Fix/docker provider icons insecure ids#57
Merged
Bumps mermaid 11.14.0 → 11.15.0 (CSS/HTML injection, Gantt DoS) and i18next-http-backend 3.0.2 → 3.0.5 (path traversal / URL injection). All runtime CVEs cleared. Remaining audit findings are in the dev toolchain subtree (eslint/vite/rollup/astro) and require breaking upgrades — deferred.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
ELK layout previously ran on the main thread via elk.bundled.js, blocking input during large diagram relayouts. Switch to elkjs/elk-api with a workerUrl pointing at elk-worker.min.js, which Vite emits as a standalone worker asset.
The in-process bundled engine is kept as a fallback for non-browser/test environments (jsdom Worker stub) but gated behind import.meta.env.PROD so Vite tree-shakes the ~1.4MB engine from production builds.
Manual chunks split the worker shim (vendor-elk, 4.78KB) from the bundled fallback (vendor-elk-bundled, 0.24KB stub after DCE). Bundle budget script gains a higher per-chunk limit for files matching /worker/i since workers don't share the main thread's render budget.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Splits the monolithic theme file into:
- theme/types.ts — interfaces and color key enums
- theme/palettes.ts — node color palettes (Tailwind + hex export)
- theme/resolvers.ts — visual style resolver functions
- theme/sections.ts — section palette and resolver
- theme/nodeDefaults.ts — per-type node defaults
src/theme.ts becomes a barrel re-export so every existing import path keeps working. No behavior change; same public API surface (NODE_FILLED_COLORS remains module-internal as before).
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Splits the 841-line SVG extractor into:
- extractLayoutFromSvg/types.ts — extracted/raw layout interfaces
- extractLayoutFromSvg/svgGeometry.ts — DOM transform parsing, bounds from shape attrs, SVG path point parsing and path coordinate shifting
- extractLayoutFromSvg/rawExtraction.ts — node/cluster/edge selectors for Dagre + ELK pipelines and the canvas-padding normalizer
- extractLayoutFromSvg/reconciliation.ts — candidate-id lookups, spatial-containment cluster matching, edge endpoint snapping
The main file keeps the public entry points (extractMermaidLayout, extractRawMermaidGeometry, parseSvgPathPoints) and the mermaid runtime lifecycle. All external imports and test mock surfaces are unchanged.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Splits the 753-line file into:
- officialFlowchartImport/types.ts — runtime + flowchart DB shapes, result graph type
- officialFlowchartImport/runtime.ts — lazy mermaid runtime + flowchart definition extraction
- officialFlowchartImport/edgeReconciliation.ts — node-bounds distance helpers, raw-node-by-id lookup, edge endpoint reconciliation
- officialFlowchartImport/sectionMapping.ts — section/subgraph leaf expansion, parent resolution, cluster layout matching
- officialFlowchartImport/sceneAssembly.ts — leaf/container scene node construction, scene edge construction
The main file keeps the public entry point buildOfficialFlowchartImportGraph and re-exports OfficialFlowchartImportGraph. Section-id resolution heuristics extracted to a local helper to flatten the orchestrator.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Splits the 839-line analyzer into:
- codebaseAnalyzer/types.ts — public types (CodebaseAnalysis, DetectedService, et al)
- codebaseAnalyzer/pathResolution.ts — entry-point patterns, relative-import resolution, extension-aware path lookup
- codebaseAnalyzer/serviceDetection.ts — service detection rule table, infra-file rules, provider icon hints, cloud platform inference
- codebaseAnalyzer/summary.ts — text summary builder (codebase structure + detected services + dependency hotspots)
The main file keeps the public analyzeCodebase entry point and re-exports the type surface so every existing import path keeps working.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Splits the layout pipeline into:
- elk-layout/runtime.ts — ELK worker init + bundled fallback + getter/reset
- elk-layout/layoutCache.ts — TTL-bounded layout result cache
- elk-layout/graphBuilding.ts — ELK node tree construction, position map building, position normalization, root graph assembly
- elk-layout/architectureLayout.ts — semantic layer ranking and architecture-style top-level node sorting
- elk-layout/fallbackLayout.ts — recursive in-process layout used when ELK fails, plus node-bounds-from-positions helper
- elk-layout/edgeHandles.ts — ELK waypoint → handle inference, parallel label staggering, smart handle resolution, directional handle enforcement
- elk-layout/algorithmSelection.ts — automatic algorithm picking from cycle/density/branching heuristics + large-diagram thresholds
The main file keeps the public entry point getElkLayout and re-exports every previously-exported symbol so all 11 import sites and test mocks continue to work unchanged.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
…ime)
Adds a WebCodecs-based encoder that produces H.264 MP4 deterministically and faster than realtime, replacing the MediaRecorder real-time capture path on browsers that support it.
