@aiworkbench/vibe-bridge 0.0.4 → 0.0.5

package/dist/components/VibeHost.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"VibeHost.d.ts","sourceRoot":"","sources":["../../src/components/VibeHost.tsx"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAiFnD,wBAAgB,QAAQ,CAAC,KAAK,EAAE,aAAa,2CAiB5C"}
+{"version":3,"file":"VibeHost.d.ts","sourceRoot":"","sources":["../../src/components/VibeHost.tsx"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAkFnD,wBAAgB,QAAQ,CAAC,KAAK,EAAE,aAAa,2CAiB5C"}

package/dist/core/loader.d.ts

@@ -1,3 +1,35 @@
-export declare function loadScript(src: string): Promise<void>;
+/**
+ * Register shared dependencies that mini-app bundles may import as bare
+ * specifiers. Call this once at app startup, *before* any VibeHost renders.
+ *
+ * Example:
+ *   setSharedDependencies({
+ *     "react":            "https://esm.sh/react@19",
+ *     "react/jsx-runtime":"https://esm.sh/react@19/jsx-runtime",
+ *     "react-dom":        "https://esm.sh/react-dom@19",
+ *     "react-dom/client":  "https://esm.sh/react-dom@19/client",
+ *   });
+ */
+export declare function setSharedDependencies(deps: Record<string, string>): void;
+/**
+ * Configure the set of trusted origins for mini-app bundles.
+ * Call this once at app startup before any VibeHost renders.
+ *
+ * Example:
+ *   setAllowedOrigins([
+ *     "https://vibedevstore.blob.core.windows.net",
+ *     "https://vibestagingstore.blob.core.windows.net",
+ *   ]);
+ */
+export declare function setAllowedOrigins(origins: string[]): void;
+export interface LoadScriptOptions {
+    /** SRI integrity hash (e.g. "sha384-..."). If provided, the browser will
+     *  refuse to execute the script if the content doesn't match. */
+    integrity?: string;
+    /** CORS setting for the script. Required for SRI on cross-origin scripts.
+     *  Defaults to "anonymous" when integrity is provided. */
+    crossOrigin?: string;
+}
+export declare function loadScript(src: string, options?: LoadScriptOptions): Promise<void>;
 export declare function waitForElement(tagName: string): Promise<void>;
 //# sourceMappingURL=loader.d.ts.map

package/dist/core/loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/core/loader.ts"],"names":[],"mappings":"AAmBA,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA8BrD;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAK7D"}
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/core/loader.ts"],"names":[],"mappings":"AAoBA;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CASxE;AAgBD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAQzD;AAwBD,MAAM,WAAW,iBAAiB;IAChC;qEACiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;8DAC0D;IAC1D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,wBAAgB,UAAU,CACxB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,iBAAiB,GAC1B,OAAO,CAAC,IAAI,CAAC,CA8Cf;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAK7D"}

package/dist/core/types.d.ts

@@ -5,6 +5,10 @@ export interface VibeHostProps {
     manifest: VibeManifest;
     /** URL to the built JS bundle for the mini-app. */
     src: string;
+    /** SRI integrity hash (e.g. "sha384-...") from the registry entry.
+     *  When provided, the browser refuses to execute the script if the
+     *  content doesn't match — preventing tampered bundles from running. */
+    integrity?: string;
     /** Shown while the script loads and custom element registers. */
     fallback?: ReactNode;
     /** Shown when the script fails to load or the element fails to mount. */

package/dist/core/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,MAAM,EACN,YAAY,EACZ,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,WAAW,EACX,WAAW,EACX,aAAa,EACb,YAAY,EACb,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,iEAAiE;IACjE,QAAQ,EAAE,YAAY,CAAC;IACvB,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;IACZ,iEAAiE;IACjE,QAAQ,CAAC,EAAE,SAAS,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,SAAS,CAAC;IAC5C,iDAAiD;IACjD,QAAQ,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrC,uEAAuE;IACvE,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,sCAAsC;IACtC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,UAAU,CAAC;IACjB,GAAG,EAAE,SAAS,CAAC;IACf,UAAU,EAAE,gBAAgB,CAAC;IAC7B,KAAK,EAAE,WAAW,CAAC;IACnB,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;AAEzD,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,YAAY,CAAC;IACrB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,SAAS,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,KAAK,CAAC;IAC1D,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;CACvC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,MAAM,EACN,YAAY,EACZ,UAAU,EACV,SAAS,EACT,gBAAgB,EAChB,WAAW,EACX,WAAW,EACX,aAAa,EACb,YAAY,EACb,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,iEAAiE;IACjE,QAAQ,EAAE,YAAY,CAAC;IACvB,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;IACZ;;4EAEwE;IACxE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iEAAiE;IACjE,QAAQ,CAAC,EAAE,SAAS,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,SAAS,CAAC;IAC5C,iDAAiD;IACjD,QAAQ,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrC,uEAAuE;IACvE,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,sCAAsC;IACtC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,UAAU,CAAC;IACjB,GAAG,EAAE,SAAS,CAAC;IACf,UAAU,EAAE,gBAAgB,CAAC;IAC7B,KAAK,EAAE,WAAW,CAAC;IACnB,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;AAEzD,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,YAAY,CAAC;IACrB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,SAAS,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,KAAK,CAAC;IAC1D,SAAS,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;CACvC"}

package/dist/hooks/useVibeLoader.d.ts

@@ -1,3 +1,3 @@
 import type { UseVibeLoaderResult } from "../core/types";
-export declare function useVibeLoader(src: string, tagName: string): UseVibeLoaderResult;
+export declare function useVibeLoader(src: string, tagName: string, integrity?: string): UseVibeLoaderResult;
 //# sourceMappingURL=useVibeLoader.d.ts.map

