@1presence/bridge 0.50.0 → 0.52.0

package/dist/auth.js

@@ -47,6 +47,30 @@ function openBrowser(url) {
 export class AuthCancelledError extends Error {
     constructor() { super('Sign-in cancelled — the browser tab was closed.'); }
 }
+/**
+ * Applies the localhost auth server's CORS headers, scoped to the legitimate
+ * PWA origin. Exported so the Private Network Access behaviour stays under test.
+ *
+ * The `Access-Control-Allow-Private-Network` reflection is load-bearing: when
+ * the HTTPS PWA (a public/secure context) fetches this 127.0.0.1 server (a
+ * private address), Chrome sends a CORS preflight carrying
+ * `Access-Control-Request-Private-Network: true`. Without the matching allow
+ * header, Chrome (PNA enforcement, ~v130+) blocks the request outright — even a
+ * plain GET, even for localhost, which is exempt from mixed-content blocking —
+ * and the PWA shows "Could not reach the bridge" though the server is up.
+ */
+export function applyAuthCorsHeaders(req, res, pwaOrigin) {
+    const reqOrigin = req.headers['origin'] ?? '';
+    if (pwaOrigin && reqOrigin === pwaOrigin) {
+        res.setHeader('Access-Control-Allow-Origin', pwaOrigin);
+    }
+    res.setHeader('Vary', 'Origin');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    if (req.headers['access-control-request-private-network'] === 'true') {
+        res.setHeader('Access-Control-Allow-Private-Network', 'true');
+    }
+}
 function runBrowserAuthFlow(gatewayUrl, pwaUrl) {
     return new Promise((resolve, reject) => {
         let resolved = false;
@@ -74,13 +98,7 @@ function runBrowserAuthFlow(gatewayUrl, pwaUrl) {
             }
         })();
         const server = createServer((req, res) => {
-            const reqOrigin = req.headers['origin'] ?? '';
-            if (pwaOrigin && reqOrigin === pwaOrigin) {
-                res.setHeader('Access-Control-Allow-Origin', pwaOrigin);
-            }
-            res.setHeader('Vary', 'Origin');
-            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-            res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+            applyAuthCorsHeaders(req, res, pwaOrigin);
             if (req.method === 'OPTIONS') {
                 res.writeHead(204);
                 res.end();

package/dist/claude.js

@@ -234,7 +234,7 @@ async function* promptStream(messages) {
 }
 // ─── Spawn (drive one turn through the SDK) ──────────────────────────────────────
 export function spawnClaude(params) {
-    const { conversationId, presenceSessionId, text, uid, history, vaultFileOpen, clientCapabilities, syncedFolders, onEvent, onDone, onError, onNotice } = params;
+    const { conversationId, presenceSessionId, text, uid, history, vaultFileOpen, clientCapabilities, syncedFolders, model: perTurnModel, onEvent, onDone, onError, onNotice } = params;
     const systemPromptPath = join(tmpdir(), `agent-${uid}.md`);
     const mcpConfigPath = join(tmpdir(), `mcp-${uid}.json`);
     if (verbose) {
@@ -337,7 +337,7 @@ export function spawnClaude(params) {
     if (!safeEnv['MAX_MCP_OUTPUT_TOKENS']) {
         safeEnv['MAX_MCP_OUTPUT_TOKENS'] = '200000';
     }
-    const pinnedModel = getBridgeModel();
+    const pinnedModel = perTurnModel ?? getBridgeModel();
     // Process one translated raw stream-json event: bookkeeping + forward. Mirrors
     // the old CLI stdout parser so the gateway/accumulator see identical shapes.
     // Returns false when the event must be suppressed (errors) or the turn was

package/dist/index.js

@@ -219,7 +219,7 @@ function isUuid(value) {
     return UUID_RE.test(value);
 }
 // ─── Handle a single incoming message (token refresh + spawn) ─────────────────
-async function handleMessage(conversationId, text, sessionId, history, auth, vaultFileOpen, clientCapabilities, syncedFolders, agentSlug) {
+async function handleMessage(conversationId, text, sessionId, history, auth, vaultFileOpen, clientCapabilities, syncedFolders, agentSlug, model) {
     // Refresh JWT if <10 min remaining before spawning Claude
     let activeAuth = auth;
     try {
@@ -322,6 +322,7 @@ async function handleMessage(conversationId, text, sessionId, history, auth, vau
         vaultFileOpen,
         clientCapabilities,
         syncedFolders,
+        model,
         onEvent: (event) => {
             accumulator.consume(event);
             if (!responding && event['type'] === 'assistant') {
@@ -500,12 +501,12 @@ function connect(auth, retryDelay = 1000) {
         }
         if (msg.type !== 'message' || !msg.conversationId || !msg.text)
             return;
-        const { conversationId, text, sessionId, history, vaultFileOpen, clientCapabilities, syncedFolders, agentSlug } = msg;
+        const { conversationId, text, sessionId, history, vaultFileOpen, clientCapabilities, syncedFolders, agentSlug, model } = msg;
         const ts = new Date().toLocaleTimeString();
         const hist = Array.isArray(history) ? history : [];
         console.log(`[${ts}] ▶ ${text}${hist.length ? `  (history: ${hist.length} turn${hist.length === 1 ? '' : 's'})` : ''}`);
         startTurnTimer();
-        handleMessage(conversationId, text, sessionId ?? null, hist, auth, vaultFileOpen, clientCapabilities, syncedFolders, agentSlug).catch((err) => {
+        handleMessage(conversationId, text, sessionId ?? null, hist, auth, vaultFileOpen, clientCapabilities, syncedFolders, agentSlug, model).catch((err) => {
             stopTurnTimer();
             console.error(`[bridge] handleMessage error: ${err.message}`);
         });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@1presence/bridge",
-  "version": "0.50.0",
+  "version": "0.52.0",
   "description": "Run 1Presence on your Mac and use your Claude.ai Pro subscription from any device",
   "type": "module",
   "bin": {