@trops/dash-core 0.1.508 → 0.1.510

package/dist/electron/index.js

@@ -3,6 +3,7 @@
 var require$$0$1 = require('electron');
 var require$$1$1 = require('path');
 var require$$0$2 = require('fs');
+var require$$0$3 = require('crypto');
 var require$$9$1 = require('objects-to-csv');
 var require$$1$2 = require('readline');
 var require$$2 = require('xtreamer');
@@ -10,30 +11,29 @@ var require$$3$1 = require('xml2js');
 var require$$4 = require('JSONStream');
 var require$$5 = require('stream');
 var require$$6 = require('csv-parser');
-var require$$0$3 = require('quickjs-emscripten');
+var require$$0$4 = require('quickjs-emscripten');
 var require$$11 = require('https');
-var require$$0$5 = require('@modelcontextprotocol/sdk/client/index.js');
+var require$$0$6 = require('@modelcontextprotocol/sdk/client/index.js');
 var require$$1$3 = require('@modelcontextprotocol/sdk/client/stdio.js');
-var require$$0$4 = require('pkce-challenge');
+var require$$0$5 = require('pkce-challenge');
 var require$$2$1 = require('os');
 var require$$12 = require('child_process');
-var require$$0$6 = require('electron-store');
+var require$$0$7 = require('electron-store');
 var require$$3$2 = require('adm-zip');
 var require$$4$1 = require('url');
 var require$$2$2 = require('vm');
 var require$$1$4 = require('croner');
 var require$$2$3 = require('algoliasearch');
 var require$$3$3 = require('node:path');
-var require$$0$7 = require('openai');
-var require$$0$a = require('@anthropic-ai/sdk');
-var require$$3$4 = require('crypto');
+var require$$0$8 = require('openai');
+var require$$0$b = require('@anthropic-ai/sdk');
 var require$$8$1 = require('zod');
-var require$$0$8 = require('http');
+var require$$0$9 = require('http');
 var require$$1$5 = require('http2');
 var require$$2$4 = require('node-forge');
-var require$$0$9 = require('css');
+var require$$0$a = require('css');
 var require$$1$6 = require('node-vibrant/node');
-var require$$3$5 = require('ws');
+var require$$3$4 = require('ws');
 
 var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
@@ -993,14 +993,14 @@ var events$8 = {
  * Open a dialog window for choosing files
  */
 
-const { dialog: dialog$2 } = require$$0$1;
+const { dialog: dialog$3 } = require$$0$1;
 const events$7 = events$8;
 
 const showDialog$1 = async (win, message, allowFile, extensions = ["*"]) => {
   const properties =
     allowFile === true ? ["openFile"] : ["openDirectory", "createDirectory"];
   const filters = allowFile === true ? [{ name: "Data", extensions }] : [];
-  const result = await dialog$2.showOpenDialog({ properties, filters });
+  const result = await dialog$3.showOpenDialog({ properties, filters });
   if (result.canceled || !result.filePaths[0]) return null;
   return result.filePaths[0];
 };
@@ -2083,7 +2083,7 @@ var grantedPermissions = {
  *   _resetForTest() → void                            (test-only)
  */
 
-const { BrowserWindow: BrowserWindow$2, ipcMain: ipcMain$2 } = require$$0$1;
+const { BrowserWindow: BrowserWindow$3, ipcMain: ipcMain$3 } = require$$0$1;
 
 const REQUEST_CHANNEL = "widget:permission-required";
 const RESPONSE_CHANNEL = "widget:permission-response";
@@ -2129,7 +2129,7 @@ function coalesceKeyOf(req) {
 function emitEvent(payload) {
   let wins = [];
   try {
-    wins = BrowserWindow$2.getAllWindows() || [];
+    wins = BrowserWindow$3.getAllWindows() || [];
   } catch {
     wins = [];
   }
@@ -2248,8 +2248,8 @@ let _handlersRegistered = false;
  */
 function setupJitConsentHandlers() {
   if (_handlersRegistered) return;
-  if (!ipcMain$2 || typeof ipcMain$2.on !== "function") return;
-  ipcMain$2.on(RESPONSE_CHANNEL, (_event, payload) => {
+  if (!ipcMain$3 || typeof ipcMain$3.on !== "function") return;
+  ipcMain$3.on(RESPONSE_CHANNEL, (_event, payload) => {
     _handleResponse(payload);
   });
   _handlersRegistered = true;
@@ -2265,6 +2265,93 @@ var jitConsent$1 = {
   DEFAULT_TIMEOUT_MS,
 };
 
+/**
+ * mountTokenRegistry.js
+ *
+ * Trusted root of widget identity at the IPC boundary. Each time
+ * `WidgetFactory` mounts a widget it calls
+ * `framework:register-widget-mount`, which calls `register(widgetId)`
+ * here. The returned token is baked into the widget's bound API
+ * (`makeBoundApi`) and sent on every gated IPC call. Gates resolve the
+ * widgetId via `lookup(token)` instead of trusting whatever the
+ * renderer claims.
+ *
+ * Why server-generated tokens: the renderer-supplied widgetId path was
+ * the original consent-bypass surface. Tokens are produced by
+ * `crypto.randomBytes(24)` here (192 bits) and are NEVER accepted from
+ * the renderer — the renderer can only present tokens it received from
+ * a prior `register` call. A widget cannot fabricate a token for
+ * another widgetId.
+ *
+ * Limit: in single-renderer (one BrowserWindow shared across all
+ * widgets), a malicious widget can still walk the React fiber tree to
+ * find another widget's bound API and call its functions — the bound
+ * function fires IPC with the *victim's* token. Fully closing that
+ * residual requires per-widget BrowserView (multi-week refactor). The
+ * token model raises the bar from "type a widgetId string" to "walk
+ * the fiber tree and call another widget's bound function," which is
+ * a deliberate malicious step that's visible at install-time review.
+ */
+
+const crypto$1 = require$$0$3;
+
+const _byToken = new Map(); // token → widgetId
+
+function _generateToken() {
+  // 24 random bytes = 48 hex chars = 192 bits of entropy. More than
+  // enough; collision probability is negligible.
+  return crypto$1.randomBytes(24).toString("hex");
+}
+
+/**
+ * Register a widgetId mount and return a fresh token bound to it.
+ * @param {string} widgetId
+ * @returns {string} token
+ */
+function register$1(widgetId) {
+  if (typeof widgetId !== "string" || widgetId.length === 0) {
+    throw new Error(
+      "mountTokenRegistry.register: widgetId must be a non-empty string",
+    );
+  }
+  let token = _generateToken();
+  // Defensive — collision is astronomically unlikely but if it did
+  // happen we'd silently overwrite a valid mapping. Regenerate.
+  while (_byToken.has(token)) {
+    token = _generateToken();
+  }
+  _byToken.set(token, widgetId);
+  return token;
+}
+
+/**
+ * Resolve a token to the widgetId it was bound to.
+ * @param {string} token
+ * @returns {string|null}
+ */
+function lookup(token) {
+  if (typeof token !== "string") return null;
+  return _byToken.has(token) ? _byToken.get(token) : null;
+}
+
+/**
+ * Drop a token. Silent no-op for unknown tokens or non-strings —
+ * unregister is called from unmount cleanup paths and should never
+ * throw.
+ * @param {string} token
+ */
+function unregister$1(token) {
+  if (typeof token !== "string") return;
+  _byToken.delete(token);
+}
+
+/** Test-only — clears the registry between cases. */
+function _resetForTests() {
+  _byToken.clear();
+}
+
+var mountTokenRegistry = { register: register$1, lookup, unregister: unregister$1, _resetForTests };
+
 /**
  * fsGate.js
  *
@@ -2302,6 +2389,25 @@ var jitConsent$1 = {
 
 const { getGrant: getGrant$3, setGrant: setGrant$3 } = grantedPermissions;
 const { requestApproval: requestApproval$2 } = jitConsent$1;
+const { lookup: lookupMountToken$2 } = mountTokenRegistry;
+
+// If a token is supplied, the gate resolves widgetId via the mount
+// registry and ignores any renderer-supplied widgetId. Tokens are
+// server-generated and bound to a widgetId at WidgetFactory mount —
+// the renderer cannot fabricate a token for another widget. See
+// `mountTokenRegistry.js`.
+//
+// Legacy callers without a token fall through to the existing
+// widgetId-based path (Slice 1 keeps this for back-compat; Slice 2
+// flips to deny).
+function _resolveIdentity$2({ token, widgetId }) {
+  if (typeof token === "string" && token.length > 0) {
+    const resolved = lookupMountToken$2(token);
+    if (resolved) return { widgetId: resolved, source: "token" };
+    return { widgetId: null, source: "token-unknown" };
+  }
+  return { widgetId: widgetId || null, source: "legacy" };
+}
 
 // Action names treated as writes. Anything not in this set is a read.
 // Conservative — when in doubt, classify as a read so write-protected
@@ -2336,7 +2442,15 @@ function _filenameMatches(filename, allowedList) {
  * Synchronous gate evaluation.
  * @returns {{ allow: true } | { allow: false, reason: string }}
  */
-function gateFsCall$1({ widgetId, action, args }) {
+function gateFsCall$1({ widgetId, token, action, args }) {
+  const resolved = _resolveIdentity$2({ token, widgetId });
+  if (resolved.source === "token-unknown") {
+    return {
+      allow: false,
+      reason: "fs gate: unknown mount token; widget identity not verifiable",
+    };
+  }
+  widgetId = resolved.widgetId;
   if (!widgetId) {
     return {
       allow: false,
@@ -2460,11 +2574,21 @@ async function gateFsCallWithJit$1(req, opts = {}) {
   if (!opts.enableJit) return initial;
   if (!_isNoGrantDenial$2(initial.reason)) return initial;
 
+  // Resolve verified identity once (token wins over claimed widgetId).
+  // Re-using the same resolution as gateFsCall keeps the JIT prompt
+  // and grant write tied to the same identity the gate just denied.
+  const resolved = _resolveIdentity$2({
+    token: req.token,
+    widgetId: req.widgetId,
+  });
+  const verifiedWidgetId = resolved.widgetId;
+  if (!verifiedWidgetId) return initial;
+
   let decision;
   try {
     decision = await requestApproval$2(
       {
-        widgetId: req.widgetId,
+        widgetId: verifiedWidgetId,
         domain: "fs",
         action: req.action,
         args: req.args || {},
@@ -2487,7 +2611,7 @@ async function gateFsCallWithJit$1(req, opts = {}) {
       allow: false,
       reason:
         "user declined JIT consent for widget '" +
-        req.widgetId +
+        verifiedWidgetId +
         "' calling fs '" +
         req.action +
         "'",
@@ -2511,9 +2635,9 @@ async function gateFsCallWithJit$1(req, opts = {}) {
   addition.grantOrigin = "live";
 
   try {
-    const current = getGrant$3(req.widgetId);
+    const current = getGrant$3(verifiedWidgetId);
     const merged = _mergeFsGrant(current, addition);
-    setGrant$3(req.widgetId, merged);
+    setGrant$3(verifiedWidgetId, merged);
   } catch (e) {
     return {
       allow: false,
@@ -2575,6 +2699,20 @@ var fsGate = {
 
 const { getGrant: getGrant$2, setGrant: setGrant$2 } = grantedPermissions;
 const { requestApproval: requestApproval$1 } = jitConsent$1;
+const { lookup: lookupMountToken$1 } = mountTokenRegistry;
+
+// See `mountTokenRegistry.js` and the matching block in fsGate.js —
+// when a token is supplied, it's the trusted identity source; the
+// renderer-claimed widgetId is ignored. Legacy widgetId-only callers
+// still work in slice 1 (additive); slice 2 will flip to deny.
+function _resolveIdentity$1({ token, widgetId }) {
+  if (typeof token === "string" && token.length > 0) {
+    const resolved = lookupMountToken$1(token);
+    if (resolved) return { widgetId: resolved, source: "token" };
+    return { widgetId: null, source: "token-unknown" };
+  }
+  return { widgetId: widgetId || null, source: "legacy" };
+}
 
 function _isNoGrantDenial$1(reason) {
   return (
@@ -2617,7 +2755,16 @@ function _parseHost(url) {
  * Synchronous gate evaluation.
  * @returns {{ allow: true } | { allow: false, reason: string }}
  */
-function gateNetworkCall$2({ widgetId, action, args }) {
+function gateNetworkCall$2({ widgetId, token, action, args }) {
+  const resolved = _resolveIdentity$1({ token, widgetId });
+  if (resolved.source === "token-unknown") {
+    return {
+      allow: false,
+      reason:
+        "network gate: unknown mount token; widget identity not verifiable",
+    };
+  }
+  widgetId = resolved.widgetId;
   if (!widgetId) {
     return {
       allow: false,
@@ -2708,11 +2855,21 @@ async function gateNetworkCallWithJit$2(req, opts = {}) {
   if (!opts.enableJit) return initial;
   if (!_isNoGrantDenial$1(initial.reason)) return initial;
 
+  // Same identity-resolution as the sync gate — the JIT prompt and
+  // grant write must use the verified widgetId, not whatever the
+  // renderer claimed.
+  const resolved = _resolveIdentity$1({
+    token: req.token,
+    widgetId: req.widgetId,
+  });
+  const verifiedWidgetId = resolved.widgetId;
+  if (!verifiedWidgetId) return initial;
+
   let decision;
   try {
     decision = await requestApproval$1(
       {
-        widgetId: req.widgetId,
+        widgetId: verifiedWidgetId,
         domain: "network",
         action: req.action,
         args: req.args || {},
@@ -2735,7 +2892,7 @@ async function gateNetworkCallWithJit$2(req, opts = {}) {
       allow: false,
       reason:
         "user declined JIT consent for widget '" +
-        req.widgetId +
+        verifiedWidgetId +
         "' calling network '" +
         req.action +
         "'",
@@ -2753,9 +2910,9 @@ async function gateNetworkCallWithJit$2(req, opts = {}) {
   addition.grantOrigin = "live";
 
   try {
-    const current = getGrant$2(req.widgetId);
+    const current = getGrant$2(verifiedWidgetId);
     const merged = _mergeNetworkGrant(current, addition);
-    setGrant$2(req.widgetId, merged);
+    setGrant$2(verifiedWidgetId, merged);
   } catch (e) {
     return {
       allow: false,
@@ -2867,7 +3024,7 @@ function requireSafeJsExecutor () {
 	let _modulePromise = null;
 	function getModule() {
 	  if (!_modulePromise) {
-	    const { getQuickJS } = require$$0$3;
+	    const { getQuickJS } = require$$0$4;
 	    _modulePromise = getQuickJS();
 	  }
 	  return _modulePromise;
@@ -3541,13 +3698,19 @@ function _loadFlags$1() {
  *
  * @returns {Promise<boolean>}
  */
-async function _runFsGate(win, action, widgetId, args, errorEvent) {
+async function _runFsGate(win, action, widgetId, args, errorEvent, token) {
   const settings = _loadFlags$1();
   if (!readEnforceFlag$2(settings)) return true; // gate disabled
-  if (!widgetId) return true; // legacy callers without widgetId — see plan
+  // Slice 1 (additive): token is the trusted identity when present.
+  // If neither token nor widgetId is supplied, legacy bypass still
+  // applies; slice 2 will flip this to deny.
+  if (!widgetId && !token) return true;
   const gate = readJitFlag$2(settings)
-    ? await gateFsCallWithJit({ widgetId, action, args }, { enableJit: true })
-    : gateFsCall({ widgetId, action, args });
+    ? await gateFsCallWithJit(
+        { widgetId, token, action, args },
+        { enableJit: true },
+      )
+    : gateFsCall({ widgetId, token, action, args });
   if (gate.allow) return true;
   if (win && errorEvent) {
     win.webContents.send(errorEvent, {
@@ -3562,16 +3725,16 @@ async function _runFsGate(win, action, widgetId, args, errorEvent) {
  * Phase 3 network gate. Same shape as _runFsGate but for outbound
  * URLs. Mirrors fs's "disabled / no widgetId / sync vs async" branching.
  */
-async function _runNetworkGate$1(win, action, widgetId, args, errorEvent) {
+async function _runNetworkGate$1(win, action, widgetId, args, errorEvent, token) {
   const settings = _loadFlags$1();
   if (!readEnforceFlag$2(settings)) return true;
-  if (!widgetId) return true;
+  if (!widgetId && !token) return true;
   const gate = readJitFlag$2(settings)
     ? await gateNetworkCallWithJit$1(
-        { widgetId, action, args },
+        { widgetId, token, action, args },
         { enableJit: true },
       )
-    : gateNetworkCall$1({ widgetId, action, args });
+    : gateNetworkCall$1({ widgetId, token, action, args });
   if (gate.allow) return true;
   if (win && errorEvent) {
     win.webContents.send(errorEvent, {
@@ -3741,7 +3904,13 @@ const dataController$1 = {
     }
   },
 
-  readDataFromURL: async (win, url, toFilepath, widgetId = null) => {
+  readDataFromURL: async (
+    win,
+    url,
+    toFilepath,
+    widgetId = null,
+    token = null,
+  ) => {
     // Phase 3 network gate. Runs before HTTPS-protocol + safePath
     // checks so JIT can prompt the user without leaking URL parser
     // edge cases through error timing.
@@ -3751,6 +3920,7 @@ const dataController$1 = {
       widgetId,
       { url },
       events$5.READ_DATA_URL_ERROR,
+      token,
     );
     if (!gateOk) return;
     try {
@@ -3938,6 +4108,7 @@ const dataController$1 = {
     append,
     returnEmpty = {},
     widgetId = null,
+    token = null,
   ) => {
     // Phase 2 fs gate. Runs before safePath containment so JIT can
     // prompt the user without leaking path-shape information through
@@ -3948,6 +4119,7 @@ const dataController$1 = {
       widgetId,
       { filename },
       events$5.DATA_SAVE_TO_FILE_ERROR,
+      token,
     );
     if (!gateOk) return;
     try {
@@ -4043,7 +4215,13 @@ const dataController$1 = {
     }
   },
 
