@poncho-ai/cli 0.30.3 → 0.30.5

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @poncho-ai/cli@0.30.3 build /home/runner/work/poncho-ai/poncho-ai/packages/cli
+> @poncho-ai/cli@0.30.5 build /home/runner/work/poncho-ai/poncho-ai/packages/cli
 > tsup src/index.ts src/cli.ts --format esm --dts
 
 CLI Building entry: src/cli.ts, src/index.ts
@@ -9,10 +9,10 @@
 ESM Build start
 ESM dist/cli.js                          94.00 B
 ESM dist/index.js                        857.00 B
-ESM dist/run-interactive-ink-FUMHN6DS.js 56.86 KB
-ESM dist/chunk-FA546WPW.js               490.84 KB
-ESM ⚡️ Build success in 63ms
+ESM dist/run-interactive-ink-KA5V5BSJ.js 56.86 KB
+ESM dist/chunk-V3H773RB.js               492.00 KB
+ESM ⚡️ Build success in 62ms
 DTS Build start
-DTS ⚡️ Build success in 3898ms
+DTS ⚡️ Build success in 4158ms
 DTS dist/cli.d.ts   20.00 B
 DTS dist/index.d.ts 4.16 KB

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @poncho-ai/cli
 
+## 0.30.5
+
+### Patch Changes
+
+- [`031abc7`](https://github.com/cesr/poncho-ai/commit/031abc770b85141da5fdd209c6bf8f594f5552e4) Thanks [@cesr](https://github.com/cesr)! - Fix cron job continuation on serverless
+  - Persist \_continuationMessages so cron continuations resume from correct harness state
+  - Use selfFetchWithRetry with doWaitUntil instead of raw fetch for cron continuation trigger
+  - Extend internal auth bypass to /api/cron/ paths for continuation self-fetch
+  - Add startup warning when VERCEL_AUTOMATION_BYPASS_SECRET is missing
+
+## 0.30.4
+
+### Patch Changes
+
+- [`ea8b5da`](https://github.com/cesr/poncho-ai/commit/ea8b5da1bca5d45c05a68a43c4850aacee612ffb) Thanks [@cesr](https://github.com/cesr)! - Fix internal self-fetch blocked by Vercel Deployment Protection and PONCHO_AUTH_TOKEN
+  - Include x-vercel-protection-bypass header when VERCEL_AUTOMATION_BYPASS_SECRET is set
+  - Internal requests with valid x-poncho-internal header bypass the PONCHO_AUTH_TOKEN auth gate
+  - Better error messages distinguishing Vercel Deployment Protection from internal auth failures
+
 ## 0.30.3
 
