edufeed-org
diff --git a/‎docker-compose.yml‎
Lines changed: 9 additions & 6 deletions b/‎docker-compose.yml‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎packages/oer-adapter-arasaac/src/arasaac.adapter.spec.ts‎
Lines changed: 11 additions & 0 deletions b/‎packages/oer-adapter-arasaac/src/arasaac.adapter.spec.ts‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎packages/oer-adapter-arasaac/src/arasaac.adapter.ts‎
Lines changed: 5 additions & 1 deletion b/‎packages/oer-adapter-arasaac/src/arasaac.adapter.ts‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎packages/oer-adapter-nostr-amb-relay/src/nostr-amb-relay.adapter.ts‎
Lines changed: 6 additions & 1 deletion b/‎packages/oer-adapter-nostr-amb-relay/src/nostr-amb-relay.adapter.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎packages/oer-adapter-nostr-amb-relay/test/nostr-amb-relay.adapter.spec.ts‎
Lines changed: 44 additions & 0 deletions b/‎packages/oer-adapter-nostr-amb-relay/test/nostr-amb-relay.adapter.spec.ts‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎packages/oer-finder-plugin/package.json‎
Lines changed: 1 addition & 1 deletion b/‎packages/oer-finder-plugin/package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/oer-finder-plugin/src/oer-search/OerSearch.spec.ts‎
Lines changed: 188 additions & 7 deletions b/‎packages/oer-finder-plugin/src/oer-search/OerSearch.spec.ts‎
Lines changed: 188 additions & 7 deletions
@@ -14,9 +14,12 @@ services:
       NOSTR_AMB_RELAY_URL: ${NOSTR_AMB_RELAY_URL:-ws://amb-relay:3334}
       ENABLED_ADAPTERS: ${ENABLED_ADAPTERS:-nostr-amb-relay}
       RPI_VIRTUELL_API_URL: ${RPI_VIRTUELL_API_URL:-}
-      IMGPROXY_BASE_URL: ${IMGPROXY_BASE_URL}
-      IMGPROXY_KEY: ${IMGPROXY_KEY:-}
-      IMGPROXY_SALT: ${IMGPROXY_SALT:-}
+      ASSET_SIGNING_KEY: ${ASSET_SIGNING_KEY}
+      ASSET_SIGNING_TTL_SECONDS: ${ASSET_SIGNING_TTL_SECONDS:-3600}
+      THROTTLE_LIMIT: ${THROTTLE_LIMIT:-60}
+      # IMGPROXY_BASE_URL: ${IMGPROXY_BASE_URL}
+      # IMGPROXY_KEY: ${IMGPROXY_KEY:-}
+      # IMGPROXY_SALT: ${IMGPROXY_SALT:-}
     ports:
       - "3000:3000"
       - "5173:5173"
@@ -34,8 +37,8 @@ services:
       - typesense_data:/data
     environment:
       TYPESENSE_DATA_DIR: /data
-      # IMPORTANT: Change TS_APIKEY for production deployments
-      TYPESENSE_API_KEY: ${TS_APIKEY:-xyz}
+      # WARNING: Default key is for local development only. Set TS_APIKEY for any shared/production deployment.
+      TYPESENSE_API_KEY: ${TS_APIKEY:-development-only-key-change-me}
     restart: unless-stopped
 
   amb-relay:
@@ -52,7 +55,7 @@ services:
       PUBKEY: ${AMB_RELAY_PUBKEY:-}
       DESCRIPTION: ${AMB_RELAY_DESCRIPTION:-Local AMB Relay}
       ICON: ${AMB_RELAY_ICON:-}
-      TS_APIKEY: ${TS_APIKEY:-xyz}
+      TS_APIKEY: ${TS_APIKEY:-development-only-key-change-me}
       TS_HOST: http://typesense:8108
       TS_COLLECTION: ${TS_COLLECTION:-amb_events}
     restart: unless-stopped
 
@@ -120,6 +120,17 @@ describe('ArasaacAdapter', () => {
     expect(result.items.map((item) => item.id)).toEqual(['arasaac-2', 'arasaac-3']);
   });
 