package/dist/hooks/useVibeLoader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useVibeLoader.d.ts","sourceRoot":"","sources":["../../src/hooks/useVibeLoader.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAgB,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEvE,wBAAgB,aAAa,CAC3B,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,GACd,mBAAmB,CAkCrB"}
+{"version":3,"file":"useVibeLoader.d.ts","sourceRoot":"","sources":["../../src/hooks/useVibeLoader.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAgB,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEvE,wBAAgB,aAAa,CAC3B,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,EACf,SAAS,CAAC,EAAE,MAAM,GACjB,mBAAmB,CAkCrB"}

package/dist/index.d.ts

@@ -12,6 +12,7 @@ export { createStorageAdapter } from "./adapters/storage";
 export { createEventsAdapter } from "./adapters/events";
 export { filterByPermissions } from "./core/permissions";
 export { getEventBus, emitEvent } from "./core/event-bus";
+export { setAllowedOrigins, setSharedDependencies } from "./core/loader";
 export type { VibeHostProps, AdapterOverrides, LoaderStatus, UseVibeLoaderResult, } from "./core/types";
 export type { AuthAdapterDeps } from "./adapters/auth";
 export type { ApiAdapterDeps } from "./adapters/api";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAGnE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAG1D,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,YAAY,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AACnE,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAGnE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGzE,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,YAAY,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AACnE,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -7,6 +7,31 @@ import { useState, useEffect } from "react";
 // src/core/loader.ts
 var loadedScripts = new Set;
 var ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);
+var allowedOrigins = null;
+var sharedDeps = null;
+var importMapInjected = false;
+function setSharedDependencies(deps) {
+  if (importMapInjected) {
+    console.warn("[vibe-bridge] setSharedDependencies() called after an import map " + "was already injected. The new entries will be ignored.");
+    return;
+  }
+  sharedDeps = { ...deps };
+}
+function ensureImportMap() {
+  if (importMapInjected || !sharedDeps)
+    return;
+  const script = document.createElement("script");
+  script.type = "importmap";
+  script.textContent = JSON.stringify({ imports: sharedDeps });
+  document.head.appendChild(script);
+  importMapInjected = true;
+}
+function setAllowedOrigins(origins) {
+  allowedOrigins = new Set(origins.map((o) => {
+    const url = new URL(o);
+    return url.origin;
+  }));
+}
 function validateScriptSrc(src) {
   let url;
   try {
@@ -17,9 +42,12 @@ function validateScriptSrc(src) {
   if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
     return `Refused to load vibe app script with disallowed protocol "${url.protocol}": ${src}`;
   }
+  if (allowedOrigins && !allowedOrigins.has(url.origin)) {
+    return `Refused to load vibe app script from untrusted origin "${url.origin}": ${src}. ` + `Allowed origins: ${[...allowedOrigins].join(", ")}`;
+  }
   return null;
 }
-function loadScript(src) {
+function loadScript(src, options) {
   const validationError = validateScriptSrc(src);
   if (validationError) {
     return Promise.reject(new Error(validationError));
@@ -37,13 +65,19 @@ function loadScript(src) {
     const script = document.createElement("script");
     script.type = "module";
     script.src = src;
+    if (options?.integrity) {
+      script.integrity = options.integrity;
+      script.crossOrigin = options.crossOrigin ?? "anonymous";
+    }
     script.onload = () => {
       loadedScripts.add(src);
       resolve();
     };
     script.onerror = () => {
-      reject(new Error(`Failed to load vibe app script: ${src}`));
+      const integrityHint = options?.integrity ? " This may be an SRI integrity mismatch — the bundle content doesn't match the expected hash." : "";
+      reject(new Error(`Failed to load vibe app script: ${src}.${integrityHint}`));
     };
+    ensureImportMap();
     document.head.appendChild(script);
   });
 }
@@ -57,14 +91,14 @@ function waitForElement(tagName) {
 }
 
 // src/hooks/useVibeLoader.ts
-function useVibeLoader(src, tagName) {
+function useVibeLoader(src, tagName, integrity) {
   const [status, setStatus] = useState("loading");
   const [error, setError] = useState(null);
   useEffect(() => {
     let cancelled = false;
     setStatus("loading");
     setError(null);
-    loadScript(src).then(() => waitForElement(tagName)).then(() => {
+    loadScript(src, integrity ? { integrity } : undefined).then(() => waitForElement(tagName)).then(() => {
       if (!cancelled) {
         setStatus("ready");
       }
@@ -78,7 +112,7 @@ function useVibeLoader(src, tagName) {
     return () => {
       cancelled = true;
     };
-  }, [src, tagName]);
+  }, [src, tagName, integrity]);
   return { status, error };
 }
 
@@ -339,6 +373,7 @@ import { jsxDEV, Fragment } from "react/jsx-dev-runtime";
 function VibeHostInner({
   manifest,
   src,
+  integrity,
   fallback,
   errorFallback,
   adapters,
@@ -350,7 +385,7 @@ function VibeHostInner({
   const containerRef = useRef(null);
   const elementRef = useRef(null);
   const readyFiredRef = useRef(false);
-  const { status, error: loadError } = useVibeLoader(src, manifest.id);
+  const { status, error: loadError } = useVibeLoader(src, manifest.id, integrity);
   const bridge = useVibeBridge({
     appId: manifest.id,
     permissions: manifest.permissions,
@@ -435,6 +470,8 @@ export {
   useVibeLoader,
   useVibeEvents,
   useVibeBridge,
+  setSharedDependencies,
+  setAllowedOrigins,
   getEventBus,
   filterByPermissions,
   emitEvent,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aiworkbench/vibe-bridge",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "publishConfig": { "access": "public" },
   "type": "module",
   "main": "dist/index.js",