@floless/app 0.9.2 → 0.11.0

package/dist/floless-server.cjs

@@ -51978,6 +51978,18 @@ function env() {
     webBase: process.env.FLOLESS_WEB_BASE || base.webBase
   };
 }
+function isLoopback(host) {
+  return host === "127.0.0.1" || host === "localhost" || host === "::1" || host.endsWith(".localhost");
+}
+var TRUSTED_API_ORIGINS = /* @__PURE__ */ new Set(["https://api.floless.io", "https://api.stage.floless.io"]);
+function isTrustedFlolessHost(url) {
+  try {
+    const u = new URL(url);
+    return isLoopback(u.hostname) || TRUSTED_API_ORIGINS.has(u.origin);
+  } catch {
+    return false;
+  }
+}
 var OFFLINE_GRACE_MS = 24 * 60 * 60 * 1e3;
 var MEM_CACHE_MS = 60 * 1e3;
 var REFRESH_SKEW_MS = 60 * 1e3;
@@ -52059,6 +52071,7 @@ async function resolveToken() {
   const t = readTokens();
   if (!t) return { token: null, reason: "signed-out" };
   if (Date.now() < t.expiresAt - REFRESH_SKEW_MS) return { token: t.accessToken };
+  if (!isTrustedFlolessHost(env().apiBase)) return { token: null, reason: "session-expired" };
   let res;
   try {
     res = await fetch(`${env().apiBase}/auth/refresh`, {
@@ -52361,7 +52374,7 @@ function appVersion() {
   return resolveVersion({
     isSea: isSea2(),
     sqVersionXml: readSqVersionXml(),
-    define: true ? "0.9.2" : void 0,
+    define: true ? "0.11.0" : void 0,
     pkgVersion: readPkgVersion()
   });
 }
@@ -52371,7 +52384,7 @@ function resolveChannel(s) {
   return "dev";
 }
 function appChannel() {
-  return resolveChannel({ isSea: isSea2(), define: true ? "0.9.2" : void 0 });
+  return resolveChannel({ isSea: isSea2(), define: true ? "0.11.0" : void 0 });
 }
 
 // oauth-presets.ts
@@ -52468,6 +52481,45 @@ function bakeFloSource(source, inputs) {
   return doc.toString();
 }
 
+// report-badge.ts
+var BADGE_MARKER = "fla-credit";
+var DEFAULT_URL = "https://floless.io/made-with-floless?utm_source=report_badge";
+function escapeAttr(value) {
+  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function badgeHtml(url) {
+  return `
+<style>
+  #fla-credit { margin-top: 32px; padding-top: 16px; border-top: 1px solid rgba(0,0,0,0.10); display: flex; justify-content: flex-end; }
+  #fla-badge { display: inline-flex; align-items: center; height: 26px; padding: 0 10px; border-radius: 999px; background: #161d28; border: 1px solid #2a3548; box-shadow: 0 1px 4px rgba(0,0,0,0.18); text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif; font-size: 11px; line-height: 1; transition: background 0.15s ease, border-color 0.15s ease; }
+  #fla-badge:hover { background: rgba(74,158,255,0.10); border-color: #2c5f9e; }
+  #fla-badge:focus-visible { outline: 2px solid #4a9eff; outline-offset: 2px; }
+  #fla-badge .fla-prefix { color: #9aa5b6; font-weight: 400; }
+  #fla-badge .fla-name { color: #4a9eff; font-weight: 600; margin-left: 4px; }
+  #fla-badge:hover .fla-name { color: #67b3ff; }
+  @media print { #fla-badge { background: transparent; border-color: #9aa5b6; box-shadow: none; } #fla-badge .fla-prefix { color: #555; } #fla-badge .fla-name { color: #1a56c4; } }
+</style>
+<div id="${BADGE_MARKER}">
+  <a id="fla-badge" href="${escapeAttr(url)}" target="_blank" rel="noopener noreferrer" aria-label="Made with FloLess \u2014 visit floless.io">
+    <span class="fla-prefix">Made with</span><span class="fla-name">FloLess</span>
+  </a>
+</div>`.trim();
+}
+function injectBadge(html, opts = {}) {
+  if (!html || !html.trim()) return html;
+  if (html.includes(`id="${BADGE_MARKER}"`)) return html;
+  const badge = badgeHtml(opts.url ?? DEFAULT_URL);
+  let last = -1;
+  for (const m of html.matchAll(/<\/body\s*>/gi)) last = m.index ?? last;
+  return last === -1 ? `${html}
+${badge}` : `${html.slice(0, last)}${badge}
+${html.slice(last)}`;
+}
+function withBadge(report, opts) {
+  if (!report) return report;
+  return { ...report, html: injectBadge(report.html, opts) };
+}
+
 // index.ts
 var import_node_crypto5 = require("node:crypto");
 
