@archie/devtools 0.0.6 → 0.0.9

package/dist/{chunk-NYVHR4QL.mjs → chunk-6HHNPJXA.mjs}

@@ -1,6 +1,8 @@
 import {
-  getAllowedOrigins
-} from "./chunk-6MYORGLK.mjs";
+  getAllowedOriginPatterns,
+  getAllowedOrigins,
+  isPreviewOrigin
+} from "./chunk-D5EA6RR5.mjs";
 
 // src/client/inject-inspector/injectInspector.ts
 var DEFAULT_SCRIPT_ID = "archie-inspector-script";
@@ -32,12 +34,19 @@ function injectInspector(opts = {}) {
     if (allowed.length > 0) {
       win["__ARCHIE_INSPECTOR_ALLOWED_ORIGINS__"] = allowed;
     }
+    const patterns = getAllowedOriginPatterns();
+    if (patterns.length > 0) {
+      win["__ARCHIE_INSPECTOR_ALLOWED_ORIGIN_PATTERNS__"] = patterns;
+    }
     let target;
     if (opts.targetOrigin !== void 0 && opts.targetOrigin !== "*") {
       target = opts.targetOrigin || void 0;
     } else if (referrer) {
       try {
-        target = new URL(referrer).origin;
+        const referrerOrigin = new URL(referrer).origin;
+        if (!isPreviewOrigin(referrerOrigin)) {
+          target = referrerOrigin;
+        }
       } catch {
         target = void 0;
       }
@@ -48,7 +57,7 @@ function injectInspector(opts = {}) {
       win["__ARCHIE_INSPECTOR_TARGET_ORIGIN__"] = target;
     }
   }
-  return import("./inspector-LTHUYUGW.mjs").then((m) => {
+  return import("./inspector-QDRZLXRP.mjs").then((m) => {
     try {
       m.default();
     } catch (err) {

package/dist/chunk-D5EA6RR5.mjs

@@ -0,0 +1,47 @@
+// src/constants/archieOrigins.ts
+var ARCHIE_HOST_ORIGINS = [
+  "https://app.dev.archie-platform.com",
+  "https://app.staging.archie-platform.com",
+  "https://app.archie.com"
+];
+var ARCHIE_PREVIEW_ORIGIN_SUFFIXES = [
+  ".staging.archie-platform.com",
+  ".archie-platform.com",
+  ".archie.com"
+];
+var PREVIEW_DEPLOY_HOST_SUFFIXES = [
+  ".previews.staging.archie-platform.com",
+  ".previews.archie-platform.com",
+  ".previews.archie.com"
+];
+var LOCAL_DEV_ORIGINS = [
+  "http://localhost:3000",
+  "http://localhost:3001"
+];
+function getAllowedOrigins(includeLocal = false) {
+  const list = [...ARCHIE_HOST_ORIGINS];
+  if (includeLocal) list.push(...LOCAL_DEV_ORIGINS);
+  return list;
+}
+function getAllowedOriginPatterns() {
+  return [...ARCHIE_PREVIEW_ORIGIN_SUFFIXES];
+}
+function isPreviewOrigin(origin) {
+  if (!origin || typeof origin !== "string") return false;
+  try {
+    const host = new URL(origin).host;
+    return PREVIEW_DEPLOY_HOST_SUFFIXES.some((suffix) => host.endsWith(suffix));
+  } catch {
+    return false;
+  }
+}
+
+export {
+  ARCHIE_HOST_ORIGINS,
+  ARCHIE_PREVIEW_ORIGIN_SUFFIXES,
+  PREVIEW_DEPLOY_HOST_SUFFIXES,
+  LOCAL_DEV_ORIGINS,
+  getAllowedOrigins,
+  getAllowedOriginPatterns,
+  isPreviewOrigin
+};