-  readFromFile: async (win, filename, returnIfEmpty = {}, widgetId = null) => {
+  readFromFile: async (
+    win,
+    filename,
+    returnIfEmpty = {},
+    widgetId = null,
+    token = null,
+  ) => {
     // Phase 2 fs gate — same as saveToFile.
     const gateOk = await _runFsGate(
       win,
@@ -4051,6 +4229,7 @@ const dataController$1 = {
       widgetId,
       { filename },
       events$5.DATA_READ_FROM_FILE_ERROR,
+      token,
     );
     if (!gateOk) return;
     try {
@@ -20707,7 +20886,7 @@ auth$2.exchangeAuthorization = exchangeAuthorization;
 auth$2.refreshAuthorization = refreshAuthorization;
 auth$2.fetchToken = fetchToken;
 auth$2.registerClient = registerClient;
-const pkce_challenge_1 = __importDefault$2(require$$0$4);
+const pkce_challenge_1 = __importDefault$2(require$$0$5);
 const types_js_1$5 = types$2;
 const auth_js_1$1 = auth$1;
 const auth_js_2 = auth$1;
@@ -22265,6 +22444,21 @@ streamableHttp$1.StreamableHTTPClientTransport = StreamableHTTPClientTransport$1
 const { getGrant: getGrant$1, setGrant: setGrant$1 } = grantedPermissions;
 const { safePath: safePath$1 } = safePath_1;
 const { requestApproval } = jitConsent$1;
+const { lookup: lookupMountToken } = mountTokenRegistry;
+
+// See `electron/security/mountTokenRegistry.js`. When a token is
+// supplied it's the trusted identity source — gates resolve widgetId
+// via lookupMountToken and ignore renderer-claimed widgetId. Slice 1
+// keeps the legacy widgetId-only path working (additive); slice 2 will
+// flip to deny-without-token.
+function _resolveIdentity({ token, widgetId }) {
+  if (typeof token === "string" && token.length > 0) {
+    const resolved = lookupMountToken(token);
+    if (resolved) return { widgetId: resolved, source: "token" };
+    return { widgetId: null, source: "token-unknown" };
+  }
+  return { widgetId: widgetId || null, source: "legacy" };
+}
 
 // Argument keys that look like paths. Different MCP servers use
 // different conventions; this list covers the common filesystem-style
@@ -22286,7 +22480,15 @@ function isWriteTool(toolName) {
 /**
  * @returns {{ allow: true } | { allow: false, reason: string }}
  */
-function gateToolCall$1({ widgetId, serverName, toolName, args }) {
+function gateToolCall$1({ widgetId, token, serverName, toolName, args }) {
+  const resolved = _resolveIdentity({ token, widgetId });
+  if (resolved.source === "token-unknown") {
+    return {
+      allow: false,
+      reason: "MCP gate: unknown mount token; widget identity not verifiable",
+    };
+  }
+  widgetId = resolved.widgetId;
   if (!widgetId) {
     return {
       allow: false,
@@ -22440,11 +22642,20 @@ async function gateToolCallWithJit$1(req, opts = {}) {
   if (!opts.enableJit) return initial;
   if (!_isNoGrantDenial(initial.reason)) return initial;
 
+  // Same identity-resolution as the sync gate — JIT prompt and grant
+  // write must use the verified widgetId.
+  const resolved = _resolveIdentity({
+    token: req.token,
+    widgetId: req.widgetId,
+  });
+  const verifiedWidgetId = resolved.widgetId;
+  if (!verifiedWidgetId) return initial;
+
   let decision;
   try {
     decision = await requestApproval(
       {
-        widgetId: req.widgetId,
+        widgetId: verifiedWidgetId,
         domain: "mcp",
         action: "callTool",
         args: {
@@ -22471,7 +22682,7 @@ async function gateToolCallWithJit$1(req, opts = {}) {
       allow: false,
       reason:
         "user declined JIT consent for widget '" +
-        req.widgetId +
+        verifiedWidgetId +
         "' calling '" +
         req.toolName +
         "' on '" +
@@ -22501,9 +22712,9 @@ async function gateToolCallWithJit$1(req, opts = {}) {
   addition.grantOrigin = "live";
 
   try {
-    const current = getGrant$1(req.widgetId);
+    const current = getGrant$1(verifiedWidgetId);
     const merged = _mergeGrant(current, addition);
-    setGrant$1(req.widgetId, merged);
+    setGrant$1(verifiedWidgetId, merged);
   } catch (e) {
     return {
       allow: false,
@@ -22716,7 +22927,7 @@ var mcpScopeResolver = {
  * Uses @modelcontextprotocol/sdk for protocol handling.
  */
 
-const { Client } = require$$0$5;
+const { Client } = require$$0$6;
 const {
   StdioClientTransport,
 } = require$$1$3;
@@ -23521,6 +23732,7 @@ const mcpController$3 = {
     allowedTools = null,
     widgetId = null,
     workspaceId = null,
+    token = null,
   ) => {
     const key = serverKey(workspaceId, serverName);
     try {
@@ -23544,8 +23756,12 @@ const mcpController$3 = {
       // startServer happens after the gate decides — and (b) avoids
       // leaking server-running state through error timing to a
       // probing widget that doesn't have permission anyway.
-      if (isWidgetPermissionEnforcementEnabled() && widgetId) {
-        const gateReq = { widgetId, serverName, toolName, args };
+      // Slice 1 (additive): if a mount token is supplied it's the
+      // trusted identity source; widgetId is verified-or-overwritten
+      // inside the gate via mountTokenRegistry. Gate gets to run
+      // whenever EITHER token or widgetId is present.
+      if (isWidgetPermissionEnforcementEnabled() && (widgetId || token)) {
+        const gateReq = { widgetId, token, serverName, toolName, args };
         const gate = isJitConsentEnabled()
           ? await gateToolCallWithJit(gateReq, { enableJit: true })
           : gateToolCall(gateReq);
@@ -24099,7 +24315,7 @@ const REGISTRY_BASE_URL$1 =
 let store$3 = null;
 function getStore$1() {
   if (!store$3) {
-    const Store = require$$0$6;
+    const Store = require$$0$7;
     store$3 = new Store({
       name: "dash-registry-auth",
       encryptionKey: "dash-registry-v1",
@@ -25384,7 +25600,7 @@ var manifestScanner = {
  * and dispatching task-fired events to renderer windows.
  */
 
-const Store$1 = require$$0$6;
+const Store$1 = require$$0$7;
 const { Cron } = require$$1$4;
 
 const store$2 = new Store$1({ name: "dash-scheduler" });
@@ -28600,7 +28816,7 @@ const algoliaController$1 = {
 
 var algoliaController_1 = algoliaController$1;
 
-const OpenAI = require$$0$7;
+const OpenAI = require$$0$8;
 const events$2 = events$8;
 
 const openaiController$1 = {
@@ -34803,13 +35019,20 @@ boolean.parseBooleanDef = parseBooleanDef;
 
 var branded = {};
 