+  it('caps parsed results at 2000 items', async () => {
+    const pictograms = Array.from({ length: 2500 }, (_, i) =>
+      makePictogram(i),
+    );
+    vi.stubGlobal('fetch', mockFetchResponse(pictograms));
+
+    const result = await adapter.search(makeQuery({ page: 1, pageSize: 10 }));
+
+    expect(result.total).toBe(2000);
+  });
+
   it('passes AbortSignal to fetch', async () => {
     const mockFetch = mockFetchResponse([makePictogram(1)]);
     vi.stubGlobal('fetch', mockFetch);
 
@@ -22,6 +22,9 @@ const IMAGE_BASE_URL = 'https://static.arasaac.org/pictograms';
 /** Default language for searches when not specified in query */
 const DEFAULT_LANGUAGE = 'en';
 
+/** Maximum number of items to parse from API response to prevent memory exhaustion */
+const MAX_RESULTS = 2000;
+
 /**
  * ARASAAC adapter for searching AAC pictograms.
  *
@@ -75,7 +78,8 @@ export class ArasaacAdapter implements SourceAdapter {
     }
 
     const rawData: unknown = await response.json();
-    const pictograms = parseArasaacSearchResponse(rawData);
+    const allPictograms = parseArasaacSearchResponse(rawData);
+    const pictograms = allPictograms.slice(0, MAX_RESULTS);
 
     // Apply pagination to the results
     const total = pictograms.length;
 
@@ -26,6 +26,9 @@ const DEFAULT_TIMEOUT_MS = 10000;
 /** Maximum number of relay URLs allowed to prevent resource exhaustion */
 const MAX_RELAY_COUNT = 10;
 
+/** Maximum number of events to collect per relay to prevent memory exhaustion */
+const MAX_EVENTS = 500;
+
 /** @see https://w3id.org/kim/hcrt/scheme */
 const HCRT = {
   IMAGE: 'https://w3id.org/kim/hcrt/image',
@@ -270,7 +273,9 @@ export class NostrAmbRelayAdapter implements SourceAdapter {
 
       sub = relay.subscribe([filter], {
         onevent: (event: Event) => {
-          events.push(event);
+          if (events.length < MAX_EVENTS) {
+            events.push(event);
+          }
         },
         oneose: () => {
           clearTimeout(timeoutId);
 
@@ -230,6 +230,50 @@ describe('NostrAmbRelayAdapter keyword sanitization', () => {
   });
 });
 
+describe('NostrAmbRelayAdapter event collection cap', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should cap collected events at 500 per relay', async () => {
+    const eventCount = 600;
+    const events = Array.from({ length: eventCount }, (_, i) =>
+      makeEvent(`event-${i}`),
+    );
+
+    const mockRelay = {
+      subscribe: jest.fn(
+        (
+          _filters: unknown[],
+          params: {
+            onevent?: (e: unknown) => void;
+            oneose?: () => void;
+          },
+        ) => {
+          queueMicrotask(() => {
+            for (const event of events) {
+              params.onevent?.(event);
+            }
+            params.oneose?.();
+          });
+          return { close: jest.fn() };
+        },
+      ),
+      close: jest.fn(),
+    };
+
+    (Relay.connect as jest.Mock).mockResolvedValue(mockRelay);
+
+    const adapter = createAdapter([RELAY_URL]);
+    const result = await adapter.search({
+      ...baseQuery,
+      pageSize: 20,
+    });
+
+    expect(result.total).toBe(500);
+  });
+});
+
 describe('NostrAmbRelayAdapter constructor validation', () => {
   it('should throw when relayUrls is empty', () => {
     expect(() => createAdapter([])).toThrow(
 
@@ -1,6 +1,6 @@
 {
   "name": "@edufeed-org/oer-finder-plugin",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "Web Components plugin for OER Proxy",
   "author": "B310 Digital GmbH",
   "license": "MIT",
 
@@ -28,8 +28,12 @@ function createOerItem(name: string): OerItem {
   };
 }
 
-function createSearchResult(items: OerItem[], page: number, total: number): SearchResult {
-  const pageSize = 20;
+function createSearchResult(
+  items: OerItem[],
+  page: number,
+  total: number,
+  pageSize = 20,
+): SearchResult {
   return {
     data: items,
     meta: {
@@ -41,6 +45,10 @@ function createSearchResult(items: OerItem[], page: number, total: number): Sear
   };
 }
 
+function createOerItems(prefix: string, count: number): OerItem[] {
+  return Array.from({ length: count }, (_, i) => createOerItem(`${prefix}-${i + 1}`));
+}
+
 function createMockClient(
   searchFn?: (params: SearchParams) => Promise<SearchResult>,
   availableSources?: { id: string; label: string; checked?: boolean }[],
@@ -144,6 +152,81 @@ describe('OerSearch', () => {
       expect(loadingFired).toBe(true);
     });
 
