Skip to content

Add unsafe faker browser setting#292

Merged
eviltester merged 4 commits into
masterfrom
245-risky-true-browser
Jun 30, 2026
Merged

Add unsafe faker browser setting#292
eviltester merged 4 commits into
masterfrom
245-risky-true-browser

Conversation

@eviltester

@eviltester eviltester commented Jun 30, 2026

Copy link
Copy Markdown
Owner

Summary

  • adds a Generation settings cog with an allow risky faker option for browser generation flows
  • keeps risky Faker expression support disabled by default, with explicit opt-ins for UI, CLI, MCP, and API usage
  • documents risky helper variants and updates API/OpenAPI and MCP contract coverage
  • ignores generated Codex dev web stdout/stderr logs

Closes #245

Verification

  • pnpm --dir docs-src run build
  • Playwright live check against http://127.0.0.1:4173/app.html
  • pnpm run verify:ui
  • pnpm run verify:local
  • commit hook: format check + full Jest suite
  • pre-push hook: local verification gate

Summary by CodeRabbit

  • New Features
    • Added a “Generation settings” UI with an allow unsafe faker expressions toggle, surfaced in the data generation workflow (including panels, toolbar, and Storybook).
    • Enabled opt-in propagation for unsafe faker expressions through the generation pipeline, including REST and MCP endpoints/tools.
  • Documentation
    • Expanded guidance on unsafe faker helper variants and the safe opt-in process across Web UI, CLI, REST, and MCP.
  • Tests
    • Added/updated UI, schema validation, generator, and MCP/integration tests to confirm toggle behavior and unsafe-expression output.
  • Chores
    • Updated ignore rules for development log artifacts.

Copilot AI review requested due to automatic review settings June 30, 2026 07:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 56589d57-d707-439f-8f61-0b97833d971b

📥 Commits

Reviewing files that changed from the base of the PR and between a8521a7 and 4fb4356.

📒 Files selected for processing (6)
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-controller.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/schema-error-text.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/schema-row-validation.js
  • packages/core-ui/src/tests/app/population-actions.test.js
  • packages/core-ui/src/tests/shared/schema-error-text.test.js
  • packages/core-ui/src/tests/shared/schema-row-validation.test.js
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-controller.js
  • packages/core-ui/src/tests/shared/schema-row-validation.test.js
  • packages/core-ui/src/tests/app/population-actions.test.js

📝 Walkthrough

Walkthrough

Adds a browser Generation settings toggle for unsafe faker expressions, threads that setting through generation and schema validation paths, and updates MCP, REST, OpenAPI, stories, docs, and tests to expose and verify the new opt-in.

Changes

Unsafe Faker Expressions Feature

Layer / File(s) Summary
Browser Generation settings UI
packages/core-ui/js/gui_components/app/population-actions/*, packages/core-ui/js/gui_components/app/test-data-population-toolbar/*, packages/core-ui/js/gui_components/app/data-population-panel/*, packages/core-ui/js/gui_components/app/test-data-grid/controller/test-data-grid-controller.js, apps/web/src/stories/*, apps/web/styles.css, packages/core-ui/src/tests/app/*
Adds Generation settings state, checkbox handling, open/close behavior, component APIs, browser wiring, Storybook controls, styles, and UI tests for unsafe faker expressions.
Generation and schema validation propagation
packages/core-ui/js/gui_components/shared/test-data/generation/*, packages/core-ui/js/gui_components/generator/*, packages/core-ui/js/gui_components/shared/test-data/schema/*, packages/core-ui/js/gui_components/shared/schema-definition/*, packages/core-ui/src/tests/shared/*, packages/core-ui/src/tests/grid/generation/*
Threads unsafeFakerExpressions through generator construction, UI generation sessions, schema parsing, semantic validation, and shared schema editor flows, with tests covering the new gating behavior.
MCP, REST, OpenAPI, and docs
packages/core/js/mcp/anywaydata-mcp-contract.js, apps/mcp/src/mcp.test.js, apps/api/src/openapi.js, docs-src/docs/*, packages/core/src/tests/mcp/*
Adds unsafeFakerExpressions to MCP tool schemas and execution, updates OpenAPI descriptions, and revises REST, CLI, MCP, and faker helper docs to describe the unsafe helper variants and opt-in settings.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Poem

