netra-artifacts 0.1.0-alpha.0

package/dist/prompts/htmlArtifactPrompt.js

@@ -0,0 +1,248 @@
+import { BASE_SYSTEM_PROMPT } from "./systemPrompt.js";
+import { SYSTEM_FONT_STACK } from "../constants/defaults.js";
+function buildOutputFormat(presentation) {
+    if (presentation === "seamless") {
+        return `You are answering in HTML_ARTIFACT mode. Output EXACTLY two sections and nothing else:
+
+<assistant_message>
+A short (1-2 sentence) chat message. Mention the aesthetic direction you chose, naturally.
+</assistant_message>
+
+<html_artifact title="A concise human-readable title">
+<!DOCTYPE html>
+<html lang="en" style="background:transparent;margin:0;padding:0;">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+<title>...</title>
+</head>
+<body style="background:transparent;margin:0;padding:0;">
+<!-- content with inline style attributes on elements; do not output any <style> tag -->
+</body>
+</html>
+</html_artifact>`;
+    }
+    return `You are answering in HTML_ARTIFACT mode. Output EXACTLY two sections and nothing else:
+
+<assistant_message>
+A short (1-2 sentence) chat message. Mention the aesthetic direction you chose, naturally.
+</assistant_message>
+
+<html_artifact title="A concise human-readable title">
+<!DOCTYPE html>
+<html lang="en" style="margin:0;padding:0">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+<title>...</title>
+</head>
+<body style="margin:0; /* declare your OWN design tokens + page background inline here (e.g. --bg/--fg/--accent), then set background + color from them. Pick the palette that best fits — light, dark, or vivid; never plain white-on-white */">
+<!-- content with ALL styling inline via style="" on each element; no <style> tag. Make it fully responsive with intrinsic CSS (see responsive rules). -->
+</body>
+</html>
+</html_artifact>`;
+}
+const HARD_RULES = `HARD RULES — the artifact renders in a sandboxed iframe with NO JavaScript:
+- Output a COMPLETE, valid HTML document (<!DOCTYPE html>, <html>, <head>, <body>, meta charset, meta viewport).
+- You are already in HTML_ARTIFACT mode. ALWAYS emit the <html_artifact> block. Never answer with explanation-only prose, even if the user says "check", "test", "show", "demo", or repeats the request messily.
+- 100% static HTML + CSS. NO JavaScript, NO <script>, NO event handlers (onclick/onload/...), NO javascript: URLs, NO external JS.
+- NO markdown code fences. NO prose outside <assistant_message>. NO placeholders ("data will load here") — PRECOMPUTE and write every value directly into the HTML.
+- Reset body margins (body{margin:0}). Avoid fixed body heights and fixed/overlay positioning that breaks inside an iframe. Content flows top-to-bottom and is fully responsive.
+- Semantic HTML and accessible labels (label/for, alt text, aria where helpful). Maintain strong color contrast.`;
+function buildInlineOnlyRule() {
+    return `INLINE CSS ONLY — THIS IS A HARD CONSTRAINT FOR EVERY ARTIFACT (read carefully):
+Any <style> tag you write is DELETED before the artifact renders. CSS placed in a <style> tag, a :root block, or any stylesheet rule WILL NOT APPLY and your design will appear broken/unstyled. The ONLY styling that survives is a style="" attribute on the element it affects. Keep markup bare-minimum.
+
+ALLOWED:
+- A style="" attribute on every element you want to style.
+- CSS custom properties declared inline on <html style="--bg:...;--fg:...;..."> and referenced from descendants via var(), e.g. style="color:var(--fg)".
+- Inline layout — this is how you make it responsive WITHOUT media queries:
+  - Fluid grid that reflows by itself: style="display:grid;gap:16px;grid-template-columns:repeat(auto-fit,minmax(min(100%,240px),1fr))"
+  - Wrapping rows / navs: style="display:flex;flex-wrap:wrap;gap:12px;align-items:center"
+  - Fluid type/space with clamp(): style="font-size:clamp(1.5rem,1rem+3vw,3rem)"
+  - Wide tables/timelines: wrap in style="overflow-x:auto" so they scroll instead of overflowing the page.
+- SVG via presentation attributes (fill, stroke, …) and inline style="" on SVG nodes.
+- <link> to Google Fonts in <head> (font loading only); apply font-family inline.
+
+FORBIDDEN (none work without a stylesheet — never emit them):
+- <style> tags anywhere. :root{} blocks. Class/ID/element/attribute CSS selectors.
+- @media, @keyframes, @font-face, @supports, @container.
+- Pseudo-classes/elements: :hover, :focus, :active, ::before, ::after, ::marker.
+- "Utility classes" (Tailwind-style) — class="" does NOTHING here; style inline. Omit class attributes.
+- A click-toggle "burger" menu (needs a stylesheet/JS). For navs, use a single wrapping/scrolling row instead (flex-wrap, or overflow-x:auto).
+
+CONCRETE RESPONSIVE PATTERN (inline auto-fit grid — reflows from 3-up to 1-up by itself):
+<div style="display:grid;gap:14px;grid-template-columns:repeat(auto-fit,minmax(min(100%,240px),1fr))">
+  <div style="padding:18px 20px;border-radius:16px;background:rgba(255,255,255,0.05);border:1px solid rgba(255,255,255,0.10)">
+    <div style="font-size:13px;letter-spacing:.04em;color:var(--muted,rgba(255,255,255,.55))">Revenue</div>
+    <div style="font-size:clamp(24px,2vw+16px,34px);font-weight:700;color:var(--fg,#f4f4f8)">$48.9K</div>
+    <div style="font-size:13px;color:#34d399">▲ 4.2%</div>
+  </div>
+</div>
+Every property is on the element. Do this for the entire artifact.`;
+}
+const DESIGN_DIRECTION = `DESIGN DIRECTION — make it genuinely beautiful, not generic. Avoid "AI slop" at all costs.
+
+1. COMMIT TO A BOLD, COHESIVE AESTHETIC. Pick ONE clear direction that fits the content and execute it precisely. Examples to draw from (do not always pick the same one — vary across generations): editorial/magazine, refined luxury, brutalist/raw, retro-futuristic, organic/natural, soft pastel, industrial/utilitarian, art-deco/geometric, dark premium, warm minimal. Intentionality beats intensity.
+
+2. DESIGN TOKENS FIRST. Declare your token system INLINE on <html style="--bg:...;--fg:...;--accent:...;--space:...;--radius:..."> (never a :root block or <style> tag) and reference everywhere via var(). A dominant color + 1-2 sharp accents, a spacing scale, radii, shadows. Pick light OR dark deliberately; do not default to white.
+
+3. ANTI-SLOP — NEVER do these:
+   - NO purple/violet gradients on white (the #1 AI cliché).
+   - NO uniform rounded corners on everything; vary radii with intent.
+   - NO everything-centered layouts. Use real composition.
+   - NO generic system/Inter/Arial/Roboto-only typography.
+
+4. SPATIAL COMPOSITION. Use asymmetry, overlap, a clear visual hierarchy, deliberate negative space OR controlled density. Break the grid intentionally. Strong type scale: large confident headings, comfortable body, small-caps/labels where fitting.
