@abraca/nuxt 2.0.0 → 2.0.3

package/dist/runtime/plugin-abracadabra.client.js

@@ -70,6 +70,17 @@ const NUXT_UI_PRIMARY_COLORS = /* @__PURE__ */ new Set([
 ]);
 const NUXT_UI_NEUTRAL_COLORS = /* @__PURE__ */ new Set(["slate", "gray", "zinc", "neutral", "stone"]);
 const CUSTOM_TO_NUXT_UI_PRIMARY = {
+  // Identity-color names from `UI_COLORS` (types.ts) that aren't Nuxt UI standard.
+  // Without these, picking any of `coral`, `chartreuse`, `jade`, `sapphire`,
+  // `magenta`, `oxidized` would silently fall back to `blue` — and the app
+  // chrome would never reflect the user's chosen identity color.
+  coral: "orange",
+  chartreuse: "lime",
+  jade: "emerald",
+  sapphire: "blue",
+  magenta: "fuchsia",
+  oxidized: "teal",
+  // Legacy / themed names sometimes used as `primary` in app.config.ts.
   grass: "green",
   diamond: "cyan",
   gold: "amber",
@@ -78,7 +89,26 @@ const CUSTOM_TO_NUXT_UI_PRIMARY = {
   wood: "orange",
   discord: "indigo",
   steam: "lime",
-  oxidized: "teal"
+  // Neutral names occasionally mis-used as primary (e.g. playground default
+  // `primary: 'mist'`) — pick a defensible warm-neutral primary instead of
+  // collapsing to plain blue.
+  mist: "sky",
+  mauve: "violet",
+  sand: "amber",
+  dusk: "indigo",
+  bark: "orange",
+  sage: "emerald",
+  moss: "green",
+  lavender: "violet",
+  blush: "pink",
+  cream: "amber",
+  wine: "rose",
+  cobblestone: "cyan",
+  bedrock: "sky",
+  copper: "orange",
+  mint: "emerald",
+  fog: "sky",
+  peach: "orange"
 };
 const CUSTOM_TO_NUXT_UI_NEUTRAL = {
   cobblestone: "stone",
@@ -241,6 +271,16 @@ export default defineNuxtPlugin({
     const userStatusIcon = ref(localStorage.getItem("abracadabra_status_icon") ?? "");
     const userStatusText = ref(localStorage.getItem("abracadabra_status_text") ?? "");
     const userStatusAsAvatar = ref(localStorage.getItem("abracadabra_status_as_avatar") === "1");
+    const hasPassword = ref(false);
+    async function refreshHasPassword() {
+      const c = client.value;
+      if (!c) return;
+      try {
+        const me = await c.getMe();
+        hasPassword.value = !!me?.hasPassword;
+      } catch {
+      }
+    }
     watch([status, synced], ([s, sy]) => {
       try {
         const ready = s === "connected" && sy;
@@ -597,6 +637,7 @@ export default defineNuxtPlugin({
       if (!client.value) throw new Error("Not connected");
       await client.value.login(opts);
       addLog(`Logged in as ${opts.username}`, "auth");
+      hasPassword.value = true;
       if (_wsp) {
         _wsp.disconnect();
         setTimeout(() => _wsp?.connect(), 300);
@@ -607,6 +648,7 @@ export default defineNuxtPlugin({
       await client.value.register(opts);
       await client.value.login({ username: opts.username, password: opts.password });
       addLog(`Registered + logged in as ${opts.username}`, "auth");
+      hasPassword.value = true;
       if (_wsp) {
         _wsp.disconnect();
         setTimeout(() => _wsp?.connect(), 300);
@@ -625,6 +667,7 @@ export default defineNuxtPlugin({
     async function setPassword(newPassword) {
       if (!client.value) throw new Error("Not connected");
       await client.value.setPassword(newPassword);
+      hasPassword.value = true;
       addLog("Password set", "auth");
     }
     async function redeemInvite(code) {
@@ -705,18 +748,21 @@ export default defineNuxtPlugin({
       try {
         const [
           sdkModule,
-          ed,
+          edModule,
           { sha512 }
         ] = await Promise.all([
           import("@abraca/dabra"),
           import("@noble/ed25519"),
-          import("@noble/hashes/sha512")
+          import("@noble/hashes/sha2.js")
         ]);
         setSdkModule(sdkModule);
         const { AbracadabraClient, AbracadabraProvider, AbracadabraWS, CryptoIdentityKeystore } = sdkModule;
-        const edEtc = ed.etc;
-        edEtc.sha512Sync = (...m) => sha512(edEtc.concatBytes(...m));
-        edEtc.sha512Async = (...m) => Promise.resolve(edEtc.sha512Sync(...m));
+        const ed = edModule.default ?? edModule;
+        if (!ed.hashes) {
+          throw new Error("@noble/ed25519 v3: `hashes` export missing from imported namespace \u2014 check Vite optimizeDeps");
+        }
+        ed.hashes.sha512 = sha512;
+        ed.hashes.sha512Async = (m) => Promise.resolve(sha512(m));
         const ks = new CryptoIdentityKeystore();
         keystore.value = ks;
         let privKey = null;
@@ -742,7 +788,7 @@ export default defineNuxtPlugin({
             privKey = fromBase64Url(storedPrivKey);
             addLog("Using guest identity (soft key)", "auth");
           } else {
-            privKey = ed.utils.randomPrivateKey();
+            privKey = ed.utils.randomSecretKey();
             localStorage.setItem("abracadabra_privkey", toBase64Url(privKey));
             addLog("Created new guest identity (soft key)", "auth");
           }
@@ -790,7 +836,8 @@ export default defineNuxtPlugin({
         let useExistingToken = _client.isTokenValid();
         if (useExistingToken) {
           try {
-            await _client.getMe();
+            const me = await _client.getMe();
+            hasPassword.value = !!me?.hasPassword;
           } catch (e) {
             const status2 = e?.status ?? 0;
             if (status2 === 401) {
@@ -860,7 +907,7 @@ export default defineNuxtPlugin({
           }
         }
         const server = savedServers.value.find((s) => s.url === serverUrl);
-        const docId = configEntryDocId ?? server?.entryDocId ?? server?.cachedSpaces?.[0]?.id ?? spacesInfo?.spaces?.[0]?.id ?? void 0;
+        const docId = configEntryDocId ?? server?.entryDocId ?? server?.cachedSpaces?.[0]?.id ?? spacesInfo?.spaces?.[0]?.id ?? info?.root_doc_id ?? void 0;
         if (!docId) {
           connectionError.value = "No entry document found. Configure entryDocId or ensure the server has spaces.";
           addLog("No entry document \u2014 cannot connect", "system");
@@ -1140,6 +1187,8 @@ export default defineNuxtPlugin({
       confirmPasswordReset,
       changePassword,
       setPassword,
+      hasPassword,
+      refreshHasPassword,
       addServer,
       removeServer,
       switchServer,

