feat(site): landing page + playground with spiral staircase hero #110
Merged
Greptile Overview
Greptile Summary
This PR adds a complete brepjs website with a landing page and interactive playground. The implementation includes:
Architecture:
Key Technical Decisions:
Code Quality:
Confidence Score: 4/5
Important Files Changed
| try { | ||
| // Wrap user code in a function and execute it | ||
| const fn = new Function(code); |
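Review bot: `new Function(code)` under the "Wrap user code" comment compiles the string in the worker's global scope, so the user code can reach everything the worker global exposes (`fetch`, `importScripts` and so on), not only the CAD API. The comment should say where `code` is allowed to come from, and any source other than the local editor should need an explicit user action before it reaches this call.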
Using new Function() executes arbitrary user code in the worker, which is the intended playground behavior. Properly isolated with Web Worker sandbox and COOP/COEP headers.
Path: site/src/workers/cad.worker.ts
Line: 93:93
Comment on lines +36 to +42
| // We fetch + blob URL to avoid Vite/Rollup trying to resolve it at build time | ||
| const resp = await fetch('/wasm/brepjs_single.js'); | ||
| const jsText = await resp.text(); | ||
| const blob = new Blob([jsText], { type: 'application/javascript' }); | ||
| const blobUrl = URL.createObjectURL(blob); | ||
| const ocModule = await import(/* @vite-ignore */ blobUrl); | ||
| URL.revokeObjectURL(blobUrl); |
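Review bot: `resp.ok` is never checked before `resp.text()`, so a 404 or an HTML error page for `/wasm/brepjs_single.js` is wrapped in a Blob and only fails later inside `import()` with an unrelated parse error. Check `resp.ok` and throw a descriptive error before building the Blob. `URL.revokeObjectURL(blobUrl)` also runs only when the import succeeds; move it into a `finally` so a failed import does not leave the blob URL alive.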
Ensure the /wasm/ directory is only writable during build/deployment, not at runtime, since this code dynamically imports JS from that location.
Path: site/src/workers/cad.worker.ts
Line: 36:42
Add the brepjs website with landing page + interactive playground:
- Landing page with hero 3D viewer, code display, features section
- Playground with Monaco editor, 3D viewer, WASM-powered CAD engine
- CAD studio visual style: warm clay material (#c8c0b8), studio HDRI reflections, contact shadows, dark charcoal edges, CSS vignette
- Shared SceneSetup with Environment, ContactShadows, infinite grid
- Examples cleared for quality rebuild
- Exclude site/ from root Vitest to avoid symlinked dependency tests
Landing page no longer sends Cross-Origin-Embedder-Policy: require-corp, which could interfere with Googlebot crawling. The COEP/COOP headers (needed for SharedArrayBuffer) are now only set on /playground and /wasm/.
…ive layout
- Headline: "Parametric CAD / in TypeScript"
- Features section: "Built on OpenCascade" with shorter, scannable cards
- Hero shape: parametric spiral staircase with column, treads, railing posts, and swept handrail (replaces box-with-hole)
- Hero code: full staircase example showing for-loop, sweep, helix
- Default playground code loads the staircase example
- Hide empty examples section until examples exist
- Remove redundant GitHub button from install section
- Footer: inline Apache-2.0 + GitHub link
- Responsive: mobile-first padding, flex-wrap CTAs, viewer-first order on mobile, scrollable code panel, min-w-0 grid children, overflow-x hidden on root
- Custom thin dark scrollbars for code panels
- Camera near/far adjusted for larger model
…layground mesh
- Add sphere ball endcaps on first and last handrail ends
- Increase hero code/viewer height to 560px from 400px
- Set landing page camera to side profile (15° elevation)
- Rename code preview tab to staircase.ts
- Seed playground viewer with pre-computed hero mesh while WASM loads
- Fix Monaco editor StrictMode crash: switch to uncontrolled mode (defaultValue + keepCurrentModel), make setupMonaco idempotent, guard marker effects against disposed editor
- Remove fillet from hero code (OCCT fails on complex boolean result)
- Add missing ambient types (makeCircle, makeLine, genericSweep)
- Clean up unused filletShape import from precompute script
…ion scan
The playground intentionally evaluates user-authored code via new Function() in a sandboxed Web Worker with no DOM, cookies, or storage access.
ce2d981 to 0256edc
Security hardening from audit:
- Add Content-Security-Policy with connect-src 'self' to restrict Worker fetch() to same-origin, blocking SSRF/exfiltration via shared links
- Allow cdn.jsdelivr.net for Monaco editor CDN loading
- Add pendingReview flag: shared-link code is NOT auto-executed
- Show amber warning banner with Run/Dismiss for URL-loaded code
- Toolbar Run button also clears pendingReview state
The default CodeQL setup is enabled in repo settings and can't coexist with an advanced workflow. The playground's new Function() alerts will be dismissed as intentional in the PR security tab. The CSP headers (connect-src 'self') are the real mitigation for the network vector.
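The shared-link review gate and the `connect-src 'self'` restriction from the security-hardening commit messages above, sketched as an added example (not code from this PR or from brepjs). The `#code=` base64 link format, the state shape, the function names and the behaviour of Dismiss are assumptions.

```javascript
// Added example, not brepjs source. The "#code=" base64 fragment, the state
// shape and every function name here are assumptions for illustration.
const DEFAULT_CODE = "// built-in staircase example";
const POLICY = "connect-src 'self'"; // the one directive the commit names

// Initial editor state. Code that arrived in a shared link is untrusted:
// it is loaded into the editor but flagged so nothing runs it automatically.
function initialState(href) {
  const m = /^#code=([A-Za-z0-9+\/=]+)$/.exec(new URL(href).hash);
  if (!m) return { code: DEFAULT_CODE, pendingReview: false };
  try {
    const bytes = Uint8Array.from(atob(m[1]), (c) => c.charCodeAt(0));
    const code = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    return { code, pendingReview: true };
  } catch {
    return { code: DEFAULT_CODE, pendingReview: false }; // malformed link
  }
}

// Auto-run (on load, on edit) is permitted only when no review is pending.
const mayAutoRun = (state) => !state.pendingReview;

// The banner's Run and the toolbar's Run both clear the flag. Dismiss is
// assumed here to drop the shared code and restore the default.
function reduce(state, action) {
  if (action === "run") return { ...state, pendingReview: false };
  if (action === "dismiss") return { code: DEFAULT_CODE, pendingReview: false };
  return state;
}

// Simplified connect-src check covering 'self' and exact-origin sources only.
// Shows what the worker's fetch() can still reach once the user clicks Run.
function connectAllowed(policy, target, pageOrigin) {
  const directive = policy.split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "connect-src");
  if (!directive) return true; // sketch: a browser would consult default-src
  const origin = new URL(target, pageOrigin).origin;
  return directive.slice(1).some((src) =>
    src === "'self'" ? origin === pageOrigin : src === origin);
}
```

The two controls are independent: the flag decides whether shared code runs at all, and the policy bounds what it can contact after the user chooses to run it.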
brepjs Bot added a commit that referenced this pull request Feb 6, 2026
🤖 I have created a release *beep* *boop*
---
## [4.17.0](brepjs-v4.16.0...brepjs-v4.17.0) (2026-02-06)
### Features
* **site:** landing page + playground with spiral staircase hero ([#110](#110)) ([55cacd3](55cacd3))
---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Co-authored-by: brepjs-bot[bot] <258782221+brepjs-bot[bot]@users.noreply.github.com>
Summary
defaultValue + keepCurrentModel), idempotent setup
SceneSetup with Environment, ContactShadows, infinite grid
Changes
- site/src/lib/constants.ts — HERO_CODE: parametric spiral staircase with handrail helix sweep + ball endcaps
- site/scripts/precompute-hero-mesh.ts — Generates hero-mesh.json matching HERO_CODE
- site/src/components/landing/ — Hero section, code display, features, install, responsive layout
- site/src/components/playground/EditorPanel.tsx — Uncontrolled Monaco to fix React 19 StrictMode disposal crash
- site/src/components/playground/PlaygroundPage.tsx — Seeds viewer with pre-computed mesh on load
- site/src/lib/monacoSetup.ts — Idempotent setup guard for StrictMode double-invoke
- site/src/types/brepjs-ambient.d.ts — Ambient types for playground autocomplete (~80 functions)
Test plan
- npm run typecheck passes