@frontmcp/uipack 0.8.0 → 0.9.0

package/README.md

@@ -1,98 +1,47 @@
 # @frontmcp/uipack
 
-React-free build utilities, theming, runtime helpers, and platform adapters for FrontMCP UI development. `@frontmcp/uipack` powers HTML string templates, cacheable widgets, and discovery metadata without pulling React or DOM libraries into your server.
+React-free build utilities, theming, runtime helpers, and platform adapters for FrontMCP UI development.
 
-## Package Split
+[![NPM](https://img.shields.io/npm/v/@frontmcp/uipack.svg)](https://www.npmjs.com/package/@frontmcp/uipack)
 
-| Package            | Purpose                                                               | React Required        |
-| ------------------ | --------------------------------------------------------------------- | --------------------- |
-| `@frontmcp/uipack` | Themes, runtime helpers, build/render pipelines, validation, adapters | No                    |
-| `@frontmcp/ui`     | HTML/React components, layouts, widgets, web components               | Yes (peer dependency) |
+## Package Split
 
-Install `@frontmcp/uipack` when you need HTML-first tooling, template validation, or platform adapters. Install `@frontmcp/ui` alongside it for ready-made components.
+| Package            | Purpose                                                               | React Required |
+| ------------------ | --------------------------------------------------------------------- | -------------- |
+| `@frontmcp/uipack` | Themes, runtime helpers, build/render pipelines, validation, adapters | No             |
+| `@frontmcp/ui`     | HTML/React components, layouts, widgets, web components               | Yes (peer dep) |
 
-## Installation
+## Install
 
 ```bash
 npm install @frontmcp/uipack
-# or
-yarn add @frontmcp/uipack
 ```
 
 ## Features
 
-- **Theme system** – Configure Tailwind-style palettes, fonts, and CDN assets, then inline or externalize scripts per platform.
-- **Build API** – Compile tool templates with esbuild/SWC, emit static widgets, and ship cached manifests for serverless environments.
-- **Build modes** – Choose static, dynamic, or hybrid rendering plus multi-platform bundler helpers so the same widget rehydrates on OpenAI, Claude, and Gemini.
-- **Runtime helpers** – Wrap HTML/React/MDX templates with CSP, sanitize user content, and expose MCP Bridge metadata.
-- **Platform adapters** – Generate OpenAI/Claude/Gemini discovery metadata, resolve serving modes, and understand host capabilities.
-- **Validation** – Extract schema paths, validate Handlebars templates, and render error boxes before code hits production.
-- **Bundler/cache** – File-system and Redis caches, transpile/render caches, and hashing utilities for incremental builds.
-
-## Quick Start
-
-### Theme + layout utilities
-
-```ts
-import { DEFAULT_THEME, createTheme, buildCdnScriptsFromTheme } from '@frontmcp/uipack/theme';
-
-const customTheme = createTheme({
-  name: 'brand',
-  colors: {
-    semantic: {
-      primary: '#0BA5EC',
-      secondary: '#6366F1',
-    },
-  },
-});
-
-const scripts = await buildCdnScriptsFromTheme(customTheme, { inline: true });
-```
+- **Theme system** — Tailwind-style palettes, fonts, CDN assets, platform-aware inlining ([docs][docs-theme])
+- **Build API** — compile tool templates with esbuild/SWC, emit static widgets, cached manifests ([docs][docs-build])
+- **Build modes** — static, dynamic, or hybrid rendering; multi-platform bundler helpers ([docs][docs-build-modes])
+- **Runtime helpers** — wrap HTML/React/MDX with CSP, sanitize content, expose MCP Bridge metadata ([docs][docs-runtime])
+- **Platform adapters** — OpenAI/Claude/Gemini discovery metadata, serving modes, host capabilities ([docs][docs-adapters])
+- **Validation** — schema path extraction, Handlebars template validation, error boxes ([docs][docs-validation])
+- **Bundler/cache** — filesystem and Redis caches, transpile/render caches, hashing utilities ([docs][docs-bundler])
 
