veryfront 0.1.129 → 0.1.131

package/esm/src/platform/compat/framework-source-resolver.js

@@ -1,7 +1,8 @@
 import { join } from "./path/index.js";
 import { createFileSystem } from "./fs.js";
-import { getFrameworkRootFromMeta } from "./vfs-paths.js";
+import { getFrameworkRoot, getFrameworkRootFromMeta } from "./vfs-paths.js";
 export const FRAMEWORK_ROOT = getFrameworkRootFromMeta(globalThis[Symbol.for("import-meta-ponyfill-esmodule")](import.meta).url);
+export const FRAMEWORK_SRC_DIR = join(FRAMEWORK_ROOT, "src");
 export const FRAMEWORK_EMBEDDED_SRC_DIR = join(FRAMEWORK_ROOT, "dist", "framework-src");
 export const DEFAULT_FRAMEWORK_SOURCE_EXTENSIONS = [
     ".tsx.src",
@@ -31,6 +32,40 @@ export function getFrameworkSourceLookupDirs(extraLookupDirs = []) {
         return true;
     });
 }
+export function isFrameworkSourcePath(path) {
+    return path.startsWith(`${FRAMEWORK_SRC_DIR}/`) ||
+        path.startsWith(`${FRAMEWORK_EMBEDDED_SRC_DIR}/`);
+}
+function expandFrameworkCandidatePaths(candidatePath) {
+    const candidates = [candidatePath];
+    const candidateRoot = getFrameworkRoot(candidatePath);
+    const candidateSrcDir = candidateRoot ? join(candidateRoot, "src") : FRAMEWORK_SRC_DIR;
+    const candidateEmbeddedDir = candidateRoot
+        ? join(candidateRoot, "dist", "framework-src")
+        : FRAMEWORK_EMBEDDED_SRC_DIR;
+    if (candidatePath.startsWith(`${candidateSrcDir}/`)) {
+        const relativePath = candidatePath.slice(candidateSrcDir.length + 1);
+        candidates.push(join(candidateEmbeddedDir, relativePath));
+    }
+    return [...new Set(candidates)];
+}
+async function findExistingFrameworkCandidate(candidatePath, options = {}) {
+    const fs = options.fileSystem ?? createFileSystem();
+    const exists = options.exists ?? (async (path) => {
+        try {
+            const stat = await fs.stat(path);
+            return stat.isFile;
+        }
+        catch {
+            return false;
+        }
+    });
+    for (const candidate of expandFrameworkCandidatePaths(candidatePath)) {
+        if (await exists(candidate))
+            return candidate;
+    }
+    return null;
+}
 export async function resolveFrameworkSourcePath(relativePathWithoutExt, options = {}) {
     const fs = options.fileSystem ?? createFileSystem();
     const lookupDirs = getFrameworkSourceLookupDirs(options.extraLookupDirs);
@@ -60,3 +95,44 @@ export async function resolveFrameworkSourcePath(relativePathWithoutExt, options
     }
     return null;
 }
+export async function resolveRelativeFrameworkSourceImport(specifier, fromSourcePath, options = {}) {
+    const extensions = options.extensions ?? DEFAULT_FRAMEWORK_SOURCE_EXTENSIONS;
+    const fromDir = fromSourcePath.substring(0, fromSourcePath.lastIndexOf("/"));
+    const parts = fromDir.split("/").filter(Boolean);
+    const importParts = specifier.split("/").filter(Boolean);
+    for (const part of importParts) {
+        if (part === "..") {
+            parts.pop();
+        }
+        else if (part !== ".") {
+            parts.push(part);
+        }
+    }
+    const basePath = "/" + parts.join("/");
+    if (/\.(tsx?|jsx?|mjs)$/.test(specifier)) {
+        const explicitCandidates = [basePath, `${basePath}.src`];
+        if (basePath.endsWith(".js") || basePath.endsWith(".mjs")) {
+            const stem = basePath.replace(/\.(?:m?js)$/, "");
+            for (const ext of [".ts", ".tsx", ".jsx", ".js", ".mjs"]) {
+                explicitCandidates.push(`${stem}${ext}.src`, `${stem}${ext}`);
+            }
+        }
+        for (const candidate of explicitCandidates) {
+            const resolved = await findExistingFrameworkCandidate(candidate, options);
+            if (resolved)
+                return resolved;
+        }
+        return null;
+    }
+    for (const ext of extensions) {
+        const candidate = await findExistingFrameworkCandidate(basePath + ext, options);
+        if (candidate)
+            return candidate;
+    }
+    for (const ext of extensions) {
+        const candidate = await findExistingFrameworkCandidate(join(basePath, "index" + ext), options);
+        if (candidate)
+            return candidate;
+    }
+    return null;
+}