🐇 I found a settings button bright,
And flipped a risky switch just right.
From browser hops to toolchain trails,
The unsafe helpers wagged their tails,
While careful docs lit up the night.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The browser toggle is added, but it defaults to false instead of the issue’s requested browser default behavior. Adjust the browser default for risky faker to match #245 and confirm the setting appears to the left of Generate in Test Data.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed It clearly summarizes the main change: adding an unsafe faker browser setting.
Out of Scope Changes check ✅ Passed The broader docs, API/MCP/CLI wiring, and log ignores all support the same unsafe-faker feature and are not obviously unrelated.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 245-risky-true-browser

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4b4ff30569

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

}),
storedSchemasEnabled: true,
storedSchemasProps: {},
unsafeFakerExpressions: true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Default risky Faker setting to off

In the production app mount this starts the new allow risky faker control enabled, so browser generation opts into expression-style helper callbacks before the user has explicitly trusted the schema. That contradicts the newly added docs for REST/MCP/CLI/Web UI that describe risky helpers as opt-in for trusted schemas, and it changes the app surface from safe-by-default to executing callback-shaped schema text by default. Initialize this to false and require the user to enable it from the cog.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented in the follow-up commits.

The browser default now matches the API/CLI/MCP behavior: unsafe faker is false unless the user explicitly enables it in Test Data Settings. The old true fallback is gone from the app/controller path, and the current PR head uses the unsafeFakerExpressions naming with the default off.

Nothing is intentionally left unimplemented for this thread.

schemaSource,
fakerInstance: faker,
RandExpClass: RandExp,
unsafeFakerExpressions: getUnsafeFakerExpressions({ validationOptions, schemaState }) === true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Apply risky Faker opt-in before schema validation

This passes the setting only when creating the generation session, but the app reaches this line only after getSchemaState() succeeds; the real schema editor still parses text/semantic validation through shared-schema-editor-controller.js without unsafeFakerExpressions, and those unsafe-faker diagnostics are returned as validation errors. In the Web UI, a user who enables the cog and enters the documented helpers.mustache("Hello {{name}}", { name: () => "Ada" }) path is rejected during schema validation before this opt-in is used. Thread the setting into text sync/semantic validation or stop treating that diagnostic as blocking when enabled.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented in the follow-up commits.

The unsafe faker setting is now applied before blocking schema validation. It is threaded through the schema parse/semantic validation path and the generation session path, so callback-style helpers such as the documented mustache/multiple variants are allowed only when the UI setting is enabled. Regression coverage was added around the shared schema validation and population/generation behavior.

Nothing is intentionally left unimplemented for this thread.

@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Copy link
Copy Markdown

Greptile Summary

This PR introduces an opt-in "allow unsafe faker expressions" toggle for browser-based data generation, exposing a generation-settings cog in the population toolbar and panel. The same opt-in is threaded consistently through the REST API, MCP contract, CLI, schema validation, and the schema editing session — all defaulting to false.

  • UI layer: PopulationActionsView gains a settings cog that opens/closes a popover dialog containing the checkbox, with outside-click dismissal and proper aria-expanded and hidden management; unsafeFakerExpressionsVisible guards whether the UI is shown at all.
  • Schema validation: validateSchemaRows now filters unsafe_faker_rule errors when the opt-in is active, and schema-error-text appends a UI hint pointing users to the settings panel when the opt-in is off.
  • Propagation chain: getUnsafeFakerExpressions is injected end-to-end from the toolbar through createTestDataGenerationService, createUiGenerationSessionService, and createSchemaEditingSession, so both live validation and generation always read the current checkbox state.

Confidence Score: 5/5

Safe to merge; the opt-in defaults to false across every entry point and the propagation chain is well-tested.

