Releases: Fortemi/HotM

HotM 2026.6.0

02 Jun 14:47
v2026.6.0
7aa7a7d

Release 2026.6.0

HotM 2026.5.14

26 May 06:22
v2026.5.14
539ccb4

Release 2026.5.14

HotM 2026.5.13

18 May 17:53
v2026.5.13
2b88f8c

Release 2026.5.13

HotM 2026.5.12

16 May 02:14
v2026.5.12
7b5f90b

Targeted follow-up to v2026.5.11's security batch. Drops 'unsafe-inline' and 'unsafe-eval' from CSP script-src, and tightens Mermaid's securityLevel from 'loose' to 'strict'.

Closes #219.

Why this was possible

The conventional wisdom is that Mermaid / KaTeX / React-heavy SPAs require unsafe-eval and unsafe-inline. A direct survey of the production dist/ artifact showed that's not true for this codebase:

| Check on built bundle (4.0 MB main + 930 KB lazy ModelPreview) | Result |
| --- | --- |
| eval(...) calls | 0 (4 raw grep hits were syntax-highlighter regex tokens like `/eval(?:cmd)? |
| new Function(...) calls | 0 |
| Function("...") constructor calls | 0 (1 raw match was KaTeX's r.callFunction method) |
| Inline <script> blocks in index.html | 0 (both script tags use src=) |

Heavy deps analyzed in node_modules vs what actually reaches the bundle:

  • mermaid 11.x: zero eval/Function in shipped dist
  • katex: produces static HTML; no runtime eval
  • d3 (transitive): 2 source files use Function() — Vite tree-shook them out
  • three.js (via @google/model-viewer): 9 source files use eval/Function — built ModelPreview chunk had 0 in output

Vite's tree-shaking plus Mermaid 11's modernization had already eliminated the paths that would have needed those directives. They were defensive boilerplate, not runtime requirements.

Changes

CSP (ui/src-tauri/tauri.conf.json):

- script-src 'self' 'unsafe-inline' 'unsafe-eval'
+ script-src 'self'
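Review bot: the grep survey behind dropping 'unsafe-eval' covers eval and Function but not WebAssembly, which script-src also blocks unless 'wasm-unsafe-eval' (or 'unsafe-eval') is listed; the lazily loaded ModelPreview chunk (three.js via @google/model-viewer) is the most likely place for a .wasm decoder to be pulled in at runtime, so grep that chunk for WebAssembly.instantiate / .wasm before merging and, if it turns up, add 'wasm-unsafe-eval' rather than restoring 'unsafe-eval'. Also, everything under Verification is build-time; the runtime check listed under "Still pending" is what proves this line holds on all three WebViews, so either gate the release on it or at least add a test that reads tauri.conf.json and asserts script-src is exactly 'self', so the blanket directives cannot quietly come back.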

style-src 'self' 'unsafe-inline' is intentionally kept: 37+ source files use React's style={{}} prop, and Radix UI internals inject inline styles for animations. Removing it requires a refactor, and CSS injection has a fundamentally smaller blast radius than script execution. One caveat for that refactor: style-src governs <style> elements and style attributes that arrive as markup or via setAttribute, not styles assigned through the CSSOM (element.style.x = ...), which is how React applies the style prop at runtime, so the inventory that matters is the <style> tags and attribute strings that library internals inject.
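A policy string like the one in tauri.conf.json is easy to get subtly wrong (a missing script-src silently falls back to default-src, a repeated directive is ignored, 'unsafe-inline' is neutralised by any nonce/hash source). The following is an added example, not HotM's code, of a linter that applies those rules to the before and after policies from the hunk above. The full policy strings and the config paths it reads (app.security.csp for Tauri v2, tauri.security.csp for v1) are assumptions; only the script-src line is on this page. It handles Tauri's string form of the csp setting, not the object form.

```javascript
'use strict';
// Added example, not HotM project code: lint the csp policy string from
// tauri.conf.json before it ships. Node.js, no dependencies.

// Parse "a b c; d e" into Map(directive -> [sources]). CSP ignores a repeated
// directive after the first occurrence, and directive names are
// case-insensitive.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src and style-src fall back to default-src when absent; with neither
// present the browser applies no restriction to that resource type at all.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || null;
}

// Nonce or hash sources make CSP2+ browsers ignore 'unsafe-inline'.
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/i;

function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = effectiveSources(d, 'script-src');
  if (script === null) {
    findings.push({ level: 'error', directive: 'script-src',
                    msg: 'neither script-src nor default-src is set; scripts are unrestricted' });
  } else {
    const lower = script.map((s) => s.toLowerCase());
    if (lower.includes("'unsafe-eval'")) {
      findings.push({ level: 'error', directive: 'script-src',
                      msg: "'unsafe-eval' re-enables eval()/new Function(); keep it only if the built bundle provably needs it (use 'wasm-unsafe-eval' if the need is WebAssembly)" });
    }
    if (lower.includes("'unsafe-inline'")) {
      const neutralized = lower.some((s) => NONCE_OR_HASH.test(s));
      findings.push({ level: neutralized ? 'info' : 'error', directive: 'script-src',
                      msg: neutralized
                        ? "'unsafe-inline' is ignored because nonce/hash sources are present; drop it"
                        : "'unsafe-inline' allows any inline script; use 'sha256-...' or nonce sources instead" });
    }
    if (lower.some((s) => s === '*' || s === 'http:' || s === 'https:' || s === 'data:')) {
      findings.push({ level: 'error', directive: 'script-src',
                      msg: 'wildcard or scheme source lets scripts load from anywhere' });
    }
  }
  const style = effectiveSources(d, 'style-src');
  if (style && style.some((s) => s.toLowerCase() === "'unsafe-inline'")) {
    findings.push({ level: 'warn', directive: 'style-src',
                    msg: "'unsafe-inline' on style-src: CSS injection only, smaller blast radius than script, but track it" });
  }
  return findings;
}

// Assumed config layout: Tauri v2 keeps the policy at app.security.csp, v1 at
// tauri.security.csp. Returns null when no string policy is found.
function lintTauriConfig(conf) {
  const csp = conf?.app?.security?.csp ?? conf?.tauri?.security?.csp ?? null;
  return typeof csp === 'string' ? lintCsp(csp) : null;
}

module.exports = { parseCsp, effectiveSources, lintCsp, lintTauriConfig };
```

Run against the assumed pre-change policy `default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'` it reports two errors on script-src and the accepted style-src warning; against the post-change policy only the style-src warning remains. Wiring `lintTauriConfig(require('./ui/src-tauri/tauri.conf.json'))` into the quality-gate job and failing on any `error` finding is the cheap way to keep this release's change from regressing.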

Mermaid (ui/src/components/MermaidRenderer.tsx):

- securityLevel: 'loose',
+ securityLevel: 'strict',
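Review bot: 'strict' also disables Mermaid's click interactivity in diagrams, not only HTML in labels, so any note that relies on click directives loses it silently; the release note should say so. "No in-tree usage of HTML-in-labels was detected" covers the repository, but the labels that matter come from user notes, so add a test to the MermaidRenderer suite that renders a diagram whose label contains an HTML tag with an event-handler attribute and asserts the returned SVG carries neither, pinning the setting against a regression to 'loose'.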

'loose' allowed HTML in node labels; that is the reachable XSS surface which the npm-advisory patch for #213 in v2026.5.11 addressed only at the library-version level. 'strict' is the Mermaid library default: HTML tags in label text are encoded, so neither markup nor script reaches the rendered diagram. No in-tree usage of HTML-in-labels was detected.

Verification

  • npm run typecheck: pass
  • npm test -- --run: 96 test files, 1427/1427 tests pass
  • npm run build: pass
  • npm audit on both ui/ and agent-proxy/: 0 vulnerabilities (unchanged from v2026.5.11)
  • act_runner exec -j quality-gate -W .gitea/workflows/ui-ci.yml: success

Still pending (manual)

Tauri desktop runtime verification: open DevTools after a desktop build, render a note containing a Mermaid diagram and KaTeX math (both inline and block), and confirm that no "Refused to execute inline script" or "Refused to evaluate string" console messages appear on:

  • macOS WebKit
  • Windows WebView2
  • Linux WebKitGTK

Those three WebView engines enforce CSP at runtime, independently of anything Vite assumed at build time, so a violation can only surface there. If one does, allow back the specific script with a hash or nonce source (or 'unsafe-hashes' plus a hash for an inline event-handler attribute) rather than re-adding the blanket directives.
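Reading "Refused to ..." lines off the console is engine-specific and loses detail. The following is an added example, not HotM's code, of a small reporter to paste into DevTools (or ship behind a dev flag) before the manual run: it listens for the securitypolicyviolation event, which all three WebViews dispatch with structured fields (directive, whether the blocked thing was 'inline' or 'eval', source file and line, a short sample), and maps each violation to the narrowest fix the note above recommends. The browser wiring at the bottom is assumed; the helpers are plain functions so they can run under Node with constructed event objects.

```javascript
'use strict';
// Added example, not HotM project code: structured CSP violation reporter for
// the Tauri desktop runtime check. securitypolicyviolation is a standard DOM
// event; the field names below are the ones the spec defines on it.

// Shape one violation so it maps straight onto the narrowest fix: a hash or
// nonce for a blocked inline script, a code change for eval, nothing blanket.
function summarizeViolation(ev) {
  const directive = ev.effectiveDirective || ev.violatedDirective || '?';
  const blocked = ev.blockedURI || '?';
  let remedy;
  if (blocked === 'inline') {
    remedy = directive.startsWith('script')
      ? "hash or nonce the specific script, or 'unsafe-hashes' plus a hash for an inline event handler attribute"
      : 'nonce the <style> element or move the rule into a stylesheet';
  } else if (blocked === 'eval') {
    remedy = 'find the eval()/new Function() call site in the bundle; do not re-add unsafe-eval';
  } else {
    remedy = `add ${blocked} to ${directive} only if that load is expected`;
  }
  return {
    directive,
    blocked,
    disposition: ev.disposition || 'enforce',
    where: ev.sourceFile ? `${ev.sourceFile}:${ev.lineNumber || 0}:${ev.columnNumber || 0}` : '(no source)',
    sample: ev.sample || '',   // the spec truncates this to the first 40 characters
    remedy,
  };
}

// Attach to any EventTarget (document in a browser). Violations are collected
// so they can be dumped as JSON at the end of the manual run on each platform.
function installCspReporter(target, log = console.warn) {
  const violations = [];
  const onViolation = (ev) => {
    const summary = summarizeViolation(ev);
    violations.push(summary);
    log('CSP violation', summary);
  };
  target.addEventListener('securitypolicyviolation', onViolation);
  return {
    violations,
    dump: () => JSON.stringify(violations, null, 2),
    uninstall: () => target.removeEventListener('securitypolicyviolation', onViolation),
  };
}

// Browser wiring (assumed usage): install on document, render the note, then
// read __cspReport.dump() in the console.
if (typeof document !== 'undefined') {
  globalThis.__cspReport = installCspReporter(document);
  console.log('CSP reporter installed; run __cspReport.dump() after rendering');
}

if (typeof module !== 'undefined') module.exports = { summarizeViolation, installCspReporter };
```

An empty `dump()` after rendering Mermaid and KaTeX content on macOS WebKit, Windows WebView2 and Linux WebKitGTK is the pass condition for the pending item; a non-empty one tells you, per violation, whether the answer is a hash source, a nonce or a code change.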

Component versions

  • ui 2026.5.12 (this release)
  • agent-proxy 0.1.0 (unchanged from v2026.5.11)
  • Bundled Fortemi sidecar v2026.5.6 (unchanged)

Issues

  • Closed: #219
  • Open follow-ups from v2026.5.11: #220 (CI: GT_ACCESS_TOKEN missing), #221 (CI: publish-release if-conditional misfire) — both pre-existing CI infrastructure issues, no impact on shipped artifacts

HotM 2026.5.11

16 May 00:00
v2026.5.11
9d1b2a0

Release 2026.5.11

HotM 2026.5.10

12 May 01:56
ff62eca

Release 2026.5.10

HotM 2026.5.9

11 May 23:43
e3fa170

Release 2026.5.9

HotM 2026.5.8

11 May 23:02
c0973f7

Release 2026.5.8

HotM 2026.5.7

11 May 19:43
22ede75

Release 2026.5.7

HotM 2026.5.6

10 May 15:49
b6c7b93

Release 2026.5.6