npm - @aion0/forge - Versions diffs - 0.10.81 → 0.10.83 - Mend

@aion0/forge 0.10.81 → 0.10.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/RELEASE_NOTES.md +5 -5
package/app/api/settings/route.ts +25 -1
package/components/SettingsModal.tsx +29 -8
package/lib/connectors/test-runner.ts +10 -1
package/package.json +1 -1

package/RELEASE_NOTES.md CHANGED Viewed

@@ -1,11 +1,11 @@
-# Forge v0.10.81
+# Forge v0.10.83
-Released: 2026-06-14
+Released: 2026-06-15
-## Changes since v0.10.80
+## Changes since v0.10.82
 ### Other
-- feat(ui): URL deep-linking + Automation/History default + Pipeline History page
+- feat(settings): disable admin password change in container mode
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.80...v0.10.81
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.82...v0.10.83

package/app/api/settings/route.ts CHANGED Viewed

@@ -1,11 +1,20 @@
 import { NextResponse } from 'next/server';
+import { existsSync } from 'node:fs';
 import { loadSettings, loadSettingsMasked, saveSettings, type Settings } from '@/lib/settings';
 import { restartTelegramBot } from '@/lib/init';
 import { SECRET_FIELDS } from '@/lib/crypto';
 import { verifyAdmin } from '@/lib/password';
+// Container deployments manage the admin password out-of-band (control plane /
+// `make change-password`), which also re-pairs the browser-extension bridge
+// token. Same detection signal as app/api/onboarding/route.ts.
+function inContainer(): boolean {
+  if (process.env.FORGE_CONTAINER === '1') return true;
+  try { return existsSync('/.dockerenv'); } catch { return false; }
+}
 export async function GET() {
-  return NextResponse.json(loadSettingsMasked());
+  return NextResponse.json({ ...loadSettingsMasked(), _inContainer: inContainer() });
 }
 export async function PUT(req: Request) {
@@ -34,6 +43,21 @@ export async function PUT(req: Request) {
       && !existingSettings.telegramTunnelPassword
       && !!newValue;
+    // In container mode the admin password is managed out-of-band (the
+    // platform rotation also re-pairs the browser extension's bridge token).
+    // Changing it here would desync that token and break the agent's browser,
+    // with no UI re-pair path. Block rotations — but still allow the very first
+    // set (isFirstAdminSet), which happens before any extension pairing.
+    if (field === 'telegramTunnelPassword' && !isFirstAdminSet && inContainer()) {
+      return NextResponse.json({
+        ok: false,
+        error:
+          'Password is managed by the platform in container mode. Change it from ' +
+          'the admin console / self-service portal (it also re-pairs the browser ' +
+          'extension), or on the host run: make change-password U=<user>.',
+      }, { status: 403 });
+    }
     if (!isFirstAdminSet && !verifyAdmin(adminPassword)) {
       return NextResponse.json({ ok: false, error: 'Wrong password' }, { status: 403 });
     }

package/components/SettingsModal.tsx CHANGED Viewed

@@ -367,6 +367,9 @@ export default function SettingsModal({ onClose }: { onClose: () => void }) {
     maxConcurrentPipelines: 5,
   });
   const [secretStatus, setSecretStatus] = useState<Record<string, boolean>>({});
+  // Container deployments manage the admin password out-of-band (it also
+  // re-pairs the browser extension); UI change is disabled when set.
+  const [inContainer, setInContainer] = useState(false);
   const [newRoot, setNewRoot] = useState('');
   const [newDocRoot, setNewDocRoot] = useState('');
   const [pickerFor, setPickerFor] = useState<null | 'project' | 'doc'>(null);
@@ -390,7 +393,9 @@ export default function SettingsModal({ onClose }: { onClose: () => void }) {
   const fetchSettings = useCallback(() => {
     fetch('/api/settings').then(r => r.json()).then((data: Settings) => {
       const status = data._secretStatus || {};
+      setInContainer(!!(data as any)._inContainer);
       delete data._secretStatus;
+      delete (data as any)._inContainer;
       setSettings(data);
       origSettingsRef.current = JSON.stringify(data);
       setSecretStatus(status);
@@ -983,14 +988,30 @@ export default function SettingsModal({ onClose }: { onClose: () => void }) {
           <p className="text-[10px] text-[var(--text-secondary)]">
             Used for local login, tunnel start, secret changes, and Telegram commands. Remote login requires admin password + session code (generated on tunnel start).
           </p>
-          <SecretField
-            label="Admin Password"
-            isSet={!!secretStatus.telegramTunnelPassword}
-            onEdit={() => setEditingSecret({ field: 'telegramTunnelPassword', label: 'Admin Password' })}
-          />
-          <p className="text-[9px] text-[var(--text-secondary)]">
-            Forgot? Run: <code className="text-[var(--accent)]">forge --reset-password</code>
-          </p>
+          {inContainer && secretStatus.telegramTunnelPassword ? (
+            <>
+              <div className="flex items-center justify-between gap-2 px-2 py-1.5 bg-[var(--bg-tertiary)] border border-[var(--border)] rounded">
+                <span className="text-xs font-mono text-[var(--text-secondary)]">••••••••</span>
+                <span className="text-[9px] text-[var(--text-secondary)] italic">Managed by platform</span>
+              </div>
+              <p className="text-[9px] text-[var(--text-secondary)]">
+                Password is managed by the platform. Change it from the admin console
+                or your self-service portal — it also re-pairs the browser extension.
+                (Host CLI: <code className="text-[var(--accent)]">make change-password U=&lt;user&gt;</code>.)
+              </p>
+            </>
+          ) : (
+            <>
+              <SecretField
+                label="Admin Password"
+                isSet={!!secretStatus.telegramTunnelPassword}
+                onEdit={() => setEditingSecret({ field: 'telegramTunnelPassword', label: 'Admin Password' })}
+              />
+              <p className="text-[9px] text-[var(--text-secondary)]">
+                Forgot? Run: <code className="text-[var(--accent)]">forge --reset-password</code>
+              </p>
+            </>
+          )}
         </div>
         {/* API Key */}

package/lib/connectors/test-runner.ts CHANGED Viewed

@@ -130,7 +130,16 @@ async function runHttpProbe(
   const t0 = Date.now();
   let res: Response;
   try {
-    res = await fetch(url, { method, headers, body, signal: ctrl.signal });
+    // Honour connector-level http.verify_tls — self-signed appliances (Jenkins,
+    // NAC, ESXi …) need undici with rejectUnauthorized:false, same as http.ts.
+    const fetchInit = { method, headers, body, signal: ctrl.signal };
+    if (def.http?.verify_tls === false) {
+      const { fetch: undiciFetch, Agent } = await import('undici');
+      const dispatcher = new Agent({ connect: { rejectUnauthorized: false } });
+      res = await undiciFetch(url, { ...fetchInit, dispatcher } as any) as unknown as Response;
+    } else {
+      res = await fetch(url, fetchInit);
+    }
   } catch (e) {
     clearTimeout(timer);
     const err = e as Error & { cause?: unknown };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.81",
+  "version": "0.10.83",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {