@semiont/backend 0.4.22 → 0.5.1

package/dist/index.js

@@ -15565,6 +15565,10 @@ var openapi_default = {
           correlationId: {
             type: "string"
           },
+          _userId: {
+            type: "string",
+            description: "Authenticated user's DID, injected by the /bus/emit gateway. Clients do not set this."
+          },
           token: {
             type: "string"
           },
@@ -15574,9 +15578,6 @@ var openapi_default = {
           content: {
             type: "string"
           },
-          userId: {
-            type: "string"
-          },
           archiveOriginal: {
             type: "boolean"
           }
@@ -15585,8 +15586,7 @@ var openapi_default = {
           "correlationId",
           "token",
           "name",
-          "content",
-          "userId"
+          "content"
         ]
       },
       YieldCloneCreated: {
@@ -17582,7 +17582,18 @@ var securityHeaders = () => {
         "max-age=31536000; includeSubDomains"
       );
     }
-    const csp = [
+    const isSwaggerUi = c.req.path === "/api/docs" || c.req.path === "/api/swagger";
+    const csp = isSwaggerUi ? [
+      "default-src 'none'",
+      "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net",
+      "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net",
+      "img-src 'self' data: https://cdn.jsdelivr.net",
+      "font-src 'self' https://cdn.jsdelivr.net",
+      "connect-src 'self'",
+      "frame-ancestors 'none'",
+      "base-uri 'self'",
+      "form-action 'none'"
+    ].join("; ") : [
       "default-src 'none'",
       // Block everything by default
       "frame-ancestors 'none'",