The Orbit panel's "Open artifact" button is an
`<a target="_blank" href="/api/live-artifacts/.../preview?projectId=...">`.
In packaged Electron builds the renderer is loaded from
`od://app/`, so the relative `href` resolves to
`od://app/api/live-artifacts/.../preview?projectId=...` by the
time `setWindowOpenHandler` sees it.
The existing handler in `apps/desktop/src/main/runtime.ts:300`
runs three checks in order:
1. `isAllowedChildWindowUrl(url)` → only matched `blob:`
2. `isHttpUrl(url)` → only matched `http:` / `https:`
3. fall through → `{ action: "deny" }`
The packaged `od://` scheme matched neither, so the click was
silently dropped — Orbit's "Open artifact" became a no-op for
every desktop user. Dev mode (`http://127.0.0.1:port/`) was
unaffected: its links resolved through the http branch and
opened in the user's external browser via `shell.openExternal`.
Fix: extend `isAllowedChildWindowUrl` to also accept the
packaged `od:` scheme. Electron then opens a child BrowserWindow
that inherits the same protocol registration + preload, so the
live artifact preview HTML (served via the `od://` proxy in
`apps/packaged/src/protocol.ts`) renders in the new window.
Behavior delta:
- Packaged: click → `od://app/api/.../preview` → child window
renders the live artifact preview (was: silent no-op).
- Dev mode: unchanged — link is `http://127.0.0.1:port/...`,
still routes to `shell.openExternal`.
- Other links inside the packaged app that still flow to
`shell.openExternal` (e.g. github.com / external docs):
unchanged — `od:` is not a wildcard, only the packaged
scheme passes the allowlist.
Tests: exposed `isHttpUrl` and `isAllowedChildWindowUrl` from
`apps/desktop/src/main/index.ts` (re-exported through
`@open-design/desktop/main`) so the packaged workspace's vitest
can pin both helpers without bringing up Electron. 8 tests
across the negative-guard surface — `od:` allowed, `blob:` still
allowed, `http(s):` NOT allowed by this branch (handled by the
sibling `isHttpUrl` path), `file:`, `javascript:`, `data:`
explicitly NOT allowed.
The pre-existing `apps/packaged/tests/sidecars.test.ts >
adds custom VP_HOME/bin to the packaged PATH builder` failure
is unrelated to this PR — confirmed by stashing the change
and re-running on the bare branch base.
Verified locally:
- packaged vitest desktop-url-allowlist: 8/8
- desktop tsc -p tsconfig.json --noEmit: clean
- packaged tsc -p tsconfig.json --noEmit: clean
- packaged tsc -p tsconfig.tests.json --noEmit (the CI killer): clean
* feat(contracts): types for folder-import endpoint
Add ImportFolderRequest, ImportFolderResponse to the public contract
surface. Extend ProjectMetadata with a baseDir field — when set, the
project's files live at this absolute path instead of .od/projects/<id>/.
Stored as the realpath() result so symlinks cannot redirect later writes.
Refs nexu-io/open-design#597
* feat(daemon): support metadata.baseDir for folder-rooted projects
Add resolveProjectDir() and metadata-aware variants of listFiles,
readProjectFile, writeProjectFile, ensureProject so a project's files
can live under metadata.baseDir (the user's chosen folder) instead of
.od/projects/<id>/. metadata.baseDir is opt-in — projects without it
keep the existing .od/projects/<id>/ behavior unchanged.
When listFiles walks a baseDir-rooted project, it skips conventional
build / install dirs (node_modules, .git, dist, build, .next, .nuxt,
.turbo, .cache, .output, out, coverage, __pycache__, .venv, vendor,
target, .od, .tmp) so the file panel stays focused on design content
instead of being dominated by lockfiles and node_modules.
Add detectEntryFile() — best-effort lookup for index.html or any
.html at the folder root, used by the import endpoint to seed the
initial active tab.
