veryfront 0.1.61 → 0.1.63

package/src/src/channels/invoke.ts

@@ -0,0 +1,521 @@
+import * as dntShim from "../../_dnt.shims.js";
+import type { Agent, AgentMessage as Message, AgentResponse } from "../agent/index.js";
+import { fromError } from "../errors/veryfront-error.js";
+import type { HandlerContext } from "../types/index.js";
+import { serverLogger } from "../utils/index.js";
+import { base64urlEncodeBytes } from "../utils/base64url.js";
+import { z } from "zod";
+import {
+  getAgent as getRegisteredAgent,
+  getAllAgentIds as getRegisteredAgentIds,
+} from "../agent/composition/composition.js";
+import { ensureProjectDiscovery as ensureProjectDiscoveryForProject } from "../server/handlers/request/api/project-discovery.js";
+
+const logger = serverLogger.component("channels-invoke");
+const SIGNATURE_SKEW_SECONDS = 5;
+
+const rawHistoryPartSchema = z.object({
+  type: z.string(),
+}).passthrough();
+
+const channelAttachmentSchema = z.object({
+  id: z.string(),
+  kind: z.enum(["image", "file"]),
+  filename: z.string().optional(),
+  mediaType: z.string().optional(),
+  privateUrl: z.string().optional(),
+});
+
+const channelInvokeHistoryMessageSchema = z.object({
+  id: z.string(),
+  role: z.enum(["user", "assistant", "system", "tool"]),
+  parts: z.array(rawHistoryPartSchema),
+  metadata: z.record(z.unknown()).optional(),
+  createdAt: z.string().optional(),
+});
+
+export const ChannelInvokeRequestSchema = z.object({
+  dispatchId: z.string().min(1),
+  conversationId: z.string().min(1),
+  projectId: z.string().min(1),
+  agentConfigId: z.string().min(1),
+  platform: z.literal("slack"),
+  inboundMessage: z.object({
+    text: z.string(),
+    userId: z.string(),
+    userName: z.string(),
+    isDirectMessage: z.boolean(),
+    attachments: z.array(channelAttachmentSchema).optional(),
+  }),
+  conversationHistory: z.array(channelInvokeHistoryMessageSchema),
+  generation: z.object({
+    maxResponseTokens: z.number().int().positive().max(16384).optional(),
+  }).optional(),
+});
+
+const channelTextPartSchema = z.object({
+  type: z.literal("text"),
+  text: z.string(),
+});
+
+const channelToolCallPartSchema = z.object({
+  type: z.literal("tool_call"),
+  id: z.string(),
+  name: z.string(),
+  input: z.record(z.unknown()),
+  state: z.enum(["streaming", "pending", "completed", "error"]),
+});
+
+const channelToolResultPartSchema = z.object({
+  type: z.literal("tool_result"),
+  tool_call_id: z.string(),
+  output: z.unknown(),
+  is_error: z.boolean().optional(),
+});
+
+const channelReasoningPartSchema = z.object({
+  type: z.literal("reasoning"),
+  text: z.string(),
+});
+
+const channelErrorPartSchema = z.object({
+  type: z.literal("error"),
+  code: z.string(),
+  message: z.string(),
+});
+
+export const ChannelResponsePartSchema = z.discriminatedUnion("type", [
+  channelTextPartSchema,
+  channelToolCallPartSchema,
+  channelToolResultPartSchema,
+  channelReasoningPartSchema,
+  channelErrorPartSchema,
+]);
+
+export const ChannelInvokeResponseSchema = z.object({
+  ignored: z.boolean(),
+  responseParts: z.array(ChannelResponsePartSchema).optional(),
+  tokenUsage: z.object({
+    inputTokens: z.number().int().nonnegative().optional(),
+    outputTokens: z.number().int().nonnegative().optional(),
+    totalTokens: z.number().int().nonnegative().optional(),
+  }).optional(),
+  error: z.object({
+    code: z.enum(["provider_error", "internal_error"]),
+    retryable: z.boolean(),
+  }).optional(),
+});
+
+const dispatchHeaderSchema = z.object({
+  alg: z.literal("EdDSA"),
+  typ: z.string().optional(),
+  kid: z.string().optional(),
+});
+
+const dispatchClaimsSchema = z.object({
+  iss: z.string(),
+  aud: z.string(),
+  sub: z.string(),
+  project_id: z.string(),
+  platform: z.string(),
+  body_sha256: z.string(),
+  iat: z.number().int(),
+  exp: z.number().int(),
+});
+
+export type ChannelInvokeRequest = z.infer<typeof ChannelInvokeRequestSchema>;
