veryfront 0.1.112 → 0.1.113

package/esm/src/modules/react-loader/ssr-module-loader/http-bundle-helpers.js

@@ -32,42 +32,23 @@ function extractVfModulePaths(code) {
     return paths;
 }
 /**
- * Recursively extract all HTTP bundle paths from code and any VF modules it imports.
- * This ensures transitive HTTP bundle dependencies through VF modules are discovered.
+ * Visit VF module code blocks imported by the given module, including nested VF modules.
+ * The visitor receives both the module code and the absolute vfmod file path.
  */
-export async function extractAllHttpBundlePathsRecursive(code) {
-    const allBundles = [];
-    const seenHashes = new Set();
+export async function visitImportedVfModules(code, visitor) {
     const seenVfModules = new Set();
-    const fs = createFileSystem();
-    // Helper to add bundles without duplicates
-    const addBundles = (bundles) => {
-        for (const bundle of bundles) {
-            if (!seenHashes.has(bundle.hash)) {
-                seenHashes.add(bundle.hash);
-                allBundles.push(bundle);
-            }
-        }
-    };
-    // Process initial code
-    const directBundles = extractHttpBundlePaths(code);
-    addBundles(directBundles);
-    // Process VF module imports recursively
     const pendingVfModules = extractVfModulePaths(code);
+    const fs = createFileSystem();
     while (pendingVfModules.length > 0) {
         const vfModulePath = pendingVfModules.pop();
         if (seenVfModules.has(vfModulePath))
             continue;
         seenVfModules.add(vfModulePath);
-        // Check if the VF module exists locally
         if (!(await exists(vfModulePath)))
             continue;
         try {
             const vfModuleCode = await fs.readTextFile(vfModulePath);
-            // Extract HTTP bundles from this VF module
-            const vfBundles = extractHttpBundlePaths(vfModuleCode);
-            addBundles(vfBundles);
-            // Extract more VF modules for recursive processing
+            await visitor(vfModuleCode, vfModulePath);
             const nestedVfModules = extractVfModulePaths(vfModuleCode);
             for (const nestedPath of nestedVfModules) {
                 if (!seenVfModules.has(nestedPath)) {
@@ -79,6 +60,31 @@ export async function extractAllHttpBundlePathsRecursive(code) {
             /* expected: VF module file may fail to read */
         }
     }
+}
+/**
+ * Recursively extract all HTTP bundle paths from code and any VF modules it imports.
+ * This ensures transitive HTTP bundle dependencies through VF modules are discovered.
+ */
+export async function extractAllHttpBundlePathsRecursive(code) {
+    const allBundles = [];
+    const seenHashes = new Set();
+    // Helper to add bundles without duplicates
+    const addBundles = (bundles) => {
+        for (const bundle of bundles) {
+            if (!seenHashes.has(bundle.hash)) {
+                seenHashes.add(bundle.hash);
+                allBundles.push(bundle);
+            }
+        }
+    };
+    // Process initial code
+    const directBundles = extractHttpBundlePaths(code);
+    addBundles(directBundles);
+    await visitImportedVfModules(code, (vfModuleCode) => {
+        // Extract HTTP bundles from this VF module
+        const vfBundles = extractHttpBundlePaths(vfModuleCode);
+        addBundles(vfBundles);
+    });
     return allBundles;
 }
 /** Extract HTTP bundle paths from transformed code for proactive recovery */
@@ -132,6 +138,27 @@ export function extractAllFilePaths(code) {
     }
     return paths;
 }
+/**
+ * Extract all file:// paths from cached code and any transitively imported VF modules.
+ * This catches stale pod-local paths that only appear in nested vfmod dependencies.
+ */
+export async function extractAllFilePathsRecursive(code) {
+    const paths = [];
+    const seen = new Set();
+    const addPaths = (entries) => {
+        for (const path of entries) {
+            if (seen.has(path))
+                continue;
+            seen.add(path);
+            paths.push(path);
+        }
+    };
+    addPaths(extractAllFilePaths(code));
+    await visitImportedVfModules(code, (vfModuleCode) => {
+        addPaths(extractAllFilePaths(vfModuleCode));
+    });
+    return paths;
+}
 /**
  * Track modules whose HTTP bundles have been verified, keyed by tempPath:contentHash.
  * Bounded LRU to prevent unbounded memory growth in long-running pods.

