@tavus/cvi-ui 0.0.4-beta.0 → 0.0.4-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +3 -3
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -391,7 +391,7 @@ var magic_canvas_default$1 = {
|
|
|
391
391
|
extraFiles: [
|
|
392
392
|
{
|
|
393
393
|
"path": "allowlists.ts",
|
|
394
|
-
"content": "// Magic Canvas URL allowlists.\n// `sandbox_url` / `mcp_server_url` / `api_base_url` / `interaction_url` arrive\n// from the wire and decide which origins the iframe loads from and where\n// interactions get POSTed. M0 ships a hard allowlist; customers self-hosting\n// against a non-tavusapi.com backend should fork these constants until M1\n// adds a configurable surface.\n\nconst ALLOWED_CANVAS_SANDBOX_HOSTS = new Set(['mcp-ui.tavus.io']);\nconst ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES = ['.sandbox-tavus.io'];\nconst ALLOWED_CANVAS_API_HOSTS = new Set(['tavusapi.com']);\n\nexport function isAllowedCanvasSandboxUrl(rawUrl: string) {\n let url: URL;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasSandboxUrl(url)) return true;\n if (url.protocol !== 'https:') return false;\n if (ALLOWED_CANVAS_SANDBOX_HOSTS.has(url.hostname)) return true;\n return ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES.some((suffix) => url.hostname.endsWith(suffix));\n}\n\nexport function isAllowedCanvasMcpUrl(rawUrl: string) {\n return isAllowedCanvasSandboxUrl(rawUrl);\n}\n\nexport function isAllowedCanvasApiUrl(rawUrl: string) {\n let url: URL;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasUrl(url)) return true;\n return url.protocol === 'https:' && ALLOWED_CANVAS_API_HOSTS.has(url.hostname);\n}\n\nfunction isLocalCanvasSandboxUrl(url: URL) {\n return isLocalCanvasUrl(url);\n}\n\nfunction isLocalCanvasUrl(url: URL) {\n if (!isLocalHostPage()) return false;\n if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;\n return ['localhost', '127.0.0.1', '::1', '[::1]'].includes(url.hostname);\n}\n\nfunction isLocalHostPage() {\n try {\n const hostname = globalThis.location?.hostname;\n return (\n typeof hostname === 'string' && ['localhost', '127.0.0.1', '::1', '[::1]'].includes(hostname)\n );\n } catch {\n return false;\n }\n}\n"
|
|
394
|
+
"content": "// Magic Canvas URL allowlists.\n// `sandbox_url` / `mcp_server_url` / `api_base_url` / `interaction_url` arrive\n// from the wire and decide which origins the iframe loads from and where\n// interactions get POSTed. M0 ships a hard allowlist; customers self-hosting\n// against a non-tavusapi.com backend should fork these constants until M1\n// adds a configurable surface.\n\nconst ALLOWED_CANVAS_SANDBOX_HOSTS = new Set([\n 'mcp-ui.tavus.io',\n // Preview host: the components worker runs the same code as prod and has a\n // valid cert while mcp-ui.tavus.io's cert provisioning is pending. Additive\n // so prod keeps working; remove once the prod host is live.\n 'mcp-ui.tavus-preview.io',\n]);\nconst ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES = ['.sandbox-tavus.io'];\nconst ALLOWED_CANVAS_API_HOSTS = new Set(['tavusapi.com']);\n\nexport function isAllowedCanvasSandboxUrl(rawUrl: string) {\n let url: URL;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasSandboxUrl(url)) return true;\n if (url.protocol !== 'https:') return false;\n if (ALLOWED_CANVAS_SANDBOX_HOSTS.has(url.hostname)) return true;\n return ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES.some((suffix) => url.hostname.endsWith(suffix));\n}\n\nexport function isAllowedCanvasMcpUrl(rawUrl: string) {\n return isAllowedCanvasSandboxUrl(rawUrl);\n}\n\nexport function isAllowedCanvasApiUrl(rawUrl: string) {\n let url: URL;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasUrl(url)) return true;\n return url.protocol === 'https:' && ALLOWED_CANVAS_API_HOSTS.has(url.hostname);\n}\n\nfunction isLocalCanvasSandboxUrl(url: URL) {\n return isLocalCanvasUrl(url);\n}\n\nfunction isLocalCanvasUrl(url: URL) {\n if (!isLocalHostPage()) return false;\n if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;\n return ['localhost', '127.0.0.1', '::1', '[::1]'].includes(url.hostname);\n}\n\nfunction isLocalHostPage() {\n try {\n const hostname = globalThis.location?.hostname;\n return (\n typeof hostname === 'string' && ['localhost', '127.0.0.1', '::1', '[::1]'].includes(hostname)\n );\n } catch {\n return false;\n }\n}\n"
|
|
395
395
|
},
|
|
396
396
|
{
|
|
397
397
|
"path": "bridge.ts",
|
|
@@ -633,7 +633,7 @@ var magic_canvas_default = {
|
|
|
633
633
|
extraFiles: [
|
|
634
634
