@1agh/maude 0.39.0 → 0.40.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. package/README.md +1 -1
  2. package/apps/studio/acp/bridge.ts +144 -5
  3. package/apps/studio/acp/index.ts +11 -1
  4. package/apps/studio/annotations-context-toolbar.tsx +44 -1
  5. package/apps/studio/annotations-layer.tsx +253 -3
  6. package/apps/studio/annotations-model.ts +107 -6
  7. package/apps/studio/api.ts +812 -64
  8. package/apps/studio/bin/_html-playwright.mjs +9 -1
  9. package/apps/studio/bin/_pdf-playwright.mjs +8 -1
  10. package/apps/studio/bin/_png-playwright.mjs +8 -1
  11. package/apps/studio/bin/_pw-launch.mjs +54 -0
  12. package/apps/studio/bin/_svg-playwright.mjs +8 -1
  13. package/apps/studio/bin/_video-playwright.mjs +452 -0
  14. package/apps/studio/bin/prep.sh +8 -1
  15. package/apps/studio/canvas-edit.ts +1885 -104
  16. package/apps/studio/canvas-lib.tsx +19 -0
  17. package/apps/studio/canvas-list-watch.ts +6 -2
  18. package/apps/studio/canvas-shell.tsx +27 -0
  19. package/apps/studio/client/app.jsx +1029 -30
  20. package/apps/studio/client/github.js +7 -0
  21. package/apps/studio/client/panels/TimelinePanel.jsx +860 -0
  22. package/apps/studio/client/panels/timeline-parse.js +229 -0
  23. package/apps/studio/client/panels/timeline-snap.js +55 -0
  24. package/apps/studio/client/styles/3-shell-maude.css +107 -0
  25. package/apps/studio/config.schema.json +14 -0
  26. package/apps/studio/context-menu.tsx +1 -1
  27. package/apps/studio/context.ts +113 -1
  28. package/apps/studio/dist/client.bundle.js +88 -16
  29. package/apps/studio/dist/comment-mount.js +1 -1
  30. package/apps/studio/dist/runtime/.min-sizes.json +11 -1
  31. package/apps/studio/dist/runtime/@remotion_media.js +491 -0
  32. package/apps/studio/dist/runtime/@remotion_player.js +56 -0
  33. package/apps/studio/dist/runtime/@remotion_transitions.js +300 -0
  34. package/apps/studio/dist/runtime/@remotion_transitions_clock-wipe.js +1 -0
  35. package/apps/studio/dist/runtime/@remotion_transitions_fade.js +1 -0
  36. package/apps/studio/dist/runtime/@remotion_transitions_flip.js +1 -0
  37. package/apps/studio/dist/runtime/@remotion_transitions_none.js +1 -0
  38. package/apps/studio/dist/runtime/@remotion_transitions_slide.js +1 -0
  39. package/apps/studio/dist/runtime/@remotion_transitions_wipe.js +1 -0
  40. package/apps/studio/dist/runtime/REMOTION-LICENSE.md +28 -0
  41. package/apps/studio/dist/runtime/remotion.js +42 -0
  42. package/apps/studio/dist/styles.css +1 -1
  43. package/apps/studio/exporters/_browser-bundles.ts +117 -0
  44. package/apps/studio/exporters/_runtime.ts +69 -0
  45. package/apps/studio/exporters/html.ts +4 -3
  46. package/apps/studio/exporters/index.ts +28 -2
  47. package/apps/studio/exporters/pdf.ts +4 -3
  48. package/apps/studio/exporters/png.ts +5 -3
  49. package/apps/studio/exporters/pptx.ts +6 -4
  50. package/apps/studio/exporters/svg.ts +9 -5
  51. package/apps/studio/exporters/video-encode-lib.ts +200 -0
  52. package/apps/studio/exporters/video-render-lib.ts +108 -0
  53. package/apps/studio/exporters/video.ts +184 -0
  54. package/apps/studio/http.ts +535 -27
  55. package/apps/studio/input-router.tsx +7 -1
  56. package/apps/studio/runtime-bundle.ts +30 -0
  57. package/apps/studio/server.ts +34 -9
  58. package/apps/studio/test/acp-bridge.test.ts +132 -0
  59. package/apps/studio/test/acp-commands.test.ts +8 -3
  60. package/apps/studio/test/annotations-roundtrip.test.ts +47 -0
  61. package/apps/studio/test/canvas-create-api.test.ts +76 -0
  62. package/apps/studio/test/canvas-edit.test.ts +90 -0
  63. package/apps/studio/test/canvas-list-watch.test.ts +49 -0
  64. package/apps/studio/test/canvas-media-drop.test.ts +30 -1
  65. package/apps/studio/test/canvas-origin-gate.test.ts +36 -0
  66. package/apps/studio/test/clip-addressing.test.ts +732 -0
  67. package/apps/studio/test/config-reload.test.ts +230 -0
  68. package/apps/studio/test/dns-rebinding-guard.test.ts +74 -0
  69. package/apps/studio/test/edit-persistence.test.ts +91 -0
  70. package/apps/studio/test/exporters/runtime.test.ts +59 -0
  71. package/apps/studio/test/file-lock.test.ts +84 -0
