@caplets/core 0.20.1 → 0.20.2

package/dist/{completion-D-kuyArL.js → completion-DZg_TWiX.js}

@@ -1,4 +1,4 @@
-import { St as resolveProjectConfigPath, Y as loadConfigWithSources, bt as resolveConfigPath, mt as DEFAULT_COMPLETION_CACHE_DIR, pt as DEFAULT_AUTH_DIR, vn as __exportAll, yt as resolveCapletsRoot } from "./service-Bsq7R0mt.js";
+import { St as resolveProjectConfigPath, Y as loadConfigWithSources, bt as resolveConfigPath, mt as DEFAULT_COMPLETION_CACHE_DIR, pt as DEFAULT_AUTH_DIR, vn as __exportAll, yt as resolveCapletsRoot } from "./service-D3W-LuOx.js";
 import { u as CapletsError } from "./validation-CdqbI2zN.js";
 import { mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";

package/dist/index.js

@@ -1,9 +1,9 @@
-import { $ as parseConfig, $t as ReadResourceRequestSchema, A as QuickJsCodeModeSandbox, At as toJsonSchemaCompat, B as CapletsEngine, Bt as ErrorCode, C as nativeCapletToolName, Ct as ReadBuffer, D as codeModeRunInputSchema, Dt as AjvJsonSchemaValidator, Et as assertToolsCallTaskCapability, F as redactCodeModeLogText, Ft as CreateMessageResultWithToolsSchema, G as handleServerTool, Gt as LATEST_PROTOCOL_VERSION, H as decodeDirectResourceUri, Ht as InitializeRequestSchema, I as codeModeDeclarationHash, It as CreateTaskResultSchema, J as loadConfig, Jt as ListResourcesRequestSchema, K as ServerRegistry, Kt as ListPromptsRequestSchema, L as generateCodeModeDeclarations, M as createCodeModeCapletsApi, Mt as CallToolResultSchema, N as listCodeModeCallableCaplets, Nt as CompleteRequestSchema, O as codeModeRunParamsSchema, Ot as Protocol, P as CodeModeLogStore, Pt as CreateMessageResultSchema, Q as loadProjectConfig, Qt as McpError, R as generateCodeModeRunToolDescription, Rt as ElicitResultSchema, S as nativeCapletToolDescription, St as resolveProjectConfigPath, T as nativeCodeModeToolId, Tt as assertClientRequestTaskCapability, U as findProjectRoot, Ut as InitializedNotificationSchema, V as resolveExposure, Vt as GetPromptRequestSchema, W as fingerprintProjectRoot, Wt as JSONRPCMessageSchema, X as loadGlobalConfig, Xt as ListToolsRequestSchema, Y as loadConfigWithSources, Yt as ListRootsResultSchema, Z as loadLocalOverlayConfigWithSources, Zt as LoggingLevelSchema, _ as controlUrlForBase, _n as safeParseAsync, _t as defaultConfigBaseDir, a as projectBindingError, an as isJSONRPCErrorResponse, at as markdownStructuredContent, b as resolveCapletsServer, bt as resolveConfigPath, c as cloudAuthPath, cn as getLiteralValue, ct as startGenericOAuthFlow, d as CloudAuthClient, dn as getSchemaDescription, dt as isTokenBundleExpired, en as SUPPORTED_PROTOCOL_VERSIONS, et as discoverCapletFiles, fn as isSchemaOptional, ft as readTokenBundle, g as resolveCapletsRemote, gn as safeParse, gt as defaultCacheBaseDir, hn as objectFromShape, ht as DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR, i as ProjectBindingError, in as isInitializeRequest, it as markdownCallToolResultContent, j as diagnoseCodeModeTypeScript, jt as CallToolRequestSchema, k as runCodeMode, kt as mergeCapabilities, l as migrateCredentials, ln as getObjectShape, lt as startOAuthFlow, m as buildProjectSyncManifest, mn as normalizeObjectSchema, n as resolveRemoteSelection, nn as assertCompleteRequestPrompt, nt as loadCapletFilesFromMap, o as projectBindingRecovery, on as isJSONRPCRequest, ot as runGenericOAuthFlow, p as createSdkRemoteCapletsClient, pn