WIP · sealight.xyz/seams.so@35bff81

+1 -1

.gitignore

··· 46 46 # DNS credentials 47 47 dns/creds.json 48 48 49 - # Via proxy build artifacts 49 + # Via proxy build artifacts (pywb production) 50 50 proxy/static/seams-*.js 51 51 proxy/static/seams-*.js.map 52 52 proxy/static/assets/

+81

Dockerfile.sure-client

··· 1 + # Dockerfile for Sure Client Proxy (wabac.js-based) 2 + # Multi-stage build: Node.js for building, then slim runtime 3 + 4 + # Build stage - compile sure-client with Node 5 + FROM node:22-alpine AS builder 6 + 7 + RUN apk add --no-cache bash 8 + RUN npm install -g pnpm 9 + 10 + WORKDIR /build 11 + 12 + # Copy workspace config 13 + COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./ 14 + COPY packages/ ./packages/ 15 + COPY entrypoints/via-client/ ./entrypoints/via-client/ 16 + COPY entrypoints/sidepanel/ ./entrypoints/sidepanel/ 17 + COPY sure-client-proxy/ ./sure-client-proxy/ 18 + COPY vite.sure-client.config.ts vite.sure-client-inject.config.ts tsconfig.json ./ 19 + COPY scripts/postbuild-sure-client.sh ./scripts/ 20 + 21 + # Install dependencies 22 + RUN pnpm install --frozen-lockfile 23 + 24 + # Install sure-client-proxy dependencies (for wabac.js sw.js) 25 + WORKDIR /build/sure-client-proxy 26 + RUN npm install 27 + 28 + # Build sure-client 29 + WORKDIR /build 30 + RUN pnpm build:sure-client 31 + 32 + # Runtime stage - Node.js + Caddy 33 + FROM node:22-alpine 34 + 35 + RUN apk add --no-cache bash curl ca-certificates 36 + 37 + # Install Caddy 38 + RUN curl -L "https://caddyserver.com/api/download?os=linux&arch=amd64&arm=" -o /usr/local/bin/caddy \ 39 + && chmod +x /usr/local/bin/caddy 40 + 41 + WORKDIR /app 42 + 43 + # Copy built static files 44 + COPY --from=builder /build/sure-client-proxy/dist/ ./dist/ 45 + 46 + # Copy CORS proxy source and install dependencies 47 + COPY sure-client-proxy/cors-proxy/ ./cors-proxy/ 48 + WORKDIR /app/cors-proxy 49 + RUN npm install 50 + 51 + # Copy Caddyfile 52 + WORKDIR /app 53 + COPY sure-client-proxy/Caddyfile ./ 54 + 55 + # Create startup script 56 + RUN cat <<'EOF' > /app/start.sh 57 + #!/bin/bash 58 + set -e 59 + 60 + echo "Starting Seams Sure Client Proxy..." 61 + 62 + # Start CORS proxy on port 8083 (Caddy proxies 8082 -> 8083) 63 + cd /app/cors-proxy 64 + echo "Starting CORS proxy on :8083..." 65 + CORS_PROXY_PORT=8083 npx tsx index.ts & 66 + CORS_PID=$! 67 + 68 + # Wait for CORS proxy to start 69 + sleep 2 70 + 71 + # Start Caddy (static files on 8081, cors proxy on 8082) 72 + cd /app 73 + echo "Starting Caddy on :8081 (static) and :8082 (cors proxy)..." 74 + caddy run --config /app/Caddyfile --adapter caddyfile 75 + EOF 76 + 77 + RUN chmod +x /app/start.sh 78 + 79 + EXPOSE 8081 8082 80 + 81 + CMD ["/app/start.sh"]

+17

deploy-sure-client.sh

··· 1 + #!/bin/bash 2 + # Deploy Sure Client Proxy to Fly.io 3 + # Usage: ./deploy-sure-client.sh 4 + 5 + set -e 6 + 7 + echo "Deploying Sure Client Proxy to Fly.io..." 8 + 9 + # Build locally first to verify everything works 10 + echo "Building sure-client locally..." 11 + pnpm build:sure-client 12 + 13 + # Deploy to Fly.io 14 + fly deploy --config fly.sure-client.toml 15 + 16 + echo "Deployment complete!" 17 + echo "Visit: https://sure-client-seams-so.fly.dev"