The unsafe-faker flag is gated by === true everywhere it is initialized or read, so it is off by default for all surfaces. The MCP contract correctly inverts safeFakerRules when the opt-in is set. Schema validation, session creation, and the generator constructor all receive the flag through explicit injection rather than global state. Test coverage spans the full lifecycle — checkbox interaction, session creation, schema validation filtering, and MCP/API contract.

population-actions-view.js — rebuildTemplate() does not reset the generationSettingsOpen controller state; re-enabling unsafeFakerExpressionsVisible after the dialog was open would render it open immediately.

Important Files Changed

Filename Overview
packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js Adds generation-settings panel with open/close, outside-click dismiss, and rebuildTemplate; stale generationSettingsOpen state if visibility is toggled off while dialog is open.
packages/core-ui/js/gui_components/app/population-actions/population-actions-controller.js Adds generationSettingsOpen toggle/close handlers and unsafeFakerExpressions state; defaults all opt-in flags to false via === true guards.
packages/core-ui/js/gui_components/shared/test-data/generation/ui-generation-session-service.js Adds getUnsafeFakerExpressions injection point; called with context args that all current implementations ignore — safe but undocumented API shape.
packages/core-ui/js/gui_components/shared/test-data/schema/schema-editor-core.js Filters unsafe_faker_rule errors from validateSchemaRows when opt-in is true; deduplicated error list correctly filtered.
packages/core/js/mcp/anywaydata-mcp-contract.js Exposes unsafeFakerExpressions in MCP tool schema; correctly maps to safeFakerRules: !unsafeFakerExpressions so both flags stay in sync.
apps/api/src/openapi.js Adds or improves unsafeFakerExpressions description across all four generate/amend operation schemas; no logic changes.
packages/core-ui/js/gui_components/shared/test-data/schema/schema-row-validation.js Threads unsafeFakerExpressions into semantic validation and appends UI hint to unsafe_faker_rule messages.
packages/core-ui/js/gui_components/app/test-data-grid/controller/test-data-grid-controller.js Adds getUnsafeFakerExpressions accessor on the generation panel manager, wired to the data population panel; defaults to false.

Reviews (4): Last reviewed commit: "Improve unsafe faker UI guidance" | Re-trigger Greptile

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/core/js/mcp/anywaydata-mcp-contract.js (1)

357-376: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Preserve the actual validation mode in unsafe_faker_rule errors.

Opting into unsafeFakerExpressions makes createGenerationSession run with safeFakerRules: false, but the later error remap still hard-codes { mode: 'safe' }. That now returns the wrong MCP error details for forbidden-rule failures in non-safe mode. Please forward the session/result diagnostics mode instead of always reporting "safe".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/js/mcp/anywaydata-mcp-contract.js` around lines 357 - 376, The
validation error remap in the MCP contract is hard-coding the diagnostics mode
to safe even when unsafeFakerExpressions is enabled. Update the result handling
around createGenerationSession and the unsafe_faker_rule error mapping in
anywaydata-mcp-contract.js so it forwards the actual session/result diagnostics
mode instead of always using safe, ensuring forbidden-rule failures report the
correct mode.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs-src/docs/040-test-data/faker/010-helpers.md`:
- Around line 45-64: The safe/risky guidance in the helpers docs needs to match
the later `helpers.uniqueArray` example. Update the `Risky Helper Variants`
section and the later `helpers.uniqueArray` example so they agree: either
rewrite the example to use the literal-array safe form, or explicitly mark it as
requiring the risky opt-in. Make sure the wording around `helpers.uniqueArray`
is consistent with the rest of the table and the trust-based guidance.

In `@docs-src/docs/070-interfaces-and-deployment/030-rest-api.md`:
- Line 157: The REST docs note for unsafe faker helpers only mentions
/v1/generate and /v1/generate/fromschema, but it now needs to include
/v1/generate/amend as well. Update the prose in the REST API documentation near
the unsafeFakerExpressions guidance to mention that the same opt-in can be
passed in the JSON body for the amend endpoint, matching the contract exposed by
apps/api/src/openapi.js and keeping the guidance aligned with the published REST
surface.

In
`@packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js`:
- Around line 49-52: `unsafeFakerExpressionsVisible` is only reflected during
the initial template render, so later state changes do not add or remove the
cog/dialog. Update `createPopulationActionsComponent.update()` to re-render the
parts controlled by `renderGenerationSettings()` when
`state.unsafeFakerExpressionsVisible` changes, using the existing
`view`/`PopulationActionsView` methods so the generation-settings UI stays in
sync after mount.

