@sylergydigital/issue-pin-sdk 0.6.2 → 0.6.3

package/dist/index.d.cts

@@ -279,4 +279,16 @@ declare const Z: {
     readonly flash: 99998;
 };
 
-export { type AnchorResolution, type AnnotationSurface, IssuePin as ElementWhisperer, FeedbackButton, type FeedbackMode, FeedbackOverlay, FeedbackProvider, IssuePin, type LauncherRenderProps, type ModalCaptureRenderProps, type PendingPin, type PendingScreenshotPin, ReviewSurfaceOverlay, ScreenshotFeedback, type ScrollContainerBinding, SdkCommentPopover, type ThreadData, ThreadPins, Z, useFeedback, useFeedbackSafe, useIssuePinAnchor };
+/** Convert any string user ID to a valid UUID. Already-valid UUIDs pass through unchanged. */
+declare function normalizeUserId(userId: string): string;
+
+/** CSP directives required by the IssuePin SDK.
+ *  Keyed by CSP directive name, values are source expressions to allow.
+ *  Use wildcards (*.supabase.co) for zero-config — narrow to your project URL in production if preferred. */
+declare const CSP_REQUIREMENTS: {
+    readonly "connect-src": readonly ["https://*.supabase.co", "wss://*.supabase.co"];
+    readonly "img-src": readonly ["data:", "blob:"];
+    readonly "style-src": readonly ["'unsafe-inline'"];
+};
+
+export { type AnchorResolution, type AnnotationSurface, CSP_REQUIREMENTS, IssuePin as ElementWhisperer, FeedbackButton, type FeedbackMode, FeedbackOverlay, FeedbackProvider, IssuePin, type LauncherRenderProps, type ModalCaptureRenderProps, type PendingPin, type PendingScreenshotPin, ReviewSurfaceOverlay, ScreenshotFeedback, type ScrollContainerBinding, SdkCommentPopover, type ThreadData, ThreadPins, Z, normalizeUserId, useFeedback, useFeedbackSafe, useIssuePinAnchor };

package/dist/index.d.ts

@@ -279,4 +279,16 @@ declare const Z: {
     readonly flash: 99998;
 };
 
-export { type AnchorResolution, type AnnotationSurface, IssuePin as ElementWhisperer, FeedbackButton, type FeedbackMode, FeedbackOverlay, FeedbackProvider, IssuePin, type LauncherRenderProps, type ModalCaptureRenderProps, type PendingPin, type PendingScreenshotPin, ReviewSurfaceOverlay, ScreenshotFeedback, type ScrollContainerBinding, SdkCommentPopover, type ThreadData, ThreadPins, Z, useFeedback, useFeedbackSafe, useIssuePinAnchor };
+/** Convert any string user ID to a valid UUID. Already-valid UUIDs pass through unchanged. */
+declare function normalizeUserId(userId: string): string;
+
+/** CSP directives required by the IssuePin SDK.
+ *  Keyed by CSP directive name, values are source expressions to allow.
+ *  Use wildcards (*.supabase.co) for zero-config — narrow to your project URL in production if preferred. */
+declare const CSP_REQUIREMENTS: {
+    readonly "connect-src": readonly ["https://*.supabase.co", "wss://*.supabase.co"];
+    readonly "img-src": readonly ["data:", "blob:"];
+    readonly "style-src": readonly ["'unsafe-inline'"];
+};
+
+export { type AnchorResolution, type AnnotationSurface, CSP_REQUIREMENTS, IssuePin as ElementWhisperer, FeedbackButton, type FeedbackMode, FeedbackOverlay, FeedbackProvider, IssuePin, type LauncherRenderProps, type ModalCaptureRenderProps, type PendingPin, type PendingScreenshotPin, ReviewSurfaceOverlay, ScreenshotFeedback, type ScrollContainerBinding, SdkCommentPopover, type ThreadData, ThreadPins, Z, normalizeUserId, useFeedback, useFeedbackSafe, useIssuePinAnchor };

package/dist/index.js

@@ -77,6 +77,51 @@ var T = {
   ring: "#6366f1"
 };
 