+89 -111

entrypoints/via-client/main.ts

··· 1 - // Via proxy client - injects sidebar iframe and handles page interaction 2 - import { WebStorageAdapter, BackgroundWorker, ProxyContentScript, applyHighlights, clearHighlights, generateSelectors, createMobileAnnotateButton, createMobileSidebarToggle, createMobileAnnotationModal } from '@seams/core'; 3 - import type { Annotation } from '@seams/core'; 1 + // Via proxy client - handles page interaction and communicates with parent frame (shell) 2 + // This runs inside the wabac.js proxied iframe which cannot access localStorage 3 + // Uses PostMessageStorageAdapter to request data from shell 4 + import { PostMessageStorageAdapter, ProxyContentScript, applyHighlights, clearHighlights, generateSelectors } from '@seams/core'; 4 5 5 - console.log('🔬 Seams via client loaded!'); 6 + console.log('[seams-client] Seams via client loaded!'); 6 7 7 - // Initialize web storage adapter 8 - const storage = new WebStorageAdapter(); 8 + // Determine the shell origin from the parent frame 9 + // In production this will be sure.seams.so, in dev it's 127.0.0.1:8081 10 + // Note: Use 127.0.0.1 for local dev (RFC 8252 requires loopback IP for OAuth) 11 + function getShellOrigin(): string { 12 + try { 13 + // Try to get the parent origin - this works if we're same-origin or have access 14 + if (window.parent !== window) { 15 + // We can't directly access parent.location.origin cross-origin, 16 + // but we can use document.referrer as a hint 17 + if (document.referrer) { 18 + const referrerOrigin = new URL(document.referrer).origin; 19 + // Validate it's an allowed origin 20 + if (referrerOrigin === 'https://sure.seams.so' || 21 + referrerOrigin === 'http://127.0.0.1:8081') { 22 + return referrerOrigin; 23 + } 24 + } 25 + } 26 + } catch { 27 + // Ignore errors from cross-origin access 28 + } 29 + // Default to production origin 30 + return 'https://sure.seams.so'; 31 + } 32 + 33 + const shellOrigin = getShellOrigin(); 34 + console.log('[seams-client] Shell origin:', shellOrigin); 9 35 10 - const SIDEBAR_ID = 'seams-sidebar-iframe'; 11 - const SIDEBAR_WIDTH = 400; 12 - const IS_MOBILE = window.innerWidth <= 768; 36 + // Initialize PostMessage storage adapter - requests data from shell (parent frame) 37 + const storage = new PostMessageStorageAdapter(window.parent, shellOrigin); 13 38 14 - // Initialize content script only (sidebar handles fetching via BackgroundWorker) 39 + // Initialize content script - messages go to parent frame which routes to sidebar 15 40 const contentScript = new ProxyContentScript({ 16 41 storage, 17 42 getCurrentUrl: getActualUrl, 18 43 applyHighlights, 19 44 clearHighlights, 20 45 generateSelectors, 21 - onAnnotate: (data) => { 22 - const iframe = document.getElementById(SIDEBAR_ID) as HTMLIFrameElement; 23 - if (!iframe || !iframe.contentWindow) return; 24 - 25 - // Always use desktop flow: Activate form 26 - iframe.contentWindow.postMessage({ 27 - type: 'ACTIVATE_ANNOTATION', 28 - payload: null 29 - }, '*'); 30 - 31 - // Mobile handling: If sidebar is hidden, show it 32 - if (IS_MOBILE) { 33 - const isHidden = iframe.style.display === 'none'; 34 - if (isHidden) { 35 - iframe.style.display = 'block'; 36 - // We should also update the toggle button text if we could access it, 37 - // but it's inside a closure in injectSidebar. 38 - // Ideally we should trigger the toggle logic. 39 - } 40 - } 46 + onAnnotate: () => { 47 + // Send activation message to parent frame 48 + window.parent.postMessage({ 49 + type: 'ACTIVATE_ANNOTATION', 50 + payload: null 51 + }, shellOrigin); 41 52 }, 42 53 onSelectionChange: (selection) => { 43 - const iframe = document.getElementById(SIDEBAR_ID) as HTMLIFrameElement; 44 - if (iframe && iframe.contentWindow) { 45 - iframe.contentWindow.postMessage({ 46 - type: 'SELECTION_CHANGED', 47 - payload: selection 48 - }, '*'); 49 - } 54 + // Send selection to parent frame which routes to sidebar 55 + window.parent.postMessage({ 56 + type: 'SELECTION_CHANGED', 57 + payload: selection 58 + }, shellOrigin); 50 59 } 51 60 }); 52 61 53 - function injectSidebar() { 54 - // Don't inject if already present 55 - if (document.getElementById(SIDEBAR_ID)) { 56 - console.log('[seams-via] Sidebar already injected'); 57 - return; 58 - } 59 - 60 - // Create iframe for sidebar 61 - const iframe = document.createElement('iframe'); 62 - iframe.id = SIDEBAR_ID; 63 - // Use relative URL to load through Caddy proxy (same origin for CSP) 64 - iframe.src = '/static/seams-sidebar.html'; 65 - iframe.style.cssText = ` 66 - position: fixed; 67 - top: 0; 68 - right: 0; 69 - width: ${SIDEBAR_WIDTH}px; 70 - height: 100dvh; 71 - border: none; 72 - border-left: 1px solid #ccc; 73 - z-index: 2147483647; 74 - background: white; 75 - box-shadow: -2px 0 8px rgba(0,0,0,0.1); 76 - `; 77 - 78 - document.body.appendChild(iframe); 79 - console.log('[seams-via] Sidebar injected'); 80 - 81 - // Adjust page content to avoid overlap (only on desktop) 82 - if (!IS_MOBILE) { 83 - document.body.style.marginRight = `${SIDEBAR_WIDTH}px`; 84 - } else { 85 - iframe.style.width = '100%'; 86 - iframe.style.display = 'none'; // Hidden by default on mobile 87 - } 88 - 89 - // When iframe loads, send the URL 90 - iframe.onload = () => { 91 - console.log('[seams-via] Sidebar iframe loaded, sending URL'); 92 - iframe.contentWindow?.postMessage({ 93 - type: 'SEAMS_PAGE_URL', 94 - url: getActualUrl(), 95 - }, '*'); 96 - }; 97 - 98 - // Add toggle button for mobile 99 - if (IS_MOBILE) { 100 - const toggleBtn = createMobileSidebarToggle(() => { 101 - const isHidden = iframe.style.display === 'none'; 102 - iframe.style.display = isHidden ? 'block' : 'none'; 103 - toggleBtn.textContent = isHidden ? '>>' : '<<'; 104 - }); 105 - } 106 - } 107 - 108 62 function normalizeUrl(url: string): string { 109 63 try { 110 64 const parsed = new URL(url); ··· 123 77 } 124 78 125 79 function getActualUrl(): string { 126 - // Extract actual URL from pywb proxy URL 127 - // URL format: http://localhost:8081/proxy/https://example.com 128 80 const proxyUrl = window.location.href; 129 81 130 - // Try to get from wbinfo (pywb metadata) 82 + // Try to get from wbinfo (wabac.js/pywb metadata object) 83 + // wabac.js injects this with the original URL 131 84 const wbinfo = (window as any).wbinfo; 132 85 if (wbinfo && wbinfo.url) { 133 86 const rawUrl = wbinfo.url; ··· 137 90 return normalized; 138 91 } 139 92 140 - // Fallback: parse from proxy URL 141 - const match = proxyUrl.match(/\/proxy\/(https?:\/\/.+)/); 142 - if (match) { 143 - const rawUrl = match[1]; 93 + // Fallback: parse from wabac.js proxy URL pattern 94 + // URL format: /w/liveproxy/mp_/https://example.com 95 + // or with timestamp: /w/liveproxy/20231225mp_/https://example.com 96 + const wabacMatch = proxyUrl.match(/\/w\/[^/]+\/(?:\d+)?[a-z]{2}_\/(https?:\/\/.+)/); 97 + if (wabacMatch) { 98 + const rawUrl = wabacMatch[1]; 144 99 const normalized = normalizeUrl(rawUrl); 145 - console.log('[seams-via] Extracted URL from proxy path:', rawUrl); 100 + console.log('[seams-via] Extracted URL from wabac.js path:', rawUrl); 101 + console.log('[seams-via] Normalized URL:', normalized); 102 + return normalized; 103 + } 104 + 105 + // Fallback: parse from pywb proxy URL 106 + // URL format: http://localhost:8081/proxy/https://example.com 107 + const pywbMatch = proxyUrl.match(/\/proxy\/(https?:\/\/.+)/); 108 + if (pywbMatch) { 109 + const rawUrl = pywbMatch[1]; 110 + const normalized = normalizeUrl(rawUrl); 111 + console.log('[seams-via] Extracted URL from pywb path:', rawUrl); 146 112 console.log('[seams-via] Normalized URL:', normalized); 147 113 return normalized; 148 114 } ··· 153 119 154 120 // Initialize 155 121 function init() { 156 - if (document.body) { 157 - injectSidebar(); 158 - } else { 159 - document.addEventListener('DOMContentLoaded', () => { 160 - injectSidebar(); 161 - }); 162 - } 122 + // Send initial URL to parent frame 123 + const url = getActualUrl(); 124 + console.log('[seams-client] Sending initial URL to parent:', url); 125 + window.parent.postMessage({ 126 + type: 'SEAMS_PAGE_URL', 127 + url: url 128 + }, shellOrigin); 163 129 164 - // Start content script (loads and renders annotations from localStorage) 130 + // Start content script (loads and renders annotations via PostMessage from shell) 165 131 contentScript.start(); 166 132 } 167 133 168 - init(); 134 + // Wait for DOM to be ready 135 + if (document.readyState === 'loading') { 136 + document.addEventListener('DOMContentLoaded', init); 137 + } else { 138 + init(); 139 + } 169 140 170 - // Listen for messages from sidebar 171 - // window.addEventListener('message', (event) => { ... }); 141 + // Also send URL on popstate (back/forward navigation within proxied page) 142 + window.addEventListener('popstate', () => { 143 + const url = getActualUrl(); 144 + console.log('[seams-client] Navigation detected, sending URL to parent:', url); 145 + window.parent.postMessage({ 146 + type: 'SEAMS_PAGE_URL', 147 + url: url 148 + }, shellOrigin); 149 + });

