sunpeak 0.13.5 → 0.13.6
- package/dist/chatgpt/iframe-resource.d.ts +6 -0
- package/dist/chatgpt/index.cjs +1 -1
- package/dist/chatgpt/index.js +1 -1
- package/dist/{index-FiqdlIXV.cjs → index-B_In_BWg.cjs} +38 -5
- package/dist/{index-FiqdlIXV.cjs.map → index-B_In_BWg.cjs.map} +1 -1
- package/dist/{index-BMqwRYBo.js → index-CkEAx7FS.js} +37 -4
- package/dist/{index-BMqwRYBo.js.map → index-CkEAx7FS.js.map} +1 -1
- package/dist/index.cjs +1 -1
- package/dist/index.js +2 -2
- package/package.json +1 -1
- package/template/dist/albums/albums.json +1 -1
- package/template/dist/carousel/carousel.json +1 -1
- package/template/dist/map/map.json +1 -1
- package/template/dist/review/review.json +1 -1
- package/template/node_modules/.vite/deps/_metadata.json +22 -22
- package/template/node_modules/.vite/vitest/da39a3ee5e6b4b0d3255bfef95601890afd80709/results.json +1 -1
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@modelcontextprotocol_ext-apps.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@modelcontextprotocol_ext-apps.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@modelcontextprotocol_ext-apps_app-bridge.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@modelcontextprotocol_ext-apps_app-bridge.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@modelcontextprotocol_ext-apps_react.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@modelcontextprotocol_ext-apps_react.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Avatar.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Avatar.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Button.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Button.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Checkbox.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Checkbox.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Icon.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Icon.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Input.js +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Input.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_SegmentedControl.js +3 -3
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_SegmentedControl.js.map +0 -0
- package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Select.js +6 -6
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Select.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Textarea.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_components_Textarea.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_theme.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/@openai_apps-sdk-ui_theme.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-3FUH6LFP.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-3FUH6LFP.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-4EQ7FTMQ.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-4EQ7FTMQ.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-4WVD247F.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-4WVD247F.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-ABGJ7IDC.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-ABGJ7IDC.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-DP4XHQAG.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-DP4XHQAG.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-EGRHWZRV.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-EGRHWZRV.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-EHI2XMPP.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-EHI2XMPP.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-JWMBYPFX.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-JWMBYPFX.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-PZDCUP6P.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-PZDCUP6P.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-Q2RBUOJ3.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-Q2RBUOJ3.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-SPDZ46BB.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-SPDZ46BB.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-WEIC4XKX.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-WEIC4XKX.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-WSHFT23M.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-WSHFT23M.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-XQARMNNG.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/chunk-XQARMNNG.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/clsx.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/clsx.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/embla-carousel-react.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/embla-carousel-react.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/embla-carousel-wheel-gestures.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/embla-carousel-wheel-gestures.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/mapbox-gl.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/mapbox-gl.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/package.json +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react-dom.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react-dom.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react-dom_client.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react-dom_client.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react_jsx-dev-runtime.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react_jsx-dev-runtime.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react_jsx-runtime.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/react_jsx-runtime.js.map +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/tailwind-merge.js +0 -0
- /package/template/node_modules/.vite-mcp/{deps_temp_f77cfa16 → deps_temp_170f8fb8}/tailwind-merge.js.map +0 -0
|
@@ -20,6 +20,11 @@ export interface ResourceCSP {
|
|
|
20
20
|
/** Domains allowed for scripts, images, styles, fonts */
|
|
21
21
|
resourceDomains?: string[];
|
|
22
22
|
}
|
|
23
|
+
/**
|
|
24
|
+
* Validates a CSP source entry is a safe origin URL (scheme + host + optional port).
|
|
25
|
+
* Rejects wildcards, CSP keywords, and whitespace that could inject extra directives.
|
|
26
|
+
*/
|
|
27
|
+
declare function isValidCspSource(source: string): boolean;
|
|
23
28
|
/**
|
|
24
29
|
* Generates a Content Security Policy string.
|
|
25
30
|
*/
|
|
@@ -85,6 +90,7 @@ export declare function IframeResource({ src, scriptSrc, hostContext, toolInput,
|
|
|
85
90
|
export declare const _testExports: {
|
|
86
91
|
escapeHtml: typeof escapeHtml;
|
|
87
92
|
isAllowedUrl: typeof isAllowedUrl;
|
|
93
|
+
isValidCspSource: typeof isValidCspSource;
|
|
88
94
|
generateCSP: typeof generateCSP;
|
|
89
95
|
generateScriptHtml: typeof generateScriptHtml;
|
|
90
96
|
ALLOWED_SCRIPT_ORIGINS: string[];
|
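Review bot: The doc comment added for `isValidCspSource` in the first hunk promises more than the implementation shown further down this page enforces. The body rejects only the exact string `*` and then checks the scheme of `new URL(source)`, so a wildcard host such as `https://*.example.com` appears to pass (the URL parser treats `*` as an ordinary host character), and so does a URL carrying a path or query, while the raw string is what gets added to `connect-src` and the resource directives. Either tighten the check, for example by also requiring `!url.hostname.includes("*") && url.origin === source`, or reword the comment to `Accepts any http(s)/ws(s) URL without whitespace, ';', ',' or quotes; rejects only the bare '*' wildcard.` so integrators do not treat it as an origin allowlist.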
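--- a/package/dist/chatgpt/index.cjs
+++ b/package/dist/chatgpt/index.cjs
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const chatgpt_index = require("../index-
+const chatgpt_index = require("../index-B_In_BWg.cjs");
 const discovery = require("../discovery-CRR3SlyI.cjs");
 exports.ChatGPTSimulator = chatgpt_index.ChatGPTSimulator;
 exports.IframeResource = chatgpt_index.IframeResource;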
package/dist/chatgpt/index.js
CHANGED
|
@@ -5442,7 +5442,7 @@ const useEscCloseStack = (listening, cb) => {
|
|
|
5442
5442
|
}, [id, listening, latestCallback]);
|
|
5443
5443
|
};
|
|
5444
5444
|
const __vite_import_meta_env__ = { "DEV": false, "MODE": "production" };
|
|
5445
|
-
const META_ENV = typeof { url: typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-
|
|
5445
|
+
const META_ENV = typeof { url: typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-B_In_BWg.cjs", document.baseURI).href } !== "undefined" ? __vite_import_meta_env__ : void 0;
|
|
5446
5446
|
const NODE_ENV = typeof process !== "undefined" && process.env?.NODE_ENV ? process.env?.NODE_ENV : "production";
|
|
5447
5447
|
const isDev = NODE_ENV === "development" || !!META_ENV?.DEV;
|
|
5448
5448
|
const isJSDomLike = typeof navigator !== "undefined" && /(jsdom|happy-dom)/i.test(navigator.userAgent) || typeof globalThis.happyDOM === "object";
|
|
@@ -14094,6 +14094,16 @@ class McpAppHost {
|
|
|
14094
14094
|
if (this.options.onOpenLink) {
|
|
14095
14095
|
this.options.onOpenLink(url);
|
|
14096
14096
|
} else {
|
|
14097
|
+
try {
|
|
14098
|
+
const parsed = new URL(url);
|
|
14099
|
+
if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
|
|
14100
|
+
console.warn("[MCP App] openLink blocked non-http(s) URL:", url);
|
|
14101
|
+
return {};
|
|
14102
|
+
}
|
|
14103
|
+
} catch {
|
|
14104
|
+
console.warn("[MCP App] openLink blocked invalid URL:", url);
|
|
14105
|
+
return {};
|
|
14106
|
+
}
|
|
14097
14107
|
window.open(url, "_blank");
|
|
14098
14108
|
}
|
|
14099
14109
|
return {};
|
|
@@ -14175,6 +14185,7 @@ class McpAppHost {
|
|
|
14175
14185
|
const id = ++this._fenceId;
|
|
14176
14186
|
return new Promise((resolve) => {
|
|
14177
14187
|
const handler = (event) => {
|
|
14188
|
+
if (event.source !== win) return;
|
|
14178
14189
|
if (event.data?.method === "sunpeak/fence-ack" && event.data.params?.fenceId === id) {
|
|
14179
14190
|
cleanup();
|
|
14180
14191
|
resolve();
|
|
@@ -14317,6 +14328,15 @@ function isAllowedUrl(src) {
|
|
|
14317
14328
|
}
|
|
14318
14329
|
}
|
|
14319
14330
|
const SDK_RESOURCE_DOMAINS = ["https://cdn.openai.com"];
|
|
14331
|
+
function isValidCspSource(source) {
|
|
14332
|
+
if (!source || /[\s;,']/.test(source) || source === "*") return false;
|
|
14333
|
+
try {
|
|
14334
|
+
const url = new URL(source);
|
|
14335
|
+
return url.protocol === "http:" || url.protocol === "https:" || url.protocol === "ws:" || url.protocol === "wss:";
|
|
14336
|
+
} catch {
|
|
14337
|
+
return false;
|
|
14338
|
+
}
|
|
14339
|
+
}
|
|
14320
14340
|
function generateCSP(csp, scriptSrc) {
|
|
14321
14341
|
let scriptOrigin = "";
|
|
14322
14342
|
try {
|
|
@@ -14334,14 +14354,26 @@ function generateCSP(csp, scriptSrc) {
|
|
|
14334
14354
|
const connectSources = /* @__PURE__ */ new Set(["'self'"]);
|
|
14335
14355
|
if (scriptOrigin) connectSources.add(scriptOrigin);
|
|
14336
14356
|
if (csp?.connectDomains) {
|
|
14337
|
-
for (const domain of csp.connectDomains)
|
|
14357
|
+
for (const domain of csp.connectDomains) {
|
|
14358
|
+
if (isValidCspSource(domain)) {
|
|
14359
|
+
connectSources.add(domain);
|
|
14360
|
+
} else {
|
|
14361
|
+
console.warn("[IframeResource] Ignoring invalid CSP connect domain:", domain);
|
|
14362
|
+
}
|
|
14363
|
+
}
|
|
14338
14364
|
}
|
|
14339
14365
|
directives.push(`connect-src ${Array.from(connectSources).join(" ")}`);
|
|
14340
14366
|
const resourceSources = /* @__PURE__ */ new Set(["'self'", "data:", "blob:"]);
|
|
14341
14367
|
if (scriptOrigin) resourceSources.add(scriptOrigin);
|
|
14342
14368
|
for (const domain of SDK_RESOURCE_DOMAINS) resourceSources.add(domain);
|
|
14343
14369
|
if (csp?.resourceDomains) {
|
|
14344
|
-
for (const domain of csp.resourceDomains)
|
|
14370
|
+
for (const domain of csp.resourceDomains) {
|
|
14371
|
+
if (isValidCspSource(domain)) {
|
|
14372
|
+
resourceSources.add(domain);
|
|
14373
|
+
} else {
|
|
14374
|
+
console.warn("[IframeResource] Ignoring invalid CSP resource domain:", domain);
|
|
14375
|
+
}
|
|
14376
|
+
}
|
|
14345
14377
|
}
|
|
14346
14378
|
const resourceList = Array.from(resourceSources).join(" ");
|
|
14347
14379
|
directives.push(`img-src ${resourceList}`);
|
|
@@ -14352,8 +14384,9 @@ function generateCSP(csp, scriptSrc) {
|
|
|
14352
14384
|
function generateScriptHtml(scriptSrc, theme, cspPolicy) {
|
|
14353
14385
|
const safeScriptSrc = escapeHtml(scriptSrc);
|
|
14354
14386
|
const safeCsp = escapeHtml(cspPolicy);
|
|
14387
|
+
const safeTheme = escapeHtml(theme);
|
|
14355
14388
|
return `<!DOCTYPE html>
|
|
14356
|
-
<html lang="en" data-theme="${
|
|
14389
|
+
<html lang="en" data-theme="${safeTheme}">
|
|
14357
14390
|
<head>
|
|
14358
14391
|
<meta charset="UTF-8" />
|
|
14359
14392
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
@@ -15100,4 +15133,4 @@ exports.clsx = clsx;
|
|
|
15100
15133
|
exports.createSimulatorUrl = createSimulatorUrl;
|
|
15101
15134
|
exports.index = index;
|
|
15102
15135
|
exports.useThemeContext = useThemeContext;
|
|
15103
|
-
//# sourceMappingURL=index-
|
|
15136
|
+
//# sourceMappingURL=index-B_In_BWg.cjs.map
|
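Review bot: In the `openLink` hunk (`@@ -14094,6 +14094,16 @@ class McpAppHost`) the URL is now restricted to http(s), but the fallback still calls `window.open(url, "_blank")` without a features string, so the opened page keeps a `window.opener` reference to the host window and can navigate it. The return value is not used in the visible lines, so `window.open(url, "_blank", "noopener,noreferrer");` should be a drop-in change. The scheme check also sits only in the `else` branch, which means a caller-supplied `onOpenLink` still receives the unvalidated `url`; if that is not intended, hoist the `try` block above the `if`. The enclosing method starts and ends outside the hunk.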