@poncho-ai/cli 0.30.3 → 0.30.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @poncho-ai/cli@0.30.3 build /home/runner/work/poncho-ai/poncho-ai/packages/cli
+> @poncho-ai/cli@0.30.4 build /home/runner/work/poncho-ai/poncho-ai/packages/cli
 > tsup src/index.ts src/cli.ts --format esm --dts
 
 CLI Building entry: src/cli.ts, src/index.ts
@@ -9,10 +9,10 @@
 ESM Build start
 ESM dist/cli.js                          94.00 B
 ESM dist/index.js                        857.00 B
-ESM dist/run-interactive-ink-FUMHN6DS.js 56.86 KB
-ESM dist/chunk-FA546WPW.js               490.84 KB
-ESM ⚡️ Build success in 63ms
+ESM dist/run-interactive-ink-VEUZATR3.js 56.86 KB
+ESM dist/chunk-EZUW7UI3.js               491.51 KB
+ESM ⚡️ Build success in 62ms
 DTS Build start
-DTS ⚡️ Build success in 3898ms
+DTS ⚡️ Build success in 3983ms
 DTS dist/cli.d.ts   20.00 B
 DTS dist/index.d.ts 4.16 KB

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @poncho-ai/cli
 
+## 0.30.4
+
+### Patch Changes
+
+- [`ea8b5da`](https://github.com/cesr/poncho-ai/commit/ea8b5da1bca5d45c05a68a43c4850aacee612ffb) Thanks [@cesr](https://github.com/cesr)! - Fix internal self-fetch blocked by Vercel Deployment Protection and PONCHO_AUTH_TOKEN
+  - Include x-vercel-protection-bypass header when VERCEL_AUTOMATION_BYPASS_SECRET is set
+  - Internal requests with valid x-poncho-internal header bypass the PONCHO_AUTH_TOKEN auth gate
+  - Better error messages distinguishing Vercel Deployment Protection from internal auth failures
+
 ## 0.30.3
 
 ### Patch Changes

package/dist/{chunk-FA546WPW.js → chunk-EZUW7UI3.js}

@@ -9821,6 +9821,7 @@ ${resultBody}`,
   const doWaitUntil = (promise) => {
     if (waitUntilHook) waitUntilHook(promise);
   };
+  const vercelBypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();
   const selfFetchWithRetry = async (path, body, retries = 3) => {
     if (!selfBaseUrl) {
       console.error(`[poncho][self-fetch] Missing self base URL for ${path}`);
@@ -9829,12 +9830,16 @@ ${resultBody}`,
     let lastError;
     for (let attempt = 0; attempt < retries; attempt++) {
       try {
+        const headers = {
+          "Content-Type": "application/json",
+          "x-poncho-internal": internalSecret
+        };
+        if (vercelBypassSecret) {
+          headers["x-vercel-protection-bypass"] = vercelBypassSecret;
+        }
         const result = await fetch(`${selfBaseUrl}${path}`, {
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "x-poncho-internal": internalSecret
-          },
+          headers,
           body: body ? JSON.stringify(body) : void 0
         });
         if (result.ok) {
@@ -9858,9 +9863,15 @@ ${resultBody}`,
         lastError instanceof Error ? lastError.message : String(lastError)
       );
       if (lastError instanceof Error && (lastError.message.includes("HTTP 403") || lastError.message.includes("HTTP 401"))) {
-        console.error(
-          "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET."
-        );
+        if (lastError.message.includes("HTTP 401") && lastError.message.includes("<!doctype")) {
+          console.error(
+            "[poncho][self-fetch] Blocked by Vercel Deployment Protection. Set VERCEL_AUTOMATION_BYPASS_SECRET in your Vercel project settings and env vars."
+          );
+        } else {
+          console.error(
+            "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET."
+          );
+        }
       }
     } else {
       console.error(`[poncho][self-fetch] Failed ${path} after ${retries} attempt(s).`);
@@ -10309,8 +10320,9 @@ ${resultBody}`,
       return;
     }
     if (pathname.startsWith("/api/")) {
+      const isInternal = pathname.startsWith("/api/internal/") && request.method === "POST" && isValidInternalRequest(request.headers);
       const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
-      const isAuthenticated = !requireAuth || session || validateBearerToken(request.headers.authorization);
+      const isAuthenticated = isInternal || !requireAuth || session || validateBearerToken(request.headers.authorization);
       if (!isAuthenticated) {
         writeJson(response, 401, {
           code: "AUTH_ERROR",
@@ -12171,7 +12183,7 @@ var runInteractive = async (workingDir, params) => {
   await harness.initialize();
   const identity = await ensureAgentIdentity2(workingDir);
   try {
-    const { runInteractiveInk } = await import("./run-interactive-ink-FUMHN6DS.js");
+    const { runInteractiveInk } = await import("./run-interactive-ink-VEUZATR3.js");
     await runInteractiveInk({
       harness,
       params,

