@hybridaione/hybridclaw 0.25.0 → 0.25.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +18 -0
- package/README.md +1 -1
- package/console/package.json +1 -1
- package/container/npm-shrinkwrap.json +2 -2
- package/container/package-lock.json +2 -2
- package/container/package.json +1 -1
- package/dist/gateway/gateway-http-server.d.ts.map +1 -1
- package/dist/gateway/gateway-http-server.js +8 -8
- package/dist/gateway/gateway-http-server.js.map +1 -1
- package/dist/security/admin-rbac.d.ts.map +1 -1
- package/dist/security/admin-rbac.js +9 -2
- package/dist/security/admin-rbac.js.map +1 -1
- package/docs/content/developer-guide/admin-access-control.md +4 -2
- package/npm-shrinkwrap.json +5 -5
- package/package.json +3 -3
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,24 @@
|
|
|
2
2
|
|
|
3
3
|
## Unreleased
|
|
4
4
|
|
|
5
|
+
## [0.25.2](https://github.com/HybridAIOne/hybridclaw/tree/v0.25.2) - 2026-06-20
|
|
6
|
+
|
|
7
|
+
### Fixed
|
|
8
|
+
|
|
9
|
+
- **Cloud chat write authentication**: Cookie-authenticated browser writes now
|
|
10
|
+
accept browser-confirmed same-origin fetch metadata, restoring cloud chat
|
|
11
|
+
prompts, slash commands, agent changes, and model changes behind the
|
|
12
|
+
TLS-terminating proxy.
|
|
13
|
+
|
|
14
|
+
## [0.25.1](https://github.com/HybridAIOne/hybridclaw/tree/v0.25.1) - 2026-06-20
|
|
15
|
+
|
|
16
|
+
### Fixed
|
|
17
|
+
|
|
18
|
+
- **HybridAI cloud admin sessions**: HybridAI-launched sessions without scoped
|
|
19
|
+
RBAC claims are treated as full admin sessions for compatibility, explicit
|
|
20
|
+
scoped sessions remain restricted, and cookie-authenticated admin mutations
|
|
21
|
+
respect forwarded public origins behind the cloud proxy.
|
|
22
|
+
|
|
5
23
|
## [0.25.0](https://github.com/HybridAIOne/hybridclaw/tree/v0.25.0) - 2026-06-20
|
|
6
24
|
|
|
7
25
|
### Added
|
package/README.md
CHANGED
|
@@ -220,7 +220,7 @@ Core pieces:
|
|
|
220
220
|
| Build desktop releases | [Desktop Release Builds](https://hybridaione.github.io/hybridclaw/docs/developer-guide/desktop-release) |
|
|
221
221
|
| Contribute | [CONTRIBUTING.md](./CONTRIBUTING.md), [docs/content/README.md](./docs/content/README.md) |
|
|
222
222
|
|
|
223
|
-
Latest release: [v0.25.
|
|
223
|
+
Latest release: [v0.25.2](https://github.com/HybridAIOne/hybridclaw/releases/tag/v0.25.2).
|
|
224
224
|
Release notes: [CHANGELOG.md](./CHANGELOG.md)
|
|
225
225
|
|
|
226
226
|
## Development
|
package/console/package.json
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "hybridclaw-agent",
|
|
3
|
-
"version": "0.25.
|
|
3
|
+
"version": "0.25.2",
|
|
4
4
|
"lockfileVersion": 3,
|
|
5
5
|
"requires": true,
|
|
6
6
|
"packages": {
|
|
7
7
|
"": {
|
|
8
8
|
"name": "hybridclaw-agent",
|
|
9
|
-
"version": "0.25.
|
|
9
|
+
"version": "0.25.2",
|
|
10
10
|
"dependencies": {
|
|
11
11
|
"@modelcontextprotocol/sdk": "1.29.0",
|
|
12
12
|
"@mozilla/readability": "0.6.0",
|
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "hybridclaw-agent",
|
|
3
|
-
"version": "0.25.
|
|
3
|
+
"version": "0.25.2",
|
|
4
4
|
"lockfileVersion": 3,
|
|
5
5
|
"requires": true,
|
|
6
6
|
"packages": {
|
|
7
7
|
"": {
|
|
8
8
|
"name": "hybridclaw-agent",
|
|
9
|
-
"version": "0.25.
|
|
9
|
+
"version": "0.25.2",
|
|
10
10
|
"dependencies": {
|
|
11
11
|
"@modelcontextprotocol/sdk": "1.29.0",
|
|
12
12
|
"@mozilla/readability": "0.6.0",
|
package/container/package.json
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gateway-http-server.d.ts","sourceRoot":"","sources":["../../src/gateway/gateway-http-server.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"gateway-http-server.d.ts","sourceRoot":"","sources":["../../src/gateway/gateway-http-server.ts"],"names":[],"mappings":"AA8zNA,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,EAAE,MAAM,IAAI,CAAC;IAC9B,QAAQ,EAAE,MAAM,IAAI,CAAC;CACtB;AAED,wBAAgB,sBAAsB,IAAI,iBAAiB,CAk3B1D"}
|
|
@@ -1381,18 +1381,18 @@ function requestUsesHttps(req) {
|
|
|
1381
1381
|
return forwardedProto === 'https';
|
|
1382
1382
|
return req.socket.encrypted === true;
|
|
1383
1383
|
}
|
|
1384
|
-
function resolveRequestOriginForAuth(req) {
|
|
1385
|
-
const host = String(req.headers.host || '').trim();
|
|
1386
|
-
if (!host)
|
|
1387
|
-
return null;
|
|
1388
|
-
const protocol = requestUsesHttps(req) ? 'https' : 'http';
|
|
1389
|
-
return `${protocol}://${host}`;
|
|
1390
|
-
}
|
|
1391
1384
|
function hasSameGatewayOrigin(req) {
|
|
1392
1385
|
const origin = String(req.headers.origin || '').trim();
|
|
1393
1386
|
if (!origin)
|
|
1394
1387
|
return false;
|
|
1395
|
-
|
|
1388
|
+
if (origin === resolveRequestOrigin(req))
|
|
1389
|
+
return true;
|
|
1390
|
+
// Browsers set this header from the actual page/request relationship. It
|
|
1391
|
+
// keeps cookie-backed writes working behind TLS-terminating proxies even
|
|
1392
|
+
// when the backend cannot reconstruct the public origin exactly.
|
|
1393
|
+
return (String(req.headers['sec-fetch-site'] || '')
|
|
1394
|
+
.trim()
|
|
1395
|
+
.toLowerCase() === 'same-origin');
|
|
1396
1396
|
}
|
|
1397
1397
|
function hasApiAuth(req, url, opts) {
|
|
1398
1398
|
const authHeader = req.headers.authorization || '';
|