package/esm/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.js

@@ -17,7 +17,7 @@ import { hashCodeHex } from "../../../utils/hash-utils.js";
 import { ensureHttpBundlesExist } from "../../../transforms/esm/http-cache.js";
 import { getHttpBundleCacheDir, getMdxEsmCacheDir } from "../../../utils/cache-dir.js";
 import { globalModuleCache, globalTmpDirs } from "./cache/index.js";
-import { extractAllFilePaths, extractHttpBundlePaths, verifiedHttpBundlePaths, } from "./http-bundle-helpers.js";
+import { extractAllFilePathsRecursive, extractAllHttpBundlePathsRecursive, verifiedHttpBundlePaths, } from "./http-bundle-helpers.js";
 import { buildTempModulePath, buildTmpDirPath, getTmpDirCacheKey } from "./tmp-paths.js";
 import { ensureMdxModuleDependencies } from "../../../transforms/mdx/esm-module-loader/module-fetcher/dependency-recovery.js";
 const logger = rendererLogger.component("ssr-module-loader");
@@ -160,7 +160,7 @@ export class SSRCacheManager {
         return UNRESOLVED_VF_MODULE_IMPORT_PATTERN.test(code);
     }
     async hasMissingHttpBundles(code, filePath, source) {
-        const bundlePaths = extractHttpBundlePaths(code);
+        const bundlePaths = await extractAllHttpBundlePathsRecursive(code);
         if (bundlePaths.length === 0)
             return false;
         const cacheDir = getHttpBundleCacheDir();
@@ -177,7 +177,7 @@ export class SSRCacheManager {
         return true;
     }
     async hasMissingLocalPaths(code, filePath) {
-        const allPaths = extractAllFilePaths(code);
+        const allPaths = await extractAllFilePathsRecursive(code);
         let hasMissingPath = false;
         for (const path of allPaths) {
             try {

package/esm/src/rendering/orchestrator/html.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"html.d.ts","sourceRoot":"","sources":["../../../../src/src/rendering/orchestrator/html.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAS7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,KAAK,EACV,UAAU,EACV,UAAU,EACV,SAAS,EAET,UAAU,EACX,MAAM,sBAAsB,CAAC;AAE9B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAiBhD,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;IACxB,MAAM,EAAE,eAAe,CAAC;IACxB,IAAI,EAAE,aAAa,GAAG,YAAY,CAAC;CACpC;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,UAAU,CAAC;IACrB,UAAU,EAAE,UAAU,CAAC;IACvB,YAAY,EAAE,SAAS,GAAG,SAAS,CAAC;IACpC,aAAa,EAAE,UAAU,EAAE,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,2FAA2F;IAC3F,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIjC,gBAAgB,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,MAAM,CAAC;IAWjE,kBAAkB,CACtB,WAAW,EAAE,cAAc,EAC3B,OAAO,EAAE,IAAI,CAAC,qBAAqB,EAAE,MAAM,CAAC,GAC3C,OAAO,CAAC,cAAc,CAAC;YAmCZ,sBAAsB;YA8BtB,wBAAwB;YAmBxB,gBAAgB;YAehB,kBAAkB;IAsDhC,OAAO,CAAC,iBAAiB;IA4DzB,OAAO,CAAC,gBAAgB;IAQxB,OAAO,CAAC,cAAc;YAQR,eAAe;YAaf,gBAAgB;IAwE9B;;;;OAIG;YACW,gBAAgB;IA2D9B,OAAO,CAAC,wBAAwB;IAqBhC,OAAO,CAAC,qBAAqB;YAOf,6BAA6B;CAyD5C"}
+{"version":3,"file":"html.d.ts","sourceRoot":"","sources":["../../../../src/src/rendering/orchestrator/html.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAS7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,KAAK,EACV,UAAU,EACV,UAAU,EACV,SAAS,EAET,UAAU,EACX,MAAM,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAuHhD,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;IACxB,MAAM,EAAE,eAAe,CAAC;IACxB,IAAI,EAAE,aAAa,GAAG,YAAY,CAAC;CACpC;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,UAAU,CAAC;IACrB,UAAU,EAAE,UAAU,CAAC;IACvB,YAAY,EAAE,SAAS,GAAG,SAAS,CAAC;IACpC,aAAa,EAAE,UAAU,EAAE,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,2FAA2F;IAC3F,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIjC,gBAAgB,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,MAAM,CAAC;IAajE,kBAAkB,CACtB,WAAW,EAAE,cAAc,EAC3B,OAAO,EAAE,IAAI,CAAC,qBAAqB,EAAE,MAAM,CAAC,GAC3C,OAAO,CAAC,cAAc,CAAC;YAsCZ,sBAAsB;YA8BtB,wBAAwB;YAmBxB,gBAAgB;YAehB,kBAAkB;IAsDhC,OAAO,CAAC,iBAAiB;IA4DzB,OAAO,CAAC,gBAAgB;IAQxB,OAAO,CAAC,cAAc;YAQR,eAAe;YAaf,gBAAgB;IAwE9B;;;;OAIG;YACW,gBAAgB;IA2D9B,OAAO,CAAC,wBAAwB;IAqBhC,OAAO,CAAC,qBAAqB;YAOf,6BAA6B;CAyD5C"}

