@vortexm/vjt 0.1.2 → 0.1.4

package/dist/index.js

@@ -3682,9 +3682,173 @@ function logRuntimeError(scope, error, details) {
   }
   console.error("[VJT error]", payload);
 }
+function logRuntimeDebug(enabled, scope, payload) {
+  if (!enabled) {
+    return;
+  }
+  if (payload === void 0) {
+    console.log("[VJT debug]", scope);
+    return;
+  }
+  console.log("[VJT debug]", scope, payload);
+}
+
+// src/lib/security.ts
+var BLOCKED_OBJECT_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+var TRUSTED_CONFIG_ONLY_KEYS = /* @__PURE__ */ new Set(["widget", "style", "css", "actions", "events", "onClick", "onRefresh"]);
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function escapeHtmlAttribute(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
+}
+function coerceFiniteNumber(value, kind, path) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return kind === "int" ? Math.trunc(value) : value;
+  }
+  if (typeof value === "string" && value.trim().length > 0) {
+    const parsed = kind === "int" ? Number.parseInt(value, 10) : Number.parseFloat(value);
+    if (Number.isFinite(parsed)) {
+      return kind === "int" ? Math.trunc(parsed) : parsed;
+    }
+  }
+  throw new Error(`Invalid ${kind} at ${path}`);
+}
+function isBlockedObjectKey(key) {
+  return BLOCKED_OBJECT_KEYS.has(key);
+}
+function hasBlockedReferenceSegment(reference) {
+  return reference.split(".").some((segment) => isBlockedObjectKey(segment));
+}
+function isTrustedConfigOnlyKey(key) {
+  return TRUSTED_CONFIG_ONLY_KEYS.has(key);
+}
+function templateValueUsesReference(value) {
+  if (typeof value === "string") {
+    return value.includes("$ref:");
+  }
+  if (Array.isArray(value)) {
+    return value.some((entry) => templateValueUsesReference(entry));
+  }
+  if (isPlainObject(value)) {
+    return Object.values(value).some((entry) => templateValueUsesReference(entry));
+  }
+  return false;
+}
+function sanitizeConfigStyleMap(styleMap) {
+  const safe = {};
+  for (const [key, value] of Object.entries(styleMap)) {
+    if (isBlockedObjectKey(key) || typeof value !== "string") {
+      continue;
+    }
+    safe[key] = value;
+  }
+  return safe;
+}
+function sanitizeUrl(rawValue, options = {}) {
+  if (typeof rawValue !== "string") {
+    return null;
+  }
+  const value = rawValue.trim();
+  if (!value) {
+    return null;
+  }
+  if (/^(javascript|data|vbscript):/i.test(value)) {
+    return null;
+  }
+  if (value.startsWith("//")) {
+    return null;
+  }
+  const schemeMatch = value.match(/^([A-Za-z][A-Za-z\d+\-.]*):/);
+  if (!schemeMatch) {
+    return options.allowRelative !== false ? value : null;
+  }
+  const scheme = schemeMatch[1].toLowerCase();
+  if (scheme === "http" || scheme === "https") {
+    return value;
+  }
+  if (scheme === "mailto" && options.allowMailto) {
+    return value;
+  }
+  return null;
+}
+function sanitizeMarkdownSource(markdown) {
+  return markdown.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
+}
+function sanitizeGeneratedHtml(html) {
+  const withoutDangerousTags = html.replace(/<\s*(script|style|iframe|object|embed|link|meta|base|form)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, "").replace(/<\s*(script|style|iframe|object|embed|link|meta|base|form)\b[^>]*\/?>/gi, "").replace(/\son[a-z]+\s*=\s*(".*?"|'.*?'|[^\s>]+)/gi, "");
+  return withoutDangerousTags.replace(/\s(href|src)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi, (_match, attributeName, _full, dq, sq, bare) => {
+    const rawUrl = dq ?? sq ?? bare ?? "";
+    const safeUrl = sanitizeUrl(rawUrl, {
+      allowRelative: true,
+      allowMailto: attributeName.toLowerCase() === "href"
+    });
+    const fallback = attributeName.toLowerCase() === "href" ? "#" : "";
+    return ` ${attributeName}="${escapeHtmlAttribute(safeUrl ?? fallback)}"`;
+  });
+}
+function sanitizeSchemaValue(schema, value, path = "value") {
+  if (value === void 0 || value === null) {
+    return void 0;
+  }
+  if (schema.type === "object") {
+    if (!isPlainObject(value)) {
+      throw new Error(`Expected object at ${path}`);
+    }
+    const result = {};
+    for (const property of schema.properties ?? []) {
+      if (!property.name || isBlockedObjectKey(property.name)) {
+        continue;
+      }
+      result[property.name] = sanitizeSchemaValue(property, value[property.name], `${path}.${property.name}`);
+    }
+    return result;
+  }
+  if (schema.type === "array") {
+    if (!Array.isArray(value)) {
+      throw new Error(`Expected array at ${path}`);
+    }
+    return value.map((entry, index) => sanitizeSchemaValue(schema.elements, entry, `${path}[${index}]`));
+  }
+  switch (schema.type) {
+    case "int":
+      return coerceFiniteNumber(value, "int", path);
+    case "float":
+      return coerceFiniteNumber(value, "float", path);
+    case "boolean":
+      if (typeof value === "boolean") {
+        return value;
+      }
+      if (value === "true" || value === "1" || value === 1) {
+        return true;
+      }
+      if (value === "false" || value === "0" || value === 0) {
+        return false;
+      }
+      throw new Error(`Invalid boolean at ${path}`);
+    case "string": {
+      const stringValue = typeof value === "string" ? value : typeof value === "number" || typeof value === "boolean" || typeof value === "bigint" ? String(value) : (() => {
+        throw new Error(`Invalid string at ${path}`);
+      })();
+      if (typeof schema.maxLength === "number" && stringValue.length > schema.maxLength) {
+        throw new Error(`String too long at ${path}`);
+      }
+      if (typeof schema.regexp === "string" && schema.regexp) {
+        const regexp = new RegExp(schema.regexp);
+        if (!regexp.test(stringValue)) {
+          throw new Error(`String does not match regexp at ${path}`);
+        }
+      }
+      return stringValue;
+    }
+    default:
+      return value;
+  }
+}
 
