@character-foundry/character-foundry 0.1.5 → 0.1.6

package/dist/app-framework.d.cts

@@ -681,6 +681,7 @@ export declare function flattenSchema<T extends z.ZodRawShape>(schema: z.ZodObje
 export declare function analyzeField(name: string, zodType: z.ZodTypeAny): FieldInfo;
 /**
  * Get the value at a dot-notation path from an object.
+ * SECURITY: Rejects dangerous keys (__proto__, constructor, prototype) to prevent prototype pollution.
  *
  * @example
  * ```ts
@@ -690,6 +691,7 @@ export declare function analyzeField(name: string, zodType: z.ZodTypeAny): Field
 export declare function getValueAtPath(obj: Record<string, unknown>, path: string): unknown;
 /**
  * Set a value at a dot-notation path in an object (immutably).
+ * SECURITY: Rejects dangerous keys (__proto__, constructor, prototype) to prevent prototype pollution.
  *
  * @example
  * ```ts
@@ -809,11 +811,24 @@ export declare function TextInput({ value, onChange, name, label, error, disable
  * ```
  */
 export declare function Textarea({ value, onChange, name, label, error, disabled, required, hint, }: FieldWidgetProps<string>): react_jsx_runtime.JSX.Element;
+/**
+ * Props for NumberInput - allows number | undefined since empty inputs are undefined
+ */
+export type NumberInputProps = Omit<FieldWidgetProps<number | undefined>, "onChange"> & {
+	/** Value can be number or undefined (empty) */
+	value: number | undefined;
+	/** onChange receives number or undefined (empty) */
+	onChange: (value: number | undefined) => void;
+};
 /**
  * Headless number input widget.
  * Renders a number input with min/max/step support.
+ *
+ * Note: This widget properly handles empty inputs as `undefined`,
+ * not as a type-cast lie. The form resolver handles validation
+ * for required fields.
  */
-export declare function NumberInput({ value, onChange, name, label, error, disabled, required, hint, }: FieldWidgetProps<number>): react_jsx_runtime.JSX.Element;
+export declare function NumberInput({ value, onChange, name, label, error, disabled, required, hint, }: NumberInputProps): react_jsx_runtime.JSX.Element;
 /**
  * Headless switch/toggle widget.
  * Renders a checkbox with switch semantics (role="switch").

package/dist/app-framework.d.ts

@@ -681,6 +681,7 @@ export declare function flattenSchema<T extends z.ZodRawShape>(schema: z.ZodObje
 export declare function analyzeField(name: string, zodType: z.ZodTypeAny): FieldInfo;
 /**
  * Get the value at a dot-notation path from an object.
+ * SECURITY: Rejects dangerous keys (__proto__, constructor, prototype) to prevent prototype pollution.
  *
  * @example
  * ```ts
@@ -690,6 +691,7 @@ export declare function analyzeField(name: string, zodType: z.ZodTypeAny): Field
 export declare function getValueAtPath(obj: Record<string, unknown>, path: string): unknown;
 /**
  * Set a value at a dot-notation path in an object (immutably).
+ * SECURITY: Rejects dangerous keys (__proto__, constructor, prototype) to prevent prototype pollution.
  *
  * @example
  * ```ts
@@ -809,11 +811,24 @@ export declare function TextInput({ value, onChange, name, label, error, disable
  * ```
  */
 export declare function Textarea({ value, onChange, name, label, error, disabled, required, hint, }: FieldWidgetProps<string>): react_jsx_runtime.JSX.Element;
+/**
+ * Props for NumberInput - allows number | undefined since empty inputs are undefined
+ */
+export type NumberInputProps = Omit<FieldWidgetProps<number | undefined>, "onChange"> & {
+	/** Value can be number or undefined (empty) */
+	value: number | undefined;
+	/** onChange receives number or undefined (empty) */
+	onChange: (value: number | undefined) => void;
+};
 /**
  * Headless number input widget.
  * Renders a number input with min/max/step support.
+ *
+ * Note: This widget properly handles empty inputs as `undefined`,
+ * not as a type-cast lie. The form resolver handles validation
+ * for required fields.
