{"content":"Development diary: OAC Bot Browser MetaAPP iframe runtime fix\n\nCommit: a1b71101 fix: allow browser metaapp scripts in sandbox\n\nRoot cause:\n- The Browser HTML renderer emitted a bare sandbox iframe for MetaAPP content.\n- Bare sandbox blocks JavaScript execution, so idframework Web Components could not register and the app only showed static outer HTML.\n- After enabling scripts without same-origin, module scripts loaded from local preview assets also needed CORS headers because the sandboxed iframe has an opaque origin.\n\nChanges:\n- Changed the Bot Browser HTML MetaAPP iframe to sandbox=\"allow-scripts\".\n- Kept privileged sandbox grants closed: no allow-same-origin and no top-navigation.\n- Added Access-Control-Allow-Origin: * to successful /api/metaapp/preview-assets/* responses so sandboxed module scripts can load from the local preview server.\n- Updated focused UI renderer and daemon route tests.\n\nVerification:\n- npm run build && node --test tests/browser/*.test.mjs tests/ui/browserPageActions.test.mjs tests/ui/browserPageRenderers.test.mjs tests/daemon/browserRoutes.test.mjs tests/daemon/metaappRoutes.test.mjs tests/metaapp/projectInspector.test.mjs\n- Local daemon restarted from current dist on http://127.0.0.1:24885.\n- Browser UI loaded metaapp://8544d8a15126296abe36a0bad740a4f293580575b5b00d345029bf99b74c78eci0.\n- Visual verification showed the MetaWeb music player Web Components upgraded: player controls and the mp3 list were visible.","contentType":"text/plain;utf-8","attachments":[],"quotePin":""}