…g to core (#2121)

* feat: add responsive widths endpoint for multi-DOM capture

- Add GET /percy/widths-config endpoint to compute responsive widths
- Implement computeResponsiveWidths() in core utils for width/height calculation
- Add getResponsiveWidths() SDK method to fetch computed widths
- Mobile device widths include height, other widths are height-agnostic
- Returns widths sorted in ascending order

* adding unit tests

* fixing test coverage

* fixing test coverage

* feat: add CORS iframe processing support for domSnapshots

- Add processCorsIframes and processCorsIframesInDomSnapshot utilities in utils.js
- Add appendUrlSearchParam utility for adding query parameters to URLs
- Integrate CORS iframe processing in snapshot method before validation
- Process iframe resources and update HTML src attributes with width-aware URLs
- Support both single domSnapshot object and array of domSnapshots

* adding tests for cors iframes functionality

* moving creatating of iframe resource object logic to CLI from sdk, since its common

* fixing test

* adding nosemgrep comment for the regex error

* Fix regex injection via unescaped percyElementId in processCorsIframesInDomSnapshot (#2124)

* Initial plan

* fix: escape percyElementId before using in RegExp to prevent regex injection

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

* Guard getResponsiveWidths return type with Array.isArray (#2126)

* Initial plan

* Use Array.isArray check in getResponsiveWidths to ensure stable array return type

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

* Validate required fields in corsIframes entries to avoid throwing on malformed input (#2125)

* Initial plan

* Add validation for malformed corsIframes entries in processCorsIframesInDomSnapshot

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

* adding validation for widths as well

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>
Co-authored-by: bhokaremoin <bhokaremoin@gmail.com>

* adding no semgrep

* fix: prioritize user-passed widths over mobile widths in computeResponsiveWidths

* fixing test

* adding cors iframe in config so it can become part of domSnapshot

* fixing test with the config change

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>

* fixing test coverage for serialize iframes

* fixing lint

* added uri check

* added test case

* coverage fix

* added warning

* comment fix

* added test case

* added test case for catch block

* comment fix

* Add regression tests for various web features

- Create HTML pages for testing canvas rendering, CORS iframes, CORS resources, CSSOM, fonts, images, iframes, and shadow DOM.
- Implement a regression test runner using Node.js to start servers and capture snapshots with Percy.
- Add support for handling redirects and serving static assets with appropriate MIME types.
- Include tests for JavaScript-enabled rendering and responsive layouts.
- Define snapshot configurations in a YAML file for easy management of test cases.

* feat: Enhance regression workflow permissions and improve CORS resource handling

* feat: Update regression workflow and improve custom element definitions

* docs: Remove hardcoding warning for PERCY_TOKEN from README

* refactor: update regression test setup to use npx percy and streamline dependencies

* fix: add verbose flag to percy snapshot command for detailed output

* fix: add server.js to .semgrepignore and update path traversal audit comment

* docs: Remove note about issue_comment trigger dependency on default branch

* refactor: simplify regression workflow by removing issue_comment triggers and related steps

* feat: add regression workflow to test.yml with updated steps and dependencies

* initial commit

* more changes

* cleaning up few things

* more changes

* Adding specs

* semgrep ignore

* yarn lock with node 14

* adding coverage

* Adding coverage

* adding coverage

* adding coverage

* Removing function injection + more coverage

* More coverage + refactoring

* final coverage

* package version update

* windows test fix

* covering macos cases

* coverage

* coverage

* coverage

* coverage

* coverage

* fixing flay specs

* Removing ssl.js as it is removed

* CodeQL/ semgrep

* semgrep

* Resolving comments from AI researcher

* semgrep resolve

* semgrep ci

* version bump

* updating percy-doctor version

---------

Co-authored-by: rishigupta1599 <rishi@browserstack.com>

* fix: correct fallback value in osVersionRollUp method

* fix: enhance osVersionRollUp to return normalized fallback values for unmapped versions

* fix: add comments to clarify output examples in osVersionRollUp method

* test fix

…ck mode, auto-doctor (#2153)

