Resolve #330: interactive MistDemo (web toggle + native app refresh)

[leogdion]

Summary

Closes out the full #330 plan on the umbrella branch 330-interactive-mistdemo. All six sub-issues land here.

Phase 1 — Foundation refactors

• Refactor MistDemo auth-token server (Hummingbird scaffolding) #288 — extract AuthTokenServer + LoopbackAuthority from AuthTokenCommand. Routes move to a reusable server type; loopback validation moves to a standalone helper. New tests: 26-case parameterized validator coverage + 4 router-level smoke tests via HummingbirdTesting. (b20cc09)
• Refactor MistDemo auth-token inlined HTML/JS #289 — fold four AuthTokenIndexHTML*.swift raw-string constants into a single Resources/auth-token-index.html resource; AuthTokenIndexHTML becomes a thin Bundle.module loader. (10ce538)

Phase 2 — Web CRUD + comparison

• Add CRUD web interface via Hummingbird #274 — new mistdemo web command with Hummingbird CRUD routes (/api/records/{query,create,update,delete,lookup}), WebAuthTokenStore actor, and an index.html resource. Top-level mode toggle scaffolded; CloudKit JS side stubbed until Integrate CloudKit JS into MistDemo web for MistKit-vs-CloudKit-JS comparison #329. (62c7b6c, PR Resolve #274: mistdemo web command with Hummingbird CRUD routes #333)
• Integrate CloudKit JS into MistDemo web for MistKit-vs-CloudKit-JS comparison #329 — wire the CloudKit JS alternate backend behind the mode toggle, sharing ckWebAuthToken with the MistKit side. (1e8b907, PR Resolve #329: CloudKit JS alternate backend + browser-flag defaults #335)

Phase 3 — Database selection

• Add public database interface to MistDemoApp and web #275 — public/private database picker.
  • Web side: mode + DB combine into four auth profiles (MistKit/JS × public/private). (bad7b1e, PR Resolve #275 (web side): public/private database picker #337)
  • App side: CloudKitStore.databaseScope + AccountView picker, absorbed by Replace NativeCloudKitService with CloudKit framework in MistDemoApp #328 as planned. (6be4939)

Phase 4 — Native app rework

• Replace NativeCloudKitService with CloudKit framework in MistDemoApp #328 — replace MistKit-backed NativeCloudKitService with a CKRecord-first, @Observable CloudKitStore using CKContainer / CKDatabase directly. Public/private scope toggle ships with it. (6be4939, PR Resolve #328: MistDemoApp CloudKit refresh (CKRecord-first, @Observable) #339)

Adjacent polish that rode along

• WebUI table+form rework, system-metadata timestamps, sortable Created/Modified columns (31a4168, PR WebUI: table+form rework, system-metadata timestamps, sortable Created/Modified #336)
• Per-call PublicAuthPreference encoded in Database (c891d2f, PR Resolve #338: per-call PublicAuthPreference encoded in Database #340, MistKit + Public signing: S2S vs web-auth identity attribution #338) — supports the public-DB story in MistKit itself

Test plan

• swift build clean on the branch
• swift test — full suite green at each sub-PR merge
• ./Scripts/lint.sh — clean
• CI green on this PR
• Manual smoke: mistdemo web against a real container, exercise both MistKit and CloudKit JS toggles on public and private DBs
• Manual smoke: MistDemoApp on iOS — confirm public/private picker behaves

Resolves #288
Resolves #289
Resolves #274
Resolves #329
Resolves #275
Resolves #328
Resolves #330

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d51650b3-a2cb-4226-9167-e20e71c08436

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 330-interactive-mistdemo

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 73.75887% with 333 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.53%. Comparing base (a28ab3c) to head (6be4939).

Files with missing lines	Patch %	Lines
...Demo/Sources/MistDemoKit/Commands/WebCommand.swift	0.00%	70 Missing ⚠️
.../Sources/MistDemoKit/Configuration/WebConfig.swift	0.00%	62 Missing ⚠️
...ources/MistDemoKit/Commands/AuthTokenCommand.swift	0.00%	47 Missing ⚠️
...stDemo/Sources/MistDemoKit/Server/WebBackend.swift	0.00%	34 Missing ⚠️
...Sources/MistDemoKit/Server/WebBackendFactory.swift	11.76%	15 Missing ⚠️
...ces/MistDemoKit/Commands/DemoInFilterCommand.swift	0.00%	11 Missing ⚠️
...ources/MistDemoKit/Commands/DemoErrorsRunner.swift	0.00%	8 Missing ⚠️
...rces/MistDemoKit/Commands/UploadAssetCommand.swift	0.00%	8 Missing ⚠️
...emoKit/Integration/Phases/ModifyRecordsPhase.swift	0.00%	5 Missing ⚠️
...ce/Extensions/CloudKitService+Classification.swift	28.57%	5 Missing ⚠️
... and 30 more

Additional details and impacted files

@@                Coverage Diff                @@
##           v1.0.0-beta.1     #332      +/-   ##
=================================================
+ Coverage          69.46%   70.53%   +1.06%     
=================================================
  Files                529      551      +22     
  Lines              14457    15426     +969     
=================================================
+ Hits               10042    10880     +838     
- Misses              4415     4546     +131     

Flag	Coverage Δ
mistdemo-spm-macos	60.04% <67.13%> (+1.40%)	⬆️
mistdemo-swift-6.2-jammy	60.03% <67.13%> (+1.38%)	⬆️
mistdemo-swift-6.2-noble	60.03% <67.13%> (+1.35%)	⬆️
mistdemo-swift-6.3-jammy	60.03% <67.13%> (+1.38%)	⬆️
mistdemo-swift-6.3-noble	60.03% <67.13%> (+1.38%)	⬆️
spm	52.58% <82.40%> (+0.90%)	⬆️
swift-6.1-jammy	52.41% <86.11%> (+0.73%)	⬆️
swift-6.1-noble	52.66% <82.40%> (+0.95%)	⬆️
swift-6.2-jammy	52.28% <82.40%> (+0.91%)	⬆️
swift-6.2-noble	52.69% <82.40%> (+1.38%)	⬆️
swift-6.3-jammy	52.47% <83.33%> (+1.16%)	⬆️
swift-6.3-noble	52.28% <82.40%> (+0.93%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[claude]

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

Project Overview

MistKit is a Swift Package for Server-Side and Command-Line Access to CloudKit Web Services. It targets cross-platform Swift (including Linux, WASI, and Windows) using modern Swift concurrency and code generated from Apple's CloudKit Web Services OpenAPI specification.

Key Project Context

• Purpose: Provides a Swift interface to CloudKit Web Services (REST API) rather than the CloudKit framework
• Target Platforms: Cross-platform including macOS, iOS, tvOS, watchOS, visionOS, Linux, WASI, and Windows
• Default Branch: main
• API Reference: The openapi.yaml file contains the OpenAPI 3.0.3 specification for Apple's CloudKit Web Services
• Code Generation: Generated client code lives in Sources/MistKit/Generated/ and is not committed

Development Commands

Swift Package Commands

# Build the package
swift build

# Run tests
swift test

# Run tests with coverage
swift test --enable-code-coverage

# Build for release
swift build -c release

# Clean build artifacts
swift package clean

# Update dependencies
swift package update

# Resolve package dependencies
swift package resolve

# Generate Xcode project (if needed)
swift package generate-xcodeproj

OpenAPI Code Generation

# Generate OpenAPI client code (run this after modifying openapi.yaml)
./Scripts/generate-openapi.sh

# Or manually with swift-openapi-generator
swift run swift-openapi-generator generate \
    --output-directory Sources/MistKit/Generated \
    --config openapi-generator-config.yaml \
    openapi.yaml

Development Workflow

# Run specific test
swift test --filter TestClassName.testMethodName

# Run tests in parallel
swift test --parallel

# Show test output
swift test --verbose

# Format + lint
# swift-format, swiftlint, periphery, and swift-openapi-generator are pinned
# in mise.toml — do NOT invoke them from PATH directly. Run them THROUGH mise:
mise exec -- swift-format -i -r Sources/ Tests/
mise exec -- swiftlint              # lint
mise exec -- swiftlint --fix        # auto-fix

# Or run the full lint pipeline (build + swiftlint + header.sh + periphery):
./Scripts/lint.sh

MistDemo Commands

# MistDemo is located in Examples/MistDemo and must be run from there
cd Examples/MistDemo

# Build MistDemo
swift build

# Run MistDemo commands
swift run mistdemo --help
swift run mistdemo auth-token
swift run mistdemo current-user
swift run mistdemo query
swift run mistdemo lookup
swift run mistdemo create
swift run mistdemo update
swift run mistdemo modify
swift run mistdemo delete
swift run mistdemo upload-asset
swift run mistdemo lookup-zones
swift run mistdemo fetch-changes
swift run mistdemo demo-in-filter
swift run mistdemo demo-errors
swift run mistdemo test-integration
swift run mistdemo test-private

# Run with specific configuration
swift run mistdemo --config-file ~/.mistdemo/config.json query

Architecture Considerations

FieldValue Type Architecture

MistKit uses separate types for requests and responses at the OpenAPI schema level to accurately model CloudKit's asymmetric API behavior:

Type Layers:

1. Domain Layer: FieldValue enum - Pure Swift types, no API metadata (Sources/MistKit/FieldValue.swift)
2. API Request Layer: FieldValueRequest - No type field, CloudKit infers type from value structure
3. API Response Layer: FieldValueResponse - Optional type field for explicit type information

Why Separate Request/Response Types?

• CloudKit API has asymmetric behavior: requests omit type field, responses may include it
• OpenAPI schema accurately models this asymmetry (openapi.yaml:867-920)
• Swift code generation produces type-safe request/response types
• Compiler prevents accidentally using response types in requests
• Cleaner architecture without nil type values in conversion code

Generated Types:

• Components.Schemas.FieldValueRequest - Used for modify, create, filter operations
• Components.Schemas.FieldValueResponse - Used for query, lookup, changes responses
• Components.Schemas.RecordRequest - Records in request bodies
• Components.Schemas.RecordResponse - Records in response bodies

Conversion:

• Request conversion: Extensions/OpenAPI/Components+FieldValue.swift converts domain FieldValue → FieldValueRequest
• Response conversion: Service/FieldValue+Components.swift converts FieldValueResponse → domain FieldValue

Modern Swift Features to Utilize

• Swift Concurrency (async/await) for all network operations
• Structured concurrency with TaskGroup for parallel operations
• Actors for thread-safe state management
• Result builders for query construction
• Property wrappers for CloudKit field mapping

Package Structure

MistKit/
├── Sources/
│   └── MistKit/
│       ├── Generated/      # Auto-generated OpenAPI client code (not committed)
│       └── MistKitClient.swift  # Main client wrapper
├── Tests/
│   └── MistKitTests/
├── Scripts/
│   └── generate-openapi.sh # Script to generate OpenAPI code
├── openapi.yaml           # CloudKit Web Services OpenAPI specification
└── openapi-generator-config.yaml # Configuration for code generation

CloudKitService Operations

CloudKitService operations are split across focused extension files:

File	Operations
CloudKitService+Initialization.swift	initializer overloads (API token, web auth token, server-to-server)
CloudKitService+Operations.swift	queryRecords, queryAllRecords, lookupRecords
CloudKitService+WriteOperations.swift	modifyRecords, createRecord, updateRecord, deleteRecord
CloudKitService+ZoneOperations.swift	listZones, lookupZones(zoneIDs:), fetchZoneChanges(syncToken:)
CloudKitService+SyncOperations.swift	fetchRecordChanges(recordType:syncToken:), fetchAllRecordChanges(recordType:syncToken:)
CloudKitService+UserOperations.swift	fetchCaller(), discoverUserIdentities(lookupInfos:), discoverAllUserIdentities() (unavailable — pending #28), lookupUsersByEmail(_:), lookupUsersByRecordName(_:), fetchCurrentUser() (deprecated, forwards to fetchCaller)
CloudKitService+AssetOperations.swift	uploadAssets, requestAssetUploadURL
CloudKitService+AssetUpload.swift	uploadAssetData
CloudKitService+RecordManaging.swift	record-managing convenience surface
CloudKitService+Classification.swift	operation classification (batch sync result tracking)
CloudKitService+ErrorHandling.swift	error mapping helpers

Sync/Change Operations:

• fetchRecordChanges(recordType:syncToken:) → /records/changes — returns RecordChangesResult with records, syncToken, moreComing
• fetchAllRecordChanges(recordType:syncToken:) — convenience wrapper that auto-paginates using moreComing
• fetchZoneChanges(syncToken:) → /zones/changes — returns ZoneChangesResult
• lookupZones(zoneIDs:) → /zones/lookup — returns [ZoneInfo]
• discoverUserIdentities(lookupInfos:) → POST /users/discover — takes [UserIdentityLookupInfo], returns [UserIdentity]

User-Identity Operations (public DB + web-auth required):

• fetchCaller() → /users/caller — returns UserInfo. Replaces deprecated fetchCurrentUser() / users/current. Only valid against the public database with web-auth credentials.
• discoverAllUserIdentities() → GET /users/discover — returns [UserIdentity] for every discoverable user in the caller's address book.
• lookupUsersByEmail(_:) → POST /users/lookup/email — returns [UserIdentity].
• lookupUsersByRecordName(_:) → POST /users/lookup/id — returns [UserIdentity].

In MistDemo, integration runs targeting these endpoints use PhaseContext.userContextService (a public+web-auth CloudKitService) which is built from CLOUDKIT_API_TOKEN + CLOUDKIT_WEB_AUTH_TOKEN regardless of the primary --database selection. The DatabaseConfiguration / AuthenticationCredentials types in Examples/MistDemo/Sources/MistDemoKit/Configuration/ enforce valid database+auth combinations at construction time.

Result Types (Sources/MistKit/Service/):

• QueryResult — records: [RecordInfo], continuationMarker: String?
• RecordChangesResult — records: [RecordInfo], syncToken: String?, moreComing: Bool
• ZoneChangesResult — zones: [ZoneInfo], syncToken: String?, moreComing: Bool
• UserIdentity — userRecordName: String?, nameComponents: NameComponents?, lookupInfo: UserIdentityLookupInfo?
• UserIdentityLookupInfo — emailAddress: String?, phoneNumber: String?, userRecordName: String?
• NameComponents — full personal name parts (givenName, familyName, nickname, etc.)

Protocols:

• RecordTypeIterating (Sources/MistKit/Protocols/RecordTypeIterating.swift) — forEach(_ action:) to iterate over CloudKit record types; used by fetchAllRecordChanges

Key Design Principles

1. Protocol-Oriented: Define protocols for all major components (TokenManager, NetworkClient, etc.)
2. Dependency Injection: Use initializer injection for testability
3. Error Handling: Use typed errors conforming to LocalizedError
4. Sendable Compliance: Ensure all types are Sendable for concurrency safety

Logging

MistKit uses swift-log for cross-platform logging support, enabling usage on macOS, Linux, Windows, and other platforms.

Key Logging Components:

• MistKitLogger - Centralized logging infrastructure with subsystems for api, auth, and network
• Environment-based privacy control via MISTKIT_DISABLE_LOG_REDACTION environment variable
• SecureLogging utilities for token masking and safe message formatting
• Structured logging in LoggingMiddleware for HTTP request/response debugging (DEBUG builds only)

Logging Subsystems:

MistKitLogger.api      // CloudKit API operations
MistKitLogger.auth     // Authentication and token management
MistKitLogger.network  // Network operations

Helper Methods:

MistKitLogger.logError(_:logger:shouldRedact:)    // Error level
MistKitLogger.logWarning(_:logger:shouldRedact:)  // Warning level
MistKitLogger.logInfo(_:logger:shouldRedact:)     // Info level
MistKitLogger.logDebug(_:logger:shouldRedact:)    // Debug level

Privacy Controls:

• By default, logs use SecureLogging.safeLogMessage() to redact sensitive information
• Set MISTKIT_DISABLE_LOG_REDACTION=1 to disable redaction for debugging
• Tokens, keys, and secrets are automatically masked in logged messages

Asset Upload Transport Design

⚠️ CRITICAL WARNING: Transport Separation

When providing a custom AssetUploader implementation:

• NEVER use the CloudKit API transport (ClientTransport) for asset uploads
• MUST use a separate URLSession instance, NOT shared with api.apple-cloudkit.com
• MUST NOT share HTTP/2 connections between CloudKit API and CDN hosts
• Custom uploaders should ONLY be used for testing or specialized CDN configurations
• Production code should use the default implementation (URLSession.shared)

Why URLSession instead of ClientTransport?

Asset uploads use URLSession.shared directly rather than the injected ClientTransport to avoid HTTP/2 connection reuse issues:

1. Problem: CloudKit API (api.apple-cloudkit.com) and CDN (cvws.icloud-content.com) are different hosts
2. HTTP/2 Issue: Reusing the same HTTP/2 connection for both hosts causes 421 Misdirected Request errors
3. Solution: Use separate URLSession for CDN uploads, maintaining distinct connection pools

Design:

• AssetUploader closure type allows dependency injection for testing
• Default implementation uses URLSession.shared.upload(_:to:) with separate connection pool
• Tests provide mock uploader closures without network calls
• Platform-specific: WASI compilation excludes URLSession code via #if !os(WASI)
• CRITICAL: Custom uploaders must maintain connection pool separation from CloudKit API

Implementation Details:

• AssetUploader type: (Data, URL) async throws -> (statusCode: Int?, data: Data)
• Defined in: Sources/MistKit/Core/AssetUploader.swift
• URLSession extension: Sources/MistKit/Extensions/URLSession+AssetUpload.swift
• Upload orchestration:
  • uploadAssets() - Complete two-step upload workflow → Sources/MistKit/Service/CloudKitService+AssetOperations.swift
  • requestAssetUploadURL() - Step 1: Get CDN upload URL → Sources/MistKit/Service/CloudKitService+AssetOperations.swift
  • uploadAssetData() - Step 2: Upload binary data to CDN → Sources/MistKit/Service/CloudKitService+AssetUpload.swift

Future Consideration:
A ClientTransport extension could provide a generic upload method, but would need to:

• Handle connection pooling separately for different hosts
• Provide platform-specific implementations (URLSession, custom transports)
• Maintain the same testability via dependency injection

FilterBuilder Extensions

FilterBuilder is split across extension files for maintainability:

• Sources/MistKit/Helpers/FilterBuilder.swift — core comparators (EQUALS, NOT_EQUALS, LESS_THAN, etc.) and IN/NOT_IN
• Sources/MistKit/Helpers/FilterBuilder+StringFilters.swift — string-specific: beginsWith, notBeginsWith, containsAllTokens
• Sources/MistKit/Helpers/FilterBuilder+ListMemberFilters.swift — list-specific: listContains, etc.

IN/NOT_IN serialization: Uses ListValuePayload (Components.Schemas.ListValuePayload) to wrap array values. The fix in v1.0.0-alpha.5 ensures the correct value key structure is used when serializing list comparators.

CloudKit Web Services Integration

• Base URL: https://api.apple-cloudkit.com
• Authentication:
  • Public database: CLOUDKIT_KEY_ID + CLOUDKIT_PRIVATE_KEY or CLOUDKIT_PRIVATE_KEY_PATH → server-to-server signing
  • Private database: CLOUDKIT_API_TOKEN + CLOUDKIT_WEB_AUTH_TOKEN → web authentication
• All operations should reference the OpenAPI spec in openapi.yaml
• URL Pattern: /database/{version}/{container}/{environment}/{database}/{operation}
• Supported databases: public, private, shared
• Environments: development, production

Testing Strategy

• Use Swift Testing framework (@Test macro) for all tests
• Unit tests for all public APIs
• Integration tests using mock URLSession
• Use #expect() and #require() for assertions
• Async test support with async let and await
• Parameterized tests for testing multiple scenarios
• See testing-enablinganddisabling.md for Swift Testing patterns

Asset Upload Testing

Integration Test Requirements:

• Verify connection pool separation between CloudKit API and CDN
• Test HTTP/2 connection reuse prevention
• Validate 421 Misdirected Request error handling
• Mock uploaders should simulate realistic HTTP responses

Test Files:

• Tests/MistKitTests/Service/CloudKitServiceUpload/CloudKitServiceTests.Upload+*.swift
• Tests/MistKitTests/Service/AssetUploadTokenTests.swift

MistDemo Integration Test Runner

Examples/MistDemo/Sources/MistDemoKit/Integration/ provides a live end-to-end test suite that runs against a real CloudKit container:

• IntegrationTestRunner.swift — orchestrates all operations (query, create, update, lookup, upload, fetchChanges, lookupZones, discoverUserIdentities)
• IntegrationTestData.swift — seed data for integration tests
• IntegrationTestError.swift — typed errors for test failures
• IntegrationTest.swift, PhasedIntegrationTest.swift, and Tests/ subdirectory — protocol-based phase pipeline introduced in Refactor IntegrationTestRunner into protocol-based phase pipeline (#254) #283

Run via swift run mistdemo test-integration or swift run mistdemo test-private (private database variant). Both commands require valid CloudKit credentials in the config file.

Important Implementation Notes

1. Async/Await First: All network operations should use async/await, not completion handlers
2. Codable Compliance: All models should be Codable with custom CodingKeys when needed
3. CloudKit Types: Map CloudKit types (Asset, Reference, Location) to Swift types appropriately
4. Error Context: Include request/response details in error types for debugging
5. Pagination: Implement AsyncSequence for paginated results (queries, list operations)

OpenAPI-Driven Development

The Swift package uses Apple's swift-openapi-generator to create type-safe client code from the OpenAPI specification. Generated code is placed in Sources/MistKit/Generated/ and should not be committed to version control.

IMPORTANT: Never manually edit files in Sources/MistKit/Generated/. These files are auto-generated from openapi.yaml. Any manual edits will be lost when code is regenerated. Instead, modify openapi.yaml and regenerate using ./Scripts/generate-openapi.sh.

The openapi.yaml file serves as the source of truth for:

• All available endpoints and their HTTP methods
• Request/response schemas and models
• Authentication requirements
• Error response formats

Key endpoints documented in the OpenAPI spec:

• Records: /records/query, /records/modify, /records/lookup, /records/changes
• Zones: /zones/list, /zones/lookup, /zones/modify, /zones/changes
• Subscriptions: /subscriptions/list, /subscriptions/lookup, /subscriptions/modify
• Users: /users/caller, /users/discover (POST + GET), /users/lookup/email, /users/lookup/id
• Assets: /assets/upload
• Tokens: /tokens/create, /tokens/register

Reference Documentation

Apple's official CloudKit documentation is available in .claude/docs/ for offline reference during development:

When to Consult Each Document

webservices.md (289 KB) - CloudKit Web Services REST API

• Primary use: Implementing REST API endpoints
• Contains: Authentication, request formats, all endpoints, data types, error codes
• Consult when: Writing API client code, handling authentication, debugging responses

cloudkitjs.md (188 KB) - CloudKit JS Framework

• Primary use: Understanding CloudKit concepts and operation flows
• Contains: Container/database patterns, operations, response objects, error handling
• Consult when: Designing Swift types, implementing queries, working with subscriptions

testing-enablinganddisabling.md (126 KB) - Swift Testing Framework

• Primary use: Writing modern Swift tests
• Contains: @Test macros, async testing, parameterization, migration from XCTest
• Consult when: Writing or organizing tests, testing async code

swift-openapi-generator.md (235 KB) - Swift OpenAPI Generator Documentation

• Primary use: Understanding code generation configuration and features
• Contains: Generator configuration, type overrides, middleware system, transport protocols, API stability
• Consult when: Configuring openapi-generator-config.yaml, implementing middleware, troubleshooting generated code

See .claude/docs/README.md for detailed topic breakdowns and integration guidance.

MistDemo Documentation

• Swift Configuration Reference (.claude/docs/mistdemo/swift-configuration-reference.md) - Guide for using Swift Configuration in MistDemo
• Official Swift Configuration Docs (.claude/docs/https_-swiftpackageindex.com-apple-swift-configuration-1.0.0-documentation-configuration.md) - Full API reference

CloudKit Schema Language

cloudkit-schema-reference.md - CloudKit Schema Language Quick Reference

• Primary use: Working with text-based .ckdb schema files
• Contains: Complete grammar, field options, data types, permissions, common patterns, MistKit-specific notes
• Consult when: Reading/modifying schemas, understanding indexing, designing record types

sosumi-cloudkit-schema-source.md - Apple's Official Schema Language Documentation

• Primary use: Authoritative reference for CloudKit Schema Language
• Contains: Full grammar specification, identifier rules, system fields, permission model
• Consult when: Understanding schema fundamentals, resolving syntax questions

Comprehensive Schema Guides

For detailed schema workflows and integration:

• AI Schema Workflow (Examples/CelestraCloud/.claude/AI_SCHEMA_WORKFLOW.md) - Comprehensive guide for understanding, designing, modifying, and validating CloudKit schemas with text-based tools
• Quick Reference (Examples/SCHEMA_QUICK_REFERENCE.md) - One-page cheat sheet with syntax, patterns, cktool commands, and troubleshooting

Additional Notes

• We are using explicit ACLs in the Swift code
• type order is based on the default in swiftlint: https://realm.github.io/SwiftLint/type_contents_order.html
• Anything inside [CONTENT] [/CONTENT] is written by me

[claude]

Review: PR #332 — Extract auth-token server scaffolding + resource bundle

Overall this is a solid refactor. The architecture is cleaner and testability is improved.

What's good

• Separation of concerns: AuthTokenCommand now delegates to AuthTokenServer; route assembly and loopback validation are independently testable
• internal import: Explicitly scoping module imports prevents leaking dependencies through the public API
• Resource bundle: Moving the raw-string HTML/JS constants into Resources/auth-token-index.html removes ~500 LOC of awkward Swift string escaping and makes the HTML editable with proper tooling
• Test coverage: 26-case parameterized loopback test + 4 router smoke tests is thorough

Minor observations

LoopbackAuthority on non-Hummingbird platforms: The utility lives in Sources/MistDemoKit/Utilities/ outside a #if canImport(Hummingbird) guard. Verify this compiles cleanly on WASI/platforms where Hummingbird is unavailable, or add a compile guard if it is only ever used by Hummingbird-gated code.

AuthTokenIndexHTML.content error path: Using preconditionFailure for a missing bundle resource is fine for a demo tool, but a comment clarifying the intentional crash-vs-silent-failure choice would help future readers.

Import access in test files: The new test files import without internal qualifiers, inconsistent with the source files in this PR. Non-critical since tests are module-internal, but consistency is nice.

These are all minor — the refactoring is well-executed.

---

Note: there is also a stale comment above this one that was posted by mistake — it can be ignored.

[claude]

Review: PR #332 — Extract auth-token server scaffolding + resource bundle

Summary: Phase 1 of #330. Two issues resolved (#288, #289). Routes extracted from AuthTokenCommand into WebServer, loopback validation into standalone LoopbackAuthority, and the auth-flow HTML/JS moved from raw Swift strings into a Bundle.module-loaded resource file. 907 tests pass, lint clean.

---

What's well done

Architecture

• Clean separation of concerns: AuthTokenCommand is now lifecycle-only, WebServer owns routing, LoopbackAuthority owns host validation. Exactly the right decomposition.
• WebAuthTokenStore as an actor with an AsyncStream continuation is a solid pattern — thread-safe, one-shot consumers can await iterator.next(), and deinit finishes the continuation correctly.
• WebBackend protocol is narrow and testable. MockBackend in tests eliminates the live CloudKit dependency entirely.
• WebServer.runOperation catching all backend errors and serializing them as {"message":"..."} JSON keeps the browser UI from parsing raw HTTP errors — good defensive design for a demo.
• nonisolated let tokenUpdates on WebAuthTokenStore is the right way to expose the stream without requiring await at the call site.

Testing

• 26-case parameterized LoopbackAuthorityTests — the rejection matrix covers 10.0.0.1, 192.168.x.x, 0.0.0.0, IPv6 non-loopback, and subdomain-bypass attempts (e.g. localhost.evil.com). Very thorough.
• WebServerTests / WebServerTests+CRUD use HummingbirdTesting to exercise the full router without a live port — the right approach.
• The intermittent timeout test is now wrapped in withKnownIssue(isIntermittent: true) and disabled on wasm32 — pragmatic fix for cooperative-executor flakiness.

Resource bundle

• Moving four concatenated raw-string constants into a single Resources/index.html is clearly better. The iOS CodeSign concern was correctly investigated and shown to be moot (MistDemoApp has no dependency on MistDemoKit).

---

Issues / suggestions

1. HummingbirdTesting added to the executable target (Package.swift)

HummingbirdTesting is a test-only framework — bundling it into the MistDemo production executable is unexpected. It bloats the binary and may cause issues if Hummingbird's testing utilities make assumptions about the process environment. If WebServerTests needs it, it should live in the test target's dependency list, not the executable's. Worth confirming this is in the right target.

2. WebBackend hard-codes .private database

All four CloudKitService: WebBackend methods hard-code database: .private. Fine for the current demo scope, but a short comment explaining the intentional constraint would prevent future confusion when someone tries to adapt it for the public database.

3. LoopbackOnlyMiddleware — absent Host header is blocked

request.head.authority ?? "" calls LoopbackAuthority.isLoopback("") when the header is absent, correctly returning false and yielding 403. Right security behavior, but worth a code comment so future maintainers don't "fix" the ?? "" to something permissive.

4. host(in:) — ?? authority fallback is dead code

let host = authority.split(separator: ":", maxSplits: 1).first
return host.map(String.init) ?? authority

The only time first is nil is when authority == "", making ?? authority return "" anyway. The fallback is unreachable in practice. Minor nit — could guard on empty input explicitly instead.

5. CloudKitClientConfig.environment is String

The struct stores the enum's string representation. Make sure the conversion from MistKit.Environment to its raw value is explicit at construction time so it doesn't silently break if the enum's raw value ever changes.

6. runOperation exposes localizedDescription to the browser

For a loopback demo this is acceptable and useful for debugging. Worth a note in the README security section if this surface ever expands beyond loopback.

---

Summary

The refactoring is clean, well-tested, and directionally correct. The main item worth resolving before merge is issue #1 (HummingbirdTesting in the executable target). The rest are minor observations or documentation suggestions. High-quality work overall.

Generated with Claude Code

[claude]

Code Review PR 332 - Resolve 288 289: extract auth-token server scaffolding and resource bundle. Overview: Extracts the embedded HTTP server logic from AuthTokenCommand into a reusable WebServer struct, introduces WebCommand for a long-running interactive CRUD demo, and moves the HTML page into a resource bundle. Two commands now share one server implementation distinguished by the terminatesAfterAuth flag. Architecture Strengths: Clean separation of concerns across WebServer, WebBackend protocol, and WebBackendFactory. WebAuthTokenStore is correctly an actor preventing data races. LoopbackOnlyMiddleware is scoped to the /api router group so the HTML index stays accessible while the sensitive API surface is restricted to loopback. terminatesAfterAuth elegantly drives the 205 vs 204 behavior. Suggestions: (1) WebIndexHTML.loadContent() uses preconditionFailure - a descriptive message hinting at the resource target would help contributors who hit this during development. (2) All CRUD routes use POST even for delete and update - worth a brief comment so future contributors do not accidentally fix it and break the client JS. (3) runOperation maps all errors to 500 - CloudKit typed errors would benefit from more specific status codes in a future pass. (4) The 300-second timeout in captureToken is hardcoded with no user-visible progress feedback - a log line at start would improve UX. (5) MockBackend.stubRecord uses string interpolation for JSON which is fragile with special characters in record names. Security: LoopbackAuthority correctly handles IPv6 bracketed form, trailing ports, and empty authorities. API token is only served behind the loopback guard. Session token in WebAuthTokenStore has no expiry which is acceptable for a local demo but worth noting in the help text. Test Coverage: Coverage is solid. Gap: LoopbackOnlyMiddleware is only tested in isolation via LoopbackAuthorityTests - a routing-level test that sends a request with a non-loopback Host header and expects 403 would close this. Minor nits: addIndexEndpoint captures indexBytes via an extra closure layer that is not necessary since ByteBuffer is Sendable. WebRequests.decodeDatabase is fileprivate on an enum where private would be equally correct. Summary: Clean architecture, good test coverage, follows project conventions. The WebAuthTokenStore actor plus AsyncStream pattern for token capture is particularly clean. Three items worth addressing before leaving DRAFT: (1) routing-level test for LoopbackOnlyMiddleware rejecting non-loopback requests, (2) user-visible log message for the auth timeout countdown, (3) comment on the POST-for-all-verbs decision.