+export type ChannelInvokeResponse = z.infer<typeof ChannelInvokeResponseSchema>;
+
+type ChannelResponsePart = z.infer<typeof ChannelResponsePartSchema>;
+type DispatchClaims = z.infer<typeof dispatchClaimsSchema>;
+
+export interface ChannelInvokeDeps {
+  ensureProjectDiscovery: (ctx: HandlerContext) => Promise<void>;
+  getAgent: (id: string) => Agent | undefined;
+  getAllAgentIds: () => string[];
+}
+
+export const defaultChannelInvokeDeps: ChannelInvokeDeps = {
+  ensureProjectDiscovery: ensureProjectDiscoveryForProject,
+  getAgent: getRegisteredAgent,
+  getAllAgentIds: getRegisteredAgentIds,
+};
+
+function base64urlDecodeToBytes(input: string): ArrayBuffer {
+  const normalized = input
+    .replaceAll("-", "+")
+    .replaceAll("_", "/")
+    .padEnd(Math.ceil(input.length / 4) * 4, "=");
+
+  return toArrayBuffer(Uint8Array.from(atob(normalized), (char) => char.charCodeAt(0)));
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  const buffer = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(buffer).set(bytes);
+  return buffer;
+}
+
+function pemToDer(pem: string, label: string): ArrayBuffer {
+  const body = pem
+    .replace(`-----BEGIN ${label}-----`, "")
+    .replace(`-----END ${label}-----`, "")
+    .replace(/\s/g, "");
+
+  return toArrayBuffer(Uint8Array.from(atob(body), (char) => char.charCodeAt(0)));
+}
+
+async function importEd25519PublicKey(pem: string): Promise<dntShim.CryptoKey> {
+  return dntShim.crypto.subtle.importKey(
+    "spki",
+    pemToDer(pem, "PUBLIC KEY"),
+    "Ed25519",
+    false,
+    ["verify"],
+  );
+}
+
+async function sha256Base64url(body: string): Promise<string> {
+  const hash = await dntShim.crypto.subtle.digest("SHA-256", new TextEncoder().encode(body));
+  return base64urlEncodeBytes(new Uint8Array(hash));
+}
+
+export async function verifyDispatchJws(
+  jws: string,
+  body: string,
+  options: {
+    audience: string;
+    publicKeyPem: string;
+    maxAgeSeconds: number;
+    expectedProjectId?: string;
+  },
+): Promise<DispatchClaims> {
+  const parts = jws.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Channel dispatch signature must be a compact JWS");
+  }
+
+  const encodedHeader = parts[0];
+  const encodedPayload = parts[1];
+  const encodedSignature = parts[2];
+  if (!encodedHeader || !encodedPayload || !encodedSignature) {
+    throw new Error("Channel dispatch signature must include header, payload, and signature");
+  }
+  const header = dispatchHeaderSchema.parse(
+    JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedHeader))),
+  );
+  const claims = dispatchClaimsSchema.parse(
+    JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedPayload))),
+  );
+
+  if (header.alg !== "EdDSA") {
+    throw new Error("Unsupported channel dispatch JWS algorithm");
+  }
+
+  const signingInput = new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`);
+  const signature = base64urlDecodeToBytes(encodedSignature);
+  const publicKey = await importEd25519PublicKey(options.publicKeyPem);
+  const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey, signature, signingInput);
+
+  if (!verified) {
+    throw new Error("Channel dispatch signature verification failed");
+  }
+
+  if (claims.aud !== options.audience) {
+    throw new Error("Channel dispatch audience mismatch");
+  }
+
+  if (options.expectedProjectId && claims.project_id !== options.expectedProjectId) {
+    throw new Error("Channel dispatch project mismatch");
+  }
+
+  const now = Math.floor(Date.now() / 1000);
+  if (claims.exp <= now) {
+    throw new Error("Channel dispatch signature expired");
+  }
+
+  if (claims.iat > now + SIGNATURE_SKEW_SECONDS) {
+    throw new Error("Channel dispatch signature issued in the future");
+  }
+
+  if (now - claims.iat > options.maxAgeSeconds) {
+    throw new Error("Channel dispatch signature is too old");
+  }
+
+  const bodySha256 = await sha256Base64url(body);
+  if (claims.body_sha256 !== bodySha256) {
+    throw new Error("Channel dispatch body hash mismatch");
