§Response rewriting for widget CSP
Mutates JSON-RPC response bodies so widgets see the right CSP regardless of which host renders them.
Three things happen on every widget meta rewrite:
- Aggregate. Upstream CSP domains are collected from both the OpenAI (openai/widgetCSP) and spec (ui.csp) shapes, per directive.
- Merge. super::csp::effective_domains applies the per-directive mode, widget-scoped overrides, and proxy URL to produce one domain list per directive.
- Emit both shapes. The merge result is written to both openai/widgetCSP (snake_case) and ui.csp (camelCase). ChatGPT reads the former, Claude and VS Code read the latter; unknown keys are ignored, so emitting both means the same declared config works on every host.
A deep scan walks the entire response afterwards and prepends the proxy URL to any CSP domain array it finds, catching servers that embed CSP in non-standard locations.
Response body text and blob fields are never touched — widget HTML is
served verbatim.
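The aggregate, merge and emit steps described above, modeled as an added example that is not this crate's code. All names (Csp, Mode, rewrite_csp, camel), the directive keys, the Extend/Replace mode semantics, the proxy-first ordering and the example URLs are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Illustrative model only: every name here is hypothetical, not the crate's API.
pub type Csp = BTreeMap<String, Vec<String>>;

/// Assumed mode semantics: Extend keeps upstream domains, Replace discards them.
#[derive(Clone, Copy)]
pub enum Mode { Extend, Replace }

/// Map a snake_case directive key (openai/widgetCSP) to camelCase (ui.csp).
pub fn camel(key: &str) -> String {
    let mut out = String::new();
    let mut upper = false;
    for c in key.chars() {
        if c == '_' { upper = true; continue; }
        if upper { out.extend(c.to_uppercase()); } else { out.push(c); }
        upper = false;
    }
    out
}

/// Aggregate both upstream shapes, merge per directive, emit both shapes.
pub fn rewrite_csp(openai: &Csp, spec: &Csp, proxy: &str,
                   config: &[(&str, Mode, &[&str])]) -> (Csp, Csp) {
    let (mut out_openai, mut out_spec) = (Csp::new(), Csp::new());
    for &(directive, mode, declared) in config {
        let mut merged = vec![proxy.to_string()]; // proxy URL first
        merged.extend(declared.iter().map(|d| d.to_string()));
        if let Mode::Extend = mode {
            // Upstream may have used either shape, or both; take the union.
            merged.extend(openai.get(directive).into_iter().flatten().cloned());
            merged.extend(spec.get(&camel(directive)).into_iter().flatten().cloned());
        }
        let mut seen = BTreeSet::new();
        merged.retain(|d| seen.insert(d.clone())); // de-duplicate, keep order
        out_openai.insert(directive.to_string(), merged.clone());
        out_spec.insert(camel(directive), merged);
    }
    (out_openai, out_spec)
}

fn main() {
    // Constructed sample: the upstream server declared one domain in each shape.
    let openai = Csp::from([("connect_domains".to_string(), vec!["https://api.example.com".to_string()])]);
    let spec = Csp::from([("connectDomains".to_string(), vec!["https://cdn.example.com".to_string()])]);
    let config: [(&str, Mode, &[&str]); 2] = [("connect_domains", Mode::Extend, &[]),
        ("resource_domains", Mode::Replace, &["https://static.example.net"])];
    let (o, s) = rewrite_csp(&openai, &spec, "https://proxy.example.org", &config);
    println!("openai/widgetCSP = {o:?}\nui.csp = {s:?}");
}
```

Under the assumed Replace mode, a domain the upstream server declares for that directive never reaches either emitted shape, which is the case to check when the upstream is not fully trusted.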
Structs§
- RewriteConfig - Runtime configuration for response rewriting.
Functions§
- rewrite_response - Rewrite a JSON-RPC response in place for the given method.