as isZ4Schema, q as capabilityDescription, qt as ListResourceTemplatesRequestSchema, r as PROJECT_BINDING_ERROR_CODES, rn as assertCompleteRequestResourceTemplate, rt as hasRenderableStructuredContent, s as CloudAuthStore, sn as isJSONRPCResultResponse, st as runOAuthFlow, t as createNativeCapletsService, tn as SetLevelRequestSchema, tt as validateCapletFile, u as redactedCloudAuthStatus, un as getParseErrorMessage, ut as deleteTokenBundle, v as parseServerBaseUrl, vt as defaultStateBaseDir, wt as serializeMessage, x as nativeCapletPromptGuidance, xt as resolveProjectCapletsRoot, y as resolveCapletsMode, yt as resolveCapletsRoot, z as minifyCodeModeDeclarationText, zt as EmptyResultSchema } from "./service-Bsq7R0mt.js";
+import { $ as parseConfig, $t as ReadResourceRequestSchema, A as QuickJsCodeModeSandbox, At as toJsonSchemaCompat, B as CapletsEngine, Bt as ErrorCode, C as nativeCapletToolName, Ct as ReadBuffer, D as codeModeRunInputSchema, Dt as AjvJsonSchemaValidator, Et as assertToolsCallTaskCapability, F as redactCodeModeLogText, Ft as CreateMessageResultWithToolsSchema, G as handleServerTool, Gt as LATEST_PROTOCOL_VERSION, H as decodeDirectResourceUri, Ht as InitializeRequestSchema, I as codeModeDeclarationHash, It as CreateTaskResultSchema, J as loadConfig, Jt as ListResourcesRequestSchema, K as ServerRegistry, Kt as ListPromptsRequestSchema, L as generateCodeModeDeclarations, M as createCodeModeCapletsApi, Mt as CallToolResultSchema, N as listCodeModeCallableCaplets, Nt as CompleteRequestSchema, O as codeModeRunParamsSchema, Ot as Protocol, P as CodeModeLogStore, Pt as CreateMessageResultSchema, Q as loadProjectConfig, Qt as McpError, R as generateCodeModeRunToolDescription, Rt as ElicitResultSchema, S as nativeCapletToolDescription, St as resolveProjectConfigPath, T as nativeCodeModeToolId, Tt as assertClientRequestTaskCapability, U as findProjectRoot, Ut as InitializedNotificationSchema, V as resolveExposure, Vt as GetPromptRequestSchema, W as fingerprintProjectRoot, Wt as JSONRPCMessageSchema, X as loadGlobalConfig, Xt as ListToolsRequestSchema, Y as loadConfigWithSources, Yt as ListRootsResultSchema, Z as loadLocalOverlayConfigWithSources, Zt as LoggingLevelSchema, _ as controlUrlForBase, _n as safeParseAsync, _t as defaultConfigBaseDir, a as projectBindingError, an as isJSONRPCErrorResponse, at as markdownStructuredContent, b as resolveCapletsServer, bt as resolveConfigPath, c as cloudAuthPath, cn as getLiteralValue, ct as startGenericOAuthFlow, d as CloudAuthClient, dn as getSchemaDescription, dt as isTokenBundleExpired, en as SUPPORTED_PROTOCOL_VERSIONS, et as discoverCapletFiles, fn as isSchemaOptional, ft as readTokenBundle, g as resolveCapletsRemote, gn as safeParse, gt as defaultCacheBaseDir, hn as objectFromShape, ht as DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR, i as ProjectBindingError, in as isInitializeRequest, it as markdownCallToolResultContent, j as diagnoseCodeModeTypeScript, jt as CallToolRequestSchema, k as runCodeMode, kt as mergeCapabilities, l as migrateCredentials, ln as getObjectShape, lt as startOAuthFlow, m as buildProjectSyncManifest, mn as normalizeObjectSchema, n as resolveRemoteSelection, nn as assertCompleteRequestPrompt, nt as loadCapletFilesFromMap, o as projectBindingRecovery, on as isJSONRPCRequest, ot as runGenericOAuthFlow, p as createSdkRemoteCapletsClient, pn as isZ4Schema, q