+    it('caps multi-source results at pageSize', async () => {
+      const pageSize = 10;
+      const sourceAItems = createOerItems('SourceA', pageSize);
+      const sourceBItems = createOerItems('SourceB', pageSize);
+
+      const mockClient = createMockClient(
+        (params: SearchParams) => {
+          if (params.source === 'source-a') {
+            return Promise.resolve(createSearchResult(sourceAItems, 1, 40, pageSize));
+          }
+          return Promise.resolve(createSearchResult(sourceBItems, 1, 40, pageSize));
+        },
+        [
+          { id: 'source-a', label: 'Source A' },
+          { id: 'source-b', label: 'Source B' },
+        ],
+      );
+
+      createSpy.mockReturnValue(mockClient);
+
+      search = document.createElement('oer-search') as OerSearchElement;
+      search.language = 'en';
+      search.setAttribute('page-size', String(pageSize));
+      document.body.appendChild(search);
+      await new Promise((resolve) => setTimeout(resolve, 0));
+
+      const resultPromise = awaitSearchResult(search);
+      triggerSearch(search, 'test');
+
+      const result = await resultPromise;
+      // 2 sources each return 10 items = 20 total, but should be capped at pageSize (10)
+      expect(result.data).toHaveLength(pageSize);
+    });
+
+    it('interleaves multi-source results in round-robin order within pageSize', async () => {
+      const pageSize = 6;
+      const sourceAItems = createOerItems('A', pageSize);
+      const sourceBItems = createOerItems('B', pageSize);
+
+      const mockClient = createMockClient(
+        (params: SearchParams) => {
+          if (params.source === 'source-a') {
+            return Promise.resolve(createSearchResult(sourceAItems, 1, 40, pageSize));
+          }
+          return Promise.resolve(createSearchResult(sourceBItems, 1, 40, pageSize));
+        },
+        [
+          { id: 'source-a', label: 'Source A' },
+          { id: 'source-b', label: 'Source B' },
+        ],
+      );
+
+      createSpy.mockReturnValue(mockClient);
+
+      search = document.createElement('oer-search') as OerSearchElement;
+      search.language = 'en';
+      search.setAttribute('page-size', String(pageSize));
+      document.body.appendChild(search);
+      await new Promise((resolve) => setTimeout(resolve, 0));
+
+      const resultPromise = awaitSearchResult(search);
+      triggerSearch(search, 'test');
+
+      const result = await resultPromise;
+      // Round-robin: A-1, B-1, A-2, B-2, A-3, B-3
+      expect(result.data.map((d) => d.amb.name)).toEqual([
+        'A-1',
+        'B-1',
+        'A-2',
+        'B-2',
+        'A-3',
+        'B-3',
+      ]);
+    });
+
     it('dispatches search-results with empty data when source fails', async () => {
       const mockClient = createMockClient(() => Promise.reject(new Error('Network failure')));
 
@@ -187,6 +270,95 @@ describe('OerSearch', () => {
       expect(secondResult.data).toEqual([...page1Items, ...page2Items]);
     });
 