package/esm/src/rendering/rsc/client-boot.ts

@@ -6,6 +6,7 @@
 import type { ClientModuleStrategy } from "./client-module-strategy.ts";
 import {
   buildClientModuleUrl,
+  type ClientRuntimeHydrationData,
   getHydrationReactImportSpecifiers,
   readHydrationData,
   resolveClientModuleStrategy,
@@ -58,6 +59,18 @@ export function selectHydrationRoot<T extends HydrationRootCandidate>(
     fallback;
 }
 
+interface RSCBootDocument {
+  getElementById(id: string): Element | null;
+}
+
+export function shouldAttemptRSCTransport(
+  doc: RSCBootDocument,
+  hydrationData: ClientRuntimeHydrationData | null,
+): boolean {
+  if (hydrationData?.pagePath) return false;
+  return !!doc.getElementById(RSC_ROOT_ID);
+}
+
 async function tryStream(q: string): Promise<boolean> {
   try {
     const res = await fetch(RSC_PATH_PREFIX + "stream" + q);
@@ -151,8 +164,12 @@ export async function boot(): Promise<void> {
       console.debug?.("[RSC] Found page component in hydration data:", pagePath);
       if (await hydratePageComponent(pagePath, clientModuleStrategy)) {
         console.debug?.("[RSC] Client component hydrated successfully");
-        return;
       }
+      return;
+    }
+
+    if (!shouldAttemptRSCTransport(document, hydrationData)) {
+      return;
     }
 
     if (await tryStream(q)) {

package/esm/src/server/handlers/preview/markdown-html-generator.d.ts

@@ -24,6 +24,8 @@ interface MarkdownHtmlOptions {
     projectId: string;
     /** File path of the markdown file. */
     filePath: string;
+    /** CSP nonce for inline scripts. */
+    nonce?: string;
 }
 /**
  * Generate a complete HTML document for markdown preview rendering.

package/esm/src/server/handlers/preview/markdown-html-generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"markdown-html-generator.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-html-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAKrD,oDAAoD;AACpD,UAAU,mBAAmB;IAC3B,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;IACzB,gDAAgD;IAChD,GAAG,EAAE,GAAG,CAAC;IACT,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAuDD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,CA0FzE"}
+{"version":3,"file":"markdown-html-generator.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-html-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAMrD,oDAAoD;AACpD,UAAU,mBAAmB;IAC3B,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;IACzB,gDAAgD;IAChD,GAAG,EAAE,GAAG,CAAC;IACT,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAyDD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,CA2FzE"}

