Skip to content

feat(content-ai): Stability AI image generation integration [Story 484.1] #796

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
netogarozi-dev wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(content-ai): Stability AI image generation integration [Story 484.1] #796

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2b23cdb
feat(content-ai): add Stability AI image generation package [Story 48…
netogarozi-dev Jun 22, 2026
4bac8d8
fix(content-ai): register ESM override in root ESLint flat config [St…
netogarozi-dev Jun 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ supabase/

# Output directories (generated artifacts)
outputs/
output/

# Test fixtures (generated during tests)
tests/*/__fixtures__/
Expand Down
12 changes: 12 additions & 0 deletions eslint.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,18 @@ module.exports = [
},
},

// content-ai package - ESM (Node 18+)
{
files: ['packages/content-ai/**/*.js'],
languageOptions: {
sourceType: 'module',
globals: {
FormData: 'readonly',
crypto: 'readonly',
},
},
},

// TypeScript files configuration
{
files: ['**/*.ts', '**/*.tsx'],
Expand Down
2 changes: 2 additions & 0 deletions jest.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ module.exports = {
'tests/integration/install-transaction.test.js',
// License tests require network/crypto resources unavailable in CI (pre-existing)
'tests/license/',
// content-ai package uses ESM + node:test runner — run via npm test in the package
'packages/content-ai/',
],

// Coverage collection (Story TD-3: Updated paths)
Expand Down
35 changes: 35 additions & 0 deletions packages/content-ai/bin/generate.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
#!/usr/bin/env node
import { generateImage, ConfigurationError, StabilityApiError, RateLimitError, TimeoutError } from '../stability.js';

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Use an absolute import in the CLI entrypoint.

Line 2 imports ../stability.js via a relative path; this breaks the repo-wide absolute-import rule.

As per coding guidelines, **/*.{js,jsx,ts,tsx}: Use absolute imports instead of relative imports in all code.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/content-ai/bin/generate.js` at line 2, The import statement for
stability.js uses a relative path which violates the repository's absolute
import rule. Replace the relative import path `../stability.js` with the
appropriate absolute import path as configured in your project (typically a
package alias or configured path alias). Keep all the imported symbols
(generateImage, ConfigurationError, StabilityApiError, RateLimitError,
TimeoutError) the same, only changing how the module is referenced from a
relative path to an absolute one.

Source: Coding guidelines


const args = process.argv.slice(2);
let prompt = '';

for (let i = 0; i < args.length; i++) {
if (args[i] === '--prompt' && args[i + 1]) {
prompt = args[i + 1];
break;
}
}

if (!prompt) {
process.stderr.write('Error: --prompt is required\nUsage: node packages/content-ai/bin/generate.js --prompt "your prompt here"\n');
process.exit(1);
}

try {
const result = await generateImage(prompt);
process.stdout.write(JSON.stringify(result, null, 2) + '\n');
} catch (err) {
if (err instanceof ConfigurationError) {
process.stderr.write(`Configuration error: ${err.message}\n`);
} else if (err instanceof RateLimitError) {
process.stderr.write(`Rate limit exceeded: ${err.message}\n`);
} else if (err instanceof StabilityApiError) {
process.stderr.write(`API error (${err.statusCode}): ${err.message}\n`);
} else if (err instanceof TimeoutError) {
process.stderr.write(`Timeout: ${err.message}\n`);
} else {
process.stderr.write(`Unexpected error: ${err.message}\n`);
}
Comment on lines +31 to +33

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Harden unexpected-error output for non-Error throws.

The fallback branch reads err.message directly; if a non-Error value is thrown, stderr logs undefined and loses context.

