fix: don't blindly load esm scripts

[useafterfree]

Addresses: #46

Summary by CodeRabbit

• Tests

  • Added test suite for SDK loader functionality.

• Chores

  • Updated build configuration for esbuild support.
  • Refactored SDK initialization to improve bundled module loading and import mapping.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors bundled UnicornStudio SDK loading to use blob URLs and import maps for extension scripts. A new CDN URL constant is exported, blob URLs are created for bundled extensions, the model-renderer import is rewritten, and an import map redirects the model-renderer URL to the rewritten blob. The core script is injected separately. Comprehensive tests validate the new behavior. Build config enables esbuild support.

Changes

Bundled SDK Loading Refactor

Layer / File(s)	Summary
SDK constant and import map type contract src/shared/constants.ts, src/shared/sdk-loader.ts	Introduces UNICORN_STUDIO_MODEL_RENDERER_URL constant for the model-renderer extension CDN and exports BundledUnicornStudioImportMap interface to type the injected import map script.
Bundled SDK loader refactoring src/shared/sdk-loader.ts	Refactors loadBundledSdk() to create blob URLs for bundled extension scripts, rewrite the model-renderer's three-bundle import to reference the blob URL, inject an import map that redirects UNICORN_STUDIO_MODEL_RENDERER_URL to the rewritten blob, and inject only the core script to the page.
SDK loader test suite src/__tests__/sdk-loader.test.ts	Adds Vitest test suite with hoisted mock bundled SDK, test helpers for dynamic import and DOM cleanup, setup/teardown that stubs URL.createObjectURL and intercepts document.head.appendChild to execute inline scripts in JSDOM, and three test cases for core script injection, import map registration, and external SDK URL loading.
Build configuration pnpm-workspace.yaml	Enables esbuild builds in the pnpm workspace by adding allowBuilds.esbuild: true.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A bundled SDK hops with grace,
Blobs and maps take their place,
Extensions rewrite with care and might,
Tests ensure every import flows right! 🌟

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly addresses the main problem solved in the PR: preventing blind loading of ESM scripts by implementing selective script injection with import map rewriting.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/shared/sdk-loader.ts (1)

129-137: Make the model-renderer import rewrite slightly more defensive (optional)

• The bundled model-renderer content uses from "./three-bundle.js" (with whitespace), so the current /from\s+["']\.\/three-bundle\.js["']/ pattern matches.
• Optional: switching to \s* would still handle any future bundling/minification that removes the whitespace.

🔧 Proposed fix to handle varying whitespace

   return modelRendererContent.replace(
-    /from\s+["']\.\/three-bundle\.js["']/,
+    /from\s*["']\.\/three-bundle\.js["']/,
     `from "${threeBundleUrl}"`,
   );

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/shared/sdk-loader.ts` around lines 129 - 137, The regex in
rewriteModelRendererImport is fragile to variations in whitespace; update the
pattern used in rewriteModelRendererImport to allow zero-or-more whitespace
between from and the module path (use \s* instead of \s+) so minified/bundled
output without a space still matches, keeping the rest of the pattern (including
the escaped dot and quote handling) the same; ensure you update the replace call
that uses that regex so modelRendererContent.replace(...) still substitutes with
`threeBundleUrl`.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/shared/sdk-loader.ts`:
- Around line 129-137: The regex in rewriteModelRendererImport is fragile to
variations in whitespace; update the pattern used in rewriteModelRendererImport
to allow zero-or-more whitespace between from and the module path (use \s*
instead of \s+) so minified/bundled output without a space still matches,
keeping the rest of the pattern (including the escaped dot and quote handling)
the same; ensure you update the replace call that uses that regex so
modelRendererContent.replace(...) still substitutes with `threeBundleUrl`.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b4711cb5-3541-42c0-aba8-c8223370e67c

📥 Commits

Reviewing files that changed from the base of the PR and between f775ab5 and 5ca2bde.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• pnpm-workspace.yaml
• src/__tests__/sdk-loader.test.ts
• src/shared/constants.ts
• src/shared/sdk-bundle.ts
• src/shared/sdk-loader.ts

[diegopeixoto]

Gonna check, sorry for the delay, my father in law passed away.

cc @GeorgeHastings

[GeorgeHastings]

Sorry to hear @diegopeixoto !

Im a little over my ski's here but it LGTM