@treeseed/core 0.6.24 → 0.6.25

package/dist/site.js

@@ -19,6 +19,7 @@ import {
   resolveTreeseedSiteResource,
   resolveTreeseedStyleEntrypoint
 } from "./site-resources.js";
+import { deriveTreeseedAstroAllowedDomains } from "./utils/astro-security.js";
 import { isSiteRenderedModel } from "./utils/site-models.js";
 const TENANT_THEME_VIRTUAL_ID = "virtual:treeseed/tenant-theme.css";
 const RESOLVED_TENANT_THEME_VIRTUAL_ID = "\0treeseed:tenant-theme.css";
@@ -234,6 +235,7 @@ function createTreeseedSite(tenantConfig, { starlight }) {
   const injectedDeployConfig = JSON.stringify(deployConfig);
   const resolvedGlobalCss = resolveTreeseedStyleEntrypoint(siteLayers, "styles/global.css");
   const serverRendered = deployConfig.surfaces?.web?.provider === "cloudflare" || deployConfig.providers.deploy === "cloudflare";
+  const allowedDomains = deriveTreeseedAstroAllowedDomains(deployConfig, { siteUrl: siteConfig.site.siteUrl });
   const publishedRuntime = getTreeseedContentServingMode() === "published_runtime";
   const packageRoutes = [
     ...PACKAGE_ROUTE_ENTRIES,
@@ -246,6 +248,10 @@ function createTreeseedSite(tenantConfig, { starlight }) {
     adapter: serverRendered ? cloudflare({ imageService: "compile" }) : void 0,
     output: serverRendered ? "server" : "static",
     session: serverRendered ? { driver: "null" } : void 0,
+    security: {
+      checkOrigin: true,
+      allowedDomains
+    },
     site: siteConfig.site.siteUrl,
     image: {
       service: {

package/dist/utils/astro-security.js

@@ -0,0 +1,37 @@
+const LOCAL_ASTRO_HOSTS = ["localhost", "127.0.0.1"];
+function hostnameFromUrlLike(value) {
+  const trimmed = value?.trim();
+  if (!trimmed) return null;
+  const candidate = URL.canParse(trimmed) ? trimmed : URL.canParse(`https://${trimmed}`) ? `https://${trimmed}` : null;
+  if (!candidate) return null;
+  const url = new URL(candidate);
+  return url.hostname.trim().toLowerCase() || null;
+}
+function appendHostname(hostnames, value) {
+  const hostname = hostnameFromUrlLike(value);
+  if (hostname && !hostnames.includes(hostname)) {
+    hostnames.push(hostname);
+  }
+}
+function appendEnvironmentHostnames(hostnames, environments) {
+  for (const environment of environments) {
+    appendHostname(hostnames, environment?.domain);
+    appendHostname(hostnames, environment?.baseUrl);
+  }
+}
+function deriveTreeseedAstroAllowedDomains(deployConfig, options = {}) {
+  const hostnames = [];
+  const webSurface = deployConfig.surfaces?.web;
+  appendHostname(hostnames, deployConfig.siteUrl);
+  appendHostname(hostnames, options.siteUrl);
+  appendHostname(hostnames, webSurface?.publicBaseUrl);
+  appendHostname(hostnames, webSurface?.localBaseUrl);
+  appendEnvironmentHostnames(hostnames, Object.values(webSurface?.environments ?? {}));
+  for (const hostname of LOCAL_ASTRO_HOSTS) {
+    appendHostname(hostnames, hostname);
+  }
+  return hostnames.map((hostname) => ({ hostname }));
+}
+export {
+  deriveTreeseedAstroAllowedDomains
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@treeseed/core",
-  "version": "0.6.24",
+  "version": "0.6.25",
   "description": "Treeseed integrated platform starter for Astro/Starlight web runtimes and Hono API runtimes.",
   "license": "AGPL-3.0-only",
   "repository": {
@@ -76,7 +76,7 @@
     "@astrojs/sitemap": "3.7.0",
     "@astrojs/starlight": "0.37.6",
     "@tailwindcss/vite": "^4.1.4",
-    "@treeseed/sdk": "0.6.23",
+    "@treeseed/sdk": "0.6.24",
     "astro": "^5.6.1",
     "esbuild": "^0.28.0",
     "hono": "^4.8.2",