npm - @trops/dash-core - Versions diffs - 0.1.507 → 0.1.509 - Mend

@trops/dash-core 0.1.507 → 0.1.509

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/electron/index.js +208 -18
package/dist/electron/index.js.map +1 -1
package/package.json +1 -1

package/dist/electron/index.js CHANGED Viewed

@@ -993,14 +993,14 @@ var events$8 = {
  * Open a dialog window for choosing files
  */
-const { dialog: dialog$2 } = require$$0$1;
+const { dialog: dialog$3 } = require$$0$1;
 const events$7 = events$8;
 const showDialog$1 = async (win, message, allowFile, extensions = ["*"]) => {
   const properties =
     allowFile === true ? ["openFile"] : ["openDirectory", "createDirectory"];
   const filters = allowFile === true ? [{ name: "Data", extensions }] : [];
-  const result = await dialog$2.showOpenDialog({ properties, filters });
+  const result = await dialog$3.showOpenDialog({ properties, filters });
   if (result.canceled || !result.filePaths[0]) return null;
   return result.filePaths[0];
 };
@@ -2083,7 +2083,7 @@ var grantedPermissions = {
  *   _resetForTest() → void                            (test-only)
  */
-const { BrowserWindow: BrowserWindow$2, ipcMain: ipcMain$2 } = require$$0$1;
+const { BrowserWindow: BrowserWindow$3, ipcMain: ipcMain$2 } = require$$0$1;
 const REQUEST_CHANNEL = "widget:permission-required";
 const RESPONSE_CHANNEL = "widget:permission-response";
@@ -2129,7 +2129,7 @@ function coalesceKeyOf(req) {
 function emitEvent(payload) {
   let wins = [];
   try {
-    wins = BrowserWindow$2.getAllWindows() || [];
+    wins = BrowserWindow$3.getAllWindows() || [];
   } catch {
     wins = [];
   }
@@ -2586,9 +2586,23 @@ function _hostMatches(host, allowedList) {
   if (!Array.isArray(allowedList) || allowedList.length === 0) return false;
   if (allowedList.includes("*")) return true;
   const lower = host.toLowerCase();
-  return allowedList.some(
-    (h) => typeof h === "string" && h.toLowerCase() === lower,
-  );
+  for (const entry of allowedList) {
+    if (typeof entry !== "string") continue;
+    const entryLower = entry.toLowerCase();
+    // Exact match.
+    if (entryLower === lower) return true;
+    // Subdomain wildcard: "*.example.com" matches "example.com" and
+    // any host ending in ".example.com". The leading dot on the
+    // suffix-test is required — otherwise "*.example.com" would also
+    // match "attackerexample.com", which is the kind of confusion
+    // this feature is meant to avoid.
+    if (entryLower.startsWith("*.")) {
+      const base = entryLower.slice(2); // "example.com"
+      if (lower === base) return true;
+      if (lower.endsWith("." + base)) return true;
+    }
+  }
+  return false;
 }
 function _parseHost(url) {
@@ -48726,7 +48740,7 @@ var jsonSchemaToZod_1 = { jsonSchemaToZod: jsonSchemaToZod$1, jsonSchemaProperty
 const https$1 = require$$11;
 const { randomUUID } = require$$3$4;
-const { BrowserWindow: BrowserWindow$1 } = require$$0$1;
+const { BrowserWindow: BrowserWindow$2 } = require$$0$1;
 const { McpServer } = mcp;
 const {
   StreamableHTTPServerTransport,
@@ -48770,7 +48784,7 @@ function broadcastStateChanged(toolName, result) {
     /* leave null */
   }
   const payload = { toolName, result: parsed };
-  for (const win of BrowserWindow$1.getAllWindows()) {
+  for (const win of BrowserWindow$2.getAllWindows()) {
     if (!win.isDestroyed()) {
       try {
         win.webContents.send("dash-mcp:state-changed", payload);
@@ -57551,7 +57565,7 @@ function requireWidgetPublishManifest () {
  * and registry interaction.
  */
 const path$4 = require$$1$1;
-const { app: app$4, dialog: dialog$1 } = require$$0$1;
+const { app: app$4, dialog: dialog$2 } = require$$0$1;
 const AdmZip$2 = require$$3$2;
 const themeController$3 = themeController_1;
@@ -57750,7 +57764,7 @@ async function prepareThemeForPublish$1(win, appId, themeKey, options = {}) {
     const sanitizedName = sanitizeName(themeKey);
     const defaultFilename = `theme-${sanitizedName}-v${manifest.version}.zip`;
-    const saveResult = await dialog$1.showSaveDialog(win, {
+    const saveResult = await dialog$2.showSaveDialog(win, {
       title: "Save Theme Package",
       defaultPath: defaultFilename,
       filters: [{ name: "ZIP Files", extensions: ["zip"] }],
@@ -58289,7 +58303,7 @@ var themeRegistryController$1 = {
  * applies event wiring. (Import is implemented in DASH-13.)
