systemlink-cli 1.13.2__tar.gz → 1.13.4__tar.gz

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: systemlink-cli
-Version: 1.13.2
+Version: 1.13.4
 Summary: SystemLink Integrator CLI - cross-platform CLI for SystemLink workflows and templates.
 License-File: LICENSE
 Author: Fred Visser

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/dff-editor/editor.js

@@ -651,9 +651,7 @@ function downloadConfiguration() {
         const a = document.createElement('a');
         a.href = url;
         a.download = 'dff-configuration.json';
-        document.body.appendChild(a);
         a.click();
-        document.body.removeChild(a);
         URL.revokeObjectURL(url);
         showStatus('Configuration downloaded', 'success');
     } catch (e) {
@@ -682,53 +680,130 @@ function refreshTree() {
     
     const config = currentConfig;
     if (!config) return;
-    
-    let html = '<div class="tree-node" onclick="selectTreeNode(\'root\')"><span class="tree-icon">📄</span><span>Root Configuration</span></div>';
-    
-    // Configurations
+
+    treeView.replaceChildren();
+    treeView.appendChild(createTreeNode({
+        nodeId: 'root',
+        icon: '📄',
+        label: 'Root Configuration'
+    }));
+
     if (config.configurations && config.configurations.length > 0) {
         config.configurations.forEach((conf, i) => {
             const confLabel = conf.displayText || conf.name || conf.key || ('Configuration ' + (i + 1));
-            html += `<div class="tree-node indent-1" onclick="selectTreeNode('config-${i}')"><span class="tree-icon">⚙️</span><span>${confLabel}</span><button class="edit-btn" aria-label="Edit configuration: ${confLabel}" title="Edit configuration" onclick="event.stopPropagation(); showEditDialog('configuration', ${i})">✎</button></div>`;
-            // Show views under each configuration
+            treeView.appendChild(createTreeNode({
+                nodeId: `config-${i}`,
+                icon: '⚙️',
+                label: confLabel,
+                indent: 1,
+                editLabel: `Edit configuration: ${confLabel}`,
+                editTitle: 'Edit configuration',
+                onEdit: () => showEditDialog('configuration', i)
+            }));
+
             if (conf.views && conf.views.length > 0) {
                 conf.views.forEach((view, vi) => {
-                    html += `<div class="tree-node indent-2" onclick="selectTreeNode('config-${i}-view-${vi}')"><span class="tree-icon">👁️</span><span>${view.displayText || view.key}</span><button class="edit-btn" aria-label="Edit view: ${view.displayText || view.key}" title="Edit view" onclick="event.stopPropagation(); showEditDialog('view', ${i}, ${vi})">✎</button></div>`;
+                    const viewLabel = view.displayText || view.key;
+                    treeView.appendChild(createTreeNode({
+                        nodeId: `config-${i}-view-${vi}`,
+                        icon: '👁️',
+                        label: viewLabel,
+                        indent: 2,
+                        editLabel: `Edit view: ${viewLabel}`,
+                        editTitle: 'Edit view',
+                        onEdit: () => showEditDialog('view', i, vi)
+                    }));
                 });
             }
         });
     }
-    
-    // Groups
+
     if (config.groups && config.groups.length > 0) {
-        html += '<div class="tree-node indent-1"><span class="tree-icon">📁</span><span>Groups (' + config.groups.length + ')</span></div>';
+        treeView.appendChild(createTreeSummaryNode('📁', `Groups (${config.groups.length})`, 1));
         config.groups.forEach((group, i) => {
             const groupLabel = group.displayText || group.key;
-            html += `<div class="tree-node indent-2" onclick="selectTreeNode('group-${i}')"><span class="tree-icon">📦</span><span>${groupLabel}</span><button class="edit-btn" aria-label="Edit group: ${groupLabel}" title="Edit group" onclick="event.stopPropagation(); showEditDialog('group', ${i})">✎</button></div>`;
+            treeView.appendChild(createTreeNode({
+                nodeId: `group-${i}`,
+                icon: '📦',
+                label: groupLabel,
+                indent: 2,
+                editLabel: `Edit group: ${groupLabel}`,
+                editTitle: 'Edit group',
+                onEdit: () => showEditDialog('group', i)
+            }));
         });
     }
-    
-    // Fields
+
     if (config.fields && config.fields.length > 0) {
-        html += '<div class="tree-node indent-1"><span class="tree-icon">📁</span><span>Fields (' + config.fields.length + ')</span></div>';
+        treeView.appendChild(createTreeSummaryNode('📁', `Fields (${config.fields.length})`, 1));
         config.fields.forEach((field, i) => {
             const icon = field.required ? '🏷️' : '🔖';
             const fieldLabel = field.displayText || field.key;
-            html += `<div class="tree-node indent-2" onclick="selectTreeNode('field-${i}')"><span class="tree-icon">${icon}</span><span>${fieldLabel}</span><button class="edit-btn" aria-label="Edit field: ${fieldLabel}" title="Edit field" onclick="event.stopPropagation(); showEditDialog('field', ${i})">✎</button></div>`;
+            treeView.appendChild(createTreeNode({
+                nodeId: `field-${i}`,
+                icon,
+                label: fieldLabel,
+                indent: 2,
+                editLabel: `Edit field: ${fieldLabel}`,
+                editTitle: 'Edit field',
+                onEdit: () => showEditDialog('field', i)
+            }));
         });
     }
-    
-    treeView.innerHTML = html;
 }
 