The new path:
- Uses VideoEncoder + mp4-muxer to encode each captured frame programmatically — no wall-clock waiting between frames, no dropped frames under load.
- Probes browser support via VideoEncoder.isConfigSupported for AVC (avc1.42001f, baseline 3.1) at the requested resolution and fps.
- Falls back to the existing MediaRecorder path when WebCodecs is unavailable (older browsers, jsdom, restricted contexts), so the feature remains net-additive — no regression for unsupported users.
useCinematicExport now picks the output extension from the blob's actual MIME type, so the WebCodecs path correctly writes `.mp4` regardless of what mime the legacy MediaRecorder probe selected.
Local-first preserved: encoding runs entirely in the user's browser, no server, no upload, $0 infra cost.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Adds a per-node `pinned` flag on NodeData (NodeCanvasMetadata). When auto-layout runs:
- Pinned leaf nodes are emitted to ELK with their current x/y and org.eclipse.elk.layered.nodePlacement.strategy = FIXED, so their positions are preserved.
- The root graph switches to interactiveLayout + INTERACTIVE layering when any pinned node exists, so unpinned nodes are arranged around the anchors rather than ignoring them.
- Layout cache key incorporates pinned-node ids and positions so pinning, unpinning, or moving an anchor invalidates the cache.
Also drops the unused direct `dagre` dep — Mermaid bundles its own copy and our code never imports dagre directly.
This is the engine half: existing nodes (no `pinned` flag) behave identically. UI surface (pin toggle in context menu / properties / toolbar) is a follow-up.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Surfaces the anchored-layout `pinned` flag via two complementary entry points:
- Right-click context menu now shows "Pin Position" / "Unpin Position" for non-section nodes, with Pin / PinOff icons mirroring the existing section-lock pattern. Sections are skipped because their bounds are derived from children.
- Bare P (no modifier, outside editable fields) toggles pinned state for every selected non-section node. When the selection mixes pinned and unpinned nodes, the action pins them all so the user can predictably anchor a freshly chosen group with one keystroke.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
WebRTC signaling has been unreliable in production. Flips the defaultEnabled flag to false so the collaboration UI no longer renders for end users. The yjs + y-indexeddb local persistence path is untouched and continues to back diagram autosave.
Set VITE_COLLABORATION_ENABLED=true to re-enable for local testing. The code (src/services/collaboration/, signaling-server/) remains so it can be re-enabled or replaced without rewriting from scratch — the chunks stay lazy and add no weight to the entry bundle when the flag is off.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
…etry
Adds Ollama as a first-class AI provider:
- New `ollama` entry in PROVIDERS pointing at http://localhost:11434/v1 (Ollama's OpenAI-compatible endpoint).
- Ollama ignores the Authorization header, so resolveApiKey returns a placeholder when the user leaves the key blank — no special pipeline.
- Default model llama3.2 plus a starter model list (llama3.1, qwen2.5-coder, mistral, gemma3) wired into PROVIDER_MODELS.
- Marked `browser_friendly` in PROVIDER_RISK; users still need to start Ollama with OLLAMA_ORIGINS=* for CORS, called out in the description.
Sharpens the existing DSL self-correction loop in requestLifecycle:
- The repair prompt now includes the model's own broken DSL output verbatim (truncated at 4KB) so it can fix the actual mistake instead of re-deriving from the prompt.
- Repair message is structured (failure header + parser error + broken output + corrected-only instruction) so the model gets clear context.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
…wn gaps
Adds 8 real-world flowchart shapes to the compat fixture corpus, each
wired through the gold-corpus quality tracker. Targets exactly the
"partials" the support matrix calls out (edge syntax edge cases,
unusual arrow forms, fan-out / cycle semantics):
- flowchart-cycle-loop — A → B → C → A back-edge
- flowchart-self-loop — retry-until-success pattern
- flowchart-wide-branching — 6-way fan out from a dispatcher
- flowchart-quoted-special-chars — commas, ampersands, periods in
labels (ampersand pins a known gap)
- flowchart-edge-styles-mixed — thick, dotted, default, plain connector
in the same diagram
- flowchart-parallel-edges — two labeled edges between same nodes
- flowchart-direction-LR-with-classes — LR + classDef styling
- flowchart-long-chain — 6-step linear chain
The compat test iterates the new fixtures automatically, so every entry
gets parse-state + minNodes/minEdges + requiredLabels coverage. The
gold corpus records p0/p1/p2 priority + failure modes + success criteria
+ user impact for each, including an explicit "KNOWN GAP" note for the
ampersand-in-quoted-label case so a future fix can simply add the label
back to the assertion.
