Compare commits

...

5 Commits
v0.2.3 ... main

Author SHA1 Message Date
Alex Dunmow
6fd4c2f65d feat(datatables): DataTables capability for site data table access
Wasm plugins' isolated Postgres role is deliberately denied on core
tables, which left no sanctioned path to data_tables/data_table_rows.
Adds the datatables.* capability family (get_table_by_key, get_row,
list_rows, create_row, update_row_data, find_row_by_field) following
the datasources pattern: interface package, ABI proto messages, guest
stub, CoreServices wiring, golden round-trip coverage.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 20:08:14 +08:00
Alex Dunmow
623ea2e14b feat(manifest): public_routes + sitemap manifest capability (ADR 0026)
Plugins declare site-root path claims (exact or prefix) and a sitemap
contribution flag in plugin.mod; the packer validates and stamps them
into PluginManifest. Validation rejects reserved prefixes (/admin,
/api/plugins, /ws), traversal, duplicates, and prefix claims that cover
a reserved prefix.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 02:41:31 +08:00
Alex Dunmow
25bcbad081 feat(render): image block layout, link, and live media attribution
MediaValue gains an Attribution credit resolved through the existing
MediaResolver context hook. The BlockNote image case renders width and
align presets, alt text, an optional link wrap, and the attribution chip
in chip, chipHover, and below modes with the same themed markup as the
cms page-builder image block. Legacy url-and-caption blocks render
byte-identical to the previous output.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-10 10:51:18 +08:00
Alex Dunmow
39427c40e7 feat(egress): http.request capability + allowed_hosts manifest (ADR 0023)
Host-mediated outbound HTTP for wasm plugins: guest http.RoundTripper
over the http.request capability; the host performs the request under
policy. New egress package defines the host-pattern grammar (exact or
multi-label wildcard, public-suffix rejected), matching, resource
bounds, and the ErrDenied sentinel (ABI_ERROR_CODE_EGRESS_DENIED).
plugin.mod gains first-class AllowedHosts + MaxResponseMB; manifest
gains allowed_hosts=34, max_response_mb=35. CoreServices.OutboundHTTP
carries the transport. Golden roundtrip + denial-mapping tests.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-08 02:00:29 +08:00
Alex Dunmow
99e791b6e9 test(caps): golden roundtrip case for content.published_block_configs
The cms host parity gate replays these goldens; the capability landed
in v0.2.3 without them, so hosts on v0.2.3 fail TestGoldenParity —
pin v0.2.4 instead.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 23:40:29 +08:00
40 changed files with 2999 additions and 496 deletions

View File

@ -25,6 +25,7 @@ syntax = "proto3";
package abi.v1;
import "google/protobuf/timestamp.proto";
import "v1/http.proto";
import "v1/invoke.proto";
option go_package = "git.dev.alexdunmow.com/block/pluginsdk/abi/v1;abiv1";
@ -310,6 +311,79 @@ message DatasourceResult {
bytes meta_json = 3;
}
// --- datatables.* (datatables.DataTables) ---
message DatatablesGetTableByKeyRequest {
string table_key = 1;
}
message DatatablesGetTableByKeyResponse {
DataTableInfo table = 1;
}
message DatatablesGetRowRequest {
string row_id = 1; // UUID
}
message DatatablesGetRowResponse {
DataTableRowInfo row = 1;
}
message DatatablesListRowsRequest {
string table_id = 1; // UUID
int32 limit = 2;
int32 offset = 3;
}
message DatatablesListRowsResponse {
repeated DataTableRowInfo rows = 1;
}
message DatatablesCreateRowRequest {
string table_id = 1; // UUID
bytes data_json = 2; // JSON object
}
message DatatablesCreateRowResponse {
DataTableRowInfo row = 1;
}
message DatatablesUpdateRowDataRequest {
string row_id = 1; // UUID
bytes data_json = 2; // JSON object
}
message DatatablesUpdateRowDataResponse {
DataTableRowInfo row = 1;
}
message DatatablesFindRowByFieldRequest {
string table_id = 1; // UUID
string field = 2;
string value = 3;
}
message DatatablesFindRowByFieldResponse {
// Unset when no row matches (the guest maps that to nil, nil).
DataTableRowInfo row = 1;
}
// DataTableInfo mirrors datatables.Table.
message DataTableInfo {
string id = 1; // UUID
string table_key = 2;
string name = 3;
int32 row_count = 4;
}
// DataTableRowInfo mirrors datatables.Row (data column as JSON bytes).
message DataTableRowInfo {
string id = 1; // UUID
string table_id = 2; // UUID
bytes data_json = 3; // JSON object
int32 sort_order = 4;
}
// --- users.* (auth.PublicUsers) ---
message UsersGetByUsernameRequest {
@ -854,3 +928,34 @@ message BridgeInvokeRequest {
message BridgeInvokeResponse {
bytes payload = 1;
}
// --- http.request (egress.Client host-mediated outbound HTTP, ADR 0023) ---
// HttpRequestRequest asks the host to perform one outbound HTTPS request on
// the plugin's behalf. The host enforces the plugin's egress grant (host
// patterns + response cap), the platform denylist, the SSRF guard, and the
// redirect policy before any bytes leave the guest never touches a socket.
// Names differ from the HANDLE_HTTP hook pair (HttpRequest/HttpResponse in
// http.proto), which is inbound traffic INTO the guest mux.
message HttpRequestRequest {
string method = 1;
// Absolute https URL (scheme required; http is refused by policy).
string url = 2;
map<string, HeaderValues> headers = 3;
bytes body = 4;
// Optional guest-side deadline. It may only LOWER the host's per-fetch
// ceiling, never raise it; zero means the host ceiling applies.
uint32 timeout_ms = 5;
}
// HttpRequestResponse is the fully buffered upstream response. Bodies larger
// than the granted cap fail the call (EGRESS_DENIED is policy; oversize is
// INTERNAL with a too-large message) never a silent truncation.
message HttpRequestResponse {
int32 status = 1;
map<string, HeaderValues> headers = 2;
bytes body = 3;
// URL that produced the response after any (allowlist-validated)
// redirects.
string final_url = 4;
}

View File

@ -101,6 +101,12 @@ enum AbiErrorCode {
// the cms dbexec side (adopted separately) and mapped guest-side to
// bnwasm.ErrTxExpired.
ABI_ERROR_CODE_TX_EXPIRED = 6;
// An http.request egress call was refused by policy (host not granted,
// grant revoked, platform-denylisted, or an off-allowlist redirect).
// message names the offending host. Mapped guest-side to
// egress.ErrDenied deliberately distinct from a network failure
// (ADR 0023, cms repo).
ABI_ERROR_CODE_EGRESS_DENIED = 7;
}
// AbiError is the structured error carried by InvokeResponse and

View File

@ -125,6 +125,48 @@ message PluginManifest {
// to describe): `ninja plugin build` synthesizes the manifest from
// plugin.mod + the artifact's declarative files.
bool codeless = 33;
// allowed_hosts declares the egress host patterns the plugin needs for
// http.request (exact hostname or left-anchored multi-label wildcard,
// e.g. "*.cal.com"; https/443 only unless an entry names an explicit
// port). Like data_dir, its source of truth is plugin.mod the packer
// stamps it because it lives outside the guest code. The host refuses
// to load the plugin until an admin grants the full declared set
// (ADR 0023, cms repo). Empty means no egress.
repeated string allowed_hosts = 34;
// max_response_mb requests a larger per-request http.request response cap
// than the 10 MB default. Rides the same admin grant as allowed_hosts.
// Zero means the default.
uint32 max_response_mb = 35;
// public_routes declares the site-root paths the plugin serves through its
// HTTP handler (ADR 0026, cms repo): exact paths and path prefixes the host
// mounts at the public site root, dispatching to HOOK_HANDLE_HTTP with the
// full unstripped request path. Like data_dir and allowed_hosts, the source
// of truth is plugin.mod; the packer validates and stamps it. Conflict
// rules are host-side: core routes always win, between plugins the
// first-installed plugin wins, and conflicts are surfaced in the admin UI,
// never silently dropped. Empty means the plugin serves HTTP only under
// /api/plugins/<name>.
repeated PublicRoute public_routes = 36;
// sitemap requests sitemap contribution: when true the host fetches
// entries from the plugin's well-known sitemap endpoint (served by its
// HTTP handler) and merges them into the site sitemap. Requires
// has_http_handler.
bool sitemap = 37;
}
// PublicRoute is one site-root path claim (see PluginManifest.public_routes).
message PublicRoute {
// Absolute site-root path, e.g. "/area" or "/api/directory". Validated by
// the packer: must start with "/", no reserved prefixes ("/admin",
// "/api/plugins", "/ws"), no traversal or empty segments.
string path = 1;
// When true the claim covers every path under path as well (a path-prefix
// mount); when false only the exact path is claimed.
bool prefix = 2;
}
// Dependency mirrors plugin.Dependency.

File diff suppressed because it is too large Load Diff

View File

@ -168,6 +168,12 @@ const (
// the cms dbexec side (adopted separately) and mapped guest-side to
// bnwasm.ErrTxExpired.
AbiErrorCode_ABI_ERROR_CODE_TX_EXPIRED AbiErrorCode = 6
// An http.request egress call was refused by policy (host not granted,
// grant revoked, platform-denylisted, or an off-allowlist redirect).
// message names the offending host. Mapped guest-side to
// egress.ErrDenied — deliberately distinct from a network failure
// (ADR 0023, cms repo).
AbiErrorCode_ABI_ERROR_CODE_EGRESS_DENIED AbiErrorCode = 7
)
// Enum value maps for AbiErrorCode.
@ -180,6 +186,7 @@ var (
4: "ABI_ERROR_CODE_DEADLINE_EXCEEDED",
5: "ABI_ERROR_CODE_PERMISSION_DENIED",
6: "ABI_ERROR_CODE_TX_EXPIRED",
7: "ABI_ERROR_CODE_EGRESS_DENIED",
}
AbiErrorCode_value = map[string]int32{
"ABI_ERROR_CODE_UNSPECIFIED": 0,
@ -189,6 +196,7 @@ var (
"ABI_ERROR_CODE_DEADLINE_EXCEEDED": 4,
"ABI_ERROR_CODE_PERMISSION_DENIED": 5,
"ABI_ERROR_CODE_TX_EXPIRED": 6,
"ABI_ERROR_CODE_EGRESS_DENIED": 7,
}
)
@ -1790,7 +1798,7 @@ const file_v1_invoke_proto_rawDesc = "" +
"\x11HOOK_AI_TOOL_CALL\x10\f\x12\x14\n" +
"\x10HOOK_BRIDGE_CALL\x10\r\x12 \n" +
"\x1cHOOK_DIRECTORY_PANEL_SECTION\x10\x0e\x12 \n" +
"\x1cHOOK_DIRECTORY_PIN_DECORATOR\x10\x0f*\xf3\x01\n" +
"\x1cHOOK_DIRECTORY_PIN_DECORATOR\x10\x0f*\x95\x02\n" +
"\fAbiErrorCode\x12\x1e\n" +
"\x1aABI_ERROR_CODE_UNSPECIFIED\x10\x00\x12\x1b\n" +
"\x17ABI_ERROR_CODE_INTERNAL\x10\x01\x12\x19\n" +
@ -1798,7 +1806,8 @@ const file_v1_invoke_proto_rawDesc = "" +
"\x1cABI_ERROR_CODE_UNIMPLEMENTED\x10\x03\x12$\n" +
" ABI_ERROR_CODE_DEADLINE_EXCEEDED\x10\x04\x12$\n" +
" ABI_ERROR_CODE_PERMISSION_DENIED\x10\x05\x12\x1d\n" +
"\x19ABI_ERROR_CODE_TX_EXPIRED\x10\x06B5Z3git.dev.alexdunmow.com/block/pluginsdk/abi/v1;abiv1b\x06proto3"
"\x19ABI_ERROR_CODE_TX_EXPIRED\x10\x06\x12 \n" +
"\x1cABI_ERROR_CODE_EGRESS_DENIED\x10\aB5Z3git.dev.alexdunmow.com/block/pluginsdk/abi/v1;abiv1b\x06proto3"
var (
file_v1_invoke_proto_rawDescOnce sync.Once

View File

@ -122,7 +122,34 @@ type PluginManifest struct {
// both reject the combination. Not produced by DESCRIBE (there is no guest
// to describe): `ninja plugin build` synthesizes the manifest from
// plugin.mod + the artifact's declarative files.
Codeless bool `protobuf:"varint,33,opt,name=codeless,proto3" json:"codeless,omitempty"`
Codeless bool `protobuf:"varint,33,opt,name=codeless,proto3" json:"codeless,omitempty"`
// allowed_hosts declares the egress host patterns the plugin needs for
// http.request (exact hostname or left-anchored multi-label wildcard,
// e.g. "*.cal.com"; https/443 only unless an entry names an explicit
// port). Like data_dir, its source of truth is plugin.mod — the packer
// stamps it — because it lives outside the guest code. The host refuses
// to load the plugin until an admin grants the full declared set
// (ADR 0023, cms repo). Empty means no egress.
AllowedHosts []string `protobuf:"bytes,34,rep,name=allowed_hosts,json=allowedHosts,proto3" json:"allowed_hosts,omitempty"`
// max_response_mb requests a larger per-request http.request response cap
// than the 10 MB default. Rides the same admin grant as allowed_hosts.
// Zero means the default.
MaxResponseMb uint32 `protobuf:"varint,35,opt,name=max_response_mb,json=maxResponseMb,proto3" json:"max_response_mb,omitempty"`
// public_routes declares the site-root paths the plugin serves through its
// HTTP handler (ADR 0026, cms repo): exact paths and path prefixes the host
// mounts at the public site root, dispatching to HOOK_HANDLE_HTTP with the
// full unstripped request path. Like data_dir and allowed_hosts, the source
// of truth is plugin.mod; the packer validates and stamps it. Conflict
// rules are host-side: core routes always win, between plugins the
// first-installed plugin wins, and conflicts are surfaced in the admin UI,
// never silently dropped. Empty means the plugin serves HTTP only under
// /api/plugins/<name>.
PublicRoutes []*PublicRoute `protobuf:"bytes,36,rep,name=public_routes,json=publicRoutes,proto3" json:"public_routes,omitempty"`
// sitemap requests sitemap contribution: when true the host fetches
// entries from the plugin's well-known sitemap endpoint (served by its
// HTTP handler) and merges them into the site sitemap. Requires
// has_http_handler.
Sitemap bool `protobuf:"varint,37,opt,name=sitemap,proto3" json:"sitemap,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@ -388,6 +415,92 @@ func (x *PluginManifest) GetCodeless() bool {
return false
}
func (x *PluginManifest) GetAllowedHosts() []string {
if x != nil {
return x.AllowedHosts
}
return nil
}
func (x *PluginManifest) GetMaxResponseMb() uint32 {
if x != nil {
return x.MaxResponseMb
}
return 0
}
func (x *PluginManifest) GetPublicRoutes() []*PublicRoute {
if x != nil {
return x.PublicRoutes
}
return nil
}
func (x *PluginManifest) GetSitemap() bool {
if x != nil {
return x.Sitemap
}
return false
}
// PublicRoute is one site-root path claim (see PluginManifest.public_routes).
type PublicRoute struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Absolute site-root path, e.g. "/area" or "/api/directory". Validated by
// the packer: must start with "/", no reserved prefixes ("/admin",
// "/api/plugins", "/ws"), no traversal or empty segments.
Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
// When true the claim covers every path under path as well (a path-prefix
// mount); when false only the exact path is claimed.
Prefix bool `protobuf:"varint,2,opt,name=prefix,proto3" json:"prefix,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *PublicRoute) Reset() {
*x = PublicRoute{}
mi := &file_v1_manifest_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *PublicRoute) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PublicRoute) ProtoMessage() {}
func (x *PublicRoute) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[1]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PublicRoute.ProtoReflect.Descriptor instead.
func (*PublicRoute) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{1}
}
func (x *PublicRoute) GetPath() string {
if x != nil {
return x.Path
}
return ""
}
func (x *PublicRoute) GetPrefix() bool {
if x != nil {
return x.Prefix
}
return false
}
// Dependency mirrors plugin.Dependency.
type Dependency struct {
state protoimpl.MessageState `protogen:"open.v1"`
@ -400,7 +513,7 @@ type Dependency struct {
func (x *Dependency) Reset() {
*x = Dependency{}
mi := &file_v1_manifest_proto_msgTypes[1]
mi := &file_v1_manifest_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -412,7 +525,7 @@ func (x *Dependency) String() string {
func (*Dependency) ProtoMessage() {}
func (x *Dependency) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[1]
mi := &file_v1_manifest_proto_msgTypes[2]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -425,7 +538,7 @@ func (x *Dependency) ProtoReflect() protoreflect.Message {
// Deprecated: Use Dependency.ProtoReflect.Descriptor instead.
func (*Dependency) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{1}
return file_v1_manifest_proto_rawDescGZIP(), []int{2}
}
func (x *Dependency) GetPlugin() string {
@ -468,7 +581,7 @@ type BlockMeta struct {
func (x *BlockMeta) Reset() {
*x = BlockMeta{}
mi := &file_v1_manifest_proto_msgTypes[2]
mi := &file_v1_manifest_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -480,7 +593,7 @@ func (x *BlockMeta) String() string {
func (*BlockMeta) ProtoMessage() {}
func (x *BlockMeta) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[2]
mi := &file_v1_manifest_proto_msgTypes[3]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -493,7 +606,7 @@ func (x *BlockMeta) ProtoReflect() protoreflect.Message {
// Deprecated: Use BlockMeta.ProtoReflect.Descriptor instead.
func (*BlockMeta) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{2}
return file_v1_manifest_proto_rawDescGZIP(), []int{3}
}
func (x *BlockMeta) GetKey() string {
@ -559,7 +672,7 @@ type BlockTemplateOverride struct {
func (x *BlockTemplateOverride) Reset() {
*x = BlockTemplateOverride{}
mi := &file_v1_manifest_proto_msgTypes[3]
mi := &file_v1_manifest_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -571,7 +684,7 @@ func (x *BlockTemplateOverride) String() string {
func (*BlockTemplateOverride) ProtoMessage() {}
func (x *BlockTemplateOverride) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[3]
mi := &file_v1_manifest_proto_msgTypes[4]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -584,7 +697,7 @@ func (x *BlockTemplateOverride) ProtoReflect() protoreflect.Message {
// Deprecated: Use BlockTemplateOverride.ProtoReflect.Descriptor instead.
func (*BlockTemplateOverride) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{3}
return file_v1_manifest_proto_rawDescGZIP(), []int{4}
}
func (x *BlockTemplateOverride) GetTemplateKey() string {
@ -620,7 +733,7 @@ type SystemTemplateMeta struct {
func (x *SystemTemplateMeta) Reset() {
*x = SystemTemplateMeta{}
mi := &file_v1_manifest_proto_msgTypes[4]
mi := &file_v1_manifest_proto_msgTypes[5]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -632,7 +745,7 @@ func (x *SystemTemplateMeta) String() string {
func (*SystemTemplateMeta) ProtoMessage() {}
func (x *SystemTemplateMeta) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[4]
mi := &file_v1_manifest_proto_msgTypes[5]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -645,7 +758,7 @@ func (x *SystemTemplateMeta) ProtoReflect() protoreflect.Message {
// Deprecated: Use SystemTemplateMeta.ProtoReflect.Descriptor instead.
func (*SystemTemplateMeta) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{4}
return file_v1_manifest_proto_rawDescGZIP(), []int{5}
}
func (x *SystemTemplateMeta) GetKey() string {
@ -684,7 +797,7 @@ type PageTemplateMeta struct {
func (x *PageTemplateMeta) Reset() {
*x = PageTemplateMeta{}
mi := &file_v1_manifest_proto_msgTypes[5]
mi := &file_v1_manifest_proto_msgTypes[6]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -696,7 +809,7 @@ func (x *PageTemplateMeta) String() string {
func (*PageTemplateMeta) ProtoMessage() {}
func (x *PageTemplateMeta) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[5]
mi := &file_v1_manifest_proto_msgTypes[6]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -709,7 +822,7 @@ func (x *PageTemplateMeta) ProtoReflect() protoreflect.Message {
// Deprecated: Use PageTemplateMeta.ProtoReflect.Descriptor instead.
func (*PageTemplateMeta) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{5}
return file_v1_manifest_proto_rawDescGZIP(), []int{6}
}
func (x *PageTemplateMeta) GetSystemKey() string {
@ -760,7 +873,7 @@ type AdminPage struct {
func (x *AdminPage) Reset() {
*x = AdminPage{}
mi := &file_v1_manifest_proto_msgTypes[6]
mi := &file_v1_manifest_proto_msgTypes[7]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -772,7 +885,7 @@ func (x *AdminPage) String() string {
func (*AdminPage) ProtoMessage() {}
func (x *AdminPage) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[6]
mi := &file_v1_manifest_proto_msgTypes[7]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -785,7 +898,7 @@ func (x *AdminPage) ProtoReflect() protoreflect.Message {
// Deprecated: Use AdminPage.ProtoReflect.Descriptor instead.
func (*AdminPage) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{6}
return file_v1_manifest_proto_rawDescGZIP(), []int{7}
}
func (x *AdminPage) GetKey() string {
@ -830,7 +943,7 @@ type AiAction struct {
func (x *AiAction) Reset() {
*x = AiAction{}
mi := &file_v1_manifest_proto_msgTypes[7]
mi := &file_v1_manifest_proto_msgTypes[8]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -842,7 +955,7 @@ func (x *AiAction) String() string {
func (*AiAction) ProtoMessage() {}
func (x *AiAction) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[7]
mi := &file_v1_manifest_proto_msgTypes[8]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -855,7 +968,7 @@ func (x *AiAction) ProtoReflect() protoreflect.Message {
// Deprecated: Use AiAction.ProtoReflect.Descriptor instead.
func (*AiAction) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{7}
return file_v1_manifest_proto_rawDescGZIP(), []int{8}
}
func (x *AiAction) GetKey() string {
@ -905,7 +1018,7 @@ type CssManifest struct {
func (x *CssManifest) Reset() {
*x = CssManifest{}
mi := &file_v1_manifest_proto_msgTypes[8]
mi := &file_v1_manifest_proto_msgTypes[9]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -917,7 +1030,7 @@ func (x *CssManifest) String() string {
func (*CssManifest) ProtoMessage() {}
func (x *CssManifest) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[8]
mi := &file_v1_manifest_proto_msgTypes[9]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -930,7 +1043,7 @@ func (x *CssManifest) ProtoReflect() protoreflect.Message {
// Deprecated: Use CssManifest.ProtoReflect.Descriptor instead.
func (*CssManifest) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{8}
return file_v1_manifest_proto_rawDescGZIP(), []int{9}
}
func (x *CssManifest) GetNpmPackages() map[string]string {
@ -971,7 +1084,7 @@ type DirectoryExtensions struct {
func (x *DirectoryExtensions) Reset() {
*x = DirectoryExtensions{}
mi := &file_v1_manifest_proto_msgTypes[9]
mi := &file_v1_manifest_proto_msgTypes[10]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -983,7 +1096,7 @@ func (x *DirectoryExtensions) String() string {
func (*DirectoryExtensions) ProtoMessage() {}
func (x *DirectoryExtensions) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[9]
