@pixelbyte-software/pixcode 1.54.5 → 1.54.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/assets/{index-C8DB6Dud.js → index-D-4VRH1a.js} +1 -1
- package/dist/index.html +1 -1
- package/dist-server/server/index.js +19 -20
- package/dist-server/server/index.js.map +1 -1
- package/dist-server/server/projects.js +10 -2
- package/dist-server/server/projects.js.map +1 -1
- package/package.json +1 -1
- package/server/index.js +18 -20
- package/server/projects.js +9 -3
package/dist/index.html
CHANGED
|
@@ -35,7 +35,7 @@
|
|
|
35
35
|
|
|
36
36
|
<!-- Prevent zoom on iOS -->
|
|
37
37
|
<meta name="format-detection" content="telephone=no" />
|
|
38
|
-
<script type="module" crossorigin src="/assets/index-
|
|
38
|
+
<script type="module" crossorigin src="/assets/index-D-4VRH1a.js"></script>
|
|
39
39
|
<link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
|
|
40
40
|
<link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
|
|
41
41
|
<link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
|
|
@@ -88,7 +88,17 @@ function resolveMonacoAssetsPath() {
|
|
|
88
88
|
import { c } from './utils/colors.js';
|
|
89
89
|
// Server port is logged after binding in startServer() — avoid leaking
|
|
90
90
|
// env configuration to stdout on every import.
|
|
91
|
-
|
|
91
|
+
// node-pty is a native module — use dynamic require so the server doesn't
|
|
92
|
+
// crash on startup if it isn't compiled (allow-scripts blocking, etc.)
|
|
93
|
+
let pty;
|
|
94
|
+
try {
|
|
95
|
+
pty = require('node-pty');
|
|
96
|
+
}
|
|
97
|
+
catch (e) {
|
|
98
|
+
console.warn('[WARN] node-pty native module not available. Terminal/shell features will be disabled.');
|
|
99
|
+
console.warn('[WARN] Run: npm install -g --allow-scripts=better-sqlite3,node-pty @pixelbyte-software/pixcode');
|
|
100
|
+
pty = null;
|
|
101
|
+
}
|
|
92
102
|
import mime from 'mime-types';
|
|
93
103
|
import { getProjects, getSessions, renameProject, deleteSession, deleteProject, extractProjectDirectory, clearProjectDirectoryCache, searchConversations } from './projects.js';
|
|
94
104
|
import { queryClaudeSDK, abortClaudeSDKSession, isClaudeSDKSessionActive, getActiveClaudeSDKSessions, resolveToolApproval, getPendingApprovalsForSession, reconnectSessionWriter } from './claude-sdk.js';
|
|
@@ -1563,32 +1573,17 @@ app.use(cors({
|
|
|
1563
1573
|
credentials: true,
|
|
1564
1574
|
exposedHeaders: ['X-Refreshed-Token'],
|
|
1565
1575
|
}));
|
|
1566
|
-
// Security headers
|
|
1576
|
+
// Security headers — kept lightweight for self-hosted tool compatibility.
|
|
1577
|
+
// CSP removed: it blocked Vite inline modulepreload, Google Fonts, and
|
|
1578
|
+
// IP-based WebSocket access. X-Frame-Options + nosniff are the high-value
|
|
1579
|
+
// headers that don't break anything.
|
|
1567
1580
|
app.use((req, res, next) => {
|
|
1568
1581
|
res.setHeader('X-Content-Type-Options', 'nosniff');
|
|
1569
1582
|
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
|
|
1570
1583
|
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
1571
|
-
res.setHeader('X-XSS-Protection', '1; mode=block');
|
|
1572
|
-
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
|
|
1573
|
-
// Strict-Transport-Security only makes sense over HTTPS; skip for plain HTTP
|
|
1574
|
-
// so local dev doesn't pin an HSTS policy on localhost.
|
|
1575
1584
|
if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
|
|
1576
1585
|
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
1577
1586
|
}
|
|
1578
|
-
// CSP for the SPA shell — relaxed for self-hosted tool accessed from
|
|
1579
|
-
// various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
|
|
1580
|
-
// ws:/wss: in connect-src allows WebSocket from any origin (IP access).
|
|
1581
|
-
res.setHeader('Content-Security-Policy', [
|
|
1582
|
-
"default-src 'self'",
|
|
1583
|
-
"script-src 'self' 'unsafe-inline' 'unsafe-eval'",
|
|
1584
|
-
"style-src 'self' 'unsafe-inline'",
|
|
1585
|
-
"img-src 'self' data: blob: https:",
|
|
1586
|
-
"font-src 'self' data:",
|
|
1587
|
-
"connect-src 'self' ws: wss: http: https:",
|
|
1588
|
-
"frame-ancestors 'self'",
|
|
1589
|
-
"base-uri 'self'",
|
|
1590
|
-
"form-action 'self'",
|
|
1591
|
-
].join('; '));
|
|
1592
1587
|
next();
|
|
1593
1588
|
});
|
|
1594
1589
|
app.use(express.json({
|
|
@@ -4115,6 +4110,10 @@ function handleShellConnection(ws, request) {
|
|
|
4115
4110
|
// already sandboxed, so the flag is safe to use.
|
|
4116
4111
|
...(isRunningAsRoot ? { IS_SANDBOX: '1' } : {}),
|
|
4117
4112
|
};
|
|
4113
|
+
if (!pty) {
|
|
4114
|
+
ws.send(JSON.stringify({ type: 'error', message: 'Terminal not available — node-pty native module is not installed. Run: npm install -g --allow-scripts=better-sqlite3,node-pty @pixelbyte-software/pixcode' }));
|
|
4115
|
+
return;
|
|
4116
|
+
}
|
|
4118
4117
|
shellProcess = pty.spawn(shell, shellArgs, {
|
|
4119
4118
|
name: 'xterm-256color',
|
|
4120
4119
|
cols: termCols,
|