+  }
+
+  return claims;
+}
+
+function normalizeConversationPart(
+  part: z.infer<typeof rawHistoryPartSchema>,
+): Message["parts"][number] | null {
+  if (part.type === "text" && typeof part.text === "string") {
+    return { type: "text", text: part.text };
+  }
+
+  if (
+    part.type === "tool_call" &&
+    typeof part.id === "string" &&
+    typeof part.name === "string" &&
+    part.input &&
+    typeof part.input === "object" &&
+    !Array.isArray(part.input)
+  ) {
+    return {
+      type: `tool-${part.name}`,
+      toolCallId: part.id,
+      toolName: part.name,
+      args: part.input as Record<string, unknown>,
+    };
+  }
+
+  if (part.type === "tool_result" && typeof part.tool_call_id === "string") {
+    return {
+      type: "tool-result",
+      toolCallId: part.tool_call_id,
+      toolName: typeof part.tool_name === "string" ? part.tool_name : "unknown",
+      result: "output" in part ? part.output : undefined,
+    };
+  }
+
+  return null;
+}
+
+export function normalizeConversationHistoryForRuntime(
+  messages: ChannelInvokeRequest["conversationHistory"],
+): Message[] {
+  return messages.map((message) => ({
+    id: message.id,
+    role: message.role,
+    parts: message.parts
+      .map((part) => normalizeConversationPart(part))
+      .filter((part): part is NonNullable<typeof part> => part !== null),
+    ...(message.createdAt ? { timestamp: Date.parse(message.createdAt) || undefined } : {}),
+    ...(message.metadata ? { metadata: message.metadata } : {}),
+  }));
+}
+
+export function resolveChannelInvokeAgent(
+  agentConfigId: string,
+  deps: Pick<ChannelInvokeDeps, "getAgent" | "getAllAgentIds">,
+): Agent | undefined {
+  const exactAgent = deps.getAgent(agentConfigId);
+  if (exactAgent) {
+    return exactAgent;
+  }
+
+  const agentIds = deps.getAllAgentIds();
+  if (agentIds.length !== 1) {
+    return undefined;
+  }
+
+  const onlyAgentId = agentIds[0];
+  if (!onlyAgentId) {
+    return undefined;
+  }
+  const onlyAgent = deps.getAgent(onlyAgentId);
+  if (onlyAgent) {
+    logger.warn(
+      "Channel invoke fell back to the only discovered runtime agent because agentConfigId did not match a registry id",
+      {
+        requestedAgentConfigId: agentConfigId,
+        resolvedAgentId: onlyAgentId,
+      },
+    );
+  }
+
+  return onlyAgent;
+}
+
+function normalizeToolCallState(status: string): "pending" | "completed" | "error" {
+  switch (status) {
+    case "completed":
+      return "completed";
+    case "error":
+      return "error";
+    default:
+      return "pending";
+  }
+}
+
+function convertAssistantPartToChannelResponsePart(
+  part: Message["parts"][number],
+  knownToolCallIds: Set<string>,
+): ChannelResponsePart | null {
+  if (part.type === "text" && "text" in part) {
+    return channelTextPartSchema.parse({
+      type: "text",
+      text: part.text,
+    });
+  }
+
+  const isToolCallPart = part.type === "tool-call" ||
+    (part.type.startsWith("tool-") && part.type !== "tool-result");
+  if (
+    isToolCallPart &&
+    "toolCallId" in part &&
+    "toolName" in part &&
+    !knownToolCallIds.has(part.toolCallId)
+  ) {
+    return channelToolCallPartSchema.parse({
+      type: "tool_call",
+      id: part.toolCallId,
+      name: part.toolName,
+      input: "args" in part ? part.args : ("input" in part ? part.input : {}),
+      state: "pending",
+    });
+  }
+
+  return null;
+}
+
+function findLastAssistantMessage(messages: Message[]): Message | undefined {
+  for (let index = messages.length - 1; index >= 0; index -= 1) {
+    if (messages[index]?.role === "assistant") {
+      return messages[index];
+    }
+  }
+
+  return undefined;
+}
+
+export function buildChannelResponseParts(response: AgentResponse): ChannelResponsePart[] {
+  const responseParts: ChannelResponsePart[] = [];
+  const knownToolCallIds = new Set<string>();
+
+  if (response.thinking?.trim()) {
+    responseParts.push(channelReasoningPartSchema.parse({