mi := &file_v1_manifest_proto_msgTypes[10]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -996,7 +1109,7 @@ func (x *DirectoryExtensions) ProtoReflect() protoreflect.Message {
// Deprecated: Use DirectoryExtensions.ProtoReflect.Descriptor instead.
func (*DirectoryExtensions) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{9}
return file_v1_manifest_proto_rawDescGZIP(), []int{10}
}
func (x *DirectoryExtensions) GetBooleanFilterFields() []string {
@ -1045,7 +1158,7 @@ type BadgeLabel struct {
func (x *BadgeLabel) Reset() {
*x = BadgeLabel{}
mi := &file_v1_manifest_proto_msgTypes[10]
mi := &file_v1_manifest_proto_msgTypes[11]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -1057,7 +1170,7 @@ func (x *BadgeLabel) String() string {
func (*BadgeLabel) ProtoMessage() {}
func (x *BadgeLabel) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[10]
mi := &file_v1_manifest_proto_msgTypes[11]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -1070,7 +1183,7 @@ func (x *BadgeLabel) ProtoReflect() protoreflect.Message {
// Deprecated: Use BadgeLabel.ProtoReflect.Descriptor instead.
func (*BadgeLabel) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{10}
return file_v1_manifest_proto_rawDescGZIP(), []int{11}
}
func (x *BadgeLabel) GetPositive() string {
@ -1100,7 +1213,7 @@ type MasterPageDefinition struct {
func (x *MasterPageDefinition) Reset() {
*x = MasterPageDefinition{}
mi := &file_v1_manifest_proto_msgTypes[11]
mi := &file_v1_manifest_proto_msgTypes[12]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -1112,7 +1225,7 @@ func (x *MasterPageDefinition) String() string {
func (*MasterPageDefinition) ProtoMessage() {}
func (x *MasterPageDefinition) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[11]
mi := &file_v1_manifest_proto_msgTypes[12]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -1125,7 +1238,7 @@ func (x *MasterPageDefinition) ProtoReflect() protoreflect.Message {
// Deprecated: Use MasterPageDefinition.ProtoReflect.Descriptor instead.
func (*MasterPageDefinition) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{11}
return file_v1_manifest_proto_rawDescGZIP(), []int{12}
}
func (x *MasterPageDefinition) GetKey() string {
@ -1172,7 +1285,7 @@ type MasterPageBlock struct {
func (x *MasterPageBlock) Reset() {
*x = MasterPageBlock{}
mi := &file_v1_manifest_proto_msgTypes[12]
mi := &file_v1_manifest_proto_msgTypes[13]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -1184,7 +1297,7 @@ func (x *MasterPageBlock) String() string {
func (*MasterPageBlock) ProtoMessage() {}
func (x *MasterPageBlock) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[12]
mi := &file_v1_manifest_proto_msgTypes[13]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -1197,7 +1310,7 @@ func (x *MasterPageBlock) ProtoReflect() protoreflect.Message {
// Deprecated: Use MasterPageBlock.ProtoReflect.Descriptor instead.
func (*MasterPageBlock) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{12}
return file_v1_manifest_proto_rawDescGZIP(), []int{13}
}
func (x *MasterPageBlock) GetBlockKey() string {
@ -1254,7 +1367,7 @@ type CoreServiceBinding struct {
func (x *CoreServiceBinding) Reset() {
*x = CoreServiceBinding{}
mi := &file_v1_manifest_proto_msgTypes[13]
mi := &file_v1_manifest_proto_msgTypes[14]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -1266,7 +1379,7 @@ func (x *CoreServiceBinding) String() string {
func (*CoreServiceBinding) ProtoMessage() {}
func (x *CoreServiceBinding) ProtoReflect() protoreflect.Message {
mi := &file_v1_manifest_proto_msgTypes[13]
mi := &file_v1_manifest_proto_msgTypes[14]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -1279,7 +1392,7 @@ func (x *CoreServiceBinding) ProtoReflect() protoreflect.Message {
// Deprecated: Use CoreServiceBinding.ProtoReflect.Descriptor instead.
func (*CoreServiceBinding) Descriptor() ([]byte, []int) {
return file_v1_manifest_proto_rawDescGZIP(), []int{13}
return file_v1_manifest_proto_rawDescGZIP(), []int{14}
}
func (x *CoreServiceBinding) GetServiceName() string {
@ -1300,7 +1413,7 @@ var File_v1_manifest_proto protoreflect.FileDescriptor
const file_v1_manifest_proto_rawDesc = "" +
"\n" +
"\x11v1/manifest.proto\x12\x06abi.v1\"\x8e\r\n" +
"\x11v1/manifest.proto\x12\x06abi.v1\"\xaf\x0e\n" +
"\x0ePluginManifest\x12\x1f\n" +
"\vabi_version\x18\x01 \x01(\rR\n" +
"abiVersion\x12\x12\n" +
@ -1338,10 +1451,17 @@ const file_v1_manifest_proto_rawDesc = "" +
"\bdata_dir\x18\x1e \x01(\bR\adataDir\x12#\n" +
"\rdeclared_tags\x18\x1f \x03(\tR\fdeclaredTags\x12)\n" +
"\x10declared_filters\x18 \x03(\tR\x0fdeclaredFilters\x12\x1a\n" +
"\bcodeless\x18! \x01(\bR\bcodeless\x1aB\n" +
"\bcodeless\x18! \x01(\bR\bcodeless\x12#\n" +
"\rallowed_hosts\x18\" \x03(\tR\fallowedHosts\x12&\n" +
"\x0fmax_response_mb\x18# \x01(\rR\rmaxResponseMb\x128\n" +
"\rpublic_routes\x18$ \x03(\v2\x13.abi.v1.PublicRouteR\fpublicRoutes\x12\x18\n" +
"\asitemap\x18% \x01(\bR\asitemap\x1aB\n" +
"\x14RbacMethodRolesEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"a\n" +
"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"9\n" +
"\vPublicRoute\x12\x12\n" +
"\x04path\x18\x01 \x01(\tR\x04path\x12\x16\n" +
"\x06prefix\x18\x02 \x01(\bR\x06prefix\"a\n" +
"\n" +
"Dependency\x12\x16\n" +
"\x06plugin\x18\x01 \x01(\tR\x06plugin\x12\x1f\n" +
@ -1435,50 +1555,52 @@ func file_v1_manifest_proto_rawDescGZIP() []byte {
return file_v1_manifest_proto_rawDescData
}
var file_v1_manifest_proto_msgTypes = make([]protoimpl.MessageInfo, 18)
var file_v1_manifest_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
var file_v1_manifest_proto_goTypes = []any{
(*PluginManifest)(nil), // 0: abi.v1.PluginManifest
(*Dependency)(nil), // 1: abi.v1.Dependency
(*BlockMeta)(nil), // 2: abi.v1.BlockMeta
(*BlockTemplateOverride)(nil), // 3: abi.v1.BlockTemplateOverride
(*SystemTemplateMeta)(nil), // 4: abi.v1.SystemTemplateMeta
(*PageTemplateMeta)(nil), // 5: abi.v1.PageTemplateMeta
(*AdminPage)(nil), // 6: abi.v1.AdminPage
(*AiAction)(nil), // 7: abi.v1.AiAction
(*CssManifest)(nil), // 8: abi.v1.CssManifest
(*DirectoryExtensions)(nil), // 9: abi.v1.DirectoryExtensions
(*BadgeLabel)(nil), // 10: abi.v1.BadgeLabel
(*MasterPageDefinition)(nil), // 11: abi.v1.MasterPageDefinition
(*MasterPageBlock)(nil), // 12: abi.v1.MasterPageBlock
(*CoreServiceBinding)(nil), // 13: abi.v1.CoreServiceBinding
nil, // 14: abi.v1.PluginManifest.RbacMethodRolesEntry
nil, // 15: abi.v1.CssManifest.NpmPackagesEntry
nil, // 16: abi.v1.DirectoryExtensions.BadgeLabelsEntry
nil, // 17: abi.v1.CoreServiceBinding.MethodRolesEntry
(*PublicRoute)(nil), // 1: abi.v1.PublicRoute
(*Dependency)(nil), // 2: abi.v1.Dependency
(*BlockMeta)(nil), // 3: abi.v1.BlockMeta
(*BlockTemplateOverride)(nil), // 4: abi.v1.BlockTemplateOverride
(*SystemTemplateMeta)(nil), // 5: abi.v1.SystemTemplateMeta
(*PageTemplateMeta)(nil), // 6: abi.v1.PageTemplateMeta
(*AdminPage)(nil), // 7: abi.v1.AdminPage
(*AiAction)(nil), // 8: abi.v1.AiAction
(*CssManifest)(nil), // 9: abi.v1.CssManifest
(*DirectoryExtensions)(nil), // 10: abi.v1.DirectoryExtensions
(*BadgeLabel)(nil), // 11: abi.v1.BadgeLabel
(*MasterPageDefinition)(nil), // 12: abi.v1.MasterPageDefinition
(*MasterPageBlock)(nil), // 13: abi.v1.MasterPageBlock
(*CoreServiceBinding)(nil), // 14: abi.v1.CoreServiceBinding
nil, // 15: abi.v1.PluginManifest.RbacMethodRolesEntry
nil, // 16: abi.v1.CssManifest.NpmPackagesEntry
nil, // 17: abi.v1.DirectoryExtensions.BadgeLabelsEntry
nil, // 18: abi.v1.CoreServiceBinding.MethodRolesEntry
}
var file_v1_manifest_proto_depIdxs = []int32{
1, // 0: abi.v1.PluginManifest.dependencies:type_name -> abi.v1.Dependency
2, // 1: abi.v1.PluginManifest.blocks:type_name -> abi.v1.BlockMeta
3, // 2: abi.v1.PluginManifest.block_template_overrides:type_name -> abi.v1.BlockTemplateOverride
4, // 3: abi.v1.PluginManifest.system_templates:type_name -> abi.v1.SystemTemplateMeta
5, // 4: abi.v1.PluginManifest.page_templates:type_name -> abi.v1.PageTemplateMeta
6, // 5: abi.v1.PluginManifest.admin_pages:type_name -> abi.v1.AdminPage
11, // 6: abi.v1.PluginManifest.master_pages:type_name -> abi.v1.MasterPageDefinition
7, // 7: abi.v1.PluginManifest.ai_actions:type_name -> abi.v1.AiAction
14, // 8: abi.v1.PluginManifest.rbac_method_roles:type_name -> abi.v1.PluginManifest.RbacMethodRolesEntry
8, // 9: abi.v1.PluginManifest.css_manifest:type_name -> abi.v1.CssManifest
9, // 10: abi.v1.PluginManifest.directory_extensions:type_name -> abi.v1.DirectoryExtensions
13, // 11: abi.v1.PluginManifest.core_service_bindings:type_name -> abi.v1.CoreServiceBinding
15, // 12: abi.v1.CssManifest.npm_packages:type_name -> abi.v1.CssManifest.NpmPackagesEntry
16, // 13: abi.v1.DirectoryExtensions.badge_labels:type_name -> abi.v1.DirectoryExtensions.BadgeLabelsEntry
12, // 14: abi.v1.MasterPageDefinition.blocks:type_name -> abi.v1.MasterPageBlock
17, // 15: abi.v1.CoreServiceBinding.method_roles:type_name -> abi.v1.CoreServiceBinding.MethodRolesEntry
10, // 16: abi.v1.DirectoryExtensions.BadgeLabelsEntry.value:type_name -> abi.v1.BadgeLabel
17, // [17:17] is the sub-list for method output_type
17, // [17:17] is the sub-list for method input_type
17, // [17:17] is the sub-list for extension type_name
17, // [17:17] is the sub-list for extension extendee
0, // [0:17] is the sub-list for field type_name
2, // 0: abi.v1.PluginManifest.dependencies:type_name -> abi.v1.Dependency
3, // 1: abi.v1.PluginManifest.blocks:type_name -> abi.v1.BlockMeta
4, // 2: abi.v1.PluginManifest.block_template_overrides:type_name -> abi.v1.BlockTemplateOverride
5, // 3: abi.v1.PluginManifest.system_templates:type_name -> abi.v1.SystemTemplateMeta
6, // 4: abi.v1.PluginManifest.page_templates:type_name -> abi.v1.PageTemplateMeta
7, // 5: abi.v1.PluginManifest.admin_pages:type_name -> abi.v1.AdminPage
12, // 6: abi.v1.PluginManifest.master_pages:type_name -> abi.v1.MasterPageDefinition
8, // 7: abi.v1.PluginManifest.ai_actions:type_name -> abi.v1.AiAction
15, // 8: abi.v1.PluginManifest.rbac_method_roles:type_name -> abi.v1.PluginManifest.RbacMethodRolesEntry
9, // 9: abi.v1.PluginManifest.css_manifest:type_name -> abi.v1.CssManifest
10, // 10: abi.v1.PluginManifest.directory_extensions:type_name -> abi.v1.DirectoryExtensions
14, // 11: abi.v1.PluginManifest.core_service_bindings:type_name -> abi.v1.CoreServiceBinding
1, // 12: abi.v1.PluginManifest.public_routes:type_name -> abi.v1.PublicRoute
16, // 13: abi.v1.CssManifest.npm_packages:type_name -> abi.v1.CssManifest.NpmPackagesEntry
17, // 14: abi.v1.DirectoryExtensions.badge_labels:type_name -> abi.v1.DirectoryExtensions.BadgeLabelsEntry
13, // 15: abi.v1.MasterPageDefinition.blocks:type_name -> abi.v1.MasterPageBlock
18, // 16: abi.v1.CoreServiceBinding.method_roles:type_name -> abi.v1.CoreServiceBinding.MethodRolesEntry
11, // 17: abi.v1.DirectoryExtensions.BadgeLabelsEntry.value:type_name -> abi.v1.BadgeLabel
18, // [18:18] is the sub-list for method output_type
18, // [18:18] is the sub-list for method input_type
18, // [18:18] is the sub-list for extension type_name
18, // [18:18] is the sub-list for extension extendee
0, // [0:18] is the sub-list for field type_name
}
func init() { file_v1_manifest_proto_init() }
@ -1486,14 +1608,14 @@ func file_v1_manifest_proto_init() {
if File_v1_manifest_proto != nil {
return
}
file_v1_manifest_proto_msgTypes[12].OneofWrappers = []any{}
file_v1_manifest_proto_msgTypes[13].OneofWrappers = []any{}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_v1_manifest_proto_rawDesc), len(file_v1_manifest_proto_rawDesc)),
NumEnums: 0,
NumMessages: 18,
NumMessages: 19,
NumExtensions: 0,
NumServices: 0,
},

View File

@ -13,6 +13,17 @@ type MediaValue struct {
Filename string // Original filename
Width int // Image width in pixels
Height int // Image height in pixels
// Attribution is the stock-source credit (Pexels import), nil for
// ordinary uploads. JSON tags mirror the CMS media row's attribution JSONB.
Attribution *MediaAttribution
}
// MediaAttribution is the stock-source credit for imported media.
type MediaAttribution struct {
Source string `json:"source"`
SourceURL string `json:"source_url"`
Photographer string `json:"photographer"`
PhotographerURL string `json:"photographer_url"`
}
// String renders the default <img> tag representation.

46
datatables/datatables.go Normal file
View File

@ -0,0 +1,46 @@
// Package datatables gives plugins typed access to site data tables (the Data
// Platform's data_tables/data_table_rows), which the per-plugin Postgres role
// deliberately cannot reach with raw SQL. The CMS implements this interface
// host-side and wires it into CoreServices; row payloads cross the ABI as JSON.
package datatables
import (
"context"
"github.com/google/uuid"
)
// DataTables provides read/write access to site data tables for plugins.
type DataTables interface {
// GetTableByKey resolves a data table by its stable key (e.g. "playgrounds").
GetTableByKey(ctx context.Context, tableKey string) (*Table, error)
// GetRow fetches a single row by ID.
GetRow(ctx context.Context, rowID uuid.UUID) (*Row, error)
// ListRows pages through a table's rows in sort order. limit <= 0 applies
// the host default.
ListRows(ctx context.Context, tableID uuid.UUID, limit, offset int32) ([]Row, error)
// CreateRow appends a row with the given JSON object payload.
CreateRow(ctx context.Context, tableID uuid.UUID, dataJSON []byte) (*Row, error)
// UpdateRowData replaces a row's JSON payload, preserving its sort order.
UpdateRowData(ctx context.Context, rowID uuid.UUID, dataJSON []byte) (*Row, error)
// FindRowByField returns the first row whose data->>field equals value, or
// (nil, nil) when no row matches.
FindRowByField(ctx context.Context, tableID uuid.UUID, field, value string) (*Row, error)
}
// Table is a plugin-facing view of a data table.
type Table struct {
ID uuid.UUID
TableKey string
Name string
RowCount int32
}
// Row is a plugin-facing view of a data table row. DataJSON is the row's data
// column verbatim (a JSON object).
type Row struct {
ID uuid.UUID
TableID uuid.UUID
DataJSON []byte
SortOrder int32
}

183
egress/egress.go Normal file
View File

@ -0,0 +1,183 @@
// Package egress defines the wire-independent policy for host-mediated plugin
// HTTP egress (ADR 0023, cms repo): the host-pattern grammar and matching, the
// default resource bounds, and the ErrDenied sentinel. Both the guest SDK
// (validating plugin.mod at build) and the cms host (enforcing grants at
// fetch) import this package so the pattern semantics have exactly one
// definition.
package egress
import (
"errors"
"fmt"
"net/url"
"strconv"
"strings"
"golang.org/x/net/publicsuffix"
)
// ErrDenied marks an egress request refused by policy — host not granted,
// grant revoked, platform-denylisted, or an off-allowlist redirect. It is
// deliberately distinct from a network failure: a plugin can catch it and
// degrade gracefully. It maps to ABI_ERROR_CODE_EGRESS_DENIED across the wire.
var ErrDenied = errors.New("egress denied")
const (
// DefaultMaxResponseBytes is the per-request response cap when a plugin
// declares no larger one. Oversize fails the request, never truncates.
DefaultMaxResponseBytes = 10 << 20
// MaxRequestBytes caps the request body a guest may marshal across the
// host_call boundary.
MaxRequestBytes = 10 << 20
// DefaultPort is the port a host pattern authorizes when it names none.
DefaultPort = 443
)
// Pattern is one parsed allowed_hosts entry: an exact host or a left-anchored
// multi-label wildcard, optionally pinned to a non-default port.
type Pattern struct {
// host is the bare hostname (wildcard: the base domain after "*.").
host string
wildcard bool
port int
}
// ParsePattern parses and validates one allowed_hosts entry. It rejects bare
// "*", public-suffix wildcards ("*.com", "*.co.uk"), embedded schemes/paths,
// and malformed ports. A leading "*." marks a multi-label wildcard whose base
// must be a registrable domain (≥2 labels and not itself a public suffix).
func ParsePattern(raw string) (Pattern, error) {
s := strings.TrimSpace(strings.ToLower(raw))
if s == "" {
return Pattern{}, fmt.Errorf("empty host pattern")
}
if strings.ContainsAny(s, "/:@") && !strings.Contains(s, ":") {
return Pattern{}, fmt.Errorf("host pattern %q must be a bare host, not a URL", raw)
}
if strings.Contains(s, "://") || strings.ContainsAny(s, "/@") {
return Pattern{}, fmt.Errorf("host pattern %q must be a bare host, not a URL", raw)
}
port := DefaultPort
host := s
if h, p, ok := splitHostPort(s); ok {
host = h
parsed, err := strconv.Atoi(p)
if err != nil || parsed < 1 || parsed > 65535 {
return Pattern{}, fmt.Errorf("host pattern %q has an invalid port", raw)
}
port = parsed
}
wildcard := false
if strings.HasPrefix(host, "*.") {
wildcard = true
host = strings.TrimPrefix(host, "*.")
if host == "" || strings.Contains(host, "*") {
return Pattern{}, fmt.Errorf("host pattern %q: only a single leading %q wildcard is allowed", raw, "*.")
}
if strings.Count(host, ".") < 1 {
return Pattern{}, fmt.Errorf("host pattern %q: wildcard base must be a registrable domain (e.g. *.cal.com)", raw)
}
if suffix, _ := publicsuffix.PublicSuffix(host); suffix == host {
return Pattern{}, fmt.Errorf("host pattern %q: cannot wildcard a public suffix", raw)
}
}
if host == "" || strings.Contains(host, "*") {
return Pattern{}, fmt.Errorf("host pattern %q is malformed", raw)
}
if !validHostname(host) {
return Pattern{}, fmt.Errorf("host pattern %q is not a valid hostname", raw)
}
return Pattern{host: host, wildcard: wildcard, port: port}, nil
}
// matches reports whether this pattern authorizes host:port.
func (p Pattern) matches(host string, port int) bool {
if port != p.port {
return false
}
host = strings.ToLower(strings.TrimSuffix(host, "."))
if p.wildcard {
return strings.HasSuffix(host, "."+p.host)
}
return host == p.host
}
// Allowlist is a plugin's parsed egress grant.
type Allowlist []Pattern
// ParseAllowlist parses every entry, failing on the first invalid one.
func ParseAllowlist(raw []string) (Allowlist, error) {
out := make(Allowlist, 0, len(raw))
for _, r := range raw {
p, err := ParsePattern(r)
if err != nil {
return nil, err
}
out = append(out, p)
}
return out, nil
}
// Allows returns nil if u is authorized by this allowlist, else an ErrDenied.
// It enforces the https-only scheme rule and the port pinning; the caller
// still applies the SSRF IP guard and platform denylist.
func (a Allowlist) Allows(u *url.URL) error {
if u == nil {
return fmt.Errorf("%w: nil URL", ErrDenied)
}
if strings.ToLower(u.Scheme) != "https" {
return fmt.Errorf("%w: %q is not https", ErrDenied, u.Scheme)
}
host := u.Hostname()
if host == "" {
return fmt.Errorf("%w: missing host", ErrDenied)
}
port := DefaultPort
if p := u.Port(); p != "" {
parsed, err := strconv.Atoi(p)
if err != nil {
return fmt.Errorf("%w: invalid port", ErrDenied)
}
port = parsed
}
for _, pat := range a {
if pat.matches(host, port) {
return nil
}
}
return fmt.Errorf("%w: host %q not in allowlist", ErrDenied, u.Host)
}
func splitHostPort(s string) (host, port string, ok bool) {
i := strings.LastIndex(s, ":")
if i < 0 {
return "", "", false
}
// Reject bracketed IPv6 / multiple colons — patterns are hostnames.
if strings.Contains(s[:i], ":") {
return "", "", false
}
return s[:i], s[i+1:], true
}
func validHostname(h string) bool {
if len(h) > 253 {
return false
}
for _, label := range strings.Split(h, ".") {
if label == "" || len(label) > 63 {
return false
}
for _, r := range label {
if !(r >= 'a' && r <= 'z') && !(r >= '0' && r <= '9') && r != '-' {
return false
}
}
if label[0] == '-' || label[len(label)-1] == '-' {
return false
}
}
return true
}

