@1agh/maude 0.39.0 → 0.40.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/apps/studio/acp/bridge.ts +144 -5
- package/apps/studio/acp/index.ts +11 -1
- package/apps/studio/annotations-context-toolbar.tsx +44 -1
- package/apps/studio/annotations-layer.tsx +253 -3
- package/apps/studio/annotations-model.ts +107 -6
- package/apps/studio/api.ts +812 -64
- package/apps/studio/bin/_html-playwright.mjs +9 -1
- package/apps/studio/bin/_pdf-playwright.mjs +8 -1
- package/apps/studio/bin/_png-playwright.mjs +8 -1
- package/apps/studio/bin/_pw-launch.mjs +54 -0
- package/apps/studio/bin/_svg-playwright.mjs +8 -1
- package/apps/studio/bin/_video-playwright.mjs +452 -0
- package/apps/studio/bin/prep.sh +8 -1
- package/apps/studio/canvas-edit.ts +1885 -104
- package/apps/studio/canvas-lib.tsx +19 -0
- package/apps/studio/canvas-list-watch.ts +6 -2
- package/apps/studio/canvas-shell.tsx +27 -0
- package/apps/studio/client/app.jsx +1029 -30
- package/apps/studio/client/github.js +7 -0
- package/apps/studio/client/panels/TimelinePanel.jsx +860 -0
- package/apps/studio/client/panels/timeline-parse.js +229 -0
- package/apps/studio/client/panels/timeline-snap.js +55 -0
- package/apps/studio/client/styles/3-shell-maude.css +107 -0
- package/apps/studio/config.schema.json +14 -0
- package/apps/studio/context-menu.tsx +1 -1
- package/apps/studio/context.ts +113 -1
- package/apps/studio/dist/client.bundle.js +88 -16
- package/apps/studio/dist/comment-mount.js +1 -1
- package/apps/studio/dist/runtime/.min-sizes.json +11 -1
- package/apps/studio/dist/runtime/@remotion_media.js +491 -0
- package/apps/studio/dist/runtime/@remotion_player.js +56 -0
- package/apps/studio/dist/runtime/@remotion_transitions.js +300 -0
- package/apps/studio/dist/runtime/@remotion_transitions_clock-wipe.js +1 -0
- package/apps/studio/dist/runtime/@remotion_transitions_fade.js +1 -0
- package/apps/studio/dist/runtime/@remotion_transitions_flip.js +1 -0
- package/apps/studio/dist/runtime/@remotion_transitions_none.js +1 -0
- package/apps/studio/dist/runtime/@remotion_transitions_slide.js +1 -0
- package/apps/studio/dist/runtime/@remotion_transitions_wipe.js +1 -0
- package/apps/studio/dist/runtime/REMOTION-LICENSE.md +28 -0
- package/apps/studio/dist/runtime/remotion.js +42 -0
- package/apps/studio/dist/styles.css +1 -1
- package/apps/studio/exporters/_browser-bundles.ts +117 -0
- package/apps/studio/exporters/_runtime.ts +69 -0
- package/apps/studio/exporters/html.ts +4 -3
- package/apps/studio/exporters/index.ts +28 -2
- package/apps/studio/exporters/pdf.ts +4 -3
- package/apps/studio/exporters/png.ts +5 -3
- package/apps/studio/exporters/pptx.ts +6 -4
- package/apps/studio/exporters/svg.ts +9 -5
- package/apps/studio/exporters/video-encode-lib.ts +200 -0
- package/apps/studio/exporters/video-render-lib.ts +108 -0
- package/apps/studio/exporters/video.ts +184 -0
- package/apps/studio/http.ts +535 -27
- package/apps/studio/input-router.tsx +7 -1
- package/apps/studio/runtime-bundle.ts +30 -0
- package/apps/studio/server.ts +34 -9
- package/apps/studio/test/acp-bridge.test.ts +132 -0
- package/apps/studio/test/acp-commands.test.ts +8 -3
- package/apps/studio/test/annotations-roundtrip.test.ts +47 -0
- package/apps/studio/test/canvas-create-api.test.ts +76 -0
- package/apps/studio/test/canvas-edit.test.ts +90 -0
- package/apps/studio/test/canvas-list-watch.test.ts +49 -0
- package/apps/studio/test/canvas-media-drop.test.ts +30 -1
- package/apps/studio/test/canvas-origin-gate.test.ts +36 -0
- package/apps/studio/test/clip-addressing.test.ts +732 -0
- package/apps/studio/test/config-reload.test.ts +230 -0
- package/apps/studio/test/dns-rebinding-guard.test.ts +74 -0
- package/apps/studio/test/edit-persistence.test.ts +91 -0
- package/apps/studio/test/exporters/runtime.test.ts +59 -0
- package/apps/studio/test/file-lock.test.ts +84 -0
- package/apps/studio/test/fixtures/mock-acp-agent.mjs +24 -1
- package/apps/studio/test/fixtures/video-comp-fixture.tsx +82 -0
- package/apps/studio/test/timeline-parse.test.ts +127 -0
- package/apps/studio/test/timeline-snap.test.ts +85 -0
- package/apps/studio/test/video-asset.test.ts +163 -0
- package/apps/studio/test/video-comp-fixture.test.ts +50 -0
- package/apps/studio/test/video-comp.test.ts +168 -0
- package/apps/studio/test/video-render-bridge.test.ts +149 -0
- package/apps/studio/use-annotation-resize.tsx +6 -3
- package/apps/studio/use-canvas-media-drop.tsx +66 -4
- package/apps/studio/video-comp.tsx +444 -0
- package/apps/studio/whats-new.json +36 -0
- package/apps/studio/ws.ts +5 -0
- package/package.json +8 -8
- package/plugins/design/templates/_shell.html +25 -2
- package/plugins/design/templates/design-system-inspiration/_MAPPING.md +1 -1
|
@@ -67,6 +67,25 @@ describe('canvas-origin gate — A1/A2 traversal + privilege containment', () =>
|
|
|
67
67
|
'/_api/edit-css',
|
|
68
68
|
'/_api/edit-text',
|
|
69
69
|
'/_api/edit-attr',
|
|
70
|
+
// DDR-148 — raw canvas source for the Timeline parser is MAIN-ORIGIN
|
|
71
|
+
// ONLY (the untrusted canvas iframe must never read project source).
