@abraca/mcp 1.0.21 → 1.0.25

package/dist/abracadabra-mcp.cjs

@@ -20530,7 +20530,14 @@ function parseBlocks(markdown) {
 				i++;
 			}
 			i++;
-			blocks.push({
+			if (lang === "svg" || lang.startsWith("svg ")) {
+				const svgTitle = lang === "svg" ? "" : lang.slice(4).trim();
+				blocks.push({
+					type: "svgEmbed",
+					svg: codeLines.join("\n"),
+					title: svgTitle
+				});
+			} else blocks.push({
 				type: "codeBlock",
 				lang,
 				code: codeLines.join("\n")
@@ -20869,6 +20876,7 @@ function blockElName(b) {
 		case "fieldGroup": return "fieldGroup";
 		case "image": return "image";
 		case "docEmbed": return "docEmbed";
+		case "svgEmbed": return "svgEmbed";
 	}
 }
 function fillBlock(el, block) {
@@ -21087,6 +21095,10 @@ function fillBlock(el, block) {
 		case "docEmbed":
 			el.setAttribute("docId", block.docId);
 			break;
+		case "svgEmbed":
+			el.setAttribute("svg", block.svg);
+			if (block.title) el.setAttribute("title", block.title);
+			break;
 	}
 }
 function populateYDocFromMarkdown(fragment, markdown, fallbackTitle = "Untitled") {
@@ -21136,6 +21148,7 @@ function populateYDocFromMarkdown(fragment, markdown, fallbackTitle = "Untitled"
 				case "fieldGroup": return new yjs.XmlElement("fieldGroup");
 				case "image": return new yjs.XmlElement("image");
 				case "docEmbed": return new yjs.XmlElement("docEmbed");
+				case "svgEmbed": return new yjs.XmlElement("svgEmbed");
 			}
 		});
 		fragment.insert(0, [
@@ -21211,6 +21224,12 @@ function serializeElement(el, indent = "") {
 			const docId = el.getAttribute("docId");
 			return docId ? `![[${docId}]]` : "";
 		}
+		case "svgEmbed": {
+			const svg = el.getAttribute("svg") || "";
+			const svgTitle = el.getAttribute("title") || "";
+			if (!svg) return "";
+			return `\`\`\`svg${svgTitle ? ` ${svgTitle}` : ""}\n${svg}\n\`\`\``;
+		}
 		case "image": {
 			const src = el.getAttribute("src") || "";
 			const alt = el.getAttribute("alt") || "";
@@ -21870,6 +21889,182 @@ function registerChannelTools(mcp, server) {
 	});
 }
 