+    it('caps multi-source load-more results at pageSize', async () => {
+      const pageSize = 6;
+
+      const mockClient = createMockClient(
+        (params: SearchParams) => {
+          const sourcePrefix = params.source === 'source-a' ? 'A' : 'B';
+          const items = createOerItems(`${sourcePrefix}-p${params.page}`, pageSize);
+          return Promise.resolve(createSearchResult(items, params.page ?? 1, 60, pageSize));
+        },
+        [
+          { id: 'source-a', label: 'Source A' },
+          { id: 'source-b', label: 'Source B' },
+        ],
+      );
+
+      createSpy.mockReturnValue(mockClient);
+
+      search = document.createElement('oer-search') as OerSearchElement;
+      search.language = 'en';
+      search.setAttribute('page-size', String(pageSize));
+      document.body.appendChild(search);
+      await new Promise((resolve) => setTimeout(resolve, 0));
+
+      // Initial search
+      const firstResultPromise = awaitSearchResult(search);
+      triggerSearch(search, 'test');
+      const firstResult = await firstResultPromise;
+
+      // First search should be capped at pageSize
+      expect(firstResult.data).toHaveLength(pageSize);
+
+      // Load more — should drain overflow buffer, no new fetch
+      const secondResultPromise = awaitSearchResult(search);
+      search.dispatchEvent(new CustomEvent('load-more', { bubbles: true, composed: true }));
+      const secondResult = await secondResultPromise;
+
+      // After load-more: pageSize (initial) + pageSize (from buffer) = 12 total
+      expect(secondResult.data).toHaveLength(pageSize * 2);
+    });
+
+    it('drains overflow buffer before fetching new pages', async () => {
+      const pageSize = 6;
+      const searchCalls: SearchParams[] = [];
+
+      const mockClient = createMockClient(
+        (params: SearchParams) => {
+          searchCalls.push({ ...params });
+          const sourcePrefix = params.source === 'source-a' ? 'A' : 'B';
+          const items = createOerItems(`${sourcePrefix}-p${params.page}`, pageSize);
+          return Promise.resolve(createSearchResult(items, params.page ?? 1, 60, pageSize));
+        },
+        [
+          { id: 'source-a', label: 'Source A' },
+          { id: 'source-b', label: 'Source B' },
+        ],
+      );
+
+      createSpy.mockReturnValue(mockClient);
+
+      search = document.createElement('oer-search') as OerSearchElement;
+      search.language = 'en';
+      search.setAttribute('page-size', String(pageSize));
+      document.body.appendChild(search);
+      await new Promise((resolve) => setTimeout(resolve, 0));
+
+      // Initial search: 2 sources × 6 items = 12 fetched, 6 shown, 6 buffered
+      const firstResultPromise = awaitSearchResult(search);
+      triggerSearch(search, 'test');
+      await firstResultPromise;
+
+      // Record call count after initial search
+      const callsAfterSearch = searchCalls.length;
+
+      // First load-more should drain buffer — no new fetch
+      const secondResultPromise = awaitSearchResult(search);
+      search.dispatchEvent(new CustomEvent('load-more', { bubbles: true, composed: true }));
+      await secondResultPromise;
+
+      expect(searchCalls.length).toBe(callsAfterSearch);
+
+      // Second load-more: buffer is empty, should trigger fetch (page 2)
+      const thirdResultPromise = awaitSearchResult(search);
+      search.dispatchEvent(new CustomEvent('load-more', { bubbles: true, composed: true }));
+      await thirdResultPromise;
+
+      const page2Calls = searchCalls.slice(callsAfterSearch);
+      expect(page2Calls.every((c) => c.page === 2)).toBe(true);
+    });
+
     it('sends correct page number to the client on load-more', async () => {
       const searchCalls: SearchParams[] = [];
       const mockClient = createMockClient((params: SearchParams) => {
@@ -737,7 +909,20 @@ describe('OerSearch', () => {
   });
 
   describe('lockedType', () => {
-    it('sends the locked type in search params and hides type dropdown', async () => {
+    it('hides the type dropdown when locked-type is set', async () => {
+      createSpy.mockReturnValue(createMockClient());
+
+      search = document.createElement('oer-search') as OerSearchElement;
+      search.language = 'en';
+      search.setAttribute('locked-type', 'image');
+      document.body.appendChild(search);
+      await new Promise((resolve) => setTimeout(resolve, 0));
+
+      const typeSelect = search.shadowRoot?.querySelector('#type');
+      expect(typeSelect).toBeNull();
+    });
+
+    it('sends the locked type in search params', async () => {
       const capturedParams: SearchParams[] = [];
       const mockClient = createMockClient((params: SearchParams) => {
         capturedParams.push({ ...params });
@@ -752,10 +937,6 @@ describe('OerSearch', () => {
       document.body.appendChild(search);
       await new Promise((resolve) => setTimeout(resolve, 0));
 
-      // Type dropdown should be hidden
-      const typeSelect = search.shadowRoot?.querySelector('#type');
-      expect(typeSelect).toBeNull();
-
       const resultPromise = awaitSearchResult(search);
       triggerSearch(search, 'test');
       await resultPromise;
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@edufeed-org/oer-finder-plugin",`
`3`		`- "version": "0.2.3",`
	`3`	`+ "version": "0.2.4",`
`4`	`4`	`"description": "Web Components plugin for OER Proxy",`
`5`	`5`	`"author": "B310 Digital GmbH",`
`6`	`6`	`"license": "MIT",`