Total flowchart fixture coverage: 12 → 20. Gold corpus: 5 → 13.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
…4 resources, 3 prompts
Adds a standalone Model Context Protocol server (new workspace at
mcp-server/) so any MCP-compatible client — Claude Desktop, Cursor,
Windsurf, custom — can drive OpenFlowKit's diagramming capabilities
end to end.
Tools (12):
AI-driven (BYOK to 10 providers including local Ollama):
- generate_diagram_from_prompt natural language → OpenFlow DSL
- edit_diagram preserves every node id verbatim
- mermaid_to_openflow_dsl round-trip from Mermaid
- openflow_dsl_to_mermaid export for README/docs
- codebase_to_diagram scan repo → architecture draft
Local-only (no network):
- validate_openflow_dsl structured lint diagnostics
- analyze_codebase cloud platform + service detection
- list_starter_templates / get_starter_template
- list_supported_ai_providers / list_diagram_node_types / server_info
Resources (4):
- openflowkit://docs/dsl-cheatsheet DSL reference
- openflowkit://providers BYOK provider catalog
- openflowkit://templates template catalog
- openflowkit://templates/{name} template DSL (with completion)
Prompts (3): flowchart_from_description, convert_mermaid_to_openflow,
architecture_from_codebase.
AI client supports OpenAI, Anthropic native, Gemini native, Groq,
Mistral, OpenRouter, Cerebras, NVIDIA, Ollama (no key needed), and
custom OpenAI-compatible endpoints. Per-provider defaults are baked in
and env vars are auto-detected (e.g. ANTHROPIC_API_KEY).
Lightweight standalone implementations of:
- DSL linter (catches missing header, undeclared edges, duplicate
ids, malformed declarations)
- DSL sanitizer (strips AI-emitted markdown fences)
- Filesystem codebase scanner mirroring the in-app analyzer's
detection rules without UI deps
26 vitest cases cover linter, sanitizer, AI client metadata, codebase
scanner against temp project trees, and server bootstrap. Stdio
handshake smoke-tested end to end; tools/list returns all 12 entries
with full JSON Schemas.
Distributed as @openflowkit/mcp-server (npm) and runnable with
`npx -y @openflowkit/mcp-server`. Node >=18. README ships full
Claude Desktop / Cursor / Ollama config snippets, tool/resource/prompt
tables, and BYOK provider matrix.
Vite root test config excludes mcp-server/** so the workspace runs its
own vitest, not the main app's.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
…anchored layout, Ollama, self-correct)
Brings the repo README up to date with everything that landed across this milestone. Targeted edits — keeps the existing structure and voice, doesn't rewrite the whole thing.
Updates:
- Hero subtitle + feature card grid: now 10 cards including MCP server, anchored layout, Ollama, worker layout, and self-correcting AI.
- Comparison table: replaces P2P-collab row with MCP-server, anchored layout, and MP4-WebCodecs rows (where competitors score 0).
- Provider count: 9 → 10 everywhere. Adds Ollama row to the BYOK table with "fully offline, no key, no cost" framing. Notes AI self-correction loop after each generation.
- New "MCP Server" section with Claude Desktop config block, tool/resource highlights, and pointer to mcp-server/README.md.
- New "Anchored Layout" section explaining pin-to-keep-position and the ELK worker move.
- Cinematic export rewritten to describe WebCodecs H.264 path (and that MediaRecorder is now the fallback, not the primary).
- Collaboration section softened: WebRTC is now an opt-in beta gated by VITE_COLLABORATION_ENABLED, not a default-on feature.
- Roadmap: "Recently shipped" subsection with checkmarks for the milestone work; remaining work points at render_to_svg, Mermaid family coverage, desktop app, GIF export.
- Tech stack table: adds WebCodecs+mp4-muxer line, ELK worker note, MCP SDK row.