-Object.defineProperty(branded, "__esModule", { value: true });
-branded.parseBrandedDef = void 0;
-const parseDef_js_1$1 = requireParseDef();
-function parseBrandedDef(_def, refs) {
-    return (0, parseDef_js_1$1.parseDef)(_def.type._def, refs);
+var hasRequiredBranded;
+
+function requireBranded () {
+	if (hasRequiredBranded) return branded;
+	hasRequiredBranded = 1;
+	Object.defineProperty(branded, "__esModule", { value: true });
+	branded.parseBrandedDef = void 0;
+	const parseDef_js_1 = requireParseDef();
+	function parseBrandedDef(_def, refs) {
+	    return (0, parseDef_js_1.parseDef)(_def.type._def, refs);
+	}
+	branded.parseBrandedDef = parseBrandedDef;
+	return branded;
 }
-branded.parseBrandedDef = parseBrandedDef;
 
 var _catch = {};
 
@@ -35392,7 +35615,7 @@ function requireRecord () {
 	const v3_1 = v3;
 	const parseDef_js_1 = requireParseDef();
 	const string_js_1 = string;
-	const branded_js_1 = branded;
+	const branded_js_1 = requireBranded();
 	const any_js_1 = any;
 	function parseRecordDef(def, refs) {
 	    if (refs.target === "openAi") {
@@ -36043,7 +36266,7 @@ function requireSelectParser () {
 	const array_js_1 = requireArray();
 	const bigint_js_1 = bigint;
 	const boolean_js_1 = boolean;
-	const branded_js_1 = branded;
+	const branded_js_1 = requireBranded();
 	const catch_js_1 = require_catch();
 	const date_js_1 = date;
 	const default_js_1 = require_default();
@@ -36342,7 +36565,7 @@ zodToJsonSchema$1.zodToJsonSchema = zodToJsonSchema;
 	__exportStar(requireArray(), exports);
 	__exportStar(bigint, exports);
 	__exportStar(boolean, exports);
-	__exportStar(branded, exports);
+	__exportStar(requireBranded(), exports);
 	__exportStar(require_catch(), exports);
 	__exportStar(date, exports);
 	__exportStar(require_default(), exports);
@@ -46953,7 +47176,7 @@ __export(src_exports, {
 var dist = __toCommonJS(src_exports);
 
 // src/server.ts
-var import_node_http = require$$0$8;
+var import_node_http = require$$0$9;
 
 // src/listener.ts
 var import_node_http22 = require$$1$5;
@@ -47304,7 +47527,7 @@ var buildOutgoingHttpHeaders = (headers) => {
 var X_ALREADY_SENT = "x-hono-already-sent";
 
 // src/globals.ts
-var import_node_crypto = __toESM(require$$3$4);
+var import_node_crypto = __toESM(require$$0$3);
 if (typeof commonjsGlobal.crypto === "undefined") {
   commonjsGlobal.crypto = import_node_crypto.default;
 }
@@ -48732,8 +48955,8 @@ var jsonSchemaToZod_1 = { jsonSchemaToZod: jsonSchemaToZod$1, jsonSchemaProperty
  */
 
 const https$1 = require$$11;
-const { randomUUID } = require$$3$4;
-const { BrowserWindow: BrowserWindow$1 } = require$$0$1;
+const { randomUUID } = require$$0$3;
+const { BrowserWindow: BrowserWindow$2 } = require$$0$1;
 const { McpServer } = mcp;
 const {
   StreamableHTTPServerTransport,
@@ -48777,7 +49000,7 @@ function broadcastStateChanged(toolName, result) {
     /* leave null */
   }
   const payload = { toolName, result: parsed };
-  for (const win of BrowserWindow$1.getAllWindows()) {
+  for (const win of BrowserWindow$2.getAllWindows()) {
     if (!win.isDestroyed()) {
       try {
         win.webContents.send("dash-mcp:state-changed", payload);
@@ -50538,10 +50761,10 @@ var themeFromUrlErrors$1 = {
  * computed styles, and favicon/logo images (via node-vibrant).
  */
 
-const css = require$$0$9;
+const css = require$$0$a;
 const { Vibrant } = require$$1$6;
 const https = require$$11;
-const http = require$$0$8;
+const http = require$$0$9;
 const { URL: URL$1 } = require$$4$1;
 const {
   UrlUnreachableError,
@@ -55101,7 +55324,7 @@ var toolHandlers$1 = {
  * per-request, receiving the full messages array each time.
  */
 
-const Anthropic = require$$0$a;
+const Anthropic = require$$0$b;
 const mcpController$2 = mcpControllerExports;
 const cliController$1 = cliController_1;
 const toolDefinitions = toolDefinitions$1;
@@ -57558,7 +57781,7 @@ function requireWidgetPublishManifest () {
  * and registry interaction.
  */
 const path$4 = require$$1$1;
-const { app: app$4, dialog: dialog$1 } = require$$0$1;
+const { app: app$4, dialog: dialog$2 } = require$$0$1;
 const AdmZip$2 = require$$3$2;
 
 const themeController$3 = themeController_1;
@@ -57757,7 +57980,7 @@ async function prepareThemeForPublish$1(win, appId, themeKey, options = {}) {
     const sanitizedName = sanitizeName(themeKey);
     const defaultFilename = `theme-${sanitizedName}-v${manifest.version}.zip`;
 
-    const saveResult = await dialog$1.showSaveDialog(win, {
+    const saveResult = await dialog$2.showSaveDialog(win, {
       title: "Save Theme Package",
       defaultPath: defaultFilename,
       filters: [{ name: "ZIP Files", extensions: ["zip"] }],
@@ -58296,7 +58519,7 @@ var themeRegistryController$1 = {
  * applies event wiring. (Import is implemented in DASH-13.)
  */
 
-const { app: app$3, dialog } = require$$0$1;
+const { app: app$3, dialog: dialog$1 } = require$$0$1;
 const path$3 = require$$1$1;
 const AdmZip$1 = require$$3$2;
 const { getFileContents: getFileContents$1 } = file;
@@ -58458,7 +58681,7 @@ async function exportDashboardConfig$1(
       .replace(/\s+/g, "-")
       .toLowerCase();
 
