feat(core): permit cdnjs library whitelist in generated artifacts#102
Merged
feat(core): permit cdnjs library whitelist in generated artifacts#102
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Findings
- [Major] Whitelisted cdnjs library IDs include non-existent aliases, which can produce 404 script URLs in generated artifacts and break chart/data functionality at runtime. Evidence
packages/core/src/prompts/index.ts:87,packages/core/src/prompts/output-rules.v1.txt:32,packages/templates/src/system/design-generator.md:41,packages/templates/src/system/index.ts:29.
Suggested fix:
Approved: recharts, Chart.js, d3, three.js, lodash.js, PapaParse
# and keep the exact-version URL template unchanged
https://cdnjs.cloudflare.com/ajax/libs/<lib>/<exact-version>/<file>.min.js
- [Minor] Prompt tests currently lock in the same incorrect aliases (
chart.js,lodash,papaparse), so CI can pass while generated URLs remain invalid. Evidencepackages/core/src/generate.test.ts:1024.
Suggested fix:
for (const lib of ['recharts', 'Chart.js', 'd3', 'three.js', 'lodash.js', 'PapaParse']) {
expect(prompt, `missing approved cdnjs library: ${lib}`).toContain(lib);
}Summary
- Review mode: initial
- 2 issues found (1 Major, 1 Minor), both introduced by the whitelist update and directly affecting generation correctness.
docs/VISION.mdanddocs/PRINCIPLES.md: Not found in repo/docs.
Testing
- Not run (automation)
open-codesign Bot
| - Google Fonts: \`<link rel="preconnect">\` + \`<link rel="stylesheet">\` from \`fonts.googleapis.com\` / \`fonts.gstatic.com\` | ||
| - **JS libraries** — \`cdnjs.cloudflare.com\` whitelist only. Pin an exact version. Format: \`https://cdnjs.cloudflare.com/ajax/libs/<lib>/<exact-version>/<file>.min.js\`. Approved libraries: | ||
| - \`recharts\` — data viz (preferred for dashboards) | ||
| - \`chart.js\` — alternative charting |
Contributor
There was a problem hiding this comment.
chart.js, lodash, and papaparse do not map to cdnjs library IDs in ajax/libs paths. This can lead the model to emit 404 script URLs. Prefer Chart.js, lodash.js, and PapaParse here.
| - Google Fonts: `<link rel="preconnect">` + `<link rel="stylesheet">` from `fonts.googleapis.com` / `fonts.gstatic.com` | ||
| - **JS libraries** — `cdnjs.cloudflare.com` whitelist only. Pin an exact version. Format: `https://cdnjs.cloudflare.com/ajax/libs/<lib>/<exact-version>/<file>.min.js`. Approved libraries: | ||
| - `recharts` — data viz (preferred for dashboards) | ||
| - `chart.js` — alternative charting |
Contributor
There was a problem hiding this comment.
This approved list includes aliases that are not valid cdnjs ajax/libs IDs (chart.js, lodash, papaparse). Use canonical IDs so generated URLs resolve.
| `fonts.googleapis.com` / `fonts.gstatic.com`. | ||
| - **JS libraries**: `cdnjs.cloudflare.com` whitelist only, exact-version | ||
| pinned (`https://cdnjs.cloudflare.com/ajax/libs/<lib>/<exact-version>/<file>.min.js`). | ||
| Approved: `recharts`, `chart.js`, `d3`, `three.js`, `lodash`, `papaparse`. |
Contributor
There was a problem hiding this comment.
Mirrors the same invalid cdnjs aliases. If left as-is, generated artifacts can include broken script URLs. Please align to canonical cdnjs IDs.
|
|
||
| it('create mode lists the six approved chart / data libraries', () => { | ||
| const prompt = composeSystemPrompt({ mode: 'create' }); | ||
| for (const lib of ['recharts', 'chart.js', 'd3', 'three.js', 'lodash', 'papaparse']) { |
Contributor
There was a problem hiding this comment.
Test currently hard-codes the same alias set, so this regression is not caught. Update expected library IDs to canonical cdnjs names (Chart.js, lodash.js, PapaParse).
…rror Claude Artifacts) Relaxes the prior "Tailwind + Google Fonts only" rule in the design-generation system prompt to allow a tightly-scoped cdnjs.cloudflare.com whitelist (recharts, chart.js, d3, three.js, lodash, papaparse), matching Anthropic's actual stance in Claude Artifacts. Without real chart libraries the model was forced to inline-SVG everything, which is why generated dashboards looked amateur. Updates both the .txt section and the inlined TS constant so the byte-for-byte drift test still passes, and adds two tests asserting the new whitelist + the six approved libraries appear in the system prompt. The same scoping is reflected in packages/templates/src/system to keep the legacy generator prompt aligned. Forbidden list explicitly retains: arbitrary fetch() to external APIs, non-cdnjs script hosts (esm.sh / jsdelivr / unpkg — too open / unverifiable), and hotlinked photos.
cdnjs library slugs are case-sensitive. The original whitelist used `chart.js`, `lodash`, `papaparse` which return 404 against api.cdnjs.com. Updated to the verified slugs (`Chart.js`, `lodash.js`, `PapaParse`) so generated artifact URLs actually load. Verified each slug against https://api.cdnjs.com/libraries/<slug>?fields=name on 2026-04-19. Added a vitest assertion that the bullet-list lines mention only the verified slugs and not the broken ones.
hqhq1025
force-pushed
the
wt/feat-cdn-policy-cdnjs-whitelist
branch
from
c14e57f to
5bb5adc
Compare
Collaborator
Author
|
Fixed slug casing — verified each library against
Updated |
Contributor
There was a problem hiding this comment.
