@pixelbyte-software/pixcode 1.54.5 → 1.54.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.html CHANGED
@@ -35,7 +35,7 @@
35
35
 
36
36
  <!-- Prevent zoom on iOS -->
37
37
  <meta name="format-detection" content="telephone=no" />
38
- <script type="module" crossorigin src="/assets/index-C8DB6Dud.js"></script>
38
+ <script type="module" crossorigin src="/assets/index-D-4VRH1a.js"></script>
39
39
  <link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
40
40
  <link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
41
41
  <link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
@@ -88,7 +88,17 @@ function resolveMonacoAssetsPath() {
88
88
  import { c } from './utils/colors.js';
89
89
  // Server port is logged after binding in startServer() — avoid leaking
90
90
  // env configuration to stdout on every import.
91
- import pty from 'node-pty';
91
+ // node-pty is a native module — use dynamic require so the server doesn't
92
+ // crash on startup if it isn't compiled (allow-scripts blocking, etc.)
93
+ let pty;
94
+ try {
95
+ pty = require('node-pty');
96
+ }
97
+ catch (e) {
98
+ console.warn('[WARN] node-pty native module not available. Terminal/shell features will be disabled.');
99
+ console.warn('[WARN] Run: npm install -g --allow-scripts=better-sqlite3,node-pty @pixelbyte-software/pixcode');
100
+ pty = null;
101
+ }
92
102
  import mime from 'mime-types';
93
103
  import { getProjects, getSessions, renameProject, deleteSession, deleteProject, extractProjectDirectory, clearProjectDirectoryCache, searchConversations } from './projects.js';
94
104
  import { queryClaudeSDK, abortClaudeSDKSession, isClaudeSDKSessionActive, getActiveClaudeSDKSessions, resolveToolApproval, getPendingApprovalsForSession, reconnectSessionWriter } from './claude-sdk.js';
@@ -1563,32 +1573,17 @@ app.use(cors({
1563
1573
  credentials: true,
1564
1574
  exposedHeaders: ['X-Refreshed-Token'],
1565
1575
  }));
1566
- // Security headers middleware (replaces helmet which isn't installed).
1576
+ // Security headers kept lightweight for self-hosted tool compatibility.
1577
+ // CSP removed: it blocked Vite inline modulepreload, Google Fonts, and
1578
+ // IP-based WebSocket access. X-Frame-Options + nosniff are the high-value
1579
+ // headers that don't break anything.
1567
1580
  app.use((req, res, next) => {
1568
1581
  res.setHeader('X-Content-Type-Options', 'nosniff');
1569
1582
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
1570
1583
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
1571
- res.setHeader('X-XSS-Protection', '1; mode=block');
1572
- res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
1573
- // Strict-Transport-Security only makes sense over HTTPS; skip for plain HTTP
1574
- // so local dev doesn't pin an HSTS policy on localhost.
1575
1584
  if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
1576
1585
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
1577
1586
  }
1578
- // CSP for the SPA shell — relaxed for self-hosted tool accessed from
1579
- // various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
1580
- // ws:/wss: in connect-src allows WebSocket from any origin (IP access).
1581
- res.setHeader('Content-Security-Policy', [
1582
- "default-src 'self'",
1583
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1584
- "style-src 'self' 'unsafe-inline'",
1585
- "img-src 'self' data: blob: https:",
1586
- "font-src 'self' data:",
1587
- "connect-src 'self' ws: wss: http: https:",
1588
- "frame-ancestors 'self'",
1589
- "base-uri 'self'",
1590
- "form-action 'self'",
1591
- ].join('; '));
1592
1587
  next();
1593
1588
  });
1594
1589
  app.use(express.json({
@@ -4115,6 +4110,10 @@ function handleShellConnection(ws, request) {
4115
4110
  // already sandboxed, so the flag is safe to use.
4116
4111
  ...(isRunningAsRoot ? { IS_SANDBOX: '1' } : {}),
4117
4112
  };
4113
+ if (!pty) {
4114
+ ws.send(JSON.stringify({ type: 'error', message: 'Terminal not available — node-pty native module is not installed. Run: npm install -g --allow-scripts=better-sqlite3,node-pty @pixelbyte-software/pixcode' }));
4115
+ return;
4116
+ }
4118
4117
  shellProcess = pty.spawn(shell, shellArgs, {
4119
4118
  name: 'xterm-256color',
4120
4119
  cols: termCols,