@nocobase/flow-engine 2.0.0-beta.21 → 2.0.0-beta.22

package/lib/JSRunner.js

@@ -35,6 +35,7 @@ const _JSRunner = class _JSRunner {
   globals;
   timeoutMs;
   constructor(options = {}) {
+    var _a, _b;
     const bindWindowFn = /* @__PURE__ */ __name((key) => {
       if (typeof window !== "undefined" && typeof window[key] === "function") {
         return window[key].bind(window);
@@ -42,13 +43,34 @@ const _JSRunner = class _JSRunner {
       const fn = globalThis[key];
       return typeof fn === "function" ? fn.bind(globalThis) : fn;
     }, "bindWindowFn");
+    const providedGlobals = options.globals || {};
+    const liftedGlobals = {};
+    if (!Object.prototype.hasOwnProperty.call(providedGlobals, "Blob")) {
+      try {
+        const blobCtor = (_a = providedGlobals.window) == null ? void 0 : _a.Blob;
+        if (typeof blobCtor !== "undefined") {
+          liftedGlobals.Blob = blobCtor;
+        }
+      } catch {
+      }
+    }
+    if (!Object.prototype.hasOwnProperty.call(providedGlobals, "URL")) {
+      try {
+        const urlCtor = (_b = providedGlobals.window) == null ? void 0 : _b.URL;
+        if (typeof urlCtor !== "undefined") {
+          liftedGlobals.URL = urlCtor;
+        }
+      } catch {
+      }
+    }
     this.globals = {
       console,
       setTimeout: bindWindowFn("setTimeout"),
       clearTimeout: bindWindowFn("clearTimeout"),
       setInterval: bindWindowFn("setInterval"),
       clearInterval: bindWindowFn("clearInterval"),
-      ...options.globals || {}
+      ...liftedGlobals,
+      ...providedGlobals
     };
     this.timeoutMs = options.timeoutMs ?? 5e3;
   }

package/lib/components/settings/wrappers/contextual/DefaultSettingsIcon.js

@@ -521,7 +521,7 @@ const DefaultSettingsIcon = /* @__PURE__ */ __name(({
             };
             items.push({
               key: uniqueKey,
-              label: /* @__PURE__ */ import_react.default.createElement(MenuLabelItem, { title: t(stepInfo.title), uiMode, itemProps })
+              label: /* @__PURE__ */ import_react.default.createElement(MenuLabelItem, { title: stepInfo.title, uiMode, itemProps })
             });
           });
           if (flow.options.divider === "bottom") {
@@ -555,7 +555,7 @@ const DefaultSettingsIcon = /* @__PURE__ */ __name(({
                 const uniqueKey = generateUniqueKey(`${flow.key}:${stepInfo.stepKey}`);
                 items.push({
                   key: uniqueKey,
-                  label: t(stepInfo.title)
+                  label: stepInfo.title
                 });
               });
             });
@@ -567,7 +567,7 @@ const DefaultSettingsIcon = /* @__PURE__ */ __name(({
                 const uniqueKey = generateUniqueKey(`${modelKey}:${flow.key}:${stepInfo.stepKey}`);
                 subMenuChildren.push({
                   key: uniqueKey,
-                  label: t(stepInfo.title)
+                  label: stepInfo.title
                 });
               });
             });

package/lib/flowContext.js

@@ -830,7 +830,8 @@ const _FlowEngineContext = class _FlowEngineContext extends BaseFlowEngineContex
       value: this.engine
     });
     this.defineProperty("sql", {
-      get: /* @__PURE__ */ __name(() => new import_resources.FlowSQLRepository(this), "get")
+      get: /* @__PURE__ */ __name((ctx) => new import_resources.FlowSQLRepository(ctx), "get"),
+      cache: false
     });
     this.defineProperty("dataSourceManager", {
       value: dataSourceManager

package/lib/resources/sqlResource.d.ts

@@ -6,7 +6,7 @@
  * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
-import { FlowEngineContext } from '../flowContext';
+import { FlowContext, FlowEngineContext } from '../flowContext';
 import { BaseRecordResource } from './baseRecordResource';
 type SQLRunOptions = {
     bind?: Record<string, any>;
@@ -20,8 +20,8 @@ type SQLSaveOptions = {
     dataSourceKey?: string;
 };
 export declare class FlowSQLRepository {
-    protected ctx: FlowEngineContext;
-    constructor(ctx: FlowEngineContext);
+    protected ctx: FlowContext;
+    constructor(ctx: FlowContext);
     run(sql: string, options?: SQLRunOptions): Promise<any>;
     save(data: SQLSaveOptions): Promise<void>;
     runById(uid: string, options?: SQLRunOptions): Promise<any>;