+//#endregion
+//#region packages/mcp/src/utils/sanitizeSvg.ts
+/**
+* Lightweight SVG sanitizer for server-side use (no DOM dependency).
+* Strips dangerous elements and attributes from SVG markup using allowlists.
+*/
+const ALLOWED_ELEMENTS = new Set([
+	"svg",
+	"g",
+	"path",
+	"circle",
+	"ellipse",
+	"rect",
+	"line",
+	"polyline",
+	"polygon",
+	"text",
+	"tspan",
+	"textPath",
+	"defs",
+	"use",
+	"symbol",
+	"clipPath",
+	"mask",
+	"pattern",
+	"linearGradient",
+	"radialGradient",
+	"stop",
+	"marker",
+	"image",
+	"title",
+	"desc",
+	"metadata",
+	"animate",
+	"animateTransform",
+	"animateMotion",
+	"set",
+	"filter",
+	"feGaussianBlur",
+	"feOffset",
+	"feMerge",
+	"feMergeNode",
+	"feFlood",
+	"feComposite",
+	"feBlend",
+	"feColorMatrix",
+	"feComponentTransfer",
+	"feFuncR",
+	"feFuncG",
+	"feFuncB",
+	"feFuncA",
+	"feConvolveMatrix",
+	"feDiffuseLighting",
+	"feDisplacementMap",
+	"feDropShadow",
+	"feImage",
+	"feMorphology",
+	"fePointLight",
+	"feSpecularLighting",
+	"feSpotLight",
+	"feTile",
+	"feTurbulence"
+]);
+const FORBIDDEN_ELEMENTS = new Set([
+	"script",
+	"foreignObject",
+	"iframe",
+	"object",
+	"embed",
+	"applet"
+]);
+/** Matches event handler attributes: on* */
+const EVENT_HANDLER_RE = /\bon\w+\s*=/gi;
+/** Matches javascript: URLs in href/xlink:href */
+const JS_URL_RE = /(href\s*=\s*["'])\s*javascript:/gi;
+/** Matches a full element tag (opening or self-closing) */
+const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)((?:\s[^>]*)?)>/g;
+/** Matches complete forbidden element blocks including content */
+function stripForbiddenBlocks(svg) {
+	for (const tag of FORBIDDEN_ELEMENTS) {
+		const blockRe = new RegExp(`<${tag}[\\s>][\\s\\S]*?</${tag}>`, "gi");
+		svg = svg.replace(blockRe, "");
+		const selfCloseRe = new RegExp(`<${tag}[\\s/][^>]*/?>`, "gi");
+		svg = svg.replace(selfCloseRe, "");
+	}
+	return svg;
+}
+/**
+* Sanitize SVG markup by removing dangerous elements and attributes.
+* Uses an allowlist approach — only known-safe SVG elements are kept.
+*/
+function sanitizeSvg(svg) {
+	if (!svg) return "";
+	let clean = stripForbiddenBlocks(svg);
+	clean = clean.replace(EVENT_HANDLER_RE, "");
+	clean = clean.replace(JS_URL_RE, "$1");
+	clean = clean.replace(TAG_RE, (match, tagName) => {
+		const lower = tagName.toLowerCase();
+		if (ALLOWED_ELEMENTS.has(lower) || ALLOWED_ELEMENTS.has(tagName)) return match;
+		return "";
+	});
+	return clean.trim();
+}
+
+//#endregion
+//#region packages/mcp/src/tools/svg.ts
+/**
+* SVG tools — insert SVG diagrams/images into documents via Y.js.
+*/
+/**
+* Find the insertion index after documentHeader and documentMeta elements.
+*/
+function findContentStart(fragment) {
+	let idx = 0;
+	for (let i = 0; i < fragment.length; i++) {
+		const child = fragment.get(i);
+		if (child instanceof yjs.XmlElement) {
+			const name = child.nodeName;
+			if (name === "documentHeader" || name === "documentMeta") idx = i + 1;
+			else break;
+		}
+	}
+	return idx;
+}
+function registerSvgTools(mcp, server) {
+	mcp.tool("write_svg", "Insert an SVG diagram or image into a document. Creates an svgEmbed block node containing the SVG markup. Use this for diagrams, charts, flowcharts, illustrations, icons, or any visual content expressed as SVG. The SVG is sanitized server-side before writing.", {
+		docId: zod.z.string().describe("Document ID to write SVG into."),
+		svg: zod.z.string().describe("Raw SVG markup string (the full <svg>...</svg> element). Will be sanitized."),
+		title: zod.z.string().optional().describe("Optional title/caption displayed above the SVG."),
+		position: zod.z.enum(["append", "prepend"]).optional().describe("Where to insert the SVG block. \"append\" adds at the end (default), \"prepend\" adds at the start of content.")
+	}, async ({ docId, svg, title, position }) => {
+		try {
+			server.setAutoStatus("writing", docId);
+			server.setActiveToolCall({
+				name: "write_svg",
+				target: docId
+			});
+			const cleanSvg = sanitizeSvg(svg);
+			if (!cleanSvg) {
+				server.setActiveToolCall(null);
+				return {
+					content: [{
+						type: "text",
+						text: "Error: SVG markup was empty or entirely stripped by sanitizer."
+					}],
+					isError: true
+				};
+			}
+			const doc = (await server.getChildProvider(docId)).document;
+			const fragment = doc.getXmlFragment("default");
+			doc.transact(() => {
+				const el = new yjs.XmlElement("svgEmbed");
+				el.setAttribute("svg", cleanSvg);
+				if (title) el.setAttribute("title", title);
+				const insertPos = position === "prepend" ? findContentStart(fragment) : fragment.length;
+				fragment.insert(insertPos, [el]);
+			});
+			server.setFocusedDoc(docId);
+			server.setActiveToolCall(null);
+			return { content: [{
+				type: "text",
+				text: `SVG inserted into document ${docId}${title ? ` ("${title}")` : ""}`
+			}] };
+		} catch (error) {
+			server.setActiveToolCall(null);
+			return {
+				content: [{
+					type: "text",
+					text: `Error writing SVG: ${error.message}`
+				}],
+				isError: true
+			};
+		}
+	});
+}
+
 //#endregion
 //#region packages/mcp/src/resources/agent-guide.ts
 const AGENT_GUIDE = `# Abracadabra AI Agent Guide
@@ -22662,6 +22857,7 @@ Read the resource at abracadabra://agent-guide for the complete guide covering p
 	registerFileTools(mcp, server);
 	registerAwarenessTools(mcp, server);
 	registerChannelTools(mcp, server);
+	registerSvgTools(mcp, server);
 	registerAgentGuide(mcp);
 	registerTreeResource(mcp, server);
 	registerServerInfoResource(mcp, server);