package/dist/client/inject-inspector/auto.js

@@ -87,10 +87,33 @@ function runInspector() {
       }
     }
     var ALLOWED_ORIGINS = typeof window !== "undefined" && window.__ARCHIE_INSPECTOR_ALLOWED_ORIGINS__ || null;
+    var ALLOWED_ORIGIN_PATTERNS = typeof window !== "undefined" && window.__ARCHIE_INSPECTOR_ALLOWED_ORIGIN_PATTERNS__ || [];
     function isOriginAllowed(origin) {
       if (!origin) return false;
-      if (!Array.isArray(ALLOWED_ORIGINS) || ALLOWED_ORIGINS.length === 0 || ALLOWED_ORIGINS === "*") return false;
-      return ALLOWED_ORIGINS.indexOf(origin) !== -1;
+      if (Array.isArray(ALLOWED_ORIGINS) && ALLOWED_ORIGINS.length > 0 && ALLOWED_ORIGINS !== "*") {
+        if (ALLOWED_ORIGINS.indexOf(origin) !== -1) return true;
+      }
+      if (Array.isArray(ALLOWED_ORIGIN_PATTERNS) && ALLOWED_ORIGIN_PATTERNS.length > 0) {
+        try {
+          var host = new URL(origin).host;
+          for (var i = 0; i < ALLOWED_ORIGIN_PATTERNS.length; i++) {
+            if (host.endsWith(ALLOWED_ORIGIN_PATTERNS[i])) return true;
+          }
+        } catch (e) {
+        }
+      }
+      return false;
+    }
+    function isStyleValueSafe(value) {
+      if (value == null || typeof value !== "string") return false;
+      if (value.length > 1e4) return false;
+      var lower = value.toLowerCase();
+      if (lower.indexOf("javascript:") !== -1) return false;
+      if (lower.indexOf("expression(") !== -1) return false;
+      if (lower.indexOf("-moz-binding") !== -1) return false;
+      if (lower.indexOf("behavior") !== -1) return false;
+      if (lower.indexOf("vbscript:") !== -1) return false;
+      return true;
     }
     var SCROLL_LISTENER_OPTS = { capture: true, passive: true };
     var RESIZE_LISTENER_OPTS = { passive: true };
@@ -691,6 +714,17 @@ function runInspector() {
           property,
           value
         });
+        if (!property || typeof property !== "string" || property.length > 100 || !isStyleValueSafe(value)) {
+          inspectorWarn("[Inspector] Rejected invalid or unsafe style property/value");
+          postMessageToParent({
+            type: "STYLE_CHANGE_FAILED",
+            selector,
+            property: typeof property === "string" ? property : "",
+            value: value != null ? String(value).slice(0, 100) : "",
+            error: !isStyleValueSafe(value) ? "Invalid or unsafe style value" : "Invalid property"
+          });
+          return;
+        }
         let element = null;
         element = getSelectedElement();
         if (element) {
@@ -766,6 +800,7 @@ function runInspector() {
           );
           setTimeout(() => {
             try {
+              if (!isStyleValueSafe(value)) return;
               const retryElement = document.querySelector(selector);
               if (retryElement) {
                 inspectorLog("[Inspector] Found element on retry");
@@ -858,7 +893,8 @@ function runInspector() {
           });
           return;
         }
-        const classes = className.split(/\s+/).filter(Boolean);
+        var classStr = typeof className === "string" ? className.slice(0, 2e3) : "";
+        const classes = classStr.split(/\s+/).filter(Boolean).slice(0, 100);
         classes.forEach((cls) => {
           if (action === "remove") {
             element.classList.remove(cls);
@@ -898,6 +934,15 @@ function runInspector() {
         });
       } else if (event.data && event.data.type === "APPLY_TEXT_CHANGE") {
         const { selector, text } = event.data;
+        if (text != null && typeof text === "string" && text.length > 5e5) {
+          postMessageToParent({
+            type: "TEXT_CHANGE_FAILED",
+            selector,
+            text: "",
+            error: "Text value too long"
+          });
+          return;
+        }
         const element = getSelectedElement();
         if (!element) {
           postMessageToParent({
@@ -908,7 +953,7 @@ function runInspector() {
           });
           return;
         }
-        element.textContent = text;
+        element.textContent = text != null ? String(text) : "";
         postMessageToParent({
           type: "TEXT_CHANGE_APPLIED",
           selector,
@@ -1116,6 +1161,16 @@ var ARCHIE_HOST_ORIGINS = [
   "https://app.staging.archie-platform.com",
   "https://app.archie.com"
 ];
+var ARCHIE_PREVIEW_ORIGIN_SUFFIXES = [
+  ".staging.archie-platform.com",
+  ".archie-platform.com",
+  ".archie.com"
+];
+var PREVIEW_DEPLOY_HOST_SUFFIXES = [
+  ".previews.staging.archie-platform.com",
+  ".previews.archie-platform.com",
+  ".previews.archie.com"
+];
 var LOCAL_DEV_ORIGINS = [
   "http://localhost:3000",
   "http://localhost:3001"
@@ -1125,6 +1180,18 @@ function getAllowedOrigins(includeLocal = false) {
   if (includeLocal) list.push(...LOCAL_DEV_ORIGINS);
   return list;
 }
+function getAllowedOriginPatterns() {
+  return [...ARCHIE_PREVIEW_ORIGIN_SUFFIXES];
+}
+function isPreviewOrigin(origin) {
+  if (!origin || typeof origin !== "string") return false;
+  try {
+    const host = new URL(origin).host;
+    return PREVIEW_DEPLOY_HOST_SUFFIXES.some((suffix) => host.endsWith(suffix));
+  } catch {
+    return false;
+  }
+}
 
 // src/client/inject-inspector/injectInspector.ts
 var DEFAULT_SCRIPT_ID = "archie-inspector-script";
@@ -1156,12 +1223,19 @@ function injectInspector(opts = {}) {
     if (allowed.length > 0) {
       win["__ARCHIE_INSPECTOR_ALLOWED_ORIGINS__"] = allowed;
     }
+    const patterns = getAllowedOriginPatterns();
+    if (patterns.length > 0) {
+      win["__ARCHIE_INSPECTOR_ALLOWED_ORIGIN_PATTERNS__"] = patterns;
+    }
     let target;
     if (opts.targetOrigin !== void 0 && opts.targetOrigin !== "*") {
       target = opts.targetOrigin || void 0;
     } else if (referrer) {
       try {
-        target = new URL(referrer).origin;
+        const referrerOrigin = new URL(referrer).origin;
+        if (!isPreviewOrigin(referrerOrigin)) {
+          target = referrerOrigin;
+        }
       } catch {
         target = void 0;
       }

package/dist/client/inject-inspector/auto.mjs

@@ -1,7 +1,7 @@
 import {
   injectInspector
-} from "../../chunk-NYVHR4QL.mjs";
-import "../../chunk-6MYORGLK.mjs";
+} from "../../chunk-6HHNPJXA.mjs";
+import "../../chunk-D5EA6RR5.mjs";
 
 // src/client/inject-inspector/auto.ts
 injectInspector();

package/dist/client/inject-inspector/injectInspector.d.mts

@@ -8,8 +8,10 @@ type InjectOptions = {
      */
     allowedOrigins?: string | string[];
     /**
-     * Origin to which the inspector sends postMessage replies.
-     * If not set and in an iframe, uses document.referrer origin.
+     * Origin to which the inspector sends postMessage replies (the parent window).
+     * If not set and in an iframe, uses document.referrer origin — except when the page
+     * is a preview iframe (*.previews.staging.archie-platform.com), in which case you
+     * must pass the parent app origin (e.g. https://app.dev.archie-platform.com).
      * "*" is not allowed.
      */
     targetOrigin?: string;
@@ -24,7 +26,10 @@ type InjectOptions = {
  * Safe to call multiple times: avoids duplicate execution by id.
  * No-op when run outside the browser (e.g. SSR).
  *
- * Origin restrictions are always set (never "*"): Archie host origins, and in dev optionally localhost.
+ * Security: Origin restrictions are always set (never "*"). We do not inject
+ * script via eval/Function or write HTML (innerHTML/insertAdjacentHTML).
+ * The inspector only accepts postMessage from allowlisted origins and
+ * sanitizes style values before applying to the DOM.
  *
  * @returns Promise that resolves to the marker script element, or null if not in browser / already present
  */

package/dist/client/inject-inspector/injectInspector.d.ts

@@ -8,8 +8,10 @@ type InjectOptions = {
      */
     allowedOrigins?: string | string[];
     /**
-     * Origin to which the inspector sends postMessage replies.
-     * If not set and in an iframe, uses document.referrer origin.
+     * Origin to which the inspector sends postMessage replies (the parent window).
+     * If not set and in an iframe, uses document.referrer origin — except when the page
+     * is a preview iframe (*.previews.staging.archie-platform.com), in which case you
+     * must pass the parent app origin (e.g. https://app.dev.archie-platform.com).
      * "*" is not allowed.
      */
     targetOrigin?: string;
@@ -24,7 +26,10 @@ type InjectOptions = {
  * Safe to call multiple times: avoids duplicate execution by id.
  * No-op when run outside the browser (e.g. SSR).
  *
- * Origin restrictions are always set (never "*"): Archie host origins, and in dev optionally localhost.
+ * Security: Origin restrictions are always set (never "*"). We do not inject
+ * script via eval/Function or write HTML (innerHTML/insertAdjacentHTML).
+ * The inspector only accepts postMessage from allowlisted origins and
+ * sanitizes style values before applying to the DOM.
  *
  * @returns Promise that resolves to the marker script element, or null if not in browser / already present
  */

package/dist/client/inject-inspector/injectInspector.js

@@ -98,10 +98,33 @@ function runInspector() {
       }
     }
     var ALLOWED_ORIGINS = typeof window !== "undefined" && window.__ARCHIE_INSPECTOR_ALLOWED_ORIGINS__ || null;
+    var ALLOWED_ORIGIN_PATTERNS = typeof window !== "undefined" && window.__ARCHIE_INSPECTOR_ALLOWED_ORIGIN_PATTERNS__ || [];
     function isOriginAllowed(origin) {
       if (!origin) return false;
-      if (!Array.isArray(ALLOWED_ORIGINS) || ALLOWED_ORIGINS.length === 0 || ALLOWED_ORIGINS === "*") return false;
-      return ALLOWED_ORIGINS.indexOf(origin) !== -1;
+      if (Array.isArray(ALLOWED_ORIGINS) && ALLOWED_ORIGINS.length > 0 && ALLOWED_ORIGINS !== "*") {
+        if (ALLOWED_ORIGINS.indexOf(origin) !== -1) return true;
+      }
+      if (Array.isArray(ALLOWED_ORIGIN_PATTERNS) && ALLOWED_ORIGIN_PATTERNS.length > 0) {
+        try {
+          var host = new URL(origin).host;
+          for (var i = 0; i < ALLOWED_ORIGIN_PATTERNS.length; i++) {
+            if (host.endsWith(ALLOWED_ORIGIN_PATTERNS[i])) return true;
+          }
+        } catch (e) {
+        }
+      }
+      return false;
+    }
+    function isStyleValueSafe(value) {
+      if (value == null || typeof value !== "string") return false;
+      if (value.length > 1e4) return false;
+      var lower = value.toLowerCase();
+      if (lower.indexOf("javascript:") !== -1) return false;
+      if (lower.indexOf("expression(") !== -1) return false;
+      if (lower.indexOf("-moz-binding") !== -1) return false;
+      if (lower.indexOf("behavior") !== -1) return false;
+      if (lower.indexOf("vbscript:") !== -1) return false;
+      return true;
     }
     var SCROLL_LISTENER_OPTS = { capture: true, passive: true };
     var RESIZE_LISTENER_OPTS = { passive: true };
@@ -702,6 +725,17 @@ function runInspector() {
           property,
           value
         });
+        if (!property || typeof property !== "string" || property.length > 100 || !isStyleValueSafe(value)) {
+          inspectorWarn("[Inspector] Rejected invalid or unsafe style property/value");
+          postMessageToParent({
+            type: "STYLE_CHANGE_FAILED",
+            selector,
+            property: typeof property === "string" ? property : "",
+            value: value != null ? String(value).slice(0, 100) : "",
+            error: !isStyleValueSafe(value) ? "Invalid or unsafe style value" : "Invalid property"
+          });
+          return;
+        }
         let element = null;
         element = getSelectedElement();
         if (element) {
@@ -777,6 +811,7 @@ function runInspector() {
           );
           setTimeout(() => {
             try {
+              if (!isStyleValueSafe(value)) return;
               const retryElement = document.querySelector(selector);
               if (retryElement) {
                 inspectorLog("[Inspector] Found element on retry");
@@ -869,7 +904,8 @@ function runInspector() {
           });
           return;
         }
-        const classes = className.split(/\s+/).filter(Boolean);
+        var classStr = typeof className === "string" ? className.slice(0, 2e3) : "";
+        const classes = classStr.split(/\s+/).filter(Boolean).slice(0, 100);
         classes.forEach((cls) => {
           if (action === "remove") {
             element.classList.remove(cls);
@@ -909,6 +945,15 @@ function runInspector() {
         });
       } else if (event.data && event.data.type === "APPLY_TEXT_CHANGE") {
         const { selector, text } = event.data;
+        if (text != null && typeof text === "string" && text.length > 5e5) {
+          postMessageToParent({
+            type: "TEXT_CHANGE_FAILED",
+            selector,
+            text: "",
+            error: "Text value too long"
+          });
+          return;
+        }
         const element = getSelectedElement();
         if (!element) {
           postMessageToParent({
@@ -919,7 +964,7 @@ function runInspector() {
           });
           return;
         }
-        element.textContent = text;
+        element.textContent = text != null ? String(text) : "";
         postMessageToParent({
           type: "TEXT_CHANGE_APPLIED",
           selector,
@@ -1134,6 +1179,16 @@ var ARCHIE_HOST_ORIGINS = [
   "https://app.staging.archie-platform.com",
   "https://app.archie.com"
 ];
+var ARCHIE_PREVIEW_ORIGIN_SUFFIXES = [
+  ".staging.archie-platform.com",
+  ".archie-platform.com",
+  ".archie.com"
+];
+var PREVIEW_DEPLOY_HOST_SUFFIXES = [
+  ".previews.staging.archie-platform.com",
+  ".previews.archie-platform.com",
+  ".previews.archie.com"
+];
 var LOCAL_DEV_ORIGINS = [
   "http://localhost:3000",
   "http://localhost:3001"
@@ -1143,6 +1198,18 @@ function getAllowedOrigins(includeLocal = false) {
   if (includeLocal) list.push(...LOCAL_DEV_ORIGINS);
   return list;
 }
+function getAllowedOriginPatterns() {
+  return [...ARCHIE_PREVIEW_ORIGIN_SUFFIXES];
+}
+function isPreviewOrigin(origin) {
+  if (!origin || typeof origin !== "string") return false;
+  try {
+    const host = new URL(origin).host;
+    return PREVIEW_DEPLOY_HOST_SUFFIXES.some((suffix) => host.endsWith(suffix));
+  } catch {
+    return false;
+  }
+}
 
