@nsxbet/admin-sdk 0.9.0 → 0.9.2

package/README.md

@@ -454,7 +454,7 @@ TypeScript declarations for environment variables and platform API:
 
 declare global {
   interface ImportMetaEnv {
-    readonly VITE_ALLOWED_MODULE_ORIGINS?: string;
+    readonly VITE_ALLOWED_MODULE_ORIGINS?: string; // legacy build-time fallback
   }
 
   interface ImportMeta {
@@ -501,7 +501,7 @@ MOCK_AUTH=true
 # Module URL allowlist (shell mode only). Comma-separated patterns.
 # Supports *.domain wildcard (e.g. *.nsx.dev matches modules.nsx.dev, nsx.dev).
 # In dev mode, localhost and 127.0.0.1 are always allowed.
-# VITE_ALLOWED_MODULE_ORIGINS=*.nsx.dev,*.nsx.services
+# ALLOWED_MODULE_ORIGINS=*.nsx.dev,*.nsx.services
 ```
 
 ## Manifest Schema (`admin.module.json`)
@@ -1129,13 +1129,15 @@ ADMIN_GATEWAY_URL=https://admin-bff-stg.nsx.dev
 
 ## Module URL Allowlist (Shell Mode)
 
-When the shell loads modules dynamically from URLs, it validates each URL against `VITE_ALLOWED_MODULE_ORIGINS` before `import()` or `loadScript()`.
+When the shell loads modules dynamically from URLs, it validates each URL against `ALLOWED_MODULE_ORIGINS` before `import()` or `loadScript()`.
+
+**Resolution order:** `window.__ENV__.ALLOWED_MODULE_ORIGINS` (runtime) → `import.meta.env.VITE_ALLOWED_MODULE_ORIGINS` (build-time fallback).
 
 **Format:** Comma-separated patterns supporting `*.domain` wildcard (e.g. `*.nsx.dev` matches `modules.nsx.dev`, `cdn.nsx.dev`, and apex `nsx.dev`).
 
 **Dev mode:** `localhost` and `127.0.0.1` are always allowed regardless of the allowlist, so local dev servers work without configuration.
 
-**Production:** Set `VITE_ALLOWED_MODULE_ORIGINS` in your build environment. If unset or empty, all module loads fail with a clear error.
+**Production:** Set `ALLOWED_MODULE_ORIGINS` in your environment (K8s `envs`, Docker `-e`, or `.env` locally). If unset or empty, all module loads fail with a clear error.
 
 ## BFF / Okta cookie auth (recommended)
 

package/dist/router/url-allowlist.d.ts

@@ -1,12 +1,16 @@
 /**
  * Module URL allowlist validation
  *
- * Validates module URLs against VITE_ALLOWED_MODULE_ORIGINS before
+ * Validates module URLs against ALLOWED_MODULE_ORIGINS before
  * import() or loadScript() to prevent loading code from untrusted origins.
+ *
+ * Resolution order:
+ *   1. window.__ENV__.ALLOWED_MODULE_ORIGINS  (runtime — Docker/K8s)
+ *   2. import.meta.env.VITE_ALLOWED_MODULE_ORIGINS  (build-time — local dev)
  */
 /** Options for validateModuleUrl (used by tests to override env) */
 export interface ValidateModuleUrlOptions {
-    /** Override allowlist (comma-separated patterns). Default: VITE_ALLOWED_MODULE_ORIGINS */
+    /** Override allowlist (comma-separated patterns). Default: ALLOWED_MODULE_ORIGINS */
     allowlist?: string;
     /** Override dev mode. Default: import.meta.env.DEV */
     isDev?: boolean;

package/dist/router/url-allowlist.js

@@ -1,8 +1,12 @@
 /**
  * Module URL allowlist validation
  *
- * Validates module URLs against VITE_ALLOWED_MODULE_ORIGINS before
+ * Validates module URLs against ALLOWED_MODULE_ORIGINS before
  * import() or loadScript() to prevent loading code from untrusted origins.
+ *
+ * Resolution order:
+ *   1. window.__ENV__.ALLOWED_MODULE_ORIGINS  (runtime — Docker/K8s)
+ *   2. import.meta.env.VITE_ALLOWED_MODULE_ORIGINS  (build-time — local dev)
  */
 /**
  * Parse allowlist patterns from comma-separated string.
@@ -48,14 +52,16 @@ export function validateModuleUrl(url, options) {
     }
     const hostname = parsed.hostname;
     const isDev = options?.isDev ?? import.meta.env.DEV === true;
-    const rawAllowlist = options?.allowlist ?? import.meta.env.VITE_ALLOWED_MODULE_ORIGINS;
+    const rawAllowlist = options?.allowlist
+        ?? (typeof window !== 'undefined' ? window.__ENV__?.ALLOWED_MODULE_ORIGINS : undefined)
+        ?? import.meta.env.VITE_ALLOWED_MODULE_ORIGINS;
     // Dev mode: always allow localhost and 127.0.0.1
     if (isDev && (hostname === 'localhost' || hostname === '127.0.0.1')) {
         return;
     }
     const patterns = getAllowlistPatterns(rawAllowlist);
     if (patterns.length === 0) {
-        throw new Error(`[DynamicModule] Module URL "${url}" rejected: VITE_ALLOWED_MODULE_ORIGINS is not set or empty. ` +
+        throw new Error(`[DynamicModule] Module URL "${url}" rejected: ALLOWED_MODULE_ORIGINS is not set or empty. ` +
             'Configure trusted origins (e.g. *.nsx.dev,*.nsx.services) in your environment.');
     }
     const allowed = patterns.some((p) => hostnameMatchesPattern(hostname, p));

package/dist/sdk-version.js

@@ -2,4 +2,4 @@
  * Semver of @nsxbet/admin-sdk (synced from package.json by scripts/write-sdk-version.mjs).
  * Do not edit manually — run `node scripts/write-sdk-version.mjs` after version bumps.
  */
-export const SDK_PACKAGE_VERSION = "0.9.0";
+export const SDK_PACKAGE_VERSION = "0.9.2";

package/dist/vite/config.js

@@ -134,10 +134,14 @@ export function adminModule(options = {}) {
     }
     const buildConfigPlugin = {
         name: "admin-module-build-config",
-        config(_config, { command }) {
+        config(_config, { command, mode }) {
             if (command !== "build" || !isModuleBuild())
                 return;
             return {
+                define: {
+                    "process.env": {},
+                    "process.env.NODE_ENV": JSON.stringify(mode === "development" ? "development" : "production"),
+                },
                 build: {
                     outDir,
                     emptyOutDir: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nsxbet/admin-sdk",
-  "version": "0.9.0",
+  "version": "0.9.2",
   "description": "SDK for building NSX Admin modules with integrated shell",
   "type": "module",
   "main": "./dist/index.js",