+      type: "reasoning",
+      text: response.thinking,
+    }));
+  }
+
+  for (const toolCall of response.toolCalls) {
+    knownToolCallIds.add(toolCall.id);
+    responseParts.push(channelToolCallPartSchema.parse({
+      type: "tool_call",
+      id: toolCall.id,
+      name: toolCall.name,
+      input: toolCall.args,
+      state: normalizeToolCallState(toolCall.status),
+    }));
+
+    if (toolCall.status === "completed" || toolCall.status === "error") {
+      responseParts.push(channelToolResultPartSchema.parse({
+        type: "tool_result",
+        tool_call_id: toolCall.id,
+        output: toolCall.status === "error"
+          ? { error: toolCall.error ?? "Tool execution failed" }
+          : toolCall.result,
+        ...(toolCall.status === "error" ? { is_error: true } : {}),
+      }));
+    }
+  }
+
+  const lastAssistantMessage = findLastAssistantMessage(response.messages);
+  if (lastAssistantMessage) {
+    for (const part of lastAssistantMessage.parts) {
+      const converted = convertAssistantPartToChannelResponsePart(part, knownToolCallIds);
+      if (converted) {
+        responseParts.push(converted);
+      }
+    }
+  } else if (response.text.trim()) {
+    responseParts.push(channelTextPartSchema.parse({
+      type: "text",
+      text: response.text,
+    }));
+  }
+
+  return responseParts;
+}
+
+function classifyRuntimeError(error: unknown): ChannelInvokeResponse["error"] {
+  const veryfrontError = fromError(error);
+
+  if (veryfrontError?.type === "no_ai_available") {
+    return { code: "provider_error", retryable: false };
+  }
+
+  if (veryfrontError?.type === "api" || veryfrontError?.type === "network") {
+    return { code: "provider_error", retryable: true };
+  }
+
+  return { code: "internal_error", retryable: true };
+}
+
+export async function executeChannelInvoke(
+  payload: ChannelInvokeRequest,
+  ctx: HandlerContext,
+  deps: ChannelInvokeDeps,
+): Promise<ChannelInvokeResponse> {
+  await deps.ensureProjectDiscovery(ctx);
+
+  const agent = resolveChannelInvokeAgent(payload.agentConfigId, deps);
+  if (!agent) {
+    logger.error("Channel invoke could not resolve a runtime agent for the request", {
+      requestedAgentConfigId: payload.agentConfigId,
+      discoveredAgentIds: deps.getAllAgentIds(),
+      projectSlug: ctx.projectSlug,
+      projectId: ctx.projectId,
+    });
+    return {
+      ignored: false,
+      error: {
+        code: "internal_error",
+        retryable: false,
+      },
+    };
+  }
+
+  const messages = normalizeConversationHistoryForRuntime(payload.conversationHistory);
+  await agent.clearMemory();
+
+  try {
+    const result = await agent.generate({
+      input: messages,
+      context: {
+        requestId: payload.dispatchId,
+        dispatchId: payload.dispatchId,
+        conversationId: payload.conversationId,
+        projectId: payload.projectId,
+        agentConfigId: payload.agentConfigId,
+        channel: payload.inboundMessage,
+      },
+      ...(payload.generation?.maxResponseTokens
+        ? {
+          maxOutputTokens: payload.generation.maxResponseTokens,
+        }
+        : {}),
+    });
+
+    return ChannelInvokeResponseSchema.parse({
+      ignored: false,
+      responseParts: buildChannelResponseParts(result),
+      tokenUsage: result.usage
+        ? {
+          inputTokens: result.usage.promptTokens,
+          outputTokens: result.usage.completionTokens,
+          totalTokens: result.usage.totalTokens,
+        }
+        : undefined,
+    });
+  } catch (error) {
+    logger.error("Channel invoke runtime execution failed", {
+      error: error instanceof Error ? error.message : String(error),
+      stack: error instanceof Error ? error.stack : undefined,
+      projectSlug: ctx.projectSlug,
+      projectId: ctx.projectId,
+      dispatchId: payload.dispatchId,
+    });
+
+    return {
+      ignored: false,
+      error: classifyRuntimeError(error),
+    };
+  }
+}

