fix(shared-ui): replace AJV validator with cfworker for CSP-safe webview validation

[dsapandora]

Before	After

Summary

• VSCode webview CSP forbids unsafe-eval; @rjsf/validator-ajv8 compiles schemas via new Function(), which throws on save.
• Added csp-safe-validator.ts wrapping @cfworker/json-schema (pure-JS, no eval/Function) behind RJSF's ValidatorType interface.
• Switched rjsf.ts and NodeConfigPanel.tsx from @rjsf/validator-ajv8 to the new wrapper.
• Added @cfworker/json-schema@^4.1.1 to shared-ui/package.json dependencies.
• Wrapper maps cfworker errors to RJSF's RJSFValidationError shape and builds errorSchema tree for inline field errors.
• Node config forms now save without CSP violations; validation, required checks and inline errors keep working client-side.

Type

bug fix

Testing

• Tests added or updated
• Tested locally
• ./builder test passes

Checklist

• Commit messages follow conventional commits
• No secrets or credentials included
• Wiki updated (if applicable)
• Breaking changes documented (if applicable)

Linked Issue

Fixes #

Summary by CodeRabbit

• Improvements
  • Form validation system now compatible with Content Security Policy compliant environments, ensuring forms function properly across all supported configurations and security requirements.

[coderabbitai]

Caution

Review failed

Failed to post review comments

📝 Walkthrough

Walkthrough

This PR replaces the RJSF validator implementation with a CSP-safe alternative. A new validator module is created using @cfworker/json-schema to avoid eval-based validation, a dependency is added to package.json, and two import statements are updated to use the new validator.

Changes

CSP-Safe Validator Implementation

Layer / File(s)	Summary
Dependency Addition packages/shared-ui/package.json	Added @cfworker/json-schema as a new runtime dependency at version ^4.1.1.
Validator Core Implementation packages/shared-ui/src/components/canvas/util/csp-safe-validator.ts	New CSP-safe validator class CspSafeValidator implemented using cfworker/json-schema instead of AJV8. Includes error mapping from cfworker outputs to RJSF error structures, error schema construction, and ValidatorType methods for form validation, error listing, and validity checks.
Validator Wiring packages/shared-ui/src/components/canvas/components/panels/node-config/NodeConfigPanel.tsx, packages/shared-ui/src/components/canvas/util/rjsf.ts	Import statements updated from @rjsf/validator-ajv8 to the new local csp-safe-validator module in both files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

module:ui

Suggested reviewers

• jmaionchi
• stepmikhaylov
• Rod-Christensen

Poem

🐰 Hop, hop—CSP's in the way,
So eval goes out, cfworker comes to play!
No eval rules, just schemas clean and bright,
Form validation flows, safe from policies' might! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing the AJV validator with cfworker for CSP-safe validation, which is the core purpose of this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/csp-unsafe-eval

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

No description provided.

[dsapandora]

My idea behind this solution:

The original error chain

Form.onSubmit
  → validateFormWithFormData
    → SchemaUtils.retrieveSchema           [@rjsf/utils]
      → resolveSchema → withExactlyOneSubschema
        → validator.isValid(...)           ← validator is invoked here
          → AJV.compileSchema
            → new Function(<generated code>)   ← CSP block ❌

@rjsf/utils and @rjsf/core carry no validation logic of their own — they delegate every check to whichever validator object the <Form> receives as a prop. When that validator is @rjsf/validator-ajv8, AJV compiles the JSON Schema by generating a JavaScript source string and instantiating it with new Function(...). The VSCode webview CSP omits unsafe-eval, so the new Function call throws and form save dies.

After my fix:

1. Single injection point — RJSF accepts any object that satisfies the ValidatorType interface (validateFormData, isValid, rawValidation, toErrorList). The <Form> doesn't care who implements it.

2. Import switch — in rjsf.ts and NodeConfigPanel.tsx I replace import validator from '@rjsf/validator-ajv8' with import validator from './csp-safe-validator'. The object passed to <Form validator={validator}> is now our wrapper.

3. Eval-free internal implementation — the wrapper instantiates new Validator(schema) from @cfworker/json-schema, a pure recursive JSON Schema interpreter: validation walks the schema tree with if/switch/typeof and executes native JS. It never compiles the schema to a function string, never calls new Function, never uses eval.

4. Post-fix chain:

   Form.onSubmit
     → validateFormWithFormData
       → SchemaUtils.retrieveSchema         [@rjsf/utils, unchanged]
         → resolveSchema → withExactlyOneSubschema
           → validator.isValid(...)
             → CspSafeValidator.isValid     ← new wrapper
               → new Validator(schema).validate(formData)   [cfworker]
                 → native recursion, no eval ✅
   

5. Error mapping — cfworker returns OutputUnit { keyword, keywordLocation, instanceLocation, error }. The wrapper translates each one into the RJSFValidationError { name, schemaPath, property, message, stack } shape that @rjsf/utils expects, and builds the errorSchema tree (nested structure keyed by field path) so errors render inline on the correct field.

Why this is non-invasive

• Zero RJSF source code is modified.
• The wrapper is a drop-in: same interface, equivalent behaviour, different internal implementation.
• The only observable change is that validation no longer requires unsafe-eval to run, so the form saves without a CSP violation.