feat: Postman-compatible scripting engine — JS/Python runtimes, code intelligence, debugger, local scripts & snippets#12

Merged: markkr125 merged 25 commits into main from scripting-improvments on May 30, 2026
Conversation

@markkr125
Owner

Summary

Turns Postmark from an HTTP client with basic scripts into a Postman-grade
scripting and testing tool. Pre-request and post-response scripts now run in
real JavaScript/TypeScript (sandboxed Deno subprocess) and Python
(bundled Pyodide/WASM) runtimes behind a comprehensive, Postman-compatible
pm.* API, with IDE-grade editing, a step-through debugger, reusable local
modules and snippets, version history, and a hardened sandbox.

Existing Postman scripts are expected to run unmodified.

Highlights

Scripting runtime

  • JS/TS via an isolated Deno subprocess; Python via bundled Pyodide (RestrictedPython fallback)
  • Postman-compatible pm.* surface (pm.environment, pm.request, pm.response,
    pm.test, pm.expect, pm.sendRequest, pm.iterationData, …); same API in both languages
  • Chai-style assertions + a no-code Assertions tab
  • Script inheritance (collection → folder → request; pre top-down, tests bottom-up)
  • Postman dynamic variables ({{$guid}}, {{$randomInt}}, {{$isoTimestamp}}, …)
  • pm.sendRequest for host-executed, rate-limited HTTP from scripts

Code intelligence

  • Real language servers back the editors — Deno (JS/TS) and jedi (Python)
  • IntelliSense merging pm.* with imported packages/local modules; Problems panel,
    hover docs, signature help, go-to-definition; format-on-save (deno fmt / Ruff)

Packages & libraries

  • Offline bundled require() libs (lodash, moment, CryptoJS, Chai, tv4, Ajv, xml2js, csv-parse)
  • On-demand external packages via pm.require: npm:/jsr: (JS) and PyPI (Python, micropip)
  • Private/self-hosted registries with per-scope auth; credentials in the OS keychain
    (encrypted-file fallback), never in plain settings

Local scripts & snippets

  • New "Local scripts" sidebar tree of standalone, reusable script files (JS/TS/Python)
    with Run/Debug/Problems; import/export between files; pm.require("local:…");
    safe rename/move auto-rewrites references
  • In-editor snippets palette (context-filtered insert) + user-authored snippets managed
    from the sidebar; insert picker is read-only (no accidental deletes)

Debugger, history & runner

  • Step-through debugger: conditional breakpoints, step over/into/out, call stack,
    variable/watch inspector, break-on-exception; breakpoints persist per request
  • Automatic script version history with searchable timeline, restore, and a
    side-by-side syntax-highlighted diff viewer
  • Collection runner with data-driven CSV/JSON iterations, flow control, and run history

Workspace & UI

  • VS Code-style left activity rail: "Collections & Environments" and "Local scripts & snippets"
  • Inline environment switching in the sidebar
  • Bulk key-value editing (paste-friendly; // disables a line); tab back/forward history

Security

Scripts run with no filesystem, network, or OS access — network only via the
rate-limited pm.sendRequest, bounded by per-run time/memory limits. Python adds
AST-level restriction and a whitelisted builtin set. Registry secrets are resolved
only at run time and written with owner-only permissions.

Testing

  • ~110 new test files across tests/unit, tests/services, and tests/ui
    (script engine, sandbox security, services, LSP, sidebar, dialogs)
  • Run: poetry run pytest

Scope

  • 22 commits, 522 files changed. A large share of the line count is vendored runtime
    assets (Pyodide WASM/stdlib, JS library bundles) and ~5k lines of new user docs;
    application source and tests account for the rest.
  • New services: script_service, script_version_service, run_history_service,
    local_script_service, snippet_service, assertion_service.
  • README and docs/ (scripting, ui-reference, architecture, guides) updated to match.

Reviewer notes

  • The Deno/Pyodide runtime bootstrap and sandbox isolation are the highest-risk areas —
    worth focused review (src/services/scripting/, docs/scripting/security.md).
  • Vendored bundles under data/scripts/vendor* and data/lsp are generated/third-party.

…, and script service

- Implement unit tests for the script execution engine covering context building, request mutations, variable changes, and sensitive value masking.
- Introduce security tests for the Python and JavaScript sandboxes to ensure isolation and prevent escape vectors.
- Add tests for the ScriptService to verify script chain resolution from the database and inline events.
- Implement tests for runtime errors in script engine, ensuring source names are captured.
- Add tests for UUID v4 generation and HMAC-SHA256 functionality in the script sandbox.
- Remove redundant test for empty scripts in script service.
- Introduce new tests for various vendor libraries including CryptoJS, lodash, moment, and more.
- Create tests for script version service, covering capture, listing, diffing, and deletion of versions.
…ault; adjust layout in folder editor and scripts mixin for consistency
- Implemented a new diff viewer (_DiffViewer) to display side-by-side comparisons of script versions.
- Added a diff toolbar (_DiffToolbar) with search, navigation, copy, and whitespace handling features.
- Introduced helper functions for formatting timestamps and computing fold ranges in diffs.
- Enhanced the code editor to support diff highlighting with line and character-level selections.
- Updated global QSS styles for version lists and diff components.
- Added tests for diff functionality, including navigation, whitespace handling, and version search filtering.
- Refactored existing components to integrate with the new diff features.
…eatures

- Introduced DenoManager for managing the Deno runtime binary, including download, caching, and removal functionalities.
- Added feature detection for advanced JavaScript features (async/await and npm imports) with the `detect_advanced_features` function.
- Implemented a RuntimeBanner widget to prompt users for Deno installation when required features are detected.
- Updated documentation to reflect new functionalities and added tests for DenoManager and feature detection utilities.
- Introduced a new `AGENTS.md` file to serve as a central source of truth for agent instructions, including mandatory sync guidelines after code changes.
- Created multiple skill documentation files under `.agents/skills/`, detailing procedures for customization, import parsing, service and repository references, signal flow, test writing, and widget patterns.
- Updated `README.md` to reference the new `AGENTS.md` for architecture and coding conventions.
- Enhanced the overall documentation structure to improve clarity and accessibility for developers.
…ScriptLinter

- Added Esprima as a new dependency for JavaScript syntax parsing and validation.
- Updated the ScriptLinter to utilize Esprima for improved syntax and API validation in JavaScript scripts.
- Introduced a new pm_api_schema.py file to define the schema for the pm/postman API, aiding in linting unknown members and incorrect usage.
- Enhanced the completion engine to include JavaScript and Python keywords for better code suggestions.
- Improved the UI for script output panels, including idle hints and layout adjustments for better user experience.
- Updated global styles to accommodate new UI elements and ensure consistency across the application.
- Added tests to verify the integration of Esprima and the functionality of the updated ScriptLinter.
- Updated `AGENTS.md` to reflect changes in the project structure and new entry points for the application.
- Introduced `deno_drain.mjs` and `esprima_parse.mjs` for improved JavaScript execution and parsing under Deno.
- Added `pm_bootstrap.py` for the Postmark API in Pyodide, enabling Python script execution in the Deno environment.
- Enhanced the `pm` API in `pm_bootstrap.js` to support dynamic module loading with `pm.require`.
- Updated the `pyproject.toml` to include new dependencies and adjusted the Python path for testing.
- Improved documentation for the `ScriptEngine` and added new helper functions for script execution and validation.
- Refactored existing components to accommodate the new runtime features and ensure consistency across the application.
… improvements

- Added a new `data/snippets/` directory containing JSON files for JavaScript and Python snippets, enabling quick code insertion in script editors.
- Updated `AGENTS.md` to include the new `data/snippets/` structure and its purpose.
- Enhanced `pm_bootstrap.js` and `pm_bootstrap.py` to support new HTTP status assertions and body checks, improving the testing framework.
- Introduced new methods in the `_Expectation` class for body assertions and refined status checks by canonical name.
- Updated `pyproject.toml` to include new dependencies for keyring and cryptography.
- Improved documentation to reflect the new snippet features and API enhancements.
…ements

- Added a complete implementation plan for local script modules, detailing the integration of reusable scripts as local files on disk.
- Introduced a new left-pane toggle row in the UI for switching between Collections and Scripts, enhancing user navigation.
- Clarified requirements for the Scripts panel, including folder grouping and context actions for module management.
- Ensured full reuse of the existing script editor surface for module tabs, maintaining consistency with pre/post-request scripts.
- Updated documentation to reflect the new structure and features, including inline amendments for clarity and traceability.
- Introduced new `key_value_bulk.py` for Postman-style bulk text serialization and parsing.
- Updated `AGENTS.md`, `directory-structure.md`, and various UI references to include new key-value bulk editing features.
- Enhanced `KeyValueTableWidget` to support bulk editing mode with appropriate settings profiles for Params, Headers, and Body.
- Improved UI elements and documentation to reflect changes in key-value table interactions and styling.
- Adjusted signal descriptions in `signals.md` to clarify bulk editing behavior.
- Introduced `EnvironmentSidebarPanel` for listing environments with activation controls, allowing users to set or clear the active environment.
- Updated `AGENTS.md`, `directory-structure.md`, and various UI references to include the new sidebar panel and its functionalities.
- Refactored `EnvironmentEditorDialog` into `EnvironmentEditorWidget` for a non-modal editing experience, improving usability in the main window.
- Enhanced documentation to reflect changes in environment management and UI structure, including new signal descriptions in `signals.md`.
- Adjusted `pyproject.toml` for linting configurations and added new test files for the sidebar panel functionality.
- Added `LeftSidebar` to provide a VSCode-style activity rail with a collapsible flyout for collections and environments.
- Updated `AGENTS.md`, `directory-structure.md`, and various UI references to reflect the new sidebar layout and functionalities.
- Enhanced the main window layout to accommodate the new left rail alongside the existing right sidebar.
- Improved documentation to clarify the structure and behavior of the new sidebar components, including signal descriptions and styling adjustments.
- Adjusted global styles to ensure consistent appearance across the application, particularly for the new sidebar elements.
- Expanded local script functionality with new repositories for CRUD operations and query capabilities.
- Updated `AGENTS.md` to include detailed descriptions of local script services and their methods.
- Introduced new icons for JavaScript, TypeScript, and Python to improve visual representation in the UI.
- Enhanced the request editor with a new assertions tab for declarative testing, integrating with the existing scripting framework.
- Improved documentation across various files to reflect changes in local script handling and UI structure, including new signal descriptions.
- Adjusted `pyproject.toml` to include new dependencies and updated testing configurations for timeout handling.
- Introduced a new `dynamic_variables.json` file containing various dynamic variable pools for enhanced scripting capabilities.
- Updated `pm_bootstrap.js` and `pm_bootstrap.py` to support new dynamic variable resolution methods, improving the flexibility of variable handling in scripts.
- Enhanced the `Expectation` class with a new `jsonSchema` method for validating response bodies against JSON schemas.
- Improved documentation in `AGENTS.md` to reflect the new dynamic variable features and their usage.
- Adjusted various UI components to accommodate the new dynamic variable functionalities, ensuring a seamless user experience.
- Introduced a new `SnippetsSidebarPanel` for user-authored script snippets, allowing for organized categorization and easy access.
- Updated `AGENTS.md` to reflect the new snippets structure and CRUD operations, including context menu actions for editing and deleting snippets.
- Enhanced the `CollectionTreeDelegate` to support in-place renaming for local scripts and folders using an overlay QLineEdit, improving user experience.
- Improved documentation across various files to clarify the new snippets functionality and UI components, including detailed descriptions of signals and interactions.
- Added new methods in `SnippetService` for managing snippet categories, including deletion and renaming capabilities.
- Updated the README to provide a more structured and visually appealing introduction to Postmark, including a centered title and improved description.
- Expanded the features section to detail capabilities such as scripting, collections management, and code intelligence.
- Added code examples for JavaScript and Python to illustrate scripting functionalities.
- Enhanced organization of content for better readability and user engagement.
- Upgraded Lodash to version 4.18.1 and Chai to version 6.2.2, along with Ajv to version 8.20.0 and csv-parse to version 6.2.1, ensuring compatibility and improved functionality.
- Enhanced the tree overlay rename functionality by adding safety checks with Shiboken to prevent invalid references during renaming operations.
- Improved code readability by refactoring lambda functions and connecting signals in a more concise manner across various UI components.
- Updated documentation in VERSIONS.md and audit_vendor.py to reflect the new library versions and their integration into the project.
- Changed the base class of `_TreeOverlayRenameBase` from `object` to `QObject` for better integration with Qt's object model.
- Enhanced the `_top_level_titles` function to include safety checks, ensuring it handles potential `None` values when retrieving top-level item titles from the tree.
- Introduced a minimal environment for sandbox subprocesses to prevent host secrets from being exposed to untrusted scripts.
- Updated the `pm.require` method to restrict imports to a predefined list of bundled modules, enhancing security against arbitrary module access.
- Implemented checks to block subrequests to non-public hosts, improving protection against SSRF vulnerabilities.
- Enhanced the `RequestEditorWidget` to synchronize URL and Params table, ensuring consistency and user-friendly interactions.
- Added a help dialog for the Assertions tab, providing users with guidance on declarative checks and their usage.
- Updated `AGENTS.md` to reflect new features and improvements in scripting capabilities and UI components.
@markkr125 markkr125 merged commit 131895b into main May 30, 2026
4 checks passed
@markkr125 markkr125 deleted the scripting-improvments branch May 30, 2026 19:39
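
The commit notes above mention checks that block subrequests to non-public hosts for the host-executed `pm.sendRequest`. One way such a check can be written, as an added example that is not Postmark's own code; every name in it (`vet_subrequest`, `BlockedSubrequest`, the resolver functions) is hypothetical and the DNS answers are constructed:

```python
# Added illustration; all names are hypothetical, not Postmark's code.
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedSubrequest(ValueError):
    """Raised when a script-issued URL must not be fetched by the host."""

def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]  # every address the OS returns

def is_public_address(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as IPv6.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global

def vet_subrequest(url, resolver=system_resolver):
    """Return the vetted IPs for url, or raise BlockedSubrequest.

    Connect to a returned IP instead of resolving again, so a later DNS
    answer cannot differ from the one that was checked (rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedSubrequest(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:  # literal IP in the URL: no DNS lookup needed
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = list(resolver(parts.hostname, port))
    # One non-public answer among several public ones is enough to refuse.
    bad = [a for a in addrs if not is_public_address(a)]
    if bad or not addrs:
        raise BlockedSubrequest(f"{parts.hostname}: {bad or 'no address'}")
    return addrs

# Constructed DNS answers (not real lookups) so the example runs offline.
CONSTRUCTED_DNS = {
    "api.example.test": ["93.184.216.34"],
    "metadata.example.test": ["169.254.169.254"],
    "mixed.example.test": ["93.184.216.34", "10.0.0.5"],
}

def constructed_resolver(host, port):
    return CONSTRUCTED_DNS.get(host, [])
```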