-### Build tool UI HTML
+## Quick Example
 
 ```ts
 import { buildToolUI } from '@frontmcp/uipack/build';
 
 const result = await buildToolUI({
-  template: '<div>{{output.temperature}} °C</div>',
-  context: {
-    input: { location: 'London' },
-    output: { temperature: 18 },
-  },
+  template: '<div>{{output.temperature}} C</div>',
+  context: { input: { location: 'London' }, output: { temperature: 18 } },
   platform: 'openai',
 });
-
-console.log(result.html);
 ```
 
-### Wrap tool responses with MCP metadata
-
-```ts
-import { wrapToolUI, createTemplateHelpers } from '@frontmcp/uipack/runtime';
+> Full guide: [UI Overview][docs-overview]
 
-The helpers = createTemplateHelpers();
-const html = `<div>${helpers.escapeHtml(ctx.output.summary)}</div>`;
-
-const response = wrapToolUI({
-  html,
-  displayMode: 'inline',
-  servingMode: 'auto',
-  widgetDescription: 'Summarized status card',
-});
-```
-
-### Resolve platform capabilities
-
-```ts
-import { getPlatform, canUseCdn, needsInlineScripts } from '@frontmcp/uipack/theme';
-
-const claude = getPlatform('claude');
-const inline = needsInlineScripts(claude);
-const cdnOk = canUseCdn(claude);
-```
-
-## Entry points
+## Entry Points
 
 | Path                          | Purpose                                                  |
 | ----------------------------- | -------------------------------------------------------- |
@@ -107,45 +56,36 @@ const cdnOk = canUseCdn(claude);
 | `@frontmcp/uipack/types`      | Shared template/context types                            |
 | `@frontmcp/uipack/utils`      | Escaping, safe stringify, helper utilities               |
 
-## Template validation
+## Docs
 
-```ts
-import { validateTemplate } from '@frontmcp/uipack/validation';
-import { z } from 'zod';
+| Topic             | Link                            |
+| ----------------- | ------------------------------- |
+| Overview          | [UI Overview][docs-overview]    |
+| Theme system      | [Theming][docs-theme]           |
+| Build API         | [Build Tools][docs-build]       |
+| Build modes       | [Build Modes][docs-build-modes] |
+| Runtime helpers   | [Runtime][docs-runtime]         |
+| Platform adapters | [Adapters][docs-adapters]       |
+| Validation        | [Validation][docs-validation]   |
+| Bundler           | [Bundler][docs-bundler]         |
 
-const outputSchema = z.object({
-  temperature: z.number(),
-  city: z.string(),
-});
+## Related Packages
 
-const result = validateTemplate('<div>{{output.city}}</div>', outputSchema);
-if (!result valid) {
-  console.warn(result.errors);
-}
-```
-
-## Cache + bundler helpers
-
-```ts
-import { createFilesystemBuilder } from '@frontmcp/uipack/bundler/file-cache';
+- [`@frontmcp/ui`](../ui) — React components that consume these helpers
+- [`@frontmcp/sdk`](../sdk) — core framework and decorators
+- [`@frontmcp/testing`](../testing) — UI assertions for automated testing
 
-const builder = await createFilesystemBuilder('.frontmcp-cache/builds');
-const manifest = await builder.build({ entry: './widgets/weather.tsx' });
-```
-
-## Development
-
-```bash
-yarn nx build uipack
-yarn nx test uipack
-```
-
-## Related packages
+## License
 
-- [`@frontmcp/ui`](../ui/README.md) – Component library that consumes these helpers
-- [`@frontmcp/sdk`](../sdk/README.md) – Core SDK and decorators
-- [`@frontmcp/testing`](../testing/README.md) – UI assertions for automated testing
+Apache-2.0 — see [LICENSE](../../LICENSE).
 
