,
  "maxRiskScore": 10,
  "categories": ["data-exfiltration", "obfuscation"]
}

minRiskScore and maxRiskScore are optional bounds. categories lists the finding categories the model should detect.