@trops/dash-core 0.1.509 → 0.1.511

package/dist/electron/index.js

@@ -3,6 +3,7 @@
 var require$$0$1 = require('electron');
 var require$$1$1 = require('path');
 var require$$0$2 = require('fs');
+var require$$0$3 = require('crypto');
 var require$$9$1 = require('objects-to-csv');
 var require$$1$2 = require('readline');
 var require$$2 = require('xtreamer');
@@ -10,30 +11,29 @@ var require$$3$1 = require('xml2js');
 var require$$4 = require('JSONStream');
 var require$$5 = require('stream');
 var require$$6 = require('csv-parser');
-var require$$0$3 = require('quickjs-emscripten');
+var require$$0$4 = require('quickjs-emscripten');
 var require$$11 = require('https');
-var require$$0$5 = require('@modelcontextprotocol/sdk/client/index.js');
+var require$$0$6 = require('@modelcontextprotocol/sdk/client/index.js');
 var require$$1$3 = require('@modelcontextprotocol/sdk/client/stdio.js');
-var require$$0$4 = require('pkce-challenge');
+var require$$0$5 = require('pkce-challenge');
 var require$$2$1 = require('os');
 var require$$12 = require('child_process');
-var require$$0$6 = require('electron-store');
+var require$$0$7 = require('electron-store');
 var require$$3$2 = require('adm-zip');
 var require$$4$1 = require('url');
 var require$$2$2 = require('vm');
 var require$$1$4 = require('croner');
 var require$$2$3 = require('algoliasearch');
 var require$$3$3 = require('node:path');
-var require$$0$7 = require('openai');
-var require$$0$a = require('@anthropic-ai/sdk');
-var require$$3$4 = require('crypto');
+var require$$0$8 = require('openai');
+var require$$0$b = require('@anthropic-ai/sdk');
 var require$$8$1 = require('zod');
-var require$$0$8 = require('http');
+var require$$0$9 = require('http');
 var require$$1$5 = require('http2');
 var require$$2$4 = require('node-forge');
-var require$$0$9 = require('css');
+var require$$0$a = require('css');
 var require$$1$6 = require('node-vibrant/node');
-var require$$3$5 = require('ws');
+var require$$3$4 = require('ws');
 
 var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
@@ -2083,7 +2083,7 @@ var grantedPermissions = {
  *   _resetForTest() → void                            (test-only)
  */
 
-const { BrowserWindow: BrowserWindow$3, ipcMain: ipcMain$2 } = require$$0$1;
+const { BrowserWindow: BrowserWindow$3, ipcMain: ipcMain$3 } = require$$0$1;
 
 const REQUEST_CHANNEL = "widget:permission-required";
 const RESPONSE_CHANNEL = "widget:permission-response";
@@ -2248,8 +2248,8 @@ let _handlersRegistered = false;
  */
 function setupJitConsentHandlers() {
   if (_handlersRegistered) return;
-  if (!ipcMain$2 || typeof ipcMain$2.on !== "function") return;
-  ipcMain$2.on(RESPONSE_CHANNEL, (_event, payload) => {
+  if (!ipcMain$3 || typeof ipcMain$3.on !== "function") return;
+  ipcMain$3.on(RESPONSE_CHANNEL, (_event, payload) => {
     _handleResponse(payload);
   });
   _handlersRegistered = true;
@@ -2265,6 +2265,93 @@ var jitConsent$1 = {
   DEFAULT_TIMEOUT_MS,
 };
 