67
egress/egress_test.go Normal file
View File

@ -0,0 +1,67 @@
package egress
import (
"errors"
"net/url"
"testing"
)
func TestParsePatternRejects(t *testing.T) {
for _, raw := range []string{
"", "*", "*.com", "*.co.uk", "*.uk",
"https://api.cal.com", "api.cal.com/path", "user@api.cal.com",
"*.*.cal.com", "api.cal.com:0", "api.cal.com:99999",
"*.", "-bad.com", "bad-.com",
} {
if _, err := ParsePattern(raw); err == nil {
t.Errorf("ParsePattern(%q) = nil error, want rejection", raw)
}
}
}
func TestParsePatternAccepts(t *testing.T) {
for _, raw := range []string{
"api.cal.com", "*.cal.com", "example.com",
"api.example.com:8443", "sub.deep.example.org",
} {
if _, err := ParsePattern(raw); err != nil {
t.Errorf("ParsePattern(%q) = %v, want accept", raw, err)
}
}
}
func TestAllowlistAllows(t *testing.T) {
al, err := ParseAllowlist([]string{"api.cal.com", "*.example.org", "api.svc.com:8443"})
if err != nil {
t.Fatalf("ParseAllowlist: %v", err)
}
tests := []struct {
url string
allow bool
}{
{"https://api.cal.com/v1/slots", true},
{"https://api.cal.com:443/v1/slots", true},
{"https://cal.com/", false}, // apex not matched by exact api.cal.com
{"http://api.cal.com/", false}, // http refused
{"https://api.cal.com:8443/", false}, // wrong port
{"https://a.example.org/", true}, // wildcard depth 1
{"https://a.b.c.example.org/", true}, // wildcard multi-label
{"https://example.org/", false}, // wildcard excludes apex
{"https://evilexample.org/", false}, // suffix must be dot-anchored
{"https://api.svc.com:8443/", true}, // explicit port
{"https://api.svc.com/", false}, // default port not authorized
}
for _, tt := range tests {
u, _ := url.Parse(tt.url)
err := al.Allows(u)
if tt.allow && err != nil {
t.Errorf("Allows(%q) = %v, want allow", tt.url, err)
}
if !tt.allow && err == nil {
t.Errorf("Allows(%q) = nil, want deny", tt.url)
}
if !tt.allow && err != nil && !errors.Is(err, ErrDenied) {
t.Errorf("Allows(%q) denial not ErrDenied: %v", tt.url, err)
}
}
}

6
go.mod
View File

@ -4,19 +4,19 @@ go 1.26.4
require (
connectrpc.com/connect v1.20.0
git.dev.alexdunmow.com/block/ninjatpl v1.0.2
github.com/BurntSushi/toml v1.6.0
github.com/a-h/templ v0.3.1020
github.com/google/uuid v1.6.0
github.com/jackc/pgx/v5 v5.10.0
github.com/tetratelabs/wazero v1.12.0
golang.org/x/mod v0.37.0
golang.org/x/net v0.56.0
google.golang.org/protobuf v1.36.11
)
require (
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
golang.org/x/sys v0.44.0 // indirect
golang.org/x/text v0.33.0 // indirect
golang.org/x/sys v0.46.0 // indirect
golang.org/x/text v0.38.0 // indirect
)

16
go.sum
View File

@ -1,7 +1,5 @@
connectrpc.com/connect v1.20.0 h1:6TNDAB+WeNd2uolWNlYczB5E0KNNaVMNUEx8JEUsPmQ=
connectrpc.com/connect v1.20.0/go.mod h1:A2ygJrukXwWy32vkCAAHNVguZrqZ+jeZ9rGRnGR4dN4=
git.dev.alexdunmow.com/block/ninjatpl v1.0.2 h1:KQS90HNW35PSzvwDZ3Z9OOwX3OSjX0x62w0AtOYps8s=
git.dev.alexdunmow.com/block/ninjatpl v1.0.2/go.mod h1:WrLz0KysnP5EzJlRCkU2VC1uvazyAXZR99Tn+3Mx1pw=
github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/a-h/templ v0.3.1020 h1:ypAT/L5ySWEnZ6Zft/5yfoWXYYkhFNvEFOeeqecg4tw=
@ -32,12 +30,14 @@ github.com/tetratelabs/wazero v1.12.0 h1:DuWcpNu/FzgEXgGBDp8J1Spc+CWOvvtvVyjKlaZ
github.com/tetratelabs/wazero v1.12.0/go.mod h1:LvKtzl2RqO4gyF27BiXU+nKAjcV8f38U+kP/q2vgxh0=
golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

View File

@ -2,6 +2,7 @@ package plugin
import (
"context"
"net/http"
"connectrpc.com/connect"
"git.dev.alexdunmow.com/block/pluginsdk/ai"
@ -9,6 +10,7 @@ import (
"git.dev.alexdunmow.com/block/pluginsdk/content"
"git.dev.alexdunmow.com/block/pluginsdk/crypto"
"git.dev.alexdunmow.com/block/pluginsdk/datasources"
"git.dev.alexdunmow.com/block/pluginsdk/datatables"
"git.dev.alexdunmow.com/block/pluginsdk/gating"
"git.dev.alexdunmow.com/block/pluginsdk/menus"
"git.dev.alexdunmow.com/block/pluginsdk/settings"
@ -26,6 +28,7 @@ type CoreServices struct {
Crypto crypto.Crypto
Menus menus.Menus
Datasources datasources.Datasources
DataTables datatables.DataTables
PublicUsers auth.PublicUsers
Subscriptions subscriptions.Subscriptions
@ -52,6 +55,13 @@ type CoreServices struct {
// Plugin interop
Bridge PluginBridge
// OutboundHTTP is the host-mediated egress transport (ADR 0023, cms repo).
// Plugins make outbound requests through &http.Client{Transport:
// deps.OutboundHTTP}; the host enforces the plugin's allowed_hosts grant,
// the SSRF guard, and the platform denylist. Nil when the plugin declared
// no allowed_hosts — a request through it fails closed.
OutboundHTTP http.RoundTripper
// Core RPC services — pre-built bindings for CMS-provided services
CoreServiceBindings CoreServiceBindings
ReviewSubmitter ReviewSubmitter

View File

@ -53,6 +53,40 @@ type ModPlugin struct {
// packed manifest (PluginManifest.data_dir); the .bnp reader also reads it
// straight from plugin.mod as a fallback. OFF by default.
DataDir bool `toml:"data_dir,omitempty"`
// AllowedHosts declares the egress host patterns the plugin needs for
// http.request (ADR 0023, cms repo): an exact hostname or a left-anchored
// multi-label wildcard (e.g. "*.cal.com"), each https/443 unless the entry
// names an explicit port. First-class for the same reason as DataDir — the
// writeMod round-trip drops any key without a struct home. `ninja plugin
// build` validates the patterns and stamps them into the manifest
// (PluginManifest.allowed_hosts). Empty means no egress.
AllowedHosts []string `toml:"allowed_hosts,omitempty"`
// MaxResponseMB requests a larger per-request http.request response cap
// than the 10 MB default. Rides the same admin grant as AllowedHosts. Zero
// means the default.
MaxResponseMB uint32 `toml:"max_response_mb,omitempty"`
// PublicRoutes declares site-root paths the plugin serves through its
// HTTP handler (ADR 0026, cms repo): exact paths and path prefixes the
// host mounts at the public site root. First-class for the same reason as
// DataDir and AllowedHosts: the writeMod round-trip drops any key without
// a struct home, and a dropped route claim silently unmounts live SEO
// URLs on the next publish. `ninja plugin build` validates the claims
// (ValidatePublicRoutes) and stamps them into the manifest
// (PluginManifest.public_routes). Empty means the plugin serves HTTP only
// under /api/plugins/<name>.
PublicRoutes []ModPublicRoute `toml:"public_routes,omitempty"`
// Sitemap requests sitemap contribution: when true the host fetches
// entries from the plugin's well-known sitemap endpoint and merges them
// into the site sitemap. Stamped into the manifest alongside
// PublicRoutes; requires an HTTP handler.
Sitemap bool `toml:"sitemap,omitempty"`
}
// ModPublicRoute is one site-root path claim in plugin.mod, e.g.
// { path = "/area", prefix = true }.
type ModPublicRoute struct {
Path string `toml:"path"`
Prefix bool `toml:"prefix,omitempty"`
}
type ModCompat struct {

90
plugin/public_routes.go Normal file
View File

@ -0,0 +1,90 @@
package plugin
import (
"fmt"
"regexp"
"strings"
)
// MaxPublicRoutes caps the number of site-root claims a single plugin may
// declare. Generous: real plugins claim a handful of SEO prefixes.
const MaxPublicRoutes = 64
// ReservedRoutePrefixes are site-root prefixes plugins may never claim: the
// admin SPA, the namespaced plugin HTTP mount, and the realtime websocket.
// A claim equal to or under one of these is rejected, as is a prefix claim
// that would cover one (e.g. prefix "/api" covers "/api/plugins").
var ReservedRoutePrefixes = []string{"/admin", "/api/plugins", "/ws"}
// routeSegmentRe matches one path segment: URL-safe unreserved characters.
var routeSegmentRe = regexp.MustCompile(`^[A-Za-z0-9._~-]+$`)
// ValidatePublicRoutes checks a plugin.mod public_routes declaration. It
// returns an error listing every offending entry so authors fix them in one
// pass.
//
// Rules:
// - at most MaxPublicRoutes entries
// - each path is absolute ("/..."), not the site root "/" itself
// - segments are non-empty (no "//", no trailing "/"), never "." or "..",
// and use URL-safe unreserved characters only
// - no claim equal to or under a reserved prefix (ReservedRoutePrefixes),
// and no prefix claim that covers a reserved prefix
// - no duplicate paths
func ValidatePublicRoutes(routes []ModPublicRoute) error {
if len(routes) > MaxPublicRoutes {
return fmt.Errorf("too many public_routes: got %d, max %d", len(routes), MaxPublicRoutes)
}
seen := make(map[string]struct{}, len(routes))
var bad []string
for _, r := range routes {
if reason := checkRoutePath(r); reason != "" {
bad = append(bad, fmt.Sprintf("%q (%s)", r.Path, reason))
continue
}
if _, dup := seen[r.Path]; dup {
bad = append(bad, fmt.Sprintf("%q (duplicate path)", r.Path))
continue
}
seen[r.Path] = struct{}{}
}
if len(bad) > 0 {
return fmt.Errorf("invalid public_routes: %s", strings.Join(bad, "; "))
}
return nil
}
func checkRoutePath(r ModPublicRoute) string {
p := r.Path
if p == "" {
return "empty path"
}
if !strings.HasPrefix(p, "/") {
return "path must be absolute, starting with /"
}
if p == "/" {
return "cannot claim the site root"
}
if strings.HasSuffix(p, "/") {
return "no trailing slash; set prefix = true to claim the subtree"
}
for _, seg := range strings.Split(p[1:], "/") {
switch {
case seg == "":
return "empty path segment"
case seg == "." || seg == "..":
return "path traversal segment"
case !routeSegmentRe.MatchString(seg):
return fmt.Sprintf("segment %q has characters outside [A-Za-z0-9._~-]", seg)
}
}
for _, reserved := range ReservedRoutePrefixes {
if p == reserved || strings.HasPrefix(p, reserved+"/") {
return fmt.Sprintf("reserved prefix %s", reserved)
}
if r.Prefix && strings.HasPrefix(reserved, p+"/") {
return fmt.Sprintf("prefix claim covers reserved prefix %s", reserved)
}
}
return ""
}