+269

entrypoints/via-client/shell.ts

··· 1 + // Shell entry point - runs in the parent frame 2 + // Manages BackgroundWorker, storage, and renders Sidebar directly (no iframe) 3 + import { 4 + WebStorageAdapter, 5 + BackgroundWorker, 6 + fetchAnnotations, 7 + Sidebar, 8 + PopupOAuthLauncher, 9 + } from '@seams/core'; 10 + 11 + // Import sidebar CSS - will be scoped to .sidebar-container 12 + import sidebarStyles from '../sidepanel/style.css?inline'; 13 + 14 + console.log('[shell] Seams shell loading...'); 15 + 16 + // Configuration 17 + const BACKEND_URL = import.meta.env.VITE_BACKEND_URL || import.meta.env.BACKEND_URL || 'https://seams.so'; 18 + 19 + // Initialize storage (localStorage accessible from shell) 20 + const storage = new WebStorageAdapter(); 21 + 22 + // Initialize background worker 23 + const backgroundWorker = new BackgroundWorker({ 24 + storage, 25 + fetchAnnotations: async (url: string) => { 26 + return fetchAnnotations(BACKEND_URL, url); 27 + }, 28 + }); 29 + 30 + // Track current page URL 31 + let currentUrl: string | null = null; 32 + 33 + // Get iframe reference for content (set after DOM ready) 34 + let contentFrame: HTMLIFrameElement | null = null; 35 + 36 + // Sidebar instance (created after DOM ready) 37 + let sidebar: Sidebar | null = null; 38 + 39 + // Listen for storage changes and push to content iframe 40 + storage.onChange((change) => { 41 + if (change.key === 'annotations') { 42 + console.log('[shell] Annotations updated in storage, pushing to content iframe'); 43 + pushAnnotationsToContent(); 44 + } 45 + }); 46 + 47 + // Safely post a message to the content iframe 48 + // Returns false if the iframe is not accessible (e.g., cross-origin before SW intercepts) 49 + function postToContent(message: object): boolean { 50 + if (!contentFrame) { 51 + console.warn('[shell] Content frame not available'); 52 + return false; 53 + } 54 + 55 + try { 56 + // Accessing contentWindow can throw if cross-origin 57 + const contentWindow = contentFrame.contentWindow; 58 + if (!contentWindow) { 59 + console.warn('[shell] Content frame window not available'); 60 + return false; 61 + } 62 + // Content iframe is same-origin (served via service worker) 63 + contentWindow.postMessage(message, window.location.origin); 64 + return true; 65 + } catch (error) { 66 + // This can happen if the iframe content hasn't been intercepted by the service worker yet 67 + console.warn('[shell] Cannot access content iframe (may be cross-origin):', error); 68 + return false; 69 + } 70 + } 71 + 72 + // Push current annotations to content iframe 73 + async function pushAnnotationsToContent(): Promise<void> { 74 + try { 75 + const annotations = await storage.get('annotations') || []; 76 + console.log('[shell] Pushing', annotations.length, 'annotations to content iframe'); 77 + postToContent({ 78 + type: 'ANNOTATIONS_UPDATED', 79 + annotations 80 + }); 81 + } catch (error) { 82 + console.error('[shell] Failed to push annotations to content:', error); 83 + } 84 + } 85 + 86 + // Handle GET_ANNOTATIONS request from content iframe 87 + async function handleGetAnnotations(requestId: string): Promise<void> { 88 + try { 89 + const annotations = await storage.get('annotations') || []; 90 + console.log('[shell] Responding to GET_ANNOTATIONS with', annotations.length, 'annotations'); 91 + postToContent({ 92 + type: 'ANNOTATIONS_DATA', 93 + requestId, 94 + annotations 95 + }); 96 + } catch (error) { 97 + console.error('[shell] Failed to get annotations for request:', error); 98 + postToContent({ 99 + type: 'ANNOTATIONS_DATA', 100 + requestId, 101 + annotations: [] 102 + }); 103 + } 104 + } 105 + 106 + // Handle messages from content iframe 107 + function handleMessage(event: MessageEvent): void { 108 + // Validate origin - content iframe is same-origin via service worker 109 + if (event.origin !== window.location.origin) { 110 + return; 111 + } 112 + 113 + const { type, requestId, url, payload } = event.data; 114 + 115 + // Only handle messages from content iframe 116 + const isFromContent = contentFrame && event.source === contentFrame.contentWindow; 117 + 118 + if (!isFromContent) return; 119 + 120 + console.log('[shell] Message from content iframe:', type); 121 + 122 + switch (type) { 123 + case 'GET_ANNOTATIONS': 124 + handleGetAnnotations(requestId); 125 + break; 126 + 127 + case 'SEAMS_PAGE_URL': 128 + // Update current URL and trigger background worker fetch 129 + if (url && url !