+/**
+ * mountTokenRegistry.js
+ *
+ * Trusted root of widget identity at the IPC boundary. Each time
+ * `WidgetFactory` mounts a widget it calls
+ * `framework:register-widget-mount`, which calls `register(widgetId)`
+ * here. The returned token is baked into the widget's bound API
+ * (`makeBoundApi`) and sent on every gated IPC call. Gates resolve the
+ * widgetId via `lookup(token)` instead of trusting whatever the
+ * renderer claims.
+ *
+ * Why server-generated tokens: the renderer-supplied widgetId path was
+ * the original consent-bypass surface. Tokens are produced by
+ * `crypto.randomBytes(24)` here (192 bits) and are NEVER accepted from
+ * the renderer — the renderer can only present tokens it received from
+ * a prior `register` call. A widget cannot fabricate a token for
+ * another widgetId.
+ *
+ * Limit: in single-renderer (one BrowserWindow shared across all
+ * widgets), a malicious widget can still walk the React fiber tree to
+ * find another widget's bound API and call its functions — the bound
+ * function fires IPC with the *victim's* token. Fully closing that
+ * residual requires per-widget BrowserView (multi-week refactor). The
+ * token model raises the bar from "type a widgetId string" to "walk
+ * the fiber tree and call another widget's bound function," which is
+ * a deliberate malicious step that's visible at install-time review.
+ */
+
+const crypto$1 = require$$0$3;
+
+const _byToken = new Map(); // token → widgetId
+
+function _generateToken() {
+  // 24 random bytes = 48 hex chars = 192 bits of entropy. More than
+  // enough; collision probability is negligible.
+  return crypto$1.randomBytes(24).toString("hex");
+}
+
+/**
+ * Register a widgetId mount and return a fresh token bound to it.
+ * @param {string} widgetId
+ * @returns {string} token
+ */
+function register$1(widgetId) {
+  if (typeof widgetId !== "string" || widgetId.length === 0) {
+    throw new Error(
+      "mountTokenRegistry.register: widgetId must be a non-empty string",
+    );
+  }
+  let token = _generateToken();
+  // Defensive — collision is astronomically unlikely but if it did
+  // happen we'd silently overwrite a valid mapping. Regenerate.
+  while (_byToken.has(token)) {
+    token = _generateToken();
+  }
+  _byToken.set(token, widgetId);
+  return token;
+}
+
+/**
+ * Resolve a token to the widgetId it was bound to.
+ * @param {string} token
+ * @returns {string|null}
+ */
+function lookup(token) {
+  if (typeof token !== "string") return null;
+  return _byToken.has(token) ? _byToken.get(token) : null;
+}
+
+/**
+ * Drop a token. Silent no-op for unknown tokens or non-strings —
+ * unregister is called from unmount cleanup paths and should never
+ * throw.
+ * @param {string} token
+ */
+function unregister$1(token) {
+  if (typeof token !== "string") return;
+  _byToken.delete(token);
+}
+
+/** Test-only — clears the registry between cases. */
+function _resetForTests() {
+  _byToken.clear();
+}
+
+var mountTokenRegistry = { register: register$1, lookup, unregister: unregister$1, _resetForTests };
+
 /**
  * fsGate.js
  *
@@ -2302,6 +2389,25 @@ var jitConsent$1 = {
 
 const { getGrant: getGrant$3, setGrant: setGrant$3 } = grantedPermissions;
 const { requestApproval: requestApproval$2 } = jitConsent$1;
+const { lookup: lookupMountToken$2 } = mountTokenRegistry;
+
+// If a token is supplied, the gate resolves widgetId via the mount
+// registry and ignores any renderer-supplied widgetId. Tokens are
+// server-generated and bound to a widgetId at WidgetFactory mount —
+// the renderer cannot fabricate a token for another widget. See
+// `mountTokenRegistry.js`.
+//
+// Legacy callers without a token fall through to the existing
+// widgetId-based path (Slice 1 keeps this for back-compat; Slice 2
+// flips to deny).
+function _resolveIdentity$2({ token, widgetId }) {
+  if (typeof token === "string" && token.length > 0) {
+    const resolved = lookupMountToken$2(token);
+    if (resolved) return { widgetId: resolved, source: "token" };
+    return { widgetId: null, source: "token-unknown" };
+  }
+  return { widgetId: widgetId || null, source: "legacy" };
+}
 
 // Action names treated as writes. Anything not in this set is a read.
 // Conservative — when in doubt, classify as a read so write-protected
@@ -2336,7 +2442,15 @@ function _filenameMatches(filename, allowedList) {
  * Synchronous gate evaluation.
  * @returns {{ allow: true } | { allow: false, reason: string }}
  */
-function gateFsCall$1({ widgetId, action, args }) {
+function gateFsCall$1({ widgetId, token, action, args }) {
+  const resolved = _resolveIdentity$2({ token, widgetId });
+  if (resolved.source === "token-unknown") {
+    return {
+      allow: false,
+      reason: "fs gate: unknown mount token; widget identity not verifiable",
+    };
+  }
+  widgetId = resolved.widgetId;
   if (!widgetId) {
     return {
       allow: false,
@@ -2460,11 +2574,21 @@ async function gateFsCallWithJit$1(req, opts = {}) {
   if (!opts.enableJit) return initial;
   if (!_isNoGrantDenial$2(initial.reason)) return initial;
 
