{{ message }}
Add terminal-mockup canvas extension for marketing screenshots#13612
Merged
Conversation
Self-contained GitHub Copilot app canvas under .github/extensions/terminal-mockup for rendering mock-up gh output as VSCode-styled terminal screenshots. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a self-contained GitHub Copilot Canvas extension under .github/extensions/terminal-mockup that serves a local iframe UI for authoring and exporting VSCode-styled “terminal screenshot” mockups, plus a small on-disk library system for saved mockups and sample templates.
Changes:
- Introduces a loopback HTTP server + SSE channel + REST API for state sync and mockup library CRUD.
- Adds an in-iframe web app (HTML/CSS/JS) that renders ANSI/bracket-marked content and exports images via vendored
html2canvas. - Seeds a set of sample mockups in a committed
library/directory.
Show a summary per file
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 16/17 changed files
- Comments generated: 8
- Restore descendant selector for JetBrains font rule (missing space) - Resolve save dialog promise before closing to avoid sync close-event race - Add fontSize and bodyGradient to set_options schema (already in state) - Guard against canvas.toBlob returning null in both export paths - Fix README markup reference (no [c:#hex] or [/]) and chrome list (no Windows) - Reword export location to match browser behaviour Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Two-model security review found: - DNS-rebinding + cross-origin CSRF: an attacker page can hit the loopback server through a rebound DNS name or a localhost-permissive page and read/write mockup files without any check. Now rejects any request whose Host header is not 127.0.0.1:<port> or localhost:<port>, and any request whose Origin (if present) is not loopback. - Symlink-following on writeMockup/deleteMockup: a malicious PR could land a symlink at library/<slug>.json pointing at ~/.bashrc, ~/.ssh/*, etc., and any subsequent save under that slug would overwrite the link target. refuseSymlink() now lstats first and refuses if the target is a symlink. Verified end-to-end against the running canvas: legitimate flows still succeed (200), rebound-Host probes are blocked (403), cross-origin POSTs are blocked (403), symlink overwrite is refused and the link target is untouched. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
laserlemon
added a commit
to laserlemon/gh-cru
that referenced
this pull request
Jun 9, 2026
Three call sites (score.Compute, format_test.mkScore, demo-output.buildScore) swap cru.SizeOf -> cru.CalculateSize. JSON output for cli/cli#13612 is byte-identical.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a GitHub Copilot app canvas extension under
.github/extensions/terminal-mockupthat renders mock-upghoutput as VSCode-styled terminal screenshots, intended for producing standardized demo materials for design discussions or marketing use-cases.Key Points
The extension is a self-contained GitHub Copilot App canvas. The SDK entry point (
extension.mjs) spins up a loopback HTTP server on a random port, serves a small static iframe app, and exposes an SSE channel and a REST API so the agent can drive content and options from one side while the user edits in the iframe on the other.Rendering is done in-browser with the VSCode Dark+ palette and the GitHub Mono font, then rasterized to PNG with a vendored html2canvas 1.4.1 bundle (MIT, unmodified). No build step, no Node dependencies beyond the SDK.
Content authoring supports raw ANSI escapes plus a more readable bracket markup (
[red],[bold],[c:#hex],[/], etc.), and an auto-style toggle that colorizes commonghoutput patterns (PR/issue states, labels, checkboxes, timestamps) without inline tags.Mockups live in two libraries: the
library/directory committed with the repo, plus a user-scoped directory under$COPILOT_HOMEfor local-only experiments. The agent can save, load, list, delete, and batch export across both.