@@ -53763,18 +53815,6 @@ function feedUrl() {
   const env2 = (process.env.FLOLESS_UPDATE_URL ?? "").trim().replace(/\/+$/, "");
   return env2 || updateApiBase();
 }
-function isLoopback(host) {
-  return host === "127.0.0.1" || host === "localhost" || host === "::1" || host.endsWith(".localhost");
-}
-var TRUSTED_FEED_ORIGINS = /* @__PURE__ */ new Set(["https://api.floless.io", "https://api.stage.floless.io"]);
-function isTrustedFlolessHost(url) {
-  try {
-    const u = new URL(url);
-    return isLoopback(u.hostname) || TRUSTED_FEED_ORIGINS.has(u.origin);
-  } catch {
-    return false;
-  }
-}
 async function authedFetch(url, init = {}) {
   const headers = new Headers(init.headers);
   if (isTrustedFlolessHost(url)) {
@@ -53941,6 +53981,43 @@ async function reportIssue(input) {
   return { ok: true, ref };
 }
 
+// report-share.ts
+var SHARE_TIMEOUT_MS = 3e4;
+async function shareReport(input) {
+  let token;
+  try {
+    token = await accessToken();
+  } catch {
+    return { ok: false, error: "offline" };
+  }
+  if (!token) return { ok: false, error: "signed_out" };
+  const url = `${apiBaseUrl()}/reports`;
+  let res;
+  try {
+    res = await authedFetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(input),
+      signal: AbortSignal.timeout(SHARE_TIMEOUT_MS)
+    });
+  } catch {
+    return { ok: false, error: "offline" };
+  }
+  if (res.status === 401) return { ok: false, error: "signed_out" };
+  if (res.status === 403) return { ok: false, error: "no_subscription" };
+  if (res.status === 429) return { ok: false, error: "rate_limited" };
+  if (res.status === 413) return { ok: false, error: "too_large" };
+  if (!res.ok) return { ok: false, error: "offline" };
+  try {
+    const b = await res.json();
+    if (typeof b.url === "string" && b.url && new URL(b.url).protocol === "https:") {
+      return { ok: true, url: b.url };
+    }
+  } catch {
+  }
+  return { ok: false, error: "offline" };
+}
+
 // release-notes.ts
 var FETCH_TIMEOUT_MS = 8e3;
 var AWARE_REPO = "aware-aeco/aware";
@@ -56509,6 +56586,9 @@ async function startServer() {
       app.log.warn({ detail: err.detail }, err.message);
       return reply.status(502).send({ ok: false, error: err.message, detail: err.detail ?? null });
     }
+    if (err.statusCode === 413) {
+      return reply.status(413).send({ ok: false, error: "too_large" });
+    }
     app.log.error(err);
     return reply.status(500).send({ ok: false, error: err.message });
   });
@@ -56589,6 +56669,20 @@ async function startServer() {
       return reply.status(status).send({ ok: false, error: result.error });
     }
   );
+  app.post(
+    "/api/share-report",
+    { bodyLimit: 6 * 1024 * 1024 },
+    async (req, reply) => {
+      const b = req.body ?? {};
+      const html = typeof b.html === "string" ? b.html : "";
+      const title = typeof b.title === "string" ? b.title.trim().slice(0, 200) : "";
+      if (!html) return reply.status(400).send({ ok: false, error: "html is required" });
+      const result = await shareReport({ title: title || "FloLess report", html });
+      if (result.ok) return { ok: true, url: result.url };
+      const status = result.error === "signed_out" ? 401 : result.error === "no_subscription" ? 403 : result.error === "rate_limited" ? 429 : result.error === "too_large" ? 413 : 503;
+      return reply.status(status).send({ ok: false, error: result.error });
+    }
+  );
   app.get("/api/autostart", async () => {
     const supported = autostartSupported();
     return { ok: true, supported, enabled: supported ? autostartPresent() : false };
@@ -56866,7 +56960,8 @@ async function startServer() {
           return { id: c.integration, label: friendlyIntegrationName(c.integration) };
         }
       }
-    } catch {
+    } catch (err) {
+      console.warn(`[floless] credential-issue detection failed for app "${id}" (treating as no credential issue):`, err);
     }
     return null;
   }
@@ -56907,7 +57002,7 @@ async function startServer() {
       broadcast({ type: "run-started", id, dryRun: !!dryRun, simulate: !!simulate, runId: result.runId });
       for (const ev of events) broadcast({ type: "trace", id, event: ev });
       broadcast({ type: "run-ended", id, runId: result.runId });
-      const report = extractReportHtml(events);
+      const report = withBadge(extractReportHtml(events));
       const credentialIssue = !simulate && hasAuthFailure(events) ? await detectCredentialIssue(id) : null;
       return { ok: true, runId: result.runId, tracePath: result.tracePath, events, report, credentialIssue };
     }
@@ -56965,7 +57060,7 @@ async function startServer() {
       broadcast({ type: "debug-ended", id, nodeId });
       const r = result.result ?? {};
       const html = typeof r.html === "string" ? r.html : null;
-      return { ok: true, result, report: html ? { nodeId, html } : null };
+      return { ok: true, result, report: withBadge(html ? { nodeId, html } : null) };
     }
   );
   app.get("/api/routines", async () => ({

