
feat(frontend): add synthetic monitoring, edge caching, and phishing mitigation #646

Open

Vicky08100 wants to merge 1 commit into SoroLabs:main from Vicky08100:feat/synthetic-monitoring-edge-caching-phishing-mitigation

feat(frontend): add synthetic monitoring, edge caching, and phishing mitigation#646
Vicky08100 wants to merge 1 commit into
SoroLabs:mainfrom
Vicky08100:feat/synthetic-monitoring-edge-caching-phishing-mitigation

Conversation

@Vicky08100


Closes #611
Closes #587
Closes #578

PR Description

This PR implements three MVP-critical frontend features for the SoroTask platform. Each is a self-contained TypeScript module in src/lib/, with a full Jest test suite and dedicated documentation file.

Issue #611 - Synthetic Monitoring Script Generator

Added SyntheticMonitoringGenerator in src/lib/synthetic-monitoring.ts. It takes a declarative list of monitoring steps and generates a self-contained, Playwright-compatible TypeScript async function string. The generated function wraps every step in try/catch and returns a typed MonitoringResult ({ success, timestamp, error? }), so automated pipelines get structured output instead of uncaught exceptions.

Supported step types: navigate, click, type, waitForSelector, assertText.

All selector and value arguments are serialised with JSON.stringify before being embedded in the generated script, which prevents string-injection attacks through crafted selector inputs. The navigate step uses waitUntil: 'load' - networkidle was considered but is officially discouraged by Playwright as brittle and slow.

Time complexity is O(N) per generateScript() call where N is the number of steps. The generator fails fast at addStep() time (not at script generation) for invalid actions or empty targets.

Issue #587 - Service Worker Edge Caching Strategy Engine

Added EdgeCachingStrategyEngine in src/lib/edge-caching.ts. It implements the Stale-While-Revalidate caching strategy using the browser Cache API:

  1. On a cache hit - return the stored response immediately, then kick off a background network request to refresh the cache for next time.
  2. On a cache miss - fetch from the network, store the response, serve it.
  3. If the network fails during a miss but a stale copy exists - return the stale copy rather than an error.
  4. If both the network and the cache are unavailable - return a structured 503 JSON response.

Only responses that are status 200, ok, and type basic (same-origin) are written to cache. This deliberately excludes opaque cross-origin responses, which have status 0, inaccessible headers, and can bloat cache storage by ~7MB per entry in some browsers.

Cache entries are evicted oldest-first when the count exceeds maxItems (default 250). The class is instantiated once and wired into the service worker fetch event via handleRequest().

Issue #578 — Phishing Attack Mitigation and URL Validator

Added PhishingMitigator in src/lib/phishing-mitigation.ts. It validates URLs for phishing risk using eleven independent checks, each contributing a numeric score. The score maps to a risk level:

  • 0: safe
  • 1–3: suspicious (valid, but caller should warn the user)
  • ≥ 4: dangerous (invalid, sanitizedUrl is null)

Detection layers:

  • Blocked schemes: javascript:, data:, vbscript:, blob:, file: — immediate score of 10.
  • Insecure HTTP: +3 (skipped when allowHttpInDev is set).
  • IP literal hosts: IPv4 and IPv6 raw addresses instead of domain names — +4.
  • Punycode / IDN: labels starting with xn-- signal possible homograph attacks — +3.
  • Unicode homoglyphs: Cyrillic, Greek, and other lookalike characters in the hostname — +5.
  • Untrusted domain: host not in the trustedDomains allowlist — +2.
  • Suspicious TLDs: .tk, .ml, .ga, .cf, .gq, .xyz, .top, .work, .click — +2.
  • Open redirect query params: redirect, url, next, goto, return, returnurl, continue, destination, forward, redir, redirect_uri — +3.
  • Embedded credentials: user:pass@host in URL authority — +4.
  • Abnormal URL length: over 2048 characters — +1.

The default trusted domain list covers sorotask.app, sorolabs.xyz, stellar.org, freighter.app, stellarchain.io, and the Stellar horizon/testnet hosts.

A defaultMitigator singleton is exported for use anywhere in the app. The class is stateless — no DOM, no network I/O — making every code path deterministic and fully unit-testable.

Change

Source files (new):

  • frontend/src/lib/synthetic-monitoring.ts — SyntheticMonitoringGenerator class; generates Playwright-compatible monitoring scripts from declarative step lists
  • frontend/src/lib/edge-caching.ts — EdgeCachingStrategyEngine class; Stale-While-Revalidate service worker caching with eviction and offline fallback
  • frontend/src/lib/phishing-mitigation.ts — PhishingMitigator class; multi-layer URL threat scoring, allowlist enforcement, and defaultMitigator export

Test files (new):

  • frontend/src/lib/__tests__/synthetic-monitoring.test.ts — 18 tests covering all step types, validation, script output, injection prevention, and instance isolation
  • frontend/src/lib/__tests__/edge-caching.test.ts — 13 tests covering SWR cache hit/miss, offline fallback, stale-cache fallback, eviction, and uninitialised passthrough
  • frontend/src/lib/__tests__/phishing-mitigation.test.ts — 37 tests covering all 11 threat detection layers, isSafe, sanitize, defaultMitigator, and result shape invariants

Documentation files (new):

  • frontend/docs/synthetic-monitoring-script-generator.md
  • frontend/docs/service-worker-edge-caching-strategy.md
  • frontend/docs/phishing-attack-mitigation-url-validator.md

Testing

cd frontend
npx jest --testPathPatterns="synthetic-monitoring|edge-caching|phishing-mitigation" --no-coverage

Result: 68 passed, 0 failed across 3 test suites.
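The generator described under issue #611, as an added example written for this page rather than the PR's own SyntheticMonitoringGenerator: a declarative step list is rendered into a Playwright-style async function, every selector and value passes through JSON.stringify, and each step is wrapped in its own try/catch. The step shape, the `fail` helper inside the generated script, the use of page.fill for the type step, and the recording fake page used to exercise the output are assumptions, not part of the PR.

```typescript
// Added example: a declarative step list rendered into a Playwright-style
// async function, with every argument passed through JSON.stringify so a
// crafted selector stays a string literal instead of becoming code.
// Example code, not the project's SyntheticMonitoringGenerator; the step
// shape and the fake page used below are assumed.

type StepAction = "navigate" | "click" | "type" | "waitForSelector" | "assertText";
const ACTIONS: readonly string[] = ["navigate", "click", "type", "waitForSelector", "assertText"];

interface MonitoringStep { action: StepAction; target: string; value?: string }
interface MonitoringResult { success: boolean; timestamp: string; error?: string }

class MonitoringScriptGenerator {
  private readonly steps: MonitoringStep[] = [];

  // Fail fast here, not at generateScript(): bad actions and empty targets never enter the list.
  addStep(action: string, target: string, value?: string): this {
    if (!ACTIONS.includes(action)) throw new Error(`invalid action: ${action}`);
    if (target.trim() === "") throw new Error("empty target");
    if ((action === "type" || action === "assertText") && value === undefined) {
      throw new Error(`${action} requires a value`);
    }
    this.steps.push({ action: action as StepAction, target, value });
    return this;
  }

  private renderCall(step: MonitoringStep): string {
    const t = JSON.stringify(step.target); // selector/URL becomes a quoted, escaped JS literal
    const v = JSON.stringify(step.value ?? "");
    switch (step.action) {
      case "navigate": return `await page.goto(${t}, { waitUntil: "load" });`;
      case "click": return `await page.click(${t});`;
      case "type": return `await page.fill(${t}, ${v});`;
      case "waitForSelector": return `await page.waitForSelector(${t});`;
      case "assertText":
        return `if (!String(await page.textContent(${t})).includes(${v})) throw new Error("text mismatch at " + ${t});`;
      default: throw new Error("unreachable");
    }
  }

  // O(N) in the number of steps; each step gets its own try/catch so the
  // result names the failing step instead of surfacing an uncaught rejection.
  generateScript(): string {
    const lines = [
      "async function monitor(page) {",
      "  const timestamp = new Date().toISOString();",
      '  const fail = (n, err) => ({ success: false, timestamp, error: "step " + n + " failed: " + String(err) });',
    ];
    this.steps.forEach((s, i) => {
      lines.push(`  try { ${this.renderCall(s)} } catch (err) { return fail(${i + 1}, err); }`);
    });
    lines.push("  return { success: true, timestamp };", "}");
    return lines.join("\n");
  }
}

// Turn the generated source back into a callable so it can be exercised here
// (a real pipeline would write it to a file and run it under Playwright).
function loadScript(script: string): (page: unknown) => Promise<MonitoringResult> {
  return new Function(script + "\nreturn monitor;")() as (page: unknown) => Promise<MonitoringResult>;
}

// Constructed stand-in for a Playwright page: records calls, optionally throws on one selector.
function recordingPage(throwOnSelector?: string) {
  const calls: unknown[][] = [];
  const record = (name: string) => async (...args: unknown[]) => {
    calls.push([name, ...args]);
    if (args[0] === throwOnSelector) throw new Error("element not found");
    return "Welcome to SoroTask";
  };
  return {
    calls,
    page: { goto: record("goto"), click: record("click"), fill: record("fill"),
            waitForSelector: record("waitForSelector"), textContent: record("textContent") },
  };
}

// A selector crafted to break out of the string literal if it were concatenated raw.
const injected = 'a"); await page.goto("https://evil.example"); //';
const script = new MonitoringScriptGenerator()
  .addStep("navigate", "https://sorotask.app/")
  .addStep("click", injected)
  .addStep("assertText", "h1", "SoroTask")
  .generateScript();

const { page, calls } = recordingPage();
loadScript(script)(page).then((result) => {
  console.log(result);                   // { success: true, timestamp: '...' }
  console.log(calls[1][1] === injected); // the crafted selector reached page.click as data: true
});
```

Loading the generated source with new Function here only shows that the crafted selector reaches page.click as a plain string; in a pipeline the text would be written to a file and run under Playwright, where the { success, timestamp, error } object is what the monitor reports. The parse would throw if the serialisation ever let a selector close the literal early, which is the check worth keeping in a test suite.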
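The scoring scheme described under issue #578, as an added example and not the PR's PhishingMitigator: the weights, thresholds, blocked schemes, TLD and redirect-parameter lists, and the allowlisted domains come from the PR text; the two Horizon hostnames, treating a URL the parser rejects as dangerous, exempting allowlisted hosts from the TLD check, and the UrlRiskScorer/defaultScorer names are assumptions.

```typescript
// Added example: a URL risk scorer in the shape described in the PR
// (points per detection layer, mapped to safe / suspicious / dangerous).
// Example code, not the project's PhishingMitigator; weights and lists are
// from the PR text, the allowlist entries for Horizon and the helper names
// are assumed.

type RiskLevel = "safe" | "suspicious" | "dangerous";

interface RiskResult {
  score: number;
  level: RiskLevel;
  sanitizedUrl: string | null; // null when dangerous
  reasons: string[];           // one entry per layer that fired
}

interface ScorerOptions {
  trustedDomains?: string[];
  allowHttpInDev?: boolean;
}

const BLOCKED_SCHEMES = new Set(["javascript", "data", "vbscript", "blob", "file"]);
const SUSPICIOUS_TLDS = new Set(["tk", "ml", "ga", "cf", "gq", "xyz", "top", "work", "click"]);
const REDIRECT_PARAMS = new Set(["redirect", "url", "next", "goto", "return", "returnurl",
  "continue", "destination", "forward", "redir", "redirect_uri"]);
// Assumed allowlist: the hosts named in the PR plus the two public Horizon hosts.
const DEFAULT_TRUSTED = ["sorotask.app", "sorolabs.xyz", "stellar.org", "freighter.app",
  "stellarchain.io", "horizon.stellar.org", "horizon-testnet.stellar.org"];

// Host as the user typed it, before the WHATWG parser turns IDN labels into xn-- form.
function rawHost(input: string): string {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(input.trim());
  if (!m) return "";
  let authority = m[1];
  const at = authority.lastIndexOf("@");
  if (at >= 0) authority = authority.slice(at + 1);      // drop userinfo
  if (authority.startsWith("[")) {                        // bracketed IPv6 literal
    const end = authority.indexOf("]");
    return end >= 0 ? authority.slice(0, end + 1) : authority;
  }
  const colon = authority.indexOf(":");                   // drop port
  return colon >= 0 ? authority.slice(0, colon) : authority;
}

class UrlRiskScorer {
  private readonly trusted: string[];
  private readonly allowHttp: boolean;

  constructor(opts: ScorerOptions = {}) {
    this.trusted = (opts.trustedDomains ?? DEFAULT_TRUSTED).map((d) => d.toLowerCase());
    this.allowHttp = opts.allowHttpInDev ?? false;
  }

  private isTrusted(host: string): boolean {
    return this.trusted.some((d) => host === d || host.endsWith("." + d));
  }

  validate(input: string): RiskResult {
    const reasons: string[] = [];
    let score = 0;
    const add = (points: number, why: string) => { score += points; reasons.push(why); };

    // Scheme is checked on the raw text so a blocked scheme short-circuits before parsing.
    const scheme = /^\s*([a-z][a-z0-9+.-]*):/i.exec(input)?.[1]?.toLowerCase() ?? "";
    if (BLOCKED_SCHEMES.has(scheme)) {
      return { score: 10, level: "dangerous", sanitizedUrl: null, reasons: [`blocked scheme ${scheme}:`] };
    }

    let url: URL;
    try { url = new URL(input); } catch {
      // Assumption: anything the parser rejects is treated as dangerous.
      return { score: 10, level: "dangerous", sanitizedUrl: null, reasons: ["unparsable URL"] };
    }

    const host = url.hostname.toLowerCase();
    const trusted = this.isTrusted(host);

    if (url.protocol === "http:" && !this.allowHttp) add(3, "insecure http");
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) add(4, "IP literal host");
    if (host.split(".").some((l) => l.startsWith("xn--"))) add(3, "punycode label");
    if (/[^\x00-\x7f]/.test(rawHost(input))) add(5, "non-ASCII (possible homoglyph) in hostname");
    if (!trusted) {
      add(2, "host not in allowlist");
      const tld = host.slice(host.lastIndexOf(".") + 1); // TLD check only for untrusted hosts (assumption)
      if (SUSPICIOUS_TLDS.has(tld)) add(2, `suspicious TLD .${tld}`);
    }
    let redirectParam = "";
    url.searchParams.forEach((_, key) => { if (!redirectParam && REDIRECT_PARAMS.has(key.toLowerCase())) redirectParam = key; });
    if (redirectParam) add(3, `open-redirect parameter ${redirectParam}`);
    if (url.username || url.password) add(4, "embedded credentials");
    if (input.length > 2048) add(1, "abnormal length");

    const level: RiskLevel = score === 0 ? "safe" : score <= 3 ? "suspicious" : "dangerous";
    return { score, level, sanitizedUrl: level === "dangerous" ? null : url.href, reasons };
  }

  isSafe(input: string): boolean { return this.validate(input).level === "safe"; }
}

const defaultScorer = new UrlRiskScorer();
```

Two points worth checking against the real module: the WHATWG URL parser converts an IDN host to its xn-- form before url.hostname is available, so a homoglyph layer has to inspect the raw input (rawHost above) or decode the punycode label, otherwise only the +3 punycode layer ever fires on a Cyrillic lookalike; and sorolabs.xyz sits on a TLD the list treats as suspicious, so a scorer that does not exempt allowlisted hosts from that layer would rate the project's own domain suspicious rather than safe.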

@drips-wave

drips-wave Bot commented Jun 27, 2026


@Vicky08100 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@GBOYEE

GBOYEE commented Jun 28, 2026


@GBOYEE has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Implement following existing patterns and conventions. Add tests, ensure CI passes, and document any new API surface.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @GBOYEE to this issue.
