pmx-canvas 0.1.3 → 0.1.5

package/CHANGELOG.md

@@ -3,6 +3,144 @@
 All notable changes to `pmx-canvas` are documented here. This project follows
 [Semantic Versioning](https://semver.org/).
 
+## [0.1.5] - 2026-04-26
+
+Image-validation hardening + CLI ergonomics. The boundary where untrusted
+file paths become canvas state now validates magic bytes, and common CLI
+typos produce one-line suggestions instead of help-block dumps.
+
+### Added
+
+- **Magic-byte validation for local image nodes.** PNG / JPEG / GIF / SVG /
+  WebP / BMP / ICO / AVIF headers are sniffed before a file becomes an
+  `image` node. A file renamed `screenshot.png` containing PowerPoint XML
+  is now rejected with a clear error before it reaches the renderer.
+- **macOS cloud-on-demand placeholder detection.** Files in iCloud Drive,
+  OneDrive, etc. that are not yet downloaded locally are detected via
+  `stat -f %Xf` flags and rejected with a hint to download them first —
+  no more silent freezes when an iCloud-only file is dropped on the canvas.
+- **`/bin/dd` escape hatch with a 5s timeout** for macOS-only paths where
+  the direct fs read could hang on an unresponsive volume (e.g. an
+  unmounted SMB share that still satisfies `existsSync`). Distinguishes
+  timeout (`SIGTERM` / `ETIMEDOUT`) from generic spawn failures so the
+  cloud-storage hint isn't shown for unrelated errors.
+- **CLI typo hints for resource subcommands.**
+  - `pmx-canvas node delete <id>` and `pmx-canvas node rm <id>` exit 1 with
+    `Did you mean: pmx-canvas node remove?`.
+  - `pmx-canvas edge delete <id>` and `pmx-canvas edge rm <id>` get the
+    same treatment.
+  - `pmx-canvas node pin <id>` redirects to the top-level
+    `pmx-canvas pin <id>` command.
+
+### Changed
+
+- **`GET /api/canvas/image/:id` is now async** (`fs/promises.readFile`) and
+  validates content before serving — returns **400** on invalid image bytes
+  instead of 200 with `application/octet-stream`.
+- **Bare `pmx-canvas node` (no subcommand)** now exits 1 with structured
+  JSON instead of printing the resource help block. Use
+  `pmx-canvas node --help` for the listing.
+
+### Internal
+
+- New module `src/server/image-source.ts` extracts and extends image
+  validation from `canvas-operations.ts`. Same error contract; richer
+  checks. The MCP and HTTP layers both flow through `addCanvasNode`, so
+  CLAUDE.md rule #5 (four-layer parity) is preserved without touching
+  the SDK or MCP server.
+- Direct fs read is the fast path on every platform (no fork, no shell);
+  `dd` is only consulted on macOS as a fallback when direct read fails on
+  a path that wasn't flagged as a placeholder.
+- Real magic-byte fixtures in `tests/unit/canvas-operations.test.ts` (was:
+  `*.png` extension smoke tests). New HTTP coverage in
+  `tests/unit/server-api.test.ts` for valid / invalid / missing image
+  paths. New CLI coverage for `node delete`, `node pin`, `edge delete`,
+  `edge rm` typo hints.
+
+[0.1.5]: https://github.com/pskoett/pmx-canvas/releases/tag/v0.1.5
+
+## [0.1.4] - 2026-04-26
+
+Graph/CLI ergonomics + canvas-node taxonomy hardening. Three threads:
+(1) full graph payload surface (`zKey`, `axisKey`, `metrics`, `series`,
+`barKey`/`lineKey`, `barColor`/`lineColor`) reaches CLI/MCP/HTTP/batch with
+both kebab-case and camelCase flag aliases, (2) `mcp-app` nodes serialize a
+`kind` discriminator so agents can target `web-artifact` / `external-app` /
+`mcp-app` subtypes without inspecting `data`, (3) the long-standing
+`ext-app-ext-app-…` double-prefix bug on node IDs is fixed with explicit
+`nodeId` propagation through SSE.
+
+### Added
+
+- Serialized `kind` discriminator on every canvas node. `mcp-app` nodes now