 // src/lib/network.ts
 var NetworkRuntime = class {
+  debugLogging;
   requestsMap;
   sseConfigs;
   backendUrl;
@@ -3692,6 +3856,7 @@ var NetworkRuntime = class {
   runActions;
   rerenderRoot;
   constructor(options) {
+    this.debugLogging = options.debugLogging;
     this.requestsMap = options.requestsMap;
     this.sseConfigs = options.sseConfigs;
     this.backendUrl = options.backendUrl;
@@ -3707,7 +3872,12 @@ var NetworkRuntime = class {
       if (!config?.url) {
         continue;
       }
-      const source = new EventSource(config.url);
+      const safeUrl = sanitizeUrl(config.url, { allowRelative: true });
+      if (!safeUrl) {
+        logRuntimeError("sseConfig", new Error("Blocked unsafe SSE url"), { url: config.url });
+        continue;
+      }
+      const source = new EventSource(safeUrl);
       this.eventSources.push(source);
       for (const eventDefinition of config.events ?? []) {
         if (!eventDefinition?.name) {
@@ -3717,7 +3887,7 @@ var NetworkRuntime = class {
           void this.handleSseEvent(eventDefinition, event).catch((error) => {
             logRuntimeError("handleSseEvent", error, {
               eventName: eventDefinition.name,
-              url: config.url
+              url: safeUrl
             });
           });
         });
@@ -3745,12 +3915,23 @@ var NetworkRuntime = class {
     if (!requestUrl) {
       throw new Error(`Request ${requestName} has no url in config`);
     }
-    const response = await fetch(requestUrl, {
+    const safeRequestUrl = sanitizeUrl(requestUrl, { allowRelative: true });
+    if (!safeRequestUrl) {
+      throw new Error(`Request ${requestName} has unsafe url`);
+    }
+    const requestBody = JSON.stringify(requestEnvelope);
+    logRuntimeDebug(this.debugLogging, "request", {
+      requestName,
+      url: safeRequestUrl,
+      envelope: requestEnvelope,
+      body: requestBody
+    });
+    const response = await fetch(safeRequestUrl, {
       method: "POST",
       headers: {
         "Content-Type": "application/json"
       },
-      body: JSON.stringify(requestEnvelope)
+      body: requestBody
     });
     const responseText = await response.text();
     if (!response.ok) {
@@ -3765,7 +3946,20 @@ var NetworkRuntime = class {
     } catch {
       throw new Error(`Request ${requestName} returned non-JSON response: ${responseText.slice(0, 120)}`);
     }
-    const result = json.result;
+    if (json.error) {
+      throw new Error(`Request ${requestName} returned JSON-RPC error: ${this.stringifyPrimitive(json.error.message ?? "unknown error")}`);
+    }
+    if (!definition.response) {
+      throw new Error(`Request ${requestName} must define response schema`);
+    }
+    const result = sanitizeSchemaValue(definition.response, json.result, `response.${requestName}`);
+    logRuntimeDebug(this.debugLogging, "response", {
+      requestName,
+      url: safeRequestUrl,
+      status: response.status,
+      json,
+      result
+    });
     if (definition.onResponse?.length) {
       await this.runActions(definition.onResponse, null, {
         currentValue: null,
@@ -3778,7 +3972,7 @@ var NetworkRuntime = class {
     if (schema.type === "object") {
       const result = {};
       for (const property of schema.properties ?? []) {
-        if (!property.name) {
+        if (!property.name || isBlockedObjectKey(property.name)) {
           continue;
         }
         result[property.name] = await this.buildSchemaValue(property, currentValue, responseValue);
@@ -3834,12 +4028,21 @@ var NetworkRuntime = class {
     }
   }
   async handleSseEvent(eventDefinition, event) {
-    let message = {};
+    let parsedMessage = {};
     try {
-      message = event.data ? JSON.parse(event.data) : {};
+      parsedMessage = event.data ? JSON.parse(event.data) : {};
     } catch {
-      message = { value: event.data ?? "" };
+      parsedMessage = { value: event.data ?? "" };
     }
+    const message = eventDefinition.message ? sanitizeSchemaValue(eventDefinition.message, parsedMessage, `sse.${eventDefinition.name}`) : (() => {
+      throw new Error(`SSE event ${eventDefinition.name} must define message schema`);
+    })();
+    logRuntimeDebug(this.debugLogging, "sse", {
+      eventName: eventDefinition.name,
+      raw: event.data,
+      parsedMessage,
+      message
+    });
     if (!eventDefinition.onEvent?.length) {
       return;
     }
@@ -3852,12 +4055,15 @@ var NetworkRuntime = class {
 };
 