+
+5. DEPTH & ATMOSPHERE. Don't settle for flat solid fills. Add tasteful depth: layered subtle gradients or gradient meshes (radial-gradient), soft grain/noise via SVG data-URI background, fine 1px hairlines, dramatic-but-tasteful shadows, glassmorphism only where it earns it. Keep it refined.
+
+6. MOTION. CSS animation (@keyframes) and hover need a stylesheet, which isn't available (inline-only) — DO NOT rely on them. Win with strong STATIC craft: confident type scale, layered depth, gradients, shadows, precise spacing.
+
+7. REAL CONTENT. Use realistic, specific, precomputed data (names, numbers, dates, copy). Never lorem ipsum, never "Item 1 / Item 2".
+
+DATA VISUALS (no JS, no chart libraries): use SVG (paths, bars, polylines, arcs), CSS bars, conic-gradient donuts, linear-gradient progress, semantic tables, stat cards, timelines, funnels, comparison cards — all with precomputed values.
+ACCORDIONS: native <details><summary>…</summary>…</details>, styled with CSS only.`;
+function buildFontRule(allowExternalFonts) {
+    if (allowExternalFonts) {
+        return `TYPOGRAPHY — use DISTINCTIVE fonts (this is what separates premium from slop):
+- Load fonts from Google Fonts only, via <link> in <head> (e.g. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin><link href="https://fonts.googleapis.com/css2?family=...&display=swap" rel="stylesheet">). Other external resources are blocked.
+- Pair a CHARACTERFUL display/heading font with a clean, readable body font. Forbidden as primary fonts: Inter, Roboto, Arial, plain system stacks.
+- Strong, varied pairings to consider (pick one that matches the aesthetic; vary across generations): "Fraunces" + "Inter Tight"; "Clash Display"-style → use "Bricolage Grotesque" + "Newsreader"; "Space Grotesk" + "Spline Sans" (use sparingly); "Instrument Serif" + "Geist"; "Libre Caslon Display" + "Public Sans"; "Sora" + "IBM Plex Sans"; "DM Serif Display" + "DM Sans"; "Syne" + "Manrope".
+- LIMIT to AT MOST 3 font styles total per artifact (e.g. one display + one body, each in up to ~2 weights). Pick ONE pairing and commit; do not scatter many families/weights. Apply font-family inline on elements.
+- Always include a robust fallback in font-family (serif/sans-serif). Set sensible font sizes with clamp() for fluid scaling.`;
+    }
+    return `TYPOGRAPHY: external fonts are disabled — build character through scale, weight, letter-spacing, and small-caps using this system stack only (at most 3 distinct text styles total):\nfont-family: ${SYSTEM_FONT_STACK};`;
+}
+function buildFormRule(allowForms) {
+    if (allowForms) {
+        return `FORMS: native HTML controls only (form, label, input, textarea, select, button) with native validation (required, pattern, min, max, type=email/tel/...). Style inputs to match the aesthetic — custom focus states, generous hit areas. No JavaScript validation.`;
+    }
+    return `FORMS: avoid interactive controls; present information as polished static content.`;
+}
+function buildStyleProfileRule(profile) {
+    if (!profile) {
+        return `STYLE PROFILE: none specified — YOU choose a bold, context-appropriate aesthetic and a distinctive color + type system. Do not play it safe and do not default to a light, centered, purple-on-white layout.`;
+    }
+    const parts = [];
+    if (profile.aesthetic)
+        parts.push(`aesthetic: ${profile.aesthetic}`);
+    if (profile.mood)
+        parts.push(`mood: ${profile.mood}`);
+    if (profile.density)
+        parts.push(`density: ${profile.density}`);
+    if (profile.radius)
+        parts.push(`base radius: ${profile.radius}`);
+    if (profile.font)
+        parts.push(`type feel: ${profile.font}`);
+    if (profile.colorScheme)
+        parts.push(`color scheme: ${profile.colorScheme}`);
+    if (profile.visualComplexity)
+        parts.push(`visual complexity: ${profile.visualComplexity}`);
+    return `STYLE PROFILE — honor these as the creative brief, then push further: ${parts.join(", ")}. Translate them into a concrete palette, type pairing, spacing, and motion. Make it feel intentionally designed for THIS content.`;
+}
+function buildThemeRule(theme, presentation) {
+    if (!theme)
+        return "";
+    const tokens = [];
+    if (theme.colorScheme)
+        tokens.push(`color scheme: ${theme.colorScheme}`);
+    if (theme.background)
+        tokens.push(`page background: ${theme.background}`);
+    if (theme.foreground)
+        tokens.push(`text/foreground: ${theme.foreground}`);
+    if (theme.primary)
+        tokens.push(`primary/brand: ${theme.primary}`);
+    if (theme.accent)
+        tokens.push(`accent: ${theme.accent}`);
+    if (theme.muted)
+        tokens.push(`muted text: ${theme.muted}`);
+    if (theme.border)
+        tokens.push(`borders/hairlines: ${theme.border}`);
+    if (theme.surface)
+        tokens.push(`surfaces/cards: ${theme.surface}`);
+    if (theme.radius)
+        tokens.push(`base radius: ${theme.radius}`);
+    if (theme.fontFamily)
+        tokens.push(`font family: ${theme.fontFamily}`);
+    if (presentation === "seamless") {
+        return `HOST THEME — this artifact is embedded INSIDE a host application, not shown standalone. Match the host's visual system precisely so it looks native and consistent. Put these host values directly into the <html style="..."> custom properties and stay strictly within this palette — do NOT introduce clashing or unrelated colors:
+- ${tokens.join("\n- ")}${theme.notes ? `\n- brand notes: ${theme.notes}` : ""}
+Use these values through inline style attributes only, e.g. style="color:var(--foreground);border-color:var(--border);background:rgba(255,255,255,0.045)". Do not create a :root block or <style> tag.`;
+    }
+    return `HOST THEME — this artifact is embedded INSIDE a host application, not shown standalone. Match the host's visual system precisely so it looks native and consistent. Build your :root tokens from these exact values and stay strictly within this palette — do NOT introduce clashing or unrelated colors:
+- ${tokens.join("\n- ")}${theme.notes ? `\n- brand notes: ${theme.notes}` : ""}
+These host values are also available inside the iframe as CSS variables: --background, --foreground, --primary, --accent, --muted, --border, --surface, --radius, --font. Prefer referencing them (e.g. color: var(--foreground)) so the artifact tracks the host theme. Apply your design craft WITHIN these constraints — cohesive, on-brand, never off-palette.`;
+}
+function buildPresentationRule(presentation) {
+    if (presentation !== "seamless")
+        return "";
+    return `SEAMLESS / EMBEDDED RENDERING (critical) — this artifact is dropped directly into the page flow as if it were native chat content:
+- If the user asks to test/check/show "camouflage", "transparent background", "generative UI", or "all combinations", create a rich visual showcase of multiple UI combinations inside the transparent shell. Do not explain the property; demonstrate it visually.
+- TRANSPARENT background everywhere at the top level: html{background:transparent} and body{background:transparent;margin:0}. NEVER paint a page/background color, white sheet, or gradient on html or body.
+- For camouflage/seamless requests, put ALL styling directly on elements with inline style="" attributes. Do not output a <style> tag.
+- Do NOT wrap the whole artifact in an outer card/sheet/panel/frame/border/box-shadow/"window". The single outermost element must have NO background of its own — the host surface shows through. (Inner cards/sections for actual content are fine and encouraged.)
+- This is a DARK host UI. Use the host theme colors above: light text on the transparent dark surface. NEVER use a light/white background or dark-text-on-white — that would look like a pasted white box. If you need contrast, use subtle translucent surfaces (e.g. rgba(255,255,255,0.05)), not opaque white.
+- Keep it compact and content-sized: no min-height:100vh, no full-viewport hero. Occupy only the height the content needs and flow inline.`;
+}
+function buildArtifactIdentityRule(presentation) {
+    if (presentation === "seamless") {
+        return `CAMOUFLAGE QUALITY BAR:
+- The outer document and first wrapper must be transparent, but the artifact must still feel designed. Put the visual identity INSIDE the transparent shell: translucent panels, CSS/SVG charts, accent gradients, badges, cards, timelines, and dense real content.
+- The artifact is its own custom object, not a copy of the host website. Host theme values are guardrails for contrast and embedding only; choose a distinct dark, premium artifact palette and composition when the request asks for a custom UI/artifact.
+- Never use an opaque full-page white/light background. Never rely on the host page as the only design. The result should read as a polished artifact embedded in the chat, not a pasted webpage screenshot.`;
+    }
+    return `ARTIFACT QUALITY BAR: when rendering a standalone artifact, give it its own complete visual world: deliberate page background, palette, typography, composition, and data. It should not merely clone the host website theme unless explicitly requested.`;
+}
+const IMAGES_RULE = `IMAGES — when the design needs a photo/illustration (hero, avatar, card media, gallery, background), use Picsum random placeholders (the ONLY allowed external image host):
+- URL: https://picsum.photos/{width}/{height} — e.g. <img src="https://picsum.photos/1920/1080" …>.
+- For DIFFERENT images across multiple slots, add a unique seed: https://picsum.photos/seed/{word}/{width}/{height} (same seed = same image, so vary the word per slot, e.g. /seed/nova/800/600, /seed/atlas/800/600). For avatars use a square like /seed/amy/96/96.
+- Request a size close to the rendered size (don't fetch 1920×1080 for a thumbnail) so it streams fast.
+- Always responsive + shift-free: style="display:block;width:100%;height:auto;object-fit:cover" and set aspect-ratio (e.g. aspect-ratio:16/9 or 1/1). Give every image meaningful alt text.
+- Do NOT hotlink any other image host; only picsum.photos.`;
+const STREAMING_RULE = `STREAM-FRIENDLY OUTPUT (so the UI paints instantly and never blocks) — the artifact renders progressively as you stream it:
+- Keep <head> TINY: only <meta> tags and (optionally) a single Google Fonts <link>. Put NOTHING in <head> that must finish before content shows — no big CSS block, no token sheet. A large head buffers the whole document before anything paints.
+- ALL styling is inline on body elements, so each element paints the moment its tokens arrive. This is the main reason styling is inline, not just a constraint.
+- Write the body TOP-TO-BOTTOM in visual order, most important content first (header → key content → details), so the very first streamed tokens already render something meaningful.
+- Declare shared tokens once on <html style="--…"> (it streams first, in one short tag), then reference via var() inline below.`;
+const RESPONSIVE_RULE = `FORCE RESPONSIVE — the artifact MUST look perfect at any width (the viewer can preview it at phone / tablet / desktop), with NO horizontal page overflow:
+- Fluid & intrinsic (works inline, zero media queries): clamp() for type + spacing; repeat(auto-fit,minmax(min(100%,X),1fr)) for any grid of cards/stats/features; flex-wrap for rows and navs; %/fr/ch for sizing; gap (never margins) for rhythm.
+- NEVER overflow horizontally: no fixed px widths on containers; use width:100%/max-width with min(100%,…). Long words → overflow-wrap:break-word. Wide tables/timelines/charts/carousels → wrap in a box with overflow-x:auto so THAT scrolls, not the page.
+- Media: img/svg/video → max-width:100%; height:auto; display:block. Reserve space with aspect-ratio.
+- Tap targets ≥ 44px. Use 100dvh/100svh (never 100vh) if a full-height region is truly needed; prefer content height.
+- Result: fills its frame on desktop, reflows to one clean column on phones — automatically, no breakpoints, no burger toggle (use a wrapping/scrolling nav instead).`;
+/** Build the HTML-artifact system prompt, tuned by style profile and flags. */
+export function buildHtmlArtifactPrompt(options = {}) {
+    const { styleProfile, allowExternalFonts = false, allowForms = true, theme, presentation, } = options;
+    return [
+        BASE_SYSTEM_PROMPT,
+        "",
+        buildOutputFormat(presentation),
+        "",
+        HARD_RULES,
+        "",
+        buildInlineOnlyRule(),
+        "",
+        STREAMING_RULE,
+        "",
+        RESPONSIVE_RULE,
+        "",
+        IMAGES_RULE,
+        "",
+        DESIGN_DIRECTION,
+        "",
+        buildFontRule(allowExternalFonts),
+        buildFormRule(allowForms),
+        buildStyleProfileRule(styleProfile),
+        buildThemeRule(theme, presentation),
+        buildPresentationRule(presentation),
+        buildArtifactIdentityRule(presentation),
+        "",
+        "Think like a senior product designer with a strong point of view. Do not hold back — show what an exceptional, hand-crafted interface looks like — while honoring the host theme and rendering constraints above.",
+    ]
+        .filter(Boolean)
+        .join("\n");
+}
+/** Default prompt with no style profile, system fonts, forms allowed. */
+export const HTML_ARTIFACT_SYSTEM_PROMPT = buildHtmlArtifactPrompt();
+//# sourceMappingURL=htmlArtifactPrompt.js.map

package/dist/prompts/htmlArtifactPrompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"htmlArtifactPrompt.js","sourceRoot":"","sources":["../../src/prompts/htmlArtifactPrompt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAiB7D,SAAS,iBAAiB,CAAC,YAAmC;IAC5D,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO;;;;;;;;;;;;;;;;;;iBAkBM,CAAC;IAChB,CAAC;IAED,OAAO;;;;;;;;;;;;;;;;;;iBAkBQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,GAAG;;;;;;iHAM8F,CAAC;AAElH,SAAS,mBAAmB;IAC1B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mEA6B0D,CAAC;AACpE,CAAC;AAED,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;;;;;;;;;mFAqB0D,CAAC;AAEpF,SAAS,aAAa,CAAC,kBAA2B;IAChD,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO;;;;;8HAKmH,CAAC;IAC7H,CAAC;IACD,OAAO,sMAAsM,iBAAiB,GAAG,CAAC;AACpO,CAAC;AAED,SAAS,aAAa,CAAC,UAAmB;IACxC,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,oQAAoQ,CAAC;IAC9Q,CAAC;IACD,OAAO,oFAAoF,CAAC;AAC9F,CAAC;AAED,SAAS,qBAAqB,CAAC,OAA8B;IAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,8MAA8M,CAAC;IACxN,CAAC;IACD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IACrE,IAAI,OAAO,CAAC,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACjE,IAAI,OAAO,CAAC,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,IAAI,OAAO,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5E,IAAI,OAAO,CAAC,gBAAgB;QAC1B,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC/D,OAAO,yEAAyE,KAAK,CAAC,IAAI,CACxF,IAAI,CACL,oIAAoI,CAAC;AACxI,CAAC;AAED,SAAS,cAAc,CAAC,KAAqB,EAAE,YAAmC;IAChF,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,CAAC,WAAW;QAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;IACzE,IAAI,KAAK,CAAC,UAAU;QAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;IAC1E,IAAI,KAAK,CAAC,UAAU;QAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;IAC1E,IAAI,KAAK,CAAC,OAAO;QAAE,MAAM,CAAC,IAAI,CAAC,kBAAkB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,IAAI,KAAK,CAAC,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzD,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,IAAI,CAAC,eAAe,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IAC3D,IAAI,KAAK,CAAC,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,sBAAsB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,IAAI,KAAK,CAAC,OAAO;QAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACnE,IAAI,KAAK,CAAC,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,gBAAgB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9D,IAAI,KAAK,CAAC,UAAU;QAAE,MAAM,CAAC,IAAI,CAAC,gBAAgB,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;IAEtE,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO;IACP,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE;uMACyH,CAAC;IACtM,CAAC;IAED,OAAO;IACL,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE;mWACqR,CAAC;AACpW,CAAC;AAED,SAAS,qBAAqB,CAAC,YAAmC;IAChE,IAAI,YAAY,KAAK,UAAU;QAAE,OAAO,EAAE,CAAC;IAC3C,OAAO;;;;;;2IAMkI,CAAC;AAC5I,CAAC;AAED,SAAS,yBAAyB,CAAC,YAAmC;IACpE,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO;;;6MAGkM,CAAC;IAC5M,CAAC;IAED,OAAO,2PAA2P,CAAC;AACrQ,CAAC;AAED,MAAM,WAAW,GAAG;;;;;2DAKuC,CAAC;AAE5D,MAAM,cAAc,GAAG;;;;gIAIyG,CAAC;AAEjI,MAAM,eAAe,GAAG;;;;;sKAK8I,CAAC;AAEvK,+EAA+E;AAC/E,MAAM,UAAU,uBAAuB,CAAC,UAA6B,EAAE;IACrE,MAAM,EACJ,YAAY,EACZ,kBAAkB,GAAG,KAAK,EAC1B,UAAU,GAAG,IAAI,EACjB,KAAK,EACL,YAAY,GACb,GAAG,OAAO,CAAC;IAEZ,OAAO;QACL,kBAAkB;QAClB,EAAE;QACF,iBAAiB,CAAC,YAAY,CAAC;QAC/B,EAAE;QACF,UAAU;QACV,EAAE;QACF,mBAAmB,EAAE;QACrB,EAAE;QACF,cAAc;QACd,EAAE;QACF,eAAe;QACf,EAAE;QACF,WAAW;QACX,EAAE;QACF,gBAAgB;QAChB,EAAE;QACF,aAAa,CAAC,kBAAkB,CAAC;QACjC,aAAa,CAAC,UAAU,CAAC;QACzB,qBAAqB,CAAC,YAAY,CAAC;QACnC,cAAc,CAAC,KAAK,EAAE,YAAY,CAAC;QACnC,qBAAqB,CAAC,YAAY,CAAC;QACnC,yBAAyB,CAAC,YAAY,CAAC;QACvC,EAAE;QACF,mNAAmN;KACpN;SACE,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,yEAAyE;AACzE,MAAM,CAAC,MAAM,2BAA2B,GAAG,uBAAuB,EAAE,CAAC"}

package/dist/prompts/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./systemPrompt.js";
+export * from "./markdownPrompt.js";
+export * from "./htmlArtifactPrompt.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/prompts/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC"}

package/dist/prompts/index.js

@@ -0,0 +1,4 @@
+export * from "./systemPrompt.js";
+export * from "./markdownPrompt.js";
+export * from "./htmlArtifactPrompt.js";
+//# sourceMappingURL=index.js.map

package/dist/prompts/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC"}

package/dist/prompts/markdownPrompt.d.ts

@@ -0,0 +1,3 @@
+/** System prompt for plain markdown chat answers. */
+export declare const MARKDOWN_SYSTEM_PROMPT = "You are a helpful assistant that answers either as markdown text or as a single self-contained static HTML/CSS artifact. You never mix the two: a response is entirely one mode. You write clearly, accurately, and concisely.\n\nYou are answering in MARKDOWN mode. Reply with a normal, well-structured markdown message:\n- Use headings, lists, and tables where they help.\n- Use fenced code blocks for code.\n- Be direct and avoid filler.\n- Do NOT emit any <assistant_message> or <html_artifact> tags in this mode \u2014 just write the markdown answer.";
+//# sourceMappingURL=markdownPrompt.d.ts.map

package/dist/prompts/markdownPrompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdownPrompt.d.ts","sourceRoot":"","sources":["../../src/prompts/markdownPrompt.ts"],"names":[],"mappings":"AAEA,qDAAqD;AACrD,eAAO,MAAM,sBAAsB,2iBAM0E,CAAC"}

package/dist/prompts/markdownPrompt.js

@@ -0,0 +1,10 @@
+import { BASE_SYSTEM_PROMPT } from "./systemPrompt.js";
+/** System prompt for plain markdown chat answers. */
+export const MARKDOWN_SYSTEM_PROMPT = `${BASE_SYSTEM_PROMPT}
+
+You are answering in MARKDOWN mode. Reply with a normal, well-structured markdown message:
+- Use headings, lists, and tables where they help.
+- Use fenced code blocks for code.
+- Be direct and avoid filler.
+- Do NOT emit any <assistant_message> or <html_artifact> tags in this mode — just write the markdown answer.`;
+//# sourceMappingURL=markdownPrompt.js.map

package/dist/prompts/markdownPrompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdownPrompt.js","sourceRoot":"","sources":["../../src/prompts/markdownPrompt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEvD,qDAAqD;AACrD,MAAM,CAAC,MAAM,sBAAsB,GAAG,GAAG,kBAAkB;;;;;;6GAMkD,CAAC"}

package/dist/prompts/systemPrompt.d.ts

@@ -0,0 +1,3 @@
+/** Shared preamble identifying the assistant and its two output modes. */
+export declare const BASE_SYSTEM_PROMPT = "You are a helpful assistant that answers either as markdown text or as a single self-contained static HTML/CSS artifact. You never mix the two: a response is entirely one mode. You write clearly, accurately, and concisely.";
+//# sourceMappingURL=systemPrompt.d.ts.map

package/dist/prompts/systemPrompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"systemPrompt.d.ts","sourceRoot":"","sources":["../../src/prompts/systemPrompt.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB,mOAAmO,CAAC"}

package/dist/prompts/systemPrompt.js

@@ -0,0 +1,3 @@
+/** Shared preamble identifying the assistant and its two output modes. */
+export const BASE_SYSTEM_PROMPT = `You are a helpful assistant that answers either as markdown text or as a single self-contained static HTML/CSS artifact. You never mix the two: a response is entirely one mode. You write clearly, accurately, and concisely.`;
+//# sourceMappingURL=systemPrompt.js.map

package/dist/prompts/systemPrompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"systemPrompt.js","sourceRoot":"","sources":["../../src/prompts/systemPrompt.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,MAAM,CAAC,MAAM,kBAAkB,GAAG,gOAAgO,CAAC"}

package/dist/sanitizer/dangerousPatterns.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Regex building blocks for the static-HTML sanitizer. These are deliberately
+ * conservative: the sanitizer's job is to guarantee that no JavaScript can run
+ * inside the artifact iframe, regardless of how creative the model gets.
+ *
+ * The sanitizer is regex-based on purpose: it must run identically on the
+ * server (Node) and the client (browser) with zero DOM dependency.
+ */
+/** `<script>...</script>`, including attributes and across newlines. */
+export declare const SCRIPT_BLOCK: RegExp;
+/** A dangling/self-closed `<script ...>` with no closing tag. */
+export declare const SCRIPT_OPEN: RegExp;
+/** `<iframe>`, `<object>`, `<embed>`, `<base>`, `<frame>`, `<frameset>`. */
+export declare const EMBED_BLOCK: RegExp;
+export declare const EMBED_OPEN: RegExp;
+/** `<meta http-equiv="refresh" ...>` — used for redirect/navigation tricks. */
+export declare const META_REFRESH: RegExp;
+/**
+ * Inline event-handler attributes (`onclick`, `onload`, `onerror`, ...).
+ * Matches quoted, single-quoted, and unquoted values.
+ */
+export declare const EVENT_HANDLER_ATTR: RegExp;
+/** `javascript:` / `vbscript:` / `data:text/html` protocol URLs in attributes. */
+export declare const DANGEROUS_URL_ATTR: RegExp;
+/** `style="...:expression(...)..."` — legacy IE script-in-CSS vector. */
+export declare const CSS_EXPRESSION: RegExp;
+/** External stylesheet links: `<link rel="stylesheet" ...>`. */
+export declare const STYLESHEET_LINK: RegExp;
+/** Any `<link>` pointing at an http(s) resource (fonts, preconnect, etc.). */
+export declare const EXTERNAL_LINK: RegExp;
+/** `@import url(...)` inside CSS. */
+export declare const CSS_IMPORT: RegExp;
+/** `<style>...</style>` blocks. */
+export declare const STYLE_BLOCK: RegExp;
+/** Inline `style="..."` attributes. */
+export declare const INLINE_STYLE_ATTR: RegExp;
+/** `<svg>...</svg>` blocks. */
+export declare const SVG_BLOCK: RegExp;
+/** Form-related tags (open + close), used when forms are disallowed. */
+export declare const FORM_TAGS: RegExp;
+//# sourceMappingURL=dangerousPatterns.d.ts.map

package/dist/sanitizer/dangerousPatterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dangerousPatterns.d.ts","sourceRoot":"","sources":["../../src/sanitizer/dangerousPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,wEAAwE;AACxE,eAAO,MAAM,YAAY,QAA2C,CAAC;AACrE,iEAAiE;AACjE,eAAO,MAAM,WAAW,QAAyB,CAAC;AAElD,4EAA4E;AAC5E,eAAO,MAAM,WAAW,QAC4C,CAAC;AACrE,eAAO,MAAM,UAAU,QACoC,CAAC;AAE5D,+EAA+E;AAC/E,eAAO,MAAM,YAAY,QAA2D,CAAC;AAErF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QACoB,CAAC;AAEpD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,QACoL,CAAC;AAEpN,yEAAyE;AACzE,eAAO,MAAM,cAAc,QAAsB,CAAC;AAElD,gEAAgE;AAChE,eAAO,MAAM,eAAe,QAC0B,CAAC;AACvD,8EAA8E;AAC9E,eAAO,MAAM,aAAa,QAAoB,CAAC;AAE/C,qCAAqC;AACrC,eAAO,MAAM,UAAU,QAAuB,CAAC;AAE/C,mCAAmC;AACnC,eAAO,MAAM,WAAW,QAAyC,CAAC;AAElE,uCAAuC;AACvC,eAAO,MAAM,iBAAiB,QAAyC,CAAC;AAExE,+BAA+B;AAC/B,eAAO,MAAM,SAAS,QAAqC,CAAC;AAE5D,wEAAwE;AACxE,eAAO,MAAM,SAAS,QAC4E,CAAC"}

package/dist/sanitizer/dangerousPatterns.js

@@ -0,0 +1,41 @@
+/**
+ * Regex building blocks for the static-HTML sanitizer. These are deliberately
+ * conservative: the sanitizer's job is to guarantee that no JavaScript can run
+ * inside the artifact iframe, regardless of how creative the model gets.
+ *
+ * The sanitizer is regex-based on purpose: it must run identically on the
+ * server (Node) and the client (browser) with zero DOM dependency.
+ */
+/** `<script>...</script>`, including attributes and across newlines. */
+export const SCRIPT_BLOCK = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
+/** A dangling/self-closed `<script ...>` with no closing tag. */
+export const SCRIPT_OPEN = /<script\b[^>]*\/?>/gi;
+/** `<iframe>`, `<object>`, `<embed>`, `<base>`, `<frame>`, `<frameset>`. */
+export const EMBED_BLOCK = /<(iframe|object|embed|frame|frameset)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
+export const EMBED_OPEN = /<(iframe|object|embed|frame|frameset|base)\b[^>]*\/?>/gi;
+/** `<meta http-equiv="refresh" ...>` — used for redirect/navigation tricks. */
+export const META_REFRESH = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/gi;
+/**
+ * Inline event-handler attributes (`onclick`, `onload`, `onerror`, ...).
+ * Matches quoted, single-quoted, and unquoted values.
+ */
+export const EVENT_HANDLER_ATTR = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
+/** `javascript:` / `vbscript:` / `data:text/html` protocol URLs in attributes. */
+export const DANGEROUS_URL_ATTR = /\s+(href|src|action|formaction|xlink:href|background|poster)\s*=\s*(?:"\s*(?:javascript|vbscript|data:text\/html)[^"]*"|'\s*(?:javascript|vbscript|data:text\/html)[^']*'|\s*(?:javascript|vbscript):[^\s>]*)/gi;
+/** `style="...:expression(...)..."` — legacy IE script-in-CSS vector. */
+export const CSS_EXPRESSION = /expression\s*\(/gi;
+/** External stylesheet links: `<link rel="stylesheet" ...>`. */
+export const STYLESHEET_LINK = /<link\b[^>]*rel\s*=\s*["']?stylesheet["']?[^>]*>/gi;
+/** Any `<link>` pointing at an http(s) resource (fonts, preconnect, etc.). */
+export const EXTERNAL_LINK = /<link\b[^>]*>/gi;
+/** `@import url(...)` inside CSS. */
+export const CSS_IMPORT = /@import\b[^;]+;?/gi;
+/** `<style>...</style>` blocks. */
+export const STYLE_BLOCK = /<style\b[^>]*>[\s\S]*?<\/style\s*>/gi;
+/** Inline `style="..."` attributes. */
+export const INLINE_STYLE_ATTR = /\s+style\s*=\s*(?:"[^"]*"|'[^']*')/gi;
+/** `<svg>...</svg>` blocks. */
+export const SVG_BLOCK = /<svg\b[^>]*>[\s\S]*?<\/svg\s*>/gi;
+/** Form-related tags (open + close), used when forms are disallowed. */
+export const FORM_TAGS = /<\/?(form|input|button|label|textarea|select|option|fieldset|legend|datalist|output)\b[^>]*>/gi;
+//# sourceMappingURL=dangerousPatterns.js.map

package/dist/sanitizer/dangerousPatterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dangerousPatterns.js","sourceRoot":"","sources":["../../src/sanitizer/dangerousPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,wEAAwE;AACxE,MAAM,CAAC,MAAM,YAAY,GAAG,wCAAwC,CAAC;AACrE,iEAAiE;AACjE,MAAM,CAAC,MAAM,WAAW,GAAG,sBAAsB,CAAC;AAElD,4EAA4E;AAC5E,MAAM,CAAC,MAAM,WAAW,GACtB,kEAAkE,CAAC;AACrE,MAAM,CAAC,MAAM,UAAU,GACrB,yDAAyD,CAAC;AAE5D,+EAA+E;AAC/E,MAAM,CAAC,MAAM,YAAY,GAAG,wDAAwD,CAAC;AAErF;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAC7B,iDAAiD,CAAC;AAEpD,kFAAkF;AAClF,MAAM,CAAC,MAAM,kBAAkB,GAC7B,iNAAiN,CAAC;AAEpN,yEAAyE;AACzE,MAAM,CAAC,MAAM,cAAc,GAAG,mBAAmB,CAAC;AAElD,gEAAgE;AAChE,MAAM,CAAC,MAAM,eAAe,GAC1B,oDAAoD,CAAC;AACvD,8EAA8E;AAC9E,MAAM,CAAC,MAAM,aAAa,GAAG,iBAAiB,CAAC;AAE/C,qCAAqC;AACrC,MAAM,CAAC,MAAM,UAAU,GAAG,oBAAoB,CAAC;AAE/C,mCAAmC;AACnC,MAAM,CAAC,MAAM,WAAW,GAAG,sCAAsC,CAAC;AAElE,uCAAuC;AACvC,MAAM,CAAC,MAAM,iBAAiB,GAAG,sCAAsC,CAAC;AAExE,+BAA+B;AAC/B,MAAM,CAAC,MAAM,SAAS,GAAG,kCAAkC,CAAC;AAE5D,wEAAwE;AACxE,MAAM,CAAC,MAAM,SAAS,GACpB,gGAAgG,CAAC"}

package/dist/sanitizer/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./sanitizeHtml.js";
+export * from "./sanitizeConfig.js";
+export * as dangerousPatterns from "./dangerousPatterns.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/sanitizer/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizer/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,qBAAqB,CAAC;AACpC,OAAO,KAAK,iBAAiB,MAAM,wBAAwB,CAAC"}

package/dist/sanitizer/index.js

@@ -0,0 +1,4 @@
+export * from "./sanitizeHtml.js";
+export * from "./sanitizeConfig.js";
+export * as dangerousPatterns from "./dangerousPatterns.js";
+//# sourceMappingURL=index.js.map

package/dist/sanitizer/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sanitizer/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,qBAAqB,CAAC;AACpC,OAAO,KAAK,iBAAiB,MAAM,wBAAwB,CAAC"}

package/dist/sanitizer/sanitizeConfig.d.ts

@@ -0,0 +1,4 @@
+import type { SanitizeOptions } from "../types/config.js";
+/** Resolve partial sanitize options against the static-safe defaults. */
+export declare function resolveSanitizeOptions(options?: SanitizeOptions): Required<SanitizeOptions>;
+//# sourceMappingURL=sanitizeConfig.d.ts.map

package/dist/sanitizer/sanitizeConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizeConfig.d.ts","sourceRoot":"","sources":["../../src/sanitizer/sanitizeConfig.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAE1D,yEAAyE;AACzE,wBAAgB,sBAAsB,CACpC,OAAO,CAAC,EAAE,eAAe,GACxB,QAAQ,CAAC,eAAe,CAAC,CAK3B"}

package/dist/sanitizer/sanitizeConfig.js

@@ -0,0 +1,10 @@
+import { DEFAULT_SANITIZE_OPTIONS } from "../constants/defaults.js";
+import { mergeConfig } from "../utils/mergeConfig.js";
+/** Resolve partial sanitize options against the static-safe defaults. */
+export function resolveSanitizeOptions(options) {
+    const merged = mergeConfig(DEFAULT_SANITIZE_OPTIONS, options);
+    // Scripts are never allowed, no matter what a caller passes.
+    merged.allowScripts = false;
+    return merged;
+}
+//# sourceMappingURL=sanitizeConfig.js.map

package/dist/sanitizer/sanitizeConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizeConfig.js","sourceRoot":"","sources":["../../src/sanitizer/sanitizeConfig.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAGtD,yEAAyE;AACzE,MAAM,UAAU,sBAAsB,CACpC,OAAyB;IAEzB,MAAM,MAAM,GAAG,WAAW,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAC;IAC9D,6DAA6D;IAC7D,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC;IAC5B,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/sanitizer/sanitizeHtml.d.ts

@@ -0,0 +1,20 @@
+import type { SanitizeOptions } from "../types/config.js";
+export interface SanitizeResult {
+    html: string;
+    /** True if any dangerous content was stripped. */
+    modified: boolean;
+    /** True if the sanitizer crashed and returned an escaped fallback. */
+    failedOpen: boolean;
+}
+/**
+ * Strip everything that could execute or load JavaScript from an HTML string,
+ * keeping static markup, CSS, SVG, and forms according to `options`.
+ *
+ * Fail-open: if anything throws, we return the input HTML-escaped inside a
+ * `<pre>` so the iframe shows inert text rather than crashing the render.
+ */
+export declare function sanitizeHtml(input: string, options?: SanitizeOptions): SanitizeResult;
+/** Convenience wrapper returning only the sanitized string. */
+export declare function sanitize(input: string, options?: SanitizeOptions): string;
+export declare function escapeHtml(input: string): string;
+//# sourceMappingURL=sanitizeHtml.d.ts.map

package/dist/sanitizer/sanitizeHtml.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../../src/sanitizer/sanitizeHtml.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAU1D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,QAAQ,EAAE,OAAO,CAAC;IAClB,sEAAsE;IACtE,UAAU,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,eAAe,GACxB,cAAc,CA6DhB;AAED,+DAA+D;AAC/D,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,MAAM,CAEzE;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOhD"}

package/dist/sanitizer/sanitizeHtml.js

@@ -0,0 +1,81 @@
+import { resolveSanitizeOptions } from "./sanitizeConfig.js";
+import { CSS_EXPRESSION, CSS_IMPORT, DANGEROUS_URL_ATTR, EMBED_BLOCK, EMBED_OPEN, EVENT_HANDLER_ATTR, EXTERNAL_LINK, FORM_TAGS, INLINE_STYLE_ATTR, META_REFRESH, SCRIPT_BLOCK, SCRIPT_OPEN, STYLE_BLOCK, STYLESHEET_LINK, SVG_BLOCK, } from "./dangerousPatterns.js";
+// A <link> is kept under allowExternalFonts only if its href starts with a
+// Google Fonts host (covers stylesheet links and preconnect hints).
+const ALLOWED_FONT_LINK = /href\s*=\s*["']https:\/\/fonts\.(googleapis|gstatic)\.com/i;
+// An @import is kept only if it targets the Google Fonts CSS host.
+const ALLOWED_FONT_IMPORT = /@import\s+(?:url\()?\s*["']?https:\/\/fonts\.googleapis\.com/i;
+/**
+ * Strip everything that could execute or load JavaScript from an HTML string,
+ * keeping static markup, CSS, SVG, and forms according to `options`.
+ *
+ * Fail-open: if anything throws, we return the input HTML-escaped inside a
+ * `<pre>` so the iframe shows inert text rather than crashing the render.
+ */
+export function sanitizeHtml(input, options) {
+    const opts = resolveSanitizeOptions(options);
+    try {
+        if (typeof input !== "string") {
+            return { html: "", modified: false, failedOpen: false };
+        }
+        let html = input;
+        const before = html;
+        // 1. Scripts — always removed.
+        html = html.replace(SCRIPT_BLOCK, "").replace(SCRIPT_OPEN, "");
+        // 2. Nested browsing contexts & navigation tricks — always removed.
+        html = html
+            .replace(EMBED_BLOCK, "")
+            .replace(EMBED_OPEN, "")
+            .replace(META_REFRESH, "");
+        // 3. Inline event handlers — always removed.
+        html = html.replace(EVENT_HANDLER_ATTR, "");
+        // 4. javascript:/vbscript:/data:text/html URLs — always removed.
+        html = html.replace(DANGEROUS_URL_ATTR, "");
+        // 5. CSS expression() — always removed.
+        html = html.replace(CSS_EXPRESSION, "void(");
+        // 6. External CSS / fonts.
+        if (opts.allowExternalFonts) {
+            // Keep ONLY links/imports pointing at the Google Fonts hosts; strip the
+            // rest. This permits distinctive typography without opening a hole for
+            // arbitrary external stylesheets.
+            html = html
+                .replace(EXTERNAL_LINK, (tag) => ALLOWED_FONT_LINK.test(tag) ? tag : "")
+                .replace(CSS_IMPORT, (imp) => ALLOWED_FONT_IMPORT.test(imp) ? imp : "");
+        }
+        else {
+            html = html.replace(STYLESHEET_LINK, "").replace(CSS_IMPORT, "");
+            // Remove any remaining <link> (preconnect/font links) too.
+            html = html.replace(EXTERNAL_LINK, "");
+        }
+        // 7. Optional element classes.
+        if (!opts.allowStyleTags)
+            html = html.replace(STYLE_BLOCK, "");
+        if (!opts.allowInlineStyles)
+            html = html.replace(INLINE_STYLE_ATTR, "");
+        if (!opts.allowSvg)
+            html = html.replace(SVG_BLOCK, "");
+        if (!opts.allowForms)
+            html = html.replace(FORM_TAGS, "");
+        return { html, modified: html !== before, failedOpen: false };
+    }
+    catch {
+        return {
+            html: `<pre>${escapeHtml(String(input))}</pre>`,
+            modified: true,
+            failedOpen: true,
+        };
+    }
+}
+/** Convenience wrapper returning only the sanitized string. */
+export function sanitize(input, options) {
+    return sanitizeHtml(input, options).html;
+}
+export function escapeHtml(input) {
+    return input
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+//# sourceMappingURL=sanitizeHtml.js.map

package/dist/sanitizer/sanitizeHtml.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizeHtml.js","sourceRoot":"","sources":["../../src/sanitizer/sanitizeHtml.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,WAAW,EACX,UAAU,EACV,kBAAkB,EAClB,aAAa,EACb,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,WAAW,EACX,eAAe,EACf,SAAS,GACV,MAAM,wBAAwB,CAAC;AAGhC,2EAA2E;AAC3E,oEAAoE;AACpE,MAAM,iBAAiB,GACrB,4DAA4D,CAAC;AAC/D,mEAAmE;AACnE,MAAM,mBAAmB,GACvB,+DAA+D,CAAC;AAUlE;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAa,EACb,OAAyB;IAEzB,MAAM,IAAI,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;QAC1D,CAAC;QAED,IAAI,IAAI,GAAG,KAAK,CAAC;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC;QAEpB,+BAA+B;QAC/B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAE/D,oEAAoE;QACpE,IAAI,GAAG,IAAI;aACR,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;aACxB,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;aACvB,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAE7B,6CAA6C;QAC7C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAE5C,iEAAiE;QACjE,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAE5C,wCAAwC;QACxC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAE7C,2BAA2B;QAC3B,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,wEAAwE;YACxE,uEAAuE;YACvE,kCAAkC;YAClC,IAAI,GAAG,IAAI;iBACR,OAAO,CAAC,aAAa,EAAE,CAAC,GAAG,EAAE,EAAE,CAC9B,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CACvC;iBACA,OAAO,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE,CAC3B,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC;QACN,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YACjE,2DAA2D;YAC3D,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,+BAA+B;QAC/B,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAC/D,IAAI,CAAC,IAAI,CAAC,iBAAiB;YAAE,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAEzD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,KAAK,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,IAAI,EAAE,QAAQ,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ;YAC/C,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,IAAI;SACjB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,QAAQ,CAAC,KAAa,EAAE,OAAyB;IAC/D,OAAO,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC"}

package/dist/server/config.d.ts

@@ -0,0 +1,6 @@
+import type { CoreMessage, CreateArtifactStreamResponseOptions, ResolvedServerConfig } from "../types/server.js";
+/** Fill in defaults and precompute the prompts for a request. */
+export declare function resolveServerConfig(options: CreateArtifactStreamResponseOptions): ResolvedServerConfig;
+/** Extract the latest user message text for classification. */
+export declare function latestUserText(messages: CoreMessage[]): string;
+//# sourceMappingURL=config.d.ts.map

package/dist/server/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,WAAW,EACX,mCAAmC,EACnC,oBAAoB,EACrB,MAAM,oBAAoB,CAAC;AAE5B,iEAAiE;AACjE,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,mCAAmC,GAC3C,oBAAoB,CA2CtB;AAED,+DAA+D;AAC/D,wBAAgB,cAAc,CAAC,QAAQ,EAAE,WAAW,EAAE,GAAG,MAAM,CAO9D"}