@trops/dash-core 0.1.511 → 0.1.512

package/dist/index.esm.js

@@ -425,6 +425,7 @@ var WidgetApi = {
       if (eApi) {
         // remove the listeners (reset)
         if ("removeAllListeners" in eApi) {
+          var _this$params;
           eApi.removeAllListeners(eApi.events.DATA_SAVE_TO_FILE_COMPLETE);
           eApi.removeAllListeners(eApi.events.DATA_SAVE_TO_FILE_ERROR);
           if (callbackComplete !== null) {
@@ -437,8 +438,13 @@ var WidgetApi = {
               return callbackError(response);
             });
           }
-          // request.
-          eApi.data.saveData(data, toFilename, append, returnEmpty, widgetId);
+          // Auto-thread widgetId from the singleton's per-widget
+          // state when the caller didn't supply one explicitly. This
+          // is what makes the fs gate fire for ordinary widgets that
+          // call `widgetApi.storeData({data, filename})` without
+          // knowing about widgetId.
+          var effectiveWidgetId = widgetId || ((_this$params = this.params) === null || _this$params === void 0 ? void 0 : _this$params.name) || null;
+          eApi.data.saveData(data, toFilename, append, returnEmpty, effectiveWidgetId);
         }
       }
     } catch (e) {
@@ -473,6 +479,7 @@ var WidgetApi = {
       var toFilename = filename !== null ? filename : "".concat(uuid, ".json");
       var eApi = this.electronApi();
       if ("removeAllListeners" in eApi) {
+        var _this$params2;
         eApi.removeAllListeners(eApi.events.DATA_READ_FROM_FILE_COMPLETE);
         eApi.removeAllListeners(eApi.events.DATA_READ_FROM_FILE_ERROR);
         if (callbackComplete !== null) {
@@ -495,7 +502,9 @@ var WidgetApi = {
             return callbackError(response);
           });
         }
-        eApi.data.readData(toFilename, [], widgetId);
+        // Auto-thread widgetId from the singleton — same as storeData.
+        var effectiveWidgetId = widgetId || ((_this$params2 = this.params) === null || _this$params2 === void 0 ? void 0 : _this$params2.name) || null;
+        eApi.data.readData(toFilename, [], effectiveWidgetId);
       }
     } catch (e) {
     }
@@ -1670,12 +1679,15 @@ var ElectronDashboardApi = /*#__PURE__*/function () {
     value: function mcpCallTool(serverName, toolName, args, allowedTools, onSuccess, onError) {
       var _this22 = this;
       var workspaceId = arguments.length > 6 && arguments[6] !== undefined ? arguments[6] : null;
+      var widgetId = arguments.length > 7 && arguments[7] !== undefined ? arguments[7] : null;
       if (this.api !== null) {
         try {
-          // widgetId is not threaded here; mcpApi.callTool defaults it to
-          // null. Slice 3a: workspaceId scopes the MCP server process per
-          // workspace.
-          this.api.mcp.callTool(serverName, toolName, args, allowedTools, null, workspaceId).then(function (result) {
+          // widgetId is the package-level identity for the MCP gate.
+          // Callers (typically `useMcpProvider`) pass `widgetData.name`
+          // so the gate's `getGrant(widgetId)` lookup matches the grant
+          // written at install consent. workspaceId scopes the server
+          // process per workspace (Slice 3a).
+          this.api.mcp.callTool(serverName, toolName, args, allowedTools, widgetId, workspaceId).then(function (result) {
             onSuccess(_this22.events.MCP_CALL_TOOL_COMPLETE, result);
           })["catch"](function (error) {
             onError(_this22.events.MCP_CALL_TOOL_ERROR, error);
@@ -29901,6 +29913,7 @@ var useMcpProvider = function useMcpProvider(providerType) {
         widgetRequiredTools,
         isRequired,
         workspaceId,
+        widgetIdForGate,
         _args3 = arguments;
       return _regeneratorRuntime.wrap(function (_context3) {
         while (1) switch (_context3.prev = _context3.next) {
@@ -29930,7 +29943,12 @@ var useMcpProvider = function useMcpProvider(providerType) {
             // Slice 3a: scope the MCP server process per workspace. The
             // workspace UUID is the canonical "current dashboard" identity
             // (see useNotifications, useScheduler for the same pattern).
-            workspaceId = (workspace === null || workspace === void 0 || (_workspace$workspaceD5 = workspace.workspaceData) === null || _workspace$workspaceD5 === void 0 ? void 0 : _workspace$workspaceD5.id) || null;
+            workspaceId = (workspace === null || workspace === void 0 || (_workspace$workspaceD5 = workspace.workspaceData) === null || _workspace$workspaceD5 === void 0 ? void 0 : _workspace$workspaceD5.id) || null; // widgetData.name is the package-level identity the MCP gate's
+            // grant store keys on. Without this, the gate's per-widget
+            // permissioning is silent (the legacy widgetId-null bypass
+            // skips the gate entirely). Threading it here makes JIT
+            // consent fire for widgets without the user-grant cached.
+            widgetIdForGate = (widgetData === null || widgetData === void 0 ? void 0 : widgetData.name) || null;
             return _context3.abrupt("return", new Promise(function (resolve, reject) {
               var timeout = setTimeout(function () {
                 reject(new Error("Tool call \"".concat(toolName, "\" timed out after 30s")));
@@ -29945,7 +29963,7 @@ var useMcpProvider = function useMcpProvider(providerType) {
               }, function (event, err) {
                 clearTimeout(timeout);
                 reject(new Error((err === null || err === void 0 ? void 0 : err.message) || "Failed to call MCP tool"));
-              }, workspaceId);
+              }, workspaceId, widgetIdForGate);
             }));
           case 3:
           case "end":