Refs nexu-io/open-design#597
* feat(daemon): add POST /api/import/folder endpoint
Creates a project rooted at the submitted local folder. metadata.baseDir
points at that folder and OD reads / writes there directly — no copy,
no shadow tree, mirroring how Cursor / Claude Code / Aider behave. The
user owns the workspace and is responsible for their own version
control.
Safety:
- baseDir is canonicalized via fs.promises.realpath() at import time so
user-controlled symlinks can't redirect later writes. resolveSafe
enforces the bounds check against the literal stored path; without
realpath, a symlink (e.g. ~/sneaky → /etc) would let writeProjectFile
escape the project tree at every later call because the OS follows
the symlink at open() time.
- Post-realpath lstat ensures the canonical target is itself a real
directory (defense-in-depth).
- The data directory (RUNTIME_DATA_DIR) and its descendants are
refused after symlink resolution so a redirect into the daemon's
own state can't masquerade as a project import.
The web client wires this through state/projects.ts → App.tsx,
landing the user on the auto-detected entry file when present.
Refs nexu-io/open-design#597
* feat(desktop): expose native folder picker to renderer
Adds an Electron preload script that exposes window.electronAPI.pickFolder
via contextBridge. Wires dialog.showOpenDialog through ipcMain so the
web UI can open a native folder selector for project import. Browser-only
users fall back to a text input for the absolute path (handled in the
web layer); the picker stays an optional convenience on the desktop
binary.
ipcMain.handle() registers handlers in an internal map that is not
exposed via eventNames(), so the natural-looking guard
if (!ipcMain.eventNames().includes('dialog:pick-folder')) ipcMain.handle(...)
is always true. On a second createDesktopRuntime() call (dev hot-reload,
packaged-vs-electron mode swap) the body re-runs and ipcMain.handle()
throws 'Attempted to register a second handler'. Use removeHandler()
+ handle() unconditionally — removeHandler() is a documented no-op
when nothing is registered, making the pair idempotent.
Includes *.cts in the apps/desktop tsconfig so the preload script is
typechecked.
Refs nexu-io/open-design#597
* feat(web): add 'From existing folder' option to New Project
UI surface for the import flow:
- A new 'Open folder' affordance in NewProjectPanel that uses the
native picker on Electron (window.electronAPI.pickFolder) and falls
back to an absolute-path text input in the browser.
- importFolderProject() in state/projects.ts: typed wrapper around
POST /api/import/folder using @open-design/contracts types.
- App.tsx wires the response: prepend the new project to the list,
navigate to it, and select the auto-detected entry file as the
active tab.
Skill / design-system pickers from the existing prototype tab are
reused — folder import is a project-creation flow, not a separate
project type.
Refs nexu-io/open-design#597
* docs(architecture): document folder-import endpoint
Adds POST /api/import/folder to the daemon API table and a 'Folder
import' section explaining the single-mode design (direct read/write
in metadata.baseDir, mirroring Cursor / Claude Code / Aider), the
realpath() canonicalization, the RUNTIME_DATA_DIR refusal, and the
SKIP_DIRS list applied to listFiles for baseDir-rooted projects.
Refs nexu-io/open-design#597
* test(daemon): unit + integration tests for folder import
Two new files:
apps/daemon/tests/folder-import-projects.test.ts (13 unit tests):
- resolveProjectDir behavior under all metadata combinations,
including the fallback when baseDir is relative and the
isSafeId-bypass when baseDir is set
- detectEntryFile: index.html priority, .html fallback, null when
no html, no descent into subdirs
- listFiles with metadata.baseDir: walk, SKIP_DIRS hides node_modules
/ .git / dist, back-compat for projects without baseDir
apps/daemon/tests/folder-import-route.test.ts (10 integration tests):
- Happy path: baseDir stored in metadata, importedFrom='folder',
conversation created, entry file detected
- Error paths: missing baseDir, empty, relative, non-existent,
pointing at a file
- Security: realpath canonicalization (the symlink test was the one
that surfaced the original /var vs /private/var mismatch in
RUNTIME_DATA_DIR comparison on macOS)
- Security: a symlink that resolves into RUNTIME_DATA_DIR is rejected
after realpath, not before
Refs nexu-io/open-design#597
* fix(daemon): wire baseDir metadata into chat + deploy reads
Two bugs caught in Codex automated review of #624:
1. chat-route was passing the metadata object directly as the listFiles
opts argument: `listFiles(PROJECTS_DIR, projectId, chatMeta)`. The
listFiles contract reads opts.metadata, not opts itself, so this
silently fell back to .od/projects/<id>/ instead of the imported
folder. existingProjectFiles was empty for baseDir-rooted projects.