 // src/client/inject-inspector/injectInspector.ts
 var DEFAULT_SCRIPT_ID = "archie-inspector-script";
@@ -1174,12 +1241,19 @@ function injectInspector(opts = {}) {
     if (allowed.length > 0) {
       win["__ARCHIE_INSPECTOR_ALLOWED_ORIGINS__"] = allowed;
     }
+    const patterns = getAllowedOriginPatterns();
+    if (patterns.length > 0) {
+      win["__ARCHIE_INSPECTOR_ALLOWED_ORIGIN_PATTERNS__"] = patterns;
+    }
     let target;
     if (opts.targetOrigin !== void 0 && opts.targetOrigin !== "*") {
       target = opts.targetOrigin || void 0;
     } else if (referrer) {
       try {
-        target = new URL(referrer).origin;
+        const referrerOrigin = new URL(referrer).origin;
+        if (!isPreviewOrigin(referrerOrigin)) {
+          target = referrerOrigin;
+        }
       } catch {
         target = void 0;
       }

package/dist/client/inject-inspector/injectInspector.mjs

@@ -1,7 +1,7 @@
 import {
   injectInspector
-} from "../../chunk-NYVHR4QL.mjs";
-import "../../chunk-6MYORGLK.mjs";
+} from "../../chunk-6HHNPJXA.mjs";
+import "../../chunk-D5EA6RR5.mjs";
 export {
   injectInspector
 };

package/dist/constants/archieOrigins.d.mts

@@ -6,6 +6,19 @@
  * @see https://app.archie.com
  */
 declare const ARCHIE_HOST_ORIGINS: readonly ["https://app.dev.archie-platform.com", "https://app.staging.archie-platform.com", "https://app.archie.com"];
+/**
+ * Origin suffix patterns for Archie preview iframes (e.g. deploy previews).
+ * The inspector allows any origin whose host ends with one of these suffixes
+ * to send messages to the inspector (allowlist).
+ */
+declare const ARCHIE_PREVIEW_ORIGIN_SUFFIXES: readonly [".staging.archie-platform.com", ".archie-platform.com", ".archie.com"];
+/**
+ * Host suffixes that identify a **preview deploy** iframe (e.g. 0cf7f787-....previews.staging.archie-platform.com).
+ * Used only by isPreviewOrigin() to decide "don't use referrer as targetOrigin" when the *current page*
+ * is a preview iframe. Must be narrower than ARCHIE_PREVIEW_ORIGIN_SUFFIXES so that the parent
+ * (e.g. app.dev.archie-platform.com) is not treated as a preview and its origin is used as targetOrigin.
+ */
+declare const PREVIEW_DEPLOY_HOST_SUFFIXES: readonly [".previews.staging.archie-platform.com", ".previews.archie-platform.com", ".previews.archie.com"];
 /**
  * Common local origins for development. Add these when testing the inspector
  * with the host running on localhost (e.g. host on :3000, preview iframe on :5173).
@@ -20,5 +33,16 @@ type ArchieHostOrigin = (typeof ARCHIE_HOST_ORIGINS)[number];
  * @param includeLocal - If true, appends LOCAL_DEV_ORIGINS for local testing
  */
 declare function getAllowedOrigins(includeLocal?: boolean): string[];
+/**
+ * Returns origin suffix patterns for preview iframes. The inspector allows any origin
+ * one of these suffixes (after the protocol).
+ */
+declare function getAllowedOriginPatterns(): string[];
+/**
+ * Returns true if the given origin is a preview **deploy** iframe (e.g. xxx.previews.staging.archie-platform.com).
+ * Used so we don't use that origin as postMessage targetOrigin; the target must be the parent app.
+ * Does not match app.dev.archie-platform.com / app.staging.archie-platform.com (so they can be used as target).
+ */
+declare function isPreviewOrigin(origin: string): boolean;
 