package/dist/runtime/plugin-abracadabra.server.js

@@ -68,6 +68,8 @@ export default defineNuxtPlugin({
       createInvite: async () => ({}),
       listInvites: async () => [],
       revokeInvite: noopAsync,
+      hasPassword: ref(false),
+      refreshHasPassword: noopAsync,
       init: noopAsync
     });
   }

package/dist/runtime/plugins/core.plugin.js

@@ -15,7 +15,8 @@ const OPTIONAL_BUILTIN_EXTENSIONS = /* @__PURE__ */ new Set([
   "colorSwatch",
   "mathBlock",
   "mathInline",
-  "diff"
+  "diff",
+  "svgEmbed"
 ]);
 async function loadClientExtensions() {
   const [
@@ -71,7 +72,8 @@ async function loadClientExtensions() {
     { Spoiler },
     { ColorSwatch },
     { MathBlock, MathInline },
-    { Diff }
+    { Diff },
+    { SvgEmbed }
   ] = await Promise.all([
     import("@tiptap/extension-task-list"),
     import("@tiptap/extension-task-item"),
@@ -125,7 +127,8 @@ async function loadClientExtensions() {
     import("../extensions/spoiler.js"),
     import("../extensions/color-swatch.js"),
     import("../extensions/math.js"),
-    import("../extensions/diff.js")
+    import("../extensions/diff.js"),
+    import("../extensions/svg-embed.js")
   ]);
   const lowlight = createLowlight(common);
   const extensions = [
@@ -198,7 +201,8 @@ async function loadClientExtensions() {
     ColorSwatch,
     MathBlock,
     MathInline,
-    Diff
+    Diff,
+    SvgEmbed
   ];
   try {
     const emojiPkg = "@tiptap/extension-emoji";

package/dist/runtime/server/plugins/abracadabra-service.js

@@ -1,6 +1,8 @@
 import { defineNitroPlugin } from "nitropack/runtime/plugin";
 import { useRuntimeConfig } from "nitropack/runtime/config";
 import { useStorage } from "nitropack/runtime/storage";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
 import { registerServerPlugin, bootRunners, shutdownAllRunners } from "../utils/serverRunner.js";
 import { createDocCacheAPI } from "../utils/docCache.js";
 import { docTreeCacheRunner } from "../runners/doc-tree-cache.js";
@@ -16,39 +18,125 @@ function toBase64Url(bytes) {
   for (const byte of bytes) b += String.fromCharCode(byte);
   return btoa(b).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
+async function loadOrCreateAutoIdentity(opts) {
+  if (existsSync(opts.cachePath)) {
+    try {
+      const cached = JSON.parse(readFileSync(opts.cachePath, "utf-8"));
+      if (cached?.publicKey && cached?.privateKey && cached?.serverUrl === opts.serverUrl) {
+        console.log("[abracadabra-service] using cached auto-bootstrap identity:", cached.username);
+        return cached;
+      }
+    } catch {
+    }
+  }
+  let info = null;
+  try {
+    const r = await fetch(`${opts.serverUrl}/info`);
+    if (r.ok) info = await r.json();
+  } catch {
+  }
+  if (!info) {
+    console.warn(`[abracadabra-service] auto-bootstrap aborted: ${opts.serverUrl}/info unreachable`);
+    return null;
+  }
+  if (!info.registration_allowed) {
+    console.warn(
+      "[abracadabra-service] auto-bootstrap aborted: server has registration_allowed=false. Set abracadabra.service.{publicKey,privateKey} module options to use a pre-registered service account."
+    );
+    return null;
+  }
+  const sk = opts.ed.utils.randomSecretKey();
+  const pk = await opts.ed.getPublicKey(sk);
+  const publicKey = toBase64Url(pk);
+  const privateKey = toBase64Url(sk);
+  const username = `runner-${publicKey.replace(/[^a-zA-Z0-9]/g, "").slice(0, 16).toLowerCase()}`;
+  console.log(`[abracadabra-service] auto-registering ${username} on ${opts.serverUrl}\u2026`);
+  const res = await fetch(`${opts.serverUrl}/auth/register`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      username,
+      identityPublicKey: publicKey,
+      deviceName: "nuxt-runner",
+      displayName: "Nuxt Runner"
+    })
+  });
+  if (!res.ok && res.status !== 409) {
+    console.error(`[abracadabra-service] auto-register failed: ${res.status} ${await res.text()}`);
+    return null;
+  }
+  const identity = {
+    username,
+    publicKey,
+    privateKey,
+    serverUrl: opts.serverUrl,
+    createdAt: Date.now()
+  };
+  try {
+    mkdirSync(dirname(opts.cachePath), { recursive: true });
+    writeFileSync(opts.cachePath, JSON.stringify(identity, null, 2), "utf-8");
+    console.log(`[abracadabra-service] cached identity at ${opts.cachePath}`);
+  } catch (e) {
+    console.warn("[abracadabra-service] failed to cache identity (will re-register on next boot):", e instanceof Error ? e.message : e);
+  }
+  return identity;
+}
 export default defineNitroPlugin(async (nitroApp) => {
   const config = useRuntimeConfig();
   const abraConfig = config.abracadabra;
   const storage = useStorage();
   initSlugMap(storage);
   await loadPersistedSlugMap();
-  const pubKeyB64 = abraConfig?.servicePublicKey ?? "";
-  const privKeyB64 = abraConfig?.servicePrivateKey ?? "";
+  const explicitPubKey = abraConfig?.servicePublicKey ?? "";
+  const explicitPrivKey = abraConfig?.servicePrivateKey ?? "";