package/lib/utils/safeGlobals.js

@@ -196,6 +196,8 @@ function createSafeWindow(extra) {
     Math,
     Date,
     FormData,
+    ...typeof Blob !== "undefined" ? { Blob } : {},
+    ...typeof URL !== "undefined" ? { URL } : {},
     // 事件侦听仅绑定到真实 window，便于少量需要的全局监听
     addEventListener: addEventListener.bind(window),
     // 安全的 window.open 代理

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/flow-engine",
-  "version": "2.0.0-beta.21",
+  "version": "2.0.0-beta.22",
   "private": false,
   "description": "A standalone flow engine for NocoBase, managing workflows, models, and actions.",
   "main": "lib/index.js",
@@ -8,8 +8,8 @@
   "dependencies": {
     "@formily/antd-v5": "1.x",
     "@formily/reactive": "2.x",
-    "@nocobase/sdk": "2.0.0-beta.21",
-    "@nocobase/shared": "2.0.0-beta.21",
+    "@nocobase/sdk": "2.0.0-beta.22",
+    "@nocobase/shared": "2.0.0-beta.22",
     "ahooks": "^3.7.2",
     "dayjs": "^1.11.9",
     "dompurify": "^3.0.2",
@@ -36,5 +36,5 @@
   ],
   "author": "NocoBase Team",
   "license": "AGPL-3.0",
-  "gitHead": "3ea30685d9592934ec578c0b5e8def60a7fcc3c2"
+  "gitHead": "a49874a59e48eda08c1a1570466e8baff00b8a24"
 }

package/src/JSRunner.ts

@@ -34,13 +34,41 @@ export class JSRunner {
       return typeof fn === 'function' ? fn.bind(globalThis) : fn;
     };
 
+    const providedGlobals = options.globals || {};
+    const liftedGlobals: Record<string, any> = {};
+
+    // Auto-lift selected globals from safe window into top-level sandbox globals
+    // so user code can access them directly (e.g. `new Blob(...)`).
+    if (!Object.prototype.hasOwnProperty.call(providedGlobals, 'Blob')) {
+      try {
+        const blobCtor = (providedGlobals as any).window?.Blob;
+        if (typeof blobCtor !== 'undefined') {
+          liftedGlobals.Blob = blobCtor;
+        }
+      } catch {
+        // ignore when window proxy blocks property access
+      }
+    }
+
+    if (!Object.prototype.hasOwnProperty.call(providedGlobals, 'URL')) {
+      try {
+        const urlCtor = (providedGlobals as any).window?.URL;
+        if (typeof urlCtor !== 'undefined') {
+          liftedGlobals.URL = urlCtor;
+        }
+      } catch {
+        // ignore when window proxy blocks property access
+      }
+    }
+
     this.globals = {
       console,
       setTimeout: bindWindowFn('setTimeout'),
       clearTimeout: bindWindowFn('clearTimeout'),
       setInterval: bindWindowFn('setInterval'),
       clearInterval: bindWindowFn('clearInterval'),
-      ...(options.globals || {}),
+      ...liftedGlobals,
+      ...providedGlobals,
     };
     this.timeoutMs = options.timeoutMs ?? 5000; // 默认 5 秒超时
   }

package/src/__tests__/JSRunner.test.ts

@@ -9,6 +9,7 @@
 
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import { JSRunner } from '../JSRunner';
+import { createSafeWindow } from '../utils';
 
 describe('JSRunner', () => {
   let originalSearch: string;
@@ -48,6 +49,69 @@ describe('JSRunner', () => {
     expect(res2.value).toBe('baz');
   });
 
