npm - @inetafrica/open-claudia - Versions diffs - 2.2.3 → 2.2.4 - Mend

@inetafrica/open-claudia 2.2.3 → 2.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,10 @@
 # Changelog
+## v2.2.4
+- Bearer auth on `/api/*`: when `BOT_CONTROL_TOKEN` is set in the env, requests with `Authorization: Bearer <token>` are accepted in addition to the existing cookie session. Behaviour is unchanged when the env var is not set, so local installs are not affected.
+- `/upgrade` detects an AgentSpace-managed pod (both `AGENTSPACE_POD_TOKEN` and `AGENTSPACE_API_URL` set) and delegates to `POST /pods/self/upgrade` on the control plane instead of running `npm install -g` locally. The control plane rolls the deployment with a fresh image pull. Local installs fall through to the existing npm upgrade path.
+- Password change in the web UI fires a fire-and-forget `POST /pods/self/password-changed` callback so the control plane can flag the pod as having a user-set password and refuse to leak the stale initial value.
 ## v2.2.3
 - Queue drain now batches: when multiple messages are received while a task is running, they're delivered as one combined follow-up turn instead of N isolated turns. The model sees them together (numbered, with HH:MM:SS queue timestamps), in context of what it just finished, so it can plan across them. A single queued message still delivers as before — no behavior change for the common case.

package/core/handlers.js CHANGED Viewed

@@ -301,10 +301,55 @@ register({
   },
 });
+async function requestAgentSpaceUpgrade() {
+  const apiUrl = process.env.AGENTSPACE_API_URL;
+  const token = process.env.AGENTSPACE_POD_TOKEN;
+  if (!apiUrl || !token) return null;
+  const u = new URL("/pods/self/upgrade", apiUrl);
+  const lib = u.protocol === "https:" ? require("https") : require("http");
+  return new Promise((resolve) => {
+    const req = lib.request({
+      method: "POST",
+      hostname: u.hostname,
+      port: u.port || (u.protocol === "https:" ? 443 : 80),
+      path: u.pathname + u.search,
+      headers: {
+        "Authorization": `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "Content-Length": "0",
+      },
+    }, (res) => {
+      let data = "";
+      res.on("data", (c) => { data += c; });
+      res.on("end", () => resolve({ status: res.statusCode, body: data }));
+    });
+    req.on("error", (e) => resolve({ status: 0, body: String(e.message || e) }));
+    req.setTimeout(15000, () => { req.destroy(new Error("timeout")); });
+    req.end();
+  });
+}
 register({
   name: "upgrade", description: "Upgrade and restart", ownerOnly: true,
   handler: async (env) => {
     if (!ownerEnv(env)) return;
+    // Container-managed upgrade: if AgentSpace injected pod-self credentials,
+    // delegate to the control plane so the deployment can be rolled with a
+    // fresh image pull. The local npm path can't do that.
+    if (process.env.AGENTSPACE_POD_TOKEN && process.env.AGENTSPACE_API_URL) {
+      try {
+        const result = await requestAgentSpaceUpgrade();
+        if (result && (result.status === 202 || result.status === 200)) {
+          await send("Upgrade requested — AgentSpace will pull latest image and restart, see you in a minute.");
+          return;
+        }
+        await send(`Upgrade request failed (status ${result?.status || "?"}). ${(result?.body || "").slice(0, 300)}`);
+        return;
+      } catch (e) {
+        await send(`Upgrade request error: ${e.message || e}`);
+        return;
+      }
+    }
     try { process.chdir(process.env.HOME || require("os").homedir()); } catch (e) {}
     let latest = null;
     try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@inetafrica/open-claudia",
-  "version": "2.2.3",
+  "version": "2.2.4",
   "description": "Your always-on AI coding assistant — Claude Code, Cursor Agent, and OpenAI Codex via Telegram or Kazee Chat",
   "main": "bot.js",
   "bin": {

package/web.js CHANGED Viewed

@@ -48,9 +48,48 @@ function validatePasswordComplexity(pw) {
 function setPassword(newPassword) {
   fs.writeFileSync(WEB_PASSWORD_FILE, newPassword);
   fs.writeFileSync(PASSWORD_CHANGED_FILE, new Date().toISOString());
+  notifyAgentSpacePasswordChanged();
+}
+function notifyAgentSpacePasswordChanged() {
+  const apiUrl = process.env.AGENTSPACE_API_URL;
+  const token = process.env.AGENTSPACE_POD_TOKEN;
+  if (!apiUrl || !token) return;
+  let u;
+  try { u = new URL("/pods/self/password-changed", apiUrl); } catch (e) { return; }
+  const lib = u.protocol === "https:" ? require("https") : require("http");
+  const req = lib.request({
+    method: "POST",
+    hostname: u.hostname,
+    port: u.port || (u.protocol === "https:" ? 443 : 80),
+    path: u.pathname + u.search,
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json",
+      "Content-Length": "0",
+    },
+  });
+  req.on("error", () => {});
+  req.setTimeout(5000, () => { try { req.destroy(); } catch (e) {} });
+  req.end();
+}
+function checkBearerAuth(req) {
+  const expected = process.env.BOT_CONTROL_TOKEN;
+  if (!expected) return false;
+  const header = req.headers.authorization || "";
+  if (!header.startsWith("Bearer ")) return false;
+  const presented = header.slice(7).trim();
+  if (presented.length !== expected.length) return false;
+  try {
+    return crypto.timingSafeEqual(Buffer.from(presented), Buffer.from(expected));
+  } catch (e) {
+    return false;
+  }
 }
 function checkAuth(req) {
+  if (checkBearerAuth(req)) return true;
   const cookie = (req.headers.cookie || "").split(";").find((c) => c.trim().startsWith("oc_session="));
   if (!cookie) return false;
   const token = cookie.split("=")[1]?.trim();