Suggested patch 
 } catch (err) {
+  const fallbackMessage = err instanceof Error ? err.message : String(err);
   if (err instanceof ConfigurationError) {
     process.stderr.write(`Configuration error: ${err.message}\n`);
   } else if (err instanceof RateLimitError) {
     process.stderr.write(`Rate limit exceeded: ${err.message}\n`);
   } else if (err instanceof StabilityApiError) {
     process.stderr.write(`API error (${err.statusCode}): ${err.message}\n`);
   } else if (err instanceof TimeoutError) {
     process.stderr.write(`Timeout: ${err.message}\n`);
   } else {
-    process.stderr.write(`Unexpected error: ${err.message}\n`);
+    process.stderr.write(`Unexpected error: ${fallbackMessage}\n`);
   }
   process.exit(1);
 }

As per coding guidelines, **/*.js: Verify error handling is comprehensive.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/content-ai/bin/generate.js` around lines 31 - 33, The error handling
in the else block reads err.message directly without verifying that err is an
Error object; if a non-Error value (such as a string or object) is thrown,
err.message will be undefined, causing the log to output "Unexpected error:
undefined". Modify the process.stderr.write call to safely handle both Error and
non-Error thrown values by checking if err is an instance of Error and using
err.message when available, otherwise convert err to a string using String(err)
to preserve the actual error context in the output.

Source: Coding guidelines

process.exit(1);
}
2 changes: 2 additions & 0 deletions packages/content-ai/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
export { generateImage } from './stability.js';
export { StabilityApiError, RateLimitError, TimeoutError, ConfigurationError } from './stability.js';
Comment on lines +1 to +2

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Switch re-exports to absolute module paths.

These re-exports currently use a relative path (./stability.js), which violates the repository import-path rule for JS/TS files.

As per coding guidelines, **/*.{js,jsx,ts,tsx}: Use absolute imports instead of relative imports in all code.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/content-ai/index.js` around lines 1 - 2, The re-exports for
generateImage, StabilityApiError, RateLimitError, TimeoutError, and
ConfigurationError are currently using relative import paths (./stability.js)
which violates the repository import guidelines. Replace both relative paths
with absolute module paths that follow the project's module resolution
configuration. Consult your project's module path aliases (typically in
jsconfig.json, tsconfig.json, or package.json exports field) to determine the
correct absolute path for the stability module, then update both export
statements to use that absolute path instead of the relative ./stability.js
reference.

Source: Coding guidelines

24 changes: 24 additions & 0 deletions packages/content-ai/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"name": "@aiox/content-ai",
"version": "0.1.0",
"description": "Content AI module — image generation via Stability AI API",
"type": "module",
"main": "index.js",
"bin": {
"generate-image": "bin/generate.js"
},
"scripts": {
"test": "node --test --test-concurrency=1",
"lint": "eslint ."
},
"engines": {
"node": ">=18"
},
"author": "SynkraAI",
"license": "MIT",
"repository": {
"type": "git",
"url": "git+https://github.com/SynkraAI/aiox-core.git",
"directory": "packages/content-ai"
}
}
217 changes: 217 additions & 0 deletions packages/content-ai/stability.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,217 @@
import fs from 'node:fs/promises';
import path from 'node:path';

const STABILITY_API_URL = 'https://api.stability.ai/v2beta/stable-image/generate/sd3';
const MODEL = 'sd3.5-large';
const TIMEOUT_MS = 30_000;
const RETRY_AFTER_DEFAULT_MS = 10_000;

export class StabilityApiError extends Error {
constructor(message, statusCode) {
super(message);
this.name = 'StabilityApiError';
this.statusCode = statusCode;
}
}

export class RateLimitError extends Error {
constructor(message) {
super(message);
this.name = 'RateLimitError';
}
}

export class TimeoutError extends Error {
constructor(message) {
super(message);
this.name = 'TimeoutError';
}
}

export class ConfigurationError extends Error {
constructor(message) {
super(message);
this.name = 'ConfigurationError';
}
}

function _validateConfig() {
if (!process.env.STABILITY_API_KEY) {
throw new ConfigurationError(
'STABILITY_API_KEY environment variable is required but not set',
);
}
return process.env.STABILITY_API_KEY;
}

function _buildRequestBody(prompt) {
const body = new FormData();
body.append('prompt', prompt);
body.append('model', MODEL);
body.append('aspect_ratio', '1:1');
body.append('output_format', 'png');
return body;
}

async function _callApi(requestBody, apiKey) {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
try {
const response = await fetch(STABILITY_API_URL, {
method: 'POST',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'image/*',
},
body: requestBody,
signal: controller.signal,
});
return response;
} catch (err) {
if (err.name === 'AbortError') {
throw new TimeoutError('Stability AI API did not respond within 30 seconds');
}
throw err;
} finally {
clearTimeout(timeoutId);
}
}