-    const { canceled, filePath } = await dialog.showSaveDialog(win, {
+    const { canceled, filePath } = await dialog$1.showSaveDialog(win, {
       title: "Export Dashboard as ZIP",
       defaultPath: path$3.join(
         app$3.getPath("desktop"),
@@ -58512,7 +58735,7 @@ async function exportDashboardConfig$1(
  */
 async function selectDashboardFile$1(win) {
   try {
-    const { canceled, filePaths } = await dialog.showOpenDialog(win, {
+    const { canceled, filePaths } = await dialog$1.showOpenDialog(win, {
       title: "Import Dashboard Configuration",
       filters: [{ name: "ZIP Archive", extensions: ["zip"] }],
       properties: ["openFile"],
@@ -58619,7 +58842,7 @@ async function importDashboardConfig$1(
       zipPath = options.filePath;
     } else {
       // Show file picker
-      const { canceled, filePaths } = await dialog.showOpenDialog(win, {
+      const { canceled, filePaths } = await dialog$1.showOpenDialog(win, {
         title: "Import Dashboard Configuration",
         filters: [{ name: "ZIP Archive", extensions: ["zip"] }],
         properties: ["openFile"],
@@ -59967,7 +60190,7 @@ async function prepareDashboardForPublish$1(
 
     // 9. Show save dialog for the publish package
     const sanitizedName = manifest.name;
-    const { canceled, filePath } = await dialog.showSaveDialog(win, {
+    const { canceled, filePath } = await dialog$1.showSaveDialog(win, {
       title: "Save Dashboard Package for Registry",
       defaultPath: path$3.join(
         app$3.getPath("desktop"),
@@ -60266,7 +60489,7 @@ var dashboardConfigController$1 = {
  */
 
 const { Notification } = require$$0$1;
-const Store = require$$0$6;
+const Store = require$$0$7;
 
 const store$1 = new Store({ name: "dash-notifications" });
 
@@ -60529,7 +60752,7 @@ var notificationController_1 = notificationController$2;
 const { app: app$2 } = require$$0$1;
 const fs$1 = require$$0$2;
 const path$2 = require$$1$1;
-const WebSocket = require$$3$5;
+const WebSocket = require$$3$4;
 const {
   gateNetworkCall,
   gateNetworkCallWithJit,
@@ -60550,16 +60773,16 @@ function _loadFlags() {
   }
 }
 
-async function _runNetworkGate(action, widgetId, args) {
+async function _runNetworkGate(action, widgetId, args, token) {
   const settings = _loadFlags();
   if (!readEnforceFlag(settings)) return { allow: true };
-  if (!widgetId) return { allow: true }; // legacy callers
+  if (!widgetId && !token) return { allow: true }; // legacy callers
   return readJitFlag(settings)
     ? await gateNetworkCallWithJit(
-        { widgetId, action, args },
+        { widgetId, token, action, args },
         { enableJit: true },
       )
-    : gateNetworkCall({ widgetId, action, args });
+    : gateNetworkCall({ widgetId, token, action, args });
 }
 
 /**
@@ -60991,17 +61214,20 @@ const webSocketController$1 = {
    * @param {object} config - { url, headers, subprotocols, credentials }
    * @returns {{ success, providerName, status } | { error, message }}
    */
-  connect: async (win, providerName, config, widgetId = null) => {
-    // Phase 3 network gate — fires only when an explicit widgetId is
-    // supplied. The interpolated URL (with credentials substituted) is
-    // what we actually open the socket to, so the gate uses it for
+  connect: async (win, providerName, config, widgetId = null, token = null) => {
+    // Phase 3 network gate — fires when an explicit widgetId or token
+    // is supplied. The interpolated URL (with credentials substituted)
+    // is what we actually open the socket to, so the gate uses it for
     // hostname extraction.
     const interpolatedForGate = config?.credentials
       ? interpolate(config.url, config.credentials)
       : config?.url;
-    const gateResult = await _runNetworkGate("wsConnect", widgetId, {
-      url: interpolatedForGate,
-    });
+    const gateResult = await _runNetworkGate(
+      "wsConnect",
+      widgetId,
+      { url: interpolatedForGate },
+      token,
+    );
     if (!gateResult.allow) {
       return {
         error: true,
@@ -61465,6 +61691,133 @@ function buildGrantsListing$1(
 
 var widgetMcpGrantsListing = { buildGrantsListing: buildGrantsListing$1 };
 
