Add configurable UI extension slots#3622
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
| taskQueue: workflow?.taskQueue, | ||
| workflowType: workflow?.name, | ||
| }, | ||
| }} |
There was a problem hiding this comment.
⚠️ Type 'WorkflowStatus | undefined' is not assignable to type 'string | undefined'.
|
| buildIframeSandbox({ | ||
| ...extension().sandbox, | ||
| allowForms: true, | ||
| allowPopupsToEscapeSandbox: true, |
There was a problem hiding this comment.
allowPopupsToEscapeSandbox This seems sus I feel like we shouldn't allow sandbox escaping?
| ).toBeNull(); | ||
| expect(safeNavigationPath('javascript:alert(1)', currentOrigin)).toBeNull(); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
Can we have some tests around iframe allow headers on origin and remote and maybe an iFrame script to reach to the parent frame and a script from the parent frame trying to reach into the child frame?
| const minWidth = positiveOrUndefined(sizing.minWidth) ?? MIN_WIDTH; | ||
| const maxWidth = positiveOrUndefined(sizing.maxWidth) ?? MAX_WIDTH; | ||
| return clamp(defaultWidth, minWidth, maxWidth); | ||
| }; |
There was a problem hiding this comment.
It might be cool to have an @Attach on the parent html container with a ResizeObserver debounced by RAF that sends the height/width of the container to the iframe so you could have the iframe reactive to the size of the parent html contianer
|
|
||
| CustomUI struct { | ||
| Enabled bool `yaml:"enabled"` | ||
| IframeExtensions []IframeExtension `yaml:"iframeExtensions"` |
There was a problem hiding this comment.
I think static YAML is fine for now, but wondering if it might it be worth it to support getting extensions via a manifest URL?
Something that wouldn't require a redeploy every time something needed to be changed e.g.
extensionManifests:
- url: https://example.com/manifest.json
allowedOrigin: https://example.com
permissions: [context:workflow]
There was a problem hiding this comment.
Yes I think that's a great idea. Then that would also support Nexus endpoints - you could point the url to a Nexus endpoint and have it return a custom UI
* Add existing versions to create version form * Show 5 versions max * Add show more button * Add check for aborted in .then
* fix(cloud-nav): keep collapsed nav header height stable The Cloud nav header reflowed from a single row (expanded) into a stacked column (collapsed: flex-col + gap-2, dropping min-h-7), changing its height. Because the nav icon list sits directly below the header, the icons shifted vertically on every expand/collapse. Keep the header a constant-height single row in both states: pin min-h-7, hide the logo/subtitle block when collapsed, and center the toggle. The icon list's top edge no longer moves. OSS nav bar is unaffected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(cloud-nav): animate width on expand/collapse The nav declared transition-width but it never fired: the expanded Cloud nav has an explicit width (w-[13.125rem]) while the collapsed state fell back to content width (auto), which CSS can't interpolate, so the toggle snapped. Pin the collapsed Cloud width to its natural rail size so the existing transition-width has two definite endpoints, and add a motion-reduce guard. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Laura Whitaker <laura.whitaker@temporal.io>
* Update SAA list view * Update SAA details view * Update to use shared no workers polling alert * Fix strict ts errors * Update saa table cell values
* feat(nexus-operations): DT-4005 standalone nexus operations API integrations (#3444) * feat(nexus-operations): add types and API routes for standalone nexus operations Adds NexusOperationExecution types, extends APIRouteParameters with operationId, and registers 6 new API routes (list, describe/start, poll, cancel, terminate, count). Adds route-for helpers mirroring the standalone activities pattern. DT-4005 * feat(nexus-operations): add services for standalone nexus operations Adds fetchPaginatedNexusOperations, startStandaloneNexusOperation, getNexusOperationExecution, pollNexusOperationExecution, cancel, and terminate. Adds count and count-by-status service functions. DT-4005 * feat(nexus-operations): add stores, poller, and filters for standalone nexus operations Adds nexus operation writable stores (refresh, loading, updating, count, error, query). Adds StandaloneNexusOperationPoller with long-poll loop mirroring the activity poller. Adds nexusOperationFilters store to filters.ts. DT-4005 * test(nexus-operations): add route-for-base-path test cases for standalone nexus operations * feat(nexus-operations): add capability flag, guard component, and configurable table columns (#3466) Adds Phase 2 (DT-4006) infrastructure for standalone nexus operations: - NamespaceCapabilities type with standaloneNexusOperations field in src/lib/types/index.ts - Guard component that checks both capability flag and minimum server version (1.31.0) - Disabled state component with Dynamic Config instructions - i18n namespace for standalone-nexus-operations - TABLE_TYPE.NEXUS_OPERATIONS, NexusOperationHeaderLabels, default/available column arrays, persistedNexusOperationsTableColumns store, configurableTableColumns derived store update, availableNexusOperationColumns export, and exhaustive switch cases in configurable-table-columns.ts * feat(nexus-operations): standalone nexus operations list page [DT-4003] (#3470) * feat(nexus-operations): add standalone nexus operations list page - Add list page route at namespaces/[namespace]/nexus-operations - Add page component with status count filters and configurable table - Add filter bar with search attribute support - Add configurable table with header/body cells and empty state - Add get-nexus-operation-status-and-count utility and tests - Add nexus operation search attributes to search-attributes store - Wire nav layout item for standalone nexus operations - Add i18n strings for nexus operations page * feat(nexus-operations): add saved views panel, CTA button, and rich empty state Match Figma design for standalone nexus operations list page: - Add saved views panel with system/user views, expand/collapse, save/edit/delete/share - Add 'Start a Standalone Nexus Operation' CTA button via headerActions snippet - Add rich empty state with value proposition, docs links, and GitHub code samples - Add i18n strings for all new UI copy - Add savedNexusQueryNavOpen persist store and savedNexusQueries/systemNexusViews stores * Update api version to v1.62.12 for SANO APIs and capability * fix capability name * feat(nexus-operations): standalone nexus operation details page [DT-4002] (#3495) * [DT-4039] Workflow query builder doesn't work with numeric search attributes (#3435) * fix(DT-4039): Workflow query builder for numeric search attributes The query builder wrapped Int/Double search attribute values in double quotes (e.g. `Foo="1"`), which the Visibility backend rejects for numeric types. Stop quoting numeric values in the serializer. The tokenizer also merged unquoted values with their conditional operator (e.g. `Foo=1` tokenized as `Foo`, `=1`), which previously only mattered for booleans and was patched in the parser by stripping `=`. With numerics this breaks down for 2-char operators (`>=`, `<=`, `!=`). Fix the tokenizer to emit the conditional as its own token and to accept operator-style 2-char conditionals without a trailing space. Update the boolean parser to read the value from `tokenTwoAhead` to match the new shape. * fix(DT-4039): Update integration tests for unquoted numeric search attributes The desktop and mobile workflow-filter specs asserted the previous buggy serialization (`HistoryLength`="10"). Update them to match the new correct shape (`HistoryLength`=10). * Make Common Errors dismissable (#3471) * Make common errors dismissable * Remove common errors * Capitalize Common Errors * Add description * Update description * [DT-4048] Add accessibility PR triage and notification helpers (#3465) * Implement helpers for accessibility PRs * fix formatting * fix linting * fix title gating regex * improve deduplication detection on notify * Move CLAUDE.md a11y conventions to DT-4049 * feat(DT-4017): Schedules List UI Update (#3467) * fix(markdown): allow nested lists to render as block (DT-4047) (#3463) * Add a prop to hide select/deselect controls (#3474) * DT-4051: pre-populate input when starting standalone activity like this one (#3469) * fix(a11y): reveal Copyable's CopyButton on focus-within (WCAG 2.1.1) (#3452) The Copyable primitive hides its CopyButton behind 'invisible group-hover:visible'. Tailwind's 'invisible' compiles to visibility: hidden, which removes the element from the focus order -- Tab skips it entirely. Mouse users can hover to reveal and click; keyboard users in default mode have no way to invoke copy at all. Add 'group-focus-within:visible' alongside the existing 'group-hover:visible' so the button becomes visible (and therefore focus-eligible) whenever focus moves anywhere inside the wrapping group -- typically when the user Tabs onto the slot's content (workflow IDs, run IDs, etc.). The next Tab now lands on the CopyButton, where Enter or Space triggers copy. Applied to both branches (clickAllToCopy and default mode). Affects detail-list value cells, event-summary rows, and every other Copyable consumer in default mode. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix: accept autocomplete prop on NumberInput, ChipInput, and Combobox (#3425) Allows consumers to pass WCAG-defined autocomplete tokens (e.g. "cc-number", "email") to these input primitives. All three previously hardcoded autocomplete="off", preventing purpose identification per WCAG 2.2 SC 1.3.5. Default remains "off" so existing behavior is unchanged. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix: cap ZoomSvg container height to viewport (#3428) Uses CSS min() to limit the container to the lesser of containerHeight (default 600px) or viewport height minus 8rem. On narrow landscape viewports (e.g. 320x500) the container now fits within the screen instead of overflowing. Desktop behavior is unchanged. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix(a11y): accommodate text-spacing overrides on Badge and Chip (WCAG 1.4.12) (#3433) * fix(a11y): accommodate text-spacing overrides (WCAG 1.4.12) Three same-family fixes for SC 1.4.12 Text Spacing. WCAG requires that text-spacing user overrides (line-height 1.5, letter-spacing 0.12em, etc.) not cause content loss. - Badge: leading-4 (16px) -> leading-[1.5]. text-sm at 1.5 line- height is 21px which previously clipped. - Chip: h-7 -> min-h-7, add leading-[1.5]. Preserves the 28px visual minimum but allows growth. - Table row: h-8 -> min-h-8. The densest text-bearing surface in the product. Preserves the 32px default but allows growth under user override. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * revert(a11y): undo h-8 -> min-h-8 on table row Per reviewer feedback: <tr> uses table layout rules, where the height property already acts as a minimum (the row grows to fit cell content). min-height on <tr> is either ignored or behaves differently per browser. The change broke the skeleton table without providing the intended SC 1.4.12 benefit -- under text-spacing override, the row would have grown naturally. Badge and chip portions of the PR remain in place (those are flex elements where min-h-* works as expected). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix(a11y): non-color signal for Label required indicator (WCAG 1.4.1) (#3439) * fix(a11y): non-color signals for required state and timeline graph nodes (WCAG 1.4.1) Two SC 1.4.1 Use of Color fixes: - Label required-field indicator: replace the 6x6 red dot with a red asterisk (aria-hidden) so users with color-perception differences see a shape signal, not just a color signal. The programmatic required state continues to come from native HTML `required` on the input (which the 1.3.1 forwarders ensure). - Timeline graph nodes (workflow-row, history-graph-row-visual): add aria-label to the <g role="button"> wrapper so AT users hear the workflow id + status (or event type + classification) instead of bare "button". Removes the previous dependency on reaching the legend tooltip to decode color. New i18n keys: workflows.row-accessible-name, events.row-accessible-name. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * revert: remove timeline graph aria-label changes from this PR Per the PR scope decision, keep this PR focused on the Label required-indicator fix only. The timeline graph status accessible- name fix (workflow-row.svelte, history-graph-row-visual.svelte, and the supporting i18n keys) will ship as its own separate PR so the two SC 1.4.1 defects can be reviewed independently. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(a11y): use text-danger so the asterisk actually renders red The previous text-interactive-error class was a no-op for text color (interactive-error is only registered under backgroundColor in the theme plugin, not textColor), so the asterisk inherited the default text color and rendered black/off-white instead of red. text-danger maps to --color-text-danger (red.700 light / red.400 dark) which is the proper red text token. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: simplify required-asterisk span The parent <label> already provides text-sm and font-medium, so the span inherits both. Only text-danger is doing actual work; the size/weight/leading classes were redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(label): refine required-asterisk visual alignment - font-mono: mono asterisks are larger and more geometrically centered than proportional ones, making them feel like a proper visual indicator rather than a tiny text-style superscript. - leading-none: tightens the span's line-box to the character. - translate-y-0.5: small downward nudge so the asterisk aligns with the label baseline rather than sitting above it. - -ml-1: reduces the gap to the preceding label text (8px -> 4px). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix(a11y): tabindex on <main> so the skip link moves focus reliably (WCAG 2.4.1) (#3451) The SkipNavigation primitive renders <a href="#content">, which targets <main id="content"> in main-content-container.svelte. By HTML spec, <main> without tabindex is not programmatically focusable -- so activating the skip link only reliably moves focus on Chromium-based browsers (Chrome, Edge). Safari and older Firefox scroll the target into view but leave focus on the skip link itself, defeating the bypass for keyboard and screen- reader users. Adding tabindex="-1" makes <main> programmatically focusable (so the hash-link navigation lands focus there) while keeping it out of the natural Tab order. Closes WCAG 2.4.1 sufficient- technique G1's "programmatically moves focus" requirement across all browsers. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix(a11y): info-and-relationships compliance (WCAG 1.3.1) (#3432) Four related fixes under SC 1.3.1, grouped per the audit's correction of the matrix pathway: - NumberInput / Textarea: forward `required` to the underlying native element. Previously the visual red-dot appeared via <Label> but the field was not programmatically required, so AT users heard an optional-field announcement despite the visible indicator. - RadioGroup: add role="radiogroup" and link the optional description via aria-labelledby so AT users hear the group as a whole rather than each radio in isolation. - Tables: add scope="col" to every <th> in product data tables (workflows, schedules, workers, batch-operations, child/parent workflow relationships). Fixes WCAG technique H63. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ardie Wen <ardie.wen@temporal.io> * fix(query): quote ExecutionDuration Go duration strings in visibility SQL (#3482) ExecutionDuration is typed as INT in the search attributes store, so formatValue returns its values unquoted. PR #3435 (DT-4039) added an explicit unquoted INT path which broke ExecutionDuration because it uses Go duration strings (30s, 1m30s) that vitess rejects as unquoted tokens. Add an ExecutionDuration guard before the INT/duration paths: quote non-integer values as strings, pass plain integers (nanoseconds) through unquoted. * Passthrough goto params to link component (#3483) * feat: add centerButton, menuButton, and linksContent snippets to BottomNavigation (#3485) * feat: add centerButton snippet to BottomNavigation for custom center content * feat: add centerButton, menuButton, and linksContent snippets to BottomNavigation * feat: add bars icon to holocene icon set * fix: add "for" to validate connection modal title (#3488) The worker deployment version validate connection modal title now reads "Validate Connection for <version>" instead of "Validate Connection <version>". Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(DT-4069): Update modal backdrop to 50% opaque (#3486) * refactor: Input & DatePicker - Svelte 5 & afterLabel snippet (#3479) * Fix decoded object payload summaries (#3491) * Fix decoded object payload summaries * Convert event details row to Svelte 5 * fix(DT-4044): only use browser codec endpoint when override option is selected (#3490) When the user selects "Use Namespace-level setting, where available" and no namespace codec is configured, the browser endpoint was incorrectly used as a fallback. Now returns empty string so no codec is invoked. * fix(a11y): improve 1.1.1 non-text content compliance (#3431) - nexus-empty-state.svelte: mark Andromeda illustration decorative with alt="" + aria-hidden on wrapper. Previously screen readers announced "Andromeda, image" (the filename), conveying nothing. - toast.svelte: add runtime fallback to translate('common.close') when closeButtonLabel is missing or empty. TypeScript-required prop still flags missing-at-compile-time, but an empty string or undefined at runtime now produces a labeled icon button rather than aria-label="". Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ardie Wen <ardie.wen@temporal.io> * fix(a11y): make Tooltip keyboard-accessible, dismissible, and hoverable (#3429) * fix: make Tooltip keyboard-accessible, dismissible, and hoverable The Tooltip primitive was mouse-only: no focus handlers, no Escape dismiss, and portal tooltips disappeared when moving the pointer to the popover content. This failed all three WCAG 2.2 SC 1.4.13 criteria (Content on Hover or Focus). Changes: - Show tooltip on keyboard focus via focusin/focusout on wrapper - Dismiss on Escape (resets when interaction ends) - Track pointer hover on the popover itself (diagonal hover bridge) - Unify both portal and inline variants on a single isOpen derived - Add role="tooltip" and aria-describedby linkage for screen readers No API changes — all existing consumers work identically, with the added benefit that tooltips now appear on keyboard focus. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(tooltip): unify hover-zone handling and match repo patterns - Use <svelte:window on:keydown> instead of reactive document listener (mirrors maximizable.svelte) - Fix hover state lingering when mouse leaves popover to empty space by unifying wrapper + popover into a single hover zone - Extract HOVER_HIDE_DELAY_MS constant - Drop redundant isPopoverHovered state Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(tooltip): use crypto.randomUUID() for tooltip id Align tooltip id generation with the codebase convention used across Holocene (accordion.svelte, accordion-light.svelte) and the rest of the app, replacing the ad-hoc Math.random().toString(36) approach. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * refactor(tooltip): drop unused group/tooltip class The group/tooltip marker only existed to drive the group-hover/tooltip: utilities that previously controlled visibility. Tooltip open/close is now fully JS-driven via isOpen, leaving this class with no consumers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ardie Wen <ardie.wen@temporal.io> * fix(a11y): name-role-value compliance, partial (WCAG 4.1.2) (#3434) * fix(a11y): name-role-value compliance (WCAG 4.1.2) Five fixes under SC 4.1.2 Name, Role, Value: - Accordion content panel: remove role="textbox". The disclosure panel is static content, not an editable text input; AT announced "edit text" on every Accordion consumer. - Accordion + AccordionLight: move slot="action" out of the disclosure <button> into a sibling element. Previously consumers placing focusable content in the action slot produced <button><button>... nested-interactive HTML. - CopyButton: ship translated default labels via i18n. Empty string defaults in CodeBlock previously propagated to an Icon that hid itself, producing unlabeled icon-only buttons across ~11 CodeBlock instances. - nav-section: filter out hidden nav items. The NavLinkItem.hidden flag was declared on the type and set at source but never consulted at render time, so Standalone Activities / Nexus links rendered as focusable for AT users on servers that cannot serve them. - Workflow family tree: add aria-label to the two SVG <g role="button"> widgets so screen readers announce node identity instead of "button". Deferred to follow-up PRs (audit blockers): - 4.1.2-button-anchor-empty: audit recommends a two-PR sequenced rollout (primitive change + consumer migration). - 4.1.2-codemirror-no-name: ~5 CodeBlock consumer surfaces need design input on label content. - relationships nested-interactive restructure: site B (button wraps Link) and site A's nested <a> extraction are substantial SVG/HTML restructures separate from the labeling fix above. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(a11y): localize workflow family-tree node aria-labels The family-tree node aria-labels hardcoded the English word "Workflow", inconsistent with the codebase convention of localizing aria-labels via translate(). Add a parameterized workflows.family-node-label i18n key and use it for both the root and child node widgets. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ardie Wen <ardie.wen@temporal.io> * feat(nexus-operations): standalone nexus operation details page [DT-4002] Add tab-based detail view for individual nexus operations with live long-polling. Mirrors standalone activity detail page pattern with nexus-specific fields: identity, operation, status, timing, attempt, timeout config, cancellation info, nexus header, and input/outcome payload display. * feat(nexus-operations): redesign details page to match Figma layout Restructure the details page around "Operation Event History" with three subsections: Run Details, Operation Details, Timeout Configuration. - Add filterable links for endpoint, service, and operation fields - Add handler namespace and handler operation link from nexus operation links - Show nexus header code block inline in Operation Details section - Move last attempt failure into the Attempt section (conditional) - Add handler namespace note when handler workflow link is present * fix(nexus-operations): pass namespace to filter links on details page * fix nexus operation id --------- Co-authored-by: Andrew Zamojc <andrew.zamojc@temporal.io> Co-authored-by: Alex Tideman <alex.tideman@temporal.io> Co-authored-by: Ardie Wen <39966887+ardiewen@users.noreply.github.com> Co-authored-by: Tegan Churchill <tegan.churchill@temporal.io> Co-authored-by: Ross Nelson <ross.nelson@temporal.io> Co-authored-by: Alex Thomsen <alex.scott.thomsen@gmail.com> Co-authored-by: Bilal Karim <4129613+bilal-karim@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ardie Wen <ardie.wen@temporal.io> * fix(nexus-operations): align fetchNexusOperationCountByStatus return type with StatusCounts prop Return Promise<Required<CountWorkflowExecutionsResponse>> and default groups to [] to match the pattern used by fetchWorkflowCountByExecutionStatus. * feat(nexus-operations): standalone nexus operation commands (start/cancel/terminate) [DT-4008] (#3504) * feat(nexus-operations): add cancel/terminate modals and actions to nexus operation header [DT-4008] Add cancel confirmation modal, terminate confirmation modal, and nexus operation actions component. Wire actions into the header with Request Cancellation button and More Actions menu (Terminate + Start Like This One). Add route-for helper and i18n strings for the start form. * feat(nexus-operations): add start standalone nexus operation form and route [DT-4008] Adds the start nexus operation form with fields for operation ID (with random UUID generation), endpoint, service, operation name, payload input, timeouts, and advanced options (nexus header, search attributes, user metadata, ID policies). * feat(nexus-operations): pre-fill input payload when starting nexus operation like this one [DT-4008] Adds fetchInitialValuesForStartNexusOperation to decode the source operation's input payload, encoding, message type, user metadata, and search attributes. The start form pre-populates these fields on mount when operationId and runId are present in the URL, and auto-expands advanced options when there is pre-filled data. * fix nav width for cloud * add cloud escape hatch to SANO guard * add a guard for SANO actions * fix SANO system saved views * add runId to routes, links, etc. and fix table columns * fix import * fix case of runId * fix details * Fix links to use Links property, fix Result/Failure type and rendering, don't make timeouts required * remove version check from guard * fix tests * add integration tests * update start SANO form to match current designs * fix breadcrumb text * add close time to default columns * fix(sano): show field-level error and toast on duplicate operation ID (409) When the API returns 409 for a rejected duplicate operation ID, display an error toast, a field-level hint on the operationId input, and focus the field. * fix(sano): show completed operation error state for allow-duplicate-failed-only policy When idReusePolicy is ALLOW_DUPLICATE_FAILED_ONLY and a 409 is returned, show a distinct toast and field-level error indicating the ID is in use by a completed operation. * fix(sano): show conflict error state for use-existing ID conflict policy * refactor(sano): extract 409 error handlers from onUpdate catch block --------- Co-authored-by: Andrew Zamojc <andrew.zamojc@temporal.io> Co-authored-by: Alex Tideman <alex.tideman@temporal.io> Co-authored-by: Ardie Wen <39966887+ardiewen@users.noreply.github.com> Co-authored-by: Tegan Churchill <tegan.churchill@temporal.io> Co-authored-by: Ross Nelson <ross.nelson@temporal.io> Co-authored-by: Alex Thomsen <alex.scott.thomsen@gmail.com> Co-authored-by: Bilal Karim <4129613+bilal-karim@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Ardie Wen <ardie.wen@temporal.io> Co-authored-by: Your Name <alex.tideman@gmail.com>
Validate extension trust, permissions, routes, and slot sizing on the server and client. Add the authenticated registry, CSP integration, runnable separate-origin example, and browser security coverage.
Use a classic deferred entry script and a whitelist-only static server so the unprivileged sandbox can run without broad CORS access. Add browser coverage for the null-origin handshake, host state, and resize behavior.
Description & motivation 💭
Adds configurable iframe-based UI extensions so operators can mount customer-owned UI into stable Temporal UI slots without forking the main UI bundle.
This PR:
customUiserver configuration for enabling iframe extensions, including extension IDs, slot names, source URLs, allowed origins, route filters, sandbox options, sizing bounds, and permissions.settings.customUi.ExtensionSlotandIframeExtensioncomponents that render configured extensions only when the slot, route pattern, iframe URL, and allowed origin all match.postMessageprotocol:temporal-ui/contextandtemporal-ui/theme.temporal-extension/ready,temporal-extension/resize, and permittedtemporal-extension/navigate.src/lib/extensions/README.md.Screenshots (if applicable) 📸
Examples
Design Considerations 🎨
customUi.enabledis false.allow-scripts; additional capabilities are opt-in per extension.navigation:write.Testing 🧪
How was this tested 👻
Local test commands run:
Results:
github.com/temporalio/ui-server/v2/server/apipassed.Steps for others to test: 🚶🏽♂️🚶🏽♀️
customUi.enabled: truewith one or moreiframeExtensionsin the UI server config.srcwithallowedOrigin: self, or at an HTTPS origin with a matching explicitallowedOrigin.app.top-nav.actions.beforeapp.top-nav.actions.afterapp.top-nav.sub-navworkflow.header.after-detailsroutePatternsmatch.readyandresizemessages and verify the host responds with context/theme messages and clamps dimensions to configured bounds.permissions: [context:workflow], verify workflow context is delivered.permissions: [navigation:write], send a same-origin navigate message and verify the host navigates; verify off-origin URLs are ignored.Checklists
Draft Checklist
N/A
Merge Checklist
N/A
Issue(s) closed
N/A
Docs
Any docs updates needed?
Docs for the new extension framework are included in
src/lib/extensions/README.md.