== currentUrl) { 130 + currentUrl = url; 131 + console.log('[shell] Page URL changed:', url); 132 + backgroundWorker.setCurrentUrl(url); 133 + } 134 + // Update sidebar directly 135 + if (sidebar) { 136 + sidebar.setCurrentUrl(url); 137 + } 138 + break; 139 + 140 + case 'SELECTION_CHANGED': 141 + // Update sidebar directly 142 + if (sidebar) { 143 + sidebar.setSelection(payload); 144 + } 145 + break; 146 + 147 + case 'ACTIVATE_ANNOTATION': 148 + // Activate sidebar directly 149 + if (sidebar) { 150 + sidebar.handleActivateAnnotation(); 151 + } 152 + break; 153 + 154 + default: 155 + console.log('[shell] Unknown message type from content:', type); 156 + } 157 + } 158 + 159 + // Inject scoped sidebar CSS 160 + function injectScopedStyles(): void { 161 + // Scope all CSS rules under .sidebar-container 162 + // This prevents the sidebar CSS from affecting the shell page 163 + const scopedStyles = sidebarStyles 164 + // Scope body rules to .sidebar-container 165 + .replace(/\bbody\s*\{/g, '.sidebar-container {') 166 + .replace(/\bbody::before\s*\{/g, '.sidebar-container::before {') 167 + // Scope universal selector - be more selective 168 + .replace(/^\*\s*\{/gm, '.sidebar-container * {') 169 + // Keep :root as-is (CSS variables) 170 + ; 171 + 172 + const styleEl = document.createElement('style'); 173 + styleEl.textContent = scopedStyles; 174 + document.head.appendChild(styleEl); 175 + console.log('[shell] Injected scoped sidebar styles'); 176 + } 177 + 178 + // Initialize sidebar 179 + function initSidebar(): void { 180 + const sidebarContainer = document.getElementById('sidebar-container'); 181 + if (!sidebarContainer) { 182 + console.error('[shell] Sidebar container not found'); 183 + return; 184 + } 185 + 186 + // Create the app div inside the container (Sidebar expects an element to render into) 187 + const appDiv = document.createElement('div'); 188 + appDiv.id = 'sidebar-app'; 189 + sidebarContainer.appendChild(appDiv); 190 + 191 + // Use PopupOAuthLauncher - popup flow works better than redirect for shell context 192 + const launcher = new PopupOAuthLauncher(); 193 + 194 + sidebar = new Sidebar( 195 + appDiv, 196 + storage, 197 + launcher, 198 + { 199 + oauth: { 200 + // Note: These env vars are replaced at build time by vite.sure-client.config.ts 201 + // For development, VITE_OAUTH_CLIENT_ID uses the loopback format: http://localhost?redirect_uri=...&scope=... 202 + clientId: import.meta.env.VITE_OAUTH_CLIENT_ID, 203 + redirectUri: import.meta.env.VITE_OAUTH_REDIRECT_URI, 204 + scope: import.meta.env.VITE_OAUTH_SCOPE || 'atproto transition:generic', 205 + }, 206 + pds: { 207 + backendUrl: BACKEND_URL, 208 + }, 209 + }, 210 + () => { 211 + // Sync callback - directly call backgroundWorker 212 + console.log('[shell] Sidebar requested sync'); 213 + backgroundWorker.forceSync(); 214 + } 215 + ); 216 + 217 + // If we already have a URL, set it on the sidebar 218 + if (currentUrl) { 219 + sidebar.setCurrentUrl(currentUrl); 220 + } 221 + 222 + console.log('[shell] Sidebar initialized'); 223 + } 224 + 225 + // Initialize when DOM is ready 226 + function init(): void { 227 + console.log('[shell] Initializing...'); 228 + 229 + // Get content iframe reference 230 + contentFrame = document.getElementById('content') as HTMLIFrameElement; 231 + 232 + if (!contentFrame) { 233 + console.error('[shell] Content iframe not found'); 234 + } 235 + 236 + // Inject scoped CSS and initialize sidebar 237 + injectScopedStyles(); 238 + initSidebar(); 239 + 240 + // Listen for messages from content iframe 241 + window.addEventListener('message', handleMessage); 242 + 243 + console.log('[shell] Ready'); 244 + } 245 + 246 + // Wait for DOM 247 + if (document.readyState === 'loading') { 248 + document.addEventListener('DOMContentLoaded', init); 249 + } else { 250 + init(); 251 + } 252 + 253 + // Export for external access (e.g., from inline script in index.html) 254 + (window as any).SeamsShell = { 255 + setUrl: (url: string) => { 256 + if (url && url !== currentUrl) { 257 + currentUrl = url; 258 + console.log('[shell] URL set externally:', url); 259 + backgroundWorker.setCurrentUrl(url); 260 + if (sidebar) { 261 + sidebar.setCurrentUrl(url); 262 + } 263 + } 264 + }, 265 + forceSync: () => { 266 + backgroundWorker.forceSync(); 267 + }, 268 + getCurrentUrl: () => currentUrl, 269 + };