package/esm/src/server/handlers/preview/markdown-html-generator.js

@@ -1,4 +1,5 @@
 import { escapeHtml } from "../../../utils/html-escape.js";
+import { buildNonceAttribute } from "../../../html/html-escape.js";
 /**
  * Detect the preferred color theme from request parameters and client hints.
  *
@@ -23,10 +24,11 @@ function detectTheme(req, url) {
  * Generate the studio bridge `<script>` tag.
  * Injected only when embedded in Studio (`studio_embed=true`).
  */
-function buildStudioScript(url, projectId, filePath) {
+function buildStudioScript(url, projectId, filePath, nonce) {
     const studioEmbed = url.searchParams.get("studio_embed") === "true";
     if (!studioEmbed)
         return "";
+    const nonceAttr = buildNonceAttribute(nonce);
     const rawQueryProjectId = url.searchParams.get("vf_project_id")?.trim() || "";
     // Validate query param before using it in bridge config.
     const queryProjectId = /^[a-zA-Z0-9_-]+$/.test(rawQueryProjectId) ? rawQueryProjectId : "";
@@ -40,8 +42,8 @@ function buildStudioScript(url, projectId, filePath) {
     };
     // Escape </script> sequences to prevent XSS breakout from inline JSON
     const safeJson = JSON.stringify(bridgeConfig).replace(/</g, "\\u003c");
-    return `<script>window.__VF_BRIDGE_CONFIG__=${safeJson};</script>
-  <script type="module" src="/_veryfront/studio-bridge.js"></script>`;
+    return `<script${nonceAttr}>window.__VF_BRIDGE_CONFIG__=${safeJson};</script>
+  <script type="module" src="/_veryfront/studio-bridge.js"${nonceAttr}></script>`;
 }
 /**
  * Generate a complete HTML document for markdown preview rendering.
@@ -51,10 +53,11 @@ function buildStudioScript(url, projectId, filePath) {
  * studio bridge integration.
  */
 export function generateMarkdownHtml(options) {
-    const { rawHtml, title, description, request, url, projectId, filePath } = options;
+    const { rawHtml, title, description, request, url, projectId, filePath, nonce } = options;
     const theme = detectTheme(request, url);
-    const studioScript = buildStudioScript(url, projectId, filePath);
+    const studioScript = buildStudioScript(url, projectId, filePath, nonce);
     const themeAttrs = theme ? ` data-theme="${theme}" style="color-scheme: ${theme};"` : "";
+    const nonceAttr = buildNonceAttribute(nonce);
     return `<!DOCTYPE html>
 <html lang="en"${themeAttrs}>
 <head>
@@ -75,7 +78,7 @@ export function generateMarkdownHtml(options) {
 
   ${studioScript}
 
-  <script type="module">
+  <script type="module"${nonceAttr}>
     import mermaid from 'https://esm.sh/mermaid@11.4.1?pin=v135';
 
     function getMermaidTheme() {
@@ -135,7 +138,7 @@ export function generateMarkdownHtml(options) {
   </script>
 
   <!-- Preview HMR -->
-  <script src="/_veryfront/preview-hmr.js"></script>
+  <script src="/_veryfront/preview-hmr.js"${nonceAttr}></script>
 </body>
 </html>`;
 }

package/esm/src/server/handlers/preview/markdown-preview.handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"markdown-preview.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-preview.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAgBnG,qBAAa,sBAAuB,SAAQ,WAAW;IACrD,QAAQ,EAAE,eAAe,CAKvB;IAEI,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;YAmEjE,cAAc;CAiF7B"}
+{"version":3,"file":"markdown-preview.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-preview.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAgBnG,qBAAa,sBAAuB,SAAQ,WAAW;IACrD,QAAQ,EAAE,eAAe,CAKvB;IAEI,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;YAmEjE,cAAc;CAoF7B"}

package/esm/src/server/handlers/preview/markdown-preview.handler.js

@@ -103,6 +103,7 @@ export class MarkdownPreviewHandler extends BaseHandler {
                 return this.continue();
             }
             const bundle = await compileMarkdownRuntime("development", ctx.projectDir, body, frontmatter, filePath, "server");
+            const responseBuilder = this.createResponseBuilder(ctx);
             const html = generateMarkdownHtml({
                 rawHtml: bundle.rawHtml || "",
                 title: frontmatter.title != null ? String(frontmatter.title) : filePath,
@@ -111,15 +112,17 @@ export class MarkdownPreviewHandler extends BaseHandler {
                 url,
                 projectId: ctx.projectSlug || ctx.projectId || "markdown-preview",
                 filePath,
+                nonce: responseBuilder.nonce,
             });
-            const responseBuilder = this.createResponseBuilder(ctx)
+            responseBuilder
                 .withCache("no-cache")
-                .withContentType("text/html; charset=utf-8", html, HTTP_OK);
+                .withSecurity(ctx.securityConfig ?? undefined, req);
+            const response = responseBuilder.withContentType("text/html; charset=utf-8", html, HTTP_OK);
             logger.debug("Serving markdown preview", {
                 filePath,
                 htmlLength: html.length,
             });
-            return this.respond(responseBuilder);
+            return this.respond(response);
         }
         catch (error) {
             logger.error("Error rendering markdown", {

package/esm/src/server/handlers/request/api/project-discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"project-discovery.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/project-discovery.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AA8CrD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAkE/E"}
+{"version":3,"file":"project-discovery.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/project-discovery.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AA+DrD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA8D/E"}

package/esm/src/server/handlers/request/api/project-discovery.js

@@ -12,6 +12,21 @@ const logger = serverLogger.component("api-wrapper");
  * allows retry on failure (the key is deleted if discovery rejects).
  */
 const discoveredProjects = new Map();
+function buildDiscoveryConfig(ctx) {
+    const ai = ctx.config?.ai;
+    const skillDiscoveryEnabled = ai?.skills?.discovery?.enabled ?? true;
+    return {
+        baseDir: ctx.projectDir,
+        toolDirs: ai?.tools?.discovery?.paths ?? ["tools"],
+        agentDirs: ai?.agents?.discovery?.paths ?? ["agents"],
+        skillDirs: skillDiscoveryEnabled ? (ai?.skills?.discovery?.paths ?? ["skills"]) : [],
+        resourceDirs: ["resources"],
+        promptDirs: ["prompts"],
+        workflowDirs: ["workflows"],
+        fsAdapter: ctx.adapter.fs,
+        verbose: false,
+    };
+}
 /** Build a discovery cache key that incorporates the release/version. */
 function discoveryKey(ctx) {
     const cacheContext = tryGetCacheKeyContext();
@@ -59,11 +74,7 @@ export async function ensureProjectDiscovery(ctx) {
         clearTranspileCache();
         agentRegistry.clear();
         toolRegistry.clear();
-        const result = await discoverAll({
-            baseDir: ctx.projectDir,
-            fsAdapter: ctx.adapter.fs,
-            verbose: false,
-        });
+        const result = await discoverAll(buildDiscoveryConfig(ctx));
         const logData = {
             projectSlug: ctx.projectSlug,
             releaseId: ctx.releaseId,

package/esm/src/server/handlers/request/api/security-headers.d.ts

@@ -3,4 +3,5 @@ import type { HandlerContext } from "../../types.js";
 export declare function buildCSP(ctx: HandlerContext): string;
 export declare function getSecurityHeader(headerName: string, defaultValue: string, ctx: HandlerContext): string;
 export declare function applySecurityHeaders(headers: dntShim.Headers, ctx: HandlerContext, req?: dntShim.Request): void;
+export declare function applySecurityHeadersWithNonce(headers: dntShim.Headers, ctx: HandlerContext, nonce: string, req?: dntShim.Request): void;
 //# sourceMappingURL=security-headers.d.ts.map

package/esm/src/server/handlers/request/api/security-headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AACxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAarD,wBAAgB,QAAQ,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAQpD;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,cAAc,GAClB,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAa/G"}
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AACxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAarD,wBAAgB,QAAQ,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAQpD;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,cAAc,GAClB,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAE/G;AAED,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,OAAO,CAAC,OAAO,EACxB,GAAG,EAAE,cAAc,EACnB,KAAK,EAAE,MAAM,EACb,GAAG,CAAC,EAAE,OAAO,CAAC,OAAO,GACpB,IAAI,CAaN"}