 // src/lib/references.ts
-function isPlainObject(value) {
+function isPlainObject2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function readPath(target, path) {
   let current = target;
   for (const segment of path) {
+    if (isBlockedObjectKey(segment)) {
+      return void 0;
+    }
     if (current == null) {
       return void 0;
     }
@@ -3869,6 +4075,9 @@ function readPath(target, path) {
     if (typeof current !== "object") {
       return void 0;
     }
+    if (!Object.prototype.hasOwnProperty.call(current, segment)) {
+      return void 0;
+    }
     current = current[segment];
   }
   return current;
@@ -4008,7 +4217,7 @@ var ReferenceRuntime = class {
       }
       return readPath(currentValue.descriptor, reference.split("."));
     }
-    if (isPlainObject(currentValue) || Array.isArray(currentValue)) {
+    if (isPlainObject2(currentValue) || Array.isArray(currentValue)) {
       return readPath(currentValue, reference.split("."));
     }
     return void 0;
@@ -4033,7 +4242,7 @@ var ReferenceRuntime = class {
         if (state.widget === "combobox") {
           const index = state.selected ?? 0;
           const entry = (state.comboboxElements ?? [])[index];
-          if (isPlainObject(entry)) {
+          if (isPlainObject2(entry)) {
             return entry.value ?? entry.text ?? index;
           }
           return index;
@@ -4041,7 +4250,7 @@ var ReferenceRuntime = class {
         if (state.widget === "listbox") {
           const index = state.selected ?? 0;
           const entry = (state.listboxElements ?? [])[index];
-          if (isPlainObject(entry)) {
+          if (isPlainObject2(entry)) {
             return entry.value ?? entry.text ?? index;
           }
           return index;
@@ -4091,7 +4300,7 @@ var ReferenceRuntime = class {
     }
   }
   assignReference(reference, inputValue, _currentValue, options) {
-    if (reference.startsWith("current.")) {
+    if (reference.startsWith("current.") || hasBlockedReferenceSegment(reference)) {
       return;
     }
     if (reference.startsWith("cookies.")) {
@@ -4136,7 +4345,7 @@ var ReferenceRuntime = class {
       case "elements":
         if (state.widget === "list" || state.widget === "grid-view") {
           this.clearListElementState(state.key);
-          state.elements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject(item) && typeof item.widget === "string") : [];
+          state.elements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject2(item) && typeof item.widget === "string") : [];
           state.elements.forEach((element, index) => {
             const listNode = this.host.nodeById.get(widgetId);
             if (listNode?.widget === "list" || listNode?.widget === "grid-view") {
@@ -4145,10 +4354,10 @@ var ReferenceRuntime = class {
           });
         }
         if (state.widget === "listbox") {
-          state.listboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject(item)) : [];
+          state.listboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject2(item)) : [];
         }
         if (state.widget === "combobox") {
-          state.comboboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject(item)) : [];
+          state.comboboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject2(item)) : [];
         }
         break;
       default:
@@ -4187,9 +4396,15 @@ var ReferenceRuntime = class {
     if (Array.isArray(template)) {
       return template.map((entry) => this.resolveMappedValue(entry, currentValue, responseValue));
     }
-    if (isPlainObject(template)) {
+    if (isPlainObject2(template)) {
       const result = {};
       for (const [key, value] of Object.entries(template)) {
+        if (isBlockedObjectKey(key)) {
+          continue;
+        }
+        if (isTrustedConfigOnlyKey(key) && templateValueUsesReference(value)) {
+          continue;
+        }
         result[key] = this.resolveMappedValue(value, currentValue, responseValue);
       }
       return result;
@@ -4197,7 +4412,7 @@ var ReferenceRuntime = class {
     return template;
   }
   isListElementContext(value) {
-    return isPlainObject(value) && value.kind === "list-element" && typeof value.listId === "string" && typeof value.index === "number" && isPlainObject(value.descriptor) && typeof value.descriptor.widget === "string";
+    return isPlainObject2(value) && value.kind === "list-element" && typeof value.listId === "string" && typeof value.index === "number" && isPlainObject2(value.descriptor) && typeof value.descriptor.widget === "string";
   }
   findNamedWidget(node, name) {
     if (!node) {
@@ -4269,6 +4484,7 @@ var ReferenceRuntime = class {
 