In
`@packages/core-ui/js/gui_components/app/test-data-grid/controller/test-data-grid-controller.js`:
- Line 190: Browser generation is still defaulting to risky Faker processing,
which keeps the UI in the wrong mode. Update the test-data-grid controller’s
getUnsafeFakerExpressions fallback so it does not return true when panel state
is unavailable, and change the dataPopulationPanel initialization that currently
seeds unsafeFakerExpressions to true so browser flows start disabled until the
user explicitly enables it. Keep the behavior aligned between
getUnsafeFakerExpressions and the panel setup in test-data-grid-controller.

In
`@packages/core-ui/js/gui_components/app/test-data-grid/generation/test-data-generation-service.js`:
- Line 65: The browser grid flow is still enabling unsafe faker helpers by
default via TestDataGenerationService.getUnsafeFakerExpressions and propagating
that into generatorOptions/session engine. Change the default to
opt-in/disabled-by-default in the service, and make sure the controller’s
fallback in TestDataGridController does not re-enable it with ?? true so the
browser grid path only turns this on when explicitly requested.

In
`@packages/core-ui/js/gui_components/app/test-data-population-toolbar/test-data-population-toolbar-controller.js`:
- Line 13: The browser risky Faker flag is currently enabled by default when the
prop is omitted, which conflicts with the intended default-off behavior. Update
the default initialization in test-data-population-toolbar-controller and the
matching default in population-actions-controller so unsafeFakerExpressions only
becomes true when the prop is explicitly true, then adjust the new toolbar test
expectation to assert the default remains disabled.

In
`@packages/core-ui/js/gui_components/generator/generation/generator-schema-generation-service.js`:
- Line 26: The generator page service is defaulting getUnsafeFakerExpressions to
true, which makes unsafe helpers opt-out instead of opt-in. Update
generator-schema-generation-service so the default for getUnsafeFakerExpressions
is false in the relevant defaults used by generator configuration and
session-backed generation, and ensure any fallback/constructor wiring in the
generator service path preserves that false default unless a caller explicitly
overrides it.

In
`@packages/core-ui/js/gui_components/shared/test-data/generation/ui-generation-session-service.js`:
- Line 137: The shared session helper is defaulting unsafe faker expressions on,
which breaks the intended opt-in behavior. Update
createUiGenerationSessionService and the default getUnsafeFakerExpressions
fallback in ui-generation-session-service so the service starts in safe mode
unless a caller explicitly injects an unsafe-allowing implementation. Keep the
existing symbol names consistent and ensure any consumers relying on the default
path no longer enable risky helpers implicitly.

---

Outside diff comments:
In `@packages/core/js/mcp/anywaydata-mcp-contract.js`:
- Around line 357-376: The validation error remap in the MCP contract is
hard-coding the diagnostics mode to safe even when unsafeFakerExpressions is
enabled. Update the result handling around createGenerationSession and the
unsafe_faker_rule error mapping in anywaydata-mcp-contract.js so it forwards the
actual session/result diagnostics mode instead of always using safe, ensuring
forbidden-rule failures report the correct mode.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 57c09e4c-49b0-4752-a84a-362d5be8e48e

📥 Commits

Reviewing files that changed from the base of the PR and between 7b6a120 and 4b4ff30.