-export { ARCHIE_HOST_ORIGINS, type ArchieHostOrigin, LOCAL_DEV_ORIGINS, getAllowedOrigins };
+export { ARCHIE_HOST_ORIGINS, ARCHIE_PREVIEW_ORIGIN_SUFFIXES, type ArchieHostOrigin, LOCAL_DEV_ORIGINS, PREVIEW_DEPLOY_HOST_SUFFIXES, getAllowedOriginPatterns, getAllowedOrigins, isPreviewOrigin };

package/dist/constants/archieOrigins.d.ts

@@ -6,6 +6,19 @@
  * @see https://app.archie.com
  */
 declare const ARCHIE_HOST_ORIGINS: readonly ["https://app.dev.archie-platform.com", "https://app.staging.archie-platform.com", "https://app.archie.com"];
+/**
+ * Origin suffix patterns for Archie preview iframes (e.g. deploy previews).
+ * The inspector allows any origin whose host ends with one of these suffixes
+ * to send messages to the inspector (allowlist).
+ */
+declare const ARCHIE_PREVIEW_ORIGIN_SUFFIXES: readonly [".staging.archie-platform.com", ".archie-platform.com", ".archie.com"];
+/**
+ * Host suffixes that identify a **preview deploy** iframe (e.g. 0cf7f787-....previews.staging.archie-platform.com).
+ * Used only by isPreviewOrigin() to decide "don't use referrer as targetOrigin" when the *current page*
+ * is a preview iframe. Must be narrower than ARCHIE_PREVIEW_ORIGIN_SUFFIXES so that the parent
+ * (e.g. app.dev.archie-platform.com) is not treated as a preview and its origin is used as targetOrigin.
+ */
+declare const PREVIEW_DEPLOY_HOST_SUFFIXES: readonly [".previews.staging.archie-platform.com", ".previews.archie-platform.com", ".previews.archie.com"];
 /**
  * Common local origins for development. Add these when testing the inspector
  * with the host running on localhost (e.g. host on :3000, preview iframe on :5173).
@@ -20,5 +33,16 @@ type ArchieHostOrigin = (typeof ARCHIE_HOST_ORIGINS)[number];
  * @param includeLocal - If true, appends LOCAL_DEV_ORIGINS for local testing
  */
 declare function getAllowedOrigins(includeLocal?: boolean): string[];
+/**
+ * Returns origin suffix patterns for preview iframes. The inspector allows any origin
+ * one of these suffixes (after the protocol).
+ */
+declare function getAllowedOriginPatterns(): string[];
+/**
+ * Returns true if the given origin is a preview **deploy** iframe (e.g. xxx.previews.staging.archie-platform.com).
+ * Used so we don't use that origin as postMessage targetOrigin; the target must be the parent app.
+ * Does not match app.dev.archie-platform.com / app.staging.archie-platform.com (so they can be used as target).
+ */
+declare function isPreviewOrigin(origin: string): boolean;
 
-export { ARCHIE_HOST_ORIGINS, type ArchieHostOrigin, LOCAL_DEV_ORIGINS, getAllowedOrigins };
+export { ARCHIE_HOST_ORIGINS, ARCHIE_PREVIEW_ORIGIN_SUFFIXES, type ArchieHostOrigin, LOCAL_DEV_ORIGINS, PREVIEW_DEPLOY_HOST_SUFFIXES, getAllowedOriginPatterns, getAllowedOrigins, isPreviewOrigin };