+  surface as `web-artifact`, `external-app`, or `mcp-app` so agents can
+  filter via `node list --type web-artifact` or
+  `--type external-app` directly.
+- Full graph payload surface on MCP, HTTP `validate-spec`, and `batch`:
+  `zKey`, `axisKey`, `metrics`, `series`, `barKey`, `lineKey`, `barColor`,
+  `lineColor`. Radar (`metrics`), stacked-bar (`series`), and composed
+  (`barKey`/`lineKey`) configs are now uniformly addressable.
+- CLI camelCase aliases for graph flags: `--graphType`, `--xKey`, `--yKey`,
+  `--zKey`, `--axisKey`, `--barKey`, `--lineKey`, `--barColor`,
+  `--lineColor`, alongside existing kebab-case forms. Same fields land in
+  `canvas_validate_spec` and `canvas_batch`.
+- `id` field on `external-app add` / `canvas_open_mcp_app` /
+  `canvas_add_diagram` responses (alias for the canvas node ID, matches
+  HTTP).
+- `viewerType: 'web-artifact'` persisted on web-artifact mcp-app nodes for
+  authoritative `kind` classification.
+
+### Changed
+
+- `SerializedCanvasNode` now includes `kind: string` (additive; consumers
+  grouping by `type === 'mcp-app'` should switch to `kind`).
+- `canvas://summary` `typeCounts` keys are derived from `kind`, not `type` —
+  `mcp-app` totals split into `web-artifact` / `external-app` / `mcp-app`.
+- Charts wrap with type-specific CSS modifier classes
+  (`pmx-chart--line/--bar/--pie/--area/--scatter/--radar/--stacked-bar/--composed`)
+  and per-type minimum widths, so axes don't clip in narrow nodes.
+- `canvas-schema.ts` cleanup based on the v0.1.4 review:
+  - `nodeHeight` no longer aliases `height` (collision with the chart-content
+    `height` field). Use `--node-height` going forward; `--height` always
+    means chart content height.
+  - `stdin` removed from the `data` and `appTsx` aliases — `--stdin` is an
+    input-mode (read from pipe), not a flag synonym. Behavior unchanged;
+    schema is now accurate.
+
+### Fixed
+
+- Excalidraw / external-app node IDs no longer double-prefix to
+  `ext-app-ext-app-…`. The canvas node ID retains the `ext-app-` prefix; the
+  `toolCallId` is the random suffix only.
+- SSE `ext-app-open` / `ext-app-update` / `ext-app-result` events now carry
+  an explicit `nodeId` so the client and server agree on node identity even
+  after the ID-format change.
+- `getCanvasNodeKind` precedence reordered so a future URL-only web-artifact
+  (no `data.path`) still classifies correctly via `viewerType`. The legacy
+  `hostMode + path` heuristic is now an explicitly-documented backwards-compat
+  fallback for canvas state.json files persisted before v0.1.4.
+
+### Internal
+
+- `findCanvasExtAppNodeId` extracted into `src/server/ext-app-lookup.ts` and
+  shared between `src/server/index.ts` and `src/server/server.ts` (was
+  duplicated; drift risk eliminated).
+- `shouldReplayAppToolResult` documented with explicit intent: only `isError`
+  or `structuredContent` results overwrite the bootstrap-replay
+  `toolResult`, so a plain-text `read_checkpoint`-style return doesn't
+  clobber widget state on reload.
+- E2E coverage now exercises camelCase graph flags and asserts the
+  single-prefix node-ID fix.
+- New unit coverage:
+  - `kind` discriminator across fresh, URL-only, legacy, ext-app, and
+    plain-mcp-app paths (6 tests).
+  - Camel-case graph flags in CLI.
+  - Full-surface graph validation in MCP `canvas_validate_spec`.
+  - Single-prefix node-ID round-trip in `external-app add`.
+  - Post-restart text-tool replay semantics.
+
+[0.1.4]: https://github.com/pskoett/pmx-canvas/releases/tag/v0.1.4
+
 ## [0.1.3] - 2026-04-25
 
 CLI hardening release with full MCP parity for the new affordances. Closes