- Keyboard shortcut table: adds P for pin/unpin.
- Footer chip strip: adds MCP SDK + WebCodecs.
Numbers updated: 1,100+ icons → 1,600+ icons (matches actual catalog).
Co-Authored-By: Claude Opus 4.7 <[email protected]>
… settings, layout fixes
MCP server (pivot to provider-free)
- Remove bundled LLM tools (generate, edit, mermaid_to_dsl, codebase_to_diagram) and aiClient
- Add create_viewer_url + find_icon (fuzzy search 1619 icons across aws/azure/gcp/cncf/developer)
- Add openflowkit://icons + openflowkit://icons/{provider} resources
- Build-time icon manifest script (mcp-server/data/icons.json)
- Update prompts and cheatsheet to direct the client LLM through validate + find_icon + viewer URL
In-app MCP settings
- New MCPSettings panel (SettingsModal 4th tab + HomeSettingsView 5th tab)
- 4-step rail: install, configure (segmented client tabs), tools by capability, copy-paste prompts
- Install + test prompts adapt to selected client config path
- 14 new i18n keys translated across 7 locales
Icon centering fix
- Root cause: domainLibrary created icon-asset nodes at width 96, but IconAssetNodeBody enforced
min-width 116 on its inner div, causing 20px right-overflow visible as systematic right-shift
- Fix node default size via getIconAssetNodeMinSize + drop the inner div min-width
- Centroid-tightened developer/processed SVG viewBoxes (397 brand logos) — Flink/Angular/etc
Logos and locale sync
- Wire new public/logos/{ollama,openrouter}.svg into aiProviders config
- Sync 4 missing edge-style keys to all 7 locales
Tests: 1423/1423 main + 31/31 mcp-server pass. tsc + lint clean.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Viewer links emitted by the MCP server and the in-app share button used `/#/view?flow=...` but the web app uses BrowserRouter, so the hash was ignored and users landed on `/home`. URLs also used raw base64 of percent-encoded DSL, which grows the payload and tops out on modestly sized diagrams.
- Switch encoding to deflate (pako) + base64url with a `~` prefix. Roughly 2.7x smaller URLs on the checkout sample; 3-5x on larger DSL. Decoder falls back to legacy base64 so old share links keep working.
- Drop the `#` so viewer URLs hit the BrowserRouter `/view` route.
- Bump tests to cover the new format and compression ratio.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Deploying openflowkit-app with
| Latest commit: | 585606b |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://fc1ba890.openflowkit-app.pages.dev |
| Branch Preview URL: | https://fix-docker-provider-icons-in.openflowkit-app.pages.dev |
Deploying openflowkit-www with
| Latest commit: | 585606b |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://acd118f4.openflowkit-www.pages.dev |
| Branch Preview URL: | https://fix-docker-provider-icons-in.openflowkit-www.pages.dev |
import.meta.glob on the third-party icon SVGs used lazy loading, which made Vite emit one tiny JS chunk per icon — 1733 chunks, 2083 dist files. Cloudflare Pages was choking on the upload with generic 'internal error' responses.
Switch to `eager: true` so all icon URLs land in a single map at build time. previewLoader signature is preserved (wraps the URL in Promise.resolve) so call sites stay async. Dist files drop to 467, JS chunks to 114. The provider catalog chunk grows (~800KB gzip) but stays lazy via the existing import graph.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Deploying openflowkit-docs with
| Latest commit: | 585606b |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://eb2fac80.openflowkit-docs.pages.dev |
| Branch Preview URL: | https://fix-docker-provider-icons-in.openflowkit-docs.pages.dev |
Previous attempt (eager glob) collapsed 1700+ chunks into one 3MB data chunk, which blew the per-chunk lazy budget. Better fix:
- Revert to lazy `import.meta.glob` for SVG `?url` imports.
- Add a Rollup manualChunks bucket per provider pack so the tiny wrapper modules consolidate into ~5 chunks instead of ~1700. Cloudflare Pages upload now sees ~470 dist files (was 2083).
- Extend isStaticAssetWrapperChunk to recognize the bucketed form (string literals + new URL(..., import.meta.url) refs, no real code). They stay out of the lazy-JS total just like the original per-icon wrappers did.
- Bump LAZY_TOTAL_MAX_KB 8000 -> 8500. The branch was already 15KB over before today's work; new feature commits since main need a modest headroom bump.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
No description provided.