package/esm/src/server/handlers/request/api/security-headers.js

@@ -10,7 +10,10 @@ export function getSecurityHeader(headerName, defaultValue, ctx) {
     return coreGetSecurityHeader(headerName, defaultValue, ctx.securityConfig, ctx.adapter);
 }
 export function applySecurityHeaders(headers, ctx, req) {
-    coreApplySecurityHeaders(headers, isDev(ctx), generateNonce(), ctx.cspUserHeader ?? null, ctx.securityConfig, ctx.adapter, ctx.parsedDomain?.allowIframeEmbed ?? false);
+    applySecurityHeadersWithNonce(headers, ctx, generateNonce(), req);
+}
+export function applySecurityHeadersWithNonce(headers, ctx, nonce, req) {
+    coreApplySecurityHeaders(headers, isDev(ctx), nonce, ctx.cspUserHeader ?? null, ctx.securityConfig, ctx.adapter, ctx.parsedDomain?.allowIframeEmbed ?? false);
     if (req) {
         applyCsrfCookie(req, headers, ctx.securityConfig?.csrf);
     }

package/esm/src/server/handlers/request/openapi-docs.handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openapi-docs.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/request/openapi-docs.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAWnG,qBAAa,kBAAmB,SAAQ,WAAW;IACjD,QAAQ,EAAE,eAAe,CAKvB;cAEiB,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO;IAMnF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAazE,OAAO,CAAC,gBAAgB;CAsCzB"}
+{"version":3,"file":"openapi-docs.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/request/openapi-docs.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAWnG,qBAAa,kBAAmB,SAAQ,WAAW;IACjD,QAAQ,EAAE,eAAe,CAKvB;cAEiB,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO;IAMnF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAezE,OAAO,CAAC,gBAAgB;CAwCzB"}

package/esm/src/server/handlers/request/openapi-docs.handler.js

@@ -1,6 +1,6 @@
 import { BaseHandler } from "../response/base.js";
 import { HTTP_OK, PRIORITY_HIGH_DEV } from "../../../utils/constants/index.js";
-import { escapeHtml } from "../../../html/html-escape.js";
+import { buildNonceAttribute, escapeHtml } from "../../../html/html-escape.js";
 /** Default paths */
 const DEFAULT_DOCS_PATH = "/_docs";
 const DEFAULT_JSON_PATH = "/_openapi.json";
@@ -21,17 +21,20 @@ export class OpenAPIDocsHandler extends BaseHandler {
     handle(req, ctx) {
         if (!this.shouldHandle(req, ctx))
             return Promise.resolve(this.continue());
-        const html = this.generateDocsPage(ctx);
         const isDev = !!ctx.isLocalProject;
-        const response = this.createResponseBuilder(ctx)
+        const builder = this.createResponseBuilder(ctx);
+        const html = this.generateDocsPage(ctx, builder.nonce);
+        const response = builder
             .withCache(isDev ? "no-cache" : { maxAge: DOCS_CACHE_MAX_AGE_SECONDS, public: true })
+            .withSecurity(ctx.securityConfig ?? undefined, req)
             .withContentType("text/html; charset=utf-8", html, HTTP_OK);
         return Promise.resolve(this.respond(response));
     }
-    generateDocsPage(ctx) {
+    generateDocsPage(ctx, nonce) {
         const specUrl = ctx.config?.openapi?.paths?.json ?? DEFAULT_JSON_PATH;
         const title = escapeHtml(ctx.config?.openapi?.title ?? "API Documentation");
         const description = escapeHtml(ctx.config?.openapi?.description ?? "");
+        const nonceAttr = buildNonceAttribute(nonce);
         const configuration = JSON.stringify({
             theme: "purple",
             layout: "modern",
@@ -47,7 +50,7 @@ export class OpenAPIDocsHandler extends BaseHandler {
   <meta name="viewport" content="width=device-width, initial-scale=1"/>
   <title>${title}</title>
   ${description ? `<meta name="description" content="${description}"/>` : ""}
-  <style>
+  <style${nonceAttr}>
     body {
       margin: 0;
       padding: 0;
@@ -59,8 +62,9 @@ export class OpenAPIDocsHandler extends BaseHandler {
     id="api-reference"
     data-url="${specUrl}"
     data-configuration='${configuration}'
+    ${nonce ? `nonce="${escapeHtml(nonce)}"` : ""}
   ></script>
-  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"${nonceAttr}></script>
 </body>
 </html>`;
     }

