create-zudo-doc 0.2.20 → 0.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/scaffold.js CHANGED
@@ -448,11 +448,11 @@ function generatePackageJson(choices) {
448
448
  // stability, multi-valued response headers (e.g. multiple Set-Cookie),
449
449
  // supplementary-plane CJK reading-time, plus CLI/server/runtime hardening
450
450
  // and render perf passes. No consumer-facing / CLI breaking change.
451
- "@takazudo/zfb": "0.1.0-next.58",
452
- "@takazudo/zfb-runtime": "0.1.0-next.58",
451
+ "@takazudo/zfb": "0.1.0-next.59",
452
+ "@takazudo/zfb-runtime": "0.1.0-next.59",
453
453
  // zfb-adapter-cloudflare — required for any route with `prerender = false`.
454
454
  // Pinned in lockstep with @takazudo/zfb.
455
- "@takazudo/zfb-adapter-cloudflare": "0.1.0-next.58",
455
+ "@takazudo/zfb-adapter-cloudflare": "0.1.0-next.59",
456
456
  // @takazudo/zudo-doc — published from this monorepo via
457
457
  // .github/workflows/publish-zudo-doc.yml. The pin here is bumped in
458
458
  // lockstep by scripts/release-create-zudo-doc.sh whenever zudo-doc's
@@ -464,7 +464,7 @@ function generatePackageJson(choices) {
464
464
  // ties this pin to packages/zudo-doc's version, so the lockstep release
465
465
  // bumps both together; do not cut a create-zudo-doc release until the
466
466
  // matching @takazudo/zudo-doc version (with content.css) is on npm.
467
- "@takazudo/zudo-doc": "^0.2.20",
467
+ "@takazudo/zudo-doc": "^0.2.21",
468
468
  // zod — used by the generated zfb.config.ts. zfb-config-gen emits
469
469
  // `import { z } from "zod"` for the content-collection schema +
470
470
  // `z.toJSONSchema(...)` conversion. Without this dep, the consumer
@@ -518,7 +518,7 @@ function generatePackageJson(choices) {
518
518
  // @takazudo/zudo-doc/integrations/doc-history which in turn imports
519
519
  // @takazudo/zudo-doc-history-server/git-history. Without this dep the
520
520
  // plugin host fails at init with ERR_MODULE_NOT_FOUND — W8A (#1739).
521
- deps["@takazudo/zudo-doc-history-server"] = "^0.2.20";
521
+ deps["@takazudo/zudo-doc-history-server"] = "^0.2.21";
522
522
  // W7A (#1736): doc-history-plugin.mjs spawns `tsx -e <inline-script>` to
523
523
  // run the v2 runtime in a TS-aware Node subprocess; without tsx the
524
524
  // plugin's preBuild step exits with ENOENT before zfb finishes config
@@ -571,6 +571,8 @@ function generatePackageJson(choices) {
571
571
  }
572
572
  if (choices.features.includes("skillSymlinker")) {
573
573
  scripts["setup:doc-skill"] = "bash scripts/setup-doc-skill.sh";
574
+ scripts["setup:doc-skill-silent"] =
575
+ "bash scripts/setup-doc-skill.sh --silent";
574
576
  }
575
577
  const runCmd = choices.packageManager === "npm" || choices.packageManager === "bun" ? `${choices.packageManager} run` : choices.packageManager;
576
578
  // claudeSkills ships the zudo-doc-version-bump skill, whose release workflow
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-zudo-doc",
3
- "version": "0.2.20",
3
+ "version": "0.2.21",
4
4
  "description": "Create a new zudo-doc documentation site",
5
5
  "license": "MIT",
6
6
  "author": "Takeshi Takatsudo",
@@ -215,7 +215,7 @@ export function DocPageShell(props: DocPageShellProps): JSX.Element {
215
215
  }
216
216
  tocOverride={tocOverride}
217
217
  mobileTocOverride={mobileTocOverride}
218
- afterSidebar={<SidebarPrepaint />}
218
+ afterSidebar={<SidebarPrepaint hideSidebar={hideSidebar} />}
219
219
  footerOverride={<FooterWithDefaults lang={locale} />}
220
220
  bodyEndComponents={<DocBodyEnd />}
221
221
  enableClientRouter={settings.dynamicPageTransition}
@@ -23,23 +23,35 @@ import { Island } from "@takazudo/zfb";
23
23
  import { settings } from "@/config/settings";
24
24
  import DesktopSidebarToggle from "@/components/desktop-sidebar-toggle";
25
25
 
26
+ /** Props for {@link SidebarPrepaint}. */
27
+ export interface SidebarPrepaintProps {
28
+ /**
29
+ * Mirrors the page's `hide_sidebar: true` frontmatter. When true the desktop
30
+ * toggle is skipped — there is no visible sidebar for it to collapse.