package/esm/src/rendering/orchestrator/html.js

@@ -2,6 +2,7 @@ import { join } from "../../platform/compat/path/index.js";
 import { getExtensionName } from "../../utils/path-utils.js";
 import { buildImportMapJson, extractHTMLMetadata, generateHTMLShellParts, injectHTMLContent, isFullHTMLDocument, } from "../../html/index.js";
 import { DEFAULT_DASHBOARD_PORT, rendererLogger } from "../../utils/index.js";
+import { escapeHtml } from "../../utils/html-escape.js";
 import { injectElementSelectors } from "../../studio/element-selector-injector.js";
 import { computeSourceHash } from "../../studio/hash-utils.js";
 import { extractRelativePath } from "../../utils/route-path-utils.js";
@@ -12,6 +13,92 @@ import { getRouteCandidates } from "./css-candidate-manifest.js";
 import { resolveStyleContentVersion } from "../../html/styles-builder/content-version.js";
 import { createStyleScopeProfile } from "../../html/styles-builder/style-scope-profile.js";
 const logger = rendererLogger.component("html-generator");
+function findTagEnd(html, start) {
+    let activeQuote = null;
+    for (let index = start + 1; index < html.length; index++) {
+        const char = html[index];
+        if (activeQuote) {
+            if (char === activeQuote)
+                activeQuote = null;
+            continue;
+        }
+        if (char === '"' || char === "'") {
+            activeQuote = char;
+            continue;
+        }
+        if (char === ">")
+            return index;
+    }
+    return -1;
+}
+function getOpeningTagName(tag) {
+    const match = /^<\s*([a-zA-Z][\w:-]*)/u.exec(tag);
+    const tagName = match?.[1]?.toLowerCase();
+    if (tagName === "script" || tagName === "style")
+        return tagName;
+    return undefined;
+}
+function injectNonceIntoOpeningTag(tag, escapedNonce) {
+    if (/\bnonce\s*=/iu.test(tag))
+        return tag;
+    const closeIndex = tag.lastIndexOf(">");
+    if (closeIndex === -1)
+        return tag;
+    const insertAt = /\/\s*>$/u.test(tag) ? closeIndex - 1 : closeIndex;
+    return `${tag.slice(0, insertAt)} nonce="${escapedNonce}"${tag.slice(insertAt)}`;
+}
+function addNonceToRenderedTags(html, nonce) {
+    if (!nonce)
+        return html;
+    const escapedNonce = escapeHtml(nonce);
+    const lowerHtml = html.toLowerCase();
+    let result = "";
+    let index = 0;
+    let rawTextTag = null;
+    while (index < html.length) {
+        if (rawTextTag) {
+            const closingIndex = lowerHtml.indexOf(`</${rawTextTag}`, index);
+            if (closingIndex === -1) {
+                result += html.slice(index);
+                break;
+            }
+            result += html.slice(index, closingIndex);
+            index = closingIndex;
+            rawTextTag = null;
+            continue;
+        }
+        if (html.startsWith("<!--", index)) {
+            const commentEnd = html.indexOf("-->", index + 4);
+            const endIndex = commentEnd === -1 ? html.length : commentEnd + 3;
+            result += html.slice(index, endIndex);
+            index = endIndex;
+            continue;
+        }
+        if (html[index] !== "<") {
+            result += html[index];
+            index++;
+            continue;
+        }
+        const tagEnd = findTagEnd(html, index);
+        if (tagEnd === -1) {
+            result += html.slice(index);
+            break;
+        }
+        const tag = html.slice(index, tagEnd + 1);
+        const tagName = getOpeningTagName(tag);
+        if (!tagName) {
+            result += tag;
+            index = tagEnd + 1;
+            continue;
+        }
+        result += injectNonceIntoOpeningTag(tag, escapedNonce);
+        index = tagEnd + 1;
+        if (!/\/\s*>$/u.test(tag)) {
+            rawTextTag = tagName;
+        }
+    }
+    return result;
+}
 export class HTMLGenerator {
     config;
     constructor(config) {
@@ -21,10 +108,11 @@ export class HTMLGenerator {
         const html = isFullHTMLDocument(context.html)
             ? await this.handleFullHTMLDocument(context)
             : await this.wrapHTMLFragment(context);
-        if (!context.options?.studioEmbed)
-            return html;
-        logger.debug("Injected element selectors for Studio");
-        return injectElementSelectors(html);
+        const finalHtml = context.options?.studioEmbed ? injectElementSelectors(html) : html;
+        if (context.options?.studioEmbed) {
+            logger.debug("Injected element selectors for Studio");
+        }
+        return addNonceToRenderedTags(finalHtml, context.options?.nonce);
     }
     async generateHTMLStream(reactStream, context) {
         const fullContext = context;
@@ -44,7 +132,7 @@ export class HTMLGenerator {
         }
         const { start, end } = await this.generateShellParts(fullContext, mergedFrontmatter, htmlOptions, reactContent);
         const encoder = new TextEncoder();
-        const fullHtml = `${start}${reactContent}${end}`;
+        const fullHtml = addNonceToRenderedTags(`${start}${reactContent}${end}`, context.options?.nonce);
         return new ReadableStream({
             start(controller) {
                 controller.enqueue(encoder.encode(fullHtml));