* feat(doctor): add auth, config, and CI checks with inter-check context

Add three new diagnostic checks to percy-doctor:
- Token auth check (PERCY-DR-001 through -006): validates presence,
  format, prefix-based project type detection, and API authentication
- Config validation (PERCY-DR-100 through -106): detects config file,
  validates version, warns on project-type config mismatches
- CI environment (PERCY-DR-200 through -209): detects CI system,
  validates commit SHA, branch, parallel config, and git availability

Also adds:
- Inter-check context (ctx) with bestProxy getter for downstream checks
- Report version field and summary banner rendering
- Headers support in HttpProber for auth API calls
- Comprehensive Jasmine test coverage for all new checks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(doctor): add env audit, quick mode, and build failure auto-doctor

Phase 6: Environment variable audit check (PERCY-DR-300 through -305)
- Lists set Percy vars, validates PERCY_PARALLEL_TOTAL format
- Detects manual overrides (PERCY_COMMIT/BRANCH/PULL_REQUEST)
- Warns on NODE_TLS_REJECT_UNAUTHORIZED=0
- Never exposes env var VALUES in findings (security)

Phase 7: --quick mode flag
- Runs only connectivity + SSL + token auth (~4s)
- Skips config, CI, env audit, proxy, PAC, and browser checks
- Skips token auth with PERCY-DR-007 when connectivity fails

Phase 9: Orchestration updates
- Wired env audit into Phase 1 parallel allSettled
- Updated runDiagnostics() programmatic API with mode parameter
- Added env-audit.js export to package.json

Phase 10: Build failure auto-doctor integration
- Added runDoctorOnFailure() to snapshot.js (packages/core)
- Triggers from all 3 failure branches in createSnapshotsQueue
- Guarded by PERCY_AUTO_DOCTOR env var
- Dynamic import with graceful fallback when doctor not installed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(doctor): QA cycle fixes — security hardening, test coverage, validation alignment

Two QA cycles with functional + security agents found and resolved:

Security fixes:
- Sanitize HTTP error messages in auth.js to prevent token leakage (defense-in-depth)
- Remove PERCY_PARALLEL_NONCE value from ci.js findings (was leaking env var values)
- Add 300s upper bound on --timeout to prevent DoS via indefinite hangs
- Align timeout validation (Number.isInteger) between doctor.js and runDiagnostics()

Bug fixes:
- Fix config.js project type for ss_/vmw_/res_ tokens (was showing "web" for all)
- Fix DR-106 web-only key check to cover all non-web token types (was only auto/app)
- Fix DR-103 to show actual version number instead of hardcoding "version 1"
- Fix PERCY_PARALLEL_TOTAL validation to reject floats like "4.5"
- Fix ci.js git check to use stdio:'pipe' instead of shell redirect (Windows compat)

Test coverage:
- Wire auth test mock server via apiBaseUrl DI param (DR-003/004/005/006 now deterministic)
- Add tests for DR-209 (git unavailable), DR-106 with ss_ token, config version 0
- Add tests for float PERCY_PARALLEL_TOTAL, auth 401/403/200/500/unreachable
- Add config tests for ss_/vmw_/res_ token prefix type labels

510 specs pass (1 pre-existing connectivity flake).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs(doctor): update README with new checks, quick mode, and auto-doctor

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(doctor): address code review findings — security, dedup, dead code

- Strengthen sanitizeError() to also strip raw PERCY_TOKEN value from
  error messages (defense-in-depth, not just Authorization header format)
- Extract KNOWN_PREFIXES to shared constants.js (was duplicated in
  auth.js and config.js)
- Remove unused `isApp` variable in config.js
- Change cross-package import in snapshot.js from deep path
  (@percy/cli-doctor/src/utils/helpers.js) to package root
- Add cross-reference comments between doctor.js and runDiagnostics()
  orchestration paths
- Add targeted test for raw token sanitization in error messages

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Adding Coverage + Refactoring

* Adding coverage for core

* removing fdescribe

* Resolving comments

* Committing package.json

* spec fix

* resolving comment

* Removing DR codes with categories + README update

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: rishigupta1599 <rishi@browserstack.com>

* 🔖 Release 1.31.10

* updating tag