+  // Resolve verified identity once (token wins over claimed widgetId).
+  // Re-using the same resolution as gateFsCall keeps the JIT prompt
+  // and grant write tied to the same identity the gate just denied.
+  const resolved = _resolveIdentity$2({
+    token: req.token,
+    widgetId: req.widgetId,
+  });
+  const verifiedWidgetId = resolved.widgetId;
+  if (!verifiedWidgetId) return initial;
+
   let decision;
   try {
     decision = await requestApproval$2(
       {
-        widgetId: req.widgetId,
+        widgetId: verifiedWidgetId,
         domain: "fs",
         action: req.action,
         args: req.args || {},
@@ -2487,7 +2611,7 @@ async function gateFsCallWithJit$1(req, opts = {}) {
       allow: false,
       reason:
         "user declined JIT consent for widget '" +
-        req.widgetId +
+        verifiedWidgetId +
         "' calling fs '" +
         req.action +
         "'",
@@ -2511,9 +2635,9 @@ async function gateFsCallWithJit$1(req, opts = {}) {
   addition.grantOrigin = "live";
 
   try {
-    const current = getGrant$3(req.widgetId);
+    const current = getGrant$3(verifiedWidgetId);
     const merged = _mergeFsGrant(current, addition);
-    setGrant$3(req.widgetId, merged);
+    setGrant$3(verifiedWidgetId, merged);
   } catch (e) {
     return {
       allow: false,
@@ -2575,6 +2699,20 @@ var fsGate = {
 
 const { getGrant: getGrant$2, setGrant: setGrant$2 } = grantedPermissions;
 const { requestApproval: requestApproval$1 } = jitConsent$1;
+const { lookup: lookupMountToken$1 } = mountTokenRegistry;
+
+// See `mountTokenRegistry.js` and the matching block in fsGate.js —
+// when a token is supplied, it's the trusted identity source; the
+// renderer-claimed widgetId is ignored. Legacy widgetId-only callers
+// still work in slice 1 (additive); slice 2 will flip to deny.
+function _resolveIdentity$1({ token, widgetId }) {
+  if (typeof token === "string" && token.length > 0) {
+    const resolved = lookupMountToken$1(token);
+    if (resolved) return { widgetId: resolved, source: "token" };
+    return { widgetId: null, source: "token-unknown" };
+  }
+  return { widgetId: widgetId || null, source: "legacy" };
+}
 
 function _isNoGrantDenial$1(reason) {
   return (
@@ -2617,7 +2755,16 @@ function _parseHost(url) {
  * Synchronous gate evaluation.
  * @returns {{ allow: true } | { allow: false, reason: string }}
  */
-function gateNetworkCall$2({ widgetId, action, args }) {
+function gateNetworkCall$2({ widgetId, token, action, args }) {
+  const resolved = _resolveIdentity$1({ token, widgetId });
+  if (resolved.source === "token-unknown") {
+    return {
+      allow: false,
+      reason:
+        "network gate: unknown mount token; widget identity not verifiable",
+    };
+  }
+  widgetId = resolved.widgetId;
   if (!widgetId) {
     return {
       allow: false,
@@ -2708,11 +2855,21 @@ async function gateNetworkCallWithJit$2(req, opts = {}) {
   if (!opts.enableJit) return initial;
   if (!_isNoGrantDenial$1(initial.reason)) return initial;
 
+  // Same identity-resolution as the sync gate — the JIT prompt and
+  // grant write must use the verified widgetId, not whatever the
+  // renderer claimed.
+  const resolved = _resolveIdentity$1({
+    token: req.token,
+    widgetId: req.widgetId,
+  });
+  const verifiedWidgetId = resolved.widgetId;
+  if (!verifiedWidgetId) return initial;
+
   let decision;
   try {
     decision = await requestApproval$1(
       {
-        widgetId: req.widgetId,
+        widgetId: verifiedWidgetId,
         domain: "network",
         action: req.action,
         args: req.args || {},
@@ -2735,7 +2892,7 @@ async function gateNetworkCallWithJit$2(req, opts = {}) {
       allow: false,
       reason:
         "user declined JIT consent for widget '" +
-        req.widgetId +
+        verifiedWidgetId +
         "' calling network '" +
         req.action +
         "'",
@@ -2753,9 +2910,9 @@ async function gateNetworkCallWithJit$2(req, opts = {}) {
   addition.grantOrigin = "live";
 