   const rootDocIdOverride = abraConfig?.serviceRootDocId ?? "";
   const disabled = abraConfig?.serviceDisabled ?? false;
-  if (disabled || !pubKeyB64 || !privKeyB64) {
+  const serverUrl = config.public?.abracadabra?.url;
+  if (disabled) return;
+  if (!serverUrl) {
+    console.warn("[abracadabra-service] no abracadabra.url configured \u2014 service plugin disabled");
     return;
   }
   let wsp = null;
   try {
     const [
       { AbracadabraClient, AbracadabraProvider, AbracadabraWS },
-      ed,
+      edModule,
       { sha512 },
-      Y
+      Y,
+      wsModule
     ] = await Promise.all([
       import("@abraca/dabra"),
       import("@noble/ed25519"),
-      import("@noble/hashes/sha512"),
-      import("yjs")
+      import("@noble/hashes/sha2.js"),
+      import("yjs"),
+      import("ws")
     ]);
-    const edEtc = ed.etc;
-    edEtc.sha512Sync = (...m) => sha512(edEtc.concatBytes(...m));
-    edEtc.sha512Async = (...m) => Promise.resolve(edEtc.sha512Sync(...m));
+    const ed = edModule.default ?? edModule;
+    const WSImpl = wsModule.WebSocket ?? wsModule.default;
+    if (typeof globalThis.WebSocket === "undefined" && WSImpl) {
+      ;
+      globalThis.WebSocket = WSImpl;
+    }
+    if (!ed.hashes) {
+      throw new Error("@noble/ed25519 v3: `hashes` export missing \u2014 check Vite optimizeDeps");
+    }
+    ed.hashes.sha512 = sha512;
+    ed.hashes.sha512Async = (m) => Promise.resolve(sha512(m));
+    let pubKeyB64 = explicitPubKey;
+    let privKeyB64 = explicitPrivKey;
+    if (!pubKeyB64 || !privKeyB64) {
+      const cachePath = join(process.cwd(), ".data", "abracadabra-runner-identity.json");
+      const id = await loadOrCreateAutoIdentity({ serverUrl, cachePath, ed });
+      if (!id) {
+        return;
+      }
+      pubKeyB64 = id.publicKey;
+      privKeyB64 = id.privateKey;
+    }
     const privKey = fromBase64Url(privKeyB64);
     const client = new AbracadabraClient({
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Nuxt runtime config augmentation not resolved in Nitro
-      url: config.public?.abracadabra?.url,
+      url: serverUrl,
       persistAuth: false
     });
     await client.loginWithKey(pubKeyB64, async (challenge) => {
@@ -64,7 +152,8 @@ export default defineNitroPlugin(async (nitroApp) => {
       maxDelay: 3e4,
       factor: 2,
       jitter: true,
-      maxAttempts: 50
+      maxAttempts: 50,
+      WebSocketPolyfill: WSImpl
     });
     let rootDocId = rootDocIdOverride;
     if (!rootDocId) {

package/dist/runtime/types.d.ts

@@ -500,6 +500,17 @@ export interface AbracadabraState {
     }) => Promise<void>;
     /** Add a password to a key-only account. 409s if one is already set. */
     setPassword: (newPassword: string) => Promise<void>;
+    /**
+     * Whether the current user has a password set on the server. Drives the
+     * "Set password" vs "Change password" branching in `<AClaimAccountModal>`,
+     * `<AAccountSwitcherModal>`, and consumer settings panels. Populated from
+     * `getMe().hasPassword` after each successful auth event.
+     */
+    hasPassword: Ref<boolean>;
+    /** Force-refresh `hasPassword` from `getMe()`. Call after a successful
+     *  `setPassword`/`changePassword` if the consumer wants to read the
+     *  server's authoritative state instead of trusting the optimistic flip. */
+    refreshHasPassword: () => Promise<void>;
     reconnect: () => void;
     addServer: (url: string) => Promise<void>;
     removeServer: (url: string) => void;