+/**
+ * grantDiff.js
+ *
+ * Pure-function diff between two grant blobs. Used by the
+ * `widget-mcp:set-grant` IPC handler to decide whether the change
+ * needs OS-native confirmation (broadening permissions) or can pass
+ * through silently (revocations / equal / narrowing).
+ *
+ * Returns { broadening: boolean, summary: string[] }. `summary` is a
+ * list of human-readable additions used to populate the native
+ * confirm dialog.
+ *
+ * Broadening dimensions checked:
+ *   - servers: new server name present in newGrant.servers but not in
+ *     currentGrant.servers
+ *   - server tools: new tool name in an existing server's `tools[]`
+ *   - server paths: new entry in `readPaths[]` or `writePaths[]`
+ *     (including `*` wildcard added)
+ *   - domains.fs: new block, or new `readPaths[]` / `writePaths[]`
+ *     entry within an existing block (including `*`)
+ *   - domains.network: new block, or new `hosts[]` entry (including
+ *     `*` and `*.<base>` wildcards)
+ *
+ * Reductions, equality, and "no permission" → "no permission"
+ * transitions are NOT broadening.
+ */
+
+function _arr(x) {
+  return Array.isArray(x) ? x : [];
+}
+
+function _added(currentList, newList) {
+  const cur = new Set(_arr(currentList));
+  const out = [];
+  for (const item of _arr(newList)) {
+    if (!cur.has(item)) out.push(item);
+  }
+  return out;
+}
+
+function _diffServer(serverName, currentSrv, newSrv) {
+  const summary = [];
+  const cur = currentSrv || {};
+  const nxt = newSrv || {};
+
+  for (const tool of _added(cur.tools, nxt.tools)) {
+    summary.push(`server "${serverName}" tool "${tool}"`);
+  }
+  for (const p of _added(cur.readPaths, nxt.readPaths)) {
+    summary.push(`server "${serverName}" readPath "${p}"`);
+  }
+  for (const p of _added(cur.writePaths, nxt.writePaths)) {
+    summary.push(`server "${serverName}" writePath "${p}"`);
+  }
+  return summary;
+}
+
+function _diffServers(curServers, nxtServers) {
+  const summary = [];
+  const cur = curServers || {};
+  const nxt = nxtServers || {};
+  for (const name of Object.keys(nxt)) {
+    if (!cur[name]) {
+      // Whole new server entry → list each component as broadening.
+      const srv = nxt[name];
+      const tools = _arr(srv?.tools);
+      const reads = _arr(srv?.readPaths);
+      const writes = _arr(srv?.writePaths);
+      if (tools.length === 0 && reads.length === 0 && writes.length === 0) {
+        // Empty-shell server entry — no actual permissions added.
+        // Skip; not a meaningful broadening.
+        continue;
+      }
+      summary.push(`new server "${name}"`);
+      for (const t of tools) summary.push(`  tool "${t}"`);
+      for (const p of reads) summary.push(`  readPath "${p}"`);
+      for (const p of writes) summary.push(`  writePath "${p}"`);
+    } else {
+      summary.push(..._diffServer(name, cur[name], nxt[name]));
+    }
+  }
+  return summary;
+}
+
+function _diffDomainsFs(curFs, nxtFs) {
+  const summary = [];
+  const cur = curFs || {};
+  const nxt = nxtFs || {};
+  for (const p of _added(cur.readPaths, nxt.readPaths)) {
+    summary.push(`fs readPath "${p}"`);
+  }
+  for (const p of _added(cur.writePaths, nxt.writePaths)) {
+    summary.push(`fs writePath "${p}"`);
+  }
+  return summary;
+}
+
+function _diffDomainsNetwork(curNet, nxtNet) {
+  const summary = [];
+  const cur = curNet || {};
+  const nxt = nxtNet || {};
+  for (const h of _added(cur.hosts, nxt.hosts)) {
+    summary.push(`network host "${h}"`);
+  }
+  return summary;
+}
+
+/**
+ * @param {object|null|undefined} currentGrant
+ * @param {object|null|undefined} newGrant
+ * @returns {{ broadening: boolean, summary: string[] }}
+ */
+function isBroadening$1(currentGrant, newGrant) {
+  const cur = currentGrant || {};
+  const nxt = newGrant || {};
+
+  const summary = [
+    ..._diffServers(cur.servers, nxt.servers),
+    ..._diffDomainsFs(cur?.domains?.fs, nxt?.domains?.fs),
+    ..._diffDomainsNetwork(cur?.domains?.network, nxt?.domains?.network),
+  ];
+
+  return { broadening: summary.length > 0, summary };
+}
+
+var grantDiff = { isBroadening: isBroadening$1 };
+
 /**
  * widgetMcpGrantsController.js
  *
@@ -61480,7 +61833,7 @@ var widgetMcpGrantsListing = { buildGrantsListing: buildGrantsListing$1 };
  * grant are also surfaced — those are the install-consent retroactive prompts.
  */
 
-const { ipcMain: ipcMain$1 } = require$$0$1;
+const { ipcMain: ipcMain$2, dialog, BrowserWindow: BrowserWindow$1 } = require$$0$1;
 const {
   getGrant,
   setGrant,
@@ -61491,21 +61844,70 @@ const {
 const { getWidgetMcpPermissions } = widgetPermissions;
 const { getWidgetRegistry } = widgetRegistryExports;
 const { buildGrantsListing } = widgetMcpGrantsListing;
+const { isBroadening } = grantDiff;
+
+// Native confirm dialog for any set-grant call that broadens the
+// widget's current permissions. The dialog runs at OS level — a
+// renderer (including a malicious widget) cannot dismiss it
+// programmatically. This is the defense-in-depth fix for the
+// `widget-mcp:set-grant` consent-bypass gap documented in the IPC
+// audit doc: a widget calling `mainApi.widgetMcp.setGrant("@self",
+// {wide-open perms})` now triggers a system-level prompt the user
+// must explicitly approve. Reductions / equality pass unprompted.
+async function _confirmBroadening(event, widgetId, summary) {
+  const senderWindow =
+    BrowserWindow$1.fromWebContents(event.sender) ||
+    BrowserWindow$1.getFocusedWindow();
+  // Cap the listed lines so the dialog body stays readable.
+  const MAX_LINES = 20;
+  const trimmed = summary.slice(0, MAX_LINES);
+  const overflow =
+    summary.length > MAX_LINES
+      ? `\n  …and ${summary.length - MAX_LINES} more`
+      : "";
+  const detail =
+    "Widget '" +
+    widgetId +
+    "' will be granted the following NEW permissions:\n\n  " +
+    trimmed.join("\n  ") +
+    overflow +
+    "\n\nIf you didn't initiate this from Settings → Privacy & Security, " +
+    "click Cancel — a malicious widget may be trying to escalate its own " +
+    "permissions.";
+
+  const result = await dialog.showMessageBox(senderWindow, {
+    type: "warning",
+    title: "Confirm permissions change",
+    message: "Allow new permissions for " + widgetId + "?",
+    detail,
+    buttons: ["Cancel", "Allow"],
+    defaultId: 0,
+    cancelId: 0,
+    noLink: true,
+  });
+  return result.response === 1;
+}
 
 function setupWidgetMcpGrantsHandlers() {
-  ipcMain$1.handle("widget-mcp:get-grant", (event, widgetId) => {
+  ipcMain$2.handle("widget-mcp:get-grant", (event, widgetId) => {
     return getGrant(widgetId);
   });
 
-  ipcMain$1.handle("widget-mcp:set-grant", (event, widgetId, perms) => {
+  ipcMain$2.handle("widget-mcp:set-grant", async (event, widgetId, perms) => {
+    const current = getGrant(widgetId);
+    const diff = isBroadening(current, perms);
+    if (diff.broadening) {
+      const approved = await _confirmBroadening(event, widgetId, diff.summary);
+      if (!approved) return false;
+    }
     return setGrant(widgetId, perms);
   });
 
-  ipcMain$1.handle("widget-mcp:revoke", (event, widgetId) => {
+  ipcMain$2.handle("widget-mcp:revoke", (event, widgetId) => {
     return revokeGrant(widgetId);
   });
 