-## License
+<!-- links -->
 
-Apache-2.0
+[docs-overview]: https://docs.agentfront.dev/frontmcp/ui/overview
+[docs-theme]: https://docs.agentfront.dev/frontmcp/ui/theming
+[docs-build]: https://docs.agentfront.dev/frontmcp/ui/build-tools
+[docs-build-modes]: https://docs.agentfront.dev/frontmcp/ui/build-modes
+[docs-runtime]: https://docs.agentfront.dev/frontmcp/ui/runtime
+[docs-adapters]: https://docs.agentfront.dev/frontmcp/ui/adapters
+[docs-validation]: https://docs.agentfront.dev/frontmcp/ui/validation
+[docs-bundler]: https://docs.agentfront.dev/frontmcp/ui/bundler

package/bundler/index.js

@@ -1023,7 +1023,7 @@ function throwOnViolations(violations) {
 }
 
 // libs/uipack/src/bundler/sandbox/enclave-adapter.ts
-var import_enclave_vm = require("enclave-vm");
+var import_core = require("@enclave-vm/core");
 var DEFAULT_ENCLAVE_OPTIONS = {
   securityLevel: "SECURE",
   timeout: 5e3,
@@ -1189,7 +1189,7 @@ async function executeCode(code, context = {}) {
     }
   };
   globals["require"] = buildRequireFunction(context);
-  const enclave = new import_enclave_vm.Enclave({
+  const enclave = new import_core.Enclave({
     ...DEFAULT_ENCLAVE_OPTIONS,
     timeout: context.timeout ?? DEFAULT_ENCLAVE_OPTIONS.timeout,
     maxIterations: context.maxIterations ?? DEFAULT_ENCLAVE_OPTIONS.maxIterations,

package/esm/bundler/index.mjs

@@ -959,7 +959,7 @@ function throwOnViolations(violations) {
 }
 
 // libs/uipack/src/bundler/sandbox/enclave-adapter.ts
-import { Enclave } from "enclave-vm";
+import { Enclave } from "@enclave-vm/core";
 var DEFAULT_ENCLAVE_OPTIONS = {
   securityLevel: "SECURE",
   timeout: 5e3,

package/esm/index.mjs

@@ -797,6 +797,184 @@ var init_theme2 = __esm({
   }
 });
 