View File

@ -0,0 +1,214 @@
package plugin
import (
"fmt"
"strings"
"testing"
)
func TestParseModFull_PublicRoutesAndSitemap(t *testing.T) {
src := []byte(`
[plugin]
name = "perthplaygrounds"
version = "1.0.0"
public_routes = [{ path = "/area", prefix = true }, { path = "/badges" }, { path = "/api/directory", prefix = true }]
sitemap = true
`)
m, err := ParseModFull(src)
if err != nil {
t.Fatalf("ParseModFull err: %v", err)
}
routes := m.Plugin.PublicRoutes
if len(routes) != 3 {
t.Fatalf("PublicRoutes len = %d, want 3 (%v)", len(routes), routes)
}
want := []ModPublicRoute{
{Path: "/area", Prefix: true},
{Path: "/badges", Prefix: false},
{Path: "/api/directory", Prefix: true},
}
for i, w := range want {
if routes[i] != w {
t.Errorf("PublicRoutes[%d] = %+v, want %+v", i, routes[i], w)
}
}
if !m.Plugin.Sitemap {
t.Errorf("Sitemap = false, want true")
}
}
func TestParseModFull_PublicRoutesArrayOfTables(t *testing.T) {
src := []byte(`
[plugin]
name = "perthplaygrounds"
version = "1.0.0"
[[plugin.public_routes]]
path = "/area"
prefix = true
[[plugin.public_routes]]
path = "/badges"
`)
m, err := ParseModFull(src)
if err != nil {
t.Fatalf("ParseModFull err: %v", err)
}
routes := m.Plugin.PublicRoutes
if len(routes) != 2 {
t.Fatalf("PublicRoutes len = %d, want 2 (%v)", len(routes), routes)
}
if routes[0] != (ModPublicRoute{Path: "/area", Prefix: true}) {
t.Errorf("PublicRoutes[0] = %+v", routes[0])
}
if routes[1] != (ModPublicRoute{Path: "/badges"}) {
t.Errorf("PublicRoutes[1] = %+v", routes[1])
}
}
func TestParseModFull_PublicRoutesOmitted(t *testing.T) {
src := []byte(`
[plugin]
name = "plain"
version = "0.1.0"
`)
m, err := ParseModFull(src)
if err != nil {
t.Fatalf("ParseModFull err: %v", err)
}
if m.Plugin.PublicRoutes != nil {
t.Errorf("PublicRoutes = %v, want nil when omitted", m.Plugin.PublicRoutes)
}
if m.Plugin.Sitemap {
t.Errorf("Sitemap = true, want false (absent key)")
}
}
func TestValidatePublicRoutes_HappyPath(t *testing.T) {
err := ValidatePublicRoutes([]ModPublicRoute{
{Path: "/area", Prefix: true},
{Path: "/badges", Prefix: true},
{Path: "/age", Prefix: true},
{Path: "/api/directory", Prefix: true},
{Path: "/api/semantic-search"},
{Path: "/some_page.html"},
})
if err != nil {
t.Fatalf("ValidatePublicRoutes err: %v", err)
}
}
func TestValidatePublicRoutes_EmptyAndNil(t *testing.T) {
if err := ValidatePublicRoutes(nil); err != nil {
t.Errorf("nil err: %v", err)
}
if err := ValidatePublicRoutes([]ModPublicRoute{}); err != nil {
t.Errorf("empty err: %v", err)
}
}
func TestValidatePublicRoutes_RejectsReservedPrefixes(t *testing.T) {
cases := []ModPublicRoute{
{Path: "/admin"},
{Path: "/admin", Prefix: true},
{Path: "/admin/settings"},
{Path: "/api/plugins"},
{Path: "/api/plugins/foo", Prefix: true},
{Path: "/ws"},
}
for _, c := range cases {
err := ValidatePublicRoutes([]ModPublicRoute{c})
if err == nil {
t.Errorf("ValidatePublicRoutes(%+v) = nil, want reserved-prefix error", c)
continue
}
if !strings.Contains(err.Error(), "reserved prefix") {
t.Errorf("error for %+v does not mention reserved prefix: %v", c, err)
}
}
}
func TestValidatePublicRoutes_RejectsPrefixCoveringReserved(t *testing.T) {
err := ValidatePublicRoutes([]ModPublicRoute{{Path: "/api", Prefix: true}})
if err == nil {
t.Fatal("prefix claim /api should be rejected: it covers /api/plugins")
}
if !strings.Contains(err.Error(), "covers reserved prefix /api/plugins") {
t.Errorf("error does not explain the covered prefix: %v", err)
}
if err := ValidatePublicRoutes([]ModPublicRoute{{Path: "/api"}}); err != nil {
t.Errorf("exact claim /api should be allowed: %v", err)
}
}
func TestValidatePublicRoutes_RejectsMalformedPaths(t *testing.T) {
cases := []struct {
route ModPublicRoute
frag string
}{
{ModPublicRoute{Path: ""}, "empty path"},
{ModPublicRoute{Path: "area"}, "absolute"},
{ModPublicRoute{Path: "/"}, "site root"},
{ModPublicRoute{Path: "/area/"}, "trailing slash"},
{ModPublicRoute{Path: "/area//list"}, "empty path segment"},
{ModPublicRoute{Path: "/area/../admin"}, "traversal"},
{ModPublicRoute{Path: "/area?x=1"}, "characters outside"},
{ModPublicRoute{Path: "/area list"}, "characters outside"},
}
for _, c := range cases {
err := ValidatePublicRoutes([]ModPublicRoute{c.route})
if err == nil {
t.Errorf("ValidatePublicRoutes(%q) = nil, want error", c.route.Path)
continue
}
if !strings.Contains(err.Error(), c.frag) {
t.Errorf("error for %q = %v, want mention of %q", c.route.Path, err, c.frag)
}
}
}
func TestValidatePublicRoutes_RejectsDuplicates(t *testing.T) {
err := ValidatePublicRoutes([]ModPublicRoute{
{Path: "/area"},
{Path: "/area", Prefix: true},
})
if err == nil {
t.Fatal("duplicate path should be rejected")
}
if !strings.Contains(err.Error(), "duplicate path") {
t.Errorf("error does not mention duplicate: %v", err)
}
}
func TestValidatePublicRoutes_ReportsAllOffendersInOnePass(t *testing.T) {
err := ValidatePublicRoutes([]ModPublicRoute{
{Path: "bad"},
{Path: "/admin/x"},
{Path: "/fine"},
})
if err == nil {
t.Fatal("expected error")
}
for _, frag := range []string{`"bad"`, `"/admin/x"`} {
if !strings.Contains(err.Error(), frag) {
t.Errorf("error %q does not mention %s", err.Error(), frag)
}
}
if strings.Contains(err.Error(), `"/fine"`) {
t.Errorf("error should not name the valid route: %v", err)
}
}
func TestValidatePublicRoutes_CapEnforced(t *testing.T) {
routes := make([]ModPublicRoute, MaxPublicRoutes+1)
for i := range routes {
routes[i] = ModPublicRoute{Path: fmt.Sprintf("/r%d", i)}
}
err := ValidatePublicRoutes(routes)
if err == nil {
t.Fatal("expected too-many error")
}
if !strings.Contains(err.Error(), "too many public_routes") {
t.Errorf("error %q does not mention the cap", err.Error())
}
}

View File

@ -4,6 +4,8 @@ import (
"context"
"errors"
"flag"
"io"
"net/http"
"os"
"path/filepath"
"strings"
@ -13,6 +15,7 @@ import (
abiv1 "git.dev.alexdunmow.com/block/pluginsdk/abi/v1"
"git.dev.alexdunmow.com/block/pluginsdk/ai"
"git.dev.alexdunmow.com/block/pluginsdk/content"
"git.dev.alexdunmow.com/block/pluginsdk/egress"
"git.dev.alexdunmow.com/block/pluginsdk/gating"
"git.dev.alexdunmow.com/block/pluginsdk/plugin"
"github.com/google/uuid"
@ -160,6 +163,19 @@ func TestCapabilityRoundTrip(t *testing.T) {
}
},
},
{
name: "content_published_block_configs", wantMethod: "content.published_block_configs",
resp: &abiv1.ContentPublishedBlockConfigsResponse{Configs: [][]byte{[]byte(`{"captchaEnabled":true,"eventTypeSlug":"30min","username":"alice"}`)}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.Content.PublishedBlockConfigs(ctx, "calcom:booking")
if err != nil {
t.Fatal(err)
}
if len(got) != 1 || got[0]["username"] != "alice" || got[0]["captchaEnabled"] != true {
t.Errorf("configs = %+v", got)
}
},
},
{
name: "content_get_page", wantMethod: "content.get_page",
resp: &abiv1.ContentGetPageResponse{Page: &abiv1.PageInfo{Id: idAuthor.String(), Slug: "about", Title: "About Us"}},
@ -389,6 +405,90 @@ func TestCapabilityRoundTrip(t *testing.T) {
}
},
},
// --- datatables ---
{
name: "datatables_get_table_by_key", wantMethod: "datatables.get_table_by_key",
resp: &abiv1.DatatablesGetTableByKeyResponse{Table: &abiv1.DataTableInfo{
Id: idTable.String(), TableKey: "playgrounds", Name: "Playgrounds", RowCount: 678,
}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.GetTableByKey(ctx, "playgrounds")
if err != nil || got.ID != idTable || got.TableKey != "playgrounds" || got.RowCount != 678 {
t.Errorf("table = %+v err = %v", got, err)
}
},
},
{
name: "datatables_get_row", wantMethod: "datatables.get_row",
resp: &abiv1.DatatablesGetRowResponse{Row: &abiv1.DataTableRowInfo{
Id: idRow.String(), TableId: idTable.String(), DataJson: []byte(`{"name":"Whiteman Park"}`), SortOrder: 3,
}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.GetRow(ctx, idRow)
if err != nil || got.ID != idRow || got.TableID != idTable || got.SortOrder != 3 {
t.Errorf("row = %+v err = %v", got, err)
}
},
},
{
name: "datatables_list_rows", wantMethod: "datatables.list_rows",
resp: &abiv1.DatatablesListRowsResponse{Rows: []*abiv1.DataTableRowInfo{
{Id: idRow.String(), TableId: idTable.String(), DataJson: []byte(`{"name":"A"}`)},
{Id: idItem.String(), TableId: idTable.String(), DataJson: []byte(`{"name":"B"}`), SortOrder: 1},
}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.ListRows(ctx, idTable, 100, 0)
if err != nil || len(got) != 2 || got[0].ID != idRow || got[1].SortOrder != 1 {
t.Errorf("rows = %+v err = %v", got, err)
}
},
},
{
name: "datatables_create_row", wantMethod: "datatables.create_row",
resp: &abiv1.DatatablesCreateRowResponse{Row: &abiv1.DataTableRowInfo{
Id: idRow.String(), TableId: idTable.String(), DataJson: []byte(`{"name":"New"}`),
}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.CreateRow(ctx, idTable, []byte(`{"name":"New"}`))
if err != nil || got.ID != idRow || string(got.DataJSON) != `{"name":"New"}` {
t.Errorf("row = %+v err = %v", got, err)
}
},
},
{
name: "datatables_update_row_data", wantMethod: "datatables.update_row_data",
resp: &abiv1.DatatablesUpdateRowDataResponse{Row: &abiv1.DataTableRowInfo{
Id: idRow.String(), TableId: idTable.String(), DataJson: []byte(`{"name":"Updated"}`), SortOrder: 7,
}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.UpdateRowData(ctx, idRow, []byte(`{"name":"Updated"}`))
if err != nil || got.SortOrder != 7 || string(got.DataJSON) != `{"name":"Updated"}` {
t.Errorf("row = %+v err = %v", got, err)
}
},
},
{
name: "datatables_find_row_by_field", wantMethod: "datatables.find_row_by_field",
resp: &abiv1.DatatablesFindRowByFieldResponse{Row: &abiv1.DataTableRowInfo{
Id: idRow.String(), TableId: idTable.String(), DataJson: []byte(`{"google_place_id":"abc"}`),
}},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.FindRowByField(ctx, idTable, "google_place_id", "abc")
if err != nil || got == nil || got.ID != idRow {
t.Errorf("row = %+v err = %v", got, err)
}
},
},
{
name: "datatables_find_row_by_field_miss", wantMethod: "datatables.find_row_by_field",
resp: &abiv1.DatatablesFindRowByFieldResponse{},
run: func(t *testing.T, cs plugin.CoreServices) {
got, err := cs.DataTables.FindRowByField(ctx, idTable, "google_place_id", "missing")
if err != nil || got != nil {
t.Errorf("want nil, nil on miss; row = %+v err = %v", got, err)
}
},
},
// --- users ---
{
name: "users_get_by_username", wantMethod: "users.get_by_username",
@ -851,6 +951,35 @@ func TestCapabilityRoundTrip(t *testing.T) {
}
},
},
// --- http.request (ADR 0023; RoundTripper, not a value-returning stub) ---
{
name: "http_request", wantMethod: "http.request",
resp: &abiv1.HttpRequestResponse{
Status: 200,
Headers: map[string]*abiv1.HeaderValues{"Content-Type": {Values: []string{"application/json"}}},
Body: []byte(`{"ok":true}`),
FinalUrl: "https://api.cal.com/v1/slots",
},
run: func(t *testing.T, cs plugin.CoreServices) {
req, err := http.NewRequest(http.MethodGet, "https://api.cal.com/v1/slots", nil)
if err != nil {
t.Fatal(err)
}
req.Header.Set("Authorization", "Bearer test")
res, err := cs.OutboundHTTP.RoundTrip(req)
if err != nil {
t.Fatal(err)
}
defer func() { _ = res.Body.Close() }()
if res.StatusCode != 200 || res.Header.Get("Content-Type") != "application/json" {
t.Errorf("response = %+v", res)
}
body, _ := io.ReadAll(res.Body)
if string(body) != `{"ok":true}` {
t.Errorf("body = %q", body)
}
},
},
// --- jobs.progress (WO-WZ-019; sent by the job dispatch path, not a
// CoreServices stub, so the case drives the transport directly) ---
{
@ -919,6 +1048,22 @@ func TestErrorMappingDeadlineBecomesContextDeadline(t *testing.T) {
}
}
func TestEgressDeniedMapsToErrDenied(t *testing.T) {
f := &fakeTransport{t: t, err: &fakeAbiErr{code: abiv1.AbiErrorCode_ABI_ERROR_CODE_EGRESS_DENIED, msg: `host "evil.example" not in allowlist`}}
cs := NewCoreServices(f.call)
f.name = "http_request" // reuse the request golden for the compare
req, _ := http.NewRequest(http.MethodGet, "https://api.cal.com/v1/slots", nil)
req.Header.Set("Authorization", "Bearer test") // match the http_request_req golden
_, err := cs.OutboundHTTP.RoundTrip(req)
if err == nil {
t.Fatal("want error")
}
if !errors.Is(err, egress.ErrDenied) {
t.Errorf("error %q does not wrap egress.ErrDenied", err)
}
}
func TestNilTransportFailsCleanly(t *testing.T) {
cs := NewCoreServices(nil)
_, err := cs.Content.GetPage(context.Background(), "about")