-function selectTreeNode(nodeId) {
+function createTreeSummaryNode(icon, label, indent = 0) {
+    const node = document.createElement('div');
+    node.className = 'tree-node';
+    if (indent > 0) {
+        node.classList.add(`indent-${indent}`);
+    }
+
+    const iconElement = document.createElement('span');
+    iconElement.className = 'tree-icon';
+    iconElement.textContent = icon;
+    node.appendChild(iconElement);
+
+    const labelElement = document.createElement('span');
+    labelElement.textContent = label;
+    node.appendChild(labelElement);
+
+    return node;
+}
+
+function createTreeNode({ nodeId, icon, label, indent = 0, editLabel = '', editTitle = '', onEdit = null }) {
+    const node = createTreeSummaryNode(icon, label, indent);
+    node.dataset.nodeId = nodeId;
+    node.addEventListener('click', () => selectTreeNode(nodeId, node));
+
+    if (onEdit) {
+        const editButton = document.createElement('button');
+        editButton.className = 'edit-btn';
+        editButton.type = 'button';
+        editButton.textContent = '✎';
+        editButton.setAttribute('aria-label', editLabel);
+        editButton.title = editTitle;
+        editButton.addEventListener('click', (event) => {
+            event.stopPropagation();
+            onEdit();
+        });
+        node.appendChild(editButton);
+    }
+
+    return node;
+}
+
+function selectTreeNode(nodeId, nodeElement = null) {
     selectedTreeNode = nodeId;
     
     // Update visual selection
     document.querySelectorAll('.tree-node').forEach(node => {
         node.classList.remove('selected');
     });
-    event.currentTarget.classList.add('selected');
+    const activeNode = nodeElement || document.querySelector(`[data-node-id="${nodeId}"]`);
+    if (activeNode) {
+        activeNode.classList.add('selected');
+    }
     
     // Highlight corresponding JSON in editor
     selectNodeInEditor(nodeId);

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "systemlink-cli"
-version = "1.13.2"
+version = "1.13.4"
 description = "SystemLink Integrator CLI - cross-platform CLI for SystemLink workflows and templates."
 authors = ["Fred Visser <fred.visser@emerson.com>"]
 packages = [{ include = "slcli" }]

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/slcli/_version.py

@@ -1,4 +1,4 @@
 """Version information for slcli."""
 