+// libs/uipack/src/runtime/sanitizer.ts
+import DOMPurify from "dompurify";
+function isEmail(value) {
+  return PII_PATTERNS.email.test(value);
+}
+function isPhone(value) {
+  return PII_PATTERNS.phone.test(value);
+}
+function isCreditCard(value) {
+  const digits = value.replace(/[-\s]/g, "");
+  return digits.length >= 13 && digits.length <= 19 && PII_PATTERNS.creditCard.test(value);
+}
+function isSSN(value) {
+  return PII_PATTERNS.ssn.test(value);
+}
+function isIPv4(value) {
+  return PII_PATTERNS.ipv4.test(value);
+}
+function detectPIIType(value) {
+  if (isEmail(value)) return "EMAIL";
+  if (isCreditCard(value)) return "CARD";
+  if (isSSN(value)) return "ID";
+  if (isPhone(value)) return "PHONE";
+  if (isIPv4(value)) return "IP";
+  return null;
+}
+function redactPIIFromText(text) {
+  if (text.length > MAX_PII_TEXT_LENGTH) {
+    return text;
+  }
+  let result = text;
+  result = result.replace(PII_PATTERNS.creditCardInText, REDACTION_TOKENS.CARD);
+  result = result.replace(PII_PATTERNS.ssnInText, REDACTION_TOKENS.ID);
+  result = result.replace(PII_PATTERNS.emailInText, REDACTION_TOKENS.EMAIL);
+  result = result.replace(PII_PATTERNS.phoneInText, REDACTION_TOKENS.PHONE);
+  result = result.replace(PII_PATTERNS.ipv4InText, REDACTION_TOKENS.IP);
+  return result;
+}
+function sanitizeValue(key, value, path, options, depth, visited) {
+  const maxDepth = options.maxDepth ?? 10;
+  if (depth > maxDepth) {
+    return value;
+  }
+  if (value === null || value === void 0) {
+    return value;
+  }
+  if (typeof options.mode === "function") {
+    return options.mode(key, value, path);
+  }
+  if (Array.isArray(options.mode)) {
+    const lowerKey = key.toLowerCase();
+    if (options.mode.some((f) => f.toLowerCase() === lowerKey)) {
+      return REDACTION_TOKENS.REDACTED;
+    }
+  }
+  if (typeof value === "string") {
+    if (options.mode === true) {
+      const piiType = detectPIIType(value);
+      if (piiType) {
+        return REDACTION_TOKENS[piiType];
+      }
+      if (options.sanitizeInText !== false) {
+        const redacted = redactPIIFromText(value);
+        if (redacted !== value) {
+          return redacted;
+        }
+      }
+    }
+    return value;
+  }
+  if (Array.isArray(value)) {
+    if (visited.has(value)) {
+      return REDACTION_TOKENS.REDACTED;
+    }
+    visited.add(value);
+    return value.map(
+      (item, index) => sanitizeValue(String(index), item, [...path, String(index)], options, depth + 1, visited)
+    );
+  }
+  if (typeof value === "object") {
+    if (visited.has(value)) {
+      return REDACTION_TOKENS.REDACTED;
+    }
+    visited.add(value);
+    const result = {};
+    for (const [k, v] of Object.entries(value)) {
+      result[k] = sanitizeValue(k, v, [...path, k], options, depth + 1, visited);
+    }
+    return result;
+  }
+  return value;
+}
+function sanitizeInput(input, mode = true) {
+  if (!input || typeof input !== "object") {
+    return {};
+  }
+  const options = {
+    mode,
+    maxDepth: 10,
+    sanitizeInText: true
+  };
+  const visited = /* @__PURE__ */ new WeakSet();
+  return sanitizeValue("", input, [], options, 0, visited);
+}
+function createSanitizer(mode = true) {
+  return (input) => sanitizeInput(input, mode);
+}
+function detectPII(input, options) {
+  const maxDepth = options?.maxDepth ?? 10;
+  const fields = [];
+  const visited = /* @__PURE__ */ new WeakSet();
+  const check = (value, path, depth) => {
+    if (depth > maxDepth) return;
+    if (value === null || value === void 0) return;
+    if (typeof value === "string") {
+      if (detectPIIType(value)) {
+        fields.push(path.join("."));
+      }
+      return;
+    }
+    if (Array.isArray(value)) {
+      if (visited.has(value)) return;
+      visited.add(value);
+      value.forEach((item, index) => check(item, [...path, String(index)], depth + 1));
+      return;
+    }
+    if (typeof value === "object") {
+      if (visited.has(value)) return;
+      visited.add(value);
+      for (const [k, v] of Object.entries(value)) {
+        check(v, [...path, k], depth + 1);
+      }
+    }
+  };
+  check(input, [], 0);
+  return {
+    hasPII: fields.length > 0,
+    fields
+  };
+}
+var REDACTION_TOKENS, PII_PATTERNS, MAX_PII_TEXT_LENGTH;
+var init_sanitizer = __esm({
+  "libs/uipack/src/runtime/sanitizer.ts"() {
