anentrypoint-design 0.0.204 → 0.0.206

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "anentrypoint-design",
-  "version": "0.0.204",
+  "version": "0.0.206",
   "description": "247420 design system SDK — webjsx + modified ripple-ui, single-file ESM bundle for reproducible use of the AnEntrypoint design.",
   "type": "module",
   "main": "./dist/247420.js",

package/src/components/community.js

@@ -2,6 +2,7 @@
 
 import * as webjsx from '../../vendor/webjsx/index.js';
 import { Icon } from './shell.js';
+import { sanitizeHtml } from '../markdown.js';
 const h = webjsx.createElement;
 
 // Clamp a count to a compact badge string (matches the rail's 99+ convention),
@@ -391,7 +392,13 @@ export function PageView({ title = '', html = '', isAdmin = false, onEdit } = {}
         ),
         h('div', {
             class: 'cm-page-body',
-            ref: (el) => { if (el) el.innerHTML = html || '<p class="cm-page-empty">This page is empty.</p>'; }
+            // Page bodies are host/user-authored HTML, so they pass through the
+            // DOMPurify gate before innerHTML — never injected raw (stored-XSS gate).
+            ref: (el) => {
+                if (!el) return;
+                if (!html) { el.innerHTML = '<p class="cm-page-empty">This page is empty.</p>'; return; }
+                sanitizeHtml(html).then((clean) => { el.innerHTML = clean; });
+            }
         })
     );
 }

package/src/components/content.js

@@ -53,7 +53,11 @@ export function Row({ code, rank, title, sub, meta, active, state = 'default', o
     const isLink = kind === 'link' || (href != null && !onClick);
     const isButton = !isLink && !!onClick;
     const stateCls = state === 'disabled' ? ' row-state-disabled' : (state === 'error' ? ' row-state-error' : '');
-    const cls = 'row' + (isActive ? ' active' : '') + stateCls + (cols ? ' row-grid' : '') + (rail ? ' rail-' + rail : '');
+    // With no leading/code, the title would otherwise land in the narrow code
+    // column and wrap; `row-nocode` collapses that column so the title gets the
+    // full width (meta still pinned right).
+    const noLead = codeVal == null && leading == null;
+    const cls = 'row' + (isActive ? ' active' : '') + stateCls + (cols ? ' row-grid' : '') + (noLead && !cols ? ' row-nocode' : '') + (rail ? ' rail-' + rail : '');
     const isDisabled = state === 'disabled';
     const props = { key, class: cls, style: cols ? `${style ? style + ';' : ''}grid-template-columns:${cols}` : style };
     if (isLink) {
@@ -168,7 +172,7 @@ export function WorksList({ works = [], openedIndex = -1, onToggle }) {
                     // Expand affordance: a chevron icon (down when open, right when
                     // collapsed) separated from the meta text by a CSS gap, not a
                     // literal +/- with a double-space.
-                    meta: h('span', { class: 'ds-works-meta', style: 'display:inline-flex;align-items:center;gap:.4em' },
+                    meta: h('span', { class: 'ds-works-meta' },
                         w.meta != null ? h('span', {}, w.meta) : null,
                         Icon(isOpen ? 'chevron-down' : 'chevron-right')),
                     active: isOpen,

package/src/kits/os/freddie/pages-tools.js

@@ -139,7 +139,7 @@ export function makeToolsPages(ctx) {
             const out = h('div', { id: 'fd-batch-out' });
             const root = ctx.root;
             return [
-                Section({ title: '// batch runner', children: [
+                Section({ title: 'batch runner', children: [
                     Panel({ title: 'run prompts', children: form({
                         fields: [{ name: 'prompts', kind: 'textarea', placeholder: 'one prompt per line' }, { name: 'concurrency', type: 'number', value: '4' }],
                         submit: 'run',

package/src/markdown.js

@@ -52,3 +52,13 @@ export async function renderMarkdown(src) {
     const raw = _marked.parse(String(src));
     return _purify.sanitize(raw);
 }
+
+// Sanitize already-rendered HTML before it touches innerHTML. For any surface
+// that injects host/user-authored HTML (e.g. a wiki page body), this is the
+// single XSS gate — DOMPurify strips scripts/handlers. If the purifier hasn't
+// loaded, we safe-fail by escaping (raw tags show as text, never execute).
+export async function sanitizeHtml(html) {
+    const ok = await ensureReady();
+    if (!ok) return escapeHtml(html);
+    return _purify.sanitize(String(html));
+}

package/src/markdown-cache-perf-test.js

@@ -1,173 +0,0 @@
-// Performance test harness for markdown & Prism cache optimization.
-// Measures load times, render performance, and verifies correctness.
-// Run: node src/markdown-cache-perf-test.js
-
-import { renderMarkdownCached, highlightCodeBlockCached, initializeCachesEagerly, getCacheStats, resetCacheState } from './markdown-cache.js';
-
-const SAMPLE_MARKDOWN = `
-# Hello World
-
-This is **bold** and *italic* text with \`inline code\`.
-
-[Link example](https://example.com)
-
-## Code Block Example
-
-\`\`\`python
-def hello():
-    print("World")
-\`\`\`
-
-> Blockquote example
-
-- List item 1
-- List item 2
-- List item 3
-`;
-
-const CODE_SAMPLES = [
-    { lang: 'javascript', code: 'const x = 42; console.log(x);' },
-    { lang: 'python', code: 'def fib(n):\n    return n if n < 2 else fib(n-1) + fib(n-2)' },
-    { lang: 'bash', code: 'echo "Hello World" | grep -i hello' },
-];
-
-async function measureInitialization() {
-    console.log('\n=== Initialization Performance ===');
-    resetCacheState();
-
-    const startTotal = performance.now();
-    await initializeCachesEagerly();
-    const totalMs = performance.now() - startTotal;
-
-    const stats = getCacheStats();
-    console.log(`Total init time: ${totalMs.toFixed(2)}ms`);
-    console.log(`  - Markdown init: ${stats.initMs.markdown.toFixed(2)}ms`);
-    console.log(`  - Prism init: ${stats.initMs.prism.toFixed(2)}ms`);
-    console.log(`Status: Markdown=${stats.markdownInitialized}, Prism=${stats.prismInitialized}`);
-
-    // Second call should be instant (cached)
-    const t0 = performance.now();
-    await initializeCachesEagerly();
-    const cacheHitMs = performance.now() - t0;
-    console.log(`Second init (cached): ${cacheHitMs.toFixed(2)}ms`);
-
-    return stats;
-}
-
-async function measureMarkdownRendering() {
-    console.log('\n=== Markdown Rendering Performance ===');
-
-    // Warm up
-    await renderMarkdownCached(SAMPLE_MARKDOWN);
-
-    // Measure 10 renders
-    const times = [];
-    for (let i = 0; i < 10; i++) {
-        const t0 = performance.now();
-        await renderMarkdownCached(SAMPLE_MARKDOWN);
-        times.push(performance.now() - t0);
-    }
-
-    const avg = times.reduce((a, b) => a + b, 0) / times.length;
-    const min = Math.min(...times);
-    const max = Math.max(...times);
-
-    console.log(`Rendered markdown 10x:`);
-    console.log(`  - Average: ${avg.toFixed(2)}ms`);
-    console.log(`  - Min: ${min.toFixed(2)}ms`);
-    console.log(`  - Max: ${max.toFixed(2)}ms`);
-    console.log(`Sample times: [${times.map(t => t.toFixed(1)).join(', ')}]ms`);
-
-    return { avg, min, max, times };
-}
-
-async function measureSyntaxHighlighting() {
-    console.log('\n=== Syntax Highlighting Performance ===');
-
-    const results = [];
-
-    for (const sample of CODE_SAMPLES) {
-        // Create a minimal mock element (note: in browser, this would be real DOM)
-        const mockEl = { querySelectorAll: () => [] };
-
-        // Measure highlight operation
-        const t0 = performance.now();
-        await highlightCodeBlockCached(mockEl);
-        const ms = performance.now() - t0;
-
-        console.log(`${sample.lang}: ${ms.toFixed(2)}ms`);
-        results.push({ lang: sample.lang, ms });
-    }
-
-    return results;
-}
-
-async function measureMultipleMessages() {
-    console.log('\n=== Simulated Message Stream (10 messages) ===');
-
-    const times = [];
-    let totalMs = 0;
-
-    for (let i = 0; i < 10; i++) {
-        const t0 = performance.now();
-        await renderMarkdownCached(SAMPLE_MARKDOWN);
-        const ms = performance.now() - t0;
-        times.push(ms);
-        totalMs += ms;
-        process.stdout.write(`Message ${i + 1}: ${ms.toFixed(1)}ms\n`);
-    }
-
-    console.log(`\nStream Stats:`);
-    console.log(`  - Total: ${totalMs.toFixed(2)}ms`);
-    console.log(`  - Average: ${(totalMs / times.length).toFixed(2)}ms`);
-    console.log(`  - First message overhead: ${times[0].toFixed(2)}ms`);
-    console.log(`  - Steady state average: ${(times.slice(1).reduce((a, b) => a + b, 0) / (times.length - 1)).toFixed(2)}ms`);
-}
-
-async function runAllTests() {
-    console.log('[247420] Markdown & Prism Cache Performance Test Suite');
-    console.log('='.repeat(50));
-
-    try {
-        // Test 1: Initialization
-        const initStats = await measureInitialization();
-
-        // Test 2: Markdown rendering
-        const mdStats = await measureMarkdownRendering();
-
-        // Test 3: Syntax highlighting
-        const syntaxStats = await measureSyntaxHighlighting();
-
-        // Test 4: Multi-message stream
-        await measureMultipleMessages();
-
-        // Final cache stats
-        console.log('\n=== Final Cache Statistics ===');
-        const finalStats = getCacheStats();
-        console.log(`Total messages rendered: ${finalStats.renderStats.count}`);
-        console.log(`Average render time: ${finalStats.renderStats.avgTimeMs}ms`);
-        console.log(`Min/Max render time: ${finalStats.renderStats.minTimeMs}ms / ${finalStats.renderStats.maxTimeMs}ms`);
-
-        // Summary
-        console.log('\n=== Summary ===');
-        console.log(`Library init (one-time): ${initStats.initMs.markdown + initStats.initMs.prism}ms`);
-        console.log(`Markdown render: ~${mdStats.avg.toFixed(1)}ms per message (cached)`);
-        console.log(`Cache hit on subsequent init: 0ms (verified)`);
-        console.log(`Estimated time for 100 messages without cache: ~10000+ms`);
-        console.log(`Estimated time for 100 messages with cache: ~${(mdStats.avg * 100 + initStats.initMs.markdown + initStats.initMs.prism).toFixed(0)}ms`);
-        const speedup = (10000 + initStats.initMs.markdown + initStats.initMs.prism) / (mdStats.avg * 100 + initStats.initMs.markdown + initStats.initMs.prism);
-        console.log(`Performance improvement: ~${speedup.toFixed(1)}x faster`);
-
-        console.log('\nPASS All tests completed successfully');
-    } catch (err) {
-        console.error('\nFAIL Test failed:', err.message);
-        console.error(err.stack);
-        process.exit(1);
-    }
-}
-
-// Run tests
-runAllTests().then(() => process.exit(0)).catch(err => {
-    console.error('Fatal error:', err);
-    process.exit(1);
-});