Wrap as `{ metadata: chatMeta }`.
2. deploy.ts read project files via readProjectFile without the
metadata third argument, so for baseDir-rooted projects the deploy
and preflight endpoints would look in .od/projects/<id>/ and fail
with file-not-found instead of reading the imported folder. Thread
options.metadata through buildDeployFilePlan → readProjectFile and
pass project?.metadata at the two server.ts callsites
(`POST /api/projects/:id/deploy` and the preflight endpoint).
Add a regression test that locks the listFiles contract: passing a
bare metadata object as opts must NOT scan baseDir — it must fall back
to the standard project dir, otherwise callers can leak the wrong
folder by mistake.
Refs nexu-io/open-design#597, #624 (Codex review)
* fix(daemon): ensure correct metadata handling in folder import
Addressed issues with metadata handling in folder import functionality. Updated the listFiles and readProjectFile methods to correctly utilize the metadata.baseDir, ensuring that project files are read from the intended directory. Added regression tests to verify that passing a bare metadata object does not inadvertently scan the baseDir, maintaining the integrity of project file access.
Refs nexu-io/open-design#597
* fix(daemon): security hardening from Codex review of #624
P1 findings from automated review:
1. POST /api/projects + PATCH /api/projects/:id rejected
client-supplied metadata.baseDir. baseDir is privileged: it lets a
project root inside the user's filesystem, and the realpath() +
RUNTIME_DATA_DIR reentry checks live only on /api/import/folder.
Allowing it on the generic create/patch path lets an attacker
smuggle e.g. /etc through and bypass every import-time guard.
Both endpoints now refuse a baseDir field with 400.
2. resolveSafeReal() helper: realpath()s each candidate path (or its
longest existing prefix for write paths) and re-validates against
realpath(projectRoot). The original resolveSafe() only did a
string-prefix check, which was fooled by symlinks *inside* a
baseDir-rooted project. A repo containing 'assets -> /Users/me/.ssh'
passed the literal prefix check but readFile() followed the link
at open() time. resolveSafeReal() is now used by readProjectFile,
writeProjectFile, and deleteProjectFile.
3. Multer chat-upload destination now resolves to metadata.baseDir for
imported folder projects via a module-level lookup wired to db at
startServer() boot. Previously attachments landed in
.od/projects/<id>/ even for baseDir projects, so the agent (which
runs with cwd=baseDir) couldn't open them.
P2 findings:
4. searchProjectFiles threads metadata through listFiles +
resolveProjectDir so /api/projects/:id/search hits the right tree.
5. buildProjectArchive + buildBatchArchive now accept metadata so
'Download .zip' works for imported folder projects.
6. Watcher subscribe() resolves to baseDir for imported projects so
live-reload SSE actually fires when the user edits files in their
own folder. Registry stays keyed by the canonical directory.
7. Template snapshotting reads source-project files with metadata
so a template can be saved from a baseDir-rooted source.
Tests:
- Regression: POST /api/projects with metadata.baseDir → 400.
- Regression: descendant symlink (assets/leak.txt -> /etc/hosts) is
refused on the raw read endpoint.
Refs nexu-io/open-design#597, #624 (Codex P1+P2 review)
* fix(daemon): close two regressions found in #624 review round 2
@mrcfps caught two more correctness gaps:
1. Archive root symlink escape — buildProjectArchive accepts an optional
?root=<subdir> param to scope the zip to a subdirectory. The path was
resolved with the string-only resolveSafe(), so a directory symlink
inside an imported folder (docs -> /Users/me/.ssh) passed the prefix
check and collectArchiveEntries() then walked outside the project
tree. Switch to the symlink-aware resolveSafeReal() — the same one
that already protects raw read/write/delete paths. The walker itself
already skips dirent symlinks via !isDirectory && !isFile, so
canonicalizing the root is the only missing piece.
