Add external communication opt-out for browser runtime

[genkio]

Summary

• add an \ option to the browser runtime
• disable the version check, remote font load, and remote open-file fallback when the option is false
• support the option through auto-init via \ and add focused Playwright coverage

Testing

• pnpm typecheck
• pnpm lint
• pnpm exec playwright test e2e/external-communication.spec.ts --project=chromium

---

Note

Medium Risk
Adds a new runtime option that gates network requests, asset loading, and open-file fallbacks; mistakes could silently break expected UX (fonts/version check/open in editor) or regress plugin behavior.

Overview
Adds an allowExternalCommunication option (default true) that can be provided via script data-options and via auto-init through window.__REACT_GRAB_OPTIONS__.

When disabled, the browser runtime now skips the intro version-check request (logIntro), avoids loading remote Google Fonts (mountRoot), and prevents cross-origin HTTP(S) open-file fallbacks by plumbing the flag through the plugin registry/action context and centralizing selection-label + keyboard shortcut open behavior.

Includes new Playwright e2e coverage ensuring no external requests/fonts on init and no remote window.open fallback when the option is off.

^{Written by Cursor Bugbot for commit c4c9aab. This will update automatically on new commits. Configure here.}

---

Summary by cubic

Adds an allowExternalCommunication opt-out to the browser runtime. When disabled, it skips the version check, does not load Google Fonts, and blocks cross-origin HTTP(S) open-file fallbacks from both the keyboard shortcut and the selection label.

• New Features

  • New option: allowExternalCommunication (default true), set via window.__REACT_GRAB_OPTIONS__ and script data-options; auto-init reads and passes it to init.
  • Gates version check (logIntro), Google Fonts (mountRoot), and open-file fallbacks via centralized open logic; plumbed through the plugin registry, action context, renderer, and plugins.
  • Hardened Playwright e2e tests to ensure no version check/fonts on init and no remote open-file fallback by stubbing local editor endpoints and capturing window.open.

• Bug Fixes

  • Selection label "Open" now uses the centralized open flow and respects allowExternalCommunication.
  • Open-file calls now use void for fire-and-forget to avoid dangling promises in UI paths.

^{Written for commit c4c9aab. Summary will update on new commits.}

[vercel]

@genkio is attempting to deploy a commit to the Million Team on Vercel.

A member of the Team first needs to authorize it.

[pullfrog]

This run croaked 😵

The workflow encountered an error before any progress could be reported. Please check the link below for details.

  ^{｜ Rerun failed job ➔ ｜ View workflow run ｜ Triggered by Pullfrog ｜ pullfrog.com ｜ 𝕏}

[cubic-dev-ai]

1 issue found across 10 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/react-grab/src/utils/mount-root.ts">

<violation number="1" location="packages/react-grab/src/utils/mount-root.ts:23">
P1: The `openFile` function's new `allowExternalCommunication` parameter defaults to `true`, which means any call site that wasn't updated will silently bypass the external-communication opt-out. Two call sites in `index.tsx` and `open.ts` were updated, but verify there are no other `openFile` call sites (e.g., in `renderer.tsx` for selection-label clicks) that still pass only `filePath` and `lineNumber`.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: The openFile function's new allowExternalCommunication parameter defaults to true, which means any call site that wasn't updated will silently bypass the external-communication opt-out. Two call sites in index.tsx and open.ts were updated, but verify there are no other openFile call sites (e.g., in renderer.tsx for selection-label clicks) that still pass only filePath and lineNumber.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/react-grab/src/utils/mount-root.ts, line 23:

<comment>The `openFile` function's new `allowExternalCommunication` parameter defaults to `true`, which means any call site that wasn't updated will silently bypass the external-communication opt-out. Two call sites in `index.tsx` and `open.ts` were updated, but verify there are no other `openFile` call sites (e.g., in `renderer.tsx` for selection-label clicks) that still pass only `filePath` and `lineNumber`.</comment>

<file context>
@@ -18,8 +18,13 @@ const loadFonts = () => {
-  loadFonts();
+export const mountRoot = (
+  cssText?: string,
+  allowExternalCommunication = true,
+) => {
+  if (allowExternalCommunication) {
</file context>

[cubic-dev-ai]

1 issue found across 5 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/react-grab/e2e/external-communication.spec.ts">

<violation number="1" location="packages/react-grab/e2e/external-communication.spec.ts:156">
P2: Silent failure risk in Playwright test due to optional chaining on DOM click inside `page.evaluate()`. If the target element is not found, the click is silently skipped and the test's negative assertion (`expect(openUrls ?? []).toEqual([])`) will falsely pass, masking regressions. The test should assert the element exists before clicking or use Playwright's native locators which automatically wait and fail if the target is not found.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}