package/dist/web/aware.js

@@ -22,6 +22,7 @@
   const $reportTitle = document.getElementById('report-title');
   const $reportSub = document.getElementById('report-sub');
   const $reportOpen = document.getElementById('report-open');
+  const $reportShare = document.getElementById('report-share');
   const $reportClose = document.getElementById('report-close');
 
   // One persistent array the inspect Execution tab reads; we mutate in place so
@@ -908,7 +909,9 @@
     try { await api('/api/run/stop', { method: 'POST' }); } catch { /* the run's own catch surfaces it */ }
   }
 
-  function paintReport(html) { $reportFrame.srcdoc = html; $reportOverlay.hidden = true; $reportOverlay.innerHTML = ''; }
+  // Share is visible exactly when the frame holds a report (the empty state HIDES it —
+  // never a disabled affordance with no path forward).
+  function paintReport(html) { $reportFrame.srcdoc = html; $reportOverlay.hidden = true; $reportOverlay.replaceChildren(); $reportShare.hidden = false; }
 
   // Double-click the HTML Viewer node → LOAD the last report (no run; running is
   // the header "▶ Run workflow" button's job). Shows a prompt if nothing has run yet.
@@ -925,6 +928,7 @@
       paintReport(cached.html);
     } else {
       $reportFrame.srcdoc = '';
+      $reportShare.hidden = true; // nothing to share — hide, don't disable
       $reportOverlay.hidden = false;
       $reportOverlay.innerHTML = `<div>No report yet. Click <strong>▶ Run workflow</strong> (top right) to run it against the live model, then double-click to view it any time.</div>`;
       $reportSub.textContent = 'Double-click loads the last report; ▶ Run workflow generates a fresh one.';
@@ -948,6 +952,7 @@
     $reportTitle.textContent = `HTML Viewer · ${app.displayName}`;
     $reportSub.innerHTML = `Live run of <code>${escapeHtml(nodeId)}</code>${inputBadge ? ' · ' + escapeHtml(inputBadge) : ''} — rendered from the node's output, never composed by the UI.`;
     $reportFrame.srcdoc = ''; // clear any previously rendered report while this run is in flight
+    $reportShare.hidden = true; // the frame is blank — only a painted report is shareable
     $reportOverlay.hidden = false;
     $reportOverlay.innerHTML = opts.debug
       ? `<div class="spinner"></div><div>Launching the .NET debugger for <code>${escapeHtml(nodeId)}</code> — a Windows picker will pop; choose your <strong>Visual Studio</strong> to attach to <code>aware-tekla.exe</code>, then step through. The report renders when you let it finish.</div>`
@@ -1022,6 +1027,7 @@
 
   function showCredentialReconnect(cred) {
     $reportFrame.srcdoc = '';
+    $reportShare.hidden = true;
     $reportOverlay.hidden = false;
     $reportOverlay.replaceChildren();
 