+  it('auto-lifts Blob from injected window to top-level globals', async () => {
+    if (typeof Blob === 'undefined') {
+      return;
+    }
+
+    const runner = new JSRunner({
+      globals: {
+        window: createSafeWindow(),
+      },
+    });
+
+    const result = await runner.run('return new Blob(["x"]).size');
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(1);
+  });
+
+  it('keeps explicit globals.Blob higher priority than auto-lifted Blob', async () => {
+    const explicitBlob = function ExplicitBlob(this: any, chunks: any[]) {
+      this.size = Array.isArray(chunks) ? chunks.length : 0;
+    } as any;
+
+    const runner = new JSRunner({
+      globals: {
+        window: createSafeWindow(),
+        Blob: explicitBlob,
+      },
+    });
+
+    const result = await runner.run('const b = new Blob([1,2,3]); return b.size;');
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(3);
+  });
+
+  it('auto-lifts URL from injected window to top-level globals', async () => {
+    const runner = new JSRunner({
+      globals: {
+        window: createSafeWindow(),
+      },
+    });
+
+    const result = await runner.run('return typeof URL.createObjectURL === "function"');
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(true);
+  });
+
+  it('keeps explicit globals.URL higher priority than auto-lifted URL', async () => {
+    const explicitURL = {
+      createObjectURL: () => 'explicit://url',
+      revokeObjectURL: (_url: string) => undefined,
+    };
+
+    const runner = new JSRunner({
+      globals: {
+        window: createSafeWindow(),
+        URL: explicitURL,
+      },
+    });
+
+    const result = await runner.run('return URL.createObjectURL(new Blob(["x"]))');
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('explicit://url');
+  });
+
   it('exposes console in sandbox by default', async () => {
     const runner = new JSRunner();
     const result = await runner.run('return typeof console !== "undefined"');

package/src/__tests__/flowContext.test.ts

@@ -759,6 +759,84 @@ describe('FlowEngine context', () => {
     expect(engine.context.appName).toBe('NocoBase');
   });
 
+  it('ctx.sql should resolve template variables from caller context in delegate chain', async () => {
+    const engine = new FlowEngine();
+    const request = vi.fn(async () => ({ data: { data: [] } }));
+    engine.context.defineProperty('api', {
+      value: { request },
+    });
+    engine.context.defineProperty('minId', {
+      get: () => 999,
+      cache: false,
+    });
+
+    const callerCtx = new FlowContext();
+    callerCtx.addDelegate(engine.context);
+    callerCtx.defineProperty('minId', {
+      get: () => 1,
+      cache: false,
+    });
+
+    await callerCtx.sql.run('SELECT * FROM users WHERE id > {{ctx.minId}}', { type: 'selectRows' });
+
+    expect(request).toHaveBeenCalledTimes(1);
+    const config = request.mock.calls[0]?.[0];
+    expect(config?.url).toBe('flowSql:run');
+    expect(config?.data.bind.__var1).toBe(1);
+  });
+
+  it('ctx.sql should not share repository instance between different caller contexts', async () => {
+    const engine = new FlowEngine();
+    const request = vi.fn(async () => ({ data: { data: [] } }));
+    engine.context.defineProperty('api', {
+      value: { request },
+    });
+
+    const caller1 = new FlowContext();
+    caller1.addDelegate(engine.context);
+    caller1.defineProperty('minId', {
+      get: () => 1,
+      cache: false,
+    });
+
+    const caller2 = new FlowContext();
+    caller2.addDelegate(engine.context);
+    caller2.defineProperty('minId', {
+      get: () => 2,
+      cache: false,
+    });
+
+    expect(caller1.sql).not.toBe(caller2.sql);
+
+    await caller1.sql.run('SELECT * FROM users WHERE id > {{ctx.minId}}', { type: 'selectRows' });
+    await caller2.sql.run('SELECT * FROM users WHERE id > {{ctx.minId}}', { type: 'selectRows' });
+
+    expect(request).toHaveBeenCalledTimes(2);
+    const config1 = request.mock.calls[0]?.[0];
+    const config2 = request.mock.calls[1]?.[0];
+    expect(config1?.data.bind.__var1).toBe(1);
+    expect(config2?.data.bind.__var1).toBe(2);
+  });
+
+  it('engine.context.sql should keep working when accessed directly', async () => {
+    const engine = new FlowEngine();
+    const request = vi.fn(async () => ({ data: { data: [] } }));
+    engine.context.defineProperty('api', {
+      value: { request },
+    });
+    engine.context.defineProperty('minId', {
+      get: () => 3,
+      cache: false,
+    });
+
+    await engine.context.sql.run('SELECT * FROM users WHERE id > {{ctx.minId}}', { type: 'selectRows' });
+
+    expect(request).toHaveBeenCalledTimes(1);
+    const config = request.mock.calls[0]?.[0];
+    expect(config?.url).toBe('flowSql:run');
+    expect(config?.data.bind.__var1).toBe(3);
+  });
+
   it('engine.context.getVar should resolve variable by path', async () => {
     const engine = new FlowEngine();
     engine.context.defineProperty('foo', { value: { bar: 1 } });