-59

entrypoints/via-client/sidebar.ts

··· 1 - import '../sidepanel/style.css'; 2 - import { WebStorageAdapter, WebOAuthLauncher, Sidebar, BackgroundWorker, fetchAnnotations } from '@seams/core'; 3 - 4 - console.log('[seams-sidebar] Loading sidebar (v2.1)...'); 5 - 6 - const app = document.getElementById('app'); 7 - if (!app) { 8 - throw new Error('App element not found'); 9 - } 10 - 11 - const storage = new WebStorageAdapter(); 12 - const launcher = new WebOAuthLauncher(); 13 - 14 - const backgroundWorker = new BackgroundWorker({ 15 - storage, 16 - fetchAnnotations: async (url: string) => { 17 - const backendUrl = import.meta.env.VITE_BACKEND_URL || import.meta.env.BACKEND_URL || 'https://seams.so'; 18 - return fetchAnnotations(backendUrl, url); 19 - }, 20 - }); 21 - 22 - const sidebar = new Sidebar( 23 - app, 24 - storage, 25 - launcher, 26 - { 27 - oauth: { 28 - clientId: import.meta.env.VITE_OAUTH_CLIENT_ID || 'http://localhost:8081/static/client-metadata.json', 29 - redirectUri: import.meta.env.VITE_OAUTH_REDIRECT_URI || 'http://localhost:8081/static/oauth-callback.html', 30 - scope: import.meta.env.VITE_OAUTH_SCOPE || 'atproto transition:generic', 31 - }, 32 - pds: { 33 - backendUrl: import.meta.env.VITE_BACKEND_URL || import.meta.env.BACKEND_URL || 'https://seams.so', 34 - }, 35 - }, 36 - () => { 37 - backgroundWorker.forceSync(); 38 - } 39 - ); 40 - 41 - // Listen for messages from parent (page URL) 42 - window.addEventListener('message', (event) => { 43 - if (event.data.type === 'SEAMS_PAGE_URL') { 44 - const url = event.data.url; 45 - console.log('[seams-sidebar] Received page URL:', url); 46 - sidebar.setCurrentUrl(url); 47 - backgroundWorker.setCurrentUrl(url); 48 - } else if (event.data.type === 'SELECTION_CHANGED') { 49 - console.log('[seams-sidebar] Received selection update'); 50 - sidebar.setSelection(event.data.payload); 51 - } else if (event.data.type === 'ACTIVATE_ANNOTATION') { 52 - console.log('[seams-sidebar] Received activation request'); 53 - sidebar.handleActivateAnnotation(); 54 - } 55 - }); 56 - 57 - // Notify parent window that sidebar is ready 58 - window.parent.postMessage({ type: 'SEAMS_SIDEBAR_READY' }, '*'); 59 - console.log('[seams-sidebar] Ready');

+87 -1

flake.nix

··· 12 12 let 13 13 pkgs = nixpkgs.legacyPackages.${system}; 14 14 15 + # Path to sure-client-proxy dist (must be built before nix build) 16 + # Requires --impure flag since dist/ is gitignored 17 + # Run: pnpm build:sure-client && nix build .#sureClientProxy --impure 18 + sureClientDistPath = builtins.getEnv "SURE_CLIENT_DIST"; 19 + sureClientDist = if sureClientDistPath != "" 20 + then /. + sureClientDistPath 21 + else builtins.throw "SURE_CLIENT_DIST env var required. Run: SURE_CLIENT_DIST=$PWD/sure-client-proxy/dist nix build .#sureClientProxy --impure"; 22 + 15 23 # Build Go backend server 16 24 server = pkgs.buildGoModule { 17 25 pname = "seams-server"; ··· 72 80 }; 73 81 }; 74 82 75 - # Docker image for Via Proxy 83 + # Docker image for Sure Client Proxy (wabac.js-based) 84 + # Uses Caddy for static files + Node.js CORS proxy 85 + sureClientProxy = pkgs.dockerTools.buildImage { 86 + name = "seams-sure-client-proxy"; 87 + tag = "latest"; 88 + 89 + copyToRoot = pkgs.buildEnv { 90 + name = "image-root"; 91 + paths = [ 92 + pkgs.coreutils 93 + pkgs.bash 94 + pkgs.caddy 95 + pkgs.nodejs_22 96 + pkgs.cacert 97 + 98 + # Static files and config 99 + # Note: Requires running `pnpm build:sure-client` before building 100 + # to populate sure-client-proxy/dist/ 101 + (pkgs.runCommand "sure-client-files" {} '' 102 + mkdir -p $out/app/dist 103 + mkdir -p $out/app/cors-proxy 104 + 105 + # Copy built static files 106 + cp -r ${sureClientDist}/* $out/app/dist/ 107 + 108 + # Copy CORS proxy source 109 + cp -r ${./sure-client-proxy/cors-proxy}/* $out/app/cors-proxy/ 110 + 111 + # Copy Caddyfile 112 + cp ${./sure-client-proxy/Caddyfile} $out/app/Caddyfile 113 + '') 114 + 115 + # Startup script 116 + (pkgs.writeScriptBin "start-sure-client.sh" '' 117 + #!${pkgs.bash}/bin/bash 118 + set -e 119 + 120 + echo "Starting Seams Sure Client Proxy..." 121 + 122 + # Ensure HOME exists for npm 123 + ${pkgs.coreutils}/bin/mkdir -p /root 124 + 125 + # Install CORS proxy dependencies 126 + cd /app/cors-proxy 127 + echo "Installing CORS proxy dependencies..." 128 + ${pkgs.nodejs_22}/bin/npm install --production 2>/dev/null || ${pkgs.nodejs_22}/bin/npm install 129 + 130 + # Start CORS proxy on port 8083 (internal, Caddy proxies to 8082) 131 + echo "Starting CORS proxy on :8083..." 132 + CORS_PROXY_PORT=8083 CORS_ALLOWED_ORIGINS="$CORS_ALLOWED_ORIGINS" ${pkgs.nodejs_22}/bin/npx tsx index.ts & 133 + CORS_PID=$! 134 + 135 + # Wait for CORS proxy to start 136 + ${pkgs.coreutils}/bin/sleep 2 137 + 138 + # Start Caddy (static files on 8081, proxy to cors on 8082) 139 + cd /app 140 + echo "Starting Caddy on :8081 (static) and :8082 (cors proxy)..." 141 + ${pkgs.caddy}/bin/caddy run --config /app/Caddyfile --adapter caddyfile 142 + '') 143 + ]; 144 + pathsToLink = [ "/bin" "/app" ]; 145 + }; 146 + 147 + config = { 148 + Cmd = [ "start-sure-client.sh" ]; 149 + ExposedPorts = { "8081/tcp" = {}; "8082/tcp" = {}; }; 150 + WorkingDir = "/app"; 151 + Env = [ 152 + "PATH=/bin" 153 + "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" 154 + "HOME=/root" 155 + # Default CORS origins - override with CORS_ALLOWED_ORIGINS env var 156 + "CORS_ALLOWED_ORIGINS=http://localhost:8081,http://127.0.0.1:8081" 157 + ]; 158 + }; 159 + }; 160 + 161 + # Docker image for Via Proxy (pywb-based, legacy) 76 162 proxy = pkgs.dockerTools.buildImage { 77 163 name = "seams-proxy"; 78 164 tag = "latest";