  */
-const { app: app$3, dialog } = require$$0$1;
+const { app: app$3, dialog: dialog$1 } = require$$0$1;
 const path$3 = require$$1$1;
 const AdmZip$1 = require$$3$2;
 const { getFileContents: getFileContents$1 } = file;
@@ -58451,7 +58465,7 @@ async function exportDashboardConfig$1(
       .replace(/\s+/g, "-")
       .toLowerCase();
-    const { canceled, filePath } = await dialog.showSaveDialog(win, {
+    const { canceled, filePath } = await dialog$1.showSaveDialog(win, {
       title: "Export Dashboard as ZIP",
       defaultPath: path$3.join(
         app$3.getPath("desktop"),
@@ -58505,7 +58519,7 @@ async function exportDashboardConfig$1(
  */
 async function selectDashboardFile$1(win) {
   try {
-    const { canceled, filePaths } = await dialog.showOpenDialog(win, {
+    const { canceled, filePaths } = await dialog$1.showOpenDialog(win, {
       title: "Import Dashboard Configuration",
       filters: [{ name: "ZIP Archive", extensions: ["zip"] }],
       properties: ["openFile"],
@@ -58612,7 +58626,7 @@ async function importDashboardConfig$1(
       zipPath = options.filePath;
     } else {
       // Show file picker
-      const { canceled, filePaths } = await dialog.showOpenDialog(win, {
+      const { canceled, filePaths } = await dialog$1.showOpenDialog(win, {
         title: "Import Dashboard Configuration",
         filters: [{ name: "ZIP Archive", extensions: ["zip"] }],
         properties: ["openFile"],
@@ -59960,7 +59974,7 @@ async function prepareDashboardForPublish$1(
     // 9. Show save dialog for the publish package
     const sanitizedName = manifest.name;
-    const { canceled, filePath } = await dialog.showSaveDialog(win, {
+    const { canceled, filePath } = await dialog$1.showSaveDialog(win, {
       title: "Save Dashboard Package for Registry",
       defaultPath: path$3.join(
         app$3.getPath("desktop"),
@@ -61458,6 +61472,133 @@ function buildGrantsListing$1(
 var widgetMcpGrantsListing = { buildGrantsListing: buildGrantsListing$1 };
+/**
+ * grantDiff.js
+ *
+ * Pure-function diff between two grant blobs. Used by the
+ * `widget-mcp:set-grant` IPC handler to decide whether the change
+ * needs OS-native confirmation (broadening permissions) or can pass
+ * through silently (revocations / equal / narrowing).
+ *
+ * Returns { broadening: boolean, summary: string[] }. `summary` is a
+ * list of human-readable additions used to populate the native
+ * confirm dialog.
+ *
+ * Broadening dimensions checked:
+ *   - servers: new server name present in newGrant.servers but not in
+ *     currentGrant.servers
+ *   - server tools: new tool name in an existing server's `tools[]`
+ *   - server paths: new entry in `readPaths[]` or `writePaths[]`
+ *     (including `*` wildcard added)
+ *   - domains.fs: new block, or new `readPaths[]` / `writePaths[]`
+ *     entry within an existing block (including `*`)
+ *   - domains.network: new block, or new `hosts[]` entry (including
+ *     `*` and `*.<base>` wildcards)
+ *
+ * Reductions, equality, and "no permission" → "no permission"
+ * transitions are NOT broadening.
+ */
+function _arr(x) {
+  return Array.isArray(x) ? x : [];
+}
+function _added(currentList, newList) {
+  const cur = new Set(_arr(currentList));
+  const out = [];
+  for (const item of _arr(newList)) {
+    if (!cur.has(item)) out.push(item);
+  }
+  return out;
+}
+function _diffServer(serverName, currentSrv, newSrv) {
+  const summary = [];
+  const cur = currentSrv || {};
+  const nxt = newSrv || {};
+  for (const tool of _added(cur.tools, nxt.tools)) {
+    summary.push(`server "${serverName}" tool "${tool}"`);
+  }
+  for (const p of _added(cur.readPaths, nxt.readPaths)) {
+    summary.push(`server "${serverName}" readPath "${p}"`);
+  }
+  for (const p of _added(cur.writePaths, nxt.writePaths)) {
+    summary.push(`server "${serverName}" writePath "${p}"`);
+  }
+  return summary;
+}
+function _diffServers(curServers, nxtServers) {
+  const summary = [];
+  const cur = curServers || {};
+  const nxt = nxtServers || {};
+  for (const name of Object.keys(nxt)) {
+    if (!cur[name]) {
+      // Whole new server entry → list each component as broadening.
+      const srv = nxt[name];
+      const tools = _arr(srv?.tools);
+      const reads = _arr(srv?.readPaths);
+      const writes = _arr(srv?.writePaths);
+      if (tools.length === 0 && reads.length === 0 && writes.length === 0) {
+        // Empty-shell server entry — no actual permissions added.
+        // Skip; not a meaningful broadening.
