mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 23:21:08 +02:00
e4e3360ca8
The previous two attempts at allowlisting cdn.jsdelivr.net for transformers.js's onnxruntime-web loader landed in shared-utils security-headers.ts. The actual file change was correct (verified by grep), the commits got pushed, the live security-headers.ts on disk had the additions — but Vite's SSR module cache for cross-workspace- package imports kept serving the OLD compiled shared-utils to hooks.server.ts. Net effect: edits to hooks.server.ts hot-reloaded fine (proven by the *.hf.co connect-src additions showing up immediately) while edits to shared-utils/security-headers.ts did not. A dev server restart should clear it but I'd rather not depend on manual intervention every time we touch the shared CSP. Move the jsdelivr allowlist out of the shared default and into mana-web's hooks.server.ts via the existing scriptSrc + connectSrc options. hooks.server.ts is in the SvelteKit app's own source tree so it HMRs reliably, no SSR cache to fight. As a bonus this is also architecturally cleaner: cdn.jsdelivr.net is only needed by mana-web because mana-web is the only Mana app that bundles @mana/local-llm — other apps get a slightly tighter CSP for free. The pattern to remember: changes to packages/shared-utils that affect SSR (response headers, server hooks) require either a dev server restart OR a manual `rm -rf apps/.../node_modules/.vite` to take effect. Client-side changes hot-reload fine. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| src | ||
| package.json | ||
| tsconfig.json | ||