  */
-export declare function NumberInput({ value, onChange, name, label, error, disabled, required, hint, }: FieldWidgetProps<number>): react_jsx_runtime.JSX.Element;
+export declare function NumberInput({ value, onChange, name, label, error, disabled, required, hint, }: NumberInputProps): react_jsx_runtime.JSX.Element;
 /**
  * Headless switch/toggle widget.
  * Renders a checkbox with switch semantics (role="switch").

package/dist/app-framework.js

@@ -1,5 +1,5 @@
 // ../app-framework/dist/index.js
-import { useMemo, useEffect as useEffect2, useCallback as useCallback5, useRef as useRef3 } from "react";
+import { useMemo as useMemo2, useEffect as useEffect2, useCallback as useCallback5, useRef as useRef3, useState as useState5 } from "react";
 import "zod";
 import { useForm, Controller, FormProvider } from "react-hook-form";
 import { zodResolver } from "@hookform/resolvers/zod";
@@ -10,7 +10,7 @@ import { jsx as jsx2, jsxs as jsxs2 } from "react/jsx-runtime";
 import { jsx as jsx3, jsxs as jsxs3 } from "react/jsx-runtime";
 import { jsx as jsx4, jsxs as jsxs4 } from "react/jsx-runtime";
 import { jsx as jsx5, jsxs as jsxs5 } from "react/jsx-runtime";
-import { useState, useCallback, useRef, useEffect } from "react";
+import { useState, useCallback, useRef, useEffect, useMemo } from "react";
 import { jsx as jsx6, jsxs as jsxs6 } from "react/jsx-runtime";
 import { useState as useState2, useCallback as useCallback2 } from "react";
 import { jsx as jsx7, jsxs as jsxs7 } from "react/jsx-runtime";
@@ -20,7 +20,7 @@ import { useState as useState4, useCallback as useCallback4, useRef as useRef2 }
 import { jsx as jsx9, jsxs as jsxs9 } from "react/jsx-runtime";
 import { jsx as jsx10, jsxs as jsxs10 } from "react/jsx-runtime";
 import { Fragment, jsx as jsx11, jsxs as jsxs11 } from "react/jsx-runtime";
-import { useState as useState5, useCallback as useCallback6 } from "react";
+import { useState as useState6, useCallback as useCallback6 } from "react";
 import { jsx as jsx12, jsxs as jsxs12 } from "react/jsx-runtime";
 var noopServices = {
   toast: {
@@ -352,13 +352,23 @@ function analyzeField(name, zodType) {
     constraints: extractConstraints(currentType)
   };
 }
+var DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function isSafeKey(key) {
+  return !DANGEROUS_KEYS.has(key);
+}
 function getValueAtPath(obj, path) {
   const parts = path.split(".");
   let current = obj;
   for (const part of parts) {
+    if (!isSafeKey(part)) {
+      return void 0;
+    }
     if (current == null || typeof current !== "object") {
       return void 0;
     }
+    if (!Object.hasOwn(current, part)) {
+      return void 0;
+    }
     current = current[part];
   }
   return current;
@@ -368,12 +378,16 @@ function setValueAtPath(obj, path, value) {
   if (parts.length === 0 || parts[0] === void 0) {
     return obj;
   }
+  const first = parts[0];
+  if (!isSafeKey(first)) {
+    console.warn(`Rejected dangerous property key in path: ${first}`);
+    return obj;
+  }
   if (parts.length === 1) {
-    return { ...obj, [parts[0]]: value };
+    return { ...obj, [first]: value };
   }
-  const first = parts[0];
   const rest = parts.slice(1);
-  const nested = obj[first] ?? {};
+  const nested = (Object.hasOwn(obj, first) ? obj[first] : {}) ?? {};
   return {
     ...obj,
     [first]: setValueAtPath(nested, rest.join("."), value)
@@ -765,11 +779,31 @@ function SearchableSelect({
   const [isOpen, setIsOpen] = useState(false);
   const [searchTerm, setSearchTerm] = useState("");
   const [highlightedIndex, setHighlightedIndex] = useState(-1);
-  const options = hint?.options ?? [];
-  const filteredOptions = searchTerm ? options.filter(
-    (opt) => opt.label.toLowerCase().includes(searchTerm.toLowerCase()) || opt.value.toLowerCase().includes(searchTerm.toLowerCase())
-  ) : options;
-  const selectedOption = options.find((opt) => opt.value === value);
+  const rawOptions = hint?.options ?? [];
+  const indexedOptions = useMemo(() => {
