npm - @growthub/cli - Versions diffs - 0.3.39 → 0.3.40 - Mend

@growthub/cli 0.3.39 → 0.3.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/assets/worker-kits/growthub-open-higgsfield-studio-v1/QUICKSTART.md CHANGED Viewed

@@ -50,7 +50,17 @@ Checks for `node`, `npm`, `git`, and `ffmpeg`. All four are required for local-f
 bash setup/clone-fork.sh
 ```
-Clones the Open Higgsfield AI repo to `~/open-higgsfield-ai`, installs dependencies, and starts the dev server at `http://localhost:3001`. Skip this if you are using browser-hosted or desktop-app mode.
+Clones the Open Higgsfield AI repo to `~/open-higgsfield-ai`, installs dependencies, **automatically applies the CORS proxy patch** (see `setup/patch-cors-proxy.sh`), and starts the dev server at `http://localhost:3001`.
+The CORS patch is required — the upstream repo calls `api.muapi.ai` directly from the browser, which modern browsers block. The patch routes all API calls through the local Next.js server instead.
+Skip this step if you are using browser-hosted or desktop-app mode.
+**Already cloned but hitting CORS errors?** Run the patch standalone:
+```bash
+bash setup/patch-cors-proxy.sh
+```
+Then restart your dev server.
 ---

package/assets/worker-kits/growthub-open-higgsfield-studio-v1/kit.json CHANGED Viewed

@@ -33,6 +33,7 @@
     "brands/growthub/brand-kit.md",
     "brands/NEW-CLIENT.md",
     "setup/clone-fork.sh",
+    "setup/patch-cors-proxy.sh",
     "setup/verify-env.mjs",
     "setup/check-deps.sh",
     "output/README.md",
@@ -79,6 +80,7 @@
       "brands/growthub/brand-kit.md",
       "brands/NEW-CLIENT.md",
       "setup/clone-fork.sh",
+      "setup/patch-cors-proxy.sh",
       "setup/verify-env.mjs",
       "setup/check-deps.sh",
       "output/README.md",

package/assets/worker-kits/growthub-open-higgsfield-studio-v1/runtime-assumptions.md CHANGED Viewed

@@ -34,6 +34,43 @@ If the local fork differs, the fork wins.
 ---
+## KNOWN FORK ISSUE — CORS POLICY (local-fork mode)
+**Status:** Fixed. Patch is applied automatically by `setup/clone-fork.sh`.
+**Root cause:** The upstream repo hardcodes `const BASE_URL = 'https://api.muapi.ai'` in
+`packages/studio/src/muapi.js`. All browser fetch/XHR calls go directly to the external
+API. `api.muapi.ai` does not return `Access-Control-Allow-Origin` headers, so every call
+from `localhost:3001` is blocked by the browser's CORS policy.
+**Errors you will see without the patch:**
+```
+Access to fetch at 'https://api.muapi.ai/api/v1/account/balance'
+from origin 'http://localhost:3001' has been blocked by CORS policy:
+No 'Access-Control-Allow-Origin' header is present on the requested resource.
+```
+**The fix:**
+1. `next.config.mjs` — rewrites `/muapi-proxy/:path*` → `https://api.muapi.ai/:path*` server-side
+2. `packages/studio/src/muapi.js` — `BASE_URL` changed to `'/muapi-proxy'`
+All browser calls now hit `localhost:3001/muapi-proxy/...` (same origin, no CORS).
+Next.js proxies them to `api.muapi.ai` from the server where CORS does not apply.
+**To apply manually if not already patched:**
+```bash
+bash setup/patch-cors-proxy.sh [path-to-fork]
+# defaults to ~/open-higgsfield-ai
+```
+**Affected functions in muapi.js:**
+- `getUserBalance` — `/api/v1/account/balance`
+- `submitAndPoll` — `/api/v1/${endpoint}`
+- `pollForResult` — `/api/v1/predictions/${requestId}/result`
+- `uploadFile` (XHR) — `/api/v1/upload_file`
+---
 ## EXECUTION SURFACES
 ### Local fork

package/assets/worker-kits/growthub-open-higgsfield-studio-v1/setup/clone-fork.sh CHANGED Viewed

@@ -20,6 +20,19 @@ cd "$FORK_DIR"
 echo "Installing dependencies..."
 npm install
+echo ""
+echo "Applying CORS proxy patch..."
+# The upstream repo calls api.muapi.ai directly from the browser, which is blocked
+# by CORS policy. This patch routes all API calls through the Next.js server.
+# See setup/patch-cors-proxy.sh for full explanation.
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/patch-cors-proxy.sh" ]; then
+  bash "$SCRIPT_DIR/patch-cors-proxy.sh" "$FORK_DIR"
+else
+  echo "WARNING: patch-cors-proxy.sh not found — skipping CORS patch."
+  echo "You may hit CORS errors when the studio calls api.muapi.ai from the browser."
+fi
 echo ""
 echo "Starting dev server on http://localhost:$PORT"
 echo "Press Ctrl+C to stop."

package/assets/worker-kits/growthub-open-higgsfield-studio-v1/setup/patch-cors-proxy.sh ADDED Viewed

@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+# patch-cors-proxy.sh — Apply Next.js CORS proxy patch to the Open Higgsfield AI local fork
+#
+# WHY THIS EXISTS
+# ---------------
+# The upstream repo calls api.muapi.ai directly from the browser (BASE_URL in muapi.js).
+# api.muapi.ai does not return Access-Control-Allow-Origin headers, so every browser
+# request from localhost:3001 is blocked by CORS policy.