📒 Files selected for processing (32)
  • .gitignore
  • apps/api/src/openapi.js
  • apps/mcp/src/mcp.test.js
  • apps/web/src/stories/population-actions.stories.js
  • apps/web/src/stories/test-data-embedded-panel.stories.js
  • apps/web/src/stories/test-data-population-toolbar.stories.js
  • apps/web/styles.css
  • docs-src/docs/040-test-data/faker/010-helpers.md
  • docs-src/docs/070-interfaces-and-deployment/030-rest-api.md
  • docs-src/docs/070-interfaces-and-deployment/040-mcp.md
  • docs-src/docs/070-interfaces-and-deployment/050-cli-node-and-bun.md
  • packages/core-ui/js/gui_components/app/data-population-panel/data-population-panel-controller.js
  • packages/core-ui/js/gui_components/app/data-population-panel/data-population-panel-view.js
  • packages/core-ui/js/gui_components/app/data-population-panel/index.js
  • packages/core-ui/js/gui_components/app/population-actions/index.js
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-controller.js
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js
  • packages/core-ui/js/gui_components/app/test-data-grid/controller/test-data-grid-controller.js
  • packages/core-ui/js/gui_components/app/test-data-grid/generation/test-data-generation-service.js
  • packages/core-ui/js/gui_components/app/test-data-population-toolbar/index.js
  • packages/core-ui/js/gui_components/app/test-data-population-toolbar/test-data-population-toolbar-controller.js
  • packages/core-ui/js/gui_components/app/test-data-population-toolbar/test-data-population-toolbar-view.js
  • packages/core-ui/js/gui_components/generator/generation/generator-schema-generation-service.js
  • packages/core-ui/js/gui_components/shared/test-data/generation/generation-controller.js
  • packages/core-ui/js/gui_components/shared/test-data/generation/ui-generation-session-service.js
  • packages/core-ui/src/tests/app/data-population-panel.test.js
  • packages/core-ui/src/tests/app/population-actions.test.js
  • packages/core-ui/src/tests/app/test-data-population-toolbar.test.js
  • packages/core-ui/src/tests/grid/generation/test-data-generation-service.test.js
  • packages/core-ui/src/tests/shared/ui-generation-session-service.test.js
  • packages/core/js/mcp/anywaydata-mcp-contract.js
  • packages/core/src/tests/mcp/anywaydata-mcp-contract.test.js

Comment thread docs-src/docs/040-test-data/faker/010-helpers.md Outdated
Comment thread docs-src/docs/070-interfaces-and-deployment/030-rest-api.md Outdated
@eviltester eviltester changed the title Add risky faker browser setting Add unsafe faker browser setting Jun 30, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js (1)

66-72: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Add keyboard dismissal/focus handling for the settings dialog.

The popover uses role="dialog" but is only dismissable via the close button or an outside click; there is no Escape handler and focus is not moved into the dialog on open. Keyboard/screen-reader users get a dialog role without the expected interaction contract. Consider adding an Escape keydown handler that calls closeGenerationSettings() and moving focus to the dialog (or first control) when it opens.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js`
around lines 66 - 72, The generation settings popover in
population-actions-view.js has a dialog role but lacks keyboard dismissal and
focus management. Update the dialog behavior around the generation settings
markup and the closeGenerationSettings/open flow to add an Escape keydown
handler that closes the dialog, and move focus into the dialog or its first
interactive control when generationSettingsOpen becomes true. Use the existing
closeGenerationSettings() and the dialog element identified by
data-role="generation-settings-dialog" so the interaction matches the dialog
semantics.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js`:
- Around line 66-72: The generation settings popover in
population-actions-view.js has a dialog role but lacks keyboard dismissal and
focus management. Update the dialog behavior around the generation settings
markup and the closeGenerationSettings/open flow to add an Escape keydown
handler that closes the dialog, and move focus into the dialog or its first
interactive control when generationSettingsOpen becomes true. Use the existing
closeGenerationSettings() and the dialog element identified by
data-role="generation-settings-dialog" so the interaction matches the dialog
semantics.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c5b626d4-7bf6-4df0-94b1-6c3c8daef88f

📥 Commits

Reviewing files that changed from the base of the PR and between 4b4ff30 and a8521a7.