+    "use strict";
+    REDACTION_TOKENS = {
+      EMAIL: "[EMAIL]",
+      PHONE: "[PHONE]",
+      CARD: "[CARD]",
+      ID: "[ID]",
+      IP: "[IP]",
+      REDACTED: "[REDACTED]"
+    };
+    PII_PATTERNS = {
+      // Email: user@domain.tld
+      email: /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/,
+      // Email embedded in text
+      emailInText: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+      // Phone: Various formats (US-centric but flexible)
+      phone: /^[+]?[(]?[0-9]{1,4}[)]?[-\s.]?[0-9]{1,4}[-\s.]?[0-9]{1,9}$/,
+      // Phone embedded in text
+      phoneInText: /(?:\+?1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}/g,
+      // Credit card: 13-19 digits (with optional separators)
+      creditCard: /^(?:[0-9]{4}[-\s]?){3,4}[0-9]{1,4}$/,
+      // Credit card embedded in text
+      creditCardInText: /\b(?:[0-9]{4}[-\s]?){3,4}[0-9]{1,4}\b/g,
+      // SSN: XXX-XX-XXXX
+      ssn: /^[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}$/,
+      // SSN embedded in text
+      ssnInText: /\b[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}\b/g,
+      // IPv4 address
+      ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
+      // IPv4 embedded in text
+      ipv4InText: /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g
+    };
+    MAX_PII_TEXT_LENGTH = 1e5;
+  }
+});
+
 // libs/uipack/src/renderers/utils/detect.ts
 function isReactComponent(value) {
   if (typeof value !== "function") {
@@ -6491,8 +6669,14 @@ var MCP_BRIDGE_RUNTIME = `
 </script>
 `;
 function getMCPBridgeScript() {
-  const match = MCP_BRIDGE_RUNTIME.match(/<script>([\s\S]*?)<\/script>/);
-  return match ? match[1].trim() : "";
+  const openTag = "<script>";
+  const closeTag = "</script>";
+  const startIdx = MCP_BRIDGE_RUNTIME.indexOf(openTag);
+  const endIdx = MCP_BRIDGE_RUNTIME.lastIndexOf(closeTag);
+  if (startIdx === -1 || endIdx === -1 || endIdx <= startIdx) {
+    return "";
+  }
+  return MCP_BRIDGE_RUNTIME.slice(startIdx + openTag.length, endIdx).trim();
 }
 function isMCPBridgeSupported() {
   if (typeof window === "undefined") return false;
@@ -6587,179 +6771,7 @@ function sanitizeCSPDomains(domains) {
 // libs/uipack/src/runtime/wrapper.ts
 init_theme2();
 init_utils();
-
-// libs/uipack/src/runtime/sanitizer.ts
-var REDACTION_TOKENS = {
-  EMAIL: "[EMAIL]",
-  PHONE: "[PHONE]",
-  CARD: "[CARD]",
-  ID: "[ID]",
-  IP: "[IP]",
-  REDACTED: "[REDACTED]"
-};
-var PII_PATTERNS = {
-  // Email: user@domain.tld
-  email: /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/,
-  // Email embedded in text
-  emailInText: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
-  // Phone: Various formats (US-centric but flexible)
-  phone: /^[+]?[(]?[0-9]{1,4}[)]?[-\s.]?[0-9]{1,4}[-\s.]?[0-9]{1,9}$/,
-  // Phone embedded in text
-  phoneInText: /(?:\+?1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}/g,
-  // Credit card: 13-19 digits (with optional separators)
-  creditCard: /^(?:[0-9]{4}[-\s]?){3,4}[0-9]{1,4}$/,
-  // Credit card embedded in text
-  creditCardInText: /\b(?:[0-9]{4}[-\s]?){3,4}[0-9]{1,4}\b/g,
-  // SSN: XXX-XX-XXXX
-  ssn: /^[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}$/,
-  // SSN embedded in text
-  ssnInText: /\b[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}\b/g,
-  // IPv4 address
-  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
-  // IPv4 embedded in text
-  ipv4InText: /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g
-};
-function isEmail(value) {
-  return PII_PATTERNS.email.test(value);
-}
-function isPhone(value) {
-  return PII_PATTERNS.phone.test(value);
-}
-function isCreditCard(value) {
-  const digits = value.replace(/[-\s]/g, "");
-  return digits.length >= 13 && digits.length <= 19 && PII_PATTERNS.creditCard.test(value);
-}
-function isSSN(value) {
-  return PII_PATTERNS.ssn.test(value);
-}
-function isIPv4(value) {
-  return PII_PATTERNS.ipv4.test(value);
-}
-function detectPIIType(value) {
-  if (isEmail(value)) return "EMAIL";
-  if (isCreditCard(value)) return "CARD";
-  if (isSSN(value)) return "ID";
-  if (isPhone(value)) return "PHONE";
-  if (isIPv4(value)) return "IP";
-  return null;
-}
-var MAX_PII_TEXT_LENGTH = 1e5;
-function redactPIIFromText(text) {
-  if (text.length > MAX_PII_TEXT_LENGTH) {
-    return text;
