
H-6544: Load Petrinaut in HASH in an iFrame, and add the AI assistant#8790

Open

CiaranMn wants to merge 12 commits into cm/processes-pages-in-hash from cm/petrinaut-in-hash-iframe-and-ai

Conversation

@CiaranMn
Member

@CiaranMn CiaranMn commented May 29, 2026

🌟 What is the purpose of this PR?

Two changes to Petrinaut in HASH:

  1. Load it in an iFrame, given that it evaluates user-provided code (the risk being that someone unsuspectingly loads a malicious model)
  2. Add an API endpoint for proxying requests to OpenAI, and enable the AI assistant

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

  • does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

  • are internal and do not require a docs change

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

  • do not affect the execution graph

🛡 What tests cover this?

  • None in HASH yet.

❓ How to test this?

  1. Visit /processes on the preview deployment
  2. Open an example
  3. Use the AI assistant

Note that 'Create'ing a net seems to not work on the preview deployment, but it does locally. Not sure what's happening there but it works locally, will need to test again in prod.

@vercel

vercel Bot commented May 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hash Ready Ready Preview, Comment May 30, 2026 11:37am
2 Skipped Deployments
Project Deployment Actions Updated (UTC)
hashdotdesign-tokens Ignored Ignored Preview May 30, 2026 11:37am
petrinaut Skipped Skipped May 30, 2026 11:37am

@github-actions github-actions Bot added area/deps Relates to third-party dependencies (area) area/apps > hash* Affects HASH (a `hash-*` app) area/libs Relates to first-party libraries/crates/packages (area) type/eng > frontend Owned by the @frontend team area/apps labels May 29, 2026
@CiaranMn CiaranMn marked this pull request as ready for review May 29, 2026 19:46
@cursor

cursor Bot commented May 29, 2026

PR Summary

High Risk
Introduces untrusted-code isolation with eval in an iframe, a new authenticated LLM proxy using a shared API key, and cross-frame messaging for saves and streaming—security- and abuse-sensitive surfaces.

Overview
Petrinaut in HASH is moved out of the host page into a sandboxed null-origin iframe (/processes/.../embed) so user model code can run with unsafe-eval without touching the parent origin’s cookies, storage, or GraphQL. The process editor becomes a host that keeps routing, save/load to the graph, dirty guards, and revision metadata, while the iframe owns the live editor, workers, and dirty state—coordinated through a typed postMessage bridge (init/load/save, revisions, errors).

Security and observability tighten around that split: middleware applies a dedicated embed CSP (buildEmbedCspHeader), embed documents skip Sentry and instead forward errors to the host for capture with Petrinaut tags; _app serves a minimal authenticated shell for the embed route without injecting user subgraph data. Font CORS on /fonts/* fixes self-hosted fonts inside the opaque-origin iframe.

An authenticated Edge API (/api/petrinaut-ai-chat) streams OpenAI for the Petrinaut assistant (session via Ory whoami, zod/AI SDK validation, per-user in-memory rate limit). The iframe cannot call it directly—the host proxies chat bytes over the bridge; AI conversations persist in host localStorage, including migration from draft to saved net on first create. Dependencies add ai, @ai-sdk/openai, and zod; @hashintel/petrinaut-core/ai is built as an edge-safe export for prompt/tools.

Reviewed by Cursor Bugbot for commit f62dd02. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread apps/hash-frontend/src/pages/processes/shared/use-iframe-bridge.ts
Comment thread apps/hash-frontend/src/pages/processes/shared/use-iframe-bridge.ts
@augmentcode

augmentcode Bot commented May 29, 2026

🤖 Augment PR Summary

Summary: This PR isolates Petrinaut’s execution by moving it into a sandboxed iframe, and adds a streamed AI assistant backed by an authenticated OpenAI proxy.

Changes:

  • Adds a dedicated embed route (/processes/<uuid>/embed) that dynamically loads Petrinaut client-side only.
  • Refactors the main process editor to host an <iframe sandbox="allow-scripts"> and communicate via a typed postMessage bridge.
  • Introduces host/iframe message types, host and iframe bridge hooks, and a loading skeleton while the iframe warms up.
  • Adds a stricter embed-specific CSP (including 'unsafe-eval') applied via middleware for the embed route.
  • Adds an App Router streaming route handler (/api/petrinaut-ai-chat) that validates UI messages, enforces per-user rate limiting, and streams responses from OpenAI.
  • Proxies AI chat from the iframe through the host (cookie-bearing) page, relaying raw streamed bytes back to the iframe for SSE parsing by the AI SDK.
  • Persists AI conversations in host localStorage keyed by net, and forwards iframe errors to the host’s Sentry SDK.

Technical Notes: Adds CORS headers for self-hosted fonts to work from a null-origin iframe, and conditionally disables Sentry init inside the embed document in favor of postMessage-based error reporting.
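The null-origin embed and the typed postMessage bridge described in the Cursor and Augment summaries leave the host page responsible for authenticating the sender of every message. The following is an added example, not code from this PR or the HASH repository, of a host-side guard: a frame with `sandbox="allow-scripts"` and no `allow-same-origin` runs in an opaque origin, so `event.origin` is the string `"null"` and cannot distinguish the embed from any other null-origin sender; the host therefore pins `event.source` to the frame window and validates message shape before dispatching. The message type names (`ready`, `save`, `error`) and their fields are assumptions, not the PR's bridge types.

```javascript
// Added example, not the PR's bridge. Host-side guard for messages from a
// sandboxed (opaque-origin) iframe: check the sender window, the "null"
// origin, and the message shape. Type names and fields are assumed.
const ALLOWED_TYPES = new Set(["ready", "save", "error"]);

function validateIframeMessage(event, expectedSource) {
  // Only the exact window we embedded may speak to the host.
  if (expectedSource == null || event.source !== expectedSource) {
    return { ok: false, reason: "unexpected source" };
  }
  // A sandboxed frame reports the opaque origin; anything else is foreign.
  if (event.origin !== "null") {
    return { ok: false, reason: "expected opaque origin" };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    return { ok: false, reason: "payload is not an object" };
  }
  if (!ALLOWED_TYPES.has(data.type)) {
    return { ok: false, reason: `unknown message type: ${String(data.type)}` };
  }
  // Re-build the message from validated fields only; extra keys are dropped.
  switch (data.type) {
    case "ready":
      return { ok: true, message: { type: "ready" } };
    case "save":
      if (typeof data.net !== "string" || data.net.length === 0) {
        return { ok: false, reason: "save without serialised net" };
      }
      return { ok: true, message: { type: "save", net: data.net } };
    default: // "error": forwarded to the host's error reporter, bounded in size
      if (typeof data.message !== "string") {
        return { ok: false, reason: "error without message" };
      }
      return { ok: true, message: { type: "error", message: data.message.slice(0, 2000) } };
  }
}

// Listener to register with window.addEventListener("message", listener).
// getFrameWindow() should return iframe.contentWindow; rejected messages are
// counted for monitoring but never reach a handler.
function createHostListener(getFrameWindow, handlers) {
  const stats = { accepted: 0, rejected: 0 };
  const listener = (event) => {
    const result = validateIframeMessage(event, getFrameWindow());
    if (!result.ok) { stats.rejected += 1; return; }
    stats.accepted += 1;
    handlers[result.message.type]?.(result.message);
  };
  return { listener, stats };
}
```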


@augmentcode augmentcode Bot left a comment


Review completed. 3 suggestions posted.


Comment thread apps/hash-frontend/src/lib/csp.ts
Comment thread apps/hash-frontend/src/pages/processes/shared/use-host-bridge.ts
Comment thread apps/hash-frontend/src/pages/processes/shared/iframe-error-reporter.ts Dismissed
Comment thread apps/hash-frontend/src/pages/processes/shared/use-host-bridge.ts Fixed
Comment thread apps/hash-frontend/src/pages/processes/shared/use-iframe-bridge.ts Dismissed
Comment thread apps/hash-frontend/src/pages/processes/shared/use-iframe-bridge.ts Fixed
Comment thread apps/hash-frontend/src/pages/api/petrinaut-ai-chat.api.ts Fixed
Comment thread apps/hash-frontend/src/pages/processes/shared/use-host-bridge.ts Outdated
@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.04%. Comparing base (abbaefe) to head (18e4061).
⚠️ Report is 1 commits behind head on cm/processes-pages-in-hash.

Additional details and impacted files
@@                     Coverage Diff                     @@
##           cm/processes-pages-in-hash    #8790   +/-   ##
===========================================================
  Coverage                       59.04%   59.04%           
===========================================================
  Files                            1341     1341           
  Lines                          129387   129387           
  Branches                         5837     5837           
===========================================================
+ Hits                            76395    76397    +2     
+ Misses                          52091    52089    -2     
  Partials                          901      901           

@codspeed-hq

codspeed-hq Bot commented May 30, 2026

Merging this PR will not alter performance

✅ 80 untouched benchmarks


Comparing cm/petrinaut-in-hash-iframe-and-ai (f62dd02) with cm/processes-pages-in-hash (4bd73e6)


Comment thread apps/hash-frontend/src/pages/api/petrinaut-ai-chat.api.ts Dismissed
Comment thread apps/hash-frontend/src/pages/processes/shared/use-iframe-bridge.ts Outdated
Comment thread apps/hash-frontend/src/pages/api/petrinaut-ai-chat.api.ts Outdated
Comment thread apps/hash-frontend/src/pages/processes/shared/use-host-bridge.ts Dismissed
Comment thread apps/hash-frontend/src/pages/processes/shared/use-iframe-bridge.ts Dismissed
Comment thread apps/hash-frontend/src/pages/processes/[uuid]/embed.page/embed-content.tsx Outdated
Comment thread apps/hash-frontend/src/pages/processes/[uuid]/embed.page/embed-content.tsx Outdated

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 96463c8. Configure here.

Comment thread apps/hash-frontend/src/pages/_app.page.tsx

Labels

area/apps > hash* Affects HASH (a `hash-*` app) area/apps area/deps Relates to third-party dependencies (area) area/libs Relates to first-party libraries/crates/packages (area) type/eng > backend Owned by the @backend team type/eng > frontend Owned by the @frontend team