31
+ */
32
+ hideSidebar?: boolean;
33
+ }
34
+
26
35
  /**
27
36
  * The `afterSidebar` slot content shared by all four doc-route page components.
28
37
  *
29
38
  * Returns the pre-paint localStorage script + `DesktopSidebarToggle` Island
30
- * when `settings.sidebarToggle` is enabled; returns `undefined` when it is
31
- * disabled (matching the conditional the route files used inline).
39
+ * when `settings.sidebarToggle` is enabled AND the page actually shows a
40
+ * sidebar; returns `undefined` when the toggle is disabled or the page hides
41
+ * the sidebar (matching the conditional the route files used inline).
32
42
  */
33
- export function SidebarPrepaint(): JSX.Element | undefined {
34
- if (!settings.sidebarToggle) return undefined;
43
+ export function SidebarPrepaint({
44
+ hideSidebar,
45
+ }: SidebarPrepaintProps): JSX.Element | undefined {
46
+ if (!settings.sidebarToggle || hideSidebar) return undefined;
35
47
 
36
48
  return (
37
49
  <>
38
50
  {/* Pre-paint inline script: restore persisted sidebar visibility to
39
51
  <html data-sidebar-hidden> before first paint to avoid flash.
40
- Runs unconditionally when sidebarToggle is enabled; the attribute
41
- is only set when localStorage says "false" so the default (visible)
42
- needs no attribute and causes no layout shift. */}
52
+ Rendered only when the toggle is enabled and the page shows a
53
+ sidebar; the attribute is only set when localStorage says "false"
54
+ so the default (visible) needs no attribute and causes no layout shift. */}
43
55
  <script dangerouslySetInnerHTML={{
44
56
  __html: `(function(){try{if(localStorage.getItem('zudo-doc-sidebar-visible')==='false'){document.documentElement.setAttribute('data-sidebar-hidden','');}}catch(e){}})();`,
45
57
  }} />
@@ -1,10 +1,7 @@
1
1
  {
2
2
  "identifier": "default",
3
- "description": "Default capabilities for the main window",
3
+ "description": "Default capabilities for the main window. The shipped offline reader loads the embedded dist/ via the tauri:// protocol (WebviewUrl::App), so it needs no remote-origin grant. The previous `remote.urls: http://localhost:*/**` grant was dropped (zudolab/zudo-doc#2240) so no localhost-served page can reach core:default. `cargo tauri dev` still loads http://localhost:4321, but the zudo-doc site invokes no Tauri commands, so it does not need the grant either.",
4
4
  "windows": ["main"],
5
- "remote": {
6
- "urls": ["http://localhost:*/**"]
7
- },
8
5
  "permissions": [
9
6
  "core:default"
10
7
  ]
@@ -10,7 +10,7 @@
10
10
  "app": {
11
11
  "windows": [],
12
12
  "security": {
13
- "csp": null
13
+ "csp": "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; script-src 'self' 'unsafe-inline' https://esm.sh; connect-src 'self' https://esm.sh https://cdn.jsdelivr.net"
14
14
  }
15
15
  },
16
16
  "bundle": {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "identifier": "default",
3
- "description": "Default capabilities for the main window",
3
+ "description": "Default capabilities for the main window. TRUST NOTE (zudolab/zudo-doc#2240): Mode 2 displays an arbitrary, user-configured localhost project in this webview, and `remote.urls` grants core:default to any http://localhost:*/** origin. Combined with withGlobalTauri (required by frontend/index.html's launch-error listener + retry_launch invoke), a malicious dependency in the wrapped project would gain Tauri reach. This is an accepted trust assumption for a developer-only wrapper: only point Mode 2 at projects you trust. The grant is intentionally dev-scoped (localhost only). Narrowing it to the single configured port, or splitting the local-frontend capability from the remote-project capability, is tracked as a future hardening.",
4
4
  "windows": ["main"],
5
5
  "remote": { "urls": ["http://localhost:*/**"] },
6
6
  "permissions": ["core:default"]