Split out from #17.

Proposal

- Add description?: string (plain-text technical comments) and info?: string (rich HTML) to Node.
- Render two optional node icons:
  - speech-bubble glyph when description is set → plain-text tooltip.
  - info glyph when info is set → sanitized HTML popup.
- Sanitize info via an allowlist renderer (DOMPurify or equivalent). No raw innerHTML.

Needs product decisions before implementation

- Who populates description / info? Parser? Schema import? Manual annotation?
- HTML tag / attribute allowlist (FlowScope is privacy-first and browser-based; XSS risk is real).

Acceptance

- Both icons conditional on field presence.
- XSS test (<script>, onerror, javascript: URIs) proves sanitizer blocks them.

⚠️ Hold implementation until the two decisions above are settled.
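As an added example (not FlowScope's code), the JavaScript below sketches the two presence-conditional icons, an allowlist renderer that implements the policy the proposal asks of DOMPurify, and the acceptance check for the three listed vectors. The escape-then-re-allow sanitizer is a stand-in for DOMPurify, and ALLOWED_TAGS and the reading of "presence" as a non-empty string are assumptions.

```javascript
// Added example, not FlowScope code. Sanitizer policy: escape everything,
// then re-enable only exact allowlisted tags; production should use DOMPurify.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'code', 'p', 'br', 'ul', 'ol', 'li', 'a'];

// Step 1: neutralise every character that can open markup or an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Step 2: re-enable attribute-free allowlisted tags and <a> with an http(s)
// href only. <script>, on* handlers and javascript: URIs never match, so they
// remain inert text. The result is what the popup may assign to innerHTML.
function sanitizeInfo(html) {
  const escaped = escapeHtml(html == null ? '' : String(html));
  const tagRe = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})\\s*/?&gt;`, 'gi');
  const linkRe = /&lt;a\s+href=&quot;(https?:\/\/(?:(?!&quot;)\S)*)&quot;\s*&gt;/gi;
  return escaped
    .replace(tagRe, '<$1$2>')
    .replace(linkRe, '<a href="$1" rel="noopener noreferrer">');
}

// Which of the two optional icons a node gets. "Presence" is taken to mean a
// non-empty string (assumption); both fields are optional on Node.
function nodeIcons(node) {
  const present = (v) => typeof v === 'string' && v.length > 0;
  return { description: present(node.description), info: present(node.info) };
}

// Acceptance check from the issue. Payloads are constructed samples; the
// "leak" patterns only fire on live markup, not on escaped text.
const XSS_VECTORS = [
  ['script', '<script>alert(1)</script>', /<script/i],
  ['onerror', '<img src=x onerror=alert(1)>', /<[^>]*\bonerror\s*=/i],
  ['javascript-uri', '<a href="javascript:alert(1)">x</a>', /<a[^>]*href\s*=\s*["']?\s*javascript:/i],
];

// Returns the names of vectors that survive the given sanitizer; expect [].
function xssAcceptance(sanitize) {
  return XSS_VECTORS.filter(([, payload, leak]) => leak.test(sanitize(payload)))
    .map(([name]) => name);
}

// Unsafe baseline for contrast: raw innerHTML would leak all three vectors.
const rawInnerHtml = (html) => html;
```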