   try {
-    const current = getGrant$2(req.widgetId);
+    const current = getGrant$2(verifiedWidgetId);
     const merged = _mergeNetworkGrant(current, addition);
-    setGrant$2(req.widgetId, merged);
+    setGrant$2(verifiedWidgetId, merged);
   } catch (e) {
     return {
       allow: false,
@@ -2867,7 +3024,7 @@ function requireSafeJsExecutor () {
 	let _modulePromise = null;
 	function getModule() {
 	  if (!_modulePromise) {
-	    const { getQuickJS } = require$$0$3;
+	    const { getQuickJS } = require$$0$4;
 	    _modulePromise = getQuickJS();
 	  }
 	  return _modulePromise;
@@ -3541,13 +3698,19 @@ function _loadFlags$1() {
  *
  * @returns {Promise<boolean>}
  */
-async function _runFsGate(win, action, widgetId, args, errorEvent) {
+async function _runFsGate(win, action, widgetId, args, errorEvent, token) {
   const settings = _loadFlags$1();
   if (!readEnforceFlag$2(settings)) return true; // gate disabled
-  if (!widgetId) return true; // legacy callers without widgetId — see plan
+  // Slice 1 (additive): token is the trusted identity when present.
+  // If neither token nor widgetId is supplied, legacy bypass still
+  // applies; slice 2 will flip this to deny.
+  if (!widgetId && !token) return true;
   const gate = readJitFlag$2(settings)
-    ? await gateFsCallWithJit({ widgetId, action, args }, { enableJit: true })
-    : gateFsCall({ widgetId, action, args });
+    ? await gateFsCallWithJit(
+        { widgetId, token, action, args },
+        { enableJit: true },
+      )
+    : gateFsCall({ widgetId, token, action, args });
   if (gate.allow) return true;
   if (win && errorEvent) {
     win.webContents.send(errorEvent, {
@@ -3562,16 +3725,16 @@ async function _runFsGate(win, action, widgetId, args, errorEvent) {
  * Phase 3 network gate. Same shape as _runFsGate but for outbound
  * URLs. Mirrors fs's "disabled / no widgetId / sync vs async" branching.
  */
-async function _runNetworkGate$1(win, action, widgetId, args, errorEvent) {
+async function _runNetworkGate$1(win, action, widgetId, args, errorEvent, token) {
   const settings = _loadFlags$1();
   if (!readEnforceFlag$2(settings)) return true;
-  if (!widgetId) return true;
+  if (!widgetId && !token) return true;
   const gate = readJitFlag$2(settings)
     ? await gateNetworkCallWithJit$1(
-        { widgetId, action, args },
+        { widgetId, token, action, args },
         { enableJit: true },
       )
-    : gateNetworkCall$1({ widgetId, action, args });
+    : gateNetworkCall$1({ widgetId, token, action, args });
   if (gate.allow) return true;
   if (win && errorEvent) {
     win.webContents.send(errorEvent, {
@@ -3741,7 +3904,13 @@ const dataController$1 = {
     }
   },
 
-  readDataFromURL: async (win, url, toFilepath, widgetId = null) => {
+  readDataFromURL: async (
+    win,
+    url,
+    toFilepath,
+    widgetId = null,
+    token = null,
+  ) => {
     // Phase 3 network gate. Runs before HTTPS-protocol + safePath
     // checks so JIT can prompt the user without leaking URL parser
     // edge cases through error timing.
@@ -3751,6 +3920,7 @@ const dataController$1 = {
       widgetId,
       { url },
       events$5.READ_DATA_URL_ERROR,
+      token,
     );
     if (!gateOk) return;
     try {
@@ -3938,6 +4108,7 @@ const dataController$1 = {
     append,
     returnEmpty = {},
     widgetId = null,
+    token = null,
   ) => {
     // Phase 2 fs gate. Runs before safePath containment so JIT can
     // prompt the user without leaking path-shape information through
@@ -3948,6 +4119,7 @@ const dataController$1 = {
       widgetId,
       { filename },
       events$5.DATA_SAVE_TO_FILE_ERROR,
+      token,
     );
     if (!gateOk) return;
     try {
@@ -4043,7 +4215,13 @@ const dataController$1 = {
     }
   },
 
-  readFromFile: async (win, filename, returnIfEmpty = {}, widgetId = null) => {
+  readFromFile: async (
+    win,
+    filename,
+    returnIfEmpty = {},
+    widgetId = null,
+    token = null,
+  ) => {
     // Phase 2 fs gate — same as saveToFile.
     const gateOk = await _runFsGate(
       win,
@@ -4051,6 +4229,7 @@ const dataController$1 = {
       widgetId,
       { filename },
       events$5.DATA_READ_FROM_FILE_ERROR,
+      token,
     );
     if (!gateOk) return;
     try {
@@ -20707,7 +20886,7 @@ auth$2.exchangeAuthorization = exchangeAuthorization;
 auth$2.refreshAuthorization = refreshAuthorization;
 auth$2.fetchToken = fetchToken;
 auth$2.registerClient = registerClient;
-const pkce_challenge_1 = __importDefault$2(require$$0$4);
+const pkce_challenge_1 = __importDefault$2(require$$0$5);
 const types_js_1$5 = types$2;
 const auth_js_1$1 = auth$1;
 const auth_js_2 = auth$1;
@@ -22265,6 +22444,21 @@ streamableHttp$1.StreamableHTTPClientTransport = StreamableHTTPClientTransport$1
 const { getGrant: getGrant$1, setGrant: setGrant$1 } = grantedPermissions;
 const { safePath: safePath$1 } = safePath_1;
 const { requestApproval } = jitConsent$1;
+const { lookup: lookupMountToken } = mountTokenRegistry;
+
+// See `electron/security/mountTokenRegistry.js`. When a token is
+// supplied it's the trusted identity source — gates resolve widgetId
+// via lookupMountToken and ignore renderer-claimed widgetId. Slice 1
+// keeps the legacy widgetId-only path working (additive); slice 2 will
+// flip to deny-without-token.
+function _resolveIdentity({ token, widgetId }) {
+  if (typeof token === "string" && token.length > 0) {
+    const resolved = lookupMountToken(token);
+    if (resolved) return { widgetId: resolved, source: "token" };
+    return { widgetId: null, source: "token-unknown" };
+  }
+  return { widgetId: widgetId || null, source: "legacy" };
+}
 
 // Argument keys that look like paths. Different MCP servers use
 // different conventions; this list covers the common filesystem-style
@@ -22286,7 +22480,15 @@ function isWriteTool(toolName) {
 /**
  * @returns {{ allow: true } | { allow: false, reason: string }}
  */
-function gateToolCall$1({ widgetId, serverName, toolName, args }) {
+function gateToolCall$1({ widgetId, token, serverName, toolName, args }) {
+  const resolved = _resolveIdentity({ token, widgetId });
+  if (resolved.source === "token-unknown") {
+    return {
+      allow: false,
+      reason: "MCP gate: unknown mount token; widget identity not verifiable",
+    };
+  }
+  widgetId = resolved.widgetId;
   if (!widgetId) {
     return {
       allow: false,
@@ -22440,11 +22642,20 @@ async function gateToolCallWithJit$1(req, opts = {}) {
   if (!opts.enableJit) return initial;
   if (!_isNoGrantDenial(initial.reason)) return initial;
 
+  // Same identity-resolution as the sync gate — JIT prompt and grant
+  // write must use the verified widgetId.
+  const resolved = _resolveIdentity({
+    token: req.token,
+    widgetId: req.widgetId,
+  });
+  const verifiedWidgetId = resolved.widgetId;
+  if (!verifiedWidgetId) return initial;
+
   let decision;
   try {
     decision = await requestApproval(
       {
-        widgetId: req.widgetId,
+        widgetId: verifiedWidgetId,
         domain: "mcp",
         action: "callTool",
         args: {
@@ -22471,7 +22682,7 @@ async function gateToolCallWithJit$1(req, opts = {}) {
       allow: false,
       reason:
         "user declined JIT consent for widget '" +
-        req.widgetId +
+        verifiedWidgetId +
         "' calling '" +
         req.toolName +
         "' on '" +
@@ -22501,9 +22712,9 @@ async function gateToolCallWithJit$1(req, opts = {}) {
   addition.grantOrigin = "live";
 
   try {
-    const current = getGrant$1(req.widgetId);
+    const current = getGrant$1(verifiedWidgetId);
     const merged = _mergeGrant(current, addition);
-    setGrant$1(req.widgetId, merged);
+    setGrant$1(verifiedWidgetId, merged);
   } catch (e) {
     return {
       allow: false,
@@ -22716,7 +22927,7 @@ var mcpScopeResolver = {
  * Uses @modelcontextprotocol/sdk for protocol handling.
  */
 
-const { Client } = require$$0$5;
+const { Client } = require$$0$6;
 const {
   StdioClientTransport,
 } = require$$1$3;
@@ -23521,6 +23732,7 @@ const mcpController$3 = {
     allowedTools = null,
     widgetId = null,
     workspaceId = null,
+    token = null,
   ) => {
     const key = serverKey(workspaceId, serverName);
     try {
@@ -23544,8 +23756,12 @@ const mcpController$3 = {
       // startServer happens after the gate decides — and (b) avoids
       // leaking server-running state through error timing to a
       // probing widget that doesn't have permission anyway.
-      if (isWidgetPermissionEnforcementEnabled() && widgetId) {
-        const gateReq = { widgetId, serverName, toolName, args };
+      // Slice 1 (additive): if a mount token is supplied it's the
+      // trusted identity source; widgetId is verified-or-overwritten
+      // inside the gate via mountTokenRegistry. Gate gets to run
+      // whenever EITHER token or widgetId is present.
+      if (isWidgetPermissionEnforcementEnabled() && (widgetId || token)) {
+        const gateReq = { widgetId, token, serverName, toolName, args };
         const gate = isJitConsentEnabled()
           ? await gateToolCallWithJit(gateReq, { enableJit: true })
           : gateToolCall(gateReq);
@@ -24099,7 +24315,7 @@ const REGISTRY_BASE_URL$1 =
 let store$3 = null;
 function getStore$1() {
   if (!store$3) {
-    const Store = require$$0$6;
+    const Store = require$$0$7;
     store$3 = new Store({
       name: "dash-registry-auth",
       encryptionKey: "dash-registry-v1",
@@ -25384,7 +25600,7 @@ var manifestScanner = {
  * and dispatching task-fired events to renderer windows.
  */
 