View File

@ -34,6 +34,7 @@ func NewCoreServices(call CallFunc) plugin.CoreServices {
Crypto: &cryptoStub{base{family: "crypto", call: call}},
Menus: &menusStub{base{family: "menus", call: call}},
Datasources: &datasourcesStub{base{family: "datasources", call: call}},
DataTables: &datatablesStub{base{family: "datatables", call: call}},
PublicUsers: &usersStub{base{family: "users", call: call}},
Subscriptions: &subscriptionsStub{base{family: "subscriptions", call: call}},
Media: &mediaStub{base{family: "media", call: call}},
@ -47,5 +48,6 @@ func NewCoreServices(call CallFunc) plugin.CoreServices {
EmbeddingService: &embeddingsStub{base{family: "embeddings", call: call}},
RAGService: NewRAGStub(call),
Provisioner: &provisionerStub{base{family: "provisioner", call: call}},
OutboundHTTP: &httpStub{base{family: "http", call: call}},
}
}

View File

@ -0,0 +1,102 @@
package caps
import (
"context"
abiv1 "git.dev.alexdunmow.com/block/pluginsdk/abi/v1"
"git.dev.alexdunmow.com/block/pluginsdk/datatables"
"github.com/google/uuid"
)
// datatablesStub implements datatables.DataTables over datatables.* capability
// calls. Row payloads cross as JSON bytes.
type datatablesStub struct{ base }
var _ datatables.DataTables = (*datatablesStub)(nil)
func (s *datatablesStub) GetTableByKey(ctx context.Context, tableKey string) (*datatables.Table, error) {
resp := &abiv1.DatatablesGetTableByKeyResponse{}
req := &abiv1.DatatablesGetTableByKeyRequest{TableKey: tableKey}
if err := s.invoke(ctx, "get_table_by_key", req, resp); err != nil {
return nil, err
}
return dataTableFromProto(resp.GetTable()), nil
}
func (s *datatablesStub) GetRow(ctx context.Context, rowID uuid.UUID) (*datatables.Row, error) {
resp := &abiv1.DatatablesGetRowResponse{}
req := &abiv1.DatatablesGetRowRequest{RowId: rowID.String()}
if err := s.invoke(ctx, "get_row", req, resp); err != nil {
return nil, err
}
return dataTableRowFromProto(resp.GetRow()), nil
}
func (s *datatablesStub) ListRows(ctx context.Context, tableID uuid.UUID, limit, offset int32) ([]datatables.Row, error) {
resp := &abiv1.DatatablesListRowsResponse{}
req := &abiv1.DatatablesListRowsRequest{TableId: tableID.String(), Limit: limit, Offset: offset}
if err := s.invoke(ctx, "list_rows", req, resp); err != nil {
return nil, err
}
rows := make([]datatables.Row, 0, len(resp.GetRows()))
for _, r := range resp.GetRows() {
if row := dataTableRowFromProto(r); row != nil {
rows = append(rows, *row)
}
}
return rows, nil
}
func (s *datatablesStub) CreateRow(ctx context.Context, tableID uuid.UUID, dataJSON []byte) (*datatables.Row, error) {
resp := &abiv1.DatatablesCreateRowResponse{}
req := &abiv1.DatatablesCreateRowRequest{TableId: tableID.String(), DataJson: dataJSON}
if err := s.invoke(ctx, "create_row", req, resp); err != nil {
return nil, err
}
return dataTableRowFromProto(resp.GetRow()), nil
}
func (s *datatablesStub) UpdateRowData(ctx context.Context, rowID uuid.UUID, dataJSON []byte) (*datatables.Row, error) {
resp := &abiv1.DatatablesUpdateRowDataResponse{}
req := &abiv1.DatatablesUpdateRowDataRequest{RowId: rowID.String(), DataJson: dataJSON}
if err := s.invoke(ctx, "update_row_data", req, resp); err != nil {
return nil, err
}
return dataTableRowFromProto(resp.GetRow()), nil
}
func (s *datatablesStub) FindRowByField(ctx context.Context, tableID uuid.UUID, field, value string) (*datatables.Row, error) {
resp := &abiv1.DatatablesFindRowByFieldResponse{}
req := &abiv1.DatatablesFindRowByFieldRequest{TableId: tableID.String(), Field: field, Value: value}
if err := s.invoke(ctx, "find_row_by_field", req, resp); err != nil {
return nil, err
}
return dataTableRowFromProto(resp.GetRow()), nil
}
func dataTableFromProto(t *abiv1.DataTableInfo) *datatables.Table {
if t == nil {
return nil
}
id, _ := uuid.Parse(t.GetId())
return &datatables.Table{
ID: id,
TableKey: t.GetTableKey(),
Name: t.GetName(),
RowCount: t.GetRowCount(),
}
}
func dataTableRowFromProto(r *abiv1.DataTableRowInfo) *datatables.Row {
if r == nil {
return nil
}
id, _ := uuid.Parse(r.GetId())
tableID, _ := uuid.Parse(r.GetTableId())
return &datatables.Row{
ID: id,
TableID: tableID,
DataJSON: r.GetDataJson(),
SortOrder: r.GetSortOrder(),
}
}

View File

@ -0,0 +1,87 @@
package caps
import (
"bytes"
"errors"
"fmt"
"io"
"net/http"
"time"
abiv1 "git.dev.alexdunmow.com/block/pluginsdk/abi/v1"
"git.dev.alexdunmow.com/block/pluginsdk/egress"
)
// httpStub implements http.RoundTripper over the http.request capability: it
// marshals the outbound *http.Request into an HttpRequestRequest, hands it to
// the host (which enforces the plugin's egress grant, the SSRF guard, and the
// platform denylist, then performs the request), and rebuilds the reply into
// an *http.Response. The guest never touches a socket. Plugins use it through
// an ordinary &http.Client{Transport: deps.OutboundHTTP}.
type httpStub struct{ base }
var _ http.RoundTripper = (*httpStub)(nil)
// MaxRequestBytes bounds the request body the guest will marshal across the
// boundary, matching the host's cap; larger fails before any host call.
func (s *httpStub) RoundTrip(req *http.Request) (*http.Response, error) {
var body []byte
if req.Body != nil {
defer func() { _ = req.Body.Close() }()
b, err := io.ReadAll(io.LimitReader(req.Body, egress.MaxRequestBytes+1))
if err != nil {
return nil, fmt.Errorf("http.request: read body: %w", err)
}
if len(b) > egress.MaxRequestBytes {
return nil, fmt.Errorf("http.request: request body exceeds %d bytes", egress.MaxRequestBytes)
}
body = b
}
out := &abiv1.HttpRequestRequest{
Method: req.Method,
Url: req.URL.String(),
Headers: make(map[string]*abiv1.HeaderValues, len(req.Header)),
Body: body,
}
for name, values := range req.Header {
out.Headers[name] = &abiv1.HeaderValues{Values: values}
}
if dl, ok := req.Context().Deadline(); ok {
if ms := time.Until(dl).Milliseconds(); ms > 0 {
out.TimeoutMs = uint32(ms)
}
}
resp := &abiv1.HttpRequestResponse{}
if err := s.invoke(req.Context(), "request", out, resp); err != nil {
if isEgressDenied(err) {
return nil, fmt.Errorf("%w: %s", egress.ErrDenied, err.Error())
}
return nil, err
}
header := make(http.Header, len(resp.GetHeaders()))
for name, hv := range resp.GetHeaders() {
for _, v := range hv.GetValues() {
header.Add(name, v)
}
}
return &http.Response{
Status: http.StatusText(int(resp.GetStatus())),
StatusCode: int(resp.GetStatus()),
Proto: "HTTP/1.1",
ProtoMajor: 1,
ProtoMinor: 1,
Header: header,
Body: io.NopCloser(bytes.NewReader(resp.GetBody())),
ContentLength: int64(len(resp.GetBody())),
Request: req,
}, nil
}
func isEgressDenied(err error) bool {
var coded abiCoded
return errors.As(err, &coded) &&
coded.AbiErrorCode() == abiv1.AbiErrorCode_ABI_ERROR_CODE_EGRESS_DENIED
}