+    return rawOptions.map((opt) => ({
+      option: opt,
+      labelLower: opt.label.toLowerCase(),
+      valueLower: opt.value.toLowerCase()
+    }));
+  }, [rawOptions]);
+  const optionsByValue = useMemo(() => {
+    const map = /* @__PURE__ */ new Map();
+    for (const opt of rawOptions) {
+      map.set(opt.value, opt);
+    }
+    return map;
+  }, [rawOptions]);
+  const filteredOptions = useMemo(() => {
+    if (!searchTerm) {
+      return rawOptions;
+    }
+    const searchLower = searchTerm.toLowerCase();
+    return indexedOptions.filter(
+      (indexed) => indexed.labelLower.includes(searchLower) || indexed.valueLower.includes(searchLower)
+    ).map((indexed) => indexed.option);
+  }, [searchTerm, indexedOptions, rawOptions]);
+  const selectedOption = optionsByValue.get(value ?? "");
   const displayValue = selectedOption?.label ?? value ?? "";
   useEffect(() => {
     function handleClickOutside(e) {
@@ -1392,9 +1426,9 @@ function AutoForm({
   widgetRegistry: widgetRegistry2,
   children
 }) {
-  const fieldInfoMap = useMemo(() => analyzeSchema(schema), [schema]);
-  const flatFieldInfoMap = useMemo(() => flattenSchema(schema), [schema]);
-  const schemaDefaults = useMemo(() => {
+  const fieldInfoMap = useMemo2(() => analyzeSchema(schema), [schema]);
+  const flatFieldInfoMap = useMemo2(() => flattenSchema(schema), [schema]);
+  const schemaDefaults = useMemo2(() => {
     const defaults = {};
     function extractDefaults(fields, prefix = "") {
       fields.forEach((info, key) => {
@@ -1410,33 +1444,84 @@ function AutoForm({
     extractDefaults(fieldInfoMap);
     return defaults;
   }, [fieldInfoMap]);
+  const mergedDefaults = useMemo2(() => {
+    return deepMerge(
+      deepMerge(schemaDefaults, defaultValues ?? {}),
+      values ?? {}
+    );
+  }, [schemaDefaults, defaultValues, values]);
   const methods = useForm({
     resolver: zodResolver(schema),
-    defaultValues: {
-      ...schemaDefaults,
-      ...defaultValues,
-      ...values
-    },
+    defaultValues: mergedDefaults,
     mode: "onChange",
     shouldUnregister: true
   });
-  const { control, handleSubmit, watch, formState, reset } = methods;
-  const watchedValues = watch();
+  const { control, handleSubmit, watch, formState, reset, getValues } = methods;
   const prevValuesRef = useRef3(values);
+  const conditionFields = useMemo2(() => {
+    const fields = /* @__PURE__ */ new Set();
+    const extractConditionFields = (hints, prefix = "") => {
+      for (const [key, value] of Object.entries(hints)) {
+        if (!value || typeof value !== "object") continue;
+        const hint = value;
+        if (hint.condition && typeof hint.condition === "object") {
+          const condition = hint.condition;
+          if (condition.field) {
+            fields.add(condition.field);
+          }
+        }
+        if (!("widget" in hint) && !("label" in hint) && !("condition" in hint)) {
+          extractConditionFields(hint, prefix ? `${prefix}.${key}` : key);
+        }
+      }
+    };
+    extractConditionFields(uiHints);
+    return Array.from(fields);
+  }, [uiHints]);
+  const [conditionValues, setConditionValues] = useState5({});
+  useEffect2(() => {
+    if (conditionFields.length === 0) return;
+    const initial = {};
+    const currentValues = getValues();
+    for (const field of conditionFields) {
+      initial[field] = getValueAtPath(currentValues, field);
+    }
+    setConditionValues(initial);
+    const subscription = watch((formValues, { name }) => {
+      if (name && conditionFields.includes(name)) {
+        setConditionValues((prev) => ({
+          ...prev,
+          [name]: getValueAtPath(formValues, name)
+        }));
+      }
+    });
+    return () => subscription.unsubscribe();
+  }, [conditionFields, watch, getValues]);
   useEffect2(() => {
     if (values && !shallowEqual(values, prevValuesRef.current)) {
       prevValuesRef.current = values;
