7fd5fcd9af
- Bring-your-own-key assistant config in a dedicated persisted store (src/stores/assistantStore.ts); partialize drops the key from localStorage when 'remember' is off. Key lives in localStorage only, so it's auto-excluded from Dexie backups. - Provider-agnostic LLM client (src/lib/llm) over fetch, no SDK: Anthropic Messages + OpenAI-compatible Chat Completions (covers OpenAI/OpenRouter/ Ollama/LM Studio via custom base URL). Structured JSON output parsed + Zod-validated; timeouts; typed error kinds; key never leaked in errors. - Settings 'Assistant (AI)' section with provider/model/baseUrl/key, remember + enabled toggles, and Test connection. - CSP connect-src widened to any https + localhost for the BYO endpoint. 10 client unit tests; settings e2e asserts config persists and the key is never present in an exported backup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
63 lines
2.2 KiB
TypeScript
63 lines
2.2 KiB
TypeScript
import { defineConfig } from 'vite';
|
|
import react from '@vitejs/plugin-react';
|
|
import tailwindcss from '@tailwindcss/vite';
|
|
import { VitePWA } from 'vite-plugin-pwa';
|
|
import { fileURLToPath, URL } from 'node:url';
|
|
|
|
// Strict CSP injected at build time only. In dev, Vite's react-refresh needs
|
|
// inline scripts, so we leave the placeholder empty there.
|
|
// connect-src allows any HTTPS endpoint plus localhost so the bring-your-own-key
|
|
// assistant can reach cloud providers (Anthropic/OpenAI/OpenRouter/…) and local
|
|
// models (Ollama/LM Studio). Everything else stays locked to 'self'.
|
|
const PROD_CSP =
|
|
"default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; " +
|
|
"script-src 'self'; connect-src 'self' https: http://localhost:* http://127.0.0.1:*; " +
|
|
"font-src 'self' data:; worker-src 'self' blob:; " +
|
|
"manifest-src 'self'; object-src 'none'; base-uri 'self'";
|
|
|
|
function cspPlugin() {
|
|
return {
|
|
name: 'inject-csp',
|
|
transformIndexHtml(html: string) {
|
|
const tag = `<meta http-equiv="Content-Security-Policy" content="${PROD_CSP}" />`;
|
|
return html.replace('<!--CSP-PLACEHOLDER-->', tag);
|
|
},
|
|
apply: 'build' as const,
|
|
};
|
|
}
|
|
|
|
export default defineConfig({
|
|
plugins: [
|
|
react(),
|
|
tailwindcss(),
|
|
cspPlugin(),
|
|
VitePWA({
|
|
registerType: 'prompt',
|
|
includeAssets: ['favicon.svg'],
|
|
manifest: {
|
|
name: 'TTRPG Manager',
|
|
short_name: 'TTRPG',
|
|
description: 'A local-first manager for D&D 5e and Pathfinder 2e campaigns.',
|
|
theme_color: '#0f0f17',
|
|
background_color: '#0f0f17',
|
|
display: 'standalone',
|
|
icons: [
|
|
{ src: 'pwa-192x192.png', sizes: '192x192', type: 'image/png' },
|
|
{ src: 'pwa-512x512.png', sizes: '512x512', type: 'image/png' },
|
|
{ src: 'pwa-512x512.png', sizes: '512x512', type: 'image/png', purpose: 'maskable' },
|
|
],
|
|
},
|
|
workbox: {
|
|
globPatterns: ['**/*.{js,css,html,svg,png,woff2}'],
|
|
// SRD data chunks can be large; allow them to be precached.
|
|
maximumFileSizeToCacheInBytes: 6 * 1024 * 1024,
|
|
},
|
|
}),
|
|
],
|
|
resolve: {
|
|
alias: {
|
|
'@': fileURLToPath(new URL('./src', import.meta.url)),
|
|
},
|
|
},
|
|
});
|