 // src/lib/action-runtime.ts
 var ActionRuntime = class {
+  debugLogging;
   actionsMap;
   actionFunctions;
   nodeById;
@@ -4293,6 +4509,7 @@ var ActionRuntime = class {
   getInlineActions;
   isWidgetEnabled;
   constructor(options) {
+    this.debugLogging = options.debugLogging;
     this.actionsMap = options.actionsMap;
     this.actionFunctions = options.actionFunctions;
     this.nodeById = options.nodeById;
@@ -4348,30 +4565,55 @@ var ActionRuntime = class {
     return this.getInlineActions(node);
   }
   async runSingleAction(action, inputValue, context) {
-    let output = await this.executeAction(action, inputValue, context);
-    if (action.andThen?.length) {
-      if (Array.isArray(output)) {
-        const collected = [];
-        for (const entry of output) {
-          if (entry === null || entry === void 0) {
-            continue;
-          }
-          const nestedOutput = await this.runActions(action.andThen, entry, { ...context, currentValue: entry });
-          if (nestedOutput !== null && nestedOutput !== void 0) {
-            collected.push(nestedOutput);
+    const actionName = action.action.trim();
+    try {
+      let output = await this.executeAction(action, inputValue, context);
+      if (action.andThen?.length) {
+        if (Array.isArray(output)) {
+          const collected = [];
+          for (const entry of output) {
+            if (entry === null || entry === void 0) {
+              continue;
+            }
+            const nestedOutput = await this.runActions(action.andThen, entry, { ...context, currentValue: entry });
+            if (nestedOutput !== null && nestedOutput !== void 0) {
+              collected.push(nestedOutput);
+            }
           }
+          output = collected;
+        } else if (output !== null && output !== void 0) {
+          output = await this.runActions(action.andThen, output, { ...context, currentValue: output });
+        } else {
+          output = null;
         }
-        output = collected;
-      } else if (output !== null && output !== void 0) {
-        output = await this.runActions(action.andThen, output, { ...context, currentValue: output });
-      } else {
-        output = null;
       }
+      logRuntimeDebug(this.debugLogging, "action-result", {
+        action: actionName,
+        output
+      });
+      return output;
+    } catch (error) {
+      logRuntimeError("action", error, {
+        action: actionName,
+        args: action.args,
+        inputValue,
+        currentValue: context.currentValue,
+        responseValue: context.responseValue,
+        pointer: context.pointer ?? null
+      });
+      throw error;
     }
-    return output;
   }
   async executeAction(action, inputValue, context) {
     const name = action.action.trim();
+    logRuntimeDebug(this.debugLogging, "action", {
+      action: name,
+      args: action.args,
+      inputValue,
+      currentValue: context.currentValue,
+      responseValue: context.responseValue,
+      pointer: context.pointer ?? null
+    });
     if (this.actionsMap[name]) {
       return this.runActions(this.actionsMap[name], inputValue, context);
     }
@@ -4486,7 +4728,7 @@ function isIfElseArgs(value) {
 }
 