-      reset({ ...schemaDefaults, ...defaultValues, ...values });
+      const resetValues = deepMerge(
+        deepMerge(schemaDefaults, defaultValues ?? {}),
+        values ?? {}
+      );
+      reset(resetValues);
     }
   }, [values, reset, schemaDefaults, defaultValues]);
+  const onChangeRef = useRef3(onChange);
+  onChangeRef.current = onChange;
+  const schemaRef = useRef3(schema);
+  schemaRef.current = schema;
   useEffect2(() => {
-    if (onChange) {
-      const result = schema.safeParse(watchedValues);
-      if (result.success) {
-        onChange(result.data);
+    if (!onChangeRef.current) return;
+    const subscription = watch((formValues, { type }) => {
+      if (type !== "change") return;
+      const result = schemaRef.current.safeParse(formValues);
+      if (result.success && onChangeRef.current) {
+        onChangeRef.current(result.data);
       }
-    }
-  }, [watchedValues, onChange, schema]);
+    });
+    return () => subscription.unsubscribe();
+  }, [watch]);
   const HINT_KEYS = /* @__PURE__ */ new Set([
     "widget",
     "label",
@@ -1482,9 +1567,9 @@ function AutoForm({
   const isConditionMet = useCallback5(
     (condition) => {
       if (!condition) return true;
-      const fieldValue = getValueAtPath(watchedValues, condition.field);
+      const fieldValue = conditionFields.length > 0 ? conditionValues[condition.field] : getValueAtPath(getValues(), condition.field);
       if (condition.when) {
-        return condition.when(fieldValue, watchedValues);
+        return condition.when(fieldValue, getValues());
       }
       if ("equals" in condition && condition.equals !== void 0) {
         return fieldValue === condition.equals;
@@ -1500,9 +1585,9 @@ function AutoForm({
       }
       return true;
     },
-    [watchedValues]
+    [conditionFields, conditionValues, getValues]
   );
-  const orderedFields = useMemo(() => {
+  const orderedFields = useMemo2(() => {
     if (fieldOrder) {
       return fieldOrder.map((f) => String(f));
     }
@@ -1594,19 +1679,51 @@ function AutoForm({
   }
   return formContent;
 }
+function deepMerge(base, override) {
+  const result = { ...base };
+  for (const key of Object.keys(override)) {
+    if (!isSafeKey2(key)) continue;
+    const baseVal = base[key];
+    const overrideVal = override[key];
+    if (isPlainObject(baseVal) && isPlainObject(overrideVal)) {
+      result[key] = deepMerge(
+        baseVal,
+        overrideVal
+      );
+    } else if (overrideVal !== void 0) {
+      result[key] = overrideVal;
+    }
+  }
+  return result;
+}
+function isPlainObject(val) {
+  return val !== null && typeof val === "object" && !Array.isArray(val) && Object.getPrototypeOf(val) === Object.prototype;
+}
+var DANGEROUS_KEYS2 = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function isSafeKey2(key) {
+  return !DANGEROUS_KEYS2.has(key);
+}
 function setNestedValue(obj, path, value) {
   const parts = path.split(".");
   let current = obj;
   for (let i = 0; i < parts.length - 1; i++) {
     const part = parts[i];
     if (part === void 0) continue;
-    if (!(part in current) || typeof current[part] !== "object") {
+    if (!isSafeKey2(part)) {
+      console.warn(`Rejected dangerous property key in path: ${part}`);
+      return;
+    }
+    if (!Object.hasOwn(current, part) || typeof current[part] !== "object") {
       current[part] = {};
     }
     current = current[part];
   }
   const lastPart = parts[parts.length - 1];
   if (lastPart !== void 0) {
+    if (!isSafeKey2(lastPart)) {
+      console.warn(`Rejected dangerous property key in path: ${lastPart}`);
+      return;
+    }
     current[lastPart] = value;
   }
 }
@@ -1636,7 +1753,7 @@ function FieldGroup({
   className,
   children
 }) {
-  const [isCollapsed, setIsCollapsed] = useState5(defaultCollapsed);
+  const [isCollapsed, setIsCollapsed] = useState6(defaultCollapsed);
   const toggleCollapsed = useCallback6(() => {
     if (collapsible) {
       setIsCollapsed((prev) => !prev);