Skip to content

feat(rich-markdown-editor): live media embeds + shared embed detection util#5290

Merged
waleedlatif1 merged 4 commits into
stagingfrom
worktree-rich-editor-embeds
Jun 30, 2026
Merged

feat(rich-markdown-editor): live media embeds + shared embed detection util#5290
waleedlatif1 merged 4 commits into
stagingfrom
worktree-rich-editor-embeds

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • Shared embed detection — extract getEmbedInfo/EmbedInfo into a pure @sim/utils/media-embed module (string → {url, type, aspectRatio}); the workflow note block now imports it instead of carrying its own ~270-line copy
  • Live media embeds in the rich markdown editor — a new LinkEmbed ProseMirror widget-decoration plugin renders players (YouTube, Vimeo, Spotify, Dropbox, …) beneath a standalone link, in both editing and read-only surfaces (Linear/Notion-style auto-embed via StarterKit autolink)
  • The document stays a plain markdown link — embeds never enter the schema or the serialized markdown, so round-trips stay lossless. Widgets are keyed by source URL so iframes don't reload on keystrokes
  • Embeds are gated behind an opt-in embeds flag — on for the file editor, off for the compact modal fields
  • Knowledge chunk editor polished to the file editor's centered reading frame (max-w-[48rem]), kept plaintext to preserve exact text fidelity for embeddings (tokenizer overlay + token count intact)

Type of Change

  • New feature
  • Refactor (shared util extraction)

Testing

  • New media-embed.test.ts (7) — platform detection + Dropbox host-validation security cases
  • New link-embed.test.ts (5) — renders for standalone embeddable links, lossless markdown round-trip, no embed for inline/non-embeddable links, off when disabled
  • Full rich-markdown-editor suite: 195/195 pass · apps/sim tsc 0 errors · both packages typecheck · monorepo boundary + realtime prune checks pass

Note

This carries forward the Dropbox host-validation hardening from #5288 into the shared util. Since this branch removes the inline getEmbedInfo from note-block-view.tsx (which #5288 patches), the two will conflict — recommend merging #5288 first, then this rebases to "inline removed, fix lives in the util."

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
@waleedlatif1 waleedlatif1 requested a review from a team as a code owner June 30, 2026 17:58
@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jun 30, 2026 6:26pm

Request Review

@cursor

cursor Bot commented Jun 30, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Third-party iframe/video sources and hostname-gated URL rewriting affect XSS/embed surface area; behavior is covered by tests and mirrors existing note-block rendering.

Overview
Adds live media embeds to the workspace file rich markdown editor and centralizes URL→player resolution in @sim/utils/media-embed.

Shared utilgetEmbedInfo / EmbedInfo move out of note-block-view.tsx into @sim/utils/media-embed, with hostname checks before provider regexes (including Dropbox direct-link rewrite). Workflow note blocks import the util; @sim/workflow-renderer gains a @sim/utils peer dependency.

Rich markdown editor — Optional embeds on createMarkdownEditorExtensions wires in a LinkEmbed TipseMirror plugin that paints iframe/video/audio players under standalone paragraph links (Notion/Linear-style); inline links stay plain. Widget decorations keep markdown serialization unchanged. The file editor enables embeds: true; compact fields keep the default off.

Knowledge chunk editor — Layout only: centered max-w-[48rem] reading column aligned with the file editor; content stays plaintext for embedding fidelity.

Tests cover media-embed (platforms + host spoofing) and LinkEmbed (render rules, round-trip, opt-out).

Reviewed by Cursor Bugbot for commit 427f8d4. Configure here.

@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds shared media embed detection and live embeds for the rich markdown editor. The main changes are:

  • Shared getEmbedInfo utility in @sim/utils/media-embed.
  • Note block rendering moved to the shared embed utility.
  • Rich markdown editor widget decorations for standalone media links.
  • Opt-in embed support for the file editor surface.
  • Centered plaintext layout updates for the knowledge chunk editor.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
packages/utils/src/media-embed.ts Adds the shared embed detection utility with parsed host validation for provider embeds.
packages/workflow-renderer/src/note/note-block-view.tsx Replaces the inline embed detection logic with the shared utility.
apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/embed/link-embed.ts Adds standalone link embed decorations without changing serialized markdown.

Reviews (3): Last reviewed commit: "refactor(media-embed): tighten comments ..." | Re-trigger Greptile

Comment thread packages/utils/src/media-embed.ts Outdated
…n util

- Extract getEmbedInfo/EmbedInfo into pure @sim/utils/media-embed (carries the
  PR #5288 dropbox host-validation hardening); repoint the note block to it
- Add LinkEmbed: a ProseMirror widget-decoration plugin that renders media
  players (YouTube, Vimeo, Spotify, Dropbox, …) beneath standalone links in the
  rich markdown editor, in both editing and read-only surfaces. The document
  stays a plain markdown link, so markdown round-trips stay lossless
- Gate embeds behind an opt-in flag (on for the file editor, off for modal fields)
- Polish the knowledge chunk editor to the file editor's centered reading frame
  while keeping it plaintext for exact embedding fidelity
Validate each platform against the URL's parsed host before extracting, so a
look-alike host (youtube.com.evil.com) or a provider domain in the path
(evil.com/youtube.com/...) can no longer render a trusted-looking embed. Dropbox
is no longer a special case — all providers share the hostMatches gate. Also
consolidates the five Spotify branches and orders Twitch clip before channel.
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Key embed widgets by source + per-source occurrence index so two standalone
links to the same URL render as two distinct players instead of collapsing into
one, while keeping the key stable across unrelated edits (no iframe reload).
- Drop the redundant paragraph type-check in getStandaloneLinkHref (the caller
  already filters to paragraphs) and rename the param for clarity
- Remove an inline comment and a TSDoc sentence that restated logic documented
  elsewhere
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 427f8d4. Configure here.

@waleedlatif1 waleedlatif1 merged commit ca0a7ff into staging Jun 30, 2026
11 checks passed
@waleedlatif1 waleedlatif1 deleted the worktree-rich-editor-embeds branch June 30, 2026 18:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant