designlang 7.2.0 → 9.0.0

package/website/jsconfig.json

@@ -1,7 +0,0 @@
-{
-  "compilerOptions": {
-    "paths": {
-      "@/*": ["./*"]
-    }
-  }
-}

package/website/lib/cache.js

@@ -1,73 +0,0 @@
-// Vercel Blob-backed cache for extraction payloads.
-//
-// TTL: 24h, enforced on read by checking `generatedAt` in the stored payload.
-// Key: normalized URL → SHA-256 hex.
-// Gracefully no-ops when BLOB_READ_WRITE_TOKEN is absent (local dev).
-
-import { createHash } from 'node:crypto';
-
-const TTL_MS = 24 * 60 * 60 * 1000;
-let warnedMissingToken = false;
-
-export function cacheKey(url) {
-  const normalized = String(url).trim().toLowerCase();
-  return createHash('sha256').update(normalized).digest('hex');
-}
-
-function hasBlob() {
-  if (!process.env.BLOB_READ_WRITE_TOKEN) {
-    if (!warnedMissingToken) {
-      console.log('[cache] BLOB_READ_WRITE_TOKEN not set — skipping cache');
-      warnedMissingToken = true;
-    }
-    return false;
-  }
-  return true;
-}
-
-function blobPath(key) {
-  return `extract-cache/${key}.json`;
-}
-
-export async function getCached(key) {
-  if (!hasBlob()) return null;
-  try {
-    const { list } = await import('@vercel/blob');
-    const path = blobPath(key);
-    const result = await list({ prefix: path, limit: 1 });
-    const blob = result.blobs?.find((b) => b.pathname === path);
-    if (!blob) return null;
-
-    const res = await fetch(blob.url, { cache: 'no-store' });
-    if (!res.ok) return null;
-    const payload = await res.json();
-
-    const generatedAt = typeof payload?.generatedAt === 'number' ? payload.generatedAt : 0;
-    if (Date.now() - generatedAt > TTL_MS) return null;
-    if (!payload?.design) return null;
-    return { design: payload.design };
-  } catch (err) {
-    console.error('[cache] read failed', err?.message);
-    return null;
-  }
-}
-
-export async function putCached(key, { design }) {
-  if (!hasBlob()) return;
-  try {
-    const { put } = await import('@vercel/blob');
-    const payload = {
-      generatedAt: Date.now(),
-      expiresAt: Date.now() + TTL_MS,
-      design,
-    };
-    await put(blobPath(key), JSON.stringify(payload), {
-      access: 'public',
-      contentType: 'application/json',
-      addRandomSuffix: false,
-      allowOverwrite: true,
-    });
-  } catch (err) {
-    console.error('[cache] write failed', err?.message);
-  }
-}

package/website/lib/rate-limit.js

@@ -1,30 +0,0 @@
-// Per-key in-memory rate limiter.
-//
-// Vercel Fluid Compute reuses function instances across concurrent requests
-// within a region, so this Map is *per-instance*, not global. An attacker can
-// spread requests across regions to bypass it — that's acceptable for Wave 2
-// because we pair this at the middleware layer with Vercel BotID (out of scope
-// for PR B). The per-instance bound still blunts accidental hammering.
-
-const hits = new Map();
-
-export function checkRate(key, { limit = 3, windowMs = 24 * 60 * 60 * 1000 } = {}) {
-  const now = Date.now();
-  const entry = hits.get(key);
-
-  if (!entry || now - entry.firstAt >= windowMs) {
-    hits.set(key, { count: 1, firstAt: now });
-    return { allowed: true, remaining: Math.max(0, limit - 1), resetAt: now + windowMs };
-  }
-
-  entry.count += 1;
-  const resetAt = entry.firstAt + windowMs;
-  const allowed = entry.count <= limit;
-  const remaining = Math.max(0, limit - entry.count);
-  return { allowed, remaining, resetAt };
-}
-
-// Test-only: wipe state. Safe to call from production code — no-op effect.
-export function _resetRateLimit() {
-  hits.clear();
-}