  72. package/apps/studio/test/fixtures/mock-acp-agent.mjs +24 -1
  73. package/apps/studio/test/fixtures/video-comp-fixture.tsx +82 -0
  74. package/apps/studio/test/timeline-parse.test.ts +127 -0
  75. package/apps/studio/test/timeline-snap.test.ts +85 -0
  76. package/apps/studio/test/video-asset.test.ts +163 -0
  77. package/apps/studio/test/video-comp-fixture.test.ts +50 -0
  78. package/apps/studio/test/video-comp.test.ts +168 -0
  79. package/apps/studio/test/video-render-bridge.test.ts +149 -0
  80. package/apps/studio/use-annotation-resize.tsx +6 -3
  81. package/apps/studio/use-canvas-media-drop.tsx +66 -4
  82. package/apps/studio/video-comp.tsx +444 -0
  83. package/apps/studio/whats-new.json +36 -0
  84. package/apps/studio/ws.ts +5 -0
  85. package/package.json +8 -8
  86. package/plugins/design/templates/_shell.html +25 -2
  87. package/plugins/design/templates/design-system-inspiration/_MAPPING.md +1 -1
@@ -67,6 +67,25 @@ describe('canvas-origin gate — A1/A2 traversal + privilege containment', () =>
67
67
  '/_api/edit-css',
68
68
  '/_api/edit-text',
69
69
  '/_api/edit-attr',
70
+ // DDR-148 — raw canvas source for the Timeline parser is MAIN-ORIGIN
71
+ // ONLY (the untrusted canvas iframe must never read project source).
72
+ '/_api/canvas-source',
73
+ // DDR-148 — Timeline drag-to-retime is a source-write, MAIN-ORIGIN ONLY.
74
+ '/_api/retime-sequence',
75
+ // DDR-150 P2 — the clip enumerator reads project source structure, so it
76
+ // is MAIN-ORIGIN ONLY (same boundary as /_api/canvas-source): the
77
+ // untrusted canvas iframe must never enumerate the comp it renders.
78
+ '/_api/comp-clips',
79
+ // DDR-150 P3 — clip removal is a source-write, MAIN-ORIGIN ONLY.
80
+ '/_api/remove-sequence',
81
+ // DDR-150 P4 — clip insert is a source-write, MAIN-ORIGIN ONLY.
82
+ '/_api/insert-sequence',
83
+ // DDR-150 P5 — z-order reorder is a source-write, MAIN-ORIGIN ONLY.
84
+ '/_api/reorder-sequence',
85
+ // DDR-150 dogfood — array-src replace is a source-write, MAIN-ORIGIN ONLY.
86
+ '/_api/edit-array-src',
87
+ // DDR-150 dogfood — clip hide/show is a source-write, MAIN-ORIGIN ONLY.
88
+ '/_api/toggle-hide',
70
89
  // Phase 12.1 (DDR-138) — node-move reorder is a source-write, MAIN-ORIGIN
71
90
  // ONLY. The canvas iframe requests a reorder over the dgn:* bus; the shell
72
91
  // performs the write. A GET here 403s at the gate (route unreachable on
@@ -141,9 +160,26 @@ describe('canvas-origin gate — A1/A2 traversal + privilege containment', () =>
141
160
  const shell = await fetch(`${canvas}/_canvas-shell.html`);
142
161
  const csp = shell.headers.get('content-security-policy') ?? '';
143
162
  expect(csp).toContain("connect-src 'self'");
163
+ // DDR-148 — media-src must be present so a video-comp's <Video>/<Audio>
164
+ // isn't blocked by default-src 'none' (black video / silent audio).
165
+ expect(csp).toContain("media-src 'self'");
144
166
  expect(csp).toContain("webrtc 'block'");
145
167
  expect(csp).toContain('frame-ancestors');
146
168
  expect(csp).toContain(`http://localhost:${port}`);
169
+
170
+ // (5) DDR-148 attacker F1 — the EXPORT/CAPTURE render (?hide-chrome=1) on
171
+ // the MAIN origin (where the normal shell CSP is off) MUST carry the
172
+ // network-locked capture CSP, else a canvas <Video src="http://internal">
173
+ // or comp fetch() turns ⌘E into read-SSRF + exfil-via-artifact.
174
+ const capMain = await fetch(`http://localhost:${port}/_canvas-shell.html?hide-chrome=1`);
175
+ const capCsp = capMain.headers.get('content-security-policy') ?? '';
176
+ expect(capCsp).toContain("media-src 'self'"); // <Video src=external> blocked
177
+ expect(capCsp).toContain("connect-src 'self'"); // comp fetch(external) blocked
178
+ expect(capCsp).toContain("img-src 'self'");
179
+ expect(capCsp).toContain("object-src 'none'");
180
+ // A normal main-origin shell (no capture flag) stays CSP-off (back-compat).
181
+ const plainMain = await fetch(`http://localhost:${port}/_canvas-shell.html`);
182
+ expect(plainMain.headers.get('content-security-policy')).toBeNull();
147
183
  } finally {
148
184
  await killProc(proc);
149
185
  }