feat(core): chart rendering contract

[hqhq1025]

Summary

The system prompt now includes a dedicated Chart rendering contract section so the model emits real chart markup instead of label lists or empty section headers. Refactored to align with the cdnjs whitelist landed in #102.

What changed

• New packages/core/src/prompts/chart-rendering.v1.txt (mirrored as CHART_RENDERING in index.ts).
• Section is appended in create and revise modes; excluded from tweak mode.
• Chart contract defers to the cdnjs whitelist in output-rules.v1.txt rather than re-listing libraries (DRY against feat(core): permit cdnjs library whitelist in generated artifacts #102 — single source of truth).
• Adds chart-recipe guidance: rendering choice (Inline SVG / Chart.js / Recharts), chart-type selection (line/bar/donut/scatter/sparkline), mandatory elements, accessible color palette, hover & a11y rules.
• Complements data-viz-recharts.md skill (Recharts-specific styling) without duplicating it.

Addressing the original codex finding

The original PR was flagged because it used esm.sh and cdn.jsdelivr.net, which violated the then-current no CDN rule. After #102 we have a verified cdnjs slug whitelist (recharts, Chart.js, d3, three.js, lodash.js, PapaParse). This refactor:

• Removes every esm.sh / jsdelivr reference from the chart contract.
• Points to "the project's approved cdnjs whitelist" with pinned-version format.
• Tests assert the deprecated open hosts are no longer recommended (esm.sh/recharts, cdn.jsdelivr.net/npm/chart.js).

Tests

• 2 new tests in generate.test.ts: create mode includes chart contract + cdnjs deferral; tweak mode excludes it.
• Drift test passes (.txt ↔ TS constant in sync).
• All 136 core tests + 334 desktop tests green.

Four PRINCIPLES checks

• Compatibility: green — string-only prompt section, no API changes
• Upgradeability: green — new chartRendering key in PROMPT_SECTIONS map (additive)
• No bloat: green — text-only, ~50 lines added
• Elegance: green — defers to output-rules whitelist (DRY)

[github-actions]

Findings

• [Major] Contradictory external-resource policy for charts — the new chart contract instructs loading Chart.js from jsDelivr, but output rules allow only Tailwind CDN and Google Fonts. This creates conflicting directives and can cause invalid artifacts or non-deterministic model behavior, evidence packages/core/src/prompts/index.ts:419 (new) vs packages/core/src/prompts/output-rules.v1.txt:26 (existing policy).
  Suggested fix:

  // packages/core/src/prompts/index.ts (CHART_RENDERING)
  - **Chart.js via CDN** — preferred for interactive charts with hover/animation. Include `<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>` and a `<canvas>` per chart.
  + **Inline SVG** — preferred default for chart rendering in HTML artifacts.
  + **Chart.js** — use only when allowed by global output resource policy; otherwise render equivalent charts with inline SVG.

Summary

• Review mode: initial
• 1 issue found in modified lines.
• docs/VISION.md and docs/PRINCIPLES.md: Not found in repo/docs.

Testing

• Not run (automation)

[github-actions]

[Major] This line conflicts with the existing output-resource policy: output-rules only permits Tailwind CDN + Google Fonts, but this adds jsDelivr Chart.js. Please align by making inline SVG the default and gating Chart.js on allowed-resource policy.

Suggested fix:

- **Chart.js via CDN** — preferred for interactive charts with hover/animation. Include `<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>` and a `<canvas>` per chart.
+ **Inline SVG** — preferred default for chart rendering in HTML artifacts.
+ **Chart.js** — use only when allowed by global output resource policy; otherwise render equivalent charts with inline SVG.

[github-actions]

Findings

• [Major] Chart source policy now conflicts with self-contained output rules — the new chart contract permits Recharts via React + esm.sh and opt-in Chart.js via CDN, which contradicts the existing rule that only Tailwind CDN and Google Fonts are allowed external resources; this can regress generated artifacts into disallowed external script usage. Evidence: packages/core/src/prompts/index.ts:421, packages/core/src/prompts/index.ts:422, packages/core/src/prompts/index.ts:423.
  Suggested fix:

  // Keep chart policy aligned with self-contained output rules.
  - **Recharts via React + esm.sh** — allowed only when the artifact is a React document that already loads ESM modules; never for plain HTML.
  - **Chart.js via CDN** — opt-in fallback only. Do NOT add `<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>` unless the user has explicitly relaxed the self-contained constraint (e.g. "you may use Chart.js" / "external CDNs are fine"). When that opt-in is absent, treat Chart.js as forbidden and render with inline SVG.
  + For artifacts in this app, render charts with inline SVG only.
  + Do not import chart libraries from CDNs or ESM hosts.

Summary

• Review mode: initial
• 1 major issue found in the latest diff.
• Residual risk/testing gap: no assertion currently guards against accidental reintroduction of esm.sh / chart.js guidance in non-tweak prompts.

Testing

• Not run (automation).
• Suggested tests: add prompt-composition assertions that composeSystemPrompt({ mode: 'create' }) and composeSystemPrompt({ mode: 'revise' }) do not include esm.sh or cdn.jsdelivr.net/npm/chart.js.

open-codesign Bot

[github-actions]

[Major] This new guidance allows external chart libraries (esm.sh, CDN Chart.js) that conflict with the existing self-contained output rule (only Tailwind CDN + Google Fonts). Please make chart rendering policy self-contained here to prevent generation regressions.

[hqhq1025]

Closing. The chart contract permitted Recharts via esm.sh + Chart.js via CDN, which conflicts with the no-CDN hard constraint in CLAUDE.md (only Tailwind + Google Fonts allowed external). #89 (dashboard ambient) already showed inline SVG charts work well — that's the path forward. Will reopen as 'inline-chart-recipes' contract in v0.2.

[hqhq1025]

Reopening after research. Confirmed Claude Artifacts (Anthropic's reference) DOES allow CDN scripts via cdnjs.cloudflare.com whitelist. Our 'no CDN' hard constraint in CLAUDE.md was overly rigid. Plan: revise this PR's chart contract to use cdnjs whitelist (Recharts / Chart.js only, pinned versions), drop esm.sh which is too open. CLAUDE.md amendment will land separately.

[hqhq1025]

Refactored on top of #102 (cdnjs whitelist).

What changed since the previous revision (commit 9a451d0):

• Removed every esm.sh and cdn.jsdelivr.net/npm/chart.js reference. The contract now defers to the cdnjs whitelist defined in output-rules.v1.txt (single source of truth).
• Added chart-recipe content: rendering-choice rubric, chart-type-selection guidance (line vs bar vs donut vs scatter vs sparkline), mandatory elements, color/a11y rules — so this reads as a "skill body" rather than a CDN policy snippet.
• Calls out data-viz-recharts skill explicitly to avoid duplication.

Addresses the original codex finding that Recharts via React + esm.sh and Chart.js via cdn.jsdelivr.net contradicted the then-current no CDN rule. Both hosts are now explicitly forbidden in output-rules.v1.txt (covered by existing tests), and the chart contract no longer mentions them.

Verified cdnjs versions used by the whitelist (queried https://api.cdnjs.com/libraries/<slug>?fields=version on 2026-04-19):

• recharts → 3.2.1
• Chart.js → 4.5.0
• d3 → 7.9.0

(The chart contract itself does not pin numeric versions — that is the model's responsibility per the output-rules format https://cdnjs.cloudflare.com/ajax/libs/<lib>/<exact-version>/<file>.min.js. Versions above are documented here for reviewer context.)

pnpm test and pnpm lint both pass with no --no-verify.

[github-actions]

Findings

• [Minor] Missing revise-mode regression coverage for chart contract composition — composeSystemPrompt() now adds CHART_RENDERING for all non-tweak modes, which includes revise, but tests only assert create includes and tweak excludes. This leaves the newly introduced revise path unguarded against accidental regressions. Evidence packages/core/src/prompts/index.ts:816, packages/core/src/generate.test.ts:1063
  Suggested fix:

  it('revise mode includes the chart rendering contract', () => {
    const prompt = composeSystemPrompt({ mode: 'revise' });
    expect(prompt).toContain('Chart rendering contract');
  });

Summary

• Review mode: follow-up after new commits
• 1 minor issue found in the latest diff.
• Context note: docs/VISION.md and docs/PRINCIPLES.md are Not found in repo/docs in this checkout.

Testing

• Not run (automation).

open-codesign Bot

[github-actions]

This diff adds chart-contract composition for all non-tweak modes (create + revise), but tests only cover create include and tweak exclude. Please add an explicit revise include assertion to guard the newly introduced path.

[hqhq1025]

Addressed Codex [Minor]: added composeSystemPrompt() > revise mode includes the chart rendering contract regression test in packages/core/src/generate.test.ts asserting the chart contract heading + cdnjs whitelist reference are present in revise mode. Commit d7ffd66. pnpm test + pnpm lint green.

[github-actions]

Findings

• No high-confidence issues found in added/modified lines of the latest diff.

Summary

• Review mode: follow-up after new commits
• No new issues found in this diff.
• Context note: docs/VISION.md and docs/PRINCIPLES.md were Not found in repo/docs in this checkout.
• Residual risk: runtime verification is limited because local test execution was unavailable in this environment.

Testing

• Not run (automation): pnpm is not available in this runner, so packages/core/src/generate.test.ts could not be executed here.

open-codesign Bot