as capabilityDescription, qt as ListResourceTemplatesRequestSchema, r as PROJECT_BINDING_ERROR_CODES, rn as assertCompleteRequestResourceTemplate, rt as hasRenderableStructuredContent, s as CloudAuthStore, sn as isJSONRPCResultResponse, st as runOAuthFlow, t as createNativeCapletsService, tn as SetLevelRequestSchema, tt as validateCapletFile, u as redactedCloudAuthStatus, un as getParseErrorMessage, ut as deleteTokenBundle, v as parseServerBaseUrl, vt as defaultStateBaseDir, wt as serializeMessage, x as nativeCapletPromptGuidance, xt as resolveProjectCapletsRoot, y as resolveCapletsMode, yt as resolveCapletsRoot, z as minifyCodeModeDeclarationText, zt as EmptyResultSchema } from "./service-D3W-LuOx.js";
 import { _ as record, b as unknown, d as literal, m as object, n as ZodOptional, o as array, p as number, r as _enum, s as boolean, v as string, x as url } from "./schemas-BZ6BBrh7.js";
 import { f as redactSecrets, i as SERVER_ID_PATTERN, l as CAPLETS_ERROR_CODES, p as toSafeError, u as CapletsError } from "./validation-CdqbI2zN.js";
 import { generatedToolInputSchema, generatedToolInputSchemaForCaplet } from "./generated-tool-input-schema.js";
 import { f as observedOutputShapeKey, i as observeOutputShape, u as FileObservedOutputShapeStore } from "./observed-output-shapes-uzAMQPhg.js";
-import { a as formatCapletList, c as resolveCliConfigPaths, l as cliCommands$1, n as completionScript, o as formatConfigPaths, s as listCaplets, t as completeCliWords, u as completionShells } from "./completion-D-kuyArL.js";
+import { a as formatCapletList, c as resolveCliConfigPaths, l as cliCommands$1, n as completionScript, o as formatConfigPaths, s as listCaplets, t as completeCliWords, u as completionShells } from "./completion-DZg_TWiX.js";
 import { n as normalizeCapletSourcePath, t as FilesystemCapletSource } from "./filesystem-Kkg32TOJ.js";
 import { parseConfig as parseConfig$1 } from "./config-runtime.js";
 import fs, { accessSync, chmodSync, closeSync, constants, copyFileSync, cpSync, existsSync, lstatSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, readlinkSync, realpathSync, rmSync, statSync, writeFileSync, writeSync } from "node:fs";
@@ -1553,7 +1553,7 @@ const EMPTY_COMPLETION_RESULT = { completion: {
 } };
 //#endregion
 //#region package.json
-var version = "0.20.1";
+var version = "0.20.2";
 //#endregion
 //#region src/serve/session.ts
 var CapletsMcpSession = class {
@@ -7110,6 +7110,7 @@ function resolveServeOptions(raw, env = process.env) {
 		path,
 		...serverUrl ? { publicOrigin: serverUrl.origin } : {},
 		auth,
+		allowUnauthenticatedHttp: raw.allowUnauthenticatedHttp === true,
 		warnUnauthenticatedNetwork: !loopback && !auth.enabled,
 		loopback,
 		trustProxy: raw.trustProxy === true
@@ -11135,13 +11136,16 @@ function safeEqual(left, right) {
 }
 function dnsRebindingOptions(options) {
 	const hostForHeader = options.host === "::1" ? "[::1]" : options.host;
+	const publicUrl = options.publicOrigin ? new URL(options.publicOrigin) : void 0;
+	const publicHosts = publicUrl && (options.auth.enabled || options.allowUnauthenticatedHttp) ? [publicUrl.hostname, publicUrl.host] : [];
 	return {
 		enableDnsRebindingProtection: true,
 		allowedHosts: [
 			options.host,
 			hostForHeader,
 			`${hostForHeader}:${options.port}`,
-			`localhost:${options.port}`
+			`localhost:${options.port}`,
+			...publicHosts
 		]
 	};
 }