 ### Patch Changes

package/dist/{chunk-FA546WPW.js → chunk-V3H773RB.js}

@@ -9821,6 +9821,12 @@ ${resultBody}`,
   const doWaitUntil = (promise) => {
     if (waitUntilHook) waitUntilHook(promise);
   };
+  const vercelBypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();
+  if (process.env.VERCEL && !vercelBypassSecret) {
+    console.warn(
+      "\n[poncho] Vercel Deployment Protection will block subagents and auto-continuation.\n  Enable 'Protection Bypass for Automation' in your Vercel project settings:\n  -> Project Settings > Deployment Protection > Protection Bypass for Automation\n  The secret is auto-provisioned as VERCEL_AUTOMATION_BYPASS_SECRET.\n"
+    );
+  }
   const selfFetchWithRetry = async (path, body, retries = 3) => {
     if (!selfBaseUrl) {
       console.error(`[poncho][self-fetch] Missing self base URL for ${path}`);
@@ -9829,12 +9835,16 @@ ${resultBody}`,
     let lastError;
     for (let attempt = 0; attempt < retries; attempt++) {
       try {
+        const headers = {
+          "Content-Type": "application/json",
+          "x-poncho-internal": internalSecret
+        };
+        if (vercelBypassSecret) {
+          headers["x-vercel-protection-bypass"] = vercelBypassSecret;
+        }
         const result = await fetch(`${selfBaseUrl}${path}`, {
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "x-poncho-internal": internalSecret
-          },
+          headers,
           body: body ? JSON.stringify(body) : void 0
         });
         if (result.ok) {
@@ -9858,9 +9868,15 @@ ${resultBody}`,
         lastError instanceof Error ? lastError.message : String(lastError)
       );
       if (lastError instanceof Error && (lastError.message.includes("HTTP 403") || lastError.message.includes("HTTP 401"))) {
-        console.error(
-          "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET."
-        );
+        if (lastError.message.includes("HTTP 401") && lastError.message.includes("<!doctype")) {
+          console.error(
+            "[poncho][self-fetch] Blocked by Vercel Deployment Protection. Set VERCEL_AUTOMATION_BYPASS_SECRET in your Vercel project settings and env vars."
+          );
+        } else {
+          console.error(
+            "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET."
+          );
+        }
       }
     } else {
       console.error(`[poncho][self-fetch] Failed ${path} after ${retries} attempt(s).`);
@@ -10309,8 +10325,10 @@ ${resultBody}`,
       return;
     }
     if (pathname.startsWith("/api/")) {
+      const isInternalPath = pathname.startsWith("/api/internal/") || pathname.startsWith("/api/cron/");
+      const isInternal = isInternalPath && request.method === "POST" && isValidInternalRequest(request.headers);
       const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
-      const isAuthenticated = !requireAuth || session || validateBearerToken(request.headers.authorization);
+      const isAuthenticated = isInternal || !requireAuth || session || validateBearerToken(request.headers.authorization);
       if (!isAuthenticated) {
         writeJson(response, 401, {
           code: "AUTH_ERROR",
@@ -11592,7 +11610,7 @@ ${cronJob.task}`;
             });
             return;
           }
-          historyMessages = [...conversation.messages];
+          historyMessages = conversation._continuationMessages?.length ? [...conversation._continuationMessages] : [...conversation.messages];
         } else {
           const timestamp = (/* @__PURE__ */ new Date()).toISOString();
           conversation = await conversationStore.create(
@@ -11610,6 +11628,7 @@ ${cronJob.task}`;
           const abortController = new AbortController();
           let assistantResponse = "";
           let latestRunId = "";
+          let runContinuationMessages;
           const toolTimeline = [];
           const sections = [];
           let currentTools = [];
@@ -11668,6 +11687,9 @@ ${cronJob.task}`;
                 contextTokens: event.result.contextTokens,
                 contextWindow: event.result.contextWindow
               };
+              if (event.result.continuation && event.result.continuationMessages) {
+                runContinuationMessages = event.result.continuationMessages;
+              }
               if (!assistantResponse && event.result.response) {
                 assistantResponse = event.result.response;
               }
@@ -11695,37 +11717,30 @@ ${cronJob.task}`;
           ];
           const freshConv = await conversationStore.get(convId);
           if (freshConv) {
-            freshConv.messages = messages;
+            if (runContinuationMessages) {
+              freshConv._continuationMessages = runContinuationMessages;
+            } else {
+              freshConv._continuationMessages = void 0;
+              freshConv.messages = messages;
+            }
             freshConv.runtimeRunId = latestRunId || freshConv.runtimeRunId;
             if (runResult.contextTokens) freshConv.contextTokens = runResult.contextTokens;
             if (runResult.contextWindow) freshConv.contextWindow = runResult.contextWindow;
             freshConv.updatedAt = Date.now();
             await conversationStore.update(freshConv);
           }
-          if (runResult.continuation && softDeadlineMs > 0) {
-            const selfUrl = `http://${request.headers.host ?? "localhost"}${pathname}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
-            try {
-              const selfRes = await fetch(selfUrl, {
-                method: "GET",
-                headers: request.headers.authorization ? { authorization: request.headers.authorization } : {}
-              });
-              const selfBody = await selfRes.json();
-              writeJson(response, 200, {
-                conversationId: convId,
-                status: "continued",
-                continuations: continuationCount + 1,
-                finalResult: selfBody,
-                duration: Date.now() - start
-              });
-            } catch (continueError) {
-              writeJson(response, 200, {
-                conversationId: convId,
-                status: "continuation_failed",
-                error: continueError instanceof Error ? continueError.message : "Unknown error",
-                duration: Date.now() - start,
-                steps: runResult.steps
-              });
-            }
+          if (runResult.continuation) {
+            const continuationPath = `/api/cron/${encodeURIComponent(jobName)}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
+            const work = selfFetchWithRetry(continuationPath).catch(
+              (err) => console.error(`[poncho][cron] Continuation self-fetch failed:`, err instanceof Error ? err.message : err)
+            );
+            doWaitUntil(work);
+            writeJson(response, 200, {
+              conversationId: convId,
+              status: "continued",
+              continuations: continuationCount + 1,
+              duration: Date.now() - start
+            });
             return;
           }
           writeJson(response, 200, {
@@ -12171,7 +12186,7 @@ var runInteractive = async (workingDir, params) => {
   await harness.initialize();
   const identity = await ensureAgentIdentity2(workingDir);
   try {
-    const { runInteractiveInk } = await import("./run-interactive-ink-FUMHN6DS.js");
+    const { runInteractiveInk } = await import("./run-interactive-ink-KA5V5BSJ.js");
     await runInteractiveInk({
       harness,
       params,