 # This file is auto-generated. Do not edit manually.
-__version__ = "1.13.2"
+__version__ = "1.13.4"

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/slcli/config_click.py

@@ -2,8 +2,10 @@
 
 import getpass
 import json
+import re
 import sys
 from typing import Any, Optional
+from urllib.parse import urlparse
 
 import click
 import questionary
@@ -18,6 +20,70 @@ from .rich_output import render_table
 from .table_utils import output_formatted_list
 from .utils import ExitCodes
 
+API_KEY_LENGTH = 42
+API_KEY_PATTERN = re.compile(rf"^[A-Za-z0-9_-]{{{API_KEY_LENGTH}}}$")
+
+
+def _exit_with_validation_error(message: str, exit_code: int = ExitCodes.INVALID_INPUT) -> None:
+    """Exit the command with a consistent validation message."""
+    click.echo(f"✗ {message}", err=True)
+    sys.exit(exit_code)
+
+
+def _normalize_profile_name(profile: str) -> str:
+    """Normalize and validate a profile name."""
+    normalized = profile.strip()
+    if not normalized:
+        _exit_with_validation_error("Profile name cannot be empty.")
+    return normalized
+
+
+def _normalize_base_url(raw_url: str, label: str) -> str:
+    """Normalize and validate a SystemLink base URL."""
+    normalized = raw_url.strip()
+    if not normalized:
+        _exit_with_validation_error(f"{label} cannot be empty.")
+
+    if "://" not in normalized:
+        click.echo(f"⚠️  Warning: Adding HTTPS protocol to {label.lower()}.")
+        normalized = f"https://{normalized}"
+
+    parsed = urlparse(normalized)
+    if parsed.scheme not in ("http", "https"):
+        _exit_with_validation_error(f"{label} must use HTTP or HTTPS.")
+    if not parsed.hostname:
+        _exit_with_validation_error(f"{label} must include a valid host name.")
+    if parsed.path and parsed.path.strip("/"):
+        _exit_with_validation_error(
+            f"{label} must be a base URL without a path, query string, or fragment."
+        )
+    if parsed.params or parsed.query or parsed.fragment:
+        _exit_with_validation_error(
+            f"{label} must be a base URL without a path, query string, or fragment."
+        )
+
+    return normalized.rstrip("/")
+
+
+def _normalize_api_key(api_key: str) -> str:
+    """Normalize and validate an API key before probing the server."""
+    normalized = api_key.strip()
+    if not normalized:
+        _exit_with_validation_error("API key cannot be empty.")
+    if any(character.isspace() for character in normalized):
+        _exit_with_validation_error("API key must not contain spaces or line breaks.")
+    if not API_KEY_PATTERN.fullmatch(normalized):
+        _exit_with_validation_error(
+            f"API key must be a {API_KEY_LENGTH}-character URL-safe token containing only "
+            "letters, digits, '-' and '_'."
+        )
+    return normalized
+
+
+def _all_service_probes_unauthorized(services: dict[str, str]) -> bool:
+    """Return True only when every recorded service probe failed with authorization."""
+    return bool(services) and all(status == "unauthorized" for status in services.values())
+
 
 def _add_profile_impl(
     profile: Optional[str],
@@ -46,93 +112,78 @@ def _add_profile_impl(
     if not profile:
         profile = click.prompt("Profile name", default="default")
     assert isinstance(profile, str)
+    profile = _normalize_profile_name(profile)
 
     # Get URL - either from flag or prompt
     if not url:
         click.echo("Example: https://api.my-systemlink.com")
         url = click.prompt("Enter your SystemLink API URL")
-    # Ensure url is a string now
     assert isinstance(url, str)
-    if not url.strip():
-        click.echo("SystemLink URL cannot be empty.")
-        raise click.ClickException("SystemLink URL cannot be empty.")
-
-    # Ensure URL uses HTTPS
-    url = url.strip()
-    if url.startswith("http://"):
-        click.echo("⚠️  Warning: Converting HTTP to HTTPS for security.")
-        url = url.replace("http://", "https://", 1)
-    elif not url.startswith("https://"):
-        click.echo("⚠️  Warning: Adding HTTPS protocol to URL.")
-        url = f"https://{url}"
-    url = url.rstrip("/")
+    url = _normalize_base_url(url, "SystemLink API URL")
 
     # Get API key - either from flag or prompt
     if not api_key:
         api_key = getpass.getpass("Enter your SystemLink API key: ")
-    # Ensure api_key is a string now
     assert isinstance(api_key, str)
-    if not api_key.strip():
-        click.echo("API key cannot be empty.")
-        raise click.ClickException("API key cannot be empty.")
+    api_key = _normalize_api_key(api_key)
 
     # Normalize and validate web_url (prompt if not provided)
     if not web_url:
         click.echo("Example: https://my-systemlink.com")
         web_url = click.prompt("Enter your SystemLink Web UI URL")
     assert isinstance(web_url, str)
-    web_url = web_url.strip()
-    if web_url.startswith("http://"):
-        click.echo("⚠️  Warning: Converting HTTP to HTTPS for security.")
-        web_url = web_url.replace("http://", "https://", 1)
-    elif not web_url.startswith("https://"):
-        click.echo("⚠️  Warning: Adding HTTPS protocol to web URL.")
-        web_url = f"https://{web_url}"
-    web_url = web_url.rstrip("/")
+    web_url = _normalize_base_url(web_url, "SystemLink Web UI URL")
 
     # Detect platform type and check service status
     click.echo("Checking server connectivity and services...")
-    status = check_service_status(url, api_key.strip())
+    status = check_service_status(url, api_key)
     platform = status["platform"]
+    services = status.get("services", {})
 
     if not status["server_reachable"]:
-        click.echo("  ⚠️  Could not connect to server", err=True)
-        click.echo("      Verify the URL is correct and the server is reachable.", err=True)
-        click.echo(
-            "      Profile will be saved — run login again when the server is available.",
-            err=True,
+        _exit_with_validation_error(
+            "Could not connect to the SystemLink server. Verify the URL and network access. "
+            "Profile was not saved.",
+            ExitCodes.NETWORK_ERROR,
+        )
+
+    if status["auth_valid"] is False and _all_service_probes_unauthorized(services):
+        _exit_with_validation_error(
+            "API key validation failed. The server responded, but the key was not authorized. "
+            "Profile was not saved.",
+            ExitCodes.PERMISSION_DENIED,
+        )
+
+    if status["auth_valid"] is not True:
+        _exit_with_validation_error(
+            "Connected to the server, but profile verification was inconclusive. Check the "
+            "API URL, API key, and service availability. Profile was not saved.",
+            ExitCodes.GENERAL_ERROR,
         )
+
+    click.echo("  Connection: ✓ Verified")
+    if platform == PLATFORM_SLE:
+        click.echo("  Platform: SystemLink Enterprise (Cloud)")
+    elif platform == PLATFORM_SLS:
+        click.echo("  Platform: SystemLink Server (On-Premises)")
     else:
-        if platform == PLATFORM_SLE:
-            click.echo("  Platform: SystemLink Enterprise (Cloud)")
-        elif platform == PLATFORM_SLS:
-            click.echo("  Platform: SystemLink Server (On-Premises)")
-        else:
-            click.echo("  Platform: Unknown (will attempt all features)")
-
-        # Report authorization status
-        if status["auth_valid"] is False:
-            click.echo("  ⚠️  API key: Unauthorized — check that the key is valid", err=True)
-        elif status["auth_valid"] is True:
-            click.echo("  API key:  ✓ Authorized")
-
-        if status.get("file_query_endpoint") == "query-files":
-            click.echo("  File query: query-files")
-        elif status.get("elasticsearch_available") is False:
-            click.echo("  File query: query-files-linq (Elasticsearch unavailable)")
-            click.echo(
-                "      'slcli file list' will fall back automatically; 'slcli file query' requires search-files."
-            )
+        click.echo("  Platform: Unknown (will attempt all features)")
 
-        # Report individual service status
-        services = status.get("services", {})
-        problem_services = [
-            name for name, svc_status in services.items() if svc_status == "unauthorized"
-        ]
-        if problem_services and status["auth_valid"] is not False:
-            # Only show per-service issues if overall auth isn't completely invalid
-            for svc_name in problem_services:
-                click.echo(f"  ⚠️  {svc_name}: unauthorized", err=True)
+    click.echo("  API key:  ✓ Authorized")
+
+    if status.get("file_query_endpoint") == "query-files":
+        click.echo("  File query: query-files")
+    elif status.get("elasticsearch_available") is False:
+        click.echo("  File query: query-files-linq (Elasticsearch unavailable)")
+        click.echo(
+            "      'slcli file list' will fall back automatically; 'slcli file query' requires search-files."
+        )
+
+    problem_services = [
+        name for name, svc_status in services.items() if svc_status == "unauthorized"
+    ]
+    for svc_name in problem_services:
+        click.echo(f"  ⚠️  {svc_name}: unauthorized", err=True)
 
     # Get default workspace (optional)
     if workspace is None:
@@ -145,7 +196,7 @@ def _add_profile_impl(
     new_profile = Profile(
         name=profile,
         server=url,
-        api_key=api_key.strip(),
+        api_key=api_key,
         web_url=web_url,
         platform=platform,
         workspace=workspace,

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/slcli/notebook_click.py

@@ -6,6 +6,7 @@ All commands use Click for robust CLI interfaces and error handling.
 
 import datetime
 import json
+import re
 import sys
 import time
 import urllib.parse
@@ -50,6 +51,56 @@ PREDEFINED_NOTEBOOK_INTERFACES = [
     "Work Item Scheduler",
 ]
 
+WINDOWS_RESERVED_FILENAMES = {
+    "CON",
+    "PRN",
+    "AUX",
+    "NUL",
+    "COM1",
+    "COM2",
+    "COM3",
+    "COM4",
+    "COM5",
+    "COM6",
+    "COM7",
+    "COM8",
+    "COM9",
+    "LPT1",
+    "LPT2",
+    "LPT3",
+    "LPT4",
+    "LPT5",
+    "LPT6",
+    "LPT7",
+    "LPT8",
+    "LPT9",
+}
+
+
+def _get_safe_notebook_download_name(notebook_name: str, suffix: str) -> str:
+    """Build a local filename from remote notebook metadata without honoring path segments."""
+    name_segment = notebook_name.replace("\\", "/").split("/")[-1].strip()
+    if name_segment in {"", ".", ".."}:
+        name_segment = "notebook"
+
+    stem = name_segment[:-6] if name_segment.lower().endswith(".ipynb") else name_segment
+    safe_stem = re.sub(r"[^A-Za-z0-9._ -]+", "_", stem).strip(" ._") or "notebook"
+    if safe_stem.upper() in WINDOWS_RESERVED_FILENAMES:
+        safe_stem = f"{safe_stem}_file"
+    normalized_suffix = suffix if suffix.startswith(".") else f".{suffix}"
+
+    return f"{safe_stem}{normalized_suffix}"
+
+
+def _get_safe_notebook_download_path(notebook_name: str, suffix: str) -> Path:
+    """Build a safe local output path for remote-derived notebook filenames."""
+    safe_filename = _get_safe_notebook_download_name(notebook_name, suffix)
+    working_directory = Path.cwd().resolve()
+    output_path = (working_directory / safe_filename).resolve()
+    if output_path.parent != working_directory:
+        raise ValueError("Notebook download path must stay within the current working directory")
+    return output_path
+
 
 def _normalize_sls_notebook(notebook: Dict[str, Any]) -> None:
     """Normalize SLS notebook response to include id/name fields.
@@ -529,9 +580,10 @@ def _download_notebook_content_and_metadata(
     if download_type in ("content", "both"):
         try:
             content = _get_notebook_content_http(notebook_id)
-            output_path = output or (
-                notebook_name if notebook_name.endswith(".ipynb") else f"{notebook_name}.ipynb"
-            )
+            if output:
+                output_path = Path(output)
+            else:
+                output_path = _get_safe_notebook_download_path(notebook_name, ".ipynb")
             with open(output_path, "wb") as f:
                 f.write(content)
             click.echo(f"Notebook content downloaded to {output_path}")
@@ -543,14 +595,17 @@ def _download_notebook_content_and_metadata(
     if download_type in ("metadata", "both"):
         try:
             meta = _get_notebook_http(notebook_id)
-            meta_path = (output or notebook_name.replace(".ipynb", "")) + ".json"
+            if output:
+                meta_path = Path(f"{output}.json")
+            else:
+                meta_path = _get_safe_notebook_download_path(notebook_name, ".json")
 
             def _json_default(obj: Any) -> str:
                 if isinstance(obj, (datetime.datetime, datetime.date)):
                     return obj.isoformat()
                 return str(obj)
 
-            save_json_file(meta, meta_path, _json_default)
+            save_json_file(meta, str(meta_path), _json_default)
             click.echo(f"Notebook metadata downloaded to {meta_path}")
         except Exception as exc:
             click.echo(f"Failed to download notebook metadata: {exc}")

{systemlink_cli-1.13.2 → systemlink_cli-1.13.4}/slcli/web_editor.py

@@ -43,10 +43,9 @@ def _build_proxy_url(
     origin_scheme: str,
     origin_netloc: str,
     target_path: str,
-    query: str = "",
 ) -> str:
     """Build a proxy URL from a validated origin and allowlisted path."""
-    return urllib.parse.urlunsplit((origin_scheme, origin_netloc, target_path, query, ""))
+    return urllib.parse.urlunsplit((origin_scheme, origin_netloc, target_path, "", ""))
 
 
 def _validated_proxy_path(request_path: str) -> str:
@@ -59,6 +58,118 @@ def _validated_proxy_path(request_path: str) -> str:
     return decoded_path
 
 
+def _validated_proxy_query_params(query: str) -> dict[str, list[str]]:
+    """Return parsed proxy query parameters."""
+    if not query:
+        return {}
+
+    try:
+        return urllib.parse.parse_qs(
+            query,
+            keep_blank_values=True,
+            strict_parsing=True,
+            separator="&",
+        )
+    except ValueError as exc:
+        raise ValueError("Editor proxy received an invalid query string") from exc
+
+
+def _validated_single_query_value(
+    query_params: dict[str, list[str]],
+    name: str,
+) -> str:
+    """Return a single query value and reject repeated parameters."""
+    values = query_params.get(name)
+    if not values:
+        raise ValueError(f"Editor proxy requires query parameter: {name}")
+    if len(values) != 1:
+        raise ValueError(f"Editor proxy rejects repeated query parameter: {name}")
+    return values[0]
+
+
+def _validated_integer_query_value(
+    query_params: dict[str, list[str]],
+    name: str,
+    *,
+    minimum: int,
+    maximum: Optional[int] = None,
+) -> str:
+    """Return a validated integer query value preserved as a string."""
+    raw_value = _validated_single_query_value(query_params, name)
+
+    try:
+        parsed_value = int(raw_value)
+    except ValueError as exc:
+        raise ValueError(f"Editor proxy requires an integer query parameter: {name}") from exc
+
+    if parsed_value < minimum or (maximum is not None and parsed_value > maximum):
+        raise ValueError(f"Editor proxy rejected out-of-range query parameter: {name}")
+
+    return str(parsed_value)
+
+
+def _validated_identifier_query_value(query_params: dict[str, list[str]], name: str) -> str:
+    """Return a single identifier-like query value safe for proxy forwarding."""
+    value = _validated_single_query_value(query_params, name)
+    if not value.strip():
+        raise ValueError(f"Editor proxy requires a non-empty query parameter: {name}")
+    if len(value) > 256:
+        raise ValueError(f"Editor proxy rejected oversized query parameter: {name}")
+    if any(ord(character) < 32 for character in value):
+        raise ValueError(f"Editor proxy rejected invalid query parameter: {name}")
+    if any(character in value for character in "/\\?#"):
+        raise ValueError(f"Editor proxy rejected invalid query parameter: {name}")
+    return value
+
+
+def _resolve_proxy_target(
+    method: str,
+    request_path: str,
+    query: str,
+) -> Optional[tuple[str, dict[str, str]]]:
+    """Resolve a frontend route to a fixed upstream path and validated params."""
+    query_params = _validated_proxy_query_params(query)
+
+    if method == "POST":
+        post_route_map = {
+            "/api/dff/configurations": "/nidynamicformfields/v1/configurations",
+            "/api/dff/update-configurations": "/nidynamicformfields/v1/update-configurations",
+            "/nidynamicformfields/v1/update-configurations": "/nidynamicformfields/v1/update-configurations",
+        }
+        target_path = post_route_map.get(request_path)
+        if target_path is None:
+            return None
+        if query_params:
+            raise ValueError("Editor proxy does not forward query parameters for this route")
+        return target_path, {}
+
+    if method == "GET" and request_path == "/niuser/v1/workspaces":
+        unexpected_params = set(query_params) - {"take", "skip"}
+        if unexpected_params:
+            raise ValueError("Editor proxy rejected unsupported workspace query parameters")
+
+        safe_params: dict[str, str] = {}
+        if "take" in query_params:
+            safe_params["take"] = _validated_integer_query_value(
+                query_params, "take", minimum=1, maximum=1000
+            )
+        if "skip" in query_params:
+            safe_params["skip"] = _validated_integer_query_value(query_params, "skip", minimum=0)
+        return "/niuser/v1/workspaces", safe_params
+
+    if method == "GET" and request_path == "/nidynamicformfields/v1/resolved-configuration":
+        unexpected_params = set(query_params) - {"configurationId"}
+        if unexpected_params:
+            raise ValueError(
+                "Editor proxy rejected unsupported resolved-configuration query parameters"
+            )
+        return "/nidynamicformfields/v1/resolved-configuration", {
+            "configurationId": _validated_identifier_query_value(query_params, "configurationId")
+        }
+
+    return None
+
+
 class DFFWebEditor:
     """Web-based editor for custom fields configurations."""
 
@@ -224,21 +335,17 @@ class DFFWebEditor:
                         self.send_error(404, "Config file not found")
                         return True
 
-                # Handle API proxying
-                path_map = {
-                    "/api/dff/configurations": "/nidynamicformfields/v1/configurations",
-                    "/api/dff/update-configurations": "/nidynamicformfields/v1/update-configurations",
-                }
-
-                if request_path in path_map:
-                    target_path = path_map[request_path]
-                elif request_path.startswith("/nidynamicformfields/v1/"):
-                    target_path = request_path
-                elif request_path.startswith("/niuser/v1/workspaces"):
-                    target_path = request_path
-                else:
+                try:
+                    resolved_target = _resolve_proxy_target(method, request_path, parsed.query)
+                except ValueError as exc:
+                    self.send_error(400, str(exc))
+                    return True
+
+                if resolved_target is None:
                     return False
 
+                target_path, target_params = resolved_target
+
                 # Require per-session secret on all proxied routes
                 req_secret = self.headers.get("X-Editor-Secret")
                 if not secret or req_secret != secret:
@@ -249,7 +356,6 @@ class DFFWebEditor:
                     origin_scheme=api_scheme,
                     origin_netloc=api_netloc,
                     target_path=target_path,
-                    query=parsed.query,
                 )
 
                 headers = dict(default_headers)
@@ -266,6 +372,7 @@ class DFFWebEditor:
                         url=target_url,
                         headers=headers,
                         data=data,
+                        params=target_params or None,
                         verify=ssl_verify,
                     )
                 except requests.RequestException as exc:  # pragma: no cover