package/src/src/embedding/embedding.ts

@@ -35,7 +35,11 @@ export function embedding(config: EmbeddingConfig): Embedding {
     model: modelId,
 
     async embed(text: string): Promise<number[]> {
-      const result = await embed({ model, value: queryPrefix + text });
+      if (!text.trim()) {
+        throw new Error("Cannot embed an empty string");
+      }
+      const value = queryPrefix + text;
+      const result = await embed({ model, value });
       return result.embedding;
     },
 

package/src/src/embedding/rag-store.ts

@@ -321,6 +321,7 @@ function createLocalJsonRagStore(config: ResolvedRagStoreConfig): RagStore {
       query: string,
       options?: RagSearchOptions,
     ): Promise<RagSearchResult[]> {
+      if (!query.trim()) return [];
       return withLock(async () => {
         const data = await load();
         if (data.chunks.length === 0) return [];

package/src/src/embedding/vector-store.ts

@@ -60,6 +60,7 @@ export function vectorStore(config: VectorStoreConfig): VectorStore {
     },
 
     async search(query: string, options?: SearchOptions): Promise<SearchResult[]> {
+      if (!query.trim()) return [];
       if (entries.length === 0) return [];
 
       const topK = options?.topK ?? 5;

package/src/src/embedding/veryfront-cloud/rag-store.ts

@@ -492,6 +492,7 @@ export function createVeryfrontCloudRagStore(config: ResolvedCloudRagStoreConfig
       query: string,
       options?: RagSearchOptions,
     ): Promise<RagSearchResult[]> {
+      if (!query.trim()) return [];
       const context = getCloudStoreContext(config);
       const queryEmbedder = createEmbedder(config);
       const vector = await queryEmbedder.embed(query);

package/src/src/oauth/handlers/init-handler.ts

@@ -77,16 +77,23 @@ export interface OAuthStatusHandlerOptions {
 
   /** EnvReader for dynamic env vars (defaults to getEnv) */
   envReader?: EnvReader;
+
+  /** Optional authentication check — return true if the request is authenticated */
+  isAuthenticated?: (req: dntShim.Request) => boolean | Promise<boolean>;
 }
 
 export function createOAuthStatusHandler(
   config: OAuthServiceConfig,
   options: OAuthStatusHandlerOptions = {},
-): () => Promise<dntShim.Response> {
+): (req: dntShim.Request) => Promise<dntShim.Response> {
   const tokenStore = options.tokenStore ?? memoryTokenStore;
   const envReader = options.envReader ?? getEnv;
 
-  return async function handler(): Promise<dntShim.Response> {
+  return async function handler(req: dntShim.Request): Promise<dntShim.Response> {
+    if (options.isAuthenticated && !(await options.isAuthenticated(req))) {
+      return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
     const tokens = await tokenStore.getTokens(config.serviceId);
 
     const isConnected = !!tokens?.accessToken;
@@ -106,11 +113,19 @@ export function createOAuthStatusHandler(
 
 export function createOAuthDisconnectHandler(
   config: OAuthServiceConfig,
-  options: { tokenStore?: TokenStore } = {},
-): () => Promise<dntShim.Response> {
+  options: {
+    tokenStore?: TokenStore;
+    /** Optional authentication check — return true if the request is authenticated */
+    isAuthenticated?: (req: dntShim.Request) => boolean | Promise<boolean>;
+  } = {},
+): (req: dntShim.Request) => Promise<dntShim.Response> {
   const tokenStore = options.tokenStore ?? memoryTokenStore;
 
-  return async function handler(): Promise<dntShim.Response> {
+  return async function handler(req: dntShim.Request): Promise<dntShim.Response> {
+    if (options.isAuthenticated && !(await options.isAuthenticated(req))) {
+      return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
     await tokenStore.clearTokens(config.serviceId);
 
     return dntShim.Response.json({

package/src/src/platform/compat/opaque-deps.ts

@@ -17,7 +17,7 @@
 import * as dntShim from "../../../_dnt.shims.js";
 
 
-import { isDeno } from "./runtime.js";
+import { isDeno, isDenoCompiled } from "./runtime.js";
 import { dynamicImport } from "./dynamic-import.js";
 
 function resolve(pkg: string, version: string): string {
@@ -27,6 +27,14 @@ function resolve(pkg: string, version: string): string {
 // deno-lint-ignore no-explicit-any -- callers assign to their own typed variable; any allows implicit narrowing at each call site
 type OpaqueModule = any;
 
+type KreuzbergModule = {
+  initWasm?: () => Promise<void>;
+  extractBytes: (
+    data: Uint8Array,
+    mimeType: string,
+  ) => Promise<{ content: string }>;
+};
+
 /** Lazily import `@huggingface/transformers` (+ onnxruntime, ~500MB). */
 export function importTransformers(): Promise<OpaqueModule> {
   return dynamicImport(resolve("@huggingface/transformers", "3.4.2"));
@@ -57,9 +65,16 @@ export async function importKreuzberg(): Promise<{
 }> {
   if (isDeno) {
     // Regular import — visible to deno compile, resolved via deno.json import map
-    const mod = await import("@kreuzberg/wasm") as unknown as
-      & { initWasm?: () => Promise<void> }
-      & { extractBytes: (data: Uint8Array, mimeType: string) => Promise<{ content: string }> };
+    const mod = await import("@kreuzberg/wasm") as unknown as KreuzbergModule;
+    if (isDenoCompiled) {
+      // Kreuzberg's initWasm() internally uses a computed dynamic import() to
+      // load the WASM glue module (kreuzberg_wasm.js). deno compile cannot
+      // trace computed import() paths, so the glue module is absent from the
+      // binary's embedded module graph. Pre-importing it here populates Deno's
+      // in-process module cache so the subsequent import() inside initWasm()
+      // resolves from cache instead of hitting the missing file.
+      await import("@kreuzberg/wasm/dist/pkg/kreuzberg_wasm.js");
+    }
     await mod.initWasm?.();
     return mod;
   }

package/src/src/prompt/factory.ts

@@ -1,5 +1,6 @@
 import type { Prompt, PromptConfig } from "./types.js";
 import { createError, toError } from "../errors/veryfront-error.js";
+import { COMMON_BLOCKED_PATTERNS } from "../agent/middleware/security/validator.js";
 
 export function prompt(config: PromptConfig): Prompt {
   const id = config.id ?? generatePromptId();
@@ -35,12 +36,20 @@ function generatePromptId(): string {
   return `prompt_${Date.now()}_${promptIdCounter++}`;
 }
 
+function sanitizeVariableValue(value: string): string {
+  let sanitized = value;
+  for (const pattern of COMMON_BLOCKED_PATTERNS.promptInjection) {
+    sanitized = sanitized.replace(pattern, "");
+  }
+  return sanitized;
+}
+
 function interpolateVariables(
   template: string,
   variables: Record<string, unknown>,
 ): string {
   return template.replace(/\{(\w+)\}/g, (match, key) => {
     const value = variables[key];
-    return value != null ? String(value) : match;
+    return value != null ? sanitizeVariableValue(String(value)) : match;
   });
 }

package/src/src/react/components/ai/markdown.tsx

@@ -21,10 +21,11 @@ export interface CodeBlockProps {
   inline?: boolean;
 }
 
-const ESM_REACT_MARKDOWN = "https://esm.sh/react-markdown@9?external=react&target=es2022";
-const ESM_REMARK_GFM = "https://esm.sh/remark-gfm@4?target=es2022";
-const ESM_REHYPE_HIGHLIGHT = "https://esm.sh/rehype-highlight@7?target=es2022";
-const ESM_MERMAID = "https://esm.sh/mermaid@11";
+const ESM_REACT_MARKDOWN =
+  "https://esm.sh/react-markdown@9.0.3?external=react&target=es2022&pin=v135";
+const ESM_REMARK_GFM = "https://esm.sh/remark-gfm@4.0.1?target=es2022&pin=v135";
+const ESM_REHYPE_HIGHLIGHT = "https://esm.sh/rehype-highlight@7.0.2?target=es2022&pin=v135";
+const ESM_MERMAID = "https://esm.sh/mermaid@11.4.1?pin=v135";
 
 const dynamicImport = new Function("url", "return import(url)") as (url: string) => Promise<any>;