package/website/lib/rate-limit.test.js

@@ -1,55 +0,0 @@
-import { test, beforeEach } from 'node:test';
-import assert from 'node:assert/strict';
-import { checkRate, _resetRateLimit } from './rate-limit.js';
-
-beforeEach(() => _resetRateLimit());
-
-test('first three requests allowed, fourth blocked', () => {
-  const key = 'ip-1';
-  assert.equal(checkRate(key).allowed, true);
-  assert.equal(checkRate(key).allowed, true);
-  assert.equal(checkRate(key).allowed, true);
-  assert.equal(checkRate(key).allowed, false);
-});
-
-test('remaining counts down', () => {
-  const key = 'ip-2';
-  assert.equal(checkRate(key).remaining, 2);
-  assert.equal(checkRate(key).remaining, 1);
-  assert.equal(checkRate(key).remaining, 0);
-  assert.equal(checkRate(key).remaining, 0);
-});
-
-test('different keys have independent budgets', () => {
-  checkRate('a');
-  checkRate('a');
-  checkRate('a');
-  assert.equal(checkRate('a').allowed, false);
-  assert.equal(checkRate('b').allowed, true);
-});
-
-test('window reset after expiry', async () => {
-  const key = 'ip-3';
-  const opts = { limit: 2, windowMs: 30 };
-  assert.equal(checkRate(key, opts).allowed, true);
-  assert.equal(checkRate(key, opts).allowed, true);
-  assert.equal(checkRate(key, opts).allowed, false);
-  await new Promise((r) => setTimeout(r, 40));
-  const after = checkRate(key, opts);
-  assert.equal(after.allowed, true);
-  assert.equal(after.remaining, 1);
-});
-
-test('custom limit respected', () => {
-  const key = 'ip-4';
-  const opts = { limit: 5, windowMs: 60000 };
-  for (let i = 0; i < 5; i++) assert.equal(checkRate(key, opts).allowed, true);
-  assert.equal(checkRate(key, opts).allowed, false);
-});
-
-test('resetAt advances with the first-seen time', () => {
-  const key = 'ip-5';
-  const { resetAt: a } = checkRate(key, { limit: 3, windowMs: 60000 });
-  const { resetAt: b } = checkRate(key, { limit: 3, windowMs: 60000 });
-  assert.equal(a, b);
-});

package/website/lib/specimens.json

@@ -1,86 +0,0 @@
-[
-  {
-    "host": "stripe.com",
-    "display": "Stripe",
-    "year": 2026,
-    "framework": "Next.js",
-    "accent": "#635BFF",
-    "palette": ["#635BFF", "#0A2540", "#F7FAFC", "#1A1F36", "#F6F9FC"],
-    "fontDisplay": "Sohne Breit",
-    "fontBody": "Sohne",
-    "radius": "8px",
-    "a11y": 94,
-    "designScore": 91,
-    "note": "Tight palette, disciplined spacing scale. The gradient hero is one of the few remaining brand indulgences."
-  },
-  {
-    "host": "vercel.com",
-    "display": "Vercel",
-    "year": 2026,
-    "framework": "Next.js",
-    "accent": "#0A0A0A",
-    "palette": ["#0A0A0A", "#FAFAFA", "#EAEAEA", "#A1A1A1", "#0070F3"],
-    "fontDisplay": "Geist",
-    "fontBody": "Geist",
-    "radius": "6px",
-    "a11y": 92,
-    "designScore": 88,
-    "note": "A monochrome system with a single blue for links. Geist carries almost the entire identity."
-  },
-  {
-    "host": "linear.app",
-    "display": "Linear",
-    "year": 2026,
-    "framework": "Next.js",
-    "accent": "#5E6AD2",
-    "palette": ["#5E6AD2", "#08090A", "#1C1D1F", "#D2D4E6", "#F7F8F8"],
-    "fontDisplay": "Inter Tight",
-    "fontBody": "Inter",
-    "radius": "8px",
-    "a11y": 90,
-    "designScore": 89,
-    "note": "Dark-first marketing with a precise purple. Every surface has been rounded to exactly 8px."
-  },
-  {
-    "host": "github.com",
-    "display": "GitHub",
-    "year": 2026,
-    "framework": "Rails",
-    "accent": "#0969DA",
-    "palette": ["#0969DA", "#0D1117", "#F6F8FA", "#1F2328", "#D0D7DE"],
-    "fontDisplay": "Mona Sans",
-    "fontBody": "Mona Sans",
-    "radius": "6px",
-    "a11y": 96,
-    "designScore": 82,
-    "note": "Primer is the reason. Densely informational and accessible — but the marketing pages drift."
-  },
-  {
-    "host": "figma.com",
-    "display": "Figma",
-    "year": 2026,
-    "framework": "Ember",
-    "accent": "#F24E1E",
-    "palette": ["#F24E1E", "#0D0D0D", "#FFFFFF", "#A259FF", "#1ABCFE"],
-    "fontDisplay": "Whyte",
-    "fontBody": "Whyte",
-    "radius": "5px",
-    "a11y": 88,
-    "designScore": 85,
-    "note": "The only site where the brand colors from the logo are still visible across the whole product."
-  },
-  {
-    "host": "apple.com",
-    "display": "Apple",
-    "year": 2026,
-    "framework": "Custom",
-    "accent": "#0071E3",
-    "palette": ["#0071E3", "#1D1D1F", "#F5F5F7", "#86868B", "#FBFBFD"],
-    "fontDisplay": "SF Pro Display",
-    "fontBody": "SF Pro Text",
-    "radius": "12px",
-    "a11y": 93,
-    "designScore": 94,
-    "note": "Four grays, one blue, SF Pro. The spacing and type ramp is the most imitated system on the web."
-  }
-]

package/website/lib/token-helpers.js

@@ -1,70 +0,0 @@
-// Browser-friendly DTCG helpers — mirrors src/formatters/_token-ref.js contract.
-// resolveRef: follow {ref} chains, guard cycles.
-// flattenTokens: walk primitive.*/semantic.* into a flat row list.
-
-const REF_PATTERN = /^\{([^}]+)\}$/;
-
-function parseRef(value) {
-  if (typeof value !== 'string') return null;
-  const m = value.match(REF_PATTERN);
-  return m ? m[1] : null;
-}
-
-function getAtPath(tokens, path) {
-  const parts = path.split('.');
-  let node = tokens;
-  for (const part of parts) {
-    if (node == null || typeof node !== 'object') return undefined;
-    node = node[part];
-  }
-  return node;
-}
-
-export function resolveRef(tokens, pathOrRefString, seen = new Set()) {
-  if (pathOrRefString == null) return undefined;
-  const refPath = parseRef(pathOrRefString);
-  const path = refPath != null ? refPath : String(pathOrRefString);
-  if (seen.has(path)) return undefined;
-  seen.add(path);
-
-  const node = getAtPath(tokens, path);
-  if (node == null) return undefined;
-
-  if (typeof node === 'object' && '$value' in node) {
-    const inner = node.$value;
-    const innerRef = parseRef(inner);
-    if (innerRef) return resolveRef(tokens, innerRef, seen);
-    return inner;
-  }
-
-  const innerRef = parseRef(node);
-  if (innerRef) return resolveRef(tokens, innerRef, seen);
-
-  return node;
-}
-
-// Walk a DTCG subtree and collect every leaf token (one with $value).
-function walk(node, prefix, out, layer) {
-  if (node == null || typeof node !== 'object') return;
-  if ('$value' in node) {
-    out.push({ layer, path: prefix, $type: node.$type, $value: node.$value });
-    return;
-  }
-  for (const key of Object.keys(node)) {
-    if (key.startsWith('$')) continue;
-    const next = prefix ? `${prefix}.${key}` : key;
-    walk(node[key], next, out, layer);
-  }
-}
-
-export function flattenTokens(tokens, opts = { layer: 'all' }) {
-  const layer = opts.layer || 'all';
-  const rows = [];
-  if (layer === 'primitive' || layer === 'all') {
-    walk(tokens.primitive, 'primitive', rows, 'primitive');
-  }
-  if (layer === 'semantic' || layer === 'all') {
-    walk(tokens.semantic, 'semantic', rows, 'semantic');
-  }
-  return rows;
-}

package/website/lib/url-safety.js

@@ -1,103 +0,0 @@
-// URL safety guard for the extraction endpoint.
-//
-// Validates a raw user-supplied URL against common SSRF vectors. Pure function —
-// no DNS lookups (deferred to Wave 3 when we pair with BotID at middleware).
-//
-// Allowed: http(s) URLs on port 80/443, public hostnames.
-// Rejected: private IPs (v4 + v6), loopback, link-local, localhost, *.local,
-// *.localhost, non-http(s) schemes, non-standard ports.
-
-const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
-
-function isPrivateIPv4(host) {
-  const m = host.match(IPV4);
-  if (!m) return false;
-  const [a, b] = [Number(m[1]), Number(m[2])];
-  if (a < 0 || a > 255 || b < 0 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return true;
-  if (a === 10) return true;                                  // 10.0.0.0/8
-  if (a === 127) return true;                                 // 127.0.0.0/8
-  if (a === 169 && b === 254) return true;                    // 169.254.0.0/16
-  if (a === 172 && b >= 16 && b <= 31) return true;           // 172.16.0.0/12
-  if (a === 192 && b === 168) return true;                    // 192.168.0.0/16
-  if (a === 0) return true;                                   // 0.0.0.0/8
-  return false;
-}
-
-// Normalize an IPv6 literal: strip surrounding brackets, lowercase.
-function stripV6Brackets(host) {
-  if (host.startsWith('[') && host.endsWith(']')) return host.slice(1, -1);
-  return host;
-}
-
-function isIPv6Literal(host) {
-  // Very loose — anything with a colon that isn't a port-suffixed hostname.
-  return host.includes(':');
-}
-
-function isPrivateIPv6(rawHost) {
-  const host = stripV6Brackets(rawHost).toLowerCase();
-  if (!isIPv6Literal(host)) return false;
-  // Normalize abbreviated forms conservatively.
-  if (host === '::1' || host === '0:0:0:0:0:0:0:1') return true;      // loopback
-  if (host === '::' || host === '0:0:0:0:0:0:0:0') return true;        // unspecified
-  // IPv4-mapped / compat: ::ffff:127.0.0.1 → treat the embedded IPv4
-  const v4mapped = host.match(/::ffff:(\d+\.\d+\.\d+\.\d+)/);
-  if (v4mapped && isPrivateIPv4(v4mapped[1])) return true;
-  // fc00::/7 — unique local addresses (fc.. or fd..)
-  if (/^f[cd][0-9a-f]{0,2}:/.test(host)) return true;
-  // fe80::/10 — link-local
-  if (/^fe[89ab][0-9a-f]?:/.test(host)) return true;
-  return false;
-}
-
-function isLocalHostname(host) {
-  const h = host.toLowerCase();
-  if (h === 'localhost') return true;
-  if (h.endsWith('.local')) return true;
-  if (h.endsWith('.localhost')) return true;
-  return false;
-}
-
-export function validateTargetUrl(rawUrl) {
-  if (typeof rawUrl !== 'string' || !rawUrl.trim()) {
-    return { ok: false, reason: 'URL is required', status: 400 };
-  }
-  let input = rawUrl.trim();
-  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(input)) {
-    input = `https://${input}`;
-  }
-
-  let parsed;
-  try { parsed = new URL(input); } catch {
-    return { ok: false, reason: 'Invalid URL', status: 400 };
-  }
-
-  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
-    return { ok: false, reason: 'Only http(s) URLs are allowed', status: 400 };
-  }
-
-  // Port check: URL leaves `port` empty for defaults (80 for http, 443 for https).
-  // Explicit 80/443 are fine; anything else is rejected.
-  if (parsed.port && parsed.port !== '80' && parsed.port !== '443') {
-    return { ok: false, reason: 'Port not allowed (only 80/443)', status: 400 };
-  }
-
-  const hostname = parsed.hostname;
-  if (!hostname) {
-    return { ok: false, reason: 'Missing hostname', status: 400 };
-  }
-
-  if (isLocalHostname(hostname)) {
-    return { ok: false, reason: 'Local hostnames are not allowed', status: 400 };
-  }
-
-  if (IPV4.test(hostname) && isPrivateIPv4(hostname)) {
-    return { ok: false, reason: 'Private IP addresses are not allowed', status: 400 };
-  }
-
-  if (isPrivateIPv6(hostname)) {
-    return { ok: false, reason: 'Private IP addresses are not allowed', status: 400 };
-  }
-
-  return { ok: true, url: parsed.toString() };
-}

