fix(manifest): require http.serve for hosted styles and scripts

Author: gabek

examples/js/scripts-demo/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "scripts-demo",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "private": true,
   "scripts": {
     "build": "owncast-plugin build"

examples/js/scripts-demo/package.json

@@ -2,10 +2,11 @@
   "api": "1",
   "name": "Example Scripts Demo",
   "slug": "scripts-demo",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Ships a JavaScript file that pins a banner to the bottom of the viewer page (and logs to the console) so an admin can see at a glance that the plugin's script loaded, with no dependency on a live stream or chat.",
   "permissions": [
-    "ui.modify"
+    "ui.modify",
+    "http.serve"
   ],
   "scripts": [
     "client.js"

examples/js/scripts-demo/plugin.manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "styles-demo",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "private": true,
   "scripts": {
     "build": "owncast-plugin build"

examples/js/styles-demo/package-lock.json

@@ -2,10 +2,11 @@
   "api": "1",
   "name": "Example Styles Demo",
   "slug": "styles-demo",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Ships a CSS file that pins a banner to the top of the viewer page so an admin can see at a glance that the plugin's stylesheet loaded, with no dependency on a live stream or chat.",
   "permissions": [
-    "ui.modify"
+    "ui.modify",
+    "http.serve"
   ],
   "styles": [
     "theme.css"

examples/js/styles-demo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "viewer-gate",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "private": true,
   "scripts": {
     "build": "owncast-plugin build"

examples/js/styles-demo/plugin.manifest.json

@@ -2,10 +2,11 @@
   "api": "1",
   "name": "Example Viewer Gate",
   "slug": "viewer-gate",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Shows a confirmation modal when a viewer opens the page. Yes dismisses the modal; No redirects away. Demonstrates combining manifest.styles and manifest.scripts in a single plugin.",
   "permissions": [
-    "ui.modify"
+    "ui.modify",
+    "http.serve"
   ],
   "styles": [
     "modal.css"

examples/js/viewer-gate/package-lock.json

@@ -281,11 +281,12 @@ func (m *Manifest) Validate() error {
 		a.Icon = rewritten
 	}
 	// manifest.styles: CSS files the plugin contributes to the viewer
-	// page. The host reads each file from assets/ and concatenates the
-	// bytes into the customStyles response on /api/config, so only
-	// ui.modify is required (the plugin paints inside Owncast's
-	// chrome). Path rules mirror actions (relative paths auto-prefix
-	// to /plugins/<slug>/, cross-plugin paths rejected); external
+	// page. The host serves each file from the plugin's own URL
+	// namespace (/plugins/<slug>/...) and injects it into the viewer,
+	// so both ui.modify (the plugin paints inside Owncast's chrome)
+	// and http.serve (the host serves the bytes) are required. Path
+	// rules mirror actions (relative paths auto-prefix to
+	// /plugins/<slug>/, cross-plugin paths rejected); external
 	// http(s):// targets are rejected outright so admins see every
 	// file that will land in their viewer's global CSS scope.
 	if len(m.Styles) > 0 {
@@ -297,6 +298,11 @@ func (m *Manifest) Validate() error {
 					"so it's visible to anyone reviewing the manifest that " +
 					"the plugin restyles Owncast's UI")
 		}
+		if !hasHttpServe {
+			return errors.New(
+				"manifest.styles requires the \"http.serve\" permission so the " +
+					"host can serve the bundled CSS files at /plugins/<slug>/ URLs")
+		}
 		for i, raw := range m.Styles {
 			if strings.TrimSpace(raw) == "" {
 				return fmt.Errorf("manifest.styles[%d] is empty", i)
@@ -324,8 +330,8 @@ func (m *Manifest) Validate() error {
 	}
 	// manifest.scripts: JS files the plugin contributes to the
 	// viewer page. Same rules as styles, applied to .js entries;
-	// inlined into /customjavascript by the host, so only ui.modify
-	// is required.
+	// the host serves them from /plugins/<slug>/ and loads them into
+	// the viewer page, so ui.modify + http.serve are required.
 	if len(m.Scripts) > 0 {
 		if !hasUIModify {
 			return errors.New(
@@ -335,6 +341,11 @@ func (m *Manifest) Validate() error {
 					"ui.modify so it's visible to anyone reviewing the " +
 					"manifest that the plugin runs code inside Owncast's chrome")
 		}
+		if !hasHttpServe {
+			return errors.New(
+				"manifest.scripts requires the \"http.serve\" permission so the " +
+					"host can serve the bundled JavaScript files at /plugins/<slug>/ URLs")
+		}
 		for i, raw := range m.Scripts {
 			if strings.TrimSpace(raw) == "" {
 				return fmt.Errorf("manifest.scripts[%d] is empty", i)