Skip to content

Comments

feat: add ws-signaling-proxy reference implementation#92

Merged
AdirAmsalem merged 2 commits intomainfrom
add-ws-signaling-proxy
Feb 23, 2026
Merged

feat: add ws-signaling-proxy reference implementation#92
AdirAmsalem merged 2 commits intomainfrom
add-ws-signaling-proxy

Conversation

@AdirAmsalem
Copy link
Contributor

@AdirAmsalem AdirAmsalem commented Feb 23, 2026

Summary

  • Adds ws-signaling-proxy package — a reference WebSocket signaling proxy for providers integrating with Decart's realtime API
  • Keeps the provider's API key server-side while transparently forwarding all signaling messages between end-user clients and Decart
  • Includes an e2e test that verifies the full round-trip against Decart's API

Test plan

  • cd ws-signaling-proxy && pnpm typecheck && pnpm lint
  • DECART_API_KEY=... pnpm test:e2e
  • pnpm dev — connect from browser SDK and verify signaling flow

Note

Medium Risk
Introduces a new server-side WebSocket proxy that handles API keys and bidirectional message forwarding; correctness and safe logging/close handling are important even though it’s added as an isolated, private package.

Overview
Adds a new packages/ws-signaling-proxy reference service that terminates client WebSocket connections and opens an upstream Decart /v1/stream WebSocket using a server-side DECART_API_KEY, forwarding frames bidirectionally (with buffering until upstream is ready) and propagating closes with sanitized close codes.

Includes developer docs (README.md, .env.example), TypeScript build/config and an e2e test that spins up the proxy and validates set_image/prompt round-trips against the Decart API. CI is updated to run build/lint/format/typecheck for this new package and the lockfile is updated for the added dependencies.

Written by Cursor Bugbot for commit 34a8212. This will update automatically on new commits. Configure here.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 23, 2026

Open in StackBlitz

npm i https://pkg.pr.new/DecartAI/sdk/@decartai/sdk@92

commit: bd74e99

@AdirAmsalem AdirAmsalem merged commit eb204bc into main Feb 23, 2026
5 checks passed
@AdirAmsalem AdirAmsalem deleted the add-ws-signaling-proxy branch February 23, 2026 21:12
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 3 potential issues.

}

start() {
const url = `${this.config.decartBaseUrl}/v1/stream?api_key=${this.config.decartApiKey}&model=${this.config.model}`;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unencoded model parameter enables URL injection

High Severity

The model value comes from client-supplied query parameters via URLSearchParams.get(), which returns the decoded value. It's then directly interpolated into the upstream URL string without encoding. A malicious client can inject arbitrary query parameters into the upstream Decart API request (e.g. ?model=x%26api_key=other) by embedding encoded ampersands. The model value needs to be passed through encodeURIComponent before interpolation.

Additional Locations (1)

Fix in Cursor Fix in Web

return code;
}
return 1000;
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sanitizeCloseCode silently converts valid error codes to normal

Medium Severity

sanitizeCloseCode only allows code 1000 or >= 3000, but the ws library accepts 1000–1003, 1007–1014, and 3000–4999 as valid close codes. This means the explicit this.close(1011, "upstream connection error") on upstream failure is silently downgraded to 1000 (Normal Closure), so the client never learns the connection was closed due to an error. Additionally, valid forwarded codes like 1001 (Going Away) are lost. The condition also passes through codes >= 5000 which the ws library considers invalid and would throw a RangeError on.

Additional Locations (1)

Fix in Cursor Fix in Web

);
this.close(code, reasonStr);
});
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing client WebSocket error handler crashes process

High Severity

The start() method attaches an "error" handler on this.upstream but not on this.clientWs. In Node.js, an EventEmitter that emits an "error" event with no listener throws the error as an uncaught exception, crashing the process. Any client-side network disruption (connection reset, broken pipe, etc.) would bring down the entire proxy for all connected users.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant