fix(widget): sandbox connect-src cdn.jsdelivr.net + Sentry CSP/5xx tracking (#2365)

* fix(widget): allow cdn.jsdelivr.net in sandbox CSP + Sentry error tracking

- Fix Chart.js source map noise: relax sandbox connect-src from 'none' to
  https://cdn.jsdelivr.net (both vercel.json header and meta CSP in buildWidgetDoc)
- Add Sentry API 5xx capture in premiumFetch via reportServerError() -- fires on
  any status >= 500 before response is returned, tags kind: api_5xx
- Add securitypolicyviolation listener in main.ts for parent-page CSP violations,
  filters browser-extension and blob origins, tags kind: csp_violation

* feat(widget): inject panel design system into PRO widget sandbox

Problem: PRO widgets used a disconnected design (large bold titles,
custom tab buttons, hardcoded hex colors) because the sandbox iframe
had no panel CSS classes and the agent had no examples to follow.

Fix:
- buildWidgetDoc: add .panel-header, .panel-title, .panel-tabs,
  .panel-tab, .panel-tab.active, .disp-stats-grid, .disp-stat-box,
  .disp-stat-value, .disp-stat-label, and --accent CSS variable to
  the iframe's <style> block so they work without a custom <style>
- WIDGET_PRO_SYSTEM_PROMPT: add concrete HTML examples for panel
  header+tabs, stat boxes, and Chart.js color setup using CSS vars;
  prohibit h1/h2/h3 large titles; document the switchTab() pattern
- Test: assert all panel classes and --accent are present in document

Agent now has classes to USE instead of inventing its own styling.

* feat(widget-agent): open API allowlist to all /api/ paths with compact taxonomy

Problem: widget agent only knew 14 hardcoded endpoints and prioritized
search_web even when a WorldMonitor data source was available.

- Replace WIDGET_ALLOWED_ENDPOINTS Set with isWidgetEndpointAllowed()
  function: permits any /api/ path, blocks inference/write endpoints
  (analyze-stock, backtest-stock, summarize-article, classify-event, etc.)
- Replace per-URL endpoint lists in both WIDGET_SYSTEM_PROMPT and
  WIDGET_PRO_SYSTEM_PROMPT with a compact service-grouped taxonomy:
  service + method names only, no full URL repeated 60 times (~400
  tokens vs ~1200 for 4x more endpoint coverage)
- Strengthen prioritization: "ALWAYS use first, ONLY fall back to
  search_web if no matching service exists" (was "preferred for topics")
- Add 30+ new endpoints: earthquakes, wildfires, cyber threats, sanctions,
  consumer prices, FRED series, BLS, Big Mac, fuel, grocery, ETF flows,
  shipping rates, chokepoints, critical minerals, GPS interference, etc.

* fix(csp): add safari-web-extension: scheme to CSP violation filter
Elie Habib
2026-03-27 15:52:02 +04:00
committed by GitHub
parent 6dbd2be2f1
commit f9e127471f
6 changed files with 247 additions and 87 deletions


@@ -136,7 +136,7 @@
{
"source": "/wm-widget-sandbox.html",
"headers": [
{ "key": "Content-Security-Policy", "value": "default-src 'none'; script-src 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'unsafe-inline'; img-src data:; connect-src 'none';" },
{ "key": "Content-Security-Policy", "value": "default-src 'none'; script-src 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'unsafe-inline'; img-src data:; connect-src https://cdn.jsdelivr.net;" },
{ "key": "Cache-Control", "value": "public, max-age=86400" }
]
}
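Review bot: relaxing `connect-src 'none'` to `connect-src https://cdn.jsdelivr.net` for /wm-widget-sandbox.html changes the sandbox's outbound-request posture, not only the source-map noise, because this same policy allows `'unsafe-inline'` script and jsDelivr serves arbitrary public npm and GitHub content; a blocked `.js.map` lookup is a devtools-only warning, not a functional failure, so consider keeping `connect-src 'none'` and suppressing the map lookup instead (for example by serving a Chart.js build without its sourceMappingURL comment). If the relaxation stays, confirm the meta CSP in buildWidgetDoc carries exactly the same value so the header and meta policies do not drift, and record in the header comment or commit message that cdn.jsdelivr.net is now reachable via fetch/XHR from sandboxed widget script.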