📒 Files selected for processing (31)
  • apps/web/src/stories/population-actions.stories.js
  • apps/web/src/stories/test-data-embedded-panel.stories.js
  • apps/web/src/stories/test-data-population-toolbar.stories.js
  • docs-src/docs/040-test-data/faker/010-helpers.md
  • docs-src/docs/070-interfaces-and-deployment/030-rest-api.md
  • docs-src/docs/070-interfaces-and-deployment/040-mcp.md
  • docs-src/docs/070-interfaces-and-deployment/050-cli-node-and-bun.md
  • packages/core-ui/js/gui_components/app/data-population-panel/data-population-panel-controller.js
  • packages/core-ui/js/gui_components/app/data-population-panel/data-population-panel-view.js
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-controller.js
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-view.js
  • packages/core-ui/js/gui_components/app/test-data-grid/controller/test-data-grid-controller.js
  • packages/core-ui/js/gui_components/app/test-data-grid/generation/test-data-generation-service.js
  • packages/core-ui/js/gui_components/app/test-data-population-toolbar/test-data-population-toolbar-controller.js
  • packages/core-ui/js/gui_components/generator/generation/generator-schema-generation-service.js
  • packages/core-ui/js/gui_components/generator/runtime/create-generator-page-defaults.js
  • packages/core-ui/js/gui_components/generator/runtime/generator-schema-rule-helpers.js
  • packages/core-ui/js/gui_components/shared/schema-definition/shared-schema-definition-controller.js
  • packages/core-ui/js/gui_components/shared/test-data/generation/ui-generation-session-service.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/schema-controller.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/schema-editor-core.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/schema-row-validation.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/schema-runtime.js
  • packages/core-ui/js/gui_components/shared/test-data/schema/shared-schema-editor-controller.js
  • packages/core-ui/src/tests/app/data-population-panel.test.js
  • packages/core-ui/src/tests/app/population-actions.test.js
  • packages/core-ui/src/tests/app/test-data-population-toolbar.test.js
  • packages/core-ui/src/tests/shared/schema-controller.test.js
  • packages/core-ui/src/tests/shared/schema-editor-core.test.js
  • packages/core-ui/src/tests/shared/schema-row-validation.test.js
  • packages/core-ui/src/tests/shared/ui-generation-session-service.test.js
✅ Files skipped from review due to trivial changes (4)
  • packages/core-ui/src/tests/shared/schema-editor-core.test.js
  • docs-src/docs/070-interfaces-and-deployment/040-mcp.md
  • docs-src/docs/070-interfaces-and-deployment/050-cli-node-and-bun.md
  • docs-src/docs/070-interfaces-and-deployment/030-rest-api.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • packages/core-ui/js/gui_components/generator/generation/generator-schema-generation-service.js
  • docs-src/docs/040-test-data/faker/010-helpers.md
  • packages/core-ui/js/gui_components/app/population-actions/population-actions-controller.js
  • packages/core-ui/js/gui_components/app/data-population-panel/data-population-panel-view.js

@eviltester

Copy link
Copy Markdown
Owner Author

Implementation status for the PR review comments and follow-up testing:

Implemented:

  • Browser default is now safe by default: unsafeFakerExpressions is false unless enabled from the Test Data Settings cog, matching API/CLI/MCP behavior.
  • The unsafe faker opt-in is applied before schema validation, not only during generation, so allowed unsafe helper expressions work when the UI setting is enabled.
  • The generation settings cog/dialog rendering was improved and the visibility state is handled after mount.
  • Helper docs now use "unsafe" terminology, show safe literal helper variants separately from unsafe callback variants, and call out the UI flag plus CLI/MCP/API options.
  • REST docs now include the amend endpoint alongside the other generation endpoints for unsafeFakerExpressions.
  • UI validation errors now add: Configure in Test Data Settings 'allow unsafe faker'.
  • The allow unsafe faker tippy now builds the docs link through the shared docs URL helper, so the test environment links under /site/docs/... correctly.
  • The branch was republished to the test environment at PR head 4fb4356c409f36cea39073bf06bd75ecbd1a5e21.

Not implemented:

  • I did not change the core API/CLI validation error text to mention the browser UI setting; the Test Data Settings hint is browser UI presentation only.
  • I did not resolve review threads from this comment pass; I only replied with status as requested.

Verification already run for the current PR head: focused Jest coverage, pnpm run verify:ui, pnpm run verify:local, and the push verification path.

@eviltester eviltester merged commit 9585b1f into master Jun 30, 2026
18 checks passed
@eviltester eviltester deleted the 245-risky-true-browser branch June 30, 2026 12:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

configurable risky faker helper processing in browser

2 participants