@lifeaitools/clauth 1.5.55 → 1.5.56

package/cli/commands/serve.js

@@ -4774,16 +4774,14 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       }
     }
 
-    // Unknown route — don't count browser/MCP noise as auth failures
-    const isBenign = reqPath.startsWith("/.well-known/") || [
-      "/favicon.ico", "/robots.txt", "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png",
-      "/sse", "/mcp", "/gws", "/clauth", "/message", "/register", "/authorize", "/token", "/shutdown", "/restart",
-    ].includes(reqPath);
-    if (isBenign) {
-      res.writeHead(404, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({ error: "Not found" }));
-    }
-    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
+    // Unknown route — a wrong URL is not an auth failure. Log it, return 404,
+    // but do NOT increment failCount (which locks the vault at MAX_FAILS).
+    // Auth failures (wrong password, wrong token) still strike via /auth and /get/:service.
+    try {
+      fs.appendFileSync(LOG_FILE, `[${new Date().toISOString()}] 404 ${method} ${reqPath}\n`);
+    } catch {}
+    res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+    return res.end(JSON.stringify({ error: `Unknown endpoint: ${reqPath}` }));
   });
 
   // OAuth 2.1 public client — no static credentials to expose

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.55",
+  "version": "1.5.56",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {