npm - openmagic - Versions diffs - 0.12.0 → 0.14.0 - Mend

openmagic 0.12.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +9 -0
package/dist/cli.js +35 -83
package/dist/cli.js.map +1 -1
package/dist/toolbar/index.global.js +34 -34
package/dist/toolbar/index.global.js.map +1 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -191,6 +191,15 @@ This file is in your home directory, never in your project. It won't be committe
 - **Path sandboxing** — File operations are restricted to configured root directories. The server cannot read/write outside your project.
 - **API keys stay local** — Keys are stored in `~/.openmagic/config.json` on your machine. They are proxied through the local server and never exposed to the browser or any third party.
 - **Zero project modification** — OpenMagic never modifies your `package.json`, config files, or source code during installation. The toolbar exists only in the proxy layer.
+- **Symlink protection** — File operations resolve symlinks and reject paths that escape the project root.
+- **Diff preview** — AI-proposed code changes are shown as diffs with Apply/Reject buttons. Nothing is auto-applied.
+### Known Limitations
+OpenMagic uses a reverse proxy which introduces these tradeoffs:
+- **Origin change** — Your app runs on `localhost:3000` but is accessed via `localhost:4567`. This can affect OAuth redirects, `localStorage` isolation, and Service Worker scope. Most dev workflows are unaffected, but if your app relies on `window.location.origin`, you may need to adjust your dev config.
+- **CSP meta tags** — OpenMagic strips CSP response headers to allow the toolbar script. However, CSP set via `<meta>` tags in your HTML cannot be modified and may block the toolbar on strict CSP pages.
 ## Comparison

package/dist/cli.js CHANGED Viewed

@@ -10,8 +10,6 @@ import { createInterface } from "readline";
 // src/proxy.ts
 import http from "http";
-import { gunzip, inflate, brotliDecompress } from "zlib";
-import { promisify } from "util";
 import httpProxy from "http-proxy";
 // src/security.ts
@@ -68,8 +66,9 @@ function saveConfig(updates) {
     const tmpFile = CONFIG_FILE + ".tmp";
     writeFileSync(tmpFile, JSON.stringify(merged, null, 2), { encoding: "utf-8", mode: 384 });
     renameSync(tmpFile, CONFIG_FILE);
+    return { ok: true };
   } catch (e) {
-    console.warn(`[OpenMagic] Warning: Could not save config to ${CONFIG_FILE}: ${e.message}`);
+    return { ok: false, error: e.message };
   }
 }
@@ -78,7 +77,7 @@ import {
   readFileSync as readFileSync2,
   writeFileSync as writeFileSync2,
   existsSync as existsSync2,
-  statSync,
+  lstatSync,
   readdirSync,
   copyFileSync,
   mkdirSync as mkdirSync2,
@@ -184,10 +183,11 @@ function listFiles(rootPath, roots, maxDepth = 4) {
       const fullPath = join2(dir, item);
       let stat;
       try {
-        stat = statSync(fullPath);
+        stat = lstatSync(fullPath);
       } catch {
         continue;
       }
+      if (stat.isSymbolicLink()) continue;
       const relPath = relative(rootPath, fullPath);
       if (stat.isDirectory()) {
         entries.push({ path: relPath, type: "dir", name: item });
@@ -1356,7 +1356,7 @@ async function handleLlmChat(params, onChunk, onDone, onError) {
 }
 // src/server.ts
-var VERSION = "0.11.0";
+var VERSION = "0.14.0";
 var __dirname = dirname2(fileURLToPath(import.meta.url));
 function attachOpenMagic(httpServer, roots) {
   function handleRequest(req, res) {
@@ -1438,7 +1438,7 @@ async function handleMessage(ws, msg, state, roots) {
             provider: config.provider,
             model: config.model,
             hasApiKey: !!config.apiKey,
-            apiKeys: config.apiKeys || {}
+            apiKeys: Object.fromEntries(Object.entries(config.apiKeys || {}).map(([k]) => [k, true]))
           }
         }
       });
@@ -1504,7 +1504,7 @@ async function handleMessage(ws, msg, state, roots) {
       await handleLlmChat(
         {
           provider,
-          model: payload.model || config.model || "gpt-4o",
+          model: payload.model || config.model || MODEL_REGISTRY[provider]?.models[0]?.id || "gpt-4o",
           apiKey,
           messages: payload.messages,
           context: payload.context
@@ -1552,12 +1552,12 @@ async function handleMessage(ws, msg, state, roots) {
       } else if (payload.apiKey !== void 0) {
         updates.apiKey = payload.apiKey;
       }
-      saveConfig(updates);
-      send(ws, {
-        id: msg.id,
-        type: "config.saved",
-        payload: { ok: true }
-      });
+      const result = saveConfig(updates);
+      if (!result.ok) {
+        sendError(ws, "config_error", result.error || "Failed to save", msg.id);
+      } else {
+        send(ws, { id: msg.id, type: "config.saved", payload: { ok: true } });
+      }
       break;
     }
     default:
@@ -1601,9 +1601,6 @@ function serveToolbarBundle(res) {
 }
 // src/proxy.ts
-var gunzipAsync = promisify(gunzip);
-var inflateAsync = promisify(inflate);
-var brotliAsync = promisify(brotliDecompress);
 function createProxyServer(targetHost, targetPort, roots) {
   const proxy = httpProxy.createProxyServer({
     target: `http://${targetHost}:${targetPort}`,
@@ -1611,6 +1608,9 @@ function createProxyServer(targetHost, targetPort, roots) {
     selfHandleResponse: true
   });
   const token = getSessionToken();
+  proxy.on("proxyReq", (proxyReq) => {
+    proxyReq.removeHeader("Accept-Encoding");
+  });
   proxy.on("proxyRes", (proxyRes, req, res) => {
     const contentType = proxyRes.headers["content-type"] || "";
     const isHtml = contentType.includes("text/html");
@@ -1619,32 +1619,20 @@ function createProxyServer(targetHost, targetPort, roots) {
       proxyRes.pipe(res);
       return;
     }
-    collectBody(proxyRes).then((body) => {
-      const toolbarScript = buildInjectionScript(token);
-      if (body.includes("</body>")) {
-        body = body.replace("</body>", `${toolbarScript}</body>`);
-      } else if (body.includes("</html>")) {
-        body = body.replace("</html>", `${toolbarScript}</html>`);
-      } else {
-        body += toolbarScript;
-      }
-      const headers = { ...proxyRes.headers };
-      delete headers["content-length"];
-      delete headers["content-encoding"];
-      delete headers["transfer-encoding"];
-      delete headers["content-security-policy"];
-      delete headers["content-security-policy-report-only"];
-      delete headers["x-content-security-policy"];
-      delete headers["etag"];
-      delete headers["last-modified"];
-      res.writeHead(proxyRes.statusCode || 200, headers);
-      res.end(body);
-    }).catch(() => {
-      try {
-        res.writeHead(proxyRes.statusCode || 200, proxyRes.headers);
-        res.end();
-      } catch {
-      }
+    const headers = { ...proxyRes.headers };
+    delete headers["content-length"];
+    delete headers["content-encoding"];
+    delete headers["transfer-encoding"];
+    delete headers["content-security-policy"];
+    delete headers["content-security-policy-report-only"];
+    delete headers["x-content-security-policy"];
+    delete headers["etag"];
+    delete headers["last-modified"];
+    headers["cache-control"] = "no-store";
+    res.writeHead(proxyRes.statusCode || 200, headers);
+    proxyRes.pipe(res, { end: false });
+    proxyRes.on("end", () => {
+      res.end(buildInjectionScript(token));
     });
   });
   proxy.on("error", (err, _req, res) => {
@@ -1675,46 +1663,8 @@ function createProxyServer(targetHost, targetPort, roots) {
   });
   return server;
 }
-async function collectBody(stream) {
-  const rawBuffer = await new Promise((resolve3, reject) => {
-    const chunks = [];
-    stream.on("data", (chunk) => chunks.push(chunk));
-    stream.on("end", () => resolve3(Buffer.concat(chunks)));
-    stream.on("error", reject);
-  });
-  const encoding = (stream.headers["content-encoding"] || "").toLowerCase();
-  if (!encoding || encoding === "identity") {
-    return rawBuffer.toString("utf-8");
-  }
-  try {
-    let decompressed;
-    if (encoding === "gzip" || encoding === "x-gzip") {
-      decompressed = await gunzipAsync(rawBuffer);
-    } else if (encoding === "deflate") {
-      decompressed = await inflateAsync(rawBuffer);
-    } else if (encoding === "br") {
-      decompressed = await brotliAsync(rawBuffer);
-    } else {
-      return rawBuffer.toString("utf-8");
-    }
-    return decompressed.toString("utf-8");
-  } catch {
-    return rawBuffer.toString("utf-8");
-  }
-}
 function buildInjectionScript(token) {
-  return `
-<script data-openmagic="true">
-(function() {
-  if (window.__OPENMAGIC_LOADED__) return;
-  window.__OPENMAGIC_LOADED__ = true;
-  window.__OPENMAGIC_TOKEN__ = "${token}";
-  var s = document.createElement("script");
-  s.src = "/__openmagic__/toolbar.js";
-  s.dataset.openmagic = "true";
-  document.body.appendChild(s);
-})();
-</script>`;
+  return `<script src="/__openmagic__/toolbar.js?v=${Date.now()}" data-openmagic="true" data-openmagic-token="${token}" defer></script>`;
 }
 // src/detect.ts
@@ -1740,6 +1690,8 @@ var COMMON_DEV_PORTS = [
   // Common alternate
   4e3,
   // Phoenix, generic
+  5e3,
+  // Flask
   1234,
   // Parcel
   4321,
@@ -1891,7 +1843,7 @@ process.on("uncaughtException", (err) => {
   process.exit(1);
 });
 var childProcesses = [];
-var VERSION2 = "0.12.0";
+var VERSION2 = "0.14.0";
 function ask(question) {
   const rl = createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve3) => {