npm - sliccy - Versions diffs - 3.43.0 → 3.45.0 - Mend

sliccy 3.43.0 → 3.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/README.md CHANGED Viewed

@@ -11,7 +11,7 @@ If this scares, confuses, or excites you, keep reading.
 # slicc — Self-Licking Ice Cream Cone
-[![63% Vibe_Coded](https://img.shields.io/badge/63%25-Vibe_Coded-ff69b4?style=for-the-badge&logo=claude&logoColor=white)](https://github.com/ai-ecoverse/vibe-coded-badge-action)
+[![60% Vibe_Coded](https://img.shields.io/badge/60%25-Vibe_Coded-ff69b4?style=for-the-badge&logo=claude&logoColor=white)](https://github.com/ai-ecoverse/vibe-coded-badge-action)
 [![npm](https://img.shields.io/npm/v/sliccy)](https://www.npmjs.com/package/sliccy)

package/dist/node-server/electron-controller.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { type ChildProcess } from 'child_process';
+import { type ElectronInspectableTarget } from './electron-runtime.js';
 interface RunningProcessInfo {
     pid: number;
     commandLine: string;
@@ -31,9 +32,20 @@ export declare function decodePngPixels(base64Data: string): {
  * sampling a grid of pixels for performance.
  */
 export declare function computeAverageLuminance(pixels: Buffer, width: number, height: number, sampleStep?: number): number;
+/**
+ * Resolve the `Fetch.enable` origin pattern for CSP-bypass escalation. Mirrors
+ * swift-server's `OverlayTargetSession.fetchProxyOrigin` (Wave 5): prefer the
+ * parent page's http(s) origin so interception is byte-for-byte the same as
+ * before, but for `file://` (or other no-http-origin) targets fall back to the
+ * overlay iframe's own `http://localhost:<servePort>` origin — that is what
+ * actually needs unblocking when the parent is a local file.
+ */
+export declare function resolveFetchProxyOrigin(targetUrl: string, servePort: number): string;
 export declare class ElectronOverlayInjector {
     private readonly cdpPort;
+    private readonly servePort;
     private readonly bootstrapScript;
+    private readonly probeDelayMs;
     private readonly connections;
     private readonly cspBypassedTargets;
     private syncTimer;
@@ -45,6 +57,25 @@ export declare class ElectronOverlayInjector {
         dev: boolean;
         projectRoot: string;
     }): Promise<ElectronOverlayInjector>;
+    /**
+     * Test-only factory: skips bundle loading and lets tests drive the per-target
+     * connect flow directly with a controllable probe delay. Mirrors swift-server's
+     * `_testing_*` hooks on `ElectronOverlayInjector`.
+     */
+    static _createForTesting(options: {
+        cdpPort?: number;
+        servePort: number;
+        bootstrapScript?: string;
+        probeDelayMs?: number;
+    }): ElectronOverlayInjector;
+    /** Test-only: drive the per-target connect flow without going through `start`. */
+    _testingConnectToTarget(target: ElectronInspectableTarget): void;
+    /** Test-only: seed the per-target "already bypassed" guard. */
+    _testingSeedBypassedTarget(url: string): void;
+    /** Test-only: snapshot the per-target "already bypassed" guard set. */
+    _testingBypassedTargets(): ReadonlySet<string>;
+    /** Test-only: close any sockets opened by `_testingConnectToTarget`. */
+    _testingCloseConnections(): void;
     start(): Promise<void>;
     stop(): void;
     private syncTargets;
@@ -53,6 +84,41 @@ export declare class ElectronOverlayInjector {
      * Returns true if the iframe element exists and has started loading content.
      */
     private probeOverlayIframeLoaded;
+    /**
+     * Build a script that sets the SLICC theme preference in localStorage to
+     * match the target app's detected theme, then runs the bootstrap.
+     */
+    private buildThemedBootstrap;
+    /**
+     * Handle the initial CDP `ws.on('open', ...)` event for a target: enable
+     * Runtime/Page, set CSP bypass, detect theme, inject the overlay, and (on a
+     * first connect) probe whether the overlay iframe actually loaded — falling
+     * back to a CSP-bypass reload by setting `state.pendingReload` and
+     * `state.pendingCspEscalation` for the message handler to continue from.
+     *
+     * Mutating flow flags (`pendingReload`, `pendingCspEscalation`,
+     * `fetchProxyActive`) live on the shared `state` object so this helper
+     * preserves the original closure-driven control flow exactly.
+     */
+    private handleSocketOpen;
+    /**
+     * Handle `Page.loadEventFired` after a CSP-bypass reload: re-inject the
+     * themed overlay, then (if this load came from the simple-reload path) probe
+     * the iframe again and, if still blocked, escalate to the Fetch HTTP proxy
+     * which strips CSP from the document response. The proxy reload also sets
+     * `pendingReload` again so the next `loadEventFired` re-injects on top of
+     * the stripped response.
+     */
+    private handlePageLoadAfterReload;
+    /**
+     * Handle a single `Fetch.requestPaused` event under the active Fetch proxy:
+     * pass non-HTML requests straight through with `Fetch.continueRequest`, and
+     * proxy HTML document requests through Node http/https so the response can
+     * be returned via `Fetch.fulfillRequest` with CSP and hop-by-hop headers
+     * stripped. `Fetch.fulfillRequest` is intentionally fire-and-forget — there
+     * is no CDP reply for fulfill, and the response body is the document body.
+     */
+    private handleFetchRequestPaused;
     private connectToTarget;
 }
 export {};