package/esm/src/server/handlers/request/rsc/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/rsc/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EAEf,aAAa,EACd,MAAM,gBAAgB,CAAC;AAQxB,qBAAa,UAAW,SAAQ,WAAW;IACzC,QAAQ,EAAE,eAAe,CAIvB;IAEF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;CAmD1E"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/rsc/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EAEf,aAAa,EACd,MAAM,gBAAgB,CAAC;AASxB,qBAAa,UAAW,SAAQ,WAAW;IACzC,QAAQ,EAAE,eAAe,CAIvB;IAEF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;CAqD1E"}

package/esm/src/server/handlers/request/rsc/index.js

@@ -7,10 +7,11 @@ import * as dntShim from "../../../../../_dnt.shims.js";
 import { BaseHandler } from "../../response/base.js";
 import { isRSCEnabled } from "../../../../utils/index.js";
 import { handleRSCEndpoint } from "../../../services/rsc/endpoints/index.js";
-import { applySecurityHeaders } from "../api/security-headers.js";
+import { applySecurityHeadersWithNonce } from "../api/security-headers.js";
 import { applyCORSHeaders } from "../../../../security/index.js";
 import { HTTP_NOT_FOUND, PRIORITY_MEDIUM } from "../../../../utils/constants/index.js";
 import { withSpan } from "../../../../observability/tracing/otlp-setup.js";
+import { generateNonce } from "../../../../security/http/response/security-handler.js";
 export class RSCHandler extends BaseHandler {
     metadata = {
         name: "RSCHandler",
@@ -29,6 +30,7 @@ export class RSCHandler extends BaseHandler {
             if (!isRSCEnabled(ctx.config) && !isHydrationScript && !isDeprecatedEndpoint) {
                 return this.respond(new dntShim.Response("Not Found", { status: HTTP_NOT_FOUND }));
             }
+            const nonce = generateNonce();
             const res = await handleRSCEndpoint({
                 req,
                 pathname,
@@ -36,6 +38,7 @@ export class RSCHandler extends BaseHandler {
                 projectId: ctx.projectId,
                 adapter: ctx.adapter,
                 config: ctx.config,
+                nonce,
             });
             if (!res) {
                 return this.continue();
@@ -46,7 +49,7 @@ export class RSCHandler extends BaseHandler {
                 headers,
                 config: ctx.securityConfig?.cors,
             });
-            applySecurityHeaders(headers, ctx, req);
+            applySecurityHeadersWithNonce(headers, ctx, nonce, req);
             return this.respond(new dntShim.Response(res.body, {
                 status: res.status,
                 statusText: res.statusText,

package/esm/src/server/handlers/request/ssr/ssr-response-builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssr-response-builder.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/ssr/ssr-response-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAGxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGrD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4CAA4C,CAAC;AAElF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+CAA+C,CAAC;AAErF;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,CAAC,OAAO,EACpB,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,eAAe,EACvB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAkD3B"}
+{"version":3,"file":"ssr-response-builder.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/ssr/ssr-response-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAGxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGrD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4CAA4C,CAAC;AAElF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+CAA+C,CAAC;AAWrF;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,CAAC,OAAO,EACpB,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,eAAe,EACvB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAuD3B"}