package/dist/constants/archieOrigins.js

@@ -21,8 +21,12 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var archieOrigins_exports = {};
 __export(archieOrigins_exports, {
   ARCHIE_HOST_ORIGINS: () => ARCHIE_HOST_ORIGINS,
+  ARCHIE_PREVIEW_ORIGIN_SUFFIXES: () => ARCHIE_PREVIEW_ORIGIN_SUFFIXES,
   LOCAL_DEV_ORIGINS: () => LOCAL_DEV_ORIGINS,
-  getAllowedOrigins: () => getAllowedOrigins
+  PREVIEW_DEPLOY_HOST_SUFFIXES: () => PREVIEW_DEPLOY_HOST_SUFFIXES,
+  getAllowedOriginPatterns: () => getAllowedOriginPatterns,
+  getAllowedOrigins: () => getAllowedOrigins,
+  isPreviewOrigin: () => isPreviewOrigin
 });
 module.exports = __toCommonJS(archieOrigins_exports);
 var ARCHIE_HOST_ORIGINS = [
@@ -30,6 +34,16 @@ var ARCHIE_HOST_ORIGINS = [
   "https://app.staging.archie-platform.com",
   "https://app.archie.com"
 ];
+var ARCHIE_PREVIEW_ORIGIN_SUFFIXES = [
+  ".staging.archie-platform.com",
+  ".archie-platform.com",
+  ".archie.com"
+];
+var PREVIEW_DEPLOY_HOST_SUFFIXES = [
+  ".previews.staging.archie-platform.com",
+  ".previews.archie-platform.com",
+  ".previews.archie.com"
+];
 var LOCAL_DEV_ORIGINS = [
   "http://localhost:3000",
   "http://localhost:3001"
@@ -39,9 +53,25 @@ function getAllowedOrigins(includeLocal = false) {
   if (includeLocal) list.push(...LOCAL_DEV_ORIGINS);
   return list;
 }
+function getAllowedOriginPatterns() {
+  return [...ARCHIE_PREVIEW_ORIGIN_SUFFIXES];
+}
+function isPreviewOrigin(origin) {
+  if (!origin || typeof origin !== "string") return false;
+  try {
+    const host = new URL(origin).host;
+    return PREVIEW_DEPLOY_HOST_SUFFIXES.some((suffix) => host.endsWith(suffix));
+  } catch {
+    return false;
+  }
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ARCHIE_HOST_ORIGINS,
+  ARCHIE_PREVIEW_ORIGIN_SUFFIXES,
   LOCAL_DEV_ORIGINS,
-  getAllowedOrigins
+  PREVIEW_DEPLOY_HOST_SUFFIXES,
+  getAllowedOriginPatterns,
+  getAllowedOrigins,
+  isPreviewOrigin
 });

package/dist/constants/archieOrigins.mjs

@@ -1,10 +1,18 @@
 import {
   ARCHIE_HOST_ORIGINS,
+  ARCHIE_PREVIEW_ORIGIN_SUFFIXES,
   LOCAL_DEV_ORIGINS,
-  getAllowedOrigins
-} from "../chunk-6MYORGLK.mjs";
+  PREVIEW_DEPLOY_HOST_SUFFIXES,
+  getAllowedOriginPatterns,
+  getAllowedOrigins,
+  isPreviewOrigin
+} from "../chunk-D5EA6RR5.mjs";
 export {
   ARCHIE_HOST_ORIGINS,
+  ARCHIE_PREVIEW_ORIGIN_SUFFIXES,
   LOCAL_DEV_ORIGINS,
-  getAllowedOrigins
+  PREVIEW_DEPLOY_HOST_SUFFIXES,
+  getAllowedOriginPatterns,
+  getAllowedOrigins,
+  isPreviewOrigin
 };

