lumiverse-spindle-types 0.5.14 → 0.5.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lumiverse-spindle-types",
-  "version": "0.5.14",
+  "version": "0.5.16",
   "types": "./src/index.ts",
   "keywords": [
     "lumiverse",

package/src/dom.ts

@@ -259,6 +259,14 @@ export interface SpindleSandboxFrameOptions {
   minHeight?: number;
   /** Maximum host iframe height in CSS pixels. Default: `4000`. */
   maxHeight?: number;
+  /**
+   * Opt this frame into CSP 'unsafe-eval' so the iframe can use eval / new
+   * Function (e.g. frameworks that compile templates at runtime). Requires the
+   * extension to hold the privileged `unsafe_eval` permission, otherwise the
+   * host ignores this and the frame's CSP stays default (unsafe-inline only).
+   * Default: false.
+   */
+  allowEval?: boolean;
 }
 
 export interface SpindleSandboxFrameHandle {

package/src/permissions.ts

@@ -22,6 +22,8 @@
  * - "web_search"           — execute searches via the user's configured web search
  *                            provider (e.g. SearXNG) and read the safe view of their
  *                            web search settings (never the API key).
+ * - "unsafe_eval"          — opt a sandboxed widget frame into CSP 'unsafe-eval'
+ *                            (eval / new Function) for runtime-compiling frameworks.
  */
 export type SpindlePermission =
   | "generation"
@@ -48,7 +50,8 @@ export type SpindlePermission =
   | "images"
   | "generation_parameters"
   | "macro_interceptor"
-  | "web_search";
+  | "web_search"
+  | "unsafe_eval";
 
 export const ALL_PERMISSIONS: readonly SpindlePermission[] = [
   "generation",
@@ -76,6 +79,7 @@ export const ALL_PERMISSIONS: readonly SpindlePermission[] = [
   "generation_parameters",
   "macro_interceptor",
   "web_search",
+  "unsafe_eval",
 ] as const;
 
 export function isValidPermission(p: string): p is SpindlePermission {