+        continue;
+      }
+      summary.push(`new server "${name}"`);
+      for (const t of tools) summary.push(`  tool "${t}"`);
+      for (const p of reads) summary.push(`  readPath "${p}"`);
+      for (const p of writes) summary.push(`  writePath "${p}"`);
+    } else {
+      summary.push(..._diffServer(name, cur[name], nxt[name]));
+    }
+  }
+  return summary;
+}
+function _diffDomainsFs(curFs, nxtFs) {
+  const summary = [];
+  const cur = curFs || {};
+  const nxt = nxtFs || {};
+  for (const p of _added(cur.readPaths, nxt.readPaths)) {
+    summary.push(`fs readPath "${p}"`);
+  }
+  for (const p of _added(cur.writePaths, nxt.writePaths)) {
+    summary.push(`fs writePath "${p}"`);
+  }
+  return summary;
+}
+function _diffDomainsNetwork(curNet, nxtNet) {
+  const summary = [];
+  const cur = curNet || {};
+  const nxt = nxtNet || {};
+  for (const h of _added(cur.hosts, nxt.hosts)) {
+    summary.push(`network host "${h}"`);
+  }
+  return summary;
+}
+/**
+ * @param {object|null|undefined} currentGrant
+ * @param {object|null|undefined} newGrant
+ * @returns {{ broadening: boolean, summary: string[] }}
+ */
+function isBroadening$1(currentGrant, newGrant) {
+  const cur = currentGrant || {};
+  const nxt = newGrant || {};
+  const summary = [
+    ..._diffServers(cur.servers, nxt.servers),
+    ..._diffDomainsFs(cur?.domains?.fs, nxt?.domains?.fs),
+    ..._diffDomainsNetwork(cur?.domains?.network, nxt?.domains?.network),
+  ];
+  return { broadening: summary.length > 0, summary };
+}
+var grantDiff = { isBroadening: isBroadening$1 };
 /**
  * widgetMcpGrantsController.js
  *
@@ -61473,7 +61614,7 @@ var widgetMcpGrantsListing = { buildGrantsListing: buildGrantsListing$1 };
  * grant are also surfaced — those are the install-consent retroactive prompts.
  */
-const { ipcMain: ipcMain$1 } = require$$0$1;
+const { ipcMain: ipcMain$1, dialog, BrowserWindow: BrowserWindow$1 } = require$$0$1;
 const {
   getGrant,
   setGrant,
@@ -61484,13 +61625,62 @@ const {
 const { getWidgetMcpPermissions } = widgetPermissions;
 const { getWidgetRegistry } = widgetRegistryExports;
 const { buildGrantsListing } = widgetMcpGrantsListing;
+const { isBroadening } = grantDiff;
+// Native confirm dialog for any set-grant call that broadens the
+// widget's current permissions. The dialog runs at OS level — a
+// renderer (including a malicious widget) cannot dismiss it
+// programmatically. This is the defense-in-depth fix for the
+// `widget-mcp:set-grant` consent-bypass gap documented in the IPC
+// audit doc: a widget calling `mainApi.widgetMcp.setGrant("@self",
+// {wide-open perms})` now triggers a system-level prompt the user
+// must explicitly approve. Reductions / equality pass unprompted.
+async function _confirmBroadening(event, widgetId, summary) {
+  const senderWindow =
+    BrowserWindow$1.fromWebContents(event.sender) ||
+    BrowserWindow$1.getFocusedWindow();
+  // Cap the listed lines so the dialog body stays readable.
+  const MAX_LINES = 20;
+  const trimmed = summary.slice(0, MAX_LINES);
+  const overflow =
+    summary.length > MAX_LINES
+      ? `\n  …and ${summary.length - MAX_LINES} more`
+      : "";
+  const detail =
+    "Widget '" +
+    widgetId +
+    "' will be granted the following NEW permissions:\n\n  " +
+    trimmed.join("\n  ") +
+    overflow +
+    "\n\nIf you didn't initiate this from Settings → Privacy & Security, " +
+    "click Cancel — a malicious widget may be trying to escalate its own " +
+    "permissions.";
+  const result = await dialog.showMessageBox(senderWindow, {
+    type: "warning",
+    title: "Confirm permissions change",
+    message: "Allow new permissions for " + widgetId + "?",
+    detail,
+    buttons: ["Cancel", "Allow"],
+    defaultId: 0,
+    cancelId: 0,
+    noLink: true,
+  });
+  return result.response === 1;
+}
 function setupWidgetMcpGrantsHandlers() {
   ipcMain$1.handle("widget-mcp:get-grant", (event, widgetId) => {
     return getGrant(widgetId);
   });
-  ipcMain$1.handle("widget-mcp:set-grant", (event, widgetId, perms) => {
+  ipcMain$1.handle("widget-mcp:set-grant", async (event, widgetId, perms) => {
+    const current = getGrant(widgetId);
+    const diff = isBroadening(current, perms);
+    if (diff.broadening) {
+      const approved = await _confirmBroadening(event, widgetId, diff.summary);
+      if (!approved) return false;
+    }
     return setGrant(widgetId, perms);
   });