@wopr-network/platform-ui-core 1.1.9 → 1.1.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-ui-core",
-  "version": "1.1.9",
+  "version": "1.1.11",
   "description": "Brand-agnostic AI agent platform UI — deploy as any brand via env vars",
   "repository": {
     "type": "git",

package/src/__tests__/chat/chat-message.test.tsx

@@ -2,11 +2,12 @@ import { render, screen } from "@testing-library/react";
 import { describe, expect, it } from "vitest";
 import { ChatMessage } from "@/components/chat/chat-message";
 import type { ChatMessage as ChatMessageType } from "@/lib/chat/types";
+import { uuid } from "@/lib/uuid";
 
 function msg(
   overrides: Partial<ChatMessageType> & { role: ChatMessageType["role"]; content: string },
 ): ChatMessageType {
-  return { id: crypto.randomUUID(), timestamp: Date.now(), ...overrides };
+  return { id: uuid(), timestamp: Date.now(), ...overrides };
 }
 
 describe("ChatMessage", () => {

package/src/__tests__/chat/chat-panel.test.tsx

@@ -3,6 +3,7 @@ import userEvent from "@testing-library/user-event";
 import { beforeAll, describe, expect, it, vi } from "vitest";
 import { ChatPanel } from "@/components/chat/chat-panel";
 import type { ChatMessage as ChatMessageType } from "@/lib/chat/types";
+import { uuid } from "@/lib/uuid";
 
 // jsdom does not implement scrollIntoView — polyfill it for ChatPanel's auto-scroll useEffect
 beforeAll(() => {
@@ -12,7 +13,7 @@ beforeAll(() => {
 function msg(
   overrides: Partial<ChatMessageType> & { role: ChatMessageType["role"]; content: string },
 ): ChatMessageType {
-  return { id: crypto.randomUUID(), timestamp: Date.now(), ...overrides };
+  return { id: uuid(), timestamp: Date.now(), ...overrides };
 }
 
 const baseProps = {

package/src/hooks/use-plugin-setup-chat.ts

@@ -3,6 +3,7 @@
 import { useCallback, useEffect, useRef, useState } from "react";
 import { apiFetch, apiFetchRaw } from "@/lib/api";
 import type { ChatMessage } from "@/lib/chat/types";
+import { uuid } from "@/lib/uuid";
 
 interface PluginSetupState {
   isOpen: boolean;
@@ -74,7 +75,7 @@ export function usePluginSetupChat(
       const controller = new AbortController();
       abortRef.current = controller;
 
-      const sessionId = crypto.randomUUID();
+      const sessionId = uuid();
       sessionIdRef.current = sessionId;
 
       const params = new URLSearchParams({ pluginId, botId, sessionId });
@@ -125,7 +126,7 @@ export function usePluginSetupChat(
                       messages: [
                         ...s.messages,
                         {
-                          id: crypto.randomUUID(),
+                          id: uuid(),
                           role: "bot" as const,
                           content: event.delta,
                           timestamp: Date.now(),
@@ -144,7 +145,7 @@ export function usePluginSetupChat(
                     messages: [
                       ...s.messages,
                       {
-                        id: crypto.randomUUID(),
+                        id: uuid(),
                         role: "event" as const,
                         content: reason,
                         timestamp: Date.now(),
@@ -186,7 +187,7 @@ export function usePluginSetupChat(
       messages: [
         ...s.messages,
         {
-          id: crypto.randomUUID(),
+          id: uuid(),
           role: "user" as const,
           content: text,
           timestamp: Date.now(),

package/src/lib/chat/chat-store.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { storageKey } from "../brand-config";
+import { uuid } from "../uuid";
 import type { ChatMessage } from "./types";
 
 const HISTORY_KEY = storageKey("chat-history");
@@ -23,12 +24,12 @@ export function getSessionId(): string {
   try {
     const existing = localStorage.getItem(SESSION_KEY);
     if (existing) return existing;
-    const id = crypto.randomUUID();
+    const id = uuid();
     localStorage.setItem(SESSION_KEY, id);
     return id;
   } catch {
     // localStorage blocked (private browsing) — use ephemeral session ID
-    return crypto.randomUUID();
+    return uuid();
   }
 }
 

package/src/lib/chat/use-chat.ts

@@ -3,6 +3,7 @@
 import { useCallback, useEffect, useRef, useState } from "react";
 import { openChatStream, sendChatMessage } from "@/lib/api";
 import { eventName } from "@/lib/brand-config";
+import { uuid } from "@/lib/uuid";
 import { clearChatHistory, getSessionId, loadChatHistory, saveChatHistory } from "./chat-store";
 import type { ChatEvent, ChatMessage, ChatMode } from "./types";
 
@@ -76,7 +77,7 @@ export function useChat(): UseChatReturn {
         if (data.type === "text") {
           setIsTyping(true);
           if (pendingBotMsgRef.current === null) {
-            pendingBotMsgRef.current = crypto.randomUUID();
+            pendingBotMsgRef.current = uuid();
           }
           const msgId = pendingBotMsgRef.current;
           setMessages((prev) => {
@@ -105,7 +106,7 @@ export function useChat(): UseChatReturn {
           setIsTyping(false);
           pendingBotMsgRef.current = null;
           addMessage({
-            id: crypto.randomUUID(),
+            id: uuid(),
             role: "bot",
             content: `Error: ${data.message}`,
             timestamp: Date.now(),
@@ -165,7 +166,7 @@ export function useChat(): UseChatReturn {
       if (!trimmed) return;
 
       const userMsg: ChatMessage = {
-        id: crypto.randomUUID(),
+        id: uuid(),
         role: "user",
         content: trimmed,
         timestamp: Date.now(),
@@ -177,7 +178,7 @@ export function useChat(): UseChatReturn {
       sendChatMessage(sessionId.current, trimmed).catch(() => {
         setIsTyping(false);
         addMessage({
-          id: crypto.randomUUID(),
+          id: uuid(),
           role: "bot",
           content: "Sorry, your message could not be sent. Please try again.",
           timestamp: Date.now(),
@@ -190,7 +191,7 @@ export function useChat(): UseChatReturn {
   const addEventMarker = useCallback(
     (text: string) => {
       addMessage({
-        id: crypto.randomUUID(),
+        id: uuid(),
         role: "event",
         content: text,
         timestamp: Date.now(),
@@ -227,7 +228,7 @@ export function useChat(): UseChatReturn {
   const notify = useCallback(
     (text: string) => {
       addMessage({
-        id: crypto.randomUUID(),
+        id: uuid(),
         role: "bot",
         content: text,
         timestamp: Date.now(),

package/src/lib/uuid.ts

@@ -0,0 +1,27 @@
+/**
+ * Generate a v4 UUID that works in all contexts.
+ *
+ * crypto.randomUUID() requires a secure context (HTTPS or localhost).
+ * On HTTP with a non-localhost domain (e.g. local dev via /etc/hosts),
+ * it throws. This utility falls back to crypto.getRandomValues() which
+ * works everywhere, including non-secure contexts.
+ */
+export function uuid(): string {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  if (typeof crypto !== "undefined" && typeof crypto.getRandomValues === "function") {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    // Set version (4) and variant (RFC 4122)
+    bytes[6] = (bytes[6] & 0x0f) | 0x40;
+    bytes[8] = (bytes[8] & 0x3f) | 0x80;
+    const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+  }
+  // Last resort: Math.random (not cryptographically secure, but won't crash)
+  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
+    const r = (Math.random() * 16) | 0;
+    return (c === "x" ? r : (r & 0x3) | 0x8).toString(16);
+  });
+}

package/src/proxy.ts

@@ -9,7 +9,11 @@ const apiOrigin = process.env.NEXT_PUBLIC_API_URL
   ? new URL(process.env.NEXT_PUBLIC_API_URL).origin
   : "";
 
-const isSecureOrigin = process.env.NODE_ENV === "production";
+/**
+ * Only add upgrade-insecure-requests when actually serving over HTTPS.
+ * Checking NODE_ENV breaks local dev in Docker (NODE_ENV=production but no TLS).
+ * Computed per-request in buildCsp() from the request URL protocol.
+ */
 
 /**
  * Nonce-based style-src toggle.
@@ -21,7 +25,8 @@ const isSecureOrigin = process.env.NODE_ENV === "production";
 const NONCE_STYLES_ENABLED = true;
 
 /** Build the CSP header value with a per-request nonce. */
-function buildCsp(nonce: string): string {
+function buildCsp(nonce: string, requestUrl?: string): string {
+  const isHttps = requestUrl ? requestUrl.startsWith("https://") : false;
   return [
     "default-src 'self'",
     `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https://js.stripe.com`,
@@ -36,7 +41,7 @@ function buildCsp(nonce: string): string {
     "base-uri 'self'",
     "form-action 'self'",
     "object-src 'none'",
-    ...(isSecureOrigin ? ["upgrade-insecure-requests"] : []),
+    ...(isHttps ? ["upgrade-insecure-requests"] : []),
   ].join("; ");
 }
 
@@ -160,7 +165,7 @@ export default async function middleware(request: NextRequest) {
 
   // Generate a per-request nonce for CSP
   const nonce = crypto.randomUUID();
-  const cspHeaderValue = buildCsp(nonce);
+  const cspHeaderValue = buildCsp(nonce, request.url);
 
   /** Apply CSP and cache-busting headers to any response before returning it. */
   function withCsp(response: NextResponse): NextResponse {