-const Store$1 = require$$0$6;
+const Store$1 = require$$0$7;
 const { Cron } = require$$1$4;
 
 const store$2 = new Store$1({ name: "dash-scheduler" });
@@ -28600,7 +28816,7 @@ const algoliaController$1 = {
 
 var algoliaController_1 = algoliaController$1;
 
-const OpenAI = require$$0$7;
+const OpenAI = require$$0$8;
 const events$2 = events$8;
 
 const openaiController$1 = {
@@ -46960,7 +47176,7 @@ __export(src_exports, {
 var dist = __toCommonJS(src_exports);
 
 // src/server.ts
-var import_node_http = require$$0$8;
+var import_node_http = require$$0$9;
 
 // src/listener.ts
 var import_node_http22 = require$$1$5;
@@ -47311,7 +47527,7 @@ var buildOutgoingHttpHeaders = (headers) => {
 var X_ALREADY_SENT = "x-hono-already-sent";
 
 // src/globals.ts
-var import_node_crypto = __toESM(require$$3$4);
+var import_node_crypto = __toESM(require$$0$3);
 if (typeof commonjsGlobal.crypto === "undefined") {
   commonjsGlobal.crypto = import_node_crypto.default;
 }
@@ -48739,7 +48955,7 @@ var jsonSchemaToZod_1 = { jsonSchemaToZod: jsonSchemaToZod$1, jsonSchemaProperty
  */
 
 const https$1 = require$$11;
-const { randomUUID } = require$$3$4;
+const { randomUUID } = require$$0$3;
 const { BrowserWindow: BrowserWindow$2 } = require$$0$1;
 const { McpServer } = mcp;
 const {
@@ -50545,10 +50761,10 @@ var themeFromUrlErrors$1 = {
  * computed styles, and favicon/logo images (via node-vibrant).
  */
 
-const css = require$$0$9;
+const css = require$$0$a;
 const { Vibrant } = require$$1$6;
 const https = require$$11;
-const http = require$$0$8;
+const http = require$$0$9;
 const { URL: URL$1 } = require$$4$1;
 const {
   UrlUnreachableError,
@@ -55108,7 +55324,7 @@ var toolHandlers$1 = {
  * per-request, receiving the full messages array each time.
  */
 
-const Anthropic = require$$0$a;
+const Anthropic = require$$0$b;
 const mcpController$2 = mcpControllerExports;
 const cliController$1 = cliController_1;
 const toolDefinitions = toolDefinitions$1;
@@ -60273,7 +60489,7 @@ var dashboardConfigController$1 = {
  */
 
 const { Notification } = require$$0$1;
-const Store = require$$0$6;
+const Store = require$$0$7;
 
 const store$1 = new Store({ name: "dash-notifications" });
 
@@ -60536,7 +60752,7 @@ var notificationController_1 = notificationController$2;
 const { app: app$2 } = require$$0$1;
 const fs$1 = require$$0$2;
 const path$2 = require$$1$1;
-const WebSocket = require$$3$5;
+const WebSocket = require$$3$4;
 const {
   gateNetworkCall,
   gateNetworkCallWithJit,
@@ -60557,16 +60773,16 @@ function _loadFlags() {
   }
 }
 
-async function _runNetworkGate(action, widgetId, args) {
+async function _runNetworkGate(action, widgetId, args, token) {
   const settings = _loadFlags();
   if (!readEnforceFlag(settings)) return { allow: true };
-  if (!widgetId) return { allow: true }; // legacy callers
+  if (!widgetId && !token) return { allow: true }; // legacy callers
   return readJitFlag(settings)
     ? await gateNetworkCallWithJit(
-        { widgetId, action, args },
+        { widgetId, token, action, args },
         { enableJit: true },
       )
-    : gateNetworkCall({ widgetId, action, args });
+    : gateNetworkCall({ widgetId, token, action, args });
 }
 