package/dist/runtime/utils/awareRingStyle.js

@@ -11,6 +11,6 @@ export function awareRingStyle(input) {
   return {
     boxShadow: layers.join(", "),
     borderRadius: radius ?? "var(--ui-radius, 0.375rem)",
-    transition: "box-shadow 100ms ease, filter 120ms ease"
+    transition: "box-shadow var(--aa-state-fade-shadow), filter var(--aa-state-fade-filter)"
   };
 }

package/dist/runtime/utils/sanitizeSvg.d.ts

@@ -0,0 +1,19 @@
+/**
+ * sanitizeSvg — modular SVG sanitizer.
+ *
+ * Tries to use DOMPurify (if the consumer installed it) for industry-grade
+ * sanitization. Falls back to a strict built-in allowlist that strips:
+ *   - <script>, <foreignObject>, <iframe>, <embed>, <object>
+ *   - `on*` event-handler attributes
+ *   - `href` / `xlink:href` values that aren't `#anchor` (blocks `javascript:`)
+ *
+ * The built-in is intentionally conservative — it errs on the side of
+ * removing benign content rather than allowing risky content through.
+ * Apps that need more permissive sanitization (CSS classes, animations,
+ * external refs they own) should install DOMPurify and configure it.
+ */
+/**
+ * Sanitize an SVG string. Async because DOMPurify is loaded lazily.
+ * Returns the safe SVG markup, or empty string if nothing safe remained.
+ */
+export declare function sanitizeSvg(svg: string): Promise<string>;