-  ipcMain$1.handle("widget-mcp:revoke-server", (event, widgetId, serverName) => {
+  ipcMain$2.handle("widget-mcp:revoke-server", (event, widgetId, serverName) => {
     return revokeServer(widgetId, serverName);
   });
 
@@ -61515,7 +61917,7 @@ function setupWidgetMcpGrantsHandlers() {
   // "Grant manually" for unmanifested widgets. Plus orphan-grant rows for
   // granted-but-uninstalled cases. Logic delegated to
   // widgetMcpGrantsListing.buildGrantsListing for unit-testability.
-  ipcMain$1.handle("widget-mcp:list-all", () => {
+  ipcMain$2.handle("widget-mcp:list-all", () => {
     const grantsByWidget = new Map();
     for (const { widgetId, granted } of listAllGrants()) {
       grantsByWidget.set(widgetId, granted);
@@ -61546,6 +61948,46 @@ function setupWidgetMcpGrantsHandlers() {
 
 var widgetMcpGrantsController$1 = { setupWidgetMcpGrantsHandlers };
 
+/**
+ * widgetMountTokenController.js
+ *
+ * IPC handlers for the widget mount-token registry. Called by
+ * `WidgetFactory` at React mount/unmount time. Returns a fresh
+ * server-generated token that the widget framework bakes into the
+ * widget's bound API; the renderer never picks the token itself.
+ *
+ * See `electron/security/mountTokenRegistry.js` for the registry and
+ * the longer threat-model note.
+ *
+ * Channels:
+ *   - "framework:register-widget-mount" (widgetId) → token string
+ *   - "framework:unregister-widget-mount" (token) → boolean (true = unregistered)
+ */
+
+const { ipcMain: ipcMain$1 } = require$$0$1;
+const { register, unregister } = mountTokenRegistry;
+
+function setupWidgetMountTokenHandlers() {
+  ipcMain$1.handle("framework:register-widget-mount", (_event, widgetId) => {
+    if (typeof widgetId !== "string" || widgetId.length === 0) {
+      return null;
+    }
+    try {
+      return register(widgetId);
+    } catch {
+      return null;
+    }
+  });
+
+  ipcMain$1.handle("framework:unregister-widget-mount", (_event, token) => {
+    if (typeof token !== "string" || token.length === 0) return false;
+    unregister(token);
+    return true;
+  });
+}
+
+var widgetMountTokenController$1 = { setupWidgetMountTokenHandlers };
+
 /**
  * clientFactories.js
  *
@@ -61569,7 +62011,7 @@ clientCache$1.registerFactory("algolia", (credentials) => {
 
 // --- OpenAI ---
 clientCache$1.registerFactory("openai", (credentials) => {
-  const OpenAI = require$$0$7;
+  const OpenAI = require$$0$8;
   return new OpenAI({ apiKey: credentials.apiKey });
 });
 
@@ -61588,7 +62030,7 @@ const MAX_RECENTS = 20;
 let store = null;
 function getStore() {
   if (!store) {
-    const Store = require$$0$6;
+    const Store = require$$0$7;
     store = new Store({ name: "dash-session" });
   }
   return store;
@@ -63044,8 +63486,8 @@ const dataApi$2 = {
     ipcRenderer$l.invoke(READ_JSON, { filepath, objectCount });
   },
 
-  readDataFromURL: (url, toFilepath, widgetId = null) => {
-    ipcRenderer$l.invoke(READ_DATA_URL, { url, toFilepath, widgetId });
+  readDataFromURL: (url, toFilepath, widgetId = null, token = null) => {
+    ipcRenderer$l.invoke(READ_DATA_URL, { url, toFilepath, widgetId, token });
   },
 
   /*
@@ -63053,13 +63495,21 @@ const dataApi$2 = {
    * @param {object} options { filename, extension }
    * @param {object} returnEmpty the return empty object
    */
-  saveData: (data, filename, append, returnEmpty, widgetId = null) =>
+  saveData: (
+    data,
+    filename,
+    append,
+    returnEmpty,
+    widgetId = null,
+    token = null,
+  ) =>
     ipcRenderer$l.invoke(DATA_SAVE_TO_FILE, {
       data,
       filename,
       append,
       returnEmpty,
       widgetId,
+      token,
     }),
 
   /*
@@ -63071,11 +63521,12 @@ const dataApi$2 = {
    *   for legacy callers (`enforceWidgetMcpPermissions` flag still
    *   gates the gate itself).
    */
-  readData: (filename, returnEmpty = [], widgetId = null) =>
+  readData: (filename, returnEmpty = [], widgetId = null, token = null) =>
     ipcRenderer$l.invoke(DATA_READ_FROM_FILE, {
       filename,
       returnEmpty,
       widgetId,
+      token,
     }),
 
   /**
@@ -63848,6 +64299,7 @@ const mcpApi$2 = {
     allowedTools = null,
     widgetId = null,
     workspaceId = null,
+    token = null,
   ) =>
     ipcRenderer$g.invoke(MCP_CALL_TOOL, {
       serverName,
@@ -63856,6 +64308,7 @@ const mcpApi$2 = {
       allowedTools,
       widgetId,
       workspaceId,
+      token,
     }),
 
   /**
@@ -65031,8 +65484,8 @@ const webSocketApi$2 = {
    * @param {object} config { url, headers, subprotocols, credentials }
    * @returns {Promise<{ success, providerName, status } | { error, message }>}
    */
-  connect: (providerName, config, widgetId = null) =>
-    ipcRenderer$4.invoke(WS_CONNECT, { providerName, config, widgetId }),
+  connect: (providerName, config, widgetId = null, token = null) =>
+    ipcRenderer$4.invoke(WS_CONNECT, { providerName, config, widgetId, token }),
 
   /**
    * disconnect
@@ -66552,6 +67005,7 @@ const webSocketController = webSocketController_1;
 const extractionCacheController = extractionCacheController_1;
 const mcpDashServerController = mcpDashServerController_1;
 const widgetMcpGrantsController = widgetMcpGrantsController$1;
+const widgetMountTokenController = widgetMountTokenController$1;
 const jitConsent = jitConsent$1;
 
 // --- Errors ---
@@ -66655,6 +67109,7 @@ var electron = {
   extractionCacheController,
   mcpDashServerController,
   widgetMcpGrantsController,
+  widgetMountTokenController,
   jitConsent,
 
   // Controller functions (flat) — spread for convenient destructuring