 /**
@@ -60998,17 +61214,20 @@ const webSocketController$1 = {
    * @param {object} config - { url, headers, subprotocols, credentials }
    * @returns {{ success, providerName, status } | { error, message }}
    */
-  connect: async (win, providerName, config, widgetId = null) => {
-    // Phase 3 network gate — fires only when an explicit widgetId is
-    // supplied. The interpolated URL (with credentials substituted) is
-    // what we actually open the socket to, so the gate uses it for
+  connect: async (win, providerName, config, widgetId = null, token = null) => {
+    // Phase 3 network gate — fires when an explicit widgetId or token
+    // is supplied. The interpolated URL (with credentials substituted)
+    // is what we actually open the socket to, so the gate uses it for
     // hostname extraction.
     const interpolatedForGate = config?.credentials
       ? interpolate(config.url, config.credentials)
       : config?.url;
-    const gateResult = await _runNetworkGate("wsConnect", widgetId, {
-      url: interpolatedForGate,
-    });
+    const gateResult = await _runNetworkGate(
+      "wsConnect",
+      widgetId,
+      { url: interpolatedForGate },
+      token,
+    );
     if (!gateResult.allow) {
       return {
         error: true,
@@ -61614,7 +61833,7 @@ var grantDiff = { isBroadening: isBroadening$1 };
  * grant are also surfaced — those are the install-consent retroactive prompts.
  */
 
-const { ipcMain: ipcMain$1, dialog, BrowserWindow: BrowserWindow$1 } = require$$0$1;
+const { ipcMain: ipcMain$2, dialog, BrowserWindow: BrowserWindow$1 } = require$$0$1;
 const {
   getGrant,
   setGrant,
@@ -61670,11 +61889,11 @@ async function _confirmBroadening(event, widgetId, summary) {
 }
 
 function setupWidgetMcpGrantsHandlers() {
-  ipcMain$1.handle("widget-mcp:get-grant", (event, widgetId) => {
+  ipcMain$2.handle("widget-mcp:get-grant", (event, widgetId) => {
     return getGrant(widgetId);
   });
 
-  ipcMain$1.handle("widget-mcp:set-grant", async (event, widgetId, perms) => {
+  ipcMain$2.handle("widget-mcp:set-grant", async (event, widgetId, perms) => {
     const current = getGrant(widgetId);
     const diff = isBroadening(current, perms);
     if (diff.broadening) {
@@ -61684,11 +61903,11 @@ function setupWidgetMcpGrantsHandlers() {
     return setGrant(widgetId, perms);
   });
 
-  ipcMain$1.handle("widget-mcp:revoke", (event, widgetId) => {
+  ipcMain$2.handle("widget-mcp:revoke", (event, widgetId) => {
     return revokeGrant(widgetId);
   });
 
-  ipcMain$1.handle("widget-mcp:revoke-server", (event, widgetId, serverName) => {
+  ipcMain$2.handle("widget-mcp:revoke-server", (event, widgetId, serverName) => {
     return revokeServer(widgetId, serverName);
   });
 
@@ -61698,7 +61917,7 @@ function setupWidgetMcpGrantsHandlers() {
   // "Grant manually" for unmanifested widgets. Plus orphan-grant rows for
   // granted-but-uninstalled cases. Logic delegated to
   // widgetMcpGrantsListing.buildGrantsListing for unit-testability.
-  ipcMain$1.handle("widget-mcp:list-all", () => {
+  ipcMain$2.handle("widget-mcp:list-all", () => {
     const grantsByWidget = new Map();
     for (const { widgetId, granted } of listAllGrants()) {
       grantsByWidget.set(widgetId, granted);
@@ -61729,6 +61948,46 @@ function setupWidgetMcpGrantsHandlers() {
 
 var widgetMcpGrantsController$1 = { setupWidgetMcpGrantsHandlers };
 
+/**
+ * widgetMountTokenController.js
+ *
+ * IPC handlers for the widget mount-token registry. Called by
+ * `WidgetFactory` at React mount/unmount time. Returns a fresh
+ * server-generated token that the widget framework bakes into the
+ * widget's bound API; the renderer never picks the token itself.
+ *
+ * See `electron/security/mountTokenRegistry.js` for the registry and
+ * the longer threat-model note.
+ *
+ * Channels:
+ *   - "framework:register-widget-mount" (widgetId) → token string
+ *   - "framework:unregister-widget-mount" (token) → boolean (true = unregistered)
+ */
+
+const { ipcMain: ipcMain$1 } = require$$0$1;
+const { register, unregister } = mountTokenRegistry;
+
+function setupWidgetMountTokenHandlers() {
+  ipcMain$1.handle("framework:register-widget-mount", (_event, widgetId) => {
+    if (typeof widgetId !== "string" || widgetId.length === 0) {
+      return null;
+    }
+    try {
+      return register(widgetId);
+    } catch {
+      return null;
+    }
+  });
+
+  ipcMain$1.handle("framework:unregister-widget-mount", (_event, token) => {
+    if (typeof token !== "string" || token.length === 0) return false;
+    unregister(token);
+    return true;
+  });
+}
+
+var widgetMountTokenController$1 = { setupWidgetMountTokenHandlers };
+
 /**
  * clientFactories.js
  *
@@ -61752,7 +62011,7 @@ clientCache$1.registerFactory("algolia", (credentials) => {
 