package/esm/src/rendering/snippet-renderer.js

@@ -240,7 +240,7 @@ export function renderSnippet(mdxContent, options) {
 function generateErrorHTML(error, options) {
     const message = error instanceof Error ? error.message : String(error);
     const stack = error instanceof Error ? error.stack : undefined;
-    const nonce = options.nonce ? ` nonce="${options.nonce}"` : "";
+    const nonce = options.nonce ? ` nonce="${escapeHtml(options.nonce)}"` : "";
     const stackHtml = options.mode === "development" && stack
         ? `<div class="error-stack">${escapeHtml(stack)}</div>`
         : "";

package/esm/src/security/http/response/security-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/security/http/response/security-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAQjD,wBAAgB,aAAa,IAAI,MAAM,CAItC;AAkCD,wBAAgB,QAAQ,CACtB,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GAAG,IAAI,EAC5B,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,GACvB,MAAM,CA4BR;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,GACvB,MAAM,CAMR;AAED,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,OAAO,CAAC,OAAO,EACxB,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GAAG,IAAI,EAC5B,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,EACxB,iBAAiB,CAAC,EAAE,OAAO,GAC1B,IAAI,CA6DN"}
+{"version":3,"file":"security-handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/security/http/response/security-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAQjD,wBAAgB,aAAa,IAAI,MAAM,CAItC;AAmCD,wBAAgB,QAAQ,CACtB,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GAAG,IAAI,EAC5B,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,GACvB,MAAM,CA4BR;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,GACvB,MAAM,CAMR;AAED,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,OAAO,CAAC,OAAO,EACxB,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GAAG,IAAI,EAC5B,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,EACxB,iBAAiB,CAAC,EAAE,OAAO,GAC1B,IAAI,CA6DN"}

package/esm/src/security/http/response/security-handler.js

@@ -15,8 +15,8 @@ export function generateNonce() {
  * - Scripts: nonce-based + cdn.jsdelivr.net (Scalar API docs, html2canvas,
  *   React UMD, browser inference)
  * - Styles: 'self' + 'unsafe-inline' + nonce + Google Fonts + cdn.veryfront.com
- *   (CSS-in-JS needs unsafe-inline; nonce as migration path; veryfront CDN for
- *   markdown rendering styles)
+ *   plus style-src-attr 'unsafe-inline' so React style="" attributes remain
+ *   compatible while inline <style> tags continue to use the nonce
  * - Images/media/fonts: 'self' + data: + https: + cdn.veryfront.com
  * - Connections: 'self' + wss: + https: (WebSocket for HMR/live reload, API calls)
  * - Objects: 'none' (block Flash/plugins)
@@ -30,6 +30,7 @@ function buildDefaultCSP(nonce) {
         `default-src 'self'`,
         `script-src 'self' 'nonce-${nonce}' https://cdn.jsdelivr.net`,
         `style-src 'self' 'unsafe-inline' 'nonce-${nonce}' https://fonts.googleapis.com https://cdn.veryfront.com`,
+        `style-src-attr 'unsafe-inline'`,
         `img-src 'self' data: https:`,
         `font-src 'self' data: https://fonts.gstatic.com https://cdn.veryfront.com`,
         `connect-src 'self' wss: https:`,

package/esm/src/server/dev-server/error-overlay/html-template.d.ts

@@ -1,4 +1,4 @@
 import { type ErrorInfo } from "./error-formatter.js";
 export declare function generateRuntimeScript(): string;
-export declare function generateErrorHTML(errorInfo: ErrorInfo, suggestion?: string, projectSlug?: string): string;
+export declare function generateErrorHTML(errorInfo: ErrorInfo, suggestion?: string, projectSlug?: string, nonce?: string): string;
 //# sourceMappingURL=html-template.d.ts.map

package/esm/src/server/dev-server/error-overlay/html-template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"html-template.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/dev-server/error-overlay/html-template.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAmB,MAAM,sBAAsB,CAAC;AAmBvE,wBAAgB,qBAAqB,IAAI,MAAM,CA6L9C;AAED,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,SAAS,EACpB,UAAU,CAAC,EAAE,MAAM,EACnB,WAAW,CAAC,EAAE,MAAM,GACnB,MAAM,CAuOR"}
+{"version":3,"file":"html-template.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/dev-server/error-overlay/html-template.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAmB,MAAM,sBAAsB,CAAC;AAmBvE,wBAAgB,qBAAqB,IAAI,MAAM,CA6L9C;AAED,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,SAAS,EACpB,UAAU,CAAC,EAAE,MAAM,EACnB,WAAW,CAAC,EAAE,MAAM,EACpB,KAAK,CAAC,EAAE,MAAM,GACb,MAAM,CAwOR"}

package/esm/src/server/dev-server/error-overlay/html-template.js

@@ -202,7 +202,7 @@ export function generateRuntimeScript() {
     });
   `;
 }
-export function generateErrorHTML(errorInfo, suggestion, projectSlug) {
+export function generateErrorHTML(errorInfo, suggestion, projectSlug, nonce) {
     const errorType = escapeHtml(formatErrorType(errorInfo.type));
     const errorName = escapeHtml(errorInfo.error.name);
     const errorMessage = escapeHtml(errorInfo.error.message);
@@ -211,6 +211,7 @@ export function generateErrorHTML(errorInfo, suggestion, projectSlug) {
     const errorColumn = errorInfo.column ? escapeHtml(String(errorInfo.column)) : "";
     const errorSuggestion = suggestion ? escapeHtml(suggestion) : "";
     const errorStack = errorInfo.error.stack ? escapeHtml(errorInfo.error.stack) : "";
+    const nonceAttr = nonce ? ` nonce="${escapeHtml(nonce)}"` : "";
     const fileSection = errorFile
         ? `
       <div class="error-file">
@@ -243,7 +244,7 @@ export function generateErrorHTML(errorInfo, suggestion, projectSlug) {
 <head>
   <meta charset="UTF-8">
   <title>${errorType} Error - Veryfront</title>
-  <style>
+  <style${nonceAttr}>
     body {
       margin: 0;
       padding: 20px;
@@ -350,7 +351,7 @@ export function generateErrorHTML(errorInfo, suggestion, projectSlug) {
     </div>
     ${fixButtonHtml}
   </div>
-  <script>${projectSlug
+  <script${nonceAttr}>${projectSlug
         ? `
     (function() {
       var slug = ${jsonForScript(projectSlug)};

package/esm/src/server/dev-server/error-overlay/overlay-renderer.d.ts

@@ -3,6 +3,6 @@ import { generateRuntimeScript } from "./html-template.js";
 export declare const ErrorOverlay: {
     getRuntime: typeof generateRuntimeScript;
     getSuggestion: typeof getSuggestion;
-    createHTML(errorInfo: ErrorInfo, projectSlug?: string): string;
+    createHTML(errorInfo: ErrorInfo, projectSlug?: string, nonce?: string): string;
 };
 //# sourceMappingURL=overlay-renderer.d.ts.map

package/esm/src/server/dev-server/error-overlay/overlay-renderer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"overlay-renderer.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/dev-server/error-overlay/overlay-renderer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EAAqB,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAE9E,eAAO,MAAM,YAAY;;;0BAGD,SAAS,gBAAgB,MAAM,GAAG,MAAM;CAO/D,CAAC"}
+{"version":3,"file":"overlay-renderer.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/dev-server/error-overlay/overlay-renderer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EAAqB,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAE9E,eAAO,MAAM,YAAY;;;0BAGD,SAAS,gBAAgB,MAAM,UAAU,MAAM,GAAG,MAAM;CAQ/E,CAAC"}