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   main
-} from "./chunk-FA546WPW.js";
+} from "./chunk-EZUW7UI3.js";
 
 // src/cli.ts
 void main();

package/dist/index.js

@@ -23,7 +23,7 @@ import {
   runTests,
   startDevServer,
   updateAgentGuidance
-} from "./chunk-FA546WPW.js";
+} from "./chunk-EZUW7UI3.js";
 export {
   addSkill,
   buildCli,

package/dist/{run-interactive-ink-FUMHN6DS.js → run-interactive-ink-VEUZATR3.js}

@@ -2,7 +2,7 @@ import {
   consumeFirstRunIntro,
   inferConversationTitle,
   resolveHarnessEnvironment
-} from "./chunk-FA546WPW.js";
+} from "./chunk-EZUW7UI3.js";
 
 // src/run-interactive-ink.ts
 import * as readline from "readline";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poncho-ai/cli",
-  "version": "0.30.3",
+  "version": "0.30.4",
   "description": "CLI for building and deploying AI agents",
   "repository": {
     "type": "git",
@@ -27,9 +27,9 @@
     "react": "^19.2.4",
     "react-devtools-core": "^6.1.5",
     "yaml": "^2.8.1",
-    "@poncho-ai/harness": "0.28.3",
+    "@poncho-ai/messaging": "0.7.2",
     "@poncho-ai/sdk": "1.6.1",
-    "@poncho-ai/messaging": "0.7.2"
+    "@poncho-ai/harness": "0.28.3"
   },
   "devDependencies": {
     "@types/busboy": "^1.5.4",

package/src/index.ts

@@ -3074,6 +3074,8 @@ export const createRequestHandler = async (options?: {
     if (waitUntilHook) waitUntilHook(promise);
   };
 
+  const vercelBypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();
+
   const selfFetchWithRetry = async (path: string, body?: Record<string, unknown>, retries = 3): Promise<Response | void> => {
     if (!selfBaseUrl) {
       console.error(`[poncho][self-fetch] Missing self base URL for ${path}`);
@@ -3082,12 +3084,16 @@ export const createRequestHandler = async (options?: {
     let lastError: unknown;
     for (let attempt = 0; attempt < retries; attempt++) {
       try {
+        const headers: Record<string, string> = {
+          "Content-Type": "application/json",
+          "x-poncho-internal": internalSecret,
+        };
+        if (vercelBypassSecret) {
+          headers["x-vercel-protection-bypass"] = vercelBypassSecret;
+        }
         const result = await fetch(`${selfBaseUrl}${path}`, {
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "x-poncho-internal": internalSecret,
-          },
+          headers,
           body: body ? JSON.stringify(body) : undefined,
         });
         if (result.ok) {
@@ -3114,9 +3120,15 @@ export const createRequestHandler = async (options?: {
         lastError instanceof Error
         && (lastError.message.includes("HTTP 403") || lastError.message.includes("HTTP 401"))
       ) {
-        console.error(
-          "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET.",
-        );
+        if (lastError.message.includes("HTTP 401") && lastError.message.includes("<!doctype")) {
+          console.error(
+            "[poncho][self-fetch] Blocked by Vercel Deployment Protection. Set VERCEL_AUTOMATION_BYPASS_SECRET in your Vercel project settings and env vars.",
+          );
+        } else {
+          console.error(
+            "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET.",
+          );
+        }
       }
     } else {
       console.error(`[poncho][self-fetch] Failed ${path} after ${retries} attempt(s).`);
@@ -3634,9 +3646,12 @@ export const createRequestHandler = async (options?: {
     }
 
     if (pathname.startsWith("/api/")) {
-      // Check authentication: either valid session (Web UI) or valid Bearer token (API)
+      // Internal self-fetch requests bypass user-facing auth
+      const isInternal = pathname.startsWith("/api/internal/") && request.method === "POST" && isValidInternalRequest(request.headers);
+
+      // Check authentication: either valid session (Web UI), valid Bearer token (API), or valid internal request
       const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
-      const isAuthenticated = !requireAuth || session || validateBearerToken(request.headers.authorization);
+      const isAuthenticated = isInternal || !requireAuth || session || validateBearerToken(request.headers.authorization);
 
       if (!isAuthenticated) {
         writeJson(response, 401, {