 // --- OpenAI ---
 clientCache$1.registerFactory("openai", (credentials) => {
-  const OpenAI = require$$0$7;
+  const OpenAI = require$$0$8;
   return new OpenAI({ apiKey: credentials.apiKey });
 });
 
@@ -61771,7 +62030,7 @@ const MAX_RECENTS = 20;
 let store = null;
 function getStore() {
   if (!store) {
-    const Store = require$$0$6;
+    const Store = require$$0$7;
     store = new Store({ name: "dash-session" });
   }
   return store;
@@ -63227,8 +63486,8 @@ const dataApi$2 = {
     ipcRenderer$l.invoke(READ_JSON, { filepath, objectCount });
   },
 
-  readDataFromURL: (url, toFilepath, widgetId = null) => {
-    ipcRenderer$l.invoke(READ_DATA_URL, { url, toFilepath, widgetId });
+  readDataFromURL: (url, toFilepath, widgetId = null, token = null) => {
+    ipcRenderer$l.invoke(READ_DATA_URL, { url, toFilepath, widgetId, token });
   },
 
   /*
@@ -63236,13 +63495,21 @@ const dataApi$2 = {
    * @param {object} options { filename, extension }
    * @param {object} returnEmpty the return empty object
    */
-  saveData: (data, filename, append, returnEmpty, widgetId = null) =>
+  saveData: (
+    data,
+    filename,
+    append,
+    returnEmpty,
+    widgetId = null,
+    token = null,
+  ) =>
     ipcRenderer$l.invoke(DATA_SAVE_TO_FILE, {
       data,
       filename,
       append,
       returnEmpty,
       widgetId,
+      token,
     }),
 
   /*
@@ -63254,11 +63521,12 @@ const dataApi$2 = {
    *   for legacy callers (`enforceWidgetMcpPermissions` flag still
    *   gates the gate itself).
    */
-  readData: (filename, returnEmpty = [], widgetId = null) =>
+  readData: (filename, returnEmpty = [], widgetId = null, token = null) =>
     ipcRenderer$l.invoke(DATA_READ_FROM_FILE, {
       filename,
       returnEmpty,
       widgetId,
+      token,
     }),
 
   /**
@@ -64031,6 +64299,7 @@ const mcpApi$2 = {
     allowedTools = null,
     widgetId = null,
     workspaceId = null,
+    token = null,
   ) =>
     ipcRenderer$g.invoke(MCP_CALL_TOOL, {
       serverName,
@@ -64039,6 +64308,7 @@ const mcpApi$2 = {
       allowedTools,
       widgetId,
       workspaceId,
+      token,
     }),
 
   /**
@@ -65214,8 +65484,8 @@ const webSocketApi$2 = {
    * @param {object} config { url, headers, subprotocols, credentials }
    * @returns {Promise<{ success, providerName, status } | { error, message }>}
    */
-  connect: (providerName, config, widgetId = null) =>
-    ipcRenderer$4.invoke(WS_CONNECT, { providerName, config, widgetId }),
+  connect: (providerName, config, widgetId = null, token = null) =>
+    ipcRenderer$4.invoke(WS_CONNECT, { providerName, config, widgetId, token }),
 
   /**
    * disconnect
@@ -66735,6 +67005,7 @@ const webSocketController = webSocketController_1;
 const extractionCacheController = extractionCacheController_1;
 const mcpDashServerController = mcpDashServerController_1;
 const widgetMcpGrantsController = widgetMcpGrantsController$1;
+const widgetMountTokenController = widgetMountTokenController$1;
 const jitConsent = jitConsent$1;
 
 // --- Errors ---
@@ -66838,6 +67109,7 @@ var electron = {
   extractionCacheController,
   mcpDashServerController,
   widgetMcpGrantsController,
+  widgetMountTokenController,
   jitConsent,
 
   // Controller functions (flat) — spread for convenient destructuring