+33

fly.sure-client.toml

··· 1 + # fly.sure-client.toml app configuration for Sure Client Proxy (wabac.js-based) 2 + # Deploy with: fly deploy --config fly.sure-client.toml 3 + app = 'sure-client-seams-so' 4 + primary_region = 'sjc' 5 + 6 + [build] 7 + dockerfile = "Dockerfile.sure-client" 8 + 9 + # Main service on port 8081 (static files) 10 + [http_service] 11 + internal_port = 8081 12 + force_https = true 13 + auto_stop_machines = 'stop' 14 + auto_start_machines = true 15 + min_machines_running = 1 16 + processes = ['app'] 17 + 18 + # Also expose CORS proxy on port 8082 19 + [[services]] 20 + internal_port = 8082 21 + protocol = "tcp" 22 + [[services.ports]] 23 + handlers = ["tls", "http"] 24 + port = 8082 25 + 26 + [[vm]] 27 + memory = '512mb' 28 + cpu_kind = 'shared' 29 + cpus = 1 30 + 31 + [env] 32 + # Override with production domain 33 + CORS_ALLOWED_ORIGINS = "https://sure-client-seams-so.fly.dev"

+2

package.json

··· 10 10 "build:landing": "vite build --config vite.landing.config.ts", 11 11 "build:via": "vite build --config vite.via.config.ts && bash scripts/postbuild-via.sh", 12 12 "dev:via": "vite build --config vite.via.config.ts --watch", 13 + "build:sure-client": "vite build --config vite.sure-client.config.ts && vite build --config vite.sure-client-inject.config.ts && bash scripts/postbuild-sure-client.sh", 14 + "dev:sure-client": "vite build --config vite.sure-client-inject.config.ts --watch", 13 15 "dev:server": "pnpm run build:landing && cd server && air", 14 16 "via": "bash scripts/start-via.sh" 15 17 },

+1

packages/core/src/storage/index.ts

··· 1 1 export type { StorageAdapter, StorageChange } from './adapter'; 2 2 export { WebStorageAdapter } from './web'; 3 3 export { BrowserStorageAdapter } from './browser'; 4 + export { PostMessageStorageAdapter } from './postmessage';