2. PATCH metadata wiped baseDir — updateProject() replaces metadata
wholesale. The previous guard only blocked an explicit baseDir
change, but a normal patch that *omits* baseDir (a UI editing
linkedDirs only sends { metadata: { kind, linkedDirs } }) silently
detached imported projects from their folder root. Subsequent
reads/writes/watch/deploy fell back to .od/projects/<id>.
Re-stamp the immutable folder-import fields (baseDir, importedFrom='folder')
from the existing project record onto the incoming patch when the
project is imported. A patch that supplies a *different* baseDir
still gets rejected as before; a patch that supplies the *same*
baseDir is accepted as a no-op. A patch on a non-imported project
that tries to set baseDir is also still rejected (preserves the
POST /api/projects guard from the previous round).
Tests:
- archive endpoint: ?root=<symlink-to-/etc> → 400.
- patch endpoint: PATCH that omits baseDir on an imported project keeps
baseDir intact (project still resolves to the user's folder after).
Refs nexu-io/open-design#597, #624 (Codex P1 round 2)
* fix(web): add Indonesian deploy provider copy
---------
Co-authored-by: INFINITY <valentyn.sotov@trendarena.app>
Co-authored-by: Siri-Ray <2667192167@qq.com>
* docs: add live artifacts implementation spec
* docs: align live artifacts implementation plan
* Ralph iteration 1: work in progress
* Ralph iteration 2: work in progress
* Ralph iteration 3: work in progress
* Ralph iteration 4: work in progress
* Ralph iteration 5: work in progress
* Ralph iteration 6: work in progress
* Ralph iteration 7: work in progress
* Ralph iteration 8: work in progress
* Ralph iteration 9: work in progress
* Ralph iteration 10: work in progress
* Ralph iteration 11: work in progress
* Ralph iteration 12: work in progress
* Ralph iteration 13: work in progress
* Ralph iteration 14: work in progress
* Ralph iteration 15: work in progress
* Ralph iteration 16: work in progress
* Ralph iteration 17: work in progress
* Ralph iteration 18: work in progress
* Ralph iteration 19: work in progress
* Ralph iteration 20: work in progress
* Ralph iteration 21: work in progress
* Ralph iteration 22: work in progress
* Ralph iteration 23: work in progress
* Ralph iteration 24: work in progress
* Ralph iteration 25: work in progress
* Ralph iteration 26: work in progress
* Ralph iteration 27: work in progress
* Ralph iteration 28: work in progress
* Ralph iteration 29: work in progress
* Ralph iteration 30: work in progress
* Ralph iteration 31: work in progress
* Ralph iteration 32: work in progress
* Ralph iteration 33: work in progress
* Ralph iteration 34: work in progress
* Ralph iteration 35: work in progress
* Ralph iteration 36: work in progress
* Ralph iteration 37: work in progress
* Ralph iteration 38: work in progress
* Ralph iteration 39: work in progress
* Ralph iteration 40: work in progress
* Ralph iteration 41: work in progress
* Ralph iteration 42: work in progress
* Ralph iteration 43: work in progress
* Ralph iteration 44: work in progress
* Ralph iteration 45: work in progress
* Ralph iteration 46: work in progress
* Ralph iteration 47: work in progress
* Ralph iteration 48: work in progress
* Ralph iteration 49: work in progress
* Ralph iteration 50: work in progress
* Ralph iteration 51: work in progress
* Ralph iteration 52: work in progress
* Ralph iteration 53: work in progress
* Ralph iteration 54: work in progress
* Ralph iteration 55: work in progress
* Ralph iteration 56: work in progress
* Ralph iteration 57: work in progress
* Ralph iteration 58: work in progress
* Ralph iteration 59: work in progress
* Ralph iteration 60: work in progress
* Ralph iteration 61: work in progress
* Ralph iteration 62: work in progress
* Ralph iteration 63: work in progress
* Ralph iteration 64: work in progress
* Ralph iteration 65: work in progress
* Ralph iteration 1: work in progress
* Ralph iteration 2: work in progress
* Ralph iteration 3: work in progress
* Ralph iteration 4: work in progress
* Ralph iteration 5: work in progress
* Ralph iteration 6: work in progress
* Ralph iteration 8: work in progress
* Ralph iteration 9: work in progress
* Ralph iteration 17: work in progress