+#
+# THE FIX
+# -------
+# 1. next.config.mjs — adds a rewrites() block:
+#      /muapi-proxy/:path* → https://api.muapi.ai/:path*   (server-side, no CORS)
+#
+# 2. packages/studio/src/muapi.js — changes BASE_URL:
+#      'https://api.muapi.ai'  →  '/muapi-proxy'
+#
+# All fetch/XHR calls now hit the local Next.js server which proxies them server-side.
+# No browser cross-origin request is made. CORS policy never fires.
+#
+# USAGE
+# -----
+#   bash setup/patch-cors-proxy.sh [path-to-fork]
+#
+# Defaults to ~/open-higgsfield-ai if no path given.
+# Safe to run multiple times — idempotent.
+set -e
+FORK_DIR="${1:-$HOME/open-higgsfield-ai}"
+NEXT_CONFIG="$FORK_DIR/next.config.mjs"
+MUAPI_JS="$FORK_DIR/packages/studio/src/muapi.js"
+echo ""
+echo "=== CORS Proxy Patch ==="
+echo "Fork: $FORK_DIR"
+echo ""
+# ── Guard: fork must exist ──────────────────────────────────────────────────
+if [ ! -d "$FORK_DIR" ]; then
+  echo "ERROR: Fork not found at $FORK_DIR"
+  echo "Run setup/clone-fork.sh first."
+  exit 1
+fi
+if [ ! -f "$NEXT_CONFIG" ]; then
+  echo "ERROR: next.config.mjs not found at $NEXT_CONFIG"
+  exit 1
+fi
+if [ ! -f "$MUAPI_JS" ]; then
+  echo "ERROR: muapi.js not found at $MUAPI_JS"
+  exit 1
+fi
+# ── Idempotency check ───────────────────────────────────────────────────────
+if grep -q "muapi-proxy" "$NEXT_CONFIG" 2>/dev/null; then
+  echo "✓ next.config.mjs already patched — skipping."
+  NEXT_DONE=1
+else
+  NEXT_DONE=0
+fi
+if grep -q "muapi-proxy" "$MUAPI_JS" 2>/dev/null; then
+  echo "✓ muapi.js already patched — skipping."
+  MUAPI_DONE=1
+else
+  MUAPI_DONE=0
+fi
+if [ "$NEXT_DONE" -eq 1 ] && [ "$MUAPI_DONE" -eq 1 ]; then
+  echo ""
+  echo "Both files already patched. Nothing to do."
+  exit 0
+fi
+# ── Backup originals ────────────────────────────────────────────────────────
+if [ "$NEXT_DONE" -eq 0 ]; then
+  cp "$NEXT_CONFIG" "$NEXT_CONFIG.orig"
+fi
+if [ "$MUAPI_DONE" -eq 0 ]; then
+  cp "$MUAPI_JS" "$MUAPI_JS.orig"
+fi
+# ── Patch next.config.mjs ───────────────────────────────────────────────────
+if [ "$NEXT_DONE" -eq 0 ]; then
+  cat > "$NEXT_CONFIG" << 'NEXTEOF'
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  transpilePackages: ['studio'],
+  // CORS proxy — forward all Muapi API calls through the Next.js server so
+  // the browser never makes cross-origin requests to api.muapi.ai directly.
+  // muapi.js uses BASE_URL = '/muapi-proxy', so every fetch/XHR hits
+  // /muapi-proxy/api/v1/... which Next.js rewrites to api.muapi.ai server-side.
+  async rewrites() {
+    return [
+      {
+        source: '/muapi-proxy/:path*',
+        destination: 'https://api.muapi.ai/:path*',
+      },
+    ];
+  },
+};
+export default nextConfig;
+NEXTEOF
+  echo "✓ next.config.mjs patched — added /muapi-proxy rewrites()"
+fi
+# ── Patch muapi.js ──────────────────────────────────────────────────────────
+if [ "$MUAPI_DONE" -eq 0 ]; then
+  # Replace the BASE_URL line only (targeted sed, not full file rewrite)
+  sed -i.bak \
+    "s|const BASE_URL = 'https://api.muapi.ai';|// Proxy through Next.js to avoid CORS. All calls route through /muapi-proxy/:path*\n// which next.config.mjs rewrites to api.muapi.ai server-side — no CORS headers needed.\nconst BASE_URL = '/muapi-proxy';|" \
+    "$MUAPI_JS"
+  # Remove sed backup (we already made our own)
+  rm -f "$MUAPI_JS.bak"
+  echo "✓ muapi.js patched — BASE_URL changed to '/muapi-proxy'"
+fi
+# ── Verify ───────────────────────────────────────────────────────────────────
+echo ""
+echo "Verifying patch..."
+if grep -q "muapi-proxy" "$NEXT_CONFIG" && grep -q "muapi-proxy" "$MUAPI_JS"; then
+  echo "✓ Patch verified. Both files updated correctly."
+else
+  echo "ERROR: Patch verification failed. Check the files manually."
+  echo "  $NEXT_CONFIG"
+  echo "  $MUAPI_JS"
+  exit 1
+fi
+echo ""
+echo "CORS proxy patch complete."
+echo "Restart the dev server to pick up next.config.mjs changes:"
+echo "  npm run dev -- --port 3001"
+echo ""

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@growthub/cli",
-  "version": "0.3.39",
+  "version": "0.3.40",
   "description": "Growthub CLI — orchestrate AI agent teams to run a business",
   "type": "module",
   "bin": {