-  }
-  let result = text;
-  result = result.replace(PII_PATTERNS.creditCardInText, REDACTION_TOKENS.CARD);
-  result = result.replace(PII_PATTERNS.ssnInText, REDACTION_TOKENS.ID);
-  result = result.replace(PII_PATTERNS.emailInText, REDACTION_TOKENS.EMAIL);
-  result = result.replace(PII_PATTERNS.phoneInText, REDACTION_TOKENS.PHONE);
-  result = result.replace(PII_PATTERNS.ipv4InText, REDACTION_TOKENS.IP);
-  return result;
-}
-function sanitizeValue(key, value, path, options, depth, visited) {
-  const maxDepth = options.maxDepth ?? 10;
-  if (depth > maxDepth) {
-    return value;
-  }
-  if (value === null || value === void 0) {
-    return value;
-  }
-  if (typeof options.mode === "function") {
-    return options.mode(key, value, path);
-  }
-  if (Array.isArray(options.mode)) {
-    const lowerKey = key.toLowerCase();
-    if (options.mode.some((f) => f.toLowerCase() === lowerKey)) {
-      return REDACTION_TOKENS.REDACTED;
-    }
-  }
-  if (typeof value === "string") {
-    if (options.mode === true) {
-      const piiType = detectPIIType(value);
-      if (piiType) {
-        return REDACTION_TOKENS[piiType];
-      }
-      if (options.sanitizeInText !== false) {
-        const redacted = redactPIIFromText(value);
-        if (redacted !== value) {
-          return redacted;
-        }
-      }
-    }
-    return value;
-  }
-  if (Array.isArray(value)) {
-    if (visited.has(value)) {
-      return REDACTION_TOKENS.REDACTED;
-    }
-    visited.add(value);
-    return value.map(
-      (item, index) => sanitizeValue(String(index), item, [...path, String(index)], options, depth + 1, visited)
-    );
-  }
-  if (typeof value === "object") {
-    if (visited.has(value)) {
-      return REDACTION_TOKENS.REDACTED;
-    }
-    visited.add(value);
-    const result = {};
-    for (const [k, v] of Object.entries(value)) {
-      result[k] = sanitizeValue(k, v, [...path, k], options, depth + 1, visited);
-    }
-    return result;
-  }
-  return value;
-}
-function sanitizeInput(input, mode = true) {
-  if (!input || typeof input !== "object") {
-    return {};
-  }
-  const options = {
-    mode,
-    maxDepth: 10,
-    sanitizeInText: true
-  };
-  const visited = /* @__PURE__ */ new WeakSet();
-  return sanitizeValue("", input, [], options, 0, visited);
-}
-function createSanitizer(mode = true) {
-  return (input) => sanitizeInput(input, mode);
-}
-function detectPII(input, options) {
-  const maxDepth = options?.maxDepth ?? 10;
-  const fields = [];
-  const visited = /* @__PURE__ */ new WeakSet();
-  const check = (value, path, depth) => {
-    if (depth > maxDepth) return;
-    if (value === null || value === void 0) return;
-    if (typeof value === "string") {
-      if (detectPIIType(value)) {
-        fields.push(path.join("."));
-      }
-      return;
-    }
-    if (Array.isArray(value)) {
-      if (visited.has(value)) return;
-      visited.add(value);
-      value.forEach((item, index) => check(item, [...path, String(index)], depth + 1));
-      return;
-    }
-    if (typeof value === "object") {
-      if (visited.has(value)) return;
-      visited.add(value);
-      for (const [k, v] of Object.entries(value)) {
-        check(v, [...path, k], depth + 1);
-      }
-    }
-  };
-  check(input, [], 0);
-  return {
-    hasPII: fields.length > 0,
-    fields
-  };
-}
-
-// libs/uipack/src/runtime/wrapper.ts
+init_sanitizer();
 function createTemplateHelpers() {
   let idCounter2 = 0;
   return {
@@ -10909,6 +10921,9 @@ async function buildToolUIMulti(options) {
   };
 }
 
+// libs/uipack/src/runtime/index.ts
+init_sanitizer();
+
 // libs/uipack/src/preview/openai-preview.ts
 init_utils();
 var DEFAULT_WIDGET_CSP = {

package/esm/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/uipack",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "FrontMCP UIpack - Bundling, build tools, and platform adapters for MCP UI development (React-free core)",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",
@@ -58,9 +58,10 @@
     "node": ">=22.0.0"
   },
   "dependencies": {
-    "@frontmcp/utils": "0.8.0",
+    "@frontmcp/utils": "0.9.0",
     "@swc/core": "^1.5.0",
-    "enclave-vm": "^2.7.0",
+    "@enclave-vm/core": "^2.10.1",
+    "dompurify": "^3.3.1",
     "esbuild": "^0.27.1",
     "handlebars": "^4.7.8",
     "zod": "^4.0.0"