@seed-ship/mcp-ui-solid 2.2.11 → 2.3.0

@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,cAAc,CAAA;AAErB,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,cAAc,CAAA;AAErB,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA"}
@@ -123,7 +123,57 @@ const DEFAULT_IFRAME_DOMAINS = [
123
123
  "clinicaltrials.gov",
124
124
  "www.clinicaltrials.gov",
125
125
  "linear.app",
126
- "www.linear.app"
126
+ "www.linear.app",
127
+ // Payment platforms (v2.2.12)
128
+ "polar.sh",
129
+ "www.polar.sh",
130
+ "checkout.stripe.com",
131
+ "js.stripe.com",
132
+ "billing.stripe.com",
133
+ "buy.stripe.com",
134
+ "connect.stripe.com",
135
+ "invoice.stripe.com"
136
+ ];
137
+ const TRUSTED_IFRAME_DOMAINS = [
138
+ // Deposium (own domains)
139
+ "deposium.com",
140
+ "deposium.vip",
141
+ "deposium.ai",
142
+ "localhost",
143
+ // Google services (need auth cookies)
144
+ "docs.google.com",
145
+ "drive.google.com",
146
+ "sheets.google.com",
147
+ "slides.google.com",
148
+ "maps.google.com",
149
+ "datastudio.google.com",
150
+ "lookerstudio.google.com",
151
+ // Productivity (need auth)
152
+ "notion.so",
153
+ "www.notion.so",
154
+ "airtable.com",
155
+ "figma.com",
156
+ "www.figma.com",
157
+ "miro.com",
158
+ // Payment (need auth + cookies for checkout)
159
+ "polar.sh",
160
+ "www.polar.sh",
161
+ "checkout.stripe.com",
162
+ "js.stripe.com",
163
+ "billing.stripe.com",
164
+ "buy.stripe.com",
165
+ "connect.stripe.com",
166
+ "invoice.stripe.com",
167
+ // Business tools (need auth)
168
+ "app.hubspot.com",
169
+ "share.hubspot.com",
170
+ "app.powerbi.com",
171
+ "linear.app",
172
+ "www.linear.app",
173
+ "calendly.com",
174
+ "typeform.com",
175
+ "cal.com",
176
+ "canva.com"
127
177
  ];
128
178
  function validateGridPosition(position) {
129
179
  const errors = [];
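Review bot: TRUSTED_IFRAME_DOMAINS puts `localhost` and bare registrable domains (`notion.so`, `airtable.com`, `figma.com`, `miro.com`, `canva.com`, `typeform.com`) in the default trusted set. The getIframeSandbox function added later in this diff also accepts any host ending in `.` plus a listed name, so every subdomain of those entries, and any local service regardless of port, gets the relaxed sandbox. I would list only the exact hosts that need cookies, move `localhost` behind an explicit development option, and add a comment above the array such as `// Membership grants allow-same-origin + allow-forms; add exact hosts only`. The eight payment hosts are also written out twice, once in DEFAULT_IFRAME_DOMAINS (whose opening lines are outside this hunk) and once here. A shared `const PAYMENT_IFRAME_DOMAINS = [...]` spread into both arrays would stop the lists drifting apart.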
@@ -350,6 +400,24 @@ function validateIframeDomain(url, options) {
350
400
  };
351
401
  }
352
402
  }
403
+ function getIframeSandbox(url, options) {
404
+ const baseSandbox = "allow-scripts allow-popups";
405
+ try {
406
+ const domain = new URL(url).hostname;
407
+ let trustedList = TRUSTED_IFRAME_DOMAINS;
408
+ if (options == null ? void 0 : options.customTrustedDomains) {
409
+ trustedList = [...TRUSTED_IFRAME_DOMAINS, ...options.customTrustedDomains];
410
+ }
411
+ const isTrusted = trustedList.some(
412
+ (trusted) => domain === trusted || domain.endsWith(`.${trusted}`)
413
+ );
414
+ if (isTrusted) {
415
+ return `${baseSandbox} allow-same-origin allow-forms`;
416
+ }
417
+ } catch {
418
+ }
419
+ return baseSandbox;
420
+ }
353
421
  function validateComponent(component, options) {
354
422
  const limits = (options == null ? void 0 : options.limits) ?? DEFAULT_RESOURCE_LIMITS;
355
423
  const errors = [];
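Review bot: getIframeSandbox decides trust from `new URL(url).hostname` alone, so a plain `http://` URL on a listed host is still granted `allow-same-origin allow-forms` on top of `allow-scripts`. I would parse once and bail out early with `if (parsed.protocol !== "https:") return baseSandbox;`, adding an explicit development exception if `localhost` has to stay trusted. The trusted list also contains the project's own domains, and if the embedding page is served from one of them, a frame with both `allow-scripts` and `allow-same-origin` can remove its own sandbox attribute. That case should be excluded or at least documented in a docstring on the function. Nothing visible here shows this function calling validateIframeDomain, so the docstring should also state that callers must validate the URL first. The empty `catch {}` correctly falls back to the restrictive value, and a comment like `// unparsable URL: keep the restrictive sandbox` would make that intent clear.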
@@ -654,6 +722,8 @@ function validateFormData(data, fields) {
654
722
  }
655
723
  exports.DEFAULT_IFRAME_DOMAINS = DEFAULT_IFRAME_DOMAINS;
656
724
  exports.DEFAULT_RESOURCE_LIMITS = DEFAULT_RESOURCE_LIMITS;
725
+ exports.TRUSTED_IFRAME_DOMAINS = TRUSTED_IFRAME_DOMAINS;
726
+ exports.getIframeSandbox = getIframeSandbox;
657
727
  exports.sanitizeString = sanitizeString;
658
728
  exports.validateChartComponent = validateChartComponent;
659
729
  exports.validateComponent = validateComponent;
@@ -1 +1 @@
1
- {"version":3,"file":"validation.cjs","sources":["../../src/services/validation.ts"],"sourcesContent":["/**\n * Component Validation Service\n * Phase 0: Resource Limits & Schema Validation\n *\n * Validates LLM-generated components against:\n * - JSON schema\n * - Resource limits (data points, payload size, grid bounds)\n * - Security constraints (domain whitelist, XSS prevention)\n */\n\nimport type {\n UIComponent,\n UILayout,\n ValidationResult,\n ResourceLimits,\n ChartComponentParams,\n TableComponentParams,\n FormFieldParams,\n IframePolicy,\n ValidationOptions,\n ComponentType,\n} from '../types'\n\n/**\n * All known ComponentType values — used to distinguish known-but-unvalidated\n * types (pass through) from truly unknown strings (reject).\n */\nconst KNOWN_COMPONENT_TYPES: Set<string> = new Set<ComponentType>([\n 'chart', 'table', 'metric', 'text', 'grid', 'iframe', 'image', 'link',\n 'action', 'footer', 'carousel', 'artifact', 'form', 'modal',\n 'action-group', 'image-gallery', 'video', 'code', 'map',\n])\n\n/**\n * Default resource limits (configurable via env)\n */\nexport const DEFAULT_RESOURCE_LIMITS: ResourceLimits = {\n maxDataPoints: 1000,\n maxTableRows: 100,\n maxPayloadSize: 50 * 1024, // 50KB\n renderTimeout: 5000, // 5 seconds\n}\n\n/**\n * Default allowed iframe domains (whitelist)\n * Must match CSP frame-src directive\n * Updated Sprint 7: Added code, design, docs, and map providers\n *\n * This list is exported for transparency and can be extended via ValidationOptions\n */\nexport const DEFAULT_IFRAME_DOMAINS = [\n // Charts\n 'quickchart.io',\n 'www.quickchart.io',\n\n // Deposium\n 'deposium.com',\n 'deposium.vip',\n 'deposium.ai',\n\n // Development\n 'localhost',\n\n // Video providers (Sprint 5)\n 'youtube.com',\n 'www.youtube.com',\n 'youtube-nocookie.com',\n 'www.youtube-nocookie.com',\n 'youtu.be',\n 'vimeo.com',\n 'player.vimeo.com',\n\n // Code playgrounds (Sprint 7)\n 'codepen.io',\n 'codesandbox.io',\n 'stackblitz.com',\n 
'jsfiddle.net',\n\n // Design tools (Sprint 7)\n 'figma.com',\n 'www.figma.com',\n 'miro.com',\n\n // Google services (Sprint 7)\n 'docs.google.com',\n 'drive.google.com',\n 'sheets.google.com',\n 'slides.google.com',\n 'maps.google.com',\n 'www.google.com',\n 'datastudio.google.com',\n 'lookerstudio.google.com',\n\n // Productivity (Sprint 7)\n 'airtable.com',\n 'notion.so',\n 'www.notion.so',\n\n // Maps (Sprint 7)\n 'openstreetmap.org',\n 'www.openstreetmap.org',\n\n // Analytics/Dashboards (Sprint 7)\n 'public.tableau.com',\n 'app.powerbi.com',\n 'observablehq.com',\n\n // Diagrams & Whiteboards (v2.0.0)\n 'mermaid.live',\n 'excalidraw.com',\n 'lucidchart.com',\n 'lucid.app',\n\n // Video - Business (v2.0.0)\n 'loom.com',\n 'www.loom.com',\n 'cloudflarestream.com',\n 'streamable.com',\n\n // Code repositories (v2.0.0)\n 'github.com',\n 'gist.github.com',\n 'gitlab.com',\n 'replit.com',\n 'glitch.com',\n\n // Business tools (v2.0.0)\n 'calendly.com',\n 'typeform.com',\n 'cal.com',\n\n // Design (v2.0.0)\n 'canva.com',\n\n // Deploy previews (v2.0.0)\n 'vercel.app',\n 'netlify.app',\n\n // E-commerce (v2.0.0)\n 'amazon.com',\n 'amazon.fr',\n 'amazon.de',\n 'amazon.co.uk',\n 'amazon.es',\n 'amazon.it',\n 'amazon.ca',\n 'amazon.co.jp',\n 'images-amazon.com',\n 'media-amazon.com',\n 'ws-na.amazon-adsystem.com',\n\n // MCP Connectors — embed-capable services (v2.2.7)\n 'gamma.app',\n 'www.gamma.app',\n 'app.hubspot.com',\n 'share.hubspot.com',\n 'www.data.gouv.fr',\n 'data.gouv.fr',\n 'clinicaltrials.gov',\n 'www.clinicaltrials.gov',\n 'linear.app',\n 'www.linear.app',\n]\n\n/**\n * Validate grid position bounds (1-12 columns)\n */\nexport function validateGridPosition(position: UIComponent['position']): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // ✅ PHASE 3 FIX: Defensive check for undefined position\n if (!position) {\n return {\n valid: false,\n errors: [\n {\n path: 'position',\n message: 'Position is required',\n code: 
'MISSING_POSITION',\n },\n ],\n }\n }\n\n if (position.colStart < 1 || position.colStart > 12) {\n errors.push({\n path: 'position.colStart',\n message: 'Column start must be between 1 and 12',\n code: 'INVALID_GRID_COL_START',\n })\n }\n\n if (position.colSpan < 1 || position.colSpan > 12) {\n errors.push({\n path: 'position.colSpan',\n message: 'Column span must be between 1 and 12',\n code: 'INVALID_GRID_COL_SPAN',\n })\n }\n\n if (position.colStart + position.colSpan - 1 > 12) {\n errors.push({\n path: 'position',\n message: 'Column start + span exceeds grid width (12)',\n code: 'GRID_OVERFLOW',\n })\n }\n\n if (position.rowStart !== undefined && position.rowStart < 1) {\n errors.push({\n path: 'position.rowStart',\n message: 'Row start must be >= 1',\n code: 'INVALID_GRID_ROW_START',\n })\n }\n\n if (position.rowSpan !== undefined && position.rowSpan < 1) {\n errors.push({\n path: 'position.rowSpan',\n message: 'Row span must be >= 1',\n code: 'INVALID_GRID_ROW_SPAN',\n })\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate chart component against resource limits\n */\nexport function validateChartComponent(\n params: ChartComponentParams,\n limits: ResourceLimits = DEFAULT_RESOURCE_LIMITS\n): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // Guard: params.data must exist with labels + datasets\n if (!params?.data) {\n return { valid: false, errors: [{ path: 'params.data', message: 'Missing chart data object', code: 'MISSING_DATA' }] }\n }\n if (!Array.isArray(params.data.datasets)) {\n return { valid: false, errors: [{ path: 'params.data.datasets', message: 'Missing or invalid datasets array', code: 'MISSING_DATASETS' }] }\n }\n // Detect point-based charts (scatter/bubble) or object data (time-series line)\n const chartType = params.type || 'bar'\n const firstDataPoint = params.data.datasets[0]?.data?.[0]\n const hasObjectData = typeof firstDataPoint === 'object' && firstDataPoint !== null && 'x' in firstDataPoint\n const isPointChart = chartType === 'scatter' || chartType === 'bubble' || hasObjectData\n\n // Labels required only for categorical charts (not scatter/bubble/time-series)\n if (!isPointChart) {\n if (!Array.isArray(params.data.labels)) {\n return { valid: false, errors: [{ path: 'params.data.labels', message: 'Missing or invalid labels array', code: 'MISSING_LABELS' }] }\n }\n }\n\n // Validate data points count\n const totalDataPoints = params.data.datasets.reduce(\n (sum, dataset) => sum + (Array.isArray(dataset.data) ? 
dataset.data.length : 0),\n 0\n )\n\n if (totalDataPoints > limits.maxDataPoints) {\n errors.push({\n path: 'params.data',\n message: `Chart exceeds max data points: ${totalDataPoints} > ${limits.maxDataPoints}`,\n code: 'RESOURCE_LIMIT_EXCEEDED',\n })\n }\n\n // Length mismatch check — only for categorical charts, skip empty datasets\n if (!isPointChart && Array.isArray(params.data.labels)) {\n const expectedLength = params.data.labels.length\n for (const [index, dataset] of params.data.datasets.entries()) {\n if (Array.isArray(dataset.data) && dataset.data.length > 0 && dataset.data.length !== expectedLength) {\n errors.push({\n path: `params.data.datasets[${index}]`,\n message: `Dataset length mismatch: expected ${expectedLength}, got ${dataset.data.length}`,\n code: 'DATA_LENGTH_MISMATCH',\n })\n }\n }\n }\n\n // Data type validation — numbers for categorical, {x,y} objects for point charts\n for (const [index, dataset] of params.data.datasets.entries()) {\n if (!Array.isArray(dataset.data)) continue\n for (const [dataIndex, value] of dataset.data.entries()) {\n if (isPointChart) {\n const vObj = value as any\n if (typeof value !== 'object' || value === null || vObj.x == null || typeof vObj.y !== 'number') {\n errors.push({\n path: `params.data.datasets[${index}].data[${dataIndex}]`,\n message: `Invalid point data: expected {x, y} object`,\n code: 'INVALID_POINT_DATA',\n })\n }\n } else {\n if (typeof value !== 'number' || !Number.isFinite(value)) {\n errors.push({\n path: `params.data.datasets[${index}].data[${dataIndex}]`,\n message: `Invalid data value: ${value} (must be finite number)`,\n code: 'INVALID_DATA_TYPE',\n })\n }\n }\n }\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate table component against resource limits\n */\nexport function validateTableComponent(\n params: TableComponentParams,\n limits: ResourceLimits = DEFAULT_RESOURCE_LIMITS\n): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // Validate row count\n if (params.rows.length > limits.maxTableRows) {\n errors.push({\n path: 'params.rows',\n message: `Table exceeds max rows: ${params.rows.length} > ${limits.maxTableRows}`,\n code: 'RESOURCE_LIMIT_EXCEEDED',\n })\n }\n\n // Validate columns\n if (params.columns.length === 0) {\n errors.push({\n path: 'params.columns',\n message: 'Table must have at least one column',\n code: 'EMPTY_COLUMNS',\n })\n }\n\n // Validate column keys are unique\n const columnKeys = new Set<string>()\n for (const [index, column] of params.columns.entries()) {\n if (columnKeys.has(column.key)) {\n errors.push({\n path: `params.columns[${index}]`,\n message: `Duplicate column key: ${column.key}`,\n code: 'DUPLICATE_COLUMN_KEY',\n })\n }\n columnKeys.add(column.key)\n }\n\n // Validate rows have valid data for defined columns\n for (const [rowIndex, row] of params.rows.entries()) {\n for (const column of params.columns) {\n if (!(column.key in row)) {\n errors.push({\n path: `params.rows[${rowIndex}]`,\n message: `Missing column key: ${column.key}`,\n code: 'MISSING_COLUMN_DATA',\n })\n }\n }\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate payload size\n */\nexport function validatePayloadSize(\n component: UIComponent,\n limits: ResourceLimits = DEFAULT_RESOURCE_LIMITS\n): ValidationResult {\n const payloadSize = JSON.stringify(component).length\n\n if (payloadSize > limits.maxPayloadSize) {\n return {\n valid: false,\n errors: [\n {\n path: 'component',\n message: `Payload size exceeds limit: ${payloadSize} > ${limits.maxPayloadSize} bytes`,\n code: 'PAYLOAD_TOO_LARGE',\n },\n ],\n }\n }\n\n return { valid: true }\n}\n\n/**\n * Sanitize string to prevent XSS\n * Basic implementation - DOMPurify used at render time\n */\nexport function sanitizeString(input: string): string {\n return input\n .replace(/<script\\b[^<]*(?:(?!<\\/script>)<[^<]*)*<\\/script>/gi, '')\n .replace(/on\\w+=\"[^\"]*\"/gi, '')\n .replace(/javascript:/gi, '')\n}\n\n/**\n * Validate iframe domain against whitelist\n *\n * @param url - The URL to validate\n * @param options - Optional validation options\n * @param options.policy - 'strict' (default), 'extend', or 'allow-all'\n * @param options.customDomains - Additional domains when policy is 'extend'\n */\nexport function validateIframeDomain(\n url: string,\n options?: { policy?: IframePolicy; customDomains?: string[] }\n): ValidationResult {\n // If allow-all, skip validation\n if (options?.policy === 'allow-all') {\n return { valid: true }\n }\n\n try {\n const parsedUrl = new URL(url)\n const domain = parsedUrl.hostname\n\n // Build effective whitelist\n let effectiveWhitelist = DEFAULT_IFRAME_DOMAINS\n if (options?.policy === 'extend' && options.customDomains) {\n effectiveWhitelist = [...DEFAULT_IFRAME_DOMAINS, ...options.customDomains]\n }\n\n const isAllowed = effectiveWhitelist.some(\n (allowed) => domain === allowed || domain.endsWith(`.${allowed}`) || allowed === 'localhost'\n )\n\n if (!isAllowed) {\n return {\n valid: false,\n errors: [\n {\n path: 'url',\n message: `Domain not whitelisted: ${domain}`,\n code: 
'DOMAIN_NOT_WHITELISTED',\n },\n ],\n }\n }\n\n return { valid: true }\n } catch (error) {\n return {\n valid: false,\n errors: [\n {\n path: 'url',\n message: 'Invalid URL format',\n code: 'INVALID_URL',\n },\n ],\n }\n }\n}\n\n/**\n * Validate entire component\n *\n * @param component - The component to validate\n * @param options - Optional validation options (limits, iframePolicy, customIframeDomains)\n */\nexport function validateComponent(\n component: UIComponent,\n options?: ValidationOptions\n): ValidationResult {\n const limits = options?.limits ?? DEFAULT_RESOURCE_LIMITS\n const errors: ValidationResult['errors'] = []\n\n // Guard: params must exist\n if (!component.params) {\n return { valid: false, errors: [{ path: 'params', message: 'Missing component params', code: 'MISSING_PARAMS' }] }\n }\n\n // Validate grid position\n const gridResult = validateGridPosition(component.position)\n if (!gridResult.valid) {\n errors.push(...(gridResult.errors || []))\n }\n\n // Validate payload size\n const sizeResult = validatePayloadSize(component, limits)\n if (!sizeResult.valid) {\n errors.push(...(sizeResult.errors || []))\n }\n\n // Type-specific validation\n switch (component.type) {\n case 'chart': {\n const chartResult = validateChartComponent(component.params as ChartComponentParams, limits)\n if (!chartResult.valid) {\n errors.push(...(chartResult.errors || []))\n }\n break\n }\n\n case 'table': {\n const tableResult = validateTableComponent(component.params as TableComponentParams, limits)\n if (!tableResult.valid) {\n errors.push(...(tableResult.errors || []))\n }\n break\n }\n\n case 'metric': {\n // Basic validation for metrics\n const metricParams = component.params as any\n if (!metricParams.title || !metricParams.value) {\n errors.push({\n path: 'params',\n message: 'Metric must have title and value',\n code: 'INVALID_METRIC',\n })\n }\n break\n }\n\n case 'text': {\n // Basic validation for text\n const textParams = component.params as any\n if 
(!textParams.content) {\n errors.push({\n path: 'params',\n message: 'Text component must have content',\n code: 'INVALID_TEXT',\n })\n }\n break\n }\n\n case 'iframe': {\n // Basic validation for iframe\n const iframeParams = component.params as any\n if (!iframeParams.url) {\n errors.push({\n path: 'params',\n message: 'Iframe component must have url',\n code: 'INVALID_IFRAME',\n })\n } else {\n // Validate iframe domain against whitelist\n const iframeResult = validateIframeDomain(iframeParams.url, {\n policy: options?.iframePolicy,\n customDomains: options?.customIframeDomains,\n })\n if (!iframeResult.valid) {\n errors.push(...(iframeResult.errors || []))\n }\n }\n break\n }\n\n case 'image': {\n // Basic validation for image\n const imageParams = component.params as any\n if (!imageParams.url) {\n errors.push({\n path: 'params',\n message: 'Image component must have url',\n code: 'INVALID_IMAGE',\n })\n }\n break\n }\n\n case 'link': {\n // Basic validation for link\n const linkParams = component.params as any\n if (!linkParams.url) {\n errors.push({\n path: 'params',\n message: 'Link component must have url',\n code: 'INVALID_LINK',\n })\n }\n break\n }\n\n case 'action': {\n // Basic validation for action\n const actionParams = component.params as any\n if (!actionParams.label) {\n errors.push({\n path: 'params',\n message: 'Action component must have label',\n code: 'INVALID_ACTION',\n })\n }\n break\n }\n\n case 'video': {\n const videoParams = component.params as any\n if (!videoParams.url) {\n errors.push({ path: 'params', message: 'Video component must have url', code: 'INVALID_VIDEO' })\n } else {\n // Reuse iframe domain validation for video URLs\n const videoResult = validateIframeDomain(videoParams.url, {\n policy: options?.iframePolicy,\n customDomains: options?.customIframeDomains,\n })\n if (!videoResult.valid) {\n errors.push(...(videoResult.errors || []))\n }\n }\n break\n }\n\n case 'carousel': {\n const carouselParams = component.params as 
any\n if (!Array.isArray(carouselParams.items) || carouselParams.items.length === 0) {\n errors.push({ path: 'params.items', message: 'Carousel must have non-empty items array', code: 'EMPTY_CAROUSEL' })\n }\n break\n }\n\n case 'image-gallery': {\n const galleryParams = component.params as any\n if (!Array.isArray(galleryParams.images) || galleryParams.images.length === 0) {\n errors.push({ path: 'params.images', message: 'Gallery must have non-empty images array', code: 'EMPTY_GALLERY' })\n }\n break\n }\n\n case 'form': {\n const formParams = component.params as any\n if (!Array.isArray(formParams.fields) || formParams.fields.length === 0) {\n errors.push({ path: 'params.fields', message: 'Form must have non-empty fields array', code: 'EMPTY_FORM' })\n }\n break\n }\n\n case 'action-group': {\n const agParams = component.params as any\n if (!Array.isArray(agParams.actions) || agParams.actions.length === 0) {\n errors.push({ path: 'params.actions', message: 'Action group must have non-empty actions array', code: 'EMPTY_ACTION_GROUP' })\n }\n break\n }\n\n case 'code': {\n const codeParams = component.params as any\n if (!codeParams.code) {\n errors.push({ path: 'params.code', message: 'Code component must have code content', code: 'INVALID_CODE' })\n }\n break\n }\n\n case 'map': {\n // Map can auto-detect center from markers, so center is not strictly required\n const mapParams = component.params as any\n if (!mapParams.center && (!Array.isArray(mapParams.markers) || mapParams.markers.length === 0)) {\n errors.push({ path: 'params', message: 'Map must have center or markers', code: 'INVALID_MAP' })\n }\n break\n }\n\n case 'modal': {\n // Modal is valid with minimal params (title optional, content can be children)\n break\n }\n\n case 'artifact': {\n const artifactParams = component.params as any\n if (!artifactParams.content) {\n errors.push({ path: 'params.content', message: 'Artifact must have content', code: 'INVALID_ARTIFACT' })\n }\n break\n }\n\n 
default:\n // Known types without specific validation pass through — renderer handles errors\n // Truly unknown types (e.g. typos in streamed JSON) are rejected\n if (!KNOWN_COMPONENT_TYPES.has(component.type)) {\n errors.push({\n path: 'type',\n message: `Unknown component type: ${component.type}`,\n code: 'UNKNOWN_COMPONENT_TYPE',\n })\n }\n break\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? errors : undefined,\n }\n}\n\n/**\n * Validate entire layout\n *\n * @param layout - The layout to validate\n * @param options - Optional validation options (limits, iframePolicy, customIframeDomains)\n */\nexport function validateLayout(\n layout: UILayout,\n options?: ValidationOptions\n): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // Validate component count\n if (layout.components.length === 0) {\n errors.push({\n path: 'components',\n message: 'Layout must have at least one component',\n code: 'EMPTY_LAYOUT',\n })\n }\n\n if (layout.components.length > 12) {\n errors.push({\n path: 'components',\n message: `Layout exceeds max components: ${layout.components.length} > 12`,\n code: 'TOO_MANY_COMPONENTS',\n })\n }\n\n // Validate each component\n for (const [index, component] of layout.components.entries()) {\n const result = validateComponent(component, options)\n if (!result.valid) {\n errors.push(\n ...(result.errors?.map((error) => ({\n ...error,\n path: `components[${index}].${error.path}`,\n })) || [])\n )\n }\n }\n\n // Validate grid configuration\n if (layout.grid.columns !== 12) {\n errors.push({\n path: 'grid.columns',\n message: 'Grid must have 12 columns (Bootstrap-like)',\n code: 'INVALID_GRID_COLUMNS',\n })\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate a single form field value against field rules\n */\nexport function validateFieldValue(\n value: any,\n field: FormFieldParams\n): { valid: boolean; error?: string } {\n // Required check\n if (field.required) {\n if (value === undefined || value === null || value === '') {\n return { valid: false, error: `${field.label || field.name} is required` }\n }\n if (field.type === 'checkbox' && value !== true) {\n return { valid: false, error: `${field.label || field.name} must be checked` }\n }\n }\n\n // Skip further validation if value is empty and not required\n if (value === undefined || value === null || value === '') {\n return { valid: true }\n }\n\n // Type-specific validation\n switch (field.type) {\n case 'text':\n case 'textarea':\n case 'password':\n if (field.minLength && String(value).length < field.minLength) {\n return { valid: false, error: `Minimum ${field.minLength} characters required` }\n }\n if (field.maxLength && String(value).length > field.maxLength) {\n return { valid: false, error: `Maximum ${field.maxLength} characters allowed` }\n }\n if (field.pattern && !new RegExp(field.pattern).test(String(value))) {\n return { valid: false, error: 'Invalid format' }\n }\n break\n\n case 'email':\n if (!/^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/.test(String(value))) {\n return { valid: false, error: 'Invalid email address' }\n }\n break\n\n case 'number': {\n const numValue = Number(value)\n if (isNaN(numValue)) {\n return { valid: false, error: 'Must be a valid number' }\n }\n if (field.min !== undefined && numValue < field.min) {\n return { valid: false, error: `Minimum value is ${field.min}` }\n }\n if (field.max !== undefined && numValue > field.max) {\n return { valid: false, error: `Maximum value is ${field.max}` }\n }\n break\n }\n\n case 'date':\n if (field.minDate && value < field.minDate) {\n return { valid: false, error: `Date must be after ${field.minDate}` }\n }\n if (field.maxDate && value > 
field.maxDate) {\n return { valid: false, error: `Date must be before ${field.maxDate}` }\n }\n break\n\n case 'select':\n case 'radio':\n // Validate that value is one of the options\n if (field.options && field.options.length > 0) {\n const validValues = field.options.map((opt) => opt.value)\n if (!validValues.includes(String(value))) {\n return { valid: false, error: 'Please select a valid option' }\n }\n }\n break\n }\n\n return { valid: true }\n}\n\n/**\n * Validate entire form data against field definitions\n */\nexport function validateFormData(\n data: Record<string, any>,\n fields: FormFieldParams[]\n): { valid: boolean; errors: Record<string, string> } {\n const errors: Record<string, string> = {}\n\n for (const field of fields) {\n const result = validateFieldValue(data[field.name], field)\n if (!result.valid && result.error) {\n errors[field.name] = result.error\n }\n }\n\n return {\n valid: Object.keys(errors).length === 0,\n errors,\n }\n}\n"],"names":[],"mappings":";;AA2BA,MAAM,4CAAyC,IAAmB;AAAA,EAChE;AAAA,EAAS;AAAA,EAAS;AAAA,EAAU;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAU;AAAA,EAAS;AAAA,EAC/D;AAAA,EAAU;AAAA,EAAU;AAAA,EAAY;AAAA,EAAY;AAAA,EAAQ;AAAA,EACpD;AAAA,EAAgB;AAAA,EAAiB;AAAA,EAAS;AAAA,EAAQ;AACpD,CAAC;AAKM,MAAM,0BAA0C;AAAA,EACrD,eAAe;AAAA,EACf,cAAc;AAAA,EACd,gBAAgB,KAAK;AAAA;AAAA,EACrB,eAAe;AAAA;AACjB;AASO,MAAM,yBAAyB;AAAA;AAAA,EAEpC;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EAC
A;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKO,SAAS,qBAAqB,UAAqD;AACxF,QAAM,SAAqC,CAAA;AAG3C,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ;AAAA,QACN;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA;AAAA,MACR;AAAA,IACF;AAAA,EAEJ;AAEA,MAAI,SAAS,WAAW,KAAK,SAAS,WAAW,IAAI;AACnD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,UAAU,KAAK,SAAS,UAAU,IAAI;AACjD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,WAAW,SAAS,UAAU,IAAI,IAAI;AACjD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,aAAa,UAAa,SAAS,WAAW,GAAG;AAC5D,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,YAAY,UAAa,SAAS,UAAU,GAAG;AAC1D,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,uBACd,QACA,SAAyB,yBACP;;AAClB,QAAM,SAAqC,CAAA;AAG3C,MAAI,EAAC,iCAAQ,OAAM;AACjB,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,eAAe,SAAS,6BAA6B,MAAM,eAAA,CAAgB,EAAA;AAAA,EACrH;AACA,MAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,QAAQ,GAAG;AACxC,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,wBAAwB,SAAS,qCAAqC,MAAM,mBAAA,CAAoB,EAAA;AAAA,EAC1I;AAEA,QAAM,YAAY,OAAO,QAAQ;AACjC,QAAM,kBAAiB,kBAAO,KAAK,SAAS,CAAC,MAAtB,mBAAyB,SAAzB,mBAAgC;AACvD,QAAM,gBAAgB,OAAO,mBAAmB,YAAY,mBAAmB,QAAQ,OAAO;AAC9F,QAAM,eAAe,cAAc,aAAa,cAAc,YAAY;AAG1E,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,MAAM,GAAG;AACtC,aAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,sBAAsB,SAAS,mCAAmC,MAAM,iBAAA,CAAkB,EAAA;AAAA,IACpI;AAAA,EACF;AAGA,QAAM,kBAAkB,OAAO,KAAK,SAAS;AAAA,IAC3C,CAAC,KAAK,YAAY,OAAO,MAAM,QAAQ,QAAQ,IAAI,IAAI,QAAQ,KAAK,SAAS;AAAA,IAC7E;AAAA,EAAA;AAGF,MAAI,kBAAkB,OAAO,eAAe;AAC1C,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,kCAAkC,eA
Ae,MAAM,OAAO,aAAa;AAAA,MACpF,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,MAAI,CAAC,gBAAgB,MAAM,QAAQ,OAAO,KAAK,MAAM,GAAG;AACtD,UAAM,iBAAiB,OAAO,KAAK,OAAO;AAC1C,eAAW,CAAC,OAAO,OAAO,KAAK,OAAO,KAAK,SAAS,WAAW;AAC7D,UAAI,MAAM,QAAQ,QAAQ,IAAI,KAAK,QAAQ,KAAK,SAAS,KAAK,QAAQ,KAAK,WAAW,gBAAgB;AACpG,eAAO,KAAK;AAAA,UACV,MAAM,wBAAwB,KAAK;AAAA,UACnC,SAAS,qCAAqC,cAAc,SAAS,QAAQ,KAAK,MAAM;AAAA,UACxF,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAGA,aAAW,CAAC,OAAO,OAAO,KAAK,OAAO,KAAK,SAAS,WAAW;AAC7D,QAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,EAAG;AAClC,eAAW,CAAC,WAAW,KAAK,KAAK,QAAQ,KAAK,WAAW;AACvD,UAAI,cAAc;AAChB,cAAM,OAAO;AACb,YAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,KAAK,KAAK,QAAQ,OAAO,KAAK,MAAM,UAAU;AAC/F,iBAAO,KAAK;AAAA,YACV,MAAM,wBAAwB,KAAK,UAAU,SAAS;AAAA,YACtD,SAAS;AAAA,YACT,MAAM;AAAA,UAAA,CACP;AAAA,QACH;AAAA,MACF,OAAO;AACL,YAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,KAAK,GAAG;AACxD,iBAAO,KAAK;AAAA,YACV,MAAM,wBAAwB,KAAK,UAAU,SAAS;AAAA,YACtD,SAAS,uBAAuB,KAAK;AAAA,YACrC,MAAM;AAAA,UAAA,CACP;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,uBACd,QACA,SAAyB,yBACP;AAClB,QAAM,SAAqC,CAAA;AAG3C,MAAI,OAAO,KAAK,SAAS,OAAO,cAAc;AAC5C,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,2BAA2B,OAAO,KAAK,MAAM,MAAM,OAAO,YAAY;AAAA,MAC/E,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,MAAI,OAAO,QAAQ,WAAW,GAAG;AAC/B,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,QAAM,iCAAiB,IAAA;AACvB,aAAW,CAAC,OAAO,MAAM,KAAK,OAAO,QAAQ,WAAW;AACtD,QAAI,WAAW,IAAI,OAAO,GAAG,GAAG;AAC9B,aAAO,KAAK;AAAA,QACV,MAAM,kBAAkB,KAAK;AAAA,QAC7B,SAAS,yBAAyB,OAAO,GAAG;AAAA,QAC5C,MAAM;AAAA,MAAA,CACP;AAAA,IACH;AACA,eAAW,IAAI,OAAO,GAAG;AAAA,EAC3B;AAGA,aAAW,CAAC,UAAU,GAAG,KAAK,OAAO,KAAK,WAAW;AACnD,eAAW,UAAU,OAAO,SAAS;AACnC,UAAI,EAAE,OAAO,OAAO,MAAM;AACxB,eAAO,KAAK;AAAA,UACV,MAAM,eAAe,QAAQ;AAAA,UAC7B,SAAS,uBAAuB,OAAO,GAAG;AAAA,UAC1C,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS
,oBACd,WACA,SAAyB,yBACP;AAClB,QAAM,cAAc,KAAK,UAAU,SAAS,EAAE;AAE9C,MAAI,cAAc,OAAO,gBAAgB;AACvC,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ;AAAA,QACN;AAAA,UACE,MAAM;AAAA,UACN,SAAS,+BAA+B,WAAW,MAAM,OAAO,cAAc;AAAA,UAC9E,MAAM;AAAA,QAAA;AAAA,MACR;AAAA,IACF;AAAA,EAEJ;AAEA,SAAO,EAAE,OAAO,KAAA;AAClB;AAMO,SAAS,eAAe,OAAuB;AACpD,SAAO,MACJ,QAAQ,uDAAuD,EAAE,EACjE,QAAQ,mBAAmB,EAAE,EAC7B,QAAQ,iBAAiB,EAAE;AAChC;AAUO,SAAS,qBACd,KACA,SACkB;AAElB,OAAI,mCAAS,YAAW,aAAa;AACnC,WAAO,EAAE,OAAO,KAAA;AAAA,EAClB;AAEA,MAAI;AACF,UAAM,YAAY,IAAI,IAAI,GAAG;AAC7B,UAAM,SAAS,UAAU;AAGzB,QAAI,qBAAqB;AACzB,SAAI,mCAAS,YAAW,YAAY,QAAQ,eAAe;AACzD,2BAAqB,CAAC,GAAG,wBAAwB,GAAG,QAAQ,aAAa;AAAA,IAC3E;AAEA,UAAM,YAAY,mBAAmB;AAAA,MACnC,CAAC,YAAY,WAAW,WAAW,OAAO,SAAS,IAAI,OAAO,EAAE,KAAK,YAAY;AAAA,IAAA;AAGnF,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL,OAAO;AAAA,QACP,QAAQ;AAAA,UACN;AAAA,YACE,MAAM;AAAA,YACN,SAAS,2BAA2B,MAAM;AAAA,YAC1C,MAAM;AAAA,UAAA;AAAA,QACR;AAAA,MACF;AAAA,IAEJ;AAEA,WAAO,EAAE,OAAO,KAAA;AAAA,EAClB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ;AAAA,QACN;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA;AAAA,MACR;AAAA,IACF;AAAA,EAEJ;AACF;AAQO,SAAS,kBACd,WACA,SACkB;AAClB,QAAM,UAAS,mCAAS,WAAU;AAClC,QAAM,SAAqC,CAAA;AAG3C,MAAI,CAAC,UAAU,QAAQ;AACrB,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,UAAU,SAAS,4BAA4B,MAAM,iBAAA,CAAkB,EAAA;AAAA,EACjH;AAGA,QAAM,aAAa,qBAAqB,UAAU,QAAQ;AAC1D,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,KAAK,GAAI,WAAW,UAAU,CAAA,CAAG;AAAA,EAC1C;AAGA,QAAM,aAAa,oBAAoB,WAAW,MAAM;AACxD,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,KAAK,GAAI,WAAW,UAAU,CAAA,CAAG;AAAA,EAC1C;AAGA,UAAQ,UAAU,MAAA;AAAA,IAChB,KAAK,SAAS;AACZ,YAAM,cAAc,uBAAuB,UAAU,QAAgC,MAAM;AAC3F,UAAI,CAAC,YAAY,OAAO;AACtB,eAAO,KAAK,GAAI,YAAY,UAAU,CAAA,CAAG;AAAA,MAC3C;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AACZ,YAAM,cAAc,uBAAuB,UAAU,QAAgC,MAAM;AAC3F,UAAI,CAAC,YAAY,OAAO;AACtB,eAAO,KAAK,GAAI,YAAY,UAAU,CAAA,CAAG;AAAA,MAC3C;AACA;AAAA,IACF;AAAA,IAEA,KAAK,UAAU;AAEb,YAAM,eAAe,UAAU;AAC/B,UAAI,CAAC,aAAa,SAAS,CAAC,aAAa,OAAO;AAC9C,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CA
CP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AAEX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,WAAW,SAAS;AACvB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,UAAU;AAEb,YAAM,eAAe,UAAU;AAC/B,UAAI,CAAC,aAAa,KAAK;AACrB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH,OAAO;AAEL,cAAM,eAAe,qBAAqB,aAAa,KAAK;AAAA,UAC1D,QAAQ,mCAAS;AAAA,UACjB,eAAe,mCAAS;AAAA,QAAA,CACzB;AACD,YAAI,CAAC,aAAa,OAAO;AACvB,iBAAO,KAAK,GAAI,aAAa,UAAU,CAAA,CAAG;AAAA,QAC5C;AAAA,MACF;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AAEZ,YAAM,cAAc,UAAU;AAC9B,UAAI,CAAC,YAAY,KAAK;AACpB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AAEX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,WAAW,KAAK;AACnB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,UAAU;AAEb,YAAM,eAAe,UAAU;AAC/B,UAAI,CAAC,aAAa,OAAO;AACvB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AACZ,YAAM,cAAc,UAAU;AAC9B,UAAI,CAAC,YAAY,KAAK;AACpB,eAAO,KAAK,EAAE,MAAM,UAAU,SAAS,iCAAiC,MAAM,iBAAiB;AAAA,MACjG,OAAO;AAEL,cAAM,cAAc,qBAAqB,YAAY,KAAK;AAAA,UACxD,QAAQ,mCAAS;AAAA,UACjB,eAAe,mCAAS;AAAA,QAAA,CACzB;AACD,YAAI,CAAC,YAAY,OAAO;AACtB,iBAAO,KAAK,GAAI,YAAY,UAAU,CAAA,CAAG;AAAA,QAC3C;AAAA,MACF;AACA;AAAA,IACF;AAAA,IAEA,KAAK,YAAY;AACf,YAAM,iBAAiB,UAAU;AACjC,UAAI,CAAC,MAAM,QAAQ,eAAe,KAAK,KAAK,eAAe,MAAM,WAAW,GAAG;AAC7E,eAAO,KAAK,EAAE,MAAM,gBAAgB,SAAS,4CAA4C,MAAM,kBAAkB;AAAA,MACnH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,iBAAiB;AACpB,YAAM,gBAAgB,UAAU;AAChC,UAAI,CAAC,MAAM,QAAQ,cAAc,MAAM,KAAK,cAAc,OAAO,WAAW,GAAG;AAC7E,eAAO,KAAK,EAAE,MAAM,iBAAiB,SAAS,4CAA4C,MAAM,iBAAiB;AAAA,MACnH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AACX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,MAAM,QAAQ,WAAW,MAAM,KAAK,WAAW,OAAO,WAAW,GAAG;AACvE,eAAO,KAAK,EAAE,MAAM,iBAAiB,SAAS,yCAAyC,MAAM,cAAc;AAAA,MAC7G;AACA;AAAA,IACF;AAAA,IAEA,KAAK,gBAAgB;AACnB,YAAM,WAAW,UAAU;AAC3B,UAAI,CAAC,MAAM
,QAAQ,SAAS,OAAO,KAAK,SAAS,QAAQ,WAAW,GAAG;AACrE,eAAO,KAAK,EAAE,MAAM,kBAAkB,SAAS,kDAAkD,MAAM,sBAAsB;AAAA,MAC/H;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AACX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,WAAW,MAAM;AACpB,eAAO,KAAK,EAAE,MAAM,eAAe,SAAS,yCAAyC,MAAM,gBAAgB;AAAA,MAC7G;AACA;AAAA,IACF;AAAA,IAEA,KAAK,OAAO;AAEV,YAAM,YAAY,UAAU;AAC5B,UAAI,CAAC,UAAU,WAAW,CAAC,MAAM,QAAQ,UAAU,OAAO,KAAK,UAAU,QAAQ,WAAW,IAAI;AAC9F,eAAO,KAAK,EAAE,MAAM,UAAU,SAAS,mCAAmC,MAAM,eAAe;AAAA,MACjG;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AAEZ;AAAA,IACF;AAAA,IAEA,KAAK,YAAY;AACf,YAAM,iBAAiB,UAAU;AACjC,UAAI,CAAC,eAAe,SAAS;AAC3B,eAAO,KAAK,EAAE,MAAM,kBAAkB,SAAS,8BAA8B,MAAM,oBAAoB;AAAA,MACzG;AACA;AAAA,IACF;AAAA,IAEA;AAGE,UAAI,CAAC,sBAAsB,IAAI,UAAU,IAAI,GAAG;AAC9C,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS,2BAA2B,UAAU,IAAI;AAAA,UAClD,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,EAAA;AAGJ,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAQO,SAAS,eACd,QACA,SACkB;;AAClB,QAAM,SAAqC,CAAA;AAG3C,MAAI,OAAO,WAAW,WAAW,GAAG;AAClC,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,OAAO,WAAW,SAAS,IAAI;AACjC,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,kCAAkC,OAAO,WAAW,MAAM;AAAA,MACnE,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,aAAW,CAAC,OAAO,SAAS,KAAK,OAAO,WAAW,WAAW;AAC5D,UAAM,SAAS,kBAAkB,WAAW,OAAO;AACnD,QAAI,CAAC,OAAO,OAAO;AACjB,aAAO;AAAA,QACL,KAAI,YAAO,WAAP,mBAAe,IAAI,CAAC,WAAW;AAAA,UACjC,GAAG;AAAA,UACH,MAAM,cAAc,KAAK,KAAK,MAAM,IAAI;AAAA,QAAA,QACnC,CAAA;AAAA,MAAC;AAAA,IAEZ;AAAA,EACF;AAGA,MAAI,OAAO,KAAK,YAAY,IAAI;AAC9B,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,mBACd,OACA,OACoC;AAEpC,MAAI,MAAM,UAAU;AAClB,QAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,IAAI;AACzD,aAAO,EAAE,OAAO,OAAO,OAAO,GAAG,MAAM,SAAS,MAAM,IAAI,eAAA;AAAA,IAC5D;AACA,QAAI,MAAM,SAAS,cAAc,UAAU,MAAM;AAC/C,aAAO,EAAE,OAAO,OAAO,OAAO,GAAG,MAAM,SAAS,MAAM,IAAI,mBAAA;AAAA,IAC5D;AAAA,EACF;AAGA,MAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,
IAAI;AACzD,WAAO,EAAE,OAAO,KAAA;AAAA,EAClB;AAGA,UAAQ,MAAM,MAAA;AAAA,IACZ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACH,UAAI,MAAM,aAAa,OAAO,KAAK,EAAE,SAAS,MAAM,WAAW;AAC7D,eAAO,EAAE,OAAO,OAAO,OAAO,WAAW,MAAM,SAAS,uBAAA;AAAA,MAC1D;AACA,UAAI,MAAM,aAAa,OAAO,KAAK,EAAE,SAAS,MAAM,WAAW;AAC7D,eAAO,EAAE,OAAO,OAAO,OAAO,WAAW,MAAM,SAAS,sBAAA;AAAA,MAC1D;AACA,UAAI,MAAM,WAAW,CAAC,IAAI,OAAO,MAAM,OAAO,EAAE,KAAK,OAAO,KAAK,CAAC,GAAG;AACnE,eAAO,EAAE,OAAO,OAAO,OAAO,iBAAA;AAAA,MAChC;AACA;AAAA,IAEF,KAAK;AACH,UAAI,CAAC,6BAA6B,KAAK,OAAO,KAAK,CAAC,GAAG;AACrD,eAAO,EAAE,OAAO,OAAO,OAAO,wBAAA;AAAA,MAChC;AACA;AAAA,IAEF,KAAK,UAAU;AACb,YAAM,WAAW,OAAO,KAAK;AAC7B,UAAI,MAAM,QAAQ,GAAG;AACnB,eAAO,EAAE,OAAO,OAAO,OAAO,yBAAA;AAAA,MAChC;AACA,UAAI,MAAM,QAAQ,UAAa,WAAW,MAAM,KAAK;AACnD,eAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,MAAM,GAAG,GAAA;AAAA,MAC7D;AACA,UAAI,MAAM,QAAQ,UAAa,WAAW,MAAM,KAAK;AACnD,eAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,MAAM,GAAG,GAAA;AAAA,MAC7D;AACA;AAAA,IACF;AAAA,IAEA,KAAK;AACH,UAAI,MAAM,WAAW,QAAQ,MAAM,SAAS;AAC1C,eAAO,EAAE,OAAO,OAAO,OAAO,sBAAsB,MAAM,OAAO,GAAA;AAAA,MACnE;AACA,UAAI,MAAM,WAAW,QAAQ,MAAM,SAAS;AAC1C,eAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,MAAM,OAAO,GAAA;AAAA,MACpE;AACA;AAAA,IAEF,KAAK;AAAA,IACL,KAAK;AAEH,UAAI,MAAM,WAAW,MAAM,QAAQ,SAAS,GAAG;AAC7C,cAAM,cAAc,MAAM,QAAQ,IAAI,CAAC,QAAQ,IAAI,KAAK;AACxD,YAAI,CAAC,YAAY,SAAS,OAAO,KAAK,CAAC,GAAG;AACxC,iBAAO,EAAE,OAAO,OAAO,OAAO,+BAAA;AAAA,QAChC;AAAA,MACF;AACA;AAAA,EAAA;AAGJ,SAAO,EAAE,OAAO,KAAA;AAClB;AAKO,SAAS,iBACd,MACA,QACoD;AACpD,QAAM,SAAiC,CAAA;AAEvC,aAAW,SAAS,QAAQ;AAC1B,UAAM,SAAS,mBAAmB,KAAK,MAAM,IAAI,GAAG,KAAK;AACzD,QAAI,CAAC,OAAO,SAAS,OAAO,OAAO;AACjC,aAAO,MAAM,IAAI,IAAI,OAAO;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,KAAK,MAAM,EAAE,WAAW;AAAA,IACtC;AAAA,EAAA;AAEJ;;;;;;;;;;;;;"}
1
+ {"version":3,"file":"validation.cjs","sources":["../../src/services/validation.ts"],"sourcesContent":["/**\n * Component Validation Service\n * Phase 0: Resource Limits & Schema Validation\n *\n * Validates LLM-generated components against:\n * - JSON schema\n * - Resource limits (data points, payload size, grid bounds)\n * - Security constraints (domain whitelist, XSS prevention)\n */\n\nimport type {\n UIComponent,\n UILayout,\n ValidationResult,\n ResourceLimits,\n ChartComponentParams,\n TableComponentParams,\n FormFieldParams,\n IframePolicy,\n ValidationOptions,\n ComponentType,\n} from '../types'\n\n/**\n * All known ComponentType values — used to distinguish known-but-unvalidated\n * types (pass through) from truly unknown strings (reject).\n */\nconst KNOWN_COMPONENT_TYPES: Set<string> = new Set<ComponentType>([\n 'chart', 'table', 'metric', 'text', 'grid', 'iframe', 'image', 'link',\n 'action', 'footer', 'carousel', 'artifact', 'form', 'modal',\n 'action-group', 'image-gallery', 'video', 'code', 'map',\n])\n\n/**\n * Default resource limits (configurable via env)\n */\nexport const DEFAULT_RESOURCE_LIMITS: ResourceLimits = {\n maxDataPoints: 1000,\n maxTableRows: 100,\n maxPayloadSize: 50 * 1024, // 50KB\n renderTimeout: 5000, // 5 seconds\n}\n\n/**\n * Default allowed iframe domains (whitelist)\n * Must match CSP frame-src directive\n * Updated Sprint 7: Added code, design, docs, and map providers\n *\n * This list is exported for transparency and can be extended via ValidationOptions\n */\nexport const DEFAULT_IFRAME_DOMAINS = [\n // Charts\n 'quickchart.io',\n 'www.quickchart.io',\n\n // Deposium\n 'deposium.com',\n 'deposium.vip',\n 'deposium.ai',\n\n // Development\n 'localhost',\n\n // Video providers (Sprint 5)\n 'youtube.com',\n 'www.youtube.com',\n 'youtube-nocookie.com',\n 'www.youtube-nocookie.com',\n 'youtu.be',\n 'vimeo.com',\n 'player.vimeo.com',\n\n // Code playgrounds (Sprint 7)\n 'codepen.io',\n 'codesandbox.io',\n 'stackblitz.com',\n 
'jsfiddle.net',\n\n // Design tools (Sprint 7)\n 'figma.com',\n 'www.figma.com',\n 'miro.com',\n\n // Google services (Sprint 7)\n 'docs.google.com',\n 'drive.google.com',\n 'sheets.google.com',\n 'slides.google.com',\n 'maps.google.com',\n 'www.google.com',\n 'datastudio.google.com',\n 'lookerstudio.google.com',\n\n // Productivity (Sprint 7)\n 'airtable.com',\n 'notion.so',\n 'www.notion.so',\n\n // Maps (Sprint 7)\n 'openstreetmap.org',\n 'www.openstreetmap.org',\n\n // Analytics/Dashboards (Sprint 7)\n 'public.tableau.com',\n 'app.powerbi.com',\n 'observablehq.com',\n\n // Diagrams & Whiteboards (v2.0.0)\n 'mermaid.live',\n 'excalidraw.com',\n 'lucidchart.com',\n 'lucid.app',\n\n // Video - Business (v2.0.0)\n 'loom.com',\n 'www.loom.com',\n 'cloudflarestream.com',\n 'streamable.com',\n\n // Code repositories (v2.0.0)\n 'github.com',\n 'gist.github.com',\n 'gitlab.com',\n 'replit.com',\n 'glitch.com',\n\n // Business tools (v2.0.0)\n 'calendly.com',\n 'typeform.com',\n 'cal.com',\n\n // Design (v2.0.0)\n 'canva.com',\n\n // Deploy previews (v2.0.0)\n 'vercel.app',\n 'netlify.app',\n\n // E-commerce (v2.0.0)\n 'amazon.com',\n 'amazon.fr',\n 'amazon.de',\n 'amazon.co.uk',\n 'amazon.es',\n 'amazon.it',\n 'amazon.ca',\n 'amazon.co.jp',\n 'images-amazon.com',\n 'media-amazon.com',\n 'ws-na.amazon-adsystem.com',\n\n // MCP Connectors — embed-capable services (v2.2.7)\n 'gamma.app',\n 'www.gamma.app',\n 'app.hubspot.com',\n 'share.hubspot.com',\n 'www.data.gouv.fr',\n 'data.gouv.fr',\n 'clinicaltrials.gov',\n 'www.clinicaltrials.gov',\n 'linear.app',\n 'www.linear.app',\n\n // Payment platforms (v2.2.12)\n 'polar.sh',\n 'www.polar.sh',\n 'checkout.stripe.com',\n 'js.stripe.com',\n 'billing.stripe.com',\n 'buy.stripe.com',\n 'connect.stripe.com',\n 'invoice.stripe.com',\n]\n\n/**\n * Trusted iframe domains that require allow-same-origin to function.\n * These domains need access to their own cookies/storage for auth.\n * All other whitelisted domains get a restrictive 
sandbox without allow-same-origin.\n */\nexport const TRUSTED_IFRAME_DOMAINS = [\n // Deposium (own domains)\n 'deposium.com',\n 'deposium.vip',\n 'deposium.ai',\n 'localhost',\n\n // Google services (need auth cookies)\n 'docs.google.com',\n 'drive.google.com',\n 'sheets.google.com',\n 'slides.google.com',\n 'maps.google.com',\n 'datastudio.google.com',\n 'lookerstudio.google.com',\n\n // Productivity (need auth)\n 'notion.so',\n 'www.notion.so',\n 'airtable.com',\n 'figma.com',\n 'www.figma.com',\n 'miro.com',\n\n // Payment (need auth + cookies for checkout)\n 'polar.sh',\n 'www.polar.sh',\n 'checkout.stripe.com',\n 'js.stripe.com',\n 'billing.stripe.com',\n 'buy.stripe.com',\n 'connect.stripe.com',\n 'invoice.stripe.com',\n\n // Business tools (need auth)\n 'app.hubspot.com',\n 'share.hubspot.com',\n 'app.powerbi.com',\n 'linear.app',\n 'www.linear.app',\n 'calendly.com',\n 'typeform.com',\n 'cal.com',\n 'canva.com',\n]\n\n/**\n * Validate grid position bounds (1-12 columns)\n */\nexport function validateGridPosition(position: UIComponent['position']): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // ✅ PHASE 3 FIX: Defensive check for undefined position\n if (!position) {\n return {\n valid: false,\n errors: [\n {\n path: 'position',\n message: 'Position is required',\n code: 'MISSING_POSITION',\n },\n ],\n }\n }\n\n if (position.colStart < 1 || position.colStart > 12) {\n errors.push({\n path: 'position.colStart',\n message: 'Column start must be between 1 and 12',\n code: 'INVALID_GRID_COL_START',\n })\n }\n\n if (position.colSpan < 1 || position.colSpan > 12) {\n errors.push({\n path: 'position.colSpan',\n message: 'Column span must be between 1 and 12',\n code: 'INVALID_GRID_COL_SPAN',\n })\n }\n\n if (position.colStart + position.colSpan - 1 > 12) {\n errors.push({\n path: 'position',\n message: 'Column start + span exceeds grid width (12)',\n code: 'GRID_OVERFLOW',\n })\n }\n\n if (position.rowStart !== undefined && 
position.rowStart < 1) {\n errors.push({\n path: 'position.rowStart',\n message: 'Row start must be >= 1',\n code: 'INVALID_GRID_ROW_START',\n })\n }\n\n if (position.rowSpan !== undefined && position.rowSpan < 1) {\n errors.push({\n path: 'position.rowSpan',\n message: 'Row span must be >= 1',\n code: 'INVALID_GRID_ROW_SPAN',\n })\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? errors : undefined,\n }\n}\n\n/**\n * Validate chart component against resource limits\n */\nexport function validateChartComponent(\n params: ChartComponentParams,\n limits: ResourceLimits = DEFAULT_RESOURCE_LIMITS\n): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // Guard: params.data must exist with labels + datasets\n if (!params?.data) {\n return { valid: false, errors: [{ path: 'params.data', message: 'Missing chart data object', code: 'MISSING_DATA' }] }\n }\n if (!Array.isArray(params.data.datasets)) {\n return { valid: false, errors: [{ path: 'params.data.datasets', message: 'Missing or invalid datasets array', code: 'MISSING_DATASETS' }] }\n }\n // Detect point-based charts (scatter/bubble) or object data (time-series line)\n const chartType = params.type || 'bar'\n const firstDataPoint = params.data.datasets[0]?.data?.[0]\n const hasObjectData = typeof firstDataPoint === 'object' && firstDataPoint !== null && 'x' in firstDataPoint\n const isPointChart = chartType === 'scatter' || chartType === 'bubble' || hasObjectData\n\n // Labels required only for categorical charts (not scatter/bubble/time-series)\n if (!isPointChart) {\n if (!Array.isArray(params.data.labels)) {\n return { valid: false, errors: [{ path: 'params.data.labels', message: 'Missing or invalid labels array', code: 'MISSING_LABELS' }] }\n }\n }\n\n // Validate data points count\n const totalDataPoints = params.data.datasets.reduce(\n (sum, dataset) => sum + (Array.isArray(dataset.data) ? 
dataset.data.length : 0),\n 0\n )\n\n if (totalDataPoints > limits.maxDataPoints) {\n errors.push({\n path: 'params.data',\n message: `Chart exceeds max data points: ${totalDataPoints} > ${limits.maxDataPoints}`,\n code: 'RESOURCE_LIMIT_EXCEEDED',\n })\n }\n\n // Length mismatch check — only for categorical charts, skip empty datasets\n if (!isPointChart && Array.isArray(params.data.labels)) {\n const expectedLength = params.data.labels.length\n for (const [index, dataset] of params.data.datasets.entries()) {\n if (Array.isArray(dataset.data) && dataset.data.length > 0 && dataset.data.length !== expectedLength) {\n errors.push({\n path: `params.data.datasets[${index}]`,\n message: `Dataset length mismatch: expected ${expectedLength}, got ${dataset.data.length}`,\n code: 'DATA_LENGTH_MISMATCH',\n })\n }\n }\n }\n\n // Data type validation — numbers for categorical, {x,y} objects for point charts\n for (const [index, dataset] of params.data.datasets.entries()) {\n if (!Array.isArray(dataset.data)) continue\n for (const [dataIndex, value] of dataset.data.entries()) {\n if (isPointChart) {\n const vObj = value as any\n if (typeof value !== 'object' || value === null || vObj.x == null || typeof vObj.y !== 'number') {\n errors.push({\n path: `params.data.datasets[${index}].data[${dataIndex}]`,\n message: `Invalid point data: expected {x, y} object`,\n code: 'INVALID_POINT_DATA',\n })\n }\n } else {\n if (typeof value !== 'number' || !Number.isFinite(value)) {\n errors.push({\n path: `params.data.datasets[${index}].data[${dataIndex}]`,\n message: `Invalid data value: ${value} (must be finite number)`,\n code: 'INVALID_DATA_TYPE',\n })\n }\n }\n }\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate table component against resource limits\n */\nexport function validateTableComponent(\n params: TableComponentParams,\n limits: ResourceLimits = DEFAULT_RESOURCE_LIMITS\n): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // Validate row count\n if (params.rows.length > limits.maxTableRows) {\n errors.push({\n path: 'params.rows',\n message: `Table exceeds max rows: ${params.rows.length} > ${limits.maxTableRows}`,\n code: 'RESOURCE_LIMIT_EXCEEDED',\n })\n }\n\n // Validate columns\n if (params.columns.length === 0) {\n errors.push({\n path: 'params.columns',\n message: 'Table must have at least one column',\n code: 'EMPTY_COLUMNS',\n })\n }\n\n // Validate column keys are unique\n const columnKeys = new Set<string>()\n for (const [index, column] of params.columns.entries()) {\n if (columnKeys.has(column.key)) {\n errors.push({\n path: `params.columns[${index}]`,\n message: `Duplicate column key: ${column.key}`,\n code: 'DUPLICATE_COLUMN_KEY',\n })\n }\n columnKeys.add(column.key)\n }\n\n // Validate rows have valid data for defined columns\n for (const [rowIndex, row] of params.rows.entries()) {\n for (const column of params.columns) {\n if (!(column.key in row)) {\n errors.push({\n path: `params.rows[${rowIndex}]`,\n message: `Missing column key: ${column.key}`,\n code: 'MISSING_COLUMN_DATA',\n })\n }\n }\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate payload size\n */\nexport function validatePayloadSize(\n component: UIComponent,\n limits: ResourceLimits = DEFAULT_RESOURCE_LIMITS\n): ValidationResult {\n const payloadSize = JSON.stringify(component).length\n\n if (payloadSize > limits.maxPayloadSize) {\n return {\n valid: false,\n errors: [\n {\n path: 'component',\n message: `Payload size exceeds limit: ${payloadSize} > ${limits.maxPayloadSize} bytes`,\n code: 'PAYLOAD_TOO_LARGE',\n },\n ],\n }\n }\n\n return { valid: true }\n}\n\n/**\n * Sanitize string to prevent XSS\n * Basic implementation - DOMPurify used at render time\n */\nexport function sanitizeString(input: string): string {\n return input\n .replace(/<script\\b[^<]*(?:(?!<\\/script>)<[^<]*)*<\\/script>/gi, '')\n .replace(/on\\w+=\"[^\"]*\"/gi, '')\n .replace(/javascript:/gi, '')\n}\n\n/**\n * Validate iframe domain against whitelist\n *\n * @param url - The URL to validate\n * @param options - Optional validation options\n * @param options.policy - 'strict' (default), 'extend', or 'allow-all'\n * @param options.customDomains - Additional domains when policy is 'extend'\n */\nexport function validateIframeDomain(\n url: string,\n options?: { policy?: IframePolicy; customDomains?: string[] }\n): ValidationResult {\n // If allow-all, skip validation\n if (options?.policy === 'allow-all') {\n return { valid: true }\n }\n\n try {\n const parsedUrl = new URL(url)\n const domain = parsedUrl.hostname\n\n // Build effective whitelist\n let effectiveWhitelist = DEFAULT_IFRAME_DOMAINS\n if (options?.policy === 'extend' && options.customDomains) {\n effectiveWhitelist = [...DEFAULT_IFRAME_DOMAINS, ...options.customDomains]\n }\n\n const isAllowed = effectiveWhitelist.some(\n (allowed) => domain === allowed || domain.endsWith(`.${allowed}`) || allowed === 'localhost'\n )\n\n if (!isAllowed) {\n return {\n valid: false,\n errors: [\n {\n path: 'url',\n message: `Domain not whitelisted: ${domain}`,\n code: 
'DOMAIN_NOT_WHITELISTED',\n },\n ],\n }\n }\n\n return { valid: true }\n } catch (error) {\n return {\n valid: false,\n errors: [\n {\n path: 'url',\n message: 'Invalid URL format',\n code: 'INVALID_URL',\n },\n ],\n }\n }\n}\n\n/**\n * Get the appropriate sandbox attribute for an iframe URL.\n *\n * Trusted domains (Google, Deposium, payment, auth-requiring services) get\n * `allow-same-origin` so they can access their own cookies/storage.\n * All other whitelisted domains get a restrictive sandbox without it,\n * preventing access to the parent page's localStorage/cookies.\n *\n * @param url - The iframe URL\n * @param options - Optional custom trusted domains\n * @returns sandbox attribute string\n */\nexport function getIframeSandbox(\n url: string,\n options?: { customTrustedDomains?: string[] }\n): string {\n const baseSandbox = 'allow-scripts allow-popups'\n\n try {\n const domain = new URL(url).hostname\n let trustedList = TRUSTED_IFRAME_DOMAINS\n if (options?.customTrustedDomains) {\n trustedList = [...TRUSTED_IFRAME_DOMAINS, ...options.customTrustedDomains]\n }\n\n const isTrusted = trustedList.some(\n (trusted) => domain === trusted || domain.endsWith(`.${trusted}`)\n )\n\n if (isTrusted) {\n return `${baseSandbox} allow-same-origin allow-forms`\n }\n } catch {\n // Invalid URL — use restrictive sandbox\n }\n\n return baseSandbox\n}\n\n/**\n * Validate entire component\n *\n * @param component - The component to validate\n * @param options - Optional validation options (limits, iframePolicy, customIframeDomains)\n */\nexport function validateComponent(\n component: UIComponent,\n options?: ValidationOptions\n): ValidationResult {\n const limits = options?.limits ?? 
DEFAULT_RESOURCE_LIMITS\n const errors: ValidationResult['errors'] = []\n\n // Guard: params must exist\n if (!component.params) {\n return { valid: false, errors: [{ path: 'params', message: 'Missing component params', code: 'MISSING_PARAMS' }] }\n }\n\n // Validate grid position\n const gridResult = validateGridPosition(component.position)\n if (!gridResult.valid) {\n errors.push(...(gridResult.errors || []))\n }\n\n // Validate payload size\n const sizeResult = validatePayloadSize(component, limits)\n if (!sizeResult.valid) {\n errors.push(...(sizeResult.errors || []))\n }\n\n // Type-specific validation\n switch (component.type) {\n case 'chart': {\n const chartResult = validateChartComponent(component.params as ChartComponentParams, limits)\n if (!chartResult.valid) {\n errors.push(...(chartResult.errors || []))\n }\n break\n }\n\n case 'table': {\n const tableResult = validateTableComponent(component.params as TableComponentParams, limits)\n if (!tableResult.valid) {\n errors.push(...(tableResult.errors || []))\n }\n break\n }\n\n case 'metric': {\n // Basic validation for metrics\n const metricParams = component.params as any\n if (!metricParams.title || !metricParams.value) {\n errors.push({\n path: 'params',\n message: 'Metric must have title and value',\n code: 'INVALID_METRIC',\n })\n }\n break\n }\n\n case 'text': {\n // Basic validation for text\n const textParams = component.params as any\n if (!textParams.content) {\n errors.push({\n path: 'params',\n message: 'Text component must have content',\n code: 'INVALID_TEXT',\n })\n }\n break\n }\n\n case 'iframe': {\n // Basic validation for iframe\n const iframeParams = component.params as any\n if (!iframeParams.url) {\n errors.push({\n path: 'params',\n message: 'Iframe component must have url',\n code: 'INVALID_IFRAME',\n })\n } else {\n // Validate iframe domain against whitelist\n const iframeResult = validateIframeDomain(iframeParams.url, {\n policy: options?.iframePolicy,\n customDomains: 
options?.customIframeDomains,\n })\n if (!iframeResult.valid) {\n errors.push(...(iframeResult.errors || []))\n }\n }\n break\n }\n\n case 'image': {\n // Basic validation for image\n const imageParams = component.params as any\n if (!imageParams.url) {\n errors.push({\n path: 'params',\n message: 'Image component must have url',\n code: 'INVALID_IMAGE',\n })\n }\n break\n }\n\n case 'link': {\n // Basic validation for link\n const linkParams = component.params as any\n if (!linkParams.url) {\n errors.push({\n path: 'params',\n message: 'Link component must have url',\n code: 'INVALID_LINK',\n })\n }\n break\n }\n\n case 'action': {\n // Basic validation for action\n const actionParams = component.params as any\n if (!actionParams.label) {\n errors.push({\n path: 'params',\n message: 'Action component must have label',\n code: 'INVALID_ACTION',\n })\n }\n break\n }\n\n case 'video': {\n const videoParams = component.params as any\n if (!videoParams.url) {\n errors.push({ path: 'params', message: 'Video component must have url', code: 'INVALID_VIDEO' })\n } else {\n // Reuse iframe domain validation for video URLs\n const videoResult = validateIframeDomain(videoParams.url, {\n policy: options?.iframePolicy,\n customDomains: options?.customIframeDomains,\n })\n if (!videoResult.valid) {\n errors.push(...(videoResult.errors || []))\n }\n }\n break\n }\n\n case 'carousel': {\n const carouselParams = component.params as any\n if (!Array.isArray(carouselParams.items) || carouselParams.items.length === 0) {\n errors.push({ path: 'params.items', message: 'Carousel must have non-empty items array', code: 'EMPTY_CAROUSEL' })\n }\n break\n }\n\n case 'image-gallery': {\n const galleryParams = component.params as any\n if (!Array.isArray(galleryParams.images) || galleryParams.images.length === 0) {\n errors.push({ path: 'params.images', message: 'Gallery must have non-empty images array', code: 'EMPTY_GALLERY' })\n }\n break\n }\n\n case 'form': {\n const formParams = 
component.params as any\n if (!Array.isArray(formParams.fields) || formParams.fields.length === 0) {\n errors.push({ path: 'params.fields', message: 'Form must have non-empty fields array', code: 'EMPTY_FORM' })\n }\n break\n }\n\n case 'action-group': {\n const agParams = component.params as any\n if (!Array.isArray(agParams.actions) || agParams.actions.length === 0) {\n errors.push({ path: 'params.actions', message: 'Action group must have non-empty actions array', code: 'EMPTY_ACTION_GROUP' })\n }\n break\n }\n\n case 'code': {\n const codeParams = component.params as any\n if (!codeParams.code) {\n errors.push({ path: 'params.code', message: 'Code component must have code content', code: 'INVALID_CODE' })\n }\n break\n }\n\n case 'map': {\n // Map can auto-detect center from markers, so center is not strictly required\n const mapParams = component.params as any\n if (!mapParams.center && (!Array.isArray(mapParams.markers) || mapParams.markers.length === 0)) {\n errors.push({ path: 'params', message: 'Map must have center or markers', code: 'INVALID_MAP' })\n }\n break\n }\n\n case 'modal': {\n // Modal is valid with minimal params (title optional, content can be children)\n break\n }\n\n case 'artifact': {\n const artifactParams = component.params as any\n if (!artifactParams.content) {\n errors.push({ path: 'params.content', message: 'Artifact must have content', code: 'INVALID_ARTIFACT' })\n }\n break\n }\n\n default:\n // Known types without specific validation pass through — renderer handles errors\n // Truly unknown types (e.g. typos in streamed JSON) are rejected\n if (!KNOWN_COMPONENT_TYPES.has(component.type)) {\n errors.push({\n path: 'type',\n message: `Unknown component type: ${component.type}`,\n code: 'UNKNOWN_COMPONENT_TYPE',\n })\n }\n break\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate entire layout\n *\n * @param layout - The layout to validate\n * @param options - Optional validation options (limits, iframePolicy, customIframeDomains)\n */\nexport function validateLayout(\n layout: UILayout,\n options?: ValidationOptions\n): ValidationResult {\n const errors: ValidationResult['errors'] = []\n\n // Validate component count\n if (layout.components.length === 0) {\n errors.push({\n path: 'components',\n message: 'Layout must have at least one component',\n code: 'EMPTY_LAYOUT',\n })\n }\n\n if (layout.components.length > 12) {\n errors.push({\n path: 'components',\n message: `Layout exceeds max components: ${layout.components.length} > 12`,\n code: 'TOO_MANY_COMPONENTS',\n })\n }\n\n // Validate each component\n for (const [index, component] of layout.components.entries()) {\n const result = validateComponent(component, options)\n if (!result.valid) {\n errors.push(\n ...(result.errors?.map((error) => ({\n ...error,\n path: `components[${index}].${error.path}`,\n })) || [])\n )\n }\n }\n\n // Validate grid configuration\n if (layout.grid.columns !== 12) {\n errors.push({\n path: 'grid.columns',\n message: 'Grid must have 12 columns (Bootstrap-like)',\n code: 'INVALID_GRID_COLUMNS',\n })\n }\n\n return {\n valid: errors.length === 0,\n errors: errors.length > 0 ? 
errors : undefined,\n }\n}\n\n/**\n * Validate a single form field value against field rules\n */\nexport function validateFieldValue(\n value: any,\n field: FormFieldParams\n): { valid: boolean; error?: string } {\n // Required check\n if (field.required) {\n if (value === undefined || value === null || value === '') {\n return { valid: false, error: `${field.label || field.name} is required` }\n }\n if (field.type === 'checkbox' && value !== true) {\n return { valid: false, error: `${field.label || field.name} must be checked` }\n }\n }\n\n // Skip further validation if value is empty and not required\n if (value === undefined || value === null || value === '') {\n return { valid: true }\n }\n\n // Type-specific validation\n switch (field.type) {\n case 'text':\n case 'textarea':\n case 'password':\n if (field.minLength && String(value).length < field.minLength) {\n return { valid: false, error: `Minimum ${field.minLength} characters required` }\n }\n if (field.maxLength && String(value).length > field.maxLength) {\n return { valid: false, error: `Maximum ${field.maxLength} characters allowed` }\n }\n if (field.pattern && !new RegExp(field.pattern).test(String(value))) {\n return { valid: false, error: 'Invalid format' }\n }\n break\n\n case 'email':\n if (!/^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/.test(String(value))) {\n return { valid: false, error: 'Invalid email address' }\n }\n break\n\n case 'number': {\n const numValue = Number(value)\n if (isNaN(numValue)) {\n return { valid: false, error: 'Must be a valid number' }\n }\n if (field.min !== undefined && numValue < field.min) {\n return { valid: false, error: `Minimum value is ${field.min}` }\n }\n if (field.max !== undefined && numValue > field.max) {\n return { valid: false, error: `Maximum value is ${field.max}` }\n }\n break\n }\n\n case 'date':\n if (field.minDate && value < field.minDate) {\n return { valid: false, error: `Date must be after ${field.minDate}` }\n }\n if (field.maxDate && value > 
field.maxDate) {\n return { valid: false, error: `Date must be before ${field.maxDate}` }\n }\n break\n\n case 'select':\n case 'radio':\n // Validate that value is one of the options\n if (field.options && field.options.length > 0) {\n const validValues = field.options.map((opt) => opt.value)\n if (!validValues.includes(String(value))) {\n return { valid: false, error: 'Please select a valid option' }\n }\n }\n break\n }\n\n return { valid: true }\n}\n\n/**\n * Validate entire form data against field definitions\n */\nexport function validateFormData(\n data: Record<string, any>,\n fields: FormFieldParams[]\n): { valid: boolean; errors: Record<string, string> } {\n const errors: Record<string, string> = {}\n\n for (const field of fields) {\n const result = validateFieldValue(data[field.name], field)\n if (!result.valid && result.error) {\n errors[field.name] = result.error\n }\n }\n\n return {\n valid: Object.keys(errors).length === 0,\n errors,\n }\n}\n"],"names":[],"mappings":";;AA2BA,MAAM,4CAAyC,IAAmB;AAAA,EAChE;AAAA,EAAS;AAAA,EAAS;AAAA,EAAU;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAU;AAAA,EAAS;AAAA,EAC/D;AAAA,EAAU;AAAA,EAAU;AAAA,EAAY;AAAA,EAAY;AAAA,EAAQ;AAAA,EACpD;AAAA,EAAgB;AAAA,EAAiB;AAAA,EAAS;AAAA,EAAQ;AACpD,CAAC;AAKM,MAAM,0BAA0C;AAAA,EACrD,eAAe;AAAA,EACf,cAAc;AAAA,EACd,gBAAgB,KAAK;AAAA;AAAA,EACrB,eAAe;AAAA;AACjB;AASO,MAAM,yBAAyB;AAAA;AAAA,EAEpC;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EAC
A;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAOO,MAAM,yBAAyB;AAAA;AAAA,EAEpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKO,SAAS,qBAAqB,UAAqD;AACxF,QAAM,SAAqC,CAAA;AAG3C,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ;AAAA,QACN;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA;AAAA,MACR;AAAA,IACF;AAAA,EAEJ;AAEA,MAAI,SAAS,WAAW,KAAK,SAAS,WAAW,IAAI;AACnD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,UAAU,KAAK,SAAS,UAAU,IAAI;AACjD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,WAAW,SAAS,UAAU,IAAI,IAAI;AACjD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,aAAa,UAAa,SAAS,WAAW,GAAG;AAC5D,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,SAAS,YAAY,UAAa,SAAS,UAAU,GAAG;AAC1D,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,uBACd,QACA,SAAyB,yBACP;;AAClB,QAAM,SAAqC,CAAA;AAG3C,MAAI,EAAC,iCAAQ,OAAM;AACjB,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,eAAe,SAAS,6BAA6B,MAAM,eAAA,CAAgB,EAAA;AAAA,EACrH;AACA,MAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,QAAQ,GAAG;AACxC,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,wBAAwB,SAAS,qCAAqC,MAAM,mBAAA,CAAoB,EAAA;AAAA,EAC1I;AAEA,QAAM,YAAY,OAAO,QAAQ;AACjC,QAAM,kBAAiB,kBAAO,KAAK,SAAS,CAAC,MAAtB,mBAAyB,SAAzB,mBA
AgC;AACvD,QAAM,gBAAgB,OAAO,mBAAmB,YAAY,mBAAmB,QAAQ,OAAO;AAC9F,QAAM,eAAe,cAAc,aAAa,cAAc,YAAY;AAG1E,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,MAAM,GAAG;AACtC,aAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,sBAAsB,SAAS,mCAAmC,MAAM,iBAAA,CAAkB,EAAA;AAAA,IACpI;AAAA,EACF;AAGA,QAAM,kBAAkB,OAAO,KAAK,SAAS;AAAA,IAC3C,CAAC,KAAK,YAAY,OAAO,MAAM,QAAQ,QAAQ,IAAI,IAAI,QAAQ,KAAK,SAAS;AAAA,IAC7E;AAAA,EAAA;AAGF,MAAI,kBAAkB,OAAO,eAAe;AAC1C,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,kCAAkC,eAAe,MAAM,OAAO,aAAa;AAAA,MACpF,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,MAAI,CAAC,gBAAgB,MAAM,QAAQ,OAAO,KAAK,MAAM,GAAG;AACtD,UAAM,iBAAiB,OAAO,KAAK,OAAO;AAC1C,eAAW,CAAC,OAAO,OAAO,KAAK,OAAO,KAAK,SAAS,WAAW;AAC7D,UAAI,MAAM,QAAQ,QAAQ,IAAI,KAAK,QAAQ,KAAK,SAAS,KAAK,QAAQ,KAAK,WAAW,gBAAgB;AACpG,eAAO,KAAK;AAAA,UACV,MAAM,wBAAwB,KAAK;AAAA,UACnC,SAAS,qCAAqC,cAAc,SAAS,QAAQ,KAAK,MAAM;AAAA,UACxF,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAGA,aAAW,CAAC,OAAO,OAAO,KAAK,OAAO,KAAK,SAAS,WAAW;AAC7D,QAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,EAAG;AAClC,eAAW,CAAC,WAAW,KAAK,KAAK,QAAQ,KAAK,WAAW;AACvD,UAAI,cAAc;AAChB,cAAM,OAAO;AACb,YAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,KAAK,KAAK,QAAQ,OAAO,KAAK,MAAM,UAAU;AAC/F,iBAAO,KAAK;AAAA,YACV,MAAM,wBAAwB,KAAK,UAAU,SAAS;AAAA,YACtD,SAAS;AAAA,YACT,MAAM;AAAA,UAAA,CACP;AAAA,QACH;AAAA,MACF,OAAO;AACL,YAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,KAAK,GAAG;AACxD,iBAAO,KAAK;AAAA,YACV,MAAM,wBAAwB,KAAK,UAAU,SAAS;AAAA,YACtD,SAAS,uBAAuB,KAAK;AAAA,YACrC,MAAM;AAAA,UAAA,CACP;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,uBACd,QACA,SAAyB,yBACP;AAClB,QAAM,SAAqC,CAAA;AAG3C,MAAI,OAAO,KAAK,SAAS,OAAO,cAAc;AAC5C,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,2BAA2B,OAAO,KAAK,MAAM,MAAM,OAAO,YAAY;AAAA,MAC/E,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,MAAI,OAAO,QAAQ,WAAW,GAAG;AAC/B,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,QAAM,iCAAiB,IAAA;AACvB,aAAW,CAAC,OAAO,MAAM,KAAK,OAAO,QAAQ,WAAW;AACtD,QAAI,WAAW,IAAI,OAAO,GAAG,GAAG;AAC9B,aAAO,KA
AK;AAAA,QACV,MAAM,kBAAkB,KAAK;AAAA,QAC7B,SAAS,yBAAyB,OAAO,GAAG;AAAA,QAC5C,MAAM;AAAA,MAAA,CACP;AAAA,IACH;AACA,eAAW,IAAI,OAAO,GAAG;AAAA,EAC3B;AAGA,aAAW,CAAC,UAAU,GAAG,KAAK,OAAO,KAAK,WAAW;AACnD,eAAW,UAAU,OAAO,SAAS;AACnC,UAAI,EAAE,OAAO,OAAO,MAAM;AACxB,eAAO,KAAK;AAAA,UACV,MAAM,eAAe,QAAQ;AAAA,UAC7B,SAAS,uBAAuB,OAAO,GAAG;AAAA,UAC1C,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,oBACd,WACA,SAAyB,yBACP;AAClB,QAAM,cAAc,KAAK,UAAU,SAAS,EAAE;AAE9C,MAAI,cAAc,OAAO,gBAAgB;AACvC,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ;AAAA,QACN;AAAA,UACE,MAAM;AAAA,UACN,SAAS,+BAA+B,WAAW,MAAM,OAAO,cAAc;AAAA,UAC9E,MAAM;AAAA,QAAA;AAAA,MACR;AAAA,IACF;AAAA,EAEJ;AAEA,SAAO,EAAE,OAAO,KAAA;AAClB;AAMO,SAAS,eAAe,OAAuB;AACpD,SAAO,MACJ,QAAQ,uDAAuD,EAAE,EACjE,QAAQ,mBAAmB,EAAE,EAC7B,QAAQ,iBAAiB,EAAE;AAChC;AAUO,SAAS,qBACd,KACA,SACkB;AAElB,OAAI,mCAAS,YAAW,aAAa;AACnC,WAAO,EAAE,OAAO,KAAA;AAAA,EAClB;AAEA,MAAI;AACF,UAAM,YAAY,IAAI,IAAI,GAAG;AAC7B,UAAM,SAAS,UAAU;AAGzB,QAAI,qBAAqB;AACzB,SAAI,mCAAS,YAAW,YAAY,QAAQ,eAAe;AACzD,2BAAqB,CAAC,GAAG,wBAAwB,GAAG,QAAQ,aAAa;AAAA,IAC3E;AAEA,UAAM,YAAY,mBAAmB;AAAA,MACnC,CAAC,YAAY,WAAW,WAAW,OAAO,SAAS,IAAI,OAAO,EAAE,KAAK,YAAY;AAAA,IAAA;AAGnF,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL,OAAO;AAAA,QACP,QAAQ;AAAA,UACN;AAAA,YACE,MAAM;AAAA,YACN,SAAS,2BAA2B,MAAM;AAAA,YAC1C,MAAM;AAAA,UAAA;AAAA,QACR;AAAA,MACF;AAAA,IAEJ;AAEA,WAAO,EAAE,OAAO,KAAA;AAAA,EAClB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ;AAAA,QACN;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA;AAAA,MACR;AAAA,IACF;AAAA,EAEJ;AACF;AAcO,SAAS,iBACd,KACA,SACQ;AACR,QAAM,cAAc;AAEpB,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,GAAG,EAAE;AAC5B,QAAI,cAAc;AAClB,QAAI,mCAAS,sBAAsB;AACjC,oBAAc,CAAC,GAAG,wBAAwB,GAAG,QAAQ,oBAAoB;AAAA,IAC3E;AAEA,UAAM,YAAY,YAAY;AAAA,MAC5B,CAAC,YAAY,WAAW,WAAW,OAAO,SAAS,IAAI,OAAO,EAAE;AAAA,IAAA;AAGlE,QAAI,WAAW;AACb,aAAO,GAAG,WAAW;AAAA,IACvB;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO;AACT;AAQO,SAAS,kBACd,WACA,SACkB;AAClB,QAAM,UAAS,mCAAS,WAAU;AAClC,QAAM,
SAAqC,CAAA;AAG3C,MAAI,CAAC,UAAU,QAAQ;AACrB,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,UAAU,SAAS,4BAA4B,MAAM,iBAAA,CAAkB,EAAA;AAAA,EACjH;AAGA,QAAM,aAAa,qBAAqB,UAAU,QAAQ;AAC1D,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,KAAK,GAAI,WAAW,UAAU,CAAA,CAAG;AAAA,EAC1C;AAGA,QAAM,aAAa,oBAAoB,WAAW,MAAM;AACxD,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,KAAK,GAAI,WAAW,UAAU,CAAA,CAAG;AAAA,EAC1C;AAGA,UAAQ,UAAU,MAAA;AAAA,IAChB,KAAK,SAAS;AACZ,YAAM,cAAc,uBAAuB,UAAU,QAAgC,MAAM;AAC3F,UAAI,CAAC,YAAY,OAAO;AACtB,eAAO,KAAK,GAAI,YAAY,UAAU,CAAA,CAAG;AAAA,MAC3C;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AACZ,YAAM,cAAc,uBAAuB,UAAU,QAAgC,MAAM;AAC3F,UAAI,CAAC,YAAY,OAAO;AACtB,eAAO,KAAK,GAAI,YAAY,UAAU,CAAA,CAAG;AAAA,MAC3C;AACA;AAAA,IACF;AAAA,IAEA,KAAK,UAAU;AAEb,YAAM,eAAe,UAAU;AAC/B,UAAI,CAAC,aAAa,SAAS,CAAC,aAAa,OAAO;AAC9C,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AAEX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,WAAW,SAAS;AACvB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,UAAU;AAEb,YAAM,eAAe,UAAU;AAC/B,UAAI,CAAC,aAAa,KAAK;AACrB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH,OAAO;AAEL,cAAM,eAAe,qBAAqB,aAAa,KAAK;AAAA,UAC1D,QAAQ,mCAAS;AAAA,UACjB,eAAe,mCAAS;AAAA,QAAA,CACzB;AACD,YAAI,CAAC,aAAa,OAAO;AACvB,iBAAO,KAAK,GAAI,aAAa,UAAU,CAAA,CAAG;AAAA,QAC5C;AAAA,MACF;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AAEZ,YAAM,cAAc,UAAU;AAC9B,UAAI,CAAC,YAAY,KAAK;AACpB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AAEX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,WAAW,KAAK;AACnB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,UAAU;AAEb,YAAM,eAAe,UAAU;AAC/B,UAAI,CAAC,aAAa,OAAO;AACvB,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS;AAAA,UACT,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AACZ,YAAM,cAAc,UAAU;AAC9B,UAAI,CAAC,YAAY,KAAK;AACpB,eAAO,KAAK,EAAE,MAAM,UAAU,SAAS,iCAAiC,MAAM,iBAAiB;A
AAA,MACjG,OAAO;AAEL,cAAM,cAAc,qBAAqB,YAAY,KAAK;AAAA,UACxD,QAAQ,mCAAS;AAAA,UACjB,eAAe,mCAAS;AAAA,QAAA,CACzB;AACD,YAAI,CAAC,YAAY,OAAO;AACtB,iBAAO,KAAK,GAAI,YAAY,UAAU,CAAA,CAAG;AAAA,QAC3C;AAAA,MACF;AACA;AAAA,IACF;AAAA,IAEA,KAAK,YAAY;AACf,YAAM,iBAAiB,UAAU;AACjC,UAAI,CAAC,MAAM,QAAQ,eAAe,KAAK,KAAK,eAAe,MAAM,WAAW,GAAG;AAC7E,eAAO,KAAK,EAAE,MAAM,gBAAgB,SAAS,4CAA4C,MAAM,kBAAkB;AAAA,MACnH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,iBAAiB;AACpB,YAAM,gBAAgB,UAAU;AAChC,UAAI,CAAC,MAAM,QAAQ,cAAc,MAAM,KAAK,cAAc,OAAO,WAAW,GAAG;AAC7E,eAAO,KAAK,EAAE,MAAM,iBAAiB,SAAS,4CAA4C,MAAM,iBAAiB;AAAA,MACnH;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AACX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,MAAM,QAAQ,WAAW,MAAM,KAAK,WAAW,OAAO,WAAW,GAAG;AACvE,eAAO,KAAK,EAAE,MAAM,iBAAiB,SAAS,yCAAyC,MAAM,cAAc;AAAA,MAC7G;AACA;AAAA,IACF;AAAA,IAEA,KAAK,gBAAgB;AACnB,YAAM,WAAW,UAAU;AAC3B,UAAI,CAAC,MAAM,QAAQ,SAAS,OAAO,KAAK,SAAS,QAAQ,WAAW,GAAG;AACrE,eAAO,KAAK,EAAE,MAAM,kBAAkB,SAAS,kDAAkD,MAAM,sBAAsB;AAAA,MAC/H;AACA;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AACX,YAAM,aAAa,UAAU;AAC7B,UAAI,CAAC,WAAW,MAAM;AACpB,eAAO,KAAK,EAAE,MAAM,eAAe,SAAS,yCAAyC,MAAM,gBAAgB;AAAA,MAC7G;AACA;AAAA,IACF;AAAA,IAEA,KAAK,OAAO;AAEV,YAAM,YAAY,UAAU;AAC5B,UAAI,CAAC,UAAU,WAAW,CAAC,MAAM,QAAQ,UAAU,OAAO,KAAK,UAAU,QAAQ,WAAW,IAAI;AAC9F,eAAO,KAAK,EAAE,MAAM,UAAU,SAAS,mCAAmC,MAAM,eAAe;AAAA,MACjG;AACA;AAAA,IACF;AAAA,IAEA,KAAK,SAAS;AAEZ;AAAA,IACF;AAAA,IAEA,KAAK,YAAY;AACf,YAAM,iBAAiB,UAAU;AACjC,UAAI,CAAC,eAAe,SAAS;AAC3B,eAAO,KAAK,EAAE,MAAM,kBAAkB,SAAS,8BAA8B,MAAM,oBAAoB;AAAA,MACzG;AACA;AAAA,IACF;AAAA,IAEA;AAGE,UAAI,CAAC,sBAAsB,IAAI,UAAU,IAAI,GAAG;AAC9C,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS,2BAA2B,UAAU,IAAI;AAAA,UAClD,MAAM;AAAA,QAAA,CACP;AAAA,MACH;AACA;AAAA,EAAA;AAGJ,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAQO,SAAS,eACd,QACA,SACkB;;AAClB,QAAM,SAAqC,CAAA;AAG3C,MAAI,OAAO,WAAW,WAAW,GAAG;AAClC,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,MAAI,OAAO,WAAW,SAAS,IAAI;AACjC,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,kCAAkC,OAAO,WAAW,M
AAM;AAAA,MACnE,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAGA,aAAW,CAAC,OAAO,SAAS,KAAK,OAAO,WAAW,WAAW;AAC5D,UAAM,SAAS,kBAAkB,WAAW,OAAO;AACnD,QAAI,CAAC,OAAO,OAAO;AACjB,aAAO;AAAA,QACL,KAAI,YAAO,WAAP,mBAAe,IAAI,CAAC,WAAW;AAAA,UACjC,GAAG;AAAA,UACH,MAAM,cAAc,KAAK,KAAK,MAAM,IAAI;AAAA,QAAA,QACnC,CAAA;AAAA,MAAC;AAAA,IAEZ;AAAA,EACF;AAGA,MAAI,OAAO,KAAK,YAAY,IAAI;AAC9B,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,IAAA,CACP;AAAA,EACH;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB,QAAQ,OAAO,SAAS,IAAI,SAAS;AAAA,EAAA;AAEzC;AAKO,SAAS,mBACd,OACA,OACoC;AAEpC,MAAI,MAAM,UAAU;AAClB,QAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,IAAI;AACzD,aAAO,EAAE,OAAO,OAAO,OAAO,GAAG,MAAM,SAAS,MAAM,IAAI,eAAA;AAAA,IAC5D;AACA,QAAI,MAAM,SAAS,cAAc,UAAU,MAAM;AAC/C,aAAO,EAAE,OAAO,OAAO,OAAO,GAAG,MAAM,SAAS,MAAM,IAAI,mBAAA;AAAA,IAC5D;AAAA,EACF;AAGA,MAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,IAAI;AACzD,WAAO,EAAE,OAAO,KAAA;AAAA,EAClB;AAGA,UAAQ,MAAM,MAAA;AAAA,IACZ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACH,UAAI,MAAM,aAAa,OAAO,KAAK,EAAE,SAAS,MAAM,WAAW;AAC7D,eAAO,EAAE,OAAO,OAAO,OAAO,WAAW,MAAM,SAAS,uBAAA;AAAA,MAC1D;AACA,UAAI,MAAM,aAAa,OAAO,KAAK,EAAE,SAAS,MAAM,WAAW;AAC7D,eAAO,EAAE,OAAO,OAAO,OAAO,WAAW,MAAM,SAAS,sBAAA;AAAA,MAC1D;AACA,UAAI,MAAM,WAAW,CAAC,IAAI,OAAO,MAAM,OAAO,EAAE,KAAK,OAAO,KAAK,CAAC,GAAG;AACnE,eAAO,EAAE,OAAO,OAAO,OAAO,iBAAA;AAAA,MAChC;AACA;AAAA,IAEF,KAAK;AACH,UAAI,CAAC,6BAA6B,KAAK,OAAO,KAAK,CAAC,GAAG;AACrD,eAAO,EAAE,OAAO,OAAO,OAAO,wBAAA;AAAA,MAChC;AACA;AAAA,IAEF,KAAK,UAAU;AACb,YAAM,WAAW,OAAO,KAAK;AAC7B,UAAI,MAAM,QAAQ,GAAG;AACnB,eAAO,EAAE,OAAO,OAAO,OAAO,yBAAA;AAAA,MAChC;AACA,UAAI,MAAM,QAAQ,UAAa,WAAW,MAAM,KAAK;AACnD,eAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,MAAM,GAAG,GAAA;AAAA,MAC7D;AACA,UAAI,MAAM,QAAQ,UAAa,WAAW,MAAM,KAAK;AACnD,eAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,MAAM,GAAG,GAAA;AAAA,MAC7D;AACA;AAAA,IACF;AAAA,IAEA,KAAK;AACH,UAAI,MAAM,WAAW,QAAQ,MAAM,SAAS;AAC1C,eAAO,EAAE,OAAO,OAAO,OAAO,sBAAsB,MAAM,OAAO,GAAA;AAAA,MACnE;AACA,UAAI,MAAM,WAAW,QAAQ,MAAM,SAAS;AAC1C,eAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,MAAM,OAAO,GAAA;AAAA,MACpE;AACA;AAAA,IAEF,KAAK;AAAA,IACL,KAAK;AAEH
,UAAI,MAAM,WAAW,MAAM,QAAQ,SAAS,GAAG;AAC7C,cAAM,cAAc,MAAM,QAAQ,IAAI,CAAC,QAAQ,IAAI,KAAK;AACxD,YAAI,CAAC,YAAY,SAAS,OAAO,KAAK,CAAC,GAAG;AACxC,iBAAO,EAAE,OAAO,OAAO,OAAO,+BAAA;AAAA,QAChC;AAAA,MACF;AACA;AAAA,EAAA;AAGJ,SAAO,EAAE,OAAO,KAAA;AAClB;AAKO,SAAS,iBACd,MACA,QACoD;AACpD,QAAM,SAAiC,CAAA;AAEvC,aAAW,SAAS,QAAQ;AAC1B,UAAM,SAAS,mBAAmB,KAAK,MAAM,IAAI,GAAG,KAAK;AACzD,QAAI,CAAC,OAAO,SAAS,OAAO,OAAO;AACjC,aAAO,MAAM,IAAI,IAAI,OAAO;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,KAAK,MAAM,EAAE,WAAW;AAAA,IACtC;AAAA,EAAA;AAEJ;;;;;;;;;;;;;;;"}
@@ -20,6 +20,12 @@ export declare const DEFAULT_RESOURCE_LIMITS: ResourceLimits;
20
20
  * This list is exported for transparency and can be extended via ValidationOptions
21
21
  */
22
22
  export declare const DEFAULT_IFRAME_DOMAINS: string[];
23
+ /**
24
+ * Trusted iframe domains that require allow-same-origin to function.
25
+ * These domains need access to their own cookies/storage for auth.
26
+ * All other whitelisted domains get a restrictive sandbox without allow-same-origin.
27
+ */
28
+ export declare const TRUSTED_IFRAME_DOMAINS: string[];
23
29
  /**
24
30
  * Validate grid position bounds (1-12 columns)
25
31
  */
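Review bot: `TRUSTED_IFRAME_DOMAINS` is declared as a mutable `string[]`, so any module that imports it can `push` a host and change which frames receive `allow-same-origin` for every later caller of `getIframeSandbox`, which reads this same array. The documented extension point is the `customTrustedDomains` option, so the constant could be frozen in the source and emitted as `export declare const TRUSTED_IFRAME_DOMAINS: readonly string[];`. It is a new export in this version, so tightening the type now breaks no existing consumer. `DEFAULT_IFRAME_DOMAINS` in the context lines has the same shape, but changing it would alter an already published type.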
@@ -53,6 +59,21 @@ export declare function validateIframeDomain(url: string, options?: {
53
59
  policy?: IframePolicy;
54
60
  customDomains?: string[];
55
61
  }): ValidationResult;
62
+ /**
63
+ * Get the appropriate sandbox attribute for an iframe URL.
64
+ *
65
+ * Trusted domains (Google, Deposium, payment, auth-requiring services) get
66
+ * `allow-same-origin` so they can access their own cookies/storage.
67
+ * All other whitelisted domains get a restrictive sandbox without it,
68
+ * preventing access to the parent page's localStorage/cookies.
69
+ *
70
+ * @param url - The iframe URL
71
+ * @param options - Optional custom trusted domains
72
+ * @returns sandbox attribute string
73
+ */
74
+ export declare function getIframeSandbox(url: string, options?: {
75
+ customTrustedDomains?: string[];
76
+ }): string;
56
77
  /**
57
78
  * Validate entire component
58
79
  *
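Review bot: The doc comment added for `getIframeSandbox` attributes the wrong effect to the flag: a cross-origin frame is already kept out of the parent page's localStorage and cookies by the same-origin policy, with or without `allow-same-origin`. Omitting the token gives the framed document an opaque origin, so it loses access to its own cookies and storage. Adding it next to `allow-scripts` makes the sandbox removable by any frame that shares the embedder's origin. I would reword the second sentence to `All other whitelisted domains are loaded in an opaque origin and cannot use their own cookies/storage.` and add `Never mark the embedding page's own origin as trusted: allow-scripts plus allow-same-origin lets such a frame remove its sandbox.` The `@returns` line could also say that an unparsable URL yields the restrictive value.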
@@ -1 +1 @@
1
- {"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/services/validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,QAAQ,EACR,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,iBAAiB,EAElB,MAAM,UAAU,CAAA;AAYjB;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAKrC,CAAA;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,UAgHlC,CAAA;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,WAAW,CAAC,UAAU,CAAC,GAAG,gBAAgB,CA6DxF;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,oBAAoB,EAC5B,MAAM,GAAE,cAAwC,GAC/C,gBAAgB,CAgFlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,oBAAoB,EAC5B,MAAM,GAAE,cAAwC,GAC/C,gBAAgB,CAmDlB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,WAAW,EACtB,MAAM,GAAE,cAAwC,GAC/C,gBAAgB,CAiBlB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKpD;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,YAAY,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC5D,gBAAgB,CA8ClB;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,WAAW,EACtB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,gBAAgB,CA8NlB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,QAAQ,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,gBAAgB,CA8ClB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,eAAe,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CA0EpC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,eAAe,EAAE,GACxB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CAcpD"}
1
+ {"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/services/validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,QAAQ,EACR,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,iBAAiB,EAElB,MAAM,UAAU,CAAA;AAYjB;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAKrC,CAAA;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,UA0HlC,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,UA4ClC,CAAA;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,WAAW,CAAC,UAAU,CAAC,GAAG,gBAAgB,CA6DxF;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,oBAAoB,EAC5B,MAAM,GAAE,cAAwC,GAC/C,gBAAgB,CAgFlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,oBAAoB,EAC5B,MAAM,GAAE,cAAwC,GAC/C,gBAAgB,CAmDlB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,WAAW,EACtB,MAAM,GAAE,cAAwC,GAC/C,gBAAgB,CAiBlB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKpD;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,YAAY,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC5D,gBAAgB,CA8ClB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;IAAE,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC5C,MAAM,CAsBR;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,WAAW,EACtB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,gBAAgB,CA8NlB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,QAAQ,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,gBAAgB,CA8ClB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,eAAe,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CA0EpC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,eAAe,EAAE,GACxB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CAcpD"}
@@ -121,7 +121,57 @@ const DEFAULT_IFRAME_DOMAINS = [
121
121
  "clinicaltrials.gov",
122
122
  "www.clinicaltrials.gov",
123
123
  "linear.app",
124
- "www.linear.app"
124
+ "www.linear.app",
125
+ // Payment platforms (v2.2.12)
126
+ "polar.sh",
127
+ "www.polar.sh",
128
+ "checkout.stripe.com",
129
+ "js.stripe.com",
130
+ "billing.stripe.com",
131
+ "buy.stripe.com",
132
+ "connect.stripe.com",
133
+ "invoice.stripe.com"
134
+ ];
135
+ const TRUSTED_IFRAME_DOMAINS = [
136
+ // Deposium (own domains)
137
+ "deposium.com",
138
+ "deposium.vip",
139
+ "deposium.ai",
140
+ "localhost",
141
+ // Google services (need auth cookies)
142
+ "docs.google.com",
143
+ "drive.google.com",
144
+ "sheets.google.com",
145
+ "slides.google.com",
146
+ "maps.google.com",
147
+ "datastudio.google.com",
148
+ "lookerstudio.google.com",
149
+ // Productivity (need auth)
150
+ "notion.so",
151
+ "www.notion.so",
152
+ "airtable.com",
153
+ "figma.com",
154
+ "www.figma.com",
155
+ "miro.com",
156
+ // Payment (need auth + cookies for checkout)
157
+ "polar.sh",
158
+ "www.polar.sh",
159
+ "checkout.stripe.com",
160
+ "js.stripe.com",
161
+ "billing.stripe.com",
162
+ "buy.stripe.com",
163
+ "connect.stripe.com",
164
+ "invoice.stripe.com",
165
+ // Business tools (need auth)
166
+ "app.hubspot.com",
167
+ "share.hubspot.com",
168
+ "app.powerbi.com",
169
+ "linear.app",
170
+ "www.linear.app",
171
+ "calendly.com",
172
+ "typeform.com",
173
+ "cal.com",
174
+ "canva.com"
125
175
  ];
126
176
  function validateGridPosition(position) {
127
177
  const errors = [];
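Review bot: `TRUSTED_IFRAME_DOMAINS` ships with `"localhost"` and the first-party `deposium.*` hosts, which are the entries most likely to be same-origin with the page doing the embedding. For those frames the string returned by `getIframeSandbox` (added in a later hunk) combines `allow-scripts` with `allow-same-origin`. A same-origin frame holding both can reach the parent document and remove its own sandbox attribute, so the sandbox gives no isolation there. I would drop `"localhost"` from the shipped default and leave it to `customTrustedDomains` in development, and put `// Must never include the embedding page's own origin: allow-scripts + allow-same-origin is not a sandbox for same-origin frames` above the first-party group. Whether a deposium.com page actually embeds deposium.com content is not visible here and needs confirming with the integrators.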
@@ -348,6 +398,24 @@ function validateIframeDomain(url, options) {
348
398
  };
349
399
  }
350
400
  }
401
+ function getIframeSandbox(url, options) {
402
+ const baseSandbox = "allow-scripts allow-popups";
403
+ try {
404
+ const domain = new URL(url).hostname;
405
+ let trustedList = TRUSTED_IFRAME_DOMAINS;
406
+ if (options == null ? void 0 : options.customTrustedDomains) {
407
+ trustedList = [...TRUSTED_IFRAME_DOMAINS, ...options.customTrustedDomains];
408
+ }
409
+ const isTrusted = trustedList.some(
410
+ (trusted) => domain === trusted || domain.endsWith(`.${trusted}`)
411
+ );
412
+ if (isTrusted) {
413
+ return `${baseSandbox} allow-same-origin allow-forms`;
414
+ }
415
+ } catch {
416
+ }
417
+ return baseSandbox;
418
+ }
351
419
  function validateComponent(component, options) {
352
420
  const limits = (options == null ? void 0 : options.limits) ?? DEFAULT_RESOURCE_LIMITS;
353
421
  const errors = [];
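Review bot: The `domain.endsWith` suffix branch of the trust test in `getIframeSandbox` extends `allow-same-origin allow-forms` to every subdomain of each list entry, and the function never looks at the URL scheme. For registrable domains in the list such as `typeform.com`, `canva.com` or `notion.so`, that covers any host under them, including ones the service may hand out to its customers. An `http://` URL on a trusted host is also treated the same as `https://`, unless `validateIframeDomain` (body outside this hunk) already rejects it. I would match third-party entries exactly with `(trusted) => domain === trusted`, since their `www.` variants are already listed, and keep suffix matching only where the subdomains are under the project's control. The empty `catch {}` fails closed, which is correct, but deserves `// unparsable URL: fall through to the restrictive sandbox`.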
@@ -653,6 +721,8 @@ function validateFormData(data, fields) {
653
721
  export {
654
722
  DEFAULT_IFRAME_DOMAINS,
655
723
  DEFAULT_RESOURCE_LIMITS,
724
+ TRUSTED_IFRAME_DOMAINS,
725
+ getIframeSandbox,
656
726
  sanitizeString,
657
727
  validateChartComponent,
658
728
  validateComponent,