package/dist/native.js

@@ -1,4 +1,4 @@
-import { C as nativeCapletToolName, E as nativeCodeModeToolName, S as nativeCapletToolDescription, T as nativeCodeModeToolId, f as RemoteNativeCapletsService, h as resolveNativeCapletsServiceOptions, p as createSdkRemoteCapletsClient, t as createNativeCapletsService, w as nativeCapletsSystemGuidance, x as nativeCapletPromptGuidance } from "./service-Bsq7R0mt.js";
+import { C as nativeCapletToolName, E as nativeCodeModeToolName, S as nativeCapletToolDescription, T as nativeCodeModeToolId, f as RemoteNativeCapletsService, h as resolveNativeCapletsServiceOptions, p as createSdkRemoteCapletsClient, t as createNativeCapletsService, w as nativeCapletsSystemGuidance, x as nativeCapletPromptGuidance } from "./service-D3W-LuOx.js";
 import { generatedToolInputJsonSchema, generatedToolInputSchema } from "./generated-tool-input-schema.js";
 //#region src/native/process-cleanup.ts
 function registerNativeCapletsProcessCleanup(service, options = {}) {

package/dist/serve/options.d.ts

@@ -19,6 +19,7 @@ export type HttpServeOptions = {
     path: string;
     publicOrigin?: string | undefined;
     auth: HttpBasicAuthOptions;
+    allowUnauthenticatedHttp: boolean;
     warnUnauthenticatedNetwork: boolean;
     loopback: boolean;
     trustProxy: boolean;

package/dist/{service-Bsq7R0mt.js → service-D3W-LuOx.js}

@@ -17442,7 +17442,7 @@ async function startOAuthFlow(server, options) {
 		complete: async (callbackUrl) => {
 			assertNoOAuthCallbackError(server, callbackUrl);
 			const completion = extractCompletion(callbackUrl);
-			if (completion.state !== provider.state()) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+			if (completion.state !== provider.state()) throw oauthStateMismatchError(server.server);
 			try {
 				await auth(provider, {
 					serverUrl: server.url,
@@ -17536,7 +17536,7 @@ async function startGenericOAuthFlow(target, options) {
 		complete: async (callbackUrl) => {
 			assertNoOAuthCallbackError(target, callbackUrl);
 			const completion = extractCompletion(callbackUrl);
-			if (completion.state !== state) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+			if (completion.state !== state) throw oauthStateMismatchError(target.server);
 			const params = new URLSearchParams({
 				grant_type: "authorization_code",
 				code: completion.code,
@@ -17614,7 +17614,7 @@ async function runGenericOAuthFlow(target, options = {}) {
 			code: callbackCode,
 			...callbackState ? { state: callbackState } : {}
 		} : void 0);
-		if (completion.state !== state) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+		if (completion.state !== state) throw oauthStateMismatchError(target.server);
 		const params = new URLSearchParams({
 			grant_type: "authorization_code",
 			code: completion.code,
@@ -17659,9 +17659,9 @@ async function runGenericOAuthFlow(target, options = {}) {
 }
 function extractCompletion(input) {
 	try {
-		const url = new URL(input);
-		const code = url.searchParams.get("code");
-		const state = url.searchParams.get("state") ?? void 0;
+		const url = new URL(stripOAuthCallbackUrlWrapping(input));
+		const code = extractOAuthCallbackParam(url, "code");
+		const state = extractOAuthCallbackParam(url, "state");
 		if (!code) throw new Error("missing code");
 		return state ? {
 			code,
@@ -17671,6 +17671,27 @@ function extractCompletion(input) {
 		return { code: input.trim() };
 	}
 }
+function stripOAuthCallbackUrlWrapping(input) {
+	return input.replace(/\s+/g, "");
+}
+function extractOAuthCallbackParam(url, name) {
+	const query = url.search.startsWith("?") ? url.search.slice(1) : url.search;
+	for (const part of query.split("&")) {
+		const separator = part.indexOf("=");
+		const rawName = separator < 0 ? part : part.slice(0, separator);
+		const rawValue = separator < 0 ? "" : part.slice(separator + 1);
+		if (decodeOAuthCallbackQueryValue(rawName) === name) return decodeOAuthCallbackQueryValue(rawValue) || void 0;
+	}
+}
+function decodeOAuthCallbackQueryValue(value) {
+	return decodeURIComponent(value);
+}
+function oauthStateMismatchError(server) {
+	return new CapletsError("AUTH_FAILED", "OAuth callback state did not match. Re-run auth login and use the authorization URL and callback URL from the same attempt.", {
+		server,
+		nextAction: "rerun_caplets_auth_login"
+	});
+}
 function classifyRemoteAuthError(server, response) {
 	if (response.status !== 401 && response.status !== 403) return;
 	const challenge = extractWWWAuthenticateParams(response);
@@ -61779,7 +61800,7 @@ var CapletsEngine = class {
 		}
 	}
 	async completeCliWords(words) {
-		const { completeCliWords } = await import("./completion-D-kuyArL.js").then((n) => n.r);
+		const { completeCliWords } = await import("./completion-DZg_TWiX.js").then((n) => n.r);
 		return await completeCliWords(words, {
 			config: this.registry.config,
 			managers: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@caplets/core",
-  "version": "0.20.1",
+  "version": "0.20.2",
   "description": "Core runtime library for Caplets Code Mode and progressive disclosure gateways.",
   "keywords": [
     "caplets",