* Add Composio-backed connectors
* Add Composio-backed connector catalog
* Fix connector callback flow
* Update live artifact connector refresh
* Fix live artifact refresh updates
* Improve live artifact viewer toolbar
* Refine live artifact source tabs
* Expand Composio connector catalog
* Improve Composio connector browsing
* Fix artifact refresh source safety checks
Generated-By: looper 0.4.1 (runner=fixer, agent=opencode)
* Fix live artifacts PR feedback
Generated-By: looper 0.5.0 (runner=fixer, agent=opencode)
* Fix live artifact preview CORS validation
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Fix connector OAuth IPv6 loopback hosts
Allow bracketed IPv6 loopback Host headers when deriving connector OAuth callback URLs so IPv6-bound daemons can complete connection flow.
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Preserve live artifact refresh permissions
Respect explicit refresh permission choices during live artifact create and update flows so revoked connector sources remain gated.
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Fix live artifact preview cache freshness
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Fix live artifact refresh validation
Guard manual refreshes with local daemon checks and reject daemon_tool sources without a toolName before refresh execution.
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Fix Composio credential invalidation
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Fix live artifact CORS methods
Generated-By: looper 0.0.0-dev (runner=fixer, agent=opencode)
* Fix workspace validation
Restore media config test isolation under Vitest setup data-dir overrides and add the missing French live artifact display copy so the workspace test suite stays aligned.\n\nGenerated-By: looper 0.5.2 (runner=fixer, agent=opencode)
* Fix connector safety filtering
Keep agent-preview connector listings aligned with execution safety policy and prune stale Composio OAuth state records before they accumulate.
Generated-By: looper 0.5.2 (runner=fixer, agent=opencode)
* Fix agent runtime cleanup
Generated-By: looper 0.5.2 (runner=fixer, agent=opencode)
* Fix live artifact daemon access
Validate local-only live artifact routes against the peer socket address and pass daemon-resolved CLI paths to ACP MCP descriptors.\n\nGenerated-By: looper 0.5.2 (runner=fixer, agent=opencode)
* Fix connector run limit pruning
Evict stale connector rate-limit buckets so long-lived daemon processes do not retain per-run entries indefinitely.\n\nGenerated-By: looper 0.5.2 (runner=fixer, agent=opencode)
* Fix connector compact schemas
Generated-By: looper 0.5.2 (runner=fixer, agent=opencode)
* Improve connector connection feedback
* Adjust connector gate positioning
* Fix live artifact refresh commits
Avoid marking refresh candidates failed after snapshot or state persistence errors by deferring live artifact mutations until the durable refresh metadata is written. Also align connector OAuth callback host validation with daemon loopback handling.\n\nGenerated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* Improve connector search relevance
* fix(daemon): harden connector connection state
Require loopback daemon validation before connector connect side effects and only clear provider-owned connector statuses during credential reset.
Generated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* fix(daemon): guard connector disconnect route
Require local daemon request validation before connector disconnect side effects.
Generated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* fix(daemon): guard composio config updates
Generated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* fix(daemon): dispatch live artifacts mcp first
Route the live-artifacts MCP server before the generic MCP CLI so od mcp live-artifacts starts the dedicated server instead of failing generic argument parsing.\n\nGenerated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* fix(daemon): handle integer connector schemas
Allow JSON Schema integer connector inputs while preserving fractional-value validation so generated connector tool schemas accept valid page sizes and limits.