@@ -1267,6 +1273,51 @@
     window.open(url, '_blank');
     setTimeout(() => URL.revokeObjectURL(url), 30000);
   };
+
+  // Share the on-screen report → a hosted floless.io link. The local server does the
+  // upload (the bearer never reaches this page); we relay exactly the HTML the run
+  // produced and surface the returned link. Disabled while in flight (double-click =
+  // double upload), and the link lands in $reportSub as a real DOM anchor (mkEl, not
+  // markup) so a server-returned URL can never inject HTML.
+  $reportShare.onclick = async () => {
+    const cached = currentId && lastReportByApp.get(currentId);
+    // Share exactly what's on screen — the frame's srcdoc — so the link can never carry
+    // a different report than the one the user is looking at (e.g. another app's cache).
+    const html = $reportFrame.srcdoc;
+    if (!html || !cached) return; // button is hidden in this state; belt-and-braces
+    const app = apps.get(currentId);
+    const title = `${app ? app.displayName : currentId}${cached.label ? ' · ' + cached.label : ''}`;
+    $reportShare.disabled = true;
+    const prev = $reportShare.textContent;
+    $reportShare.textContent = 'Sharing…';
+    try {
+      const res = await api('/api/share-report', { method: 'POST', body: JSON.stringify({ title, html }) });
+      await navigator.clipboard.writeText(res.url).catch(() => {});
+      const link = mkEl('a', null, res.url.replace(/^https:\/\//, ''));
+      link.href = res.url;
+      link.target = '_blank';
+      link.rel = 'noopener';
+      $reportSub.replaceChildren(
+        document.createTextNode('Shared — '),
+        link,
+        document.createTextNode(' — copied to clipboard. Anyone with the link can view this frozen report.'),
+      );
+      showToast('Link copied to clipboard', 'ok');
+    } catch (e) {
+      const err = e && e.body && e.body.error;
+      const msg =
+        err === 'signed_out' ? 'Your FloLess sign-in has expired — sign in again to share reports.' :
+        err === 'no_subscription' || err === 'subscription required'
+          ? 'A FloLess subscription is required to share reports — sign in to continue.' :
+        err === 'rate_limited' ? 'Share limit reached (30 per hour) — try again in a few minutes.' :
+        err === 'too_large' ? 'Report is too large to share (over 5 MB).' :
+        'Couldn’t reach FloLess — check your connection and try sharing again.';
+      showToast(msg, 'warn');
+    } finally {
+      $reportShare.disabled = false;
+      $reportShare.textContent = prev;
+    }
+  };
   $promptSel.onchange = () => { loadApp($promptSel.value).catch(reportErr); };
 
   $compileBtn.onclick = async () => {

package/dist/web/index.html

@@ -246,12 +246,17 @@
           <div class="modal-sub" id="report-sub">Rendered from the live run — never composed by the UI.</div>
         </div>
         <div class="report-actions">
+          <button id="report-share" class="ghost" hidden data-tip="Share this report as a link anyone can view — hosted on floless.io">↗ Share</button>
           <button id="report-open" class="ghost" data-tip="Open the report in a new browser tab">↗ Open</button>
           <button id="report-close" data-tip="Close">×</button>
         </div>
       </div>
       <div class="report-stage" id="report-stage">
-        <iframe id="report-frame" sandbox="allow-same-origin" title="Report"></iframe>
+        <!-- allow-popups (+ escape): the report's own links — the "Made with FloLess"
+             badge above all — must open in a real, unsandboxed tab. Scripts stay
+             blocked and there is NO allow-same-origin: the report remains an opaque
+             origin with zero access to the app page. -->
+        <iframe id="report-frame" sandbox="allow-popups allow-popups-to-escape-sandbox" title="Report"></iframe>
         <div class="report-overlay" id="report-overlay" hidden></div>
       </div>
     </div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floless/app",
-  "version": "0.9.2",
+  "version": "0.11.0",
   "type": "module",
   "description": "Thin localhost host for floless.app — serves web/ and shells the aware CLI. No engine, no LLM.",
   "bin": {