package/esm/src/server/handlers/request/ssr/ssr-response-builder.js

@@ -10,6 +10,11 @@ import * as dntShim from "../../../../../_dnt.shims.js";
 import { hasMatchingEtag } from "../../utils/etag.js";
 import { getContentType } from "../../utils/content-types.js";
 import { ErrorPages } from "../../../utils/error-html.js";
+import { escapeHtml } from "../../../../html/html-escape.js";
+function addNonceToInlineTags(html, nonce) {
+    const escapedNonce = escapeHtml(nonce);
+    return html.replace(/<(script|style)\b(?![^>]*\bnonce\s*=)([^>]*)>/giu, `<$1$2 nonce="${escapedNonce}">`);
+}
 /**
  * Build an HTTP response from an SSR render result.
  *
@@ -41,8 +46,13 @@ export async function buildSSRResponse(req, ctx, result, builder) {
             .notModified(result.etag);
     }
     // Buffered response path
-    const content = result.html || result.stream || ErrorPages.serverError();
-    const body = isHeadRequest ? null : content;
+    const content = typeof result.html === "string"
+        ? result.html
+        : typeof result.stream === "string"
+            ? result.stream
+            : ErrorPages.serverError();
+    const html = addNonceToInlineTags(content, builder.nonce);
+    const body = isHeadRequest ? null : html;
     let response = builder
         .withCORS(req, ctx.securityConfig?.cors)
         .withSecurity(ctx.securityConfig ?? undefined, req)

package/esm/src/server/handlers/response/not-found.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"not-found.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/response/not-found.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AASnG,qBAAa,eAAgB,SAAQ,WAAW;IAC9C,QAAQ,EAAE,eAAe,CAIvB;IAEF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAgCzE,OAAO,CAAC,eAAe;CA2GxB"}
+{"version":3,"file":"not-found.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/response/not-found.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AASnG,qBAAa,eAAgB,SAAQ,WAAW;IAC9C,QAAQ,EAAE,eAAe,CAIvB;IAEF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IA8BzE,OAAO,CAAC,eAAe;CA4GxB"}

package/esm/src/server/handlers/response/not-found.js

@@ -1,7 +1,7 @@
 import { BaseHandler } from "./base.js";
 import { ResponseBuilder } from "../../../security/index.js";
 import { HTTP_INTERNAL_SERVER_ERROR, HTTP_NOT_FOUND, PRIORITY_FALLBACK, } from "../../../utils/constants/index.js";
-import { escapeHtml } from "../../../html/html-escape.js";
+import { buildNonceAttribute, escapeHtml } from "../../../html/html-escape.js";
 export class NotFoundHandler extends BaseHandler {
     metadata = {
         name: "NotFoundHandler",
@@ -10,35 +10,34 @@ export class NotFoundHandler extends BaseHandler {
     };
     handle(req, ctx) {
         const pathname = new URL(req.url).pathname;
-        const securityConfig = ctx.securityConfig;
-        const corsConfig = ctx.securityConfig?.cors;
         try {
-            const html = this.generate404Html(pathname);
-            const response = ResponseBuilder.html(html, req, {
-                securityConfig,
-                corsConfig,
-                cache: "no-cache",
-                status: HTTP_NOT_FOUND,
-            });
+            const builder = this.createResponseBuilder(ctx);
+            const html = this.generate404Html(pathname, builder.nonce);
+            const response = builder
+                .withCORS(req, ctx.securityConfig?.cors)
+                .withSecurity(ctx.securityConfig ?? undefined, req)
+                .withCache("no-cache")
+                .html(html, HTTP_NOT_FOUND);
             return Promise.resolve(this.respond(response));
         }
         catch (e) {
             this.logDebug("404 fallback error", { error: this.getErrorMessage(e) }, ctx);
             const response = ResponseBuilder.error(HTTP_INTERNAL_SERVER_ERROR, "Internal Server Error", req, {
-                securityConfig,
-                corsConfig,
+                securityConfig: ctx.securityConfig,
+                corsConfig: ctx.securityConfig?.cors,
             });
             return Promise.resolve(this.respond(response));
         }
     }
-    generate404Html(pathname) {
+    generate404Html(pathname, nonce) {
+        const nonceAttr = buildNonceAttribute(nonce);
         return `<!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="utf-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1"/>
     <title>404 Not Found</title>
-    <style>
+    <style${nonceAttr}>
         body {
             font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
             margin: 0;
@@ -132,7 +131,7 @@ export class NotFoundHandler extends BaseHandler {
         </p>
         <div class="actions">
             <a href="/" class="button">Go Home</a>
-            <a href="javascript:history.back()" class="button secondary">Go Back</a>
+            <a href=".." class="button secondary">Go Back</a>
         </div>
     </div>
 </body>

package/esm/src/server/services/rsc/endpoints/endpoint-router.d.ts

@@ -9,5 +9,5 @@ import type { RSCEndpointParams } from "./types.js";
  * @param params - RSC endpoint parameters
  * @returns Response or null if not an RSC endpoint
  */
-export declare function handleRSCEndpoint({ req, pathname, projectDir, projectId, adapter, config }: RSCEndpointParams): Promise<dntShim.Response | null>;
+export declare function handleRSCEndpoint({ req, pathname, projectDir, projectId, adapter, config, nonce }: RSCEndpointParams): Promise<dntShim.Response | null>;
 //# sourceMappingURL=endpoint-router.d.ts.map

package/esm/src/server/services/rsc/endpoints/endpoint-router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"endpoint-router.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/endpoints/endpoint-router.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAexD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAKpD;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,iBAAiB,GAC3E,OAAO,CAAC,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAyHlC"}
+{"version":3,"file":"endpoint-router.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/endpoints/endpoint-router.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAexD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAKpD;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAClF,OAAO,CAAC,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAyHlC"}

package/esm/src/server/services/rsc/endpoints/endpoint-router.js

@@ -19,7 +19,7 @@ const rscLog = serverLogger.component("rsc");
  * @param params - RSC endpoint parameters
  * @returns Response or null if not an RSC endpoint
  */
-export async function handleRSCEndpoint({ req, pathname, projectDir, projectId, adapter, config }) {
+export async function handleRSCEndpoint({ req, pathname, projectDir, projectId, adapter, config, nonce }) {
     if (!pathname.startsWith("/_veryfront/rsc/")) {
         return null;
     }
@@ -51,7 +51,7 @@ export async function handleRSCEndpoint({ req, pathname, projectDir, projectId,
         }
         if (sub.startsWith("page/")) {
             metrics.recordRSC("page");
-            return handler.handlePage(sub.replace("page/", ""), url.searchParams);
+            return handler.handlePage(sub.replace("page/", ""), url.searchParams, nonce);
         }
         if (sub.startsWith("stream/")) {
             metrics.recordRSC("stream");
@@ -97,7 +97,7 @@ export async function handleRSCEndpoint({ req, pathname, projectDir, projectId,
         }
         if (sub === "page") {
             metrics.recordRSC("page");
-            return handler.handlePage("/", url.searchParams);
+            return handler.handlePage("/", url.searchParams, nonce);
         }
         if (sub === "stream") {
             metrics.recordRSC("stream");

package/esm/src/server/services/rsc/endpoints/rsc-bundles.generated.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rsc-bundles.generated.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/endpoints/rsc-bundles.generated.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,EAAE,MACkgrB,CAAC;AAEpirB,eAAO,MAAM,iBAAiB,EAAE,MACgpiB,CAAC"}
+{"version":3,"file":"rsc-bundles.generated.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/endpoints/rsc-bundles.generated.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,EAAE,MACunrB,CAAC;AAEzprB,eAAO,MAAM,iBAAiB,EAAE,MACgpiB,CAAC"}