npm - @mrclrchtr/supi-web - Versions diffs - 0.1.0 → 1.0.0 - Mend

@mrclrchtr/supi-web 0.1.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/node_modules/@mrclrchtr/supi-core/package.json +1 -5
package/package.json +4 -10
package/src/convert.ts +17 -4
package/src/web.ts +25 -7

package/node_modules/@mrclrchtr/supi-core/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mrclrchtr/supi-core",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "SuPi core — shared infrastructure for SuPi extensions (XML context tags, config system)",
   "license": "MIT",
   "repository": {
@@ -22,9 +22,5 @@
     "@earendil-works/pi-coding-agent": "*",
     "@earendil-works/pi-tui": "*"
   },
-  "devDependencies": {
-    "@types/node": "^25.6.0",
-    "vitest": "^4.1.4"
-  },
   "main": "src/index.ts"
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mrclrchtr/supi-web",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "SuPi Web extension — fetch web pages as clean Markdown (web_fetch_md) and library docs via Context7 (web_docs_search, web_docs_fetch)",
   "license": "MIT",
   "repository": {
@@ -20,12 +20,12 @@
     "README.md"
   ],
   "dependencies": {
-    "@mrclrchtr/supi-core": "workspace:*",
     "@upstash/context7-sdk": "^0.3.0",
-    "jsdom": "^26.1.0",
+    "jsdom": "^29.0.0",
     "@mozilla/readability": "^0.6.0",
     "turndown": "^7.2.0",
-    "turndown-plugin-gfm": "^1.0.2"
+    "turndown-plugin-gfm": "^1.0.2",
+    "@mrclrchtr/supi-core": "1.0.0"
   },
   "bundledDependencies": [
     "@mrclrchtr/supi-core"
@@ -34,12 +34,6 @@
     "@earendil-works/pi-coding-agent": "*",
     "typebox": "*"
   },
-  "devDependencies": {
-    "vitest": "^4.1.5",
-    "@types/jsdom": "^21.1.7",
-    "@types/turndown": "^5.0.6",
-    "@mrclrchtr/supi-test-utils": "workspace:*"
-  },
   "pi": {
     "extensions": [
       "./src/web.ts",

package/src/convert.ts CHANGED Viewed

@@ -110,6 +110,17 @@ function absolutizeLinks(root: Element, baseUrl: string): void {
   }
 }
+/** Dangerous URI schemes that must never be used in href/src attributes. */
+const DANGEROUS_SCHEMES = ["javascript:", "data:", "vbscript:", "file:"];
+function hasDangerousScheme(value: string): boolean {
+  // Case-insensitive scheme check: split on first ':' and compare lowercased
+  const colonIndex = value.indexOf(":");
+  if (colonIndex === -1) return false;
+  const scheme = value.slice(0, colonIndex + 1).toLowerCase();
+  return DANGEROUS_SCHEMES.includes(scheme);
+}
 function resolveUrl(href: string, baseUrl: string): string {
   const trimmed = String(href || "").trim();
   if (
@@ -120,14 +131,16 @@ function resolveUrl(href: string, baseUrl: string): string {
   ) {
     return trimmed;
   }
-  if (trimmed.startsWith("javascript:")) {
+  if (hasDangerousScheme(trimmed)) {
     return "";
   }
   try {
     const resolved = new URL(trimmed, baseUrl);
-    return resolved.protocol === "http:" || resolved.protocol === "https:"
-      ? resolved.toString()
-      : trimmed;
+    // Even after URL resolution, reject any non-http/https protocols
+    if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
+      return "";
+    }
+    return resolved.toString();
   } catch {
     return trimmed;
   }

package/src/web.ts CHANGED Viewed

@@ -2,6 +2,7 @@
  * SuPi Web extension entry point — registers the `web_fetch_md` tool with pi.
  */
+import { spawnSync } from "node:child_process";
 import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
 import { Type } from "typebox";
 import { htmlToMarkdown, wrapAsCodeBlock } from "./convert.ts";
@@ -26,12 +27,29 @@ Links and images are absolutized by default. Use \`abs_links: false\` to keep th
 const PROMPT_SNIPPET =
   "web_fetch_md — fetch a URL and convert it to clean Markdown suitable for LLM ingestion.";
-const PROMPT_GUIDELINES = [
-  "Use web_fetch_md to fetch web pages and convert them to clean Markdown for LLM ingestion.",
-  "Only accept real `http://` or `https://` URLs; stop and ask the user for an allowed source if the page is access-controlled.",
-  "Prefer `output_mode: auto` (default) so large pages are written to temp files instead of flooding the context window.",
-  "Set `abs_links: false` only when relative links are intentional (e.g., local documentation).",
-];
+function isGhAvailable(): boolean {
+  try {
+    const result = spawnSync("gh", ["--version"], { stdio: "ignore" });
+    return result.status === 0;
+  } catch {
+    return false;
+  }
+}
+function buildPromptGuidelines(): string[] {
+  const guidelines = [
+    "Use web_fetch_md to fetch web pages and convert them to clean Markdown for LLM ingestion.",
+    "Only accept real `http://` or `https://` URLs; stop and ask the user for an allowed source if the page is access-controlled.",
+    "Prefer `output_mode: auto` (default) so large pages are written to temp files instead of flooding the context window.",
+    "Set `abs_links: false` only when relative links are intentional (e.g., local documentation).",
+  ];
+  if (isGhAvailable()) {
+    guidelines.push(
+      "For GitHub URLs (e.g., repos, issues, PRs, releases), prefer the `gh` CLI via `bash` over this tool.",
+    );
+  }
+  return guidelines;
+}
 const OutputModeEnum = Type.Union(
   [Type.Literal("auto"), Type.Literal("inline"), Type.Literal("file")],
@@ -44,7 +62,7 @@ export default function webExtension(pi: ExtensionAPI): void {
     label: TOOL_LABEL,
     description: TOOL_DESCRIPTION,
     promptSnippet: PROMPT_SNIPPET,
-    promptGuidelines: PROMPT_GUIDELINES,
+    promptGuidelines: buildPromptGuidelines(),
     parameters: Type.Object({
       url: Type.String({ description: "http(s) URL to fetch" }),
       output_mode: Type.Optional(OutputModeEnum),