feat(sdk-core): add URI validation for attachment content strings

[Kzoeps]

Summary

• Add isValidUri utility to validate that content URI strings have a proper scheme (http, https, at://, ipfs://, etc.)
• addAttachment now throws ValidationError when content strings are not valid URIs
• Export isValidUri from the public API for consumer reuse

Changes

New: isValidUri utility (src/lib/url-utils.ts)

• Uses native URL constructor for standard schemes (http, https, ftp, data, mailto)
• Falls back to RFC 3986 scheme regex for non-standard schemes (at://, ipfs://)
• Exported from @hypercerts-org/sdk-core public API

Updated: resolveAttachmentContent (src/repository/HypercertOperationsImpl.ts)

• Validates all string content items are valid URIs before resolving
• Throws ValidationError with a clear message for invalid URIs
• Scoped to content resolution only (location values can still be free-form text)

Closes #97

Summary by CodeRabbit

• New Features

  • Added URI validation for attachment content, supporting http/https, at://, ipfs:// and RFC‑compliant schemes.
  • Exposed a public URI validation utility for consumers.

• Behavior Change

  • Adding attachments with invalid URIs now throws a ValidationError to fail fast.

• Tests

  • Added test coverage for valid and invalid URI handling, including non‑http schemes.

[changeset-bot]

🦋 Changeset detected

Latest commit: d10642f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@hypercerts-org/sdk-core	Minor
@hypercerts-org/sdk-react	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Warning

Rate limit exceeded

@Kzoeps has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Adds URI validation for attachment content strings via a new isValidUri utility; resolveAttachmentContent now validates string content and throws ValidationError for invalid URIs. The utility is exported from the public API and covered by unit and integration tests.

Changes

Cohort / File(s)	Summary
URI Validation Utility packages/sdk-core/src/lib/url-utils.ts, packages/sdk-core/src/index.ts	Adds isValidUri(uri: string): boolean and exports it from the package entrypoint. Validation uses native URL parsing for standard schemes and a scheme regex fallback for non-standard schemes (e.g., at://, ipfs://).
Operations Integration packages/sdk-core/src/repository/HypercertOperationsImpl.ts	Adds pre-upload validation in resolveAttachmentContent() that checks string content items with isValidUri and throws ValidationError on invalid URIs (fail-fast).
Tests packages/sdk-core/tests/lib/url-utils.test.ts, packages/sdk-core/tests/repository/HypercertOperationsImpl.test.ts	Adds unit tests for isValidUri (valid: https, http, at://, ipfs://, ftp, data, mailto; invalid: plain text, empty, hostnames, relative paths) and integration tests asserting ValidationError for invalid content and correct handling of valid non-http URIs.
Changeset .changeset/add-content-uri-validation.md	Documents the new URI validation behavior and public export.

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant HypercertOps as HypercertOperationsImpl
  participant Validator as isValidUri
  participant Storage as Uploader

  Caller->>HypercertOps: addAttachment(content)
  HypercertOps->>Validator: isValidUri(stringContent)
  alt valid
    Validator-->>HypercertOps: true
    HypercertOps->>Storage: upload(content)
    Storage-->>HypercertOps: uploadResult
    HypercertOps-->>Caller: success (attachment metadata)
  else invalid
    Validator-->>HypercertOps: false
    HypercertOps-->>Caller: throw ValidationError
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A tiny hop to check each link,
I sniff the scheme before we sync,
If no URI I give a thump,
Fail fast — don’t let uploads dump,
IPFS, at:// — I give them a wink 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title accurately and specifically summarizes the main change: adding URI validation for attachment content strings in the sdk-core package.
Linked Issues check	✅ Passed	The pull request fully implements the requirements from issue #97: validates that attachment content strings are URIs, prevents non-URI inline content, and adds integrity checks during attachment handling via ValidationError.
Out of Scope Changes check	✅ Passed	All changes are directly related to URI validation for attachment content as specified in issue #97; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Kzoeps]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.changeset/add-content-uri-validation.md:
- Around line 1-11: Update the changeset to explicitly call out that adding URI
validation is a breaking behavioral change for pre-1.0 consumers: state that
addAttachment will now throw ValidationError for previously-accepted plain text
content, that isValidUri was added and exported from the public API, and
recommend a minor version bump (not patch) for this 0.x package; include a short
migration note for users and mention compatibility caveats for existing callers
of addAttachment and consumers relying on previous lenient behavior.
- Around line 7-8: Update the changelog sentence that describes the isValidUri
utility to hyphenate “RFC 3986-compliant”; locate the phrase referencing the
utility name isValidUri and change “RFC 3986 compliant scheme” to “RFC
3986-compliant scheme” so the description reads: Add `isValidUri` utility to
validate URI strings have a proper scheme (supports http, https, at://, ipfs://,
and any RFC 3986-compliant scheme).

🧹 Nitpick comments (2)

packages/sdk-core/src/lib/url-utils.ts (1)

1-47: Align URI validation with a Zod schema for runtime validation consistency.

This is runtime validation logic; consider encapsulating it in a Zod schema and using safeParse to back isValidUri, keeping validation patterns consistent across the SDK.

♻️ Suggested refactor

+import { z } from "zod";
+
 /**
  * Regular expression to match a valid URI with a scheme.
  *
@@
 const URI_SCHEME_REGEX = /^[a-zA-Z][a-zA-Z0-9+\-.]*:/;
+
+const UriSchema = z.string().refine((value) => {
+  if (!value) return false;
+  try {
+    new URL(value);
+    return true;
+  } catch {
+    return URI_SCHEME_REGEX.test(value);
+  }
+}, { message: "Invalid URI with scheme" });
@@
 export function isValidUri(uri: string): boolean {
-  if (!uri) return false;
-
-  // First, try the native URL constructor (handles http, https, ftp, data, mailto, etc.)
-  try {
-    new URL(uri);
-    return true;
-  } catch {
-    // URL constructor failed — fall through to scheme regex check
-  }
-
-  // For non-standard schemes (e.g., at://, ipfs://) that URL doesn't support,
-  // validate that the string at least has a valid URI scheme prefix.
-  return URI_SCHEME_REGEX.test(uri);
+  return UriSchema.safeParse(uri).success;
 }

As per coding guidelines: Use Zod schemas for runtime validation.

packages/sdk-core/tests/lib/url-utils.test.ts (1)

1-69: Consider reusing shared fixtures for URI samples (if available).

If tests/utils/fixtures.ts already includes URI samples, referencing them here would align with the shared-fixture convention and reduce duplication.

As per coding guidelines: Use fixtures from tests/utils/fixtures.ts in test files.