docs(prompt): Add HTML5 app serving route implementation prompt

Mbd06b · claude · Mbd06b · commit f55ba2e3096b · 2026-01-08T22:06:37.000Z
Document architecture for serving extracted ZIP content via /apps/{appId}/{path}: - Blob storage for ZIP files with seeder upload - Doorway /apps/ route with ZIP extraction - LRU cache for extracted app files - Content-Type detection and security considerations This enables server-side rendering for interactive HTML5 content like the Evolution of Trust simulation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.claude/prompts/html5-app-serving.md b/.claude/prompts/html5-app-serving.md
@@ -0,0 +1,155 @@
+# HTML5 App Serving Route Implementation
+
+## Goal
+Implement server-side rendering for HTML5 applications, serving extracted ZIP content from blob storage via `/apps/{appId}/{path}` routes. Must work in both web and native Tauri modes.
+
+## Architecture
+
+**Doorway** = Projection layer (read-only view cache from P2P content-server layer, includes both DHT and storage backends)
+**elohim-storage** = Backend storage layer (SQLite metadata, blob storage)
+
+### Deployment Modes
+
+| Mode | App Serving |
+|------|-------------|
+| **Web** | Browser → Doorway `/apps/` → elohim-storage blob |
+| **Native (Tauri)** | Tauri → Local conductor `/apps/` → Local blob storage |
+
+The `/apps/` route lives in Doorway for web deployments, but native Tauri apps need equivalent local serving capability - either via embedded conductor or bundled assets.
+
+## Context
+
+### Current State
+- HTML5 app metadata stored inline in SQLite (`content_body`)
+- ZIP files exist in `genesis/docs/content/fct/` (e.g., `evolution-of-trust.zip` - 7MB)
+- Content JSON references ZIP via `metadata.localZipPath`
+- Angular `IframeRenderer` expects URL: `${baseUrl}/apps/${appId}/${entryPoint}`
+- Currently falls back to `fallbackUrl` since `/apps/` route doesn't exist
+
+### Content Structure
+```json
+{
+  "id": "simulation-evolution-of-trust",
+  "contentFormat": "html5-app",
+  "content": {
+    "appId": "evolution-of-trust",
+    "entryPoint": "index.html",
+    "fallbackUrl": "https://ncase.me/trust/"
+  },
+  "metadata": {
+    "localZipPath": "docs/content/fct/evolution-of-trust.zip",
+    "embedStrategy": "iframe",
+    "securityPolicy": {
+      "sandbox": ["allow-scripts", "allow-same-origin"],
+      "csp": "default-src 'self'; script-src 'unsafe-inline'"
+    }
+  }
+}
+```
+
+## Implementation Tasks
+
+### 1. Blob Storage for ZIPs (elohim-storage)
+Update seeder to upload ZIP files:
+- Read ZIP from `metadata.localZipPath`
+- Upload to blob storage via `/blob/` endpoint
+- Store returned `blob_hash` in content record
+- Track `blob_cid` for IPFS compatibility
+
+### 2. Doorway `/apps/` Route (Web Mode)
+Create `holochain/doorway/src/routes/apps.rs`:
+
+```rust
+// Route: GET /apps/{app_id}/{path:.*}
+// 1. Look up content by appId (via storage backend)
+// 2. Get blob_hash from content record
+// 3. Fetch ZIP from elohim-storage blob endpoint
+// 4. Extract requested file from ZIP (with caching)
+// 5. Serve with appropriate Content-Type
+```
+
+### 3. Native Tauri Support
+Options for native app serving:
+- **Option A**: Bundle HTML5 apps as Tauri assets, serve via `tauri://` protocol
+- **Option B**: Local blob cache with embedded HTTP server
+- **Option C**: Extract to temp directory on first access, serve via file:// URLs
+
+IframeRenderer must detect mode and construct appropriate URL:
+```typescript
+// Web: https://doorway.example.com/apps/evolution-of-trust/index.html
+// Native: tauri://localhost/apps/evolution-of-trust/index.html
+//     or: file:///path/to/extracted/evolution-of-trust/index.html
+```
+
+### 4. ZIP Extraction Service
+Create extraction service (shared between doorway and native):
+- In-memory ZIP extraction using `zip` crate
+- LRU cache for extracted apps (configurable size limit)
+- Lazy extraction: only extract files as requested
+- Full extraction option for frequently accessed apps
+
+### 5. Content-Type Detection
+Map file extensions to MIME types:
+```rust
+".html" => "text/html"
+".js" => "application/javascript"
+".css" => "text/css"
+".png" => "image/png"
+".svg" => "image/svg+xml"
+".json" => "application/json"
+".wasm" => "application/wasm"
+```
+
+## File Structure
+```
+holochain/doorway/src/
+├── routes/
+│   ├── mod.rs          # Add apps module
+│   └── apps.rs         # NEW: /apps/ route handler
+└── services/
+    ├── mod.rs          # Add app_extractor module
+    └── app_extractor.rs # NEW: ZIP extraction + caching
+
+elohim-app/src-tauri/
+└── src/
+    └── apps.rs         # Native app serving (if Option B/C)
+```
+
+## API Design
+
+### GET /apps/{app_id}/{path}
+- **200**: File content with appropriate Content-Type
+- **404**: `{ "error": "not_found", "fallback": "https://..." }`
+- **500**: Extraction or blob fetch error
+
+### Cache Headers
+```
+Cache-Control: public, max-age=31536000, immutable
+ETag: {blob_hash}-{file_path_hash}
+```
+
+## Security Considerations
+- Path traversal prevention (no `..` in paths)
+- Content-Security-Policy from metadata
+- Sandbox attributes for iframe embedding
+- No execution of server-side code from ZIPs
+- Tauri: Ensure proper permissions for local file access
+
+## Testing
+1. **Web**: Upload ZIP to blob storage, request via Doorway
+2. **Native**: Bundle or cache ZIP locally, request via Tauri protocol
+3. Verify game loads in iframe in both modes
+
+## Dependencies
+- `zip` crate for extraction
+- `mime_guess` crate for Content-Type detection
+- Existing blob storage infrastructure
+- Tauri custom protocol handler (for native)
+
+## Related Files
+- `elohim-app/src/app/lamad/renderers/iframe-renderer/iframe-renderer.component.ts`
+- `elohim-app/src/app/lamad/content-io/plugins/html5-app/html5-app-format.plugin.ts`
+- `genesis/data/lamad/content/simulation-evolution-of-trust.json`
+- `genesis/docs/content/fct/evolution-of-trust.zip`
+- `holochain/doorway/src/routes/mod.rs`
+- `holochain/elohim-storage/src/blob_store.rs`