async function _handleApiError(response) {
let message = `Stability AI API error: HTTP ${response.status}`;
try {
const text = await response.text();
if (text) {
message += ` — ${text.slice(0, 200)}`;
}
} catch {
// ignore read errors on error response body
}
throw new StabilityApiError(message, response.status);
}

async function _callWithRetry(prompt, apiKey) {
const requestBody = _buildRequestBody(prompt);
const response = await _callApi(requestBody, apiKey);

if (response.status === 429) {
const retryAfterHeader = response.headers.get('Retry-After');
const waitMs = retryAfterHeader
? parseInt(retryAfterHeader, 10) * 1000
: RETRY_AFTER_DEFAULT_MS;

_log({ event: 'stability.rate_limit.retry', waitMs, ts: new Date().toISOString() });
await new Promise((resolve) => setTimeout(resolve, waitMs));
Comment on lines +98 to +104

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle non-numeric Retry-After values before sleeping.

Line 99 assumes Retry-After is integer seconds. If the API returns an HTTP-date value, parseInt(...) yields NaN, and Line 104 retries immediately instead of backing off.

Proposed fix 
+function _parseRetryAfterMs(retryAfterHeader) {
+  if (!retryAfterHeader) return RETRY_AFTER_DEFAULT_MS;
+
+  const seconds = Number(retryAfterHeader);
+  if (Number.isFinite(seconds) && seconds > 0) {
+    return seconds * 1000;
+  }
+
+  const retryAt = Date.parse(retryAfterHeader);
+  if (!Number.isNaN(retryAt)) {
+    return Math.max(retryAt - Date.now(), RETRY_AFTER_DEFAULT_MS);
+  }
+
+  return RETRY_AFTER_DEFAULT_MS;
+}
+
 async function _callWithRetry(prompt, apiKey) {
   const requestBody = _buildRequestBody(prompt);
   const response = await _callApi(requestBody, apiKey);
 
   if (response.status === 429) {
     const retryAfterHeader = response.headers.get('Retry-After');
-    const waitMs = retryAfterHeader
-      ? parseInt(retryAfterHeader, 10) * 1000
-      : RETRY_AFTER_DEFAULT_MS;
+    const waitMs = _parseRetryAfterMs(retryAfterHeader);

As per coding guidelines, "Verify error handling is comprehensive."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const retryAfterHeader = response.headers.get('Retry-After');
const waitMs = retryAfterHeader
? parseInt(retryAfterHeader, 10) * 1000
: RETRY_AFTER_DEFAULT_MS;
_log({ event: 'stability.rate_limit.retry', waitMs, ts: new Date().toISOString() });
await new Promise((resolve) => setTimeout(resolve, waitMs));
function _parseRetryAfterMs(retryAfterHeader) {
if (!retryAfterHeader) return RETRY_AFTER_DEFAULT_MS;
const seconds = Number(retryAfterHeader);
if (Number.isFinite(seconds) && seconds > 0) {
return seconds * 1000;
}
const retryAt = Date.parse(retryAfterHeader);
if (!Number.isNaN(retryAt)) {
return Math.max(retryAt - Date.now(), RETRY_AFTER_DEFAULT_MS);
}
return RETRY_AFTER_DEFAULT_MS;
}
async function _callWithRetry(prompt, apiKey) {
const requestBody = _buildRequestBody(prompt);
const response = await _callApi(requestBody, apiKey);
if (response.status === 429) {
const retryAfterHeader = response.headers.get('Retry-After');
const waitMs = _parseRetryAfterMs(retryAfterHeader);
_log({ event: 'stability.rate_limit.retry', waitMs, ts: new Date().toISOString() });
await new Promise((resolve) => setTimeout(resolve, waitMs));
🧰 Tools
🪛 ast-grep (0.44.0)

[warning] 103-103: Avoid using the initial state variable in setState
Context: setTimeout(resolve, waitMs)
Note: [CWE-710] Improper Adherence to Coding Standards. Security best practice.