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   main
-} from "./chunk-FA546WPW.js";
+} from "./chunk-V3H773RB.js";
 
 // src/cli.ts
 void main();

package/dist/index.js

@@ -23,7 +23,7 @@ import {
   runTests,
   startDevServer,
   updateAgentGuidance
-} from "./chunk-FA546WPW.js";
+} from "./chunk-V3H773RB.js";
 export {
   addSkill,
   buildCli,

package/dist/{run-interactive-ink-FUMHN6DS.js → run-interactive-ink-KA5V5BSJ.js}

@@ -2,7 +2,7 @@ import {
   consumeFirstRunIntro,
   inferConversationTitle,
   resolveHarnessEnvironment
-} from "./chunk-FA546WPW.js";
+} from "./chunk-V3H773RB.js";
 
 // src/run-interactive-ink.ts
 import * as readline from "readline";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poncho-ai/cli",
-  "version": "0.30.3",
+  "version": "0.30.5",
   "description": "CLI for building and deploying AI agents",
   "repository": {
     "type": "git",

package/src/index.ts

@@ -3074,6 +3074,16 @@ export const createRequestHandler = async (options?: {
     if (waitUntilHook) waitUntilHook(promise);
   };
 
+  const vercelBypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();
+  if (process.env.VERCEL && !vercelBypassSecret) {
+    console.warn(
+      "\n[poncho] Vercel Deployment Protection will block subagents and auto-continuation." +
+      "\n  Enable 'Protection Bypass for Automation' in your Vercel project settings:" +
+      "\n  -> Project Settings > Deployment Protection > Protection Bypass for Automation" +
+      "\n  The secret is auto-provisioned as VERCEL_AUTOMATION_BYPASS_SECRET.\n",
+    );
+  }
+
   const selfFetchWithRetry = async (path: string, body?: Record<string, unknown>, retries = 3): Promise<Response | void> => {
     if (!selfBaseUrl) {
       console.error(`[poncho][self-fetch] Missing self base URL for ${path}`);
@@ -3082,12 +3092,16 @@ export const createRequestHandler = async (options?: {
     let lastError: unknown;
     for (let attempt = 0; attempt < retries; attempt++) {
       try {
+        const headers: Record<string, string> = {
+          "Content-Type": "application/json",
+          "x-poncho-internal": internalSecret,
+        };
+        if (vercelBypassSecret) {
+          headers["x-vercel-protection-bypass"] = vercelBypassSecret;
+        }
         const result = await fetch(`${selfBaseUrl}${path}`, {
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "x-poncho-internal": internalSecret,
-          },
+          headers,
           body: body ? JSON.stringify(body) : undefined,
         });
         if (result.ok) {
@@ -3114,9 +3128,15 @@ export const createRequestHandler = async (options?: {
         lastError instanceof Error
         && (lastError.message.includes("HTTP 403") || lastError.message.includes("HTTP 401"))
       ) {
-        console.error(
-          "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET.",
-        );
+        if (lastError.message.includes("HTTP 401") && lastError.message.includes("<!doctype")) {
+          console.error(
+            "[poncho][self-fetch] Blocked by Vercel Deployment Protection. Set VERCEL_AUTOMATION_BYPASS_SECRET in your Vercel project settings and env vars.",
+          );
+        } else {
+          console.error(
+            "[poncho][self-fetch] Internal auth failed. Ensure all serverless instances share PONCHO_INTERNAL_SECRET.",
+          );
+        }
       }
     } else {
       console.error(`[poncho][self-fetch] Failed ${path} after ${retries} attempt(s).`);
@@ -3634,9 +3654,13 @@ export const createRequestHandler = async (options?: {
     }
 
     if (pathname.startsWith("/api/")) {
-      // Check authentication: either valid session (Web UI) or valid Bearer token (API)
+      // Internal self-fetch requests bypass user-facing auth
+      const isInternalPath = pathname.startsWith("/api/internal/") || pathname.startsWith("/api/cron/");
+      const isInternal = isInternalPath && request.method === "POST" && isValidInternalRequest(request.headers);
+
+      // Check authentication: either valid session (Web UI), valid