Findings
- No issues found in added/modified lines with high confidence.
Summary
- Review mode: follow-up after new commits
- No new correctness, security, regression, or hard-constraint violations were found in this diff.
- Residual risk/testing gap: changes are prompt-behavior updates; there is no end-to-end assertion here that generated artifacts using the approved cdnjs libraries always resolve at runtime.
docs/VISION.md: Not found in repo/docs.docs/PRINCIPLES.md: Not found in repo/docs.
Testing
- Not run (automation)
open-codesign Bot
hqhq1025
added a commit
that referenced
this pull request
Apr 19, 2026
Replaces the original esm.sh / jsdelivr references with deferral to the project's approved cdnjs whitelist (PR #102). The chart contract now: - Defers JS-library loading to output-rules' cdnjs whitelist (DRY) - Adds chart-recipe guidance: when to use bar vs line vs donut, axis labelling, accessible color choices, hover state — chart skill body content rather than just a CDN reference - Complements the data-viz-recharts skill instead of duplicating it
hqhq1025
added a commit
that referenced
this pull request
Apr 19, 2026
Replaces the original esm.sh / jsdelivr references with deferral to the project's approved cdnjs whitelist (PR #102). The chart contract now: - Defers JS-library loading to output-rules' cdnjs whitelist (DRY) - Adds chart-recipe guidance: when to use bar vs line vs donut, axis labelling, accessible color choices, hover state — chart skill body content rather than just a CDN reference - Complements the data-viz-recharts skill instead of duplicating it
hqhq1025
added a commit
that referenced
this pull request
Apr 19, 2026
* feat(core): chart contract uses cdnjs whitelist (aligns with #102) Replaces the original esm.sh / jsdelivr references with deferral to the project's approved cdnjs whitelist (PR #102). The chart contract now: - Defers JS-library loading to output-rules' cdnjs whitelist (DRY) - Adds chart-recipe guidance: when to use bar vs line vs donut, axis labelling, accessible color choices, hover state — chart skill body content rather than just a CDN reference - Complements the data-viz-recharts skill instead of duplicating it * test(core): cover chart contract composition in revise mode
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Today's bug hunt revealed our generated dashboards look amateur because the system prompt banned all CDN scripts beyond Tailwind + Google Fonts, forcing the model to inline-SVG every chart. Web research confirms Claude Artifacts (Anthropic's reference product) actually permits scripts from a single trusted CDN host (
cdnjs.cloudflare.com) and ships popular viz libraries inside its React Artifacts environment — that's why their dashboards look professional.This PR mirrors that policy in our system prompt: relaxes the "Tailwind + Google Fonts only" rule to allow a tightly-scoped cdnjs whitelist of six libraries with exact-version pinning, while keeping the trust posture explicit.
What's now allowed
CSS (unchanged)
cdn.tailwindcss.comfonts.googleapis.com/fonts.gstatic.comJS libraries (new —
cdnjs.cloudflare.comwhitelist only, exact-version pinned)recharts— preferred for dashboardschart.js— alternative chartingd3— low-level visualizationthree.js— 3Dlodash— utilitiespapaparse— CSV parsingURL format:
https://cdnjs.cloudflare.com/ajax/libs/<lib>/<exact-version>/<file>.min.jsWhat's still forbidden
fetch()/XMLHttpRequestto external APIs (data must remain inline)cdnjs.cloudflare.com(noesm.sh,jsdelivr,unpkg— too open, no version verification)Files touched
packages/core/src/prompts/output-rules.v1.txt— rewrote the "Permitted external resources" blockpackages/core/src/prompts/index.ts— kept the inlined TS constant byte-for-byte aligned (drift test passes)packages/core/src/generate.test.ts— added two assertions covering the cdnjs whitelist + the six approved librariespackages/templates/src/system/design-generator.md+packages/templates/src/system/index.ts— same relaxation applied to the legacy generator prompt for consistencyPRINCIPLES checks
output-rules.v1.txt) so future additions/removals are a single-file PR; section is versioned via the.v1suffix already in use.Test plan
pnpm --filter @open-codesign/core exec vitest run— 133/133 pass, including the prompt section .txt-vs-TS drift test and the two new whitelist assertionspnpm test(full workspace) — 10/10 task successful after rebase onto currentorigin/mainpnpm lint— clean (preexisting warnings only)