 // src/lib/dom-state.ts
-function isPlainObject2(value) {
+function isPlainObject3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function supportsTextSelection(element) {
@@ -4656,7 +4898,7 @@ function getListElementContextFromElement(element, stateByKey) {
   }
   const listState = stateByKey.get(listId);
   const descriptor = listState?.elements?.[index];
-  if (!descriptor || !isPlainObject2(descriptor) || typeof descriptor.widget !== "string") {
+  if (!descriptor || !isPlainObject3(descriptor) || typeof descriptor.widget !== "string") {
     return null;
   }
   return {
@@ -5173,7 +5415,7 @@ var renderMdText = (env, node, state, key) => {
   const verticalAlign = VERTICAL_ALIGN_MAP2[node["vert-align"] ?? "center"];
   const common = state.id ? ` id="${env.escapeHtml(state.id)}"` : "";
   const markdown = env.resolveI18nValue(state.text ?? node.text);
-  const html = markdownConverter.makeHtml(markdown);
+  const html = sanitizeGeneratedHtml(markdownConverter.makeHtml(sanitizeMarkdownSource(markdown)));
   const inlineStyle = [
     "display:flex",
     `align-items:${verticalAlign}`,
@@ -5279,7 +5521,7 @@ var renderCheckbox = (env, node, state, key) => {
 