package/dist/runtime/utils/sanitizeSvg.js

@@ -0,0 +1,87 @@
+let domPurifyCache = null;
+let loadingPromise = null;
+let warnedMissing = false;
+async function tryLoadDomPurify() {
+  if (domPurifyCache) return domPurifyCache;
+  if (loadingPromise) return loadingPromise;
+  loadingPromise = (async () => {
+    try {
+      const pkg = "dompurify";
+      const mod = await import(
+        /* @vite-ignore */
+        pkg
+      );
+      domPurifyCache = mod?.default ?? mod;
+      return domPurifyCache;
+    } catch {
+      if (import.meta.dev && !warnedMissing) {
+        warnedMissing = true;
+        console.warn(
+          "[abracadabra] svg-embed: `dompurify` peer dependency not installed. Falling back to a strict built-in SVG sanitizer. Install with `pnpm add dompurify` for richer SVG support (CSS, animations, etc.)."
+        );
+      }
+      return null;
+    } finally {
+      loadingPromise = null;
+    }
+  })();
+  return loadingPromise;
+}
+const DANGEROUS_TAGS = /* @__PURE__ */ new Set([
+  "script",
+  "foreignobject",
+  "iframe",
+  "embed",
+  "object",
+  "meta",
+  "link"
+]);
+const ALLOWED_PROTOCOL_PREFIXES = ["#", "data:image/"];
+function strictBuiltinSanitize(svg) {
+  const stripped = svg.replace(/<\?xml[^?]*\?>/gi, "").replace(/<!DOCTYPE[^>]*>/gi, "").trim();
+  if (!stripped) return "";
+  if (typeof DOMParser === "undefined") {
+    return "";
+  }
+  const doc = new DOMParser().parseFromString(stripped, "image/svg+xml");
+  if (doc.querySelector("parsererror")) return "";
+  const walker = doc.createTreeWalker(doc.documentElement, NodeFilter.SHOW_ELEMENT);
+  const toRemove = [];
+  let node = doc.documentElement;
+  while (node) {
+    if (DANGEROUS_TAGS.has(node.tagName.toLowerCase())) {
+      toRemove.push(node);
+    } else {
+      for (const attr of Array.from(node.attributes)) {
+        const name = attr.name.toLowerCase();
+        if (name.startsWith("on")) {
+          node.removeAttribute(attr.name);
+          continue;
+        }
+        if (name === "href" || name === "xlink:href") {
+          const v = attr.value.trim().toLowerCase();
+          if (!ALLOWED_PROTOCOL_PREFIXES.some((p) => v.startsWith(p))) {
+            node.removeAttribute(attr.name);
+          }
+        }
+      }
+    }
+    node = walker.nextNode();
+  }
+  for (const el of toRemove) el.remove();
+  return doc.documentElement.outerHTML;
+}
+export async function sanitizeSvg(svg) {
+  if (!svg) return "";
+  const purify = await tryLoadDomPurify();
+  if (purify) {
+    const stripped = svg.replace(/<\?xml[^?]*\?>/gi, "").replace(/<!DOCTYPE[^>]*>/gi, "").trim();
+    return purify.sanitize(stripped, {
+      USE_PROFILES: { svg: true, svgFilters: true },
+      ADD_TAGS: ["use", "style"],
+      FORBID_TAGS: ["script", "foreignObject", "iframe", "embed", "object"],
+      FORBID_ATTR: ["onload", "onerror", "onclick", "onmouseover", "onfocus", "onblur"]
+    });
+  }
+  return strictBuiltinSanitize(svg);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abraca/nuxt",
-  "version": "2.0.0",
+  "version": "2.0.3",
   "description": "First-class Nuxt module for the Abracadabra CRDT collaboration platform",
   "repository": "abracadabra/abracadabra-nuxt",
   "license": "MIT",
@@ -26,7 +26,6 @@
     "access": "public"
   },
   "scripts": {
-    "seed": "node --experimental-strip-types scripts/seed-playground.ts",
     "prepack": "nuxt-module-build build",
     "dev": "npm run dev:prepare && nuxt dev playground",
     "dev:build": "nuxt build playground",
@@ -49,9 +48,9 @@
     "nanoevents": "^9.1.0"
   },
   "peerDependencies": {
-    "@abraca/dabra": "^2.0.0",
-    "@noble/ed25519": "~2.3.0",
-    "@noble/hashes": "^1.8.0",
+    "@abraca/dabra": "^2.0.3",
+    "@noble/ed25519": "^3.1.0",
+    "@noble/hashes": "^2.2.0",
     "@nuxt/ui": "^3.0.0",
     "@tanstack/vue-virtual": "^3.10.0",
     "@tiptap/core": "^3.0.0",
@@ -97,10 +96,10 @@
     }
   },
   "devDependencies": {
-    "@abraca/dabra": "^2.0.0",
+    "@abraca/dabra": "^2.0.3",
     "@iconify-json/lucide": "^1.2.105",
-    "@noble/ed25519": "~2.3.0",
-    "@noble/hashes": "^1.8.0",
+    "@noble/ed25519": "^3.1.0",
+    "@noble/hashes": "^2.2.0",
     "@nuxt/eslint-config": "^1.15.2",
     "@nuxt/module-builder": "^1.0.2",
     "@nuxt/schema": "^4.4.4",

package/dist/runtime/components/renderers/ASpatialRenderer.d.vue.ts

@@ -1,19 +0,0 @@
-import { type RendererBaseProps } from '../../composables/useRendererBase.js';
-import type { AbracadabraLocale } from '../../locale.js';
-type __VLS_Props = RendererBaseProps & {
-    labels?: Partial<AbracadabraLocale['renderers']>;
-    editable?: boolean;
-};
-declare const __VLS_export: import("vue").DefineComponent<__VLS_Props, {
-    connectedUsers: import("vue").ComputedRef<{
-        clientId: number;
-        name: string;
-        color: string;
-        avatar: string | undefined;
-        publicKey: any;
-    }[]>;
-}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{}>, {
-    editable: boolean;
-}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
-declare const _default: typeof __VLS_export;
-export default _default;