package/esm/src/server/dev-server/error-overlay/overlay-renderer.js

@@ -3,7 +3,7 @@ import { generateErrorHTML, generateRuntimeScript } from "./html-template.js";
 export const ErrorOverlay = {
     getRuntime: generateRuntimeScript,
     getSuggestion,
-    createHTML(errorInfo, projectSlug) {
-        return generateErrorHTML(errorInfo, errorInfo.suggestion ?? getSuggestion(errorInfo.error), projectSlug);
+    createHTML(errorInfo, projectSlug, nonce) {
+        return generateErrorHTML(errorInfo, errorInfo.suggestion ?? getSuggestion(errorInfo.error), projectSlug, nonce);
     },
 };

package/esm/src/server/services/rendering/ssr.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssr.service.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/services/rendering/ssr.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAEL,KAAK,eAAe,EAErB,MAAM,kCAAkC,CAAC;AAmB1C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAItE;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CAC5D;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB,IAAI,YAAY,CAAC;IACpC,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAAC;CAC3D;AAUD,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;IACpC,WAAW,EAAE,OAAO,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,UAAU,GAAG,OAAO,CAAC;IACpC,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,WAAW,GAAG,YAAY,GAAG,cAAc,GAAG,SAAS,CAAC;IACpE,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;IACzB,GAAG,EAAE,GAAG,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,UAAW,YAAW,cAAc;IAC/C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAA0B;IACrD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;gBAExC,OAAO,CAAC,EAAE;QACpB,SAAS,CAAC,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;QACpC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;KACrC;IAKD,mBAAmB,IAAI,YAAY;IAW7B,WAAW,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;IAI1D,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAiG1F,OAAO,CAAC,iBAAiB;IA4FzB,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;CAS1D"}
+{"version":3,"file":"ssr.service.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/services/rendering/ssr.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAEL,KAAK,eAAe,EAErB,MAAM,kCAAkC,CAAC;AAmB1C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAItE;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CAC5D;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB,IAAI,YAAY,CAAC;IACpC,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAAC;CAC3D;AAUD,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;IACpC,WAAW,EAAE,OAAO,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,UAAU,GAAG,OAAO,CAAC;IACpC,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,WAAW,GAAG,YAAY,GAAG,cAAc,GAAG,SAAS,CAAC;IACpE,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;IACzB,GAAG,EAAE,GAAG,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,UAAW,YAAW,cAAc;IAC/C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAA0B;IACrD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;gBAExC,OAAO,CAAC,EAAE;QACpB,SAAS,CAAC,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;QACpC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;KACrC;IAKD,mBAAmB,IAAI,YAAY;IAW7B,WAAW,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;IAI1D,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAiG1F,OAAO,CAAC,iBAAiB;IAiGzB,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;CAS1D"}

package/esm/src/server/services/rendering/ssr.service.js

@@ -108,10 +108,10 @@ export class SSRService {
         }
         catch (error) {
             endRenderSession(renderSessionId);
-            return this.handleRenderError(error, ctx, slug, request);
+            return this.handleRenderError(error, ctx, slug, request, nonce);
         }
     }
-    handleRenderError(error, ctx, slug, request) {
+    handleRenderError(error, ctx, slug, request, nonce) {
         const errorObj = error instanceof Error ? error : new Error(String(error));
         const isDev = ctx.isLocalProject || ctx.requestContext?.mode === "preview";
         if (error instanceof VeryfrontError && error.slug === "file-not-found") {
@@ -167,7 +167,7 @@ export class SSRService {
                     type: "runtime",
                     ...(sourceFile ? { file: sourceFile } : {}),
                     ...location,
-                }, ctx.projectSlug),
+                }, ctx.projectSlug, nonce),
                 isStreaming: false,
                 cacheStrategy: "no-cache",
                 error: errorObj,

package/esm/src/server/services/rsc/endpoints/rsc-bundles.generated.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rsc-bundles.generated.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/endpoints/rsc-bundles.generated.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,EAAE,MACgwhE,CAAC;AAElyhE,eAAO,MAAM,iBAAiB,EAAE,MACgpiB,CAAC"}
+{"version":3,"file":"rsc-bundles.generated.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/endpoints/rsc-bundles.generated.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,EAAE,MAC6whE,CAAC;AAE/yhE,eAAO,MAAM,iBAAiB,EAAE,MACgpiB,CAAC"}