 // src/lib/widgets/image.ts
 var renderImage = (env, node, state, key) => {
-  const url = env.escapeHtml(state.url ?? node.url ?? "");
+  const url = env.escapeHtml(sanitizeUrl(state.url ?? node.url ?? "", { allowRelative: true }) ?? "");
   const styleParts = [
     "box-sizing:border-box",
     "width:100%",
@@ -5306,7 +5548,7 @@ var renderLink = (env, node, state, key) => {
   const classes = `vjt-link vjt-link--${type}${enabled ? "" : " is-disabled"}`;
   const styleString = env.buildStyleString(node);
   const styleAttribute = styleString ? ` style="${env.escapeHtml(styleString)}"` : "";
-  const href = enabled && typeof node.url === "string" ? node.url : "#";
+  const href = enabled ? sanitizeUrl(state.url ?? node.url, { allowRelative: true, allowMailto: true }) ?? "#" : "#";
   const tabIndex = enabled ? "" : ' tabindex="-1" aria-disabled="true"';
   return `<a${state.id ? ` id="${env.escapeHtml(state.id)}"` : ""}${env.buildWidgetDataAttributes(key, node)} class="${classes}" data-widget="link" href="${env.escapeHtml(href)}"${tabIndex}${styleAttribute}>${text}</a>`;
 };
@@ -5868,7 +6110,7 @@ function toFiniteNumber3(value) {
   }
   return null;
 }
-function isPlainObject3(value) {
+function isPlainObject4(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function deepClone(value) {
@@ -5878,6 +6120,9 @@ function sanitizeIdFragment2(value) {
   const cleaned = value.replaceAll(/[^A-Za-z0-9_-]+/g, "");
   return cleaned || "item";
 }
+function buildDefinitionSignature(value) {
+  return JSON.stringify(value) ?? "null";
+}
 function isGeneratedElementId(value) {
   return !value.includes(".") && !value.includes(":") && /Element\d+/.test(value);
 }
@@ -5926,6 +6171,7 @@ var RuntimeRenderer = class {
   systemEvents;
   resourceManager;
   actionFunctions;
+  debugLogging;
   backendUrl;
   initialRuntimeSnapshot;
   onRuntimeSnapshot;
@@ -5952,7 +6198,7 @@ var RuntimeRenderer = class {
   constructor(description, options = {}) {
     this.description = deepClone(description);
     this.resourceManager = options.resourceManager ?? null;
-    const customStyleMap = options.styleMap ?? this.resourceManager?.getStyleMap() ?? {};
+    const customStyleMap = sanitizeConfigStyleMap(options.styleMap ?? this.resourceManager?.getStyleMap() ?? {});
     this.styleMap = {
       ...DEFAULT_STYLE_MAP,
       ...customStyleMap
@@ -5966,6 +6212,7 @@ var RuntimeRenderer = class {
     this.sseConfigs = Array.isArray(resolvedSseConfigs) ? resolvedSseConfigs : resolvedSseConfigs ? [resolvedSseConfigs] : [];
     this.systemEvents = options.systemEvents ?? this.resourceManager?.getSystemEvents() ?? {};
     this.actionFunctions = options.actionFunctions ?? {};
+    this.debugLogging = options.debugLogging === true;
     this.backendUrl = options.backendUrl;
     this.initialRuntimeSnapshot = options.runtimeSnapshot ? deepClone(options.runtimeSnapshot) : null;
     this.onRuntimeSnapshot = options.onRuntimeSnapshot;
@@ -6013,6 +6260,7 @@ var RuntimeRenderer = class {
       indexListElementNodes: (listNode, element, index) => this.indexListElementNodes(listNode, element, index)
     });
     this.networkRuntime = new NetworkRuntime({
+      debugLogging: this.debugLogging,
       requestsMap: this.requestsMap,
       sseConfigs: this.sseConfigs,
       backendUrl: this.backendUrl,
@@ -6021,6 +6269,7 @@ var RuntimeRenderer = class {
       rerenderRoot: () => this.rerenderRoot()
     });
     this.actionRuntime = new ActionRuntime({
+      debugLogging: this.debugLogging,
       actionsMap: this.actionsMap,
       actionFunctions: this.actionFunctions,
       nodeById: this.nodeById,
@@ -6066,7 +6315,9 @@ var RuntimeRenderer = class {
     this.applyRuntimeSnapshot(this.initialRuntimeSnapshot);
   }
   renderMarkup() {
-    return `${this.renderNode(this.description, "root", null)}${this.renderGlobalOverlays()}`;
+    const markup = `${this.renderNode(this.description, "root", null)}${this.renderGlobalOverlays()}`;
+    logRuntimeDebug(this.debugLogging, "html", markup);
+    return markup;
   }