View File

@ -0,0 +1,2 @@
calcom:booking

View File

@ -0,0 +1,2 @@
B{"captchaEnabled":true,"eventTypeSlug":"30min","username":"alice"}

View File

@ -0,0 +1,2 @@
$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa{"name":"New"}

View File

@ -0,0 +1,3 @@
\
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa{"name":"New"}

View File

@ -0,0 +1,2 @@
$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaagoogle_place_idmissing

View File

@ -0,0 +1,2 @@
$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaagoogle_place_idabc

View File

@ -0,0 +1,3 @@
g
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa{"google_place_id":"abc"}

View File

@ -0,0 +1,2 @@
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb

View File

@ -0,0 +1,3 @@
h
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa{"name":"Whiteman Park"} 

View File

@ -0,0 +1,2 @@
playgrounds

View File

@ -0,0 +1,3 @@
C
$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa playgrounds Playgrounds ¦

View File

@ -0,0 +1,2 @@
$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaad

View File

@ -0,0 +1,5 @@
Z
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa {"name":"A"}
\
$44444444-4444-4444-4444-444444444444$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa {"name":"B"} 

View File

@ -0,0 +1,2 @@
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb{"name":"Updated"}

View File

@ -0,0 +1,3 @@
b
$bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb$aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa{"name":"Updated"} 

View File

@ -0,0 +1,4 @@
GEThttps://api.cal.com/v1/slots
Authorization
Bearer test

View File

@ -0,0 +1,3 @@
È"
Content-Type
application/json {"ok":true}"https://api.cal.com/v1/slots

View File

@ -292,11 +292,87 @@ func renderBlock(ctx context.Context, block map[string]any) string {
if alt == "" {
alt = caption
}
sb.WriteString(`<figure class="my-6">`)
fmt.Fprintf(&sb, `<img src="%s" alt="%s" />`, html.EscapeString(url), html.EscapeString(alt))
link := ""
if l, ok := props["link"].(string); ok {
link = l
}
width := ""
if w, ok := props["width"].(string); ok {
width = w
}
align := ""
if a, ok := props["align"].(string); ok {
align = a
}
attMode := ""
if m, ok := props["attributionMode"].(string); ok {
attMode = m
}
var att *blocks.MediaAttribution
if attMode == "chip" || attMode == "chipHover" || attMode == "below" {
if idStr, ok := props["mediaId"].(string); ok && idStr != "" {
if id, err := uuid.Parse(idStr); err == nil {
if resolver := blocks.GetMediaResolver(ctx); resolver != nil {
if mv := resolver.ResolveMedia(ctx, id); mv != nil {
att = mv.Attribution
}
}
}
}
}
chip := ""
switch attMode {
case "chip":
chip = buildAttributionHTML(att, imageChipClass)
case "chipHover":
chip = buildAttributionHTML(att, imageChipClass+" opacity-0 group-hover:opacity-100 focus-within:opacity-100 transition-opacity")
}
figureClass := "my-6"
switch width {
case "small":
figureClass += " max-w-[400px]"
case "medium":
figureClass += " max-w-[600px]"
case "wide":
figureClass += " max-w-[800px]"
}
if width == "small" || width == "medium" || width == "wide" {
switch align {
case "left":
figureClass += " float-left mr-6 mb-4"
case "right":
figureClass += " float-right ml-6 mb-4"
default:
figureClass += " mx-auto"
}
}
img := fmt.Sprintf(`<img src="%s" alt="%s" />`, html.EscapeString(url), html.EscapeString(alt))
if link != "" {
img = fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(link), img)
}
// The positioning wrapper only exists when a chip is rendered, so
// legacy and chip-less blocks keep today's exact markup.
if chip != "" {
wrapClass := "relative overflow-hidden"
if attMode == "chipHover" {
wrapClass = "group " + wrapClass
}
img = fmt.Sprintf(`<div class="%s">%s%s</div>`, wrapClass, img, chip)
}
fmt.Fprintf(&sb, `<figure class="%s">`, figureClass)
sb.WriteString(img)
if caption != "" {
fmt.Fprintf(&sb, "<figcaption>%s</figcaption>", html.EscapeString(caption))
}
if attMode == "below" {
if credit := buildAttributionHTML(att, ""); credit != "" {
fmt.Fprintf(&sb, `<div class="mt-1 text-xs text-muted-foreground text-center">%s</div>`, credit)
}
}
sb.WriteString("</figure>\n")
case "video":
@ -580,6 +656,43 @@ func renderInlineContent(content []map[string]any, insideLink bool) string {
return sb.String()
}
// imageChipClass matches the page-builder image block's attribution chip
// (backend/blocks/tags via image.ninjatpl in the cms repo) so themes style
// blog and page credits identically.
const imageChipClass = "absolute bottom-2 right-2 z-10 px-2 py-1 rounded-md bg-background/80 backdrop-blur-sm text-xs text-muted-foreground"
// buildAttributionHTML renders the escaped "Photo by NAME on SOURCE" credit,
// or "" when there is no photographer to credit. The "on SOURCE" suffix is
// omitted when no source is set.
func buildAttributionHTML(att *blocks.MediaAttribution, class string) string {
if att == nil || att.Photographer == "" {
return ""
}
var b strings.Builder
b.WriteString(`<span`)
if class != "" {
fmt.Fprintf(&b, ` class="%s"`, html.EscapeString(class))
}
b.WriteString(`>Photo by `)
writeAttributionLink(&b, att.PhotographerURL, att.Photographer)
if att.Source != "" {
sourceLabel := strings.ToUpper(att.Source[:1]) + att.Source[1:]
b.WriteString(` on `)
writeAttributionLink(&b, att.SourceURL, sourceLabel)
}
b.WriteString(`</span>`)
return b.String()
}
func writeAttributionLink(b *strings.Builder, href, label string) {
if href != "" && (strings.HasPrefix(href, "https://") || strings.HasPrefix(href, "http://")) {
fmt.Fprintf(b, `<a href="%s" target="_blank" rel="noopener noreferrer" class="underline">%s</a>`,
html.EscapeString(href), html.EscapeString(label))
return
}
b.WriteString(html.EscapeString(label))
}
// autolinkText escapes plain text for HTML output and wraps any https:// URL
// substring in <a href="..." rel="noopener">URL</a>. Bare domains, www. and
// http:// URLs are intentionally not auto-linked.

View File

@ -672,3 +672,111 @@ func TestUnknownBlockType(t *testing.T) {
t.Errorf("expected fallback rendering of unknown block: %s", html)
}
}
type testMediaResolver struct {
att *blocks.MediaAttribution
}
func (r testMediaResolver) ResolveMedia(_ context.Context, mediaID uuid.UUID) *blocks.MediaValue {
return &blocks.MediaValue{Src: "/media/" + mediaID.String(), Attribution: r.att}
}
func imageBlock(props map[string]any) map[string]any {
return map[string]any{"blocks": []any{map[string]any{"type": "image", "props": props}}}
}
// Legacy blocks (url/caption only) must render byte-identical to the old output.
func TestImageBlockLegacyUnchanged(t *testing.T) {
html := BlockNoteToHTML(context.Background(), imageBlock(map[string]any{
"url": "https://example.com/pic.jpg", "caption": "A pic",
}))
want := "<figure class=\"my-6\"><img src=\"https://example.com/pic.jpg\" alt=\"A pic\" /><figcaption>A pic</figcaption></figure>\n"
if html != want {
t.Fatalf("legacy image output changed:\n got: %s\nwant: %s", html, want)
}
}
func TestImageBlockAltAndLink(t *testing.T) {
html := BlockNoteToHTML(context.Background(), imageBlock(map[string]any{
"url": "/media/x.webp", "alt": "Sunset", "link": "https://example.com/story",
}))
if !strings.Contains(html, `alt="Sunset"`) {
t.Fatalf("alt not rendered: %s", html)
}
if !strings.Contains(html, `<a href="https://example.com/story"><img `) {
t.Fatalf("link wrap not rendered: %s", html)
}
}
func TestImageBlockWidthAndAlign(t *testing.T) {
html := BlockNoteToHTML(context.Background(), imageBlock(map[string]any{
"url": "/media/x.webp", "width": "medium", "align": "right",
}))
if !strings.Contains(html, `max-w-[600px]`) || !strings.Contains(html, `float-right ml-6 mb-4`) {
t.Fatalf("width/align classes missing: %s", html)
}
centered := BlockNoteToHTML(context.Background(), imageBlock(map[string]any{
"url": "/media/x.webp", "width": "small", "align": "center",
}))
if !strings.Contains(centered, `max-w-[400px]`) || !strings.Contains(centered, `mx-auto`) {
t.Fatalf("centered width classes missing: %s", centered)
}
}
func TestImageBlockAttributionModes(t *testing.T) {
mediaID := uuid.MustParse("33333333-3333-3333-3333-333333333333")
att := &blocks.MediaAttribution{
Photographer: "Jane Doe",
PhotographerURL: "https://www.pexels.com/@janedoe",
Source: "pexels",
SourceURL: "https://www.pexels.com/photo/123",
}
ctx := blocks.WithMediaResolver(context.Background(), testMediaResolver{att: att})
props := func(mode string) map[string]any {
return map[string]any{"url": "/media/x.webp", "mediaId": mediaID.String(), "attributionMode": mode}
}
chip := BlockNoteToHTML(ctx, imageBlock(props("chip")))
if !strings.Contains(chip, "Photo by ") || !strings.Contains(chip, "Jane Doe") ||
!strings.Contains(chip, "on ") || !strings.Contains(chip, "Pexels") ||
!strings.Contains(chip, `absolute bottom-2 right-2`) {
t.Fatalf("chip mode wrong: %s", chip)
}
hover := BlockNoteToHTML(ctx, imageBlock(props("chipHover")))
if !strings.Contains(hover, `group-hover:opacity-100`) || !strings.Contains(hover, `class="group relative overflow-hidden"`) {
t.Fatalf("chipHover mode wrong: %s", hover)
}
below := BlockNoteToHTML(ctx, imageBlock(props("below")))
if !strings.Contains(below, `mt-1 text-xs text-muted-foreground text-center`) || !strings.Contains(below, "Jane Doe") {
t.Fatalf("below mode wrong: %s", below)
}
off := BlockNoteToHTML(ctx, imageBlock(map[string]any{"url": "/media/x.webp", "mediaId": mediaID.String()}))
if strings.Contains(off, "Photo by") {
t.Fatalf("default mode must render no credit: %s", off)
}
}
func TestImageBlockAttributionDegradesGracefully(t *testing.T) {
mediaID := uuid.MustParse("44444444-4444-4444-4444-444444444444")
props := imageBlock(map[string]any{"url": "/media/x.webp", "mediaId": mediaID.String(), "attributionMode": "chip"})
// No resolver in ctx.
if html := BlockNoteToHTML(context.Background(), props); strings.Contains(html, "Photo by") {
t.Fatalf("no-resolver ctx must render no credit: %s", html)
}
// Resolver returns media without attribution.
ctx := blocks.WithMediaResolver(context.Background(), testMediaResolver{att: nil})
if html := BlockNoteToHTML(ctx, props); strings.Contains(html, "Photo by") {
t.Fatalf("nil attribution must render no credit: %s", html)
}
// Photographer-only credit omits the "on SOURCE" suffix.
ctx = blocks.WithMediaResolver(context.Background(), testMediaResolver{att: &blocks.MediaAttribution{Photographer: "Jane"}})
html := BlockNoteToHTML(ctx, props)
if !strings.Contains(html, "Photo by ") || strings.Contains(html, " on ") {
t.Fatalf("photographer-only credit wrong: %s", html)
}
}