package/dist/{inspector-LTHUYUGW.mjs → inspector-QDRZLXRP.mjs}

@@ -72,10 +72,33 @@ function runInspector() {
       }
     }
     var ALLOWED_ORIGINS = typeof window !== "undefined" && window.__ARCHIE_INSPECTOR_ALLOWED_ORIGINS__ || null;
+    var ALLOWED_ORIGIN_PATTERNS = typeof window !== "undefined" && window.__ARCHIE_INSPECTOR_ALLOWED_ORIGIN_PATTERNS__ || [];
     function isOriginAllowed(origin) {
       if (!origin) return false;
-      if (!Array.isArray(ALLOWED_ORIGINS) || ALLOWED_ORIGINS.length === 0 || ALLOWED_ORIGINS === "*") return false;
-      return ALLOWED_ORIGINS.indexOf(origin) !== -1;
+      if (Array.isArray(ALLOWED_ORIGINS) && ALLOWED_ORIGINS.length > 0 && ALLOWED_ORIGINS !== "*") {
+        if (ALLOWED_ORIGINS.indexOf(origin) !== -1) return true;
+      }
+      if (Array.isArray(ALLOWED_ORIGIN_PATTERNS) && ALLOWED_ORIGIN_PATTERNS.length > 0) {
+        try {
+          var host = new URL(origin).host;
+          for (var i = 0; i < ALLOWED_ORIGIN_PATTERNS.length; i++) {
+            if (host.endsWith(ALLOWED_ORIGIN_PATTERNS[i])) return true;
+          }
+        } catch (e) {
+        }
+      }
+      return false;
+    }
+    function isStyleValueSafe(value) {
+      if (value == null || typeof value !== "string") return false;
+      if (value.length > 1e4) return false;
+      var lower = value.toLowerCase();
+      if (lower.indexOf("javascript:") !== -1) return false;
+      if (lower.indexOf("expression(") !== -1) return false;
+      if (lower.indexOf("-moz-binding") !== -1) return false;
+      if (lower.indexOf("behavior") !== -1) return false;
+      if (lower.indexOf("vbscript:") !== -1) return false;
+      return true;
     }
     var SCROLL_LISTENER_OPTS = { capture: true, passive: true };
     var RESIZE_LISTENER_OPTS = { passive: true };
@@ -676,6 +699,17 @@ function runInspector() {
           property,
           value
         });
+        if (!property || typeof property !== "string" || property.length > 100 || !isStyleValueSafe(value)) {
+          inspectorWarn("[Inspector] Rejected invalid or unsafe style property/value");
+          postMessageToParent({
+            type: "STYLE_CHANGE_FAILED",
+            selector,
+            property: typeof property === "string" ? property : "",
+            value: value != null ? String(value).slice(0, 100) : "",
+            error: !isStyleValueSafe(value) ? "Invalid or unsafe style value" : "Invalid property"
+          });
+          return;
+        }
         let element = null;
         element = getSelectedElement();
         if (element) {
@@ -751,6 +785,7 @@ function runInspector() {
           );
           setTimeout(() => {
             try {
+              if (!isStyleValueSafe(value)) return;
               const retryElement = document.querySelector(selector);
               if (retryElement) {
                 inspectorLog("[Inspector] Found element on retry");
@@ -843,7 +878,8 @@ function runInspector() {
           });
           return;
         }
-        const classes = className.split(/\s+/).filter(Boolean);
+        var classStr = typeof className === "string" ? className.slice(0, 2e3) : "";
+        const classes = classStr.split(/\s+/).filter(Boolean).slice(0, 100);
         classes.forEach((cls) => {
           if (action === "remove") {
             element.classList.remove(cls);
@@ -883,6 +919,15 @@ function runInspector() {
         });
       } else if (event.data && event.data.type === "APPLY_TEXT_CHANGE") {
         const { selector, text } = event.data;
+        if (text != null && typeof text === "string" && text.length > 5e5) {
+          postMessageToParent({
+            type: "TEXT_CHANGE_FAILED",
+            selector,
+            text: "",
+            error: "Text value too long"
+          });
+          return;
+        }
         const element = getSelectedElement();
         if (!element) {
           postMessageToParent({
@@ -893,7 +938,7 @@ function runInspector() {
           });
           return;
         }
-        element.textContent = text;
+        element.textContent = text != null ? String(text) : "";
         postMessageToParent({
           type: "TEXT_CHANGE_APPLIED",
           selector,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archie/devtools",
-  "version": "0.0.6",
+  "version": "0.0.9",
   "description": "DevTools for Archie generated applications - Route synchronization and editor communication",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/dist/chunk-6MYORGLK.mjs

@@ -1,21 +0,0 @@
-// src/constants/archieOrigins.ts
-var ARCHIE_HOST_ORIGINS = [
-  "https://app.dev.archie-platform.com",
-  "https://app.staging.archie-platform.com",
-  "https://app.archie.com"
-];
-var LOCAL_DEV_ORIGINS = [
-  "http://localhost:3000",
-  "http://localhost:3001"
-];
-function getAllowedOrigins(includeLocal = false) {
-  const list = [...ARCHIE_HOST_ORIGINS];
-  if (includeLocal) list.push(...LOCAL_DEV_ORIGINS);
-  return list;
-}
-
-export {
-  ARCHIE_HOST_ORIGINS,
-  LOCAL_DEV_ORIGINS,
-  getAllowedOrigins
-};