+143

packages/core/src/storage/postmessage.ts

··· 1 + // PostMessage storage adapter for cross-origin iframes 2 + // Used by content script in wabac.js proxied iframe which cannot access localStorage 3 + // Communicates with shell (parent window) which has localStorage access 4 + 5 + import type { StorageAdapter, StorageChange } from './adapter'; 6 + 7 + // Allowed origins for postMessage communication 8 + // Note: Use 127.0.0.1 for local dev (RFC 8252 requires loopback IP for OAuth) 9 + const ALLOWED_ORIGINS = [ 10 + 'http://127.0.0.1:8081', 11 + 'https://sure.seams.so', 12 + ]; 13 + 14 + interface PendingRequest { 15 + resolve: (value: any) => void; 16 + reject: (error: Error) => void; 17 + } 18 + 19 + export class PostMessageStorageAdapter implements StorageAdapter { 20 + private listeners: Array<(change: StorageChange) => void> = []; 21 + private pendingRequests: Map<string, PendingRequest> = new Map(); 22 + private targetWindow: Window; 23 + private targetOrigin: string; 24 + private boundHandleMessage: (event: MessageEvent) => void; 25 + 26 + constructor(targetWindow: Window = window.parent, targetOrigin: string = 'https://sure.seams.so') { 27 + this.targetWindow = targetWindow; 28 + this.targetOrigin = targetOrigin; 29 + 30 + // Bind handler once so we can remove it later 31 + this.boundHandleMessage = this.handleMessage.bind(this); 32 + 33 + // Listen for messages from shell 34 + window.addEventListener('message', this.boundHandleMessage); 35 + } 36 + 37 + private handleMessage(event: MessageEvent): void { 38 + // Validate origin - only accept messages from allowed origins 39 + if (!ALLOWED_ORIGINS.includes(event.origin)) { 40 + return; 41 + } 42 + 43 + const { type, requestId, annotations, key, newValue, oldValue } = event.data; 44 + 45 + if (type === 'ANNOTATIONS_DATA' && requestId) { 46 + // Response to GET_ANNOTATIONS request 47 + const pending = this.pendingRequests.get(requestId); 48 + if (pending) { 49 + this.pendingRequests.delete(requestId); 50 + pending.resolve(annotations); 51 + } 52 + } else if (type === 'ANNOTATIONS_UPDATED') { 53 + // Push notification from shell when storage changes 54 + console.log('[PostMessageStorageAdapter] Received annotations update'); 55 + const change: StorageChange = { 56 + key: 'annotations', 57 + newValue: annotations, 58 + oldValue: undefined 59 + }; 60 + this.listeners.forEach(callback => callback(change)); 61 + } else if (type === 'STORAGE_CHANGE') { 62 + // Generic storage change notification 63 + const change: StorageChange = { key, newValue, oldValue }; 64 + this.listeners.forEach(callback => callback(change)); 65 + } 66 + } 67 + 68 + async get(keys: string | string[]): Promise<any> { 69 + // For now, we only support getting 'annotations' 70 + // This could be extended to support other keys if needed 71 + if (keys === 'annotations' || (Array.isArray(keys) && keys.includes('annotations'))) { 72 + return this.requestAnnotations(); 73 + } 74 + 75 + // For single key 76 + if (typeof keys === 'string') { 77 + if (keys === 'annotations') { 78 + return this.requestAnnotations(); 79 + } 80 + // Unsupported key - return null 81 + console.warn('[PostMessageStorageAdapter] Unsupported key:', keys); 82 + return null; 83 + } 84 + 85 + // For multiple keys 86 + const result: Record<string, any> = {}; 87 + for (const key of keys) { 88 + if (key === 'annotations') { 89 + result[key] = await this.requestAnnotations(); 90 + } else { 91 + result[key] = null; 92 + } 93 + } 94 + return result; 95 + } 96 + 97 + private requestAnnotations(): Promise<any> { 98 + return new Promise((resolve, reject) => { 99 + const requestId = `req_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`; 100 + 101 + // Set up timeout 102 + const timeout = setTimeout(() => { 103 + this.pendingRequests.delete(requestId); 104 + console.warn('[PostMessageStorageAdapter] GET_ANNOTATIONS request timed out'); 105 + resolve([]); // Return empty array on timeout rather than rejecting 106 + }, 5000); 107 + 108 + this.pendingRequests.set(requestId, { 109 + resolve: (value) => { 110 + clearTimeout(timeout); 111 + resolve(value); 112 + }, 113 + reject: (error) => { 114 + clearTimeout(timeout); 115 + reject(error); 116 + } 117 + }); 118 + 119 + // Send request to shell 120 + console.log('[PostMessageStorageAdapter] Requesting annotations from shell'); 121 + this.targetWindow.postMessage({ 122 + type: 'GET_ANNOTATIONS', 123 + requestId 124 + }, this.targetOrigin); 125 + }); 126 + } 127 + 128 + async set(_key: string, _value: any): Promise<void> { 129 + // Content script doesn't write to storage - it's read-only 130 + // Writes happen through sidebar -> PDS -> storage in shell 131 + console.warn('[PostMessageStorageAdapter] set() called but content script is read-only'); 132 + } 133 + 134 + onChange(callback: (change: StorageChange) => void): void { 135 + this.listeners.push(callback); 136 + } 137 + 138 + destroy(): void { 139 + window.removeEventListener('message', this.boundHandleMessage); 140 + this.pendingRequests.clear(); 141 + this.listeners = []; 142 + } 143 + }

+21 -5

proxy/static/extension-callback.html

··· 5 5 <title>OAuth Callback</title> 6 6 </head> 7 7 <body> 8 - <p>Authenticated. This window will close automatically.</p> 8 + <p>Redirecting...</p> 9 9 <script> 10 - // Log what we received to help debug 11 - console.log('[extension-callback] Full URL:', window.location.href); 12 - console.log('[extension-callback] Search:', window.location.search); 13 - console.log('[extension-callback] Hash:', window.location.hash); 10 + // Relay to Chromium extension callback 11 + const extensionId = 'kjdnjfgcikmlbloojphbkmknfpmfofio'; 12 + const extRedirect = `https://${extensionId}.chromiumapp.org/extension-callback.html`; 13 + 14 + // Check if we are already in the extension context to avoid infinite loops 15 + const isExtension = window.location.protocol === 'chrome-extension:' || 16 + window.location.hostname.endsWith('.chromiumapp.org') || 17 + window.location.protocol === 'moz-extension:'; 18 + 19 + if (!isExtension) { 20 + // We are on the web server (relay), so redirect to the extension 21 + console.log('Relaying to extension:', extRedirect); 22 + window.location.href = extRedirect + window.location.search + window.location.hash; 23 + } else { 24 + // We are in the extension 25 + console.log('Authentication successful!'); 26 + // The browser should handle closing this window via launchWebAuthFlow, 27 + // but we can show a message just in case. 28 + document.querySelector('p').textContent = 'Authenticated. This window will close automatically.'; 29 + } 14 30 </script> 15 31 </body> 16 32 </html>

proxy/static/favicon.ico