sunpeak 0.20.42 → 0.20.49

package/dist/inspector/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const require_chunk = require("../chunk-Cek0wNdY.cjs");
-const require_inspector = require("../inspector-DOmiG64-.cjs");
+const require_inspector = require("../inspector-BGnxpdOn.cjs");
 const require_inspector_url = require("../inspector-url-BxScdDag.cjs");
 const require_discovery = require("../discovery-31_n0zcu.cjs");
 //#region src/inspector/index.ts

package/dist/inspector/index.js

@@ -1,5 +1,5 @@
 import { Ct as __exportAll } from "../protocol-bhrz2H_E.js";
-import { S as registerHostShell, _ as extractResourceCSP, a as SidebarCollapsibleControl, b as getHostShell, c as SidebarSelect, d as SimpleSidebar, f as ThemeProvider, g as IframeResource, h as useInspectorState, i as SidebarCheckbox, l as SidebarTextarea, m as useMcpConnection, n as flattenAppToSimulations, o as SidebarControl, p as useThemeContext, r as resolveServerToolResult, s as SidebarInput, t as Inspector, u as SidebarToggle, v as McpAppHost, x as getRegisteredHosts, y as SCREEN_WIDTHS } from "../inspector-C6n8zap3.js";
+import { S as registerHostShell, _ as extractResourceCSP, a as SidebarCollapsibleControl, b as getHostShell, c as SidebarSelect, d as SimpleSidebar, f as ThemeProvider, g as IframeResource, h as useInspectorState, i as SidebarCheckbox, l as SidebarTextarea, m as useMcpConnection, n as flattenAppToSimulations, o as SidebarControl, p as useThemeContext, r as resolveServerToolResult, s as SidebarInput, t as Inspector, u as SidebarToggle, v as McpAppHost, x as getRegisteredHosts, y as SCREEN_WIDTHS } from "../inspector-DvduUVNG.js";
 import { t as createInspectorUrl } from "../inspector-url-xUMGbWis.js";
 import { c as toPascalCase, i as findResourceKey, n as extractSimulationKey, r as findResourceDirs, s as getComponentName, t as extractResourceKey } from "../discovery-DOVner--.js";
 //#region src/inspector/index.ts

package/dist/{inspector-DOmiG64-.cjs → inspector-BGnxpdOn.cjs}

@@ -3481,20 +3481,50 @@ var twMerge = /* @__PURE__ */ createTailwindMerge(getDefaultConfig);
 function cn(...inputs) {
 	return twMerge(clsx(inputs));
 }
+function currentPageIsLoopback() {
+	if (typeof window === "undefined") return true;
+	return isLocalNetworkHostname(window.location.hostname);
+}
+function normalizeHostname(hostname) {
+	return hostname.toLowerCase().replace(/^\[(.*)\]$/, "$1");
+}
+function isLocalNetworkHostname(hostname) {
+	const host = normalizeHostname(hostname);
+	if (host === "localhost" || host === "0.0.0.0" || host === "::1") return true;
+	if (host.startsWith("127.")) return true;
+	const ipv4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+	if (ipv4) {
+		const octets = ipv4.slice(1).map(Number);
+		if (octets.some((octet) => octet < 0 || octet > 255)) return false;
+		const [a, b] = octets;
+		return a === 10 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254;
+	}
+	return host.startsWith("fc") || host.startsWith("fd") || host.startsWith("fe80:");
+}
 /**
 * Returns true when `icon` is safe to use as the `src` of an `<img>` rendered
-* inside the inspector chrome. Accepts http(s) URLs and `data:image/*` URIs
-* for raster image types only. SVG data URIs are rejected because they can
-* include `<script>`/event handlers that execute when the document parses
-* the inline document (the `<img>` tag itself does not run scripts in modern
-* browsers, but adjacent <object>/<embed>/<iframe> renders would). Anything
-* else (emoji, plain text, javascript:, file:, etc.) falls through to the
-* text-rendering path that already handles emoji icons.
+* inside the inspector chrome. Accepts https URLs, local http URLs while the
+* inspector itself is running locally, and `data:image/*` URIs for raster image
+* types only. SVG data URIs are rejected because they can include
+* `<script>`/event handlers that execute when the document parses the inline
+* document (the `<img>` tag itself does not run scripts in modern browsers,
+* but adjacent <object>/<embed>/<iframe> renders would). Anything else (emoji,
+* plain text, javascript:, file:, etc.) falls through to the text-rendering
+* path that already handles emoji icons.
 */
 function isAllowedIconUrl(icon) {
-	if (icon.startsWith("https://") || icon.startsWith("http://")) return true;
-	if (icon.startsWith("data:image/png") || icon.startsWith("data:image/jpeg") || icon.startsWith("data:image/gif") || icon.startsWith("data:image/webp")) return true;
-	return false;
+	if (/^data:image\/(?:png|jpeg|gif|webp)(?:[;,]|$)/i.test(icon)) return true;
+	let url;
+	try {
+		url = new URL(icon);
+	} catch {
+		return false;
+	}
+	if (url.protocol !== "http:" && url.protocol !== "https:") return false;
+	const inspectorIsLocal = currentPageIsLoopback();
+	if (isLocalNetworkHostname(url.hostname) && !inspectorIsLocal) return false;
+	if (url.protocol === "http:" && !inspectorIsLocal) return false;
+	return true;
 }
 //#endregion
 //#region src/inspector/hosts.ts
@@ -4527,7 +4557,7 @@ registerHostShell({
 }`
 });
 //#endregion
-//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.7.2_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__react-_f5b843da9146ebea748e10ad8dfce46a/node_modules/@modelcontextprotocol/ext-apps/dist/src/app-bridge.js
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.7.3_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__react-_198afb8973c94867da191e43eebfe140/node_modules/@modelcontextprotocol/ext-apps/dist/src/app-bridge.js
 ((X) => typeof require < "u" ? require : typeof Proxy < "u" ? new Proxy(X, { get: (Y, Z) => (typeof require < "u" ? require : Y)[Z] }) : X)(function(X) {
 	if (typeof require < "u") return require.apply(this, arguments);
 	throw Error("Dynamic require of \"" + X + "\" is not supported");
@@ -5992,16 +6022,12 @@ var SUNPEAK_INLINE_HELPER_SCRIPT = `
 //#region src/inspector/iframe-resource.tsx
 /**
 * Allowed origins for cross-origin script loading.
-* - Local development: localhost, 127.0.0.1, file://
 * - Production: sunpeak-prod-app-storage.s3.us-east-2.amazonaws.com (serves user scripts)
+*
+* Loopback script URLs are handled separately in isAllowedUrl() so hosted
+* inspectors cannot be tricked into loading scripts from a visitor's machine.
 */
-var ALLOWED_SCRIPT_ORIGINS = [
-	"https://sunpeak-prod-app-storage.s3.us-east-2.amazonaws.com",
-	"http://localhost",
-	"https://localhost",
-	"http://127.0.0.1",
-	"https://127.0.0.1"
-];
+var ALLOWED_SCRIPT_ORIGINS = ["https://sunpeak-prod-app-storage.s3.us-east-2.amazonaws.com"];
 /**
 * Escapes HTML special characters to prevent XSS via attribute injection.
 */
@@ -9519,4 +9545,4 @@ Object.defineProperty(exports, "useThemeContext", {
 	}
 });
 
-//# sourceMappingURL=inspector-DOmiG64-.cjs.map
+//# sourceMappingURL=inspector-BGnxpdOn.cjs.map