|
{
|
|
635
635
|
"path": "allowlists.js",
|
|
636
|
-
"content": "// Magic Canvas URL allowlists.\n// `sandbox_url` / `mcp_server_url` / `api_base_url` / `interaction_url` arrive\n// from the wire and decide which origins the iframe loads from and where\n// interactions get POSTed. M0 ships a hard allowlist; customers self-hosting\n// against a non-tavusapi.com backend should fork these constants until M1\n// adds a configurable surface.\n\nconst ALLOWED_CANVAS_SANDBOX_HOSTS = new Set(['mcp-ui.tavus.io']);\nconst ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES = ['.sandbox-tavus.io'];\nconst ALLOWED_CANVAS_API_HOSTS = new Set(['tavusapi.com']);\n\nexport function isAllowedCanvasSandboxUrl(rawUrl) {\n let url;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasSandboxUrl(url)) return true;\n if (url.protocol !== 'https:') return false;\n if (ALLOWED_CANVAS_SANDBOX_HOSTS.has(url.hostname)) return true;\n return ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES.some((suffix) => url.hostname.endsWith(suffix));\n}\n\nexport function isAllowedCanvasMcpUrl(rawUrl) {\n return isAllowedCanvasSandboxUrl(rawUrl);\n}\n\nexport function isAllowedCanvasApiUrl(rawUrl) {\n let url;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasUrl(url)) return true;\n return url.protocol === 'https:' && ALLOWED_CANVAS_API_HOSTS.has(url.hostname);\n}\n\nfunction isLocalCanvasSandboxUrl(url) {\n return isLocalCanvasUrl(url);\n}\n\nfunction isLocalCanvasUrl(url) {\n if (!isLocalHostPage()) return false;\n if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;\n return ['localhost', '127.0.0.1', '::1', '[::1]'].includes(url.hostname);\n}\n\nfunction isLocalHostPage() {\n try {\n const hostname = globalThis.location?.hostname;\n return (\n typeof hostname === 'string' && ['localhost', '127.0.0.1', '::1', '[::1]'].includes(hostname)\n );\n } catch {\n return false;\n }\n}\n"
|
|
636
|
+
"content": "// Magic Canvas URL allowlists.\n// `sandbox_url` / `mcp_server_url` / `api_base_url` / `interaction_url` arrive\n// from the wire and decide which origins the iframe loads from and where\n// interactions get POSTed. M0 ships a hard allowlist; customers self-hosting\n// against a non-tavusapi.com backend should fork these constants until M1\n// adds a configurable surface.\n\nconst ALLOWED_CANVAS_SANDBOX_HOSTS = new Set([\n 'mcp-ui.tavus.io',\n // Preview host: the components worker runs the same code as prod and has a\n // valid cert while mcp-ui.tavus.io's cert provisioning is pending. Additive\n // so prod keeps working; remove once the prod host is live.\n 'mcp-ui.tavus-preview.io',\n]);\nconst ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES = ['.sandbox-tavus.io'];\nconst ALLOWED_CANVAS_API_HOSTS = new Set(['tavusapi.com']);\n\nexport function isAllowedCanvasSandboxUrl(rawUrl) {\n let url;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasSandboxUrl(url)) return true;\n if (url.protocol !== 'https:') return false;\n if (ALLOWED_CANVAS_SANDBOX_HOSTS.has(url.hostname)) return true;\n return ALLOWED_CANVAS_SANDBOX_HOST_SUFFIXES.some((suffix) => url.hostname.endsWith(suffix));\n}\n\nexport function isAllowedCanvasMcpUrl(rawUrl) {\n return isAllowedCanvasSandboxUrl(rawUrl);\n}\n\nexport function isAllowedCanvasApiUrl(rawUrl) {\n let url;\n try {\n url = new URL(rawUrl);\n } catch {\n return false;\n }\n\n if (isLocalCanvasUrl(url)) return true;\n return url.protocol === 'https:' && ALLOWED_CANVAS_API_HOSTS.has(url.hostname);\n}\n\nfunction isLocalCanvasSandboxUrl(url) {\n return isLocalCanvasUrl(url);\n}\n\nfunction isLocalCanvasUrl(url) {\n if (!isLocalHostPage()) return false;\n if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;\n return ['localhost', '127.0.0.1', '::1', '[::1]'].includes(url.hostname);\n}\n\nfunction isLocalHostPage() {\n try {\n const hostname = globalThis.location?.hostname;\n return (\n typeof hostname === 'string' && ['localhost', '127.0.0.1', '::1', '[::1]'].includes(hostname)\n );\n } catch {\n return false;\n }\n}\n"
|
|
637
637
|
},
|
|
638
638
|
{
|
|
639
639
|
"path": "bridge.js",
|
|
@@ -1439,7 +1439,7 @@ const info = new Command().name("info").description("get information about your
|
|
|
1439
1439
|
});
|
|
1440
1440
|
//#endregion
|
|
1441
1441
|
//#region package.json
|
|
1442
|
-
var version = "0.0.4-beta.
|
|
1442
|
+
var version = "0.0.4-beta.1";
|
|
1443
1443
|
//#endregion
|
|
1444
1444
|
//#region src/index.ts
|
|
1445
1445
|
process.on("SIGINT", () => process.exit(0));
|