+// src/uuid.ts
+import { v5 as uuidv5 } from "uuid";
+var NAMESPACE = "8920e263-ef53-4df0-8108-968cd5d8939e";
+var UUID_SHAPE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function normalizeUserId(userId) {
+  if (UUID_SHAPE.test(userId)) return userId;
+  return uuidv5(userId, NAMESPACE);
+}
+
+// src/csp.ts
+var CSP_REQUIREMENTS = {
+  "connect-src": ["https://*.supabase.co", "wss://*.supabase.co"],
+  "img-src": ["data:", "blob:"],
+  "style-src": ["'unsafe-inline'"]
+};
+var warnedDirectives = /* @__PURE__ */ new Set();
+function isIssuePinViolation(event) {
+  const blocked = event.blockedURI;
+  const directive = event.violatedDirective;
+  if (directive.startsWith("connect-src") && blocked.includes("supabase.co")) return true;
+  if (directive.startsWith("img-src") && (blocked === "data" || blocked === "blob")) return true;
+  if (directive.startsWith("style-src") && (blocked === "inline" || blocked === "'unsafe-inline'")) return true;
+  return false;
+}
+function handleViolation(event) {
+  if (!isIssuePinViolation(event)) return;
+  const directive = event.violatedDirective.split(" ")[0];
+  if (warnedDirectives.has(directive)) return;
+  warnedDirectives.add(directive);
+  const sources = CSP_REQUIREMENTS[directive];
+  const fix = sources ? sources.join(" ") : event.blockedURI;
+  console.warn(
+    `[IssuePin] CSP violation: ${directive} blocked "${event.blockedURI}". Add to your Content-Security-Policy: ${directive} ${fix}`
+  );
+}
+function subscribeCspDetection() {
+  if (typeof document === "undefined") return () => {
+  };
+  const handler = (e) => handleViolation(e);
+  document.addEventListener("securitypolicyviolation", handler);
+  return () => {
+    document.removeEventListener("securitypolicyviolation", handler);
+  };
+}
+
 // src/FeedbackProvider.tsx
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 var FeedbackContext = createContext(null);
@@ -128,11 +173,11 @@ function setThreadsSchemaMode(workspaceId, mode) {
   threadsSchemaModeByWorkspace.set(workspaceId, mode);
 }
 function resolveIssuePinActorUserId(opts) {
-  if (opts.explicitUserId) return opts.explicitUserId;
+  if (opts.explicitUserId) return normalizeUserId(opts.explicitUserId);
   if (opts.hasApiKey && !opts.skipFederation && opts.autoIdentityUserId) {
     return opts.federatedLocalUserId;
   }
-  return opts.autoIdentityUserId;
+  return opts.autoIdentityUserId ? normalizeUserId(opts.autoIdentityUserId) : opts.autoIdentityUserId;
 }
 function resolveIssuePinActorReady(opts) {
   if (!opts.authReady) return false;
@@ -369,6 +414,10 @@ function FeedbackProvider({
     hasApiKey: !!config.apiKey,
     skipFederation: config.skipFederation
   });
+  const rawUserId = config.userId ?? autoIdentity.userId;
+  if (config.debug && rawUserId && effectiveUserId && rawUserId !== effectiveUserId) {
+    console.log(`[EW SDK] User ID normalized: "${rawUserId}" -> "${effectiveUserId}"`);
+  }
   const actorReady = resolveIssuePinActorReady({
     authReady,
     explicitUserId: config.userId,
@@ -453,12 +502,13 @@ function FeedbackProviderInner({
     console.log(`[EW SDK] ${message}`, extra);
   }, [debug]);
   useEffect(() => {
+    if (!authReady) return;
     if (!userDisplayName && !userEmail) {
       console.warn(
         '[IssuePin] No user identity provided \u2014 comments will appear as "Unknown". Pass supabaseClient={supabase} for automatic identity, or user={{ email, displayName }} for manual attribution. See https://github.com/sylergydigital/issue-pin/blob/main/sdk/README.md#user-identity-avoiding-unknown-comments'
       );
     }
-  }, []);
+  }, [authReady, userDisplayName, userEmail]);
   const client = useMemo(() => {
     try {
       return createClient(supabaseUrl, supabaseAnonKey, {
@@ -565,6 +615,10 @@ function FeedbackProviderInner({
       debugLog("FeedbackProvider unmounted", { workspaceId, path: pathname });
     };
   }, [debugLog, workspaceId, pathname]);
+  useEffect(() => {
+    const unsubscribe = subscribeCspDetection();
+    return unsubscribe;
+  }, []);
   useEffect(() => {
     debugLog("mode / feedbackActive", { mode, feedbackActive });
   }, [debugLog, mode, feedbackActive]);
@@ -2434,6 +2488,7 @@ function PinsSlot() {
   return /* @__PURE__ */ jsx9(ThreadPins, {});
 }
 export {
+  CSP_REQUIREMENTS,
   IssuePin as ElementWhisperer,
   FeedbackButton,
   FeedbackOverlay,
@@ -2444,6 +2499,7 @@ export {
   SdkCommentPopover,
   ThreadPins,
   Z,
+  normalizeUserId,
   useFeedback,
   useFeedbackSafe,
   useIssuePinAnchor