|
|
72
|
+
'/_api/canvas-source',
|
|
73
|
+
// DDR-148 — Timeline drag-to-retime is a source-write, MAIN-ORIGIN ONLY.
|
|
74
|
+
'/_api/retime-sequence',
|
|
75
|
+
// DDR-150 P2 — the clip enumerator reads project source structure, so it
|
|
76
|
+
// is MAIN-ORIGIN ONLY (same boundary as /_api/canvas-source): the
|
|
77
|
+
// untrusted canvas iframe must never enumerate the comp it renders.
|
|
78
|
+
'/_api/comp-clips',
|
|
79
|
+
// DDR-150 P3 — clip removal is a source-write, MAIN-ORIGIN ONLY.
|
|
80
|
+
'/_api/remove-sequence',
|
|
81
|
+
// DDR-150 P4 — clip insert is a source-write, MAIN-ORIGIN ONLY.
|
|
82
|
+
'/_api/insert-sequence',
|
|
83
|
+
// DDR-150 P5 — z-order reorder is a source-write, MAIN-ORIGIN ONLY.
|
|
84
|
+
'/_api/reorder-sequence',
|
|
85
|
+
// DDR-150 dogfood — array-src replace is a source-write, MAIN-ORIGIN ONLY.
|
|
86
|
+
'/_api/edit-array-src',
|
|
87
|
+
// DDR-150 dogfood — clip hide/show is a source-write, MAIN-ORIGIN ONLY.
|
|
88
|
+
'/_api/toggle-hide',
|
|
70
89
|
// Phase 12.1 (DDR-138) — node-move reorder is a source-write, MAIN-ORIGIN
|
|
71
90
|
// ONLY. The canvas iframe requests a reorder over the dgn:* bus; the shell
|
|
72
91
|
// performs the write. A GET here 403s at the gate (route unreachable on
|
|
@@ -141,9 +160,26 @@ describe('canvas-origin gate — A1/A2 traversal + privilege containment', () =>
|
|
|
141
160
|
const shell = await fetch(`${canvas}/_canvas-shell.html`);
|
|
142
161
|
const csp = shell.headers.get('content-security-policy') ?? '';
|
|
143
162
|
expect(csp).toContain("connect-src 'self'");
|
|
163
|
+
// DDR-148 — media-src must be present so a video-comp's <Video>/<Audio>
|
|
164
|
+
// isn't blocked by default-src 'none' (black video / silent audio).
|
|
165
|
+
expect(csp).toContain("media-src 'self'");
|
|
144
166
|
expect(csp).toContain("webrtc 'block'");
|
|
145
167
|
expect(csp).toContain('frame-ancestors');
|
|
146
168
|
expect(csp).toContain(`http://localhost:${port}`);
|
|
169
|
+
|
|
170
|
+
// (5) DDR-148 attacker F1 — the EXPORT/CAPTURE render (?hide-chrome=1) on
|
|
171
|
+
// the MAIN origin (where the normal shell CSP is off) MUST carry the
|
|
172
|
+
// network-locked capture CSP, else a canvas <Video src="http://internal">
|
|
173
|
+
// or comp fetch() turns ⌘E into read-SSRF + exfil-via-artifact.
|
|
174
|
+
const capMain = await fetch(`http://localhost:${port}/_canvas-shell.html?hide-chrome=1`);
|
|
175
|
+
const capCsp = capMain.headers.get('content-security-policy') ?? '';
|
|
176
|
+
expect(capCsp).toContain("media-src 'self'"); // <Video src=external> blocked
|
|
177
|
+
expect(capCsp).toContain("connect-src 'self'"); // comp fetch(external) blocked
|
|
178
|
+
expect(capCsp).toContain("img-src 'self'");
|
|
179
|
+
expect(capCsp).toContain("object-src 'none'");
|
|
180
|
+
// A normal main-origin shell (no capture flag) stays CSP-off (back-compat).
|
|
181
|
+
const plainMain = await fetch(`http://localhost:${port}/_canvas-shell.html`);
|
|
182
|
+
expect(plainMain.headers.get('content-security-policy')).toBeNull();
|
|
147
183
|
} finally {
|
|
148
184
|
await killProc(proc);
|
|
149
185
|
}
|