Generated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* fix: align live artifact refresh error codes
Generated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* Fix live artifact connector refresh flow
* Update live artifact design cards
* Add beta badge to live artifact form
* Remove live artifact tile model
* Fix live artifact refresh sync
* Fix live artifact MCP refresh durability
Generated-By: looper 0.5.4 (runner=fixer, agent=opencode)
* Fix live artifact refresh safety
Enforce persisted refresh opt-out and connector auto-read gating before refresh sources execute.
Generated-By: looper 0.5.5 (runner=fixer, agent=opencode)
* chore: enforce test directory conventions
Move package, app, and tool tests out of src and add guard enforcement so source directories stay source-only.
* ci: use guard and package-scoped tests
Run the new repository guard in CI and keep test execution aligned with package-scoped commands after removing root aliases.
* ci: align stable release guard check
Use the new repository guard in stable release verification after replacing the residual-JS-only script.
* chore: tighten test layout enforcement
Enforce sibling tests directories, typecheck moved test suites with dedicated configs, and refresh remaining guidance that pointed at src-based tests.
* chore: clarify no-emit test tsconfigs
Explicitly disable declaration-only emit in test tsconfigs so review tooling sees they are no-emit typecheck configs.
* fix(desktop): show window on macOS dock activate
On macOS, closing the Electron window via the red close button hides it
rather than destroying it. Without an app.on('activate') handler, clicking
the dock icon afterward does nothing — the window stays hidden indefinitely.
Add app.on('activate') in runDesktopMain that calls desktop.show(), and
add the corresponding show() method to DesktopRuntime / createDesktopRuntime
that calls window.show() + window.focus() when the window is not destroyed.
* fix(desktop): hide window on macOS close instead of destroying it
On macOS the red X should hide the window, not destroy it. Without this,
clicking close triggers window-all-closed → shutdown, so the activate
handler added in the previous commit can never show anything.
Intercept the close event on darwin and call event.preventDefault() +
window.hide() when the runtime has not been asked to stop. The stopped
flag is set to true before window.close() is called in the programmatic
shutdown path, so that path is unaffected.
---------
Co-authored-by: StotheC90 <StotheC90@users.noreply.github.com>
The agent renders PPTX into the project folder, which the UI exposes
via /api/projects/:id/raw/*.pptx. Electron's default behavior drops
those downloads silently into the OS Downloads folder, so users have
no opportunity to pick a destination.
Hook will-download on the BrowserWindow session and call
setSaveDialogOptions for .pptx so the native Save As panel appears
before the download starts. Other formats are unaffected.
* fix(tools-dev): strip ELECTRON_RUN_AS_NODE before spawning desktop
Parent processes such as Electron-based IDEs may set ELECTRON_RUN_AS_NODE=1
in their environment for sidecar/script reuse. When tools-dev inherits this
env via process.env, the spawned electron.exe runs as plain Node and fails
to inject main-process APIs (app, BrowserWindow, protocol all become
undefined). Explicitly drop the variable before spawning so desktop always
boots in real Electron mode regardless of caller environment.
* fix(desktop): ensure BrowserWindow is visible on initial load
Windows focus-stealing prevention can leave detached-spawned GUI windows
minimized or hidden, even when constructed with show:true. Add a small
ensureWindowVisible helper that restores from minimized state and forces
show+focus after the placeholder URL loads. Cross-platform safe: only
acts when window is actually hidden or minimized, preserving any user
window-state adjustments.
* feat(dev): add desktop tools-dev control plane
* refactor(sidecar): split Open Design contracts
Move Open Design-specific sidecar protocol definitions into @open-design/contracts so sidecar and platform can remain descriptor-driven primitives.
* refactor(daemon): organize package sources
Keep daemon app code, tests, and sidecar entrypoints in separate package directories so each layer can be built and verified independently.
* chore(repo): streamline maintenance entrypoints
Centralize agent guidance by directory and reduce root command chains while preserving the existing build scope.
* docs: translate agent guidance to English
* fix(sidecar): tolerate stale IPC sockets
Remove stale Unix socket files only after confirming no listener is active, so tools-dev can restart after unclean shutdowns.
