fix: API size limits, decompression guard, lint CI step

- Add per-line (10k chars) and total (80k chars) text size limits to /api/align POST and GET
- Add 2 MB decompression bomb guard in inflateBase64url (codec.ts)
- Derive palette validation from PALETTES constant instead of duplicating the set
- Add typecheck (npm run check) and lint (npm run lint) steps to CI
- Run prettier --write across all files to fix pre-existing formatting
- Fix all 12 pre-existing ESLint errors: unused import, useless mustaches, missing
  each-block keys, bare expression (void tipPortalEl), preserve-caught-error
- Configure svelte/no-navigation-without-resolve with ignoreLinks: true

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: dani-polani

.github/workflows/test.yml

@@ -24,4 +24,8 @@ jobs:
 
       - run: npm run audit:ci
 
+      - run: npm run check
+
+      - run: npm run lint
+
       - run: npm test

bitext/eslint.config.js

@@ -36,6 +36,9 @@ export default defineConfig(
 	{
 		// Override or add rule settings here, such as:
 		// 'svelte/button-has-type': 'error'
-		rules: {}
+		rules: {
+			// <a href> tags don't need resolve() — only goto()/pushState()/replaceState() do.
+			'svelte/no-navigation-without-resolve': ['error', { ignoreLinks: true }]
+		}
 	}
 );

bitext/scripts/README.md

@@ -35,17 +35,17 @@ The script starts `vite preview` on port **4173** (override with `PREVIEW_PORT`)
 
 ## Environment variables
 
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `OBJECT_STORAGE_ACCESS_KEY` | yes | S3-compatible access key |
-| `OBJECT_STORAGE_SECRET_KEY` | yes | Secret key |
-| `OBJECT_STORAGE_BUCKET_NAME` | yes | Bucket name |
-| `OBJECT_STORAGE_ORIGIN_ENDPOINT` | yes | S3 API origin (upload only), e.g. `fra1.digitaloceanspaces.com` |
-| `OBJECT_STORAGE_CDN_ENDPOINT` | yes* | CDN host for **site** `<img>` / OG URLs, e.g. `fra1.cdn.digitaloceanspaces.com` |
-| `OBJECT_STORAGE_PREFIX` | no | Object key prefix, default `examples` |
-| `OBJECT_STORAGE_PUBLIC_BASE` | no | Override full public CDN base URL (no trailing slash) |
-| `PREVIEW_URL` | no | If set, skip starting `vite preview` (use existing server) |
-| `PREVIEW_PORT` | no | Default `4173` when script starts preview |
+| Variable                         | Required | Description                                                                     |
+| -------------------------------- | -------- | ------------------------------------------------------------------------------- |
+| `OBJECT_STORAGE_ACCESS_KEY`      | yes      | S3-compatible access key                                                        |
+| `OBJECT_STORAGE_SECRET_KEY`      | yes      | Secret key                                                                      |
+| `OBJECT_STORAGE_BUCKET_NAME`     | yes      | Bucket name                                                                     |
+| `OBJECT_STORAGE_ORIGIN_ENDPOINT` | yes      | S3 API origin (upload only), e.g. `fra1.digitaloceanspaces.com`                 |
+| `OBJECT_STORAGE_CDN_ENDPOINT`    | yes\*    | CDN host for **site** `<img>` / OG URLs, e.g. `fra1.cdn.digitaloceanspaces.com` |
+| `OBJECT_STORAGE_PREFIX`          | no       | Object key prefix, default `examples`                                           |
+| `OBJECT_STORAGE_PUBLIC_BASE`     | no       | Override full public CDN base URL (no trailing slash)                           |
+| `PREVIEW_URL`                    | no       | If set, skip starting `vite preview` (use existing server)                      |
+| `PREVIEW_PORT`                   | no       | Default `4173` when script starts preview                                       |
 
 \* Not required if `OBJECT_STORAGE_PUBLIC_BASE` is set.
 