   mount(root, options = {}) {
     if (!(root instanceof HTMLElement)) {
@@ -6160,7 +6411,11 @@ var RuntimeRenderer = class {
     if (typeof window === "undefined" || !url.trim()) {
       return;
     }
-    const nextUrl = new URL(url, window.location.href);
+    const safeUrl = sanitizeUrl(url, { allowRelative: true });
+    if (!safeUrl) {
+      throw new Error("Blocked unsafe navigation url");
+    }
+    const nextUrl = new URL(safeUrl, window.location.href);
     if (nextUrl.origin !== window.location.origin) {
       window.location.assign(nextUrl.toString());
       return;
@@ -6398,6 +6653,7 @@ var RuntimeRenderer = class {
         existing.id = stateId2;
         this.stateById.set(stateId2, existing);
       }
+      this.syncStateDefinition(existing, node);
       return existing;
     }
     const stateId = node.id ?? (isGeneratedElementId(key) ? key : void 0);
@@ -6467,6 +6723,7 @@ var RuntimeRenderer = class {
           id: stateId,
           name: node.name,
           enabled: normalizeBoolean(node.enabled, true),
+          definitionSignature: buildDefinitionSignature(node.elements ?? []),
           elements: deepClone(node.elements ?? [])
         };
         break;
@@ -6477,6 +6734,7 @@ var RuntimeRenderer = class {
           id: stateId,
           name: node.name,
           enabled: normalizeBoolean(node.enabled, true),
+          definitionSignature: buildDefinitionSignature(node.elements ?? []),
           listboxElements: deepClone(node.elements ?? []),
           selected: toFiniteNumber3(node.selected) ?? 0
         };
@@ -6488,6 +6746,7 @@ var RuntimeRenderer = class {
           id: stateId,
           name: node.name,
           enabled: normalizeBoolean(node.enabled, true),
+          definitionSignature: buildDefinitionSignature(node.elements ?? []),
           comboboxElements: deepClone(node.elements ?? []),
           selected: toFiniteNumber3(node.selected) ?? 0
         };
@@ -6551,6 +6810,45 @@ var RuntimeRenderer = class {
     }
     return state;
   }
+  syncStateDefinition(state, node) {
+    if (state.widget !== node.widget) {
+      return;
+    }
+    switch (node.widget) {
+      case "list":
+      case "grid-view": {
+        const nextSignature = buildDefinitionSignature(node.elements ?? []);
+        if (state.definitionSignature !== nextSignature) {
+          if (state.widget === "list" || state.widget === "grid-view") {
+            this.clearListElementState(state.key);
+            state.elements = deepClone(node.elements ?? []);
+            state.definitionSignature = nextSignature;
+          }
+        }
+        break;
+      }
+      case "listbox": {
+        const nextSignature = buildDefinitionSignature(node.elements ?? []);
+        if (state.definitionSignature !== nextSignature) {
+          state.listboxElements = deepClone(node.elements ?? []);
+          state.selected = toFiniteNumber3(node.selected) ?? 0;
+          state.definitionSignature = nextSignature;
+        }
+        break;
+      }
+      case "combobox": {
+        const nextSignature = buildDefinitionSignature(node.elements ?? []);
+        if (state.definitionSignature !== nextSignature) {
+          state.comboboxElements = deepClone(node.elements ?? []);
+          state.selected = toFiniteNumber3(node.selected) ?? 0;
+          state.definitionSignature = nextSignature;
+        }
+        break;
+      }
+      default:
+        break;
+    }
+  }
   getStateForNode(node, fallbackPath) {
     const key = fallbackPath ? this.resolveNodeKey(node, fallbackPath) : node.id ?? this.resolveNodeKey(node, `auto:${node.widget}`);
     return this.ensureWidgetState(node, key);
@@ -6941,7 +7239,7 @@ var RuntimeRenderer = class {
       return;
     }
     const descriptor = listState.elements[indexValue];
-    if (!descriptor || !isPlainObject3(descriptor) || typeof descriptor.widget !== "string") {
+    if (!descriptor || !isPlainObject4(descriptor) || typeof descriptor.widget !== "string") {
       return;
     }
     mutate(descriptor);

