Harden Asset Manager add/remove guards without schema changes - PR_11_316

Author: DavidQ

docs/dev/codex_commands.md

@@ -152,3 +152,10 @@ PR_11_315
 ```bash
 npx @openai/codex run --model gpt-5.3-codex --reasoning medium "Implement PR_11_315: Enable core asset management actions in Asset Manager V2 (add/remove entries) with strict required-field validation and workspace persistence."
 ```
+
+---
+PR_11_316
+
+```bash
+npx @openai/codex run --model gpt-5.3-codex --reasoning medium "Implement PR_11_316: Harden Asset Manager V2 add/remove actions by rejecting duplicate ids, blank/whitespace fields, and missing remove ids with actionable status messages while preserving valid persistence behavior."
+```

docs/dev/commit_comment.txt

@@ -1 +1 @@
-Enable Asset Manager V2 add/remove asset entries with strict validation and workspace persistence - PR 11.315
+Harden Asset Manager V2 add/remove rejection paths and preserve valid persistence behavior - PR 11.316

docs/dev/reports/PR_11_316_report.md

@@ -0,0 +1,38 @@
+# PR_11_316 Report
+
+## Purpose
+Harden Asset Manager V2 add/remove behavior with explicit rejection paths while preserving existing valid persistence behavior.
+
+## Files Changed
+- `tools/asset-manager-v2/index.js`
+- `tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs`
+- `docs/pr/PR_11_316_ASSET_MANAGER_ADD_REMOVE_HARDENING/PLAN_PR.md`
+- `docs/pr/PR_11_316_ASSET_MANAGER_ADD_REMOVE_HARDENING/BUILD_PR.md`
+- `docs/dev/reports/PR_11_316_report.md`
+- `docs/dev/codex_commands.md`
+- `docs/dev/commit_comment.txt`
+
+## Implementation Summary
+- Add action now reports exactly which required field(s) are missing when id/label/kind/path are blank or whitespace-only.
+- Duplicate asset id add remains blocked with clear status.
+- Remove-by-id remains blocked with clear status when id is missing or not found.
+- Valid add/remove still flows through existing validation + session persistence path.
+- No schema or manifest contract changes.
+
+## Validation Commands
+- `node --check tools/asset-manager-v2/index.js` -> **PASS**
+- `node --check tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs` -> **PASS**
+- `node tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs` -> **PASS**
+
+## Targeted Test Output
+- `tmp/pr_11_316_asset_manager_add_remove_results.json`
+- Verified checks:
+  - duplicate id rejected
+  - blank/whitespace-only required field rejected
+  - remove missing id rejected
+  - valid add persists
+  - valid remove persists
+
+## Full Samples Smoke Decision
+- **Skipped** full samples smoke test.
+- Reason: change is strictly scoped to `asset-manager-v2` add/remove validation and has focused runtime test coverage with syntax checks.

docs/pr/PR_11_316_ASSET_MANAGER_ADD_REMOVE_HARDENING/BUILD_PR.md

@@ -0,0 +1,16 @@
+# BUILD_PR_11_316
+
+## Implementation
+- Updated `tools/asset-manager-v2/index.js` add/remove hardening:
+  - blank or whitespace-only add fields are rejected with explicit missing-field messaging
+  - duplicate asset id rejection remains explicit and blocking
+  - remove-by-id rejection remains explicit when id is not found
+  - valid add/remove continues through existing load/validate/persist flow
+- Added targeted runtime test:
+  - `tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs`
+  - validates rejected add/remove actions and successful persistence path
+
+## Validation
+- `node --check tools/asset-manager-v2/index.js`
+- `node --check tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs`
+- `node tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs`

docs/pr/PR_11_316_ASSET_MANAGER_ADD_REMOVE_HARDENING/PLAN_PR.md

@@ -0,0 +1,18 @@
+# PLAN_PR_11_316
+
+## Purpose
+Harden Asset Manager V2 add/remove validation behavior while preserving valid persistence behavior and leaving import/export contracts unchanged.
+
+## Scope
+- `tools/asset-manager-v2/index.js`
+- `tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs`
+- `docs/dev/reports/PR_11_316_report.md`
+- `docs/dev/codex_commands.md`
+- `docs/dev/commit_comment.txt`
+
+## Steps
+1. Tighten add-field rejection messaging for blank/whitespace-only values.
+2. Keep duplicate asset id rejection explicit and unchanged in behavior.
+3. Keep remove-by-id rejection explicit when the id does not exist.
+4. Add targeted runtime test coverage for duplicate, blank field, missing remove id, and valid add/remove persistence.
+5. Run targeted syntax and targeted Asset Manager runtime test only.

tests/runtime/V2AssetManagerAddRemoveHardening.test.mjs

@@ -0,0 +1,215 @@
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import path from "node:path";
+import vm from "node:vm";
+import { execFileSync } from "node:child_process";
+import { fileURLToPath, pathToFileURL } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const repoRoot = path.resolve(__dirname, "..", "..");
+const toolPath = path.join(repoRoot, "tools", "asset-manager-v2", "index.js");
+const resultsPath = path.join(repoRoot, "tmp", "pr_11_316_asset_manager_add_remove_results.json");
+
+function checkSyntax(filePath) {
+  execFileSync(process.execPath, ["--check", filePath], {
+    cwd: repoRoot,
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+}
+
+function createElementRecord(id = "") {
+  return {
+    id,
+    value: "",
+    textContent: "",
+    hidden: false,
+    type: "",
+    children: [],
+    listeners: {},
+    append(...nodes) {
+      this.children.push(...nodes);
+    },
+    appendChild(node) {
+      this.children.push(node);
+      return node;
+    },
+    replaceChildren(...nodes) {
+      this.children = [...nodes];
+    },
+    addEventListener(eventName, handler) {
+      this.listeners[eventName] = handler;
+    },
+    click() {
+      if (typeof this.listeners.click === "function") {
+        this.listeners.click();
+      }
+    }
+  };
+}
+
+function createHarness() {
+  const elementRecords = new Map();
+  const storage = new Map();
+  const validSession = {
+    version: "v2",
+    toolId: "asset-manager-v2",
+    payloadJson: {
+      assetCatalog: {
+        name: "Catalog",
+        entries: [
+          { id: "ship-1", label: "Ship", kind: "svg", path: "assets/ship.svg" }
+        ]
+      }
+    }
+  };
+  storage.set("ctx-1", JSON.stringify(validSession));
+
+  const document = {
+    title: "",
+    body: {
+      dataset: {}
+    },
+    getElementById(id) {
+      if (!elementRecords.has(id)) {
+        elementRecords.set(id, createElementRecord(id));
+      }
+      return elementRecords.get(id);
+    },
+    createElement(tagName) {
+      const element = createElementRecord(tagName);
+      element.tagName = tagName;
+      return element;
+    }
+  };
+
+  const window = {
+    location: {
+      href: "https://example.test/tools/asset-manager-v2/index.html?hostContextId=ctx-1"
+    },
+    addEventListener() {},
+    sessionStorage: {
+      getItem(key) {
+        return storage.has(key) ? storage.get(key) : null;
+      },
+      setItem(key, value) {
+        storage.set(key, String(value));
+      }
+    }
+  };
+
+  const context = vm.createContext({
+    window,
+    document,
+    URL,
+    JSON,
+    Error,
+    console: { log() {}, error() {} }
+  });
+
+  const rawSource = fs.readFileSync(toolPath, "utf8");
+  const classSource = rawSource.replace(/\nnew AssetBrowserV2\(\);\s*$/u, "\n");
+  vm.runInContext(`${classSource}\nthis.AssetBrowserV2 = AssetBrowserV2;`, context);
+  const instance = new context.AssetBrowserV2();
+
+  return { instance, elementRecords, storage, rawSource };
+}
+
+function setFormValues(elementRecords, values) {
+  if (!elementRecords.has("assetManagerV2AddId")) elementRecords.set("assetManagerV2AddId", createElementRecord("assetManagerV2AddId"));
+  if (!elementRecords.has("assetManagerV2AddLabel")) elementRecords.set("assetManagerV2AddLabel", createElementRecord("assetManagerV2AddLabel"));
+  if (!elementRecords.has("assetManagerV2AddKind")) elementRecords.set("assetManagerV2AddKind", createElementRecord("assetManagerV2AddKind"));
+  if (!elementRecords.has("assetManagerV2AddPath")) elementRecords.set("assetManagerV2AddPath", createElementRecord("assetManagerV2AddPath"));
+  elementRecords.get("assetManagerV2AddId").value = values.id;
+  elementRecords.get("assetManagerV2AddLabel").value = values.label;
+  elementRecords.get("assetManagerV2AddKind").value = values.kind;
+  elementRecords.get("assetManagerV2AddPath").value = values.path;
+}
+
+export function run() {
+  checkSyntax(toolPath);
+  const { instance, elementRecords, storage, rawSource } = createHarness();
+  if (!elementRecords.has("assetManagerV2ActionStatus")) {
+    elementRecords.set("assetManagerV2ActionStatus", createElementRecord("assetManagerV2ActionStatus"));
+  }
+  const actionStatus = elementRecords.get("assetManagerV2ActionStatus");
+  const hostContextId = "ctx-1";
+
+  setFormValues(elementRecords, {
+    id: "dup-asset",
+    label: "Duplicate",
+    kind: "png",
+    path: "assets/duplicate.png"
+  });
+  instance.addAssetEntry();
+  const afterFirstAdd = JSON.parse(storage.get(hostContextId));
+  setFormValues(elementRecords, {
+    id: "dup-asset",
+    label: "Duplicate Again",
+    kind: "png",
+    path: "assets/duplicate-again.png"
+  });
+  instance.addAssetEntry();
+  const duplicateMessage = actionStatus.textContent;
+  const afterDuplicateAttempt = JSON.parse(storage.get(hostContextId));
+
+  setFormValues(elementRecords, {
+    id: "   ",
+    label: "Label",
+    kind: "svg",
+    path: "assets/x.svg"
+  });
+  instance.addAssetEntry();
+  const whitespaceMessage = actionStatus.textContent;
+  const afterWhitespaceAttempt = JSON.parse(storage.get(hostContextId));
+
+  instance.removeAssetEntryById("missing-asset-id");
+  const missingRemoveMessage = actionStatus.textContent;
+  const afterMissingRemoveAttempt = JSON.parse(storage.get(hostContextId));
+
+  setFormValues(elementRecords, {
+    id: "new-asset",
+    label: "New Asset",
+    kind: "png",
+    path: "assets/new.png"
+  });
+  instance.addAssetEntry();
+  const afterValidAdd = JSON.parse(storage.get(hostContextId));
+
+  instance.removeAssetEntryById("new-asset");
+  const afterValidRemove = JSON.parse(storage.get(hostContextId));
+
+  const summary = {
+    generatedAt: new Date().toISOString(),
+    checks: {
+      duplicateIdRejected: duplicateMessage === "Add blocked. Asset id 'dup-asset' already exists.",
+      duplicateIdDidNotMutateEntries: afterDuplicateAttempt.payloadJson.assetCatalog.entries.length === afterFirstAdd.payloadJson.assetCatalog.entries.length,
+      whitespaceOnlyFieldRejected: whitespaceMessage === "Add blocked. Missing required field(s): id.",
+      whitespaceRejectDidNotMutateEntries: afterWhitespaceAttempt.payloadJson.assetCatalog.entries.length === afterDuplicateAttempt.payloadJson.assetCatalog.entries.length,
+      removeMissingIdRejected: missingRemoveMessage === "Remove blocked. Asset id 'missing-asset-id' was not found.",
+      removeMissingDidNotMutateEntries: afterMissingRemoveAttempt.payloadJson.assetCatalog.entries.length === afterWhitespaceAttempt.payloadJson.assetCatalog.entries.length,
+      validAddStillPersists: afterValidAdd.payloadJson.assetCatalog.entries.some((entry) => entry.id === "new-asset"),
+      validRemoveStillPersists: !afterValidRemove.payloadJson.assetCatalog.entries.some((entry) => entry.id === "new-asset"),
+      hasNoWhitespaceFallbackPath: !rawSource.includes("payloadJson: {}")
+    }
+  };
+
+  fs.mkdirSync(path.dirname(resultsPath), { recursive: true });
+  fs.writeFileSync(resultsPath, `${JSON.stringify(summary, null, 2)}\n`, "utf8");
+
+  for (const [key, value] of Object.entries(summary.checks)) {
+    assert.equal(value, true, `${key} failed`);
+  }
+
+  return summary;
+}
+
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+  try {
+    const summary = run();
+    console.log(JSON.stringify(summary, null, 2));
+  } catch (error) {
+    console.error(error);
+    process.exitCode = 1;
+  }
+}

tools/asset-manager-v2/index.js

@@ -132,8 +132,13 @@ class AssetBrowserV2 {
     const label = typeof document.getElementById("assetManagerV2AddLabel").value === "string" ? document.getElementById("assetManagerV2AddLabel").value.trim() : "";
     const kind = typeof document.getElementById("assetManagerV2AddKind").value === "string" ? document.getElementById("assetManagerV2AddKind").value.trim() : "";
     const path = typeof document.getElementById("assetManagerV2AddPath").value === "string" ? document.getElementById("assetManagerV2AddPath").value.trim() : "";
-    if (!id || !label || !kind || !path) {
-      return { ok: false, message: "Add blocked. id, label, kind, and path are required.", entry: null };
+    const missingFields = [];
+    if (!id) missingFields.push("id");
+    if (!label) missingFields.push("label");
+    if (!kind) missingFields.push("kind");
+    if (!path) missingFields.push("path");
+    if (missingFields.length > 0) {
+      return { ok: false, message: `Add blocked. Missing required field(s): ${missingFields.join(", ")}.`, entry: null };
     }
     return { ok: true, message: "", entry: { id, label, kind, path } };
   }
@@ -167,8 +172,9 @@ class AssetBrowserV2 {
       this.setActionStatus(newEntry.message);
       return;
     }
-    if (this.currentSessionContext.payloadJson.assetCatalog.entries.some((entry) => entry && typeof entry === "object" && !Array.isArray(entry) && typeof entry.id === "string" && entry.id.trim() === newEntry.entry.id)) {
-      this.setActionStatus(`Add blocked. Asset id '${newEntry.entry.id}' already exists.`);
+    const normalizedId = newEntry.entry.id.trim();
+    if (this.currentSessionContext.payloadJson.assetCatalog.entries.some((entry) => entry && typeof entry === "object" && !Array.isArray(entry) && typeof entry.id === "string" && entry.id.trim() === normalizedId)) {
+      this.setActionStatus(`Add blocked. Asset id '${normalizedId}' already exists.`);
       return;
     }
     const nextSessionContext = this.cloneSessionValue(this.currentSessionContext);
@@ -199,15 +205,16 @@ class AssetBrowserV2 {
       this.setActionStatus("Remove blocked. Asset id is required.");
       return;
     }
+    const normalizedId = assetId.trim();
     const nextSessionContext = this.cloneSessionValue(this.currentSessionContext);
     const startLength = nextSessionContext.payloadJson.assetCatalog.entries.length;
-    nextSessionContext.payloadJson.assetCatalog.entries = nextSessionContext.payloadJson.assetCatalog.entries.filter((entry) => !entry || typeof entry !== "object" || Array.isArray(entry) || typeof entry.id !== "string" || entry.id.trim() !== assetId.trim());
+    nextSessionContext.payloadJson.assetCatalog.entries = nextSessionContext.payloadJson.assetCatalog.entries.filter((entry) => !entry || typeof entry !== "object" || Array.isArray(entry) || typeof entry.id !== "string" || entry.id.trim() !== normalizedId);
     if (nextSessionContext.payloadJson.assetCatalog.entries.length === startLength) {
-      this.setActionStatus(`Remove blocked. Asset id '${assetId.trim()}' was not found.`);
+      this.setActionStatus(`Remove blocked. Asset id '${normalizedId}' was not found.`);
       return;
     }
     this.loadContract(nextSessionContext);
-    this.setActionStatus(`Asset '${assetId.trim()}' removed.`);
+    this.setActionStatus(`Asset '${normalizedId}' removed.`);
   }
 
   logStructuredError(type, message, details) {