@neuralnomads/codenomad 0.9.1 → 0.9.3

package/README.md

@@ -51,8 +51,17 @@ You can configure the server using flags or environment variables:
 | `--config <path>` | `CLI_CONFIG` | Config file location |
 | `--launch` | `CLI_LAUNCH` | Open the UI in a Chromium-based browser |
 | `--log-level <level>` | `CLI_LOG_LEVEL` | Logging level (trace, debug, info, warn, error) |
+| `--username <username>` | `CODENOMAD_SERVER_USERNAME` | Username for CodeNomad's internal auth (default `codenomad`) |
+| `--password <password>` | `CODENOMAD_SERVER_PASSWORD` | Password for CodeNomad's internal auth |
+| `--generate-token` | `CODENOMAD_GENERATE_TOKEN` | Emit a one-time local bootstrap token for desktop flows |
+| `--dangerously-skip-auth` | `CODENOMAD_SKIP_AUTH` | Disable CodeNomad's internal auth (use only behind a trusted perimeter) |
+
+### Authentication
+- Default behavior: CodeNomad requires a login (username/password) and stores a session cookie in the browser.
+- `--dangerously-skip-auth` / `CODENOMAD_SKIP_AUTH=true` disables the login prompt and treats all requests as authenticated.
+  Use this only when access is already protected by another layer (SSO proxy, VPN, Coder workspace auth, etc.).
+  If you bind to `0.0.0.0` while skipping auth, anyone who can reach the port can access the API.
 
 ### Data Storage
 - **Config**: `~/.config/codenomad/config.json`
 - **Instance Data**: `~/.config/codenomad/instances` (chat history, etc.)
-

package/dist/auth/manager.js

@@ -12,6 +12,12 @@ export class AuthManager {
         this.logger = logger;
         this.sessionManager = new SessionManager();
         this.cookieName = DEFAULT_AUTH_COOKIE_NAME;
+        this.authEnabled = !Boolean(init.dangerouslySkipAuth);
+        if (!this.authEnabled) {
+            this.authStore = null;
+            this.tokenManager = null;
+            return;
+        }
         const authFilePath = resolveAuthFilePath(init.configPath);
         this.authStore = new AuthStore(authFilePath, logger.child({ component: "auth" }));
         // Startup: password comes from CLI/env, auth.json, or bootstrap-only mode.
@@ -22,6 +28,9 @@ export class AuthManager {
         });
         this.tokenManager = init.generateToken ? new TokenManager(60000) : null;
     }
+    isAuthEnabled() {
+        return this.authEnabled;
+    }
     getCookieName() {
         return this.cookieName;
     }
@@ -39,21 +48,38 @@ export class AuthManager {
         return this.tokenManager.consume(token);
     }
     validateLogin(username, password) {
-        return this.authStore.validateCredentials(username, password);
+        if (!this.authEnabled) {
+            return true;
+        }
+        return this.requireAuthStore().validateCredentials(username, password);
     }
     createSession(username) {
+        if (!this.authEnabled) {
+            return { id: "auth-disabled", createdAt: Date.now(), username: this.init.username };
+        }
         return this.sessionManager.createSession(username);
     }
     getStatus() {
-        return this.authStore.getStatus();
+        if (!this.authEnabled) {
+            return { username: this.init.username, passwordUserProvided: false };
+        }
+        return this.requireAuthStore().getStatus();
     }
     setPassword(password) {
-        return this.authStore.setPassword({ password, markUserProvided: true });
+        if (!this.authEnabled) {
+            throw new Error("Internal authentication is disabled");
+        }
+        return this.requireAuthStore().setPassword({ password, markUserProvided: true });
     }
     isLoopbackRequest(request) {
         return isLoopbackAddress(request.socket.remoteAddress);
     }
     getSessionFromRequest(request) {
+        if (!this.authEnabled) {
+            // When auth is disabled, treat all requests as authenticated.
+            // We still return a stable username so callers can display it.
+            return { username: this.init.username, sessionId: "auth-disabled" };
+        }
         const cookies = parseCookies(request.headers.cookie);
         const sessionId = cookies[this.cookieName];
         const session = this.sessionManager.getSession(sessionId);
@@ -67,6 +93,12 @@ export class AuthManager {
     clearSessionCookie(reply) {
         reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0 }));
     }
+    requireAuthStore() {
+        if (!this.authStore) {
+            throw new Error("Auth store is unavailable");
+        }
+        return this.authStore;
+    }
 }
 function resolveAuthFilePath(configPath) {
     const resolvedConfigPath = resolvePath(configPath);

package/dist/config/schema.js

@@ -10,8 +10,10 @@ const PreferencesSchema = z.object({
     thinkingBlocksExpansion: z.enum(["expanded", "collapsed"]).default("expanded"),
     showTimelineTools: z.boolean().default(true),
     lastUsedBinary: z.string().optional(),
+    locale: z.string().optional(),
     environmentVariables: z.record(z.string()).default({}),
     modelRecents: z.array(ModelPreferenceSchema).default([]),
+    modelFavorites: z.array(ModelPreferenceSchema).default([]),
     modelThinkingSelections: z.record(z.string(), z.string()).default({}),
     diffViewMode: z.enum(["split", "unified"]).default("split"),
     toolOutputExpansion: z.enum(["expanded", "collapsed"]).default("expanded"),

package/dist/index.js

@@ -51,9 +51,16 @@ function parseCliOptions(argv) {
         .addOption(new Option("--password <password>", "Password for server authentication").env("CODENOMAD_SERVER_PASSWORD"))
         .addOption(new Option("--generate-token", "Emit a one-time bootstrap token for desktop")
         .env("CODENOMAD_GENERATE_TOKEN")
+        .default(false))
+        .addOption(new Option("--dangerously-skip-auth", "Disable CodeNomad's internal auth. Use only behind a trusted perimeter (SSO/VPN/etc).")
+        .env("CODENOMAD_SKIP_AUTH")
         .default(false));
     program.parse(argv, { from: "user" });
     const parsed = program.opts();
+    const parseBooleanEnv = (value) => {
+        const normalized = (value ?? "").trim().toLowerCase();
+        return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "y" || normalized === "on";
+    };
     const resolvedRoot = parsed.workspaceRoot ?? parsed.root ?? process.cwd();
     const normalizedHost = resolveHost(parsed.host);
     const autoUpdateString = (parsed.uiAutoUpdate ?? "true").trim().toLowerCase();
@@ -75,6 +82,7 @@ function parseCliOptions(argv) {
         authUsername: parsed.username,
         authPassword: parsed.password,
         generateToken: Boolean(parsed.generateToken),
+        dangerouslySkipAuth: Boolean(parsed.dangerouslySkipAuth),
     };
 }
 function parsePort(input) {
@@ -110,6 +118,9 @@ async function main() {
         authPassword: options.authPassword ? "[REDACTED]" : undefined,
     };
     logger.info({ options: logOptions }, "Starting CodeNomad CLI server");
+    if (options.dangerouslySkipAuth) {
+        logger.warn("DANGEROUS: internal authentication is disabled (--dangerously-skip-auth / CODENOMAD_SKIP_AUTH).");
+    }
     const eventBus = new EventBus(eventLogger);
     const isLoopbackHost = (host) => host === "127.0.0.1" || host === "::1" || host.startsWith("127.");
     const serverMeta = {
@@ -127,8 +138,9 @@ async function main() {
         username: options.authUsername,
         password: options.authPassword,
         generateToken: options.generateToken,
+        dangerouslySkipAuth: options.dangerouslySkipAuth,
     }, logger.child({ component: "auth" }));
-    if (options.generateToken) {
+    if (options.generateToken && !options.dangerouslySkipAuth) {
         const token = authManager.issueBootstrapToken();
         if (token) {
             console.log(`${BOOTSTRAP_TOKEN_STDOUT_PREFIX}${token}`);

package/dist/opencode-config/package.json

@@ -3,6 +3,6 @@
   "version": "0.5.0",
   "private": true,
   "dependencies": {
-    "@opencode-ai/plugin": "1.1.30"
+    "@opencode-ai/plugin": "1.1.36"
   }
 }

package/dist/server/http-server.js

@@ -288,6 +288,12 @@ async function proxyWorkspaceRequest(args) {
             if (instanceAuthHeader) {
                 headers.authorization = instanceAuthHeader;
             }
+            // Enforce per-workspace directory scoping for all proxied OpenCode requests.
+            // OpenCode expects the *full* path; we send it via header to avoid query tampering.
+            const directory = workspace.path;
+            const isNonASCII = /[^\x00-\x7F]/.test(directory);
+            const encodedDirectory = isNonASCII ? encodeURIComponent(directory) : directory;
+            headers["x-opencode-directory"] = encodedDirectory;
             return headers;
         },
         onError: (proxyReply, { error }) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@neuralnomads/codenomad",
-  "version": "0.9.1",
+  "version": "0.9.3",
   "description": "CodeNomad Server",
   "author": {
     "name": "Neural Nomads",