@@ -55,12 +55,12 @@ Upload sets **`ACL: public-read`** on each object (per-file, not bucket-wide). T
 
 Objects use `Cache-Control: immutable`, so the CDN keeps old PNGs until purged. After upload, the script can call the [DigitalOcean CDN purge API](https://docs.digitalocean.com/products/spaces/how-to/manage-cdn-cache/) when a **Personal Access Token** is set (this is **not** the Spaces S3 access key):
 
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `DIGITALOCEAN_API_TOKEN` or `DO_API_TOKEN` | for purge | DO control-plane PAT |
-| `DO_CDN_ENDPOINT_ID` | no | CDN endpoint UUID; auto-resolved from bucket + origin if omitted |
-| `OBJECT_STORAGE_CDN_PURGE` | no | Set to `0` to skip purge |
-| `OBJECT_STORAGE_CDN_PURGE_PATHS` | no | Comma-separated paths, default `examples/*` |
+| Variable                                   | Required  | Description                                                      |
+| ------------------------------------------ | --------- | ---------------------------------------------------------------- |
+| `DIGITALOCEAN_API_TOKEN` or `DO_API_TOKEN` | for purge | DO control-plane PAT                                             |
+| `DO_CDN_ENDPOINT_ID`                       | no        | CDN endpoint UUID; auto-resolved from bucket + origin if omitted |
+| `OBJECT_STORAGE_CDN_PURGE`                 | no        | Set to `0` to skip purge                                         |
+| `OBJECT_STORAGE_CDN_PURGE_PATHS`           | no        | Comma-separated paths, default `examples/*`                      |
 
 Without a token, upload still succeeds; purge manually in the DO control panel as today.
 

bitext/scripts/purge-do-cdn.ts

@@ -81,8 +81,6 @@ export async function purgeDigitalOceanCdnCache(
 
 export function digitalOceanApiTokenFromEnv(): string | undefined {
 	return (
-		process.env.DIGITALOCEAN_API_TOKEN?.trim() ||
-		process.env.DO_API_TOKEN?.trim() ||
-		undefined
+		process.env.DIGITALOCEAN_API_TOKEN?.trim() || process.env.DO_API_TOKEN?.trim() || undefined
 	);
 }

bitext/scripts/render-example-previews.ts

@@ -38,16 +38,7 @@ function startPreview(): ChildProcess {
 	// detached → own process group so we can SIGTERM the whole tree on exit
 	return spawn(
 		'npm',
-		[
-			'run',
-			'preview',
-			'--',
-			'--port',
-			String(PREVIEW_PORT),
-			'--host',
-			'127.0.0.1',
-			'--strictPort'
-		],
+		['run', 'preview', '--', '--port', String(PREVIEW_PORT), '--host', '127.0.0.1', '--strictPort'],
 		{
 			cwd: BITEXT_ROOT,
 			stdio: ['ignore', 'pipe', 'pipe'],
@@ -85,7 +76,11 @@ async function stopPreview(proc: ChildProcess, port: number): Promise<void> {
 }
 
 /** Wait until Vite prints its Local URL — fetch alone is not enough (stale/zombie listeners). */
-function waitForPreviewProcess(proc: ChildProcess, url: string, timeoutMs = 120_000): Promise<void> {
+function waitForPreviewProcess(
+	proc: ChildProcess,
+	url: string,
+	timeoutMs = 120_000
+): Promise<void> {
 	return new Promise((resolve, reject) => {
 		const timer = setTimeout(
 			() => reject(new Error(`Preview process did not become ready within ${timeoutMs}ms`)),
@@ -209,7 +204,8 @@ async function main(): Promise<void> {
 						() => document.documentElement.dataset.exampleRenderReady ?? '(unset)'
 					);
 					throw new Error(
-						`Layout not ready for ${slug} (title=${JSON.stringify(title)}, ready=${ready}): ${err}`
+						`Layout not ready for ${slug} (title=${JSON.stringify(title)}, ready=${ready})`,
+						{ cause: err }
 					);
 				}
 				const target = page.locator('[data-example-render-target] .preview-frame');

bitext/scripts/upload-example-previews.ts

@@ -128,9 +128,9 @@ async function main(): Promise<void> {
 		const cdnId =
 			process.env.DO_CDN_ENDPOINT_ID?.trim() ||
 			(await resolveDigitalOceanCdnEndpointId(doToken, bucket, endpoint));
-		const purgePaths =
-			process.env.OBJECT_STORAGE_CDN_PURGE_PATHS?.trim().split(/\s*,\s*/).filter(Boolean) ??
-			[`${prefix}/*`];
+		const purgePaths = process.env.OBJECT_STORAGE_CDN_PURGE_PATHS?.trim()
+			.split(/\s*,\s*/)
+			.filter(Boolean) ?? [`${prefix}/*`];
 		console.log('');
 		console.log(`Purging CDN cache (endpoint ${cdnId}) …`);
 		console.log(`  paths: ${purgePaths.join(', ')}`);

bitext/src/lib/analytics/affiliate-link-tracking.ts

@@ -15,10 +15,7 @@ function onDocumentClickCapture(e: MouseEvent): void {
 	const g = (window as Window & { gtag?: (...args: unknown[]) => void }).gtag;
 	if (typeof g !== 'function') return;
 
-	const linkText = (el.textContent ?? '')
-		.trim()
-		.replace(/\s+/g, ' ')
-		.slice(0, 120);
+	const linkText = (el.textContent ?? '').trim().replace(/\s+/g, ' ').slice(0, 120);
 
 	g('event', EVENT_NAME, {
 		partner: el.dataset.partner ?? '',

bitext/src/lib/api/align.test.ts

@@ -25,12 +25,16 @@ describe('parseAlignBody', () => {
 	});
 
 	it('rejects more than 8 lines', () => {
-		expect(parseAlignBody({ lines: Array(9).fill('x') })).toMatchObject({ err: expect.any(String) });
+		expect(parseAlignBody({ lines: Array(9).fill('x') })).toMatchObject({
+			err: expect.any(String)
+		});
 	});
 
 	it('accepts string lines without alignments (backward compat)', () => {
 		const result = parseAlignBody({ lines: ['Hello', 'Bonjour'] });
-		expect(result).toMatchObject({ ok: { lines: [{ text: 'Hello' }, { text: 'Bonjour' }], alignments: [] } });
+		expect(result).toMatchObject({
+			ok: { lines: [{ text: 'Hello' }, { text: 'Bonjour' }], alignments: [] }
+		});
 	});
 
 	it('accepts string lines with alignments', () => {
@@ -48,7 +52,9 @@ describe('parseAlignBody', () => {
 	});
 
 	it('rejects object line missing text', () => {
-		expect(parseAlignBody({ lines: [{ font: 'Noto Serif' }] })).toMatchObject({ err: expect.any(String) });
+		expect(parseAlignBody({ lines: [{ font: 'Noto Serif' }] })).toMatchObject({
+			err: expect.any(String)
+		});
 	});
 
 	it('rejects alignment tuples that are not length-4 integer arrays', () => {
@@ -204,9 +210,9 @@ describe('buildAlignUrl', () => {
 	});
 
 	it('rejects invalid tokenMergeChar (more than one character)', () => {
-		expect(
-			parseAlignBody({ lines: ['a', 'b'], settings: { tokenMergeChar: '++' } })
-		).toMatchObject({ err: expect.stringContaining('tokenMergeChar') });
+		expect(parseAlignBody({ lines: ['a', 'b'], settings: { tokenMergeChar: '++' } })).toMatchObject(
+			{ err: expect.stringContaining('tokenMergeChar') }
+		);
 	});
 
 	it('applies per-line options (font, sizePx, rtl)', () => {
@@ -252,9 +258,9 @@ describe('buildAlignUrl', () => {
 	});
 
 	it('rejects line index out of range', () => {
-		expect(
-			buildAlignUrl(ORIGIN, { lines: ['a', 'b'], alignments: [[0, 0, 5, 0]] })
-		).toMatchObject({ err: expect.stringContaining('lineB=5') });
+		expect(buildAlignUrl(ORIGIN, { lines: ['a', 'b'], alignments: [[0, 0, 5, 0]] })).toMatchObject({
+			err: expect.stringContaining('lineB=5')
+		});
 	});
 
 	it('rejects non-adjacent lines', () => {

bitext/src/lib/api/align.ts

@@ -1,6 +1,10 @@
 import { encodeState } from '$lib/serialization/encode.js';
 import { tokenize, tokenizeOptionsFromVisualSettings } from '$lib/domain/tokens.js';
-import { createConnectionId, pendingAlignmentColor, type Connection } from '$lib/domain/alignment.js';
+import {
+	createConnectionId,
+	pendingAlignmentColor,
+	type Connection
+} from '$lib/domain/alignment.js';
 import {
 	defaultVisualSettingsV2,
 	SCHEMA_VERSION,
@@ -10,10 +14,12 @@ import {
 	type PairControlV2,
 	type VisualSettingsV2
 } from '$lib/serialization/schema.js';
+import { PALETTES } from '$lib/domain/palettes.js';
 
 const DEFAULT_FONT_FAMILY = 'Inter';
 const DEFAULT_TEXT_SIZE_PX = 36;
 const DEFAULT_WORD_GAP_PX = 14;
+const MAX_LINE_TEXT_LENGTH = 10_000;
 
 export type AlignmentTuple = [number, number, number, number];
 
@@ -84,11 +90,21 @@ export type AlignResult = { url: string } | { err: string };
 // ── Validation helpers ────────────────────────────────────────────────────────
 
 function parseLineEntry(val: unknown, idx: number): LineInput | { err: string } {
-	if (typeof val === 'string') return { text: val };
+	if (typeof val === 'string') {
+		if (val.length > MAX_LINE_TEXT_LENGTH)
+			return {
+				err: `lines[${idx}] text exceeds maximum length of ${MAX_LINE_TEXT_LENGTH} characters`
+			};
+		return { text: val };
+	}
 	if (!val || typeof val !== 'object') return { err: `lines[${idx}] must be a string or object` };
 	const v = val as Record<string, unknown>;
 	if (typeof v.text !== 'string' || v.text === '')
 		return { err: `lines[${idx}].text must be a non-empty string` };
+	if (v.text.length > MAX_LINE_TEXT_LENGTH)
+		return {
+			err: `lines[${idx}].text exceeds maximum length of ${MAX_LINE_TEXT_LENGTH} characters`
+		};
 	if (v.font !== undefined && typeof v.font !== 'string')
 		return { err: `lines[${idx}].font must be a string` };
 	if (v.sizePx !== undefined && (typeof v.sizePx !== 'number' || !Number.isFinite(v.sizePx)))
@@ -110,30 +126,38 @@ function parseSettingsInput(val: unknown): { ok: SettingsInput } | { err: string
 	if (!val || typeof val !== 'object') return { err: '"settings" must be an object' };
 	const v = val as Record<string, unknown>;
 
-	const PALETTES = new Set(['pastel', 'vivid', 'academic']);
+	const PALETTE_NAMES = new Set(Object.keys(PALETTES));
 	const STYLES = new Set(['straight', 'curved']);
-	const THEMES = new Set(['light', 'dark']);
-	const BKGS = new Set(['light', 'dark']);
+	const THEMES_AND_BKGS = new Set(['light', 'dark']);
 
-	if (v.palette !== undefined && !PALETTES.has(v.palette as string))
-		return { err: `settings.palette must be one of: ${[...PALETTES].join(', ')}` };
+	if (v.palette !== undefined && !PALETTE_NAMES.has(v.palette as string))
+		return { err: `settings.palette must be one of: ${[...PALETTE_NAMES].join(', ')}` };
 	if (v.lineStyle !== undefined && !STYLES.has(v.lineStyle as string))
 		return { err: `settings.lineStyle must be one of: ${[...STYLES].join(', ')}` };
-	if (v.theme !== undefined && !THEMES.has(v.theme as string))
-		return { err: `settings.theme must be one of: ${[...THEMES].join(', ')}` };
-	if (v.background !== undefined && !BKGS.has(v.background as string))
-		return { err: `settings.background must be one of: ${[...BKGS].join(', ')}` };
-	if (v.lineThickness !== undefined && (typeof v.lineThickness !== 'number' || !Number.isFinite(v.lineThickness)))
+	if (v.theme !== undefined && !THEMES_AND_BKGS.has(v.theme as string))
+		return { err: `settings.theme must be one of: ${[...THEMES_AND_BKGS].join(', ')}` };
+	if (v.background !== undefined && !THEMES_AND_BKGS.has(v.background as string))
+		return { err: `settings.background must be one of: ${[...THEMES_AND_BKGS].join(', ')}` };
+	if (
+		v.lineThickness !== undefined &&
+		(typeof v.lineThickness !== 'number' || !Number.isFinite(v.lineThickness))
+	)
 		return { err: 'settings.lineThickness must be a number' };
-	if (v.lineOpacity !== undefined && (typeof v.lineOpacity !== 'number' || !Number.isFinite(v.lineOpacity)))
+	if (
+		v.lineOpacity !== undefined &&
+		(typeof v.lineOpacity !== 'number' || !Number.isFinite(v.lineOpacity))
+	)
 		return { err: 'settings.lineOpacity must be a number' };
 	if (v.showNumbers !== undefined && typeof v.showNumbers !== 'boolean')
 		return { err: 'settings.showNumbers must be a boolean' };
 	if (v.colorTokensByLink !== undefined && typeof v.colorTokensByLink !== 'boolean')
 		return { err: 'settings.colorTokensByLink must be a boolean' };
 	if (v.tokenSplitChars !== undefined && typeof v.tokenSplitChars !== 'string')
 		return { err: 'settings.tokenSplitChars must be a string' };
-	if (v.tokenMergeChar !== undefined && (typeof v.tokenMergeChar !== 'string' || v.tokenMergeChar.length > 1))
+	if (
+		v.tokenMergeChar !== undefined &&
+		(typeof v.tokenMergeChar !== 'string' || v.tokenMergeChar.length > 1)
+	)
 		return { err: 'settings.tokenMergeChar must be a single character' };
 
 	return {
@@ -164,7 +188,10 @@ function parsePairsInput(val: unknown, lineCount: number): { ok: PairInput[] } |
 		const upper = pv.upper as number;
 		const lower = pv.lower as number;
 		if (upper < 0 || upper >= lineCount) return { err: `pairs[${i}].upper=${upper} out of range` };
-		if (lower !== upper + 1) return { err: `pairs[${i}]: lower must equal upper + 1 (got upper=${upper}, lower=${lower})` };
+		if (lower !== upper + 1)
+			return {
+				err: `pairs[${i}]: lower must equal upper + 1 (got upper=${upper}, lower=${lower})`
+			};
 		if (pv.gapPx !== undefined && (typeof pv.gapPx !== 'number' || !Number.isFinite(pv.gapPx)))
 			return { err: `pairs[${i}].gapPx must be a number` };
 		if (pv.showConnectors !== undefined && typeof pv.showConnectors !== 'boolean')
@@ -234,9 +261,7 @@ export function buildAlignUrl(origin: string, req: AlignRequest): AlignResult {
 	const visualSettings: VisualSettingsV2 = {
 		...defaults,
 		...(req.settings
-			? Object.fromEntries(
-					Object.entries(req.settings).filter(([, v]) => v !== undefined)
-				)
+			? Object.fromEntries(Object.entries(req.settings).filter(([, v]) => v !== undefined))
 			: {})
 	};
 	// Clamp numeric settings to valid ranges
@@ -294,7 +319,12 @@ export function buildAlignUrl(origin: string, req: AlignRequest): AlignResult {
 
 		const upperTokenId = upperTokens[upperWordIdx]!.id;
 		const lowerTokenId = lowerTokens[lowerWordIdx]!.id;
-		const color = pendingAlignmentColor(connections, [upperTokenId], [lowerTokenId], visualSettings.palette);
+		const color = pendingAlignmentColor(
+			connections,
+			[upperTokenId],
+			[lowerTokenId],
+			visualSettings.palette
+		);
 		connections.push({ id: createConnectionId(), upperTokenId, lowerTokenId, color });
 	}
 

bitext/src/lib/components/editor/Editor.svelte

@@ -49,9 +49,7 @@
 			<p
 				class="m-0 max-w-full text-right text-sm leading-snug text-gray-600 dark:text-gray-400 [&>span]:mr-1 [&>span]:last:mr-0"
 			>
-				<span
-					class="inline md:hidden [&>span]:mr-1 [&>span]:inline [&>span]:last:mr-0"
-				>
+				<span class="inline md:hidden [&>span]:mr-1 [&>span]:inline [&>span]:last:mr-0">
 					<span class="sr-only">Whitespace splits words.</span>
 					<span
 						>Split: <code class="{chipClass} max-w-[min(100vw-4rem,24rem)] break-all"
@@ -65,9 +63,7 @@
 						></span
 					>
 				</span>
-				<span
-					class="hidden md:inline [&>span]:mr-1 [&>span]:inline [&>span]:last:mr-0"
-				>
+				<span class="hidden md:inline [&>span]:mr-1 [&>span]:inline [&>span]:last:mr-0">
 					<span>Whitespace splits words.</span>
 					<span>Extra split: <code class={chipClass}>{tok.extraSplitChars}</code>.</span>
 					<span>Join: <code class={chipClass}>{tok.joinChars}</code>.</span>