package/dist/lib/action-runtime.d.ts

@@ -8,6 +8,7 @@ export type ActionExecutionContext = {
     } | null;
 };
 type ActionRuntimeOptions = {
+    debugLogging: boolean;
     actionsMap: ActionMap;
     actionFunctions: Record<string, () => unknown>;
     nodeById: Map<string, DescriptionNode>;
@@ -48,6 +49,7 @@ type ActionRuntimeOptions = {
     isWidgetEnabled: (node: DescriptionNode, key: string) => boolean;
 };
 export declare class ActionRuntime {
+    private readonly debugLogging;
     private readonly actionsMap;
     private readonly actionFunctions;
     private readonly nodeById;

package/dist/lib/logging.d.ts

@@ -1 +1,2 @@
 export declare function logRuntimeError(scope: string, error: unknown, details?: Record<string, unknown>): void;
+export declare function logRuntimeDebug(enabled: boolean, scope: string, payload?: unknown): void;

package/dist/lib/network.d.ts

@@ -4,6 +4,7 @@ type ActionRunner = (actions: ActionDefinition[], inputValue: unknown, context:
     responseValue?: unknown;
 }) => Promise<unknown>;
 type NetworkRuntimeOptions = {
+    debugLogging: boolean;
     requestsMap: RequestMap;
     sseConfigs: SseConfig[];
     backendUrl?: string;
@@ -12,6 +13,7 @@ type NetworkRuntimeOptions = {
     rerenderRoot: () => Promise<void>;
 };
 export declare class NetworkRuntime {
+    private readonly debugLogging;
     private readonly requestsMap;
     private readonly sseConfigs;
     private readonly backendUrl?;

package/dist/lib/security.d.ts

@@ -0,0 +1,13 @@
+import type { RequestSchema, StyleMap } from './types.js';
+export declare function isBlockedObjectKey(key: string): boolean;
+export declare function hasBlockedReferenceSegment(reference: string): boolean;
+export declare function isTrustedConfigOnlyKey(key: string): boolean;
+export declare function templateValueUsesReference(value: unknown): boolean;
+export declare function sanitizeConfigStyleMap(styleMap: StyleMap): StyleMap;
+export declare function sanitizeUrl(rawValue: unknown, options?: {
+    allowRelative?: boolean;
+    allowMailto?: boolean;
+}): string | null;
+export declare function sanitizeMarkdownSource(markdown: string): string;
+export declare function sanitizeGeneratedHtml(html: string): string;
+export declare function sanitizeSchemaValue(schema: RequestSchema, value: unknown, path?: string): unknown;

package/dist/lib/types.d.ts

@@ -91,6 +91,7 @@ export type WidgetState = {
     widget: DescriptionNode['widget'];
     id?: string;
     name?: string;
+    definitionSignature?: string;
     currentRef?: string;
     text?: string;
     url?: string;
@@ -131,6 +132,7 @@ export type RenderJsonOptions = {
     i18n?: I18nMap;
     language?: string;
     theme?: Theme;
+    debugLogging?: boolean;
     actionsMap?: ActionMap;
     requestsMap?: RequestMap;
     sseConfigs?: SseConfigInput;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vortexm/vjt",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",