(setstate-same-var)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/content-ai/stability.js` around lines 98 - 104, The code assumes the
Retry-After header is always numeric seconds, but it can also be an HTTP-date
format. When parseInt receives a non-numeric string, it returns NaN, causing the
setTimeout to resolve immediately instead of backing off. Add a check after
parsing the retryAfterHeader to verify that the parsed value is a valid number
using Number.isNaN(), and if it is NaN, use RETRY_AFTER_DEFAULT_MS instead. This
ensures waitMs is always a valid number before being passed to setTimeout.

Source: Coding guidelines


const retryBody = _buildRequestBody(prompt);
const retryResponse = await _callApi(retryBody, apiKey);
if (!retryResponse.ok) {
if (retryResponse.status === 429) {
throw new RateLimitError('Stability AI rate limit exceeded after 1 retry');
}
await _handleApiError(retryResponse);
}
return retryResponse;
}

if (!response.ok) {
await _handleApiError(response);
}

return response;
}

async function _ensureOutputDir(dir) {
await fs.mkdir(dir, { recursive: true });
}

function _generateFilename() {
const now = new Date();
const pad = (n) => String(n).padStart(2, '0');
const datePart = `${now.getFullYear()}-${pad(now.getMonth() + 1)}-${pad(now.getDate())}`;
const timePart = `${pad(now.getHours())}${pad(now.getMinutes())}${pad(now.getSeconds())}`;
// crypto.randomUUID() is available globally in Node 18+ (Web Crypto API)
const shortId = crypto.randomUUID().replace(/-/g, '').slice(0, 8);
return `image-${datePart}-${timePart}-${shortId}.png`;
}

function _parsePngDimensions(buffer) {
// PNG IHDR: bytes 16-19 = width, 20-23 = height (big-endian uint32)
if (buffer.length < 24) {
return { width: 0, height: 0 };
}
return {
width: buffer.readUInt32BE(16),
height: buffer.readUInt32BE(20),
};
}

function _log(data) {
console.log(JSON.stringify(data));
}

export async function generateImage(prompt, options = {}) {
const apiKey = _validateConfig();

if (!prompt || typeof prompt !== 'string' || prompt.trim().length === 0) {
throw new ConfigurationError('prompt must be a non-empty string');
}

const startedAt = Date.now();

_log({
event: 'stability.generate.start',
prompt: prompt.slice(0, 200),
model: MODEL,
aspect_ratio: '1:1',
ts: new Date().toISOString(),
});
Comment on lines +162 to +168

@coderabbitai coderabbitai Bot Jun 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid logging raw prompt text.

Line 164 logs user-provided prompt content, which can leak sensitive data/PII into logs.

Proposed fix 
   _log({
     event: 'stability.generate.start',
-    prompt: prompt.slice(0, 200),
+    promptLength: prompt.length,
     model: MODEL,
     aspect_ratio: '1:1',
     ts: new Date().toISOString(),
   });

As per coding guidelines, "Look for potential security vulnerabilities."

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/content-ai/stability.js` around lines 162 - 168, The _log function
is logging the raw prompt text by including the prompt property with a slice of
the user-provided input, which can expose sensitive data or PII in logs. Remove
the prompt field from the _log call entirely to prevent logging any
user-provided content, keeping only the necessary metadata fields like event,
model, aspect_ratio, and ts.

Source: Coding guidelines


let response;
try {
response = await _callWithRetry(prompt, apiKey);
} catch (err) {
_log({
event: 'stability.generate.error',
errorType: err.name,
message: err.message,
statusCode: err.statusCode,
ts: new Date().toISOString(),
});
throw err;
}

const buffer = Buffer.from(await response.arrayBuffer());
const { width, height } = _parsePngDimensions(buffer);

const outputDir = options.outputDir
? path.resolve(options.outputDir)
: path.resolve(process.cwd(), 'output', 'images');
await _ensureOutputDir(outputDir);

const filename = _generateFilename();
const filePath = path.join(outputDir, filename);
await fs.writeFile(filePath, buffer);

const durationMs = Date.now() - startedAt;
const generatedAt = new Date().toISOString();

_log({
event: 'stability.generate.success',
path: filePath,
filename,
durationMs,
ts: generatedAt,
});

return {
path: filePath,
filename,
prompt,
model: MODEL,
width,
height,
generatedAt,
durationMs,
};
}
Loading