package/src/components/settings/wrappers/contextual/DefaultSettingsIcon.tsx

@@ -614,7 +614,7 @@ export const DefaultSettingsIcon: React.FC<DefaultSettingsIconProps> = ({
             };
             items.push({
               key: uniqueKey,
-              label: <MenuLabelItem title={t(stepInfo.title)} uiMode={uiMode} itemProps={itemProps} />,
+              label: <MenuLabelItem title={stepInfo.title} uiMode={uiMode} itemProps={itemProps} />,
             });
           });
           if (flow.options.divider === 'bottom') {
@@ -656,7 +656,7 @@ export const DefaultSettingsIcon: React.FC<DefaultSettingsIconProps> = ({
 
                 items.push({
                   key: uniqueKey,
-                  label: t(stepInfo.title),
+                  label: stepInfo.title,
                 });
               });
             });
@@ -671,7 +671,7 @@ export const DefaultSettingsIcon: React.FC<DefaultSettingsIconProps> = ({
 
                 subMenuChildren.push({
                   key: uniqueKey,
-                  label: t(stepInfo.title),
+                  label: stepInfo.title,
                 });
               });
             });

package/src/flowContext.ts

@@ -1144,7 +1144,8 @@ export class FlowEngineContext extends BaseFlowEngineContext {
       value: this.engine,
     });
     this.defineProperty('sql', {
-      get: () => new FlowSQLRepository(this),
+      get: (ctx) => new FlowSQLRepository(ctx),
+      cache: false,
     });
     this.defineProperty('dataSourceManager', {
       value: dataSourceManager,

package/src/resources/sqlResource.ts

@@ -27,10 +27,10 @@ type SQLSaveOptions = {
 };
 
 export class FlowSQLRepository {
-  protected ctx: FlowEngineContext;
+  protected ctx: FlowContext;
 
-  constructor(ctx: FlowEngineContext) {
-    this.ctx = new FlowContext() as FlowEngineContext;
+  constructor(ctx: FlowContext) {
+    this.ctx = new FlowContext();
     this.ctx.addDelegate(ctx);
     this.ctx.defineProperty('offset', {
       get: () => 0,

package/src/utils/__tests__/safeGlobals.test.ts

@@ -28,6 +28,14 @@ describe('safeGlobals', () => {
     expect(win.console).toBeDefined();
     expect(win.foo).toBe(123);
     expect(new win.FormData()).toBeInstanceOf(window.FormData);
+    if (typeof window.Blob !== 'undefined') {
+      expect(typeof win.Blob).toBe('function');
+      expect(new win.Blob(['x'])).toBeInstanceOf(window.Blob);
+    }
+    if (typeof window.URL !== 'undefined') {
+      expect(win.URL).toBe(window.URL);
+      expect(typeof win.URL.createObjectURL).toBe('function');
+    }
     // access to location proxy is allowed, but sensitive props throw
     expect(() => win.location.href).toThrow(/not allowed/);
   });

package/src/utils/safeGlobals.ts

@@ -9,7 +9,7 @@
 
 /**
  * 统一的安全全局对象代理：window/document/navigator
- * - window：仅允许常用的定时器、console、Math、Date、FormData、addEventListener、open（安全包装）、location（安全代理）
+ * - window：仅允许常用的定时器、console、Math、Date、FormData、Blob、URL、addEventListener、open（安全包装）、location（安全代理）
  * - document：仅允许 createElement/querySelector/querySelectorAll
  * - navigator：仅提供极少量低风险能力（clipboard.writeText、onLine、language、languages）
  * - 不允许随意访问未声明的属性，最小权限原则
@@ -211,6 +211,8 @@ export function createSafeWindow(extra?: Record<string, any>) {
     Math,
     Date,
     FormData,
+    ...(typeof Blob !== 'undefined' ? { Blob } : {}),
+    ...(typeof URL !== 'undefined' ? { URL } : {}),
     // 事件侦听仅绑定到真实 window，便于少量需要的全局监听
     addEventListener: addEventListener.bind(window),
     // 安全的 window.open 代理