package/website/lib/url-safety.test.js

@@ -1,116 +0,0 @@
-import { test } from 'node:test';
-import assert from 'node:assert/strict';
-import { validateTargetUrl } from './url-safety.js';
-
-test('accepts https URL', () => {
-  const r = validateTargetUrl('https://stripe.com');
-  assert.equal(r.ok, true);
-  assert.equal(r.url, 'https://stripe.com/');
-});
-
-test('accepts http URL on port 80', () => {
-  const r = validateTargetUrl('http://example.com:80');
-  assert.equal(r.ok, true);
-});
-
-test('normalizes bare hostname to https', () => {
-  const r = validateTargetUrl('example.com');
-  assert.equal(r.ok, true);
-  assert.equal(r.url, 'https://example.com/');
-});
-
-test('rejects localhost', () => {
-  const r = validateTargetUrl('http://localhost');
-  assert.equal(r.ok, false);
-  assert.equal(r.status, 400);
-});
-
-test('rejects *.local hostnames', () => {
-  const r = validateTargetUrl('https://printer.local');
-  assert.equal(r.ok, false);
-});
-
-test('rejects *.localhost hostnames', () => {
-  const r = validateTargetUrl('https://app.localhost');
-  assert.equal(r.ok, false);
-});
-
-test('rejects 127.0.0.1', () => {
-  const r = validateTargetUrl('http://127.0.0.1');
-  assert.equal(r.ok, false);
-});
-
-test('rejects 10.x private range', () => {
-  const r = validateTargetUrl('http://10.1.2.3');
-  assert.equal(r.ok, false);
-});
-
-test('rejects 192.168.x private range', () => {
-  const r = validateTargetUrl('http://192.168.0.1');
-  assert.equal(r.ok, false);
-});
-
-test('rejects 172.16–31.x private range', () => {
-  const r = validateTargetUrl('http://172.20.0.5');
-  assert.equal(r.ok, false);
-});
-
-test('allows 172.15.x (outside private range)', () => {
-  const r = validateTargetUrl('http://172.15.0.1');
-  assert.equal(r.ok, true);
-});
-
-test('rejects 169.254.x link-local', () => {
-  const r = validateTargetUrl('http://169.254.0.1');
-  assert.equal(r.ok, false);
-});
-
-test('rejects file:// scheme', () => {
-  const r = validateTargetUrl('file://evil');
-  assert.equal(r.ok, false);
-});
-
-test('rejects javascript: scheme', () => {
-  const r = validateTargetUrl('javascript:alert(1)');
-  assert.equal(r.ok, false);
-});
-
-test('rejects non-80/443 port', () => {
-  const r = validateTargetUrl('https://example.com:22');
-  assert.equal(r.ok, false);
-});
-
-test('rejects port 3000', () => {
-  const r = validateTargetUrl('https://example.com:3000');
-  assert.equal(r.ok, false);
-});
-
-test('rejects IPv6 loopback ::1', () => {
-  const r = validateTargetUrl('http://[::1]');
-  assert.equal(r.ok, false);
-});
-
-test('rejects IPv6 [::1]:3000', () => {
-  const r = validateTargetUrl('http://[::1]:3000');
-  assert.equal(r.ok, false);
-});
-
-test('rejects IPv6 unique-local fc00::', () => {
-  const r = validateTargetUrl('http://[fc00::1]');
-  assert.equal(r.ok, false);
-});
-
-test('rejects IPv6 link-local fe80::', () => {
-  const r = validateTargetUrl('http://[fe80::1]');
-  assert.equal(r.ok, false);
-});
-
-test('rejects empty string', () => {
-  const r = validateTargetUrl('');
-  assert.equal(r.ok, false);
-});
-
-test('rejects garbage', () => {
-  const r = validateTargetUrl('http://');
-  assert.equal(r.ok, false);
-});

package/website/lib/zip-files.js

@@ -1,15 +0,0 @@
-// Client-side helper — turns a {filename: string} map into a Blob URL.
-// The caller is responsible for calling URL.revokeObjectURL on the returned url.
-
-export async function zipFilesToUrl(files, { name = 'designlang-output' } = {}) {
-  const JSZip = (await import('jszip')).default;
-  const zip = new JSZip();
-  for (const [filename, content] of Object.entries(files)) {
-    zip.file(filename, content);
-  }
-  const blob = await zip.generateAsync({ type: 'blob' });
-  return {
-    url: URL.createObjectURL(blob),
-    filename: `${name}.zip`,
-  };
-}

package/website/next.config.mjs

@@ -1,15 +0,0 @@
-/** @type {import('next').NextConfig} */
-const nextConfig = {
-  turbopack: {},
-  webpack: (config, { isServer }) => {
-    if (isServer) {
-      // Don't bundle playwright — emit require('playwright-core') at runtime instead
-      config.externals.push({
-        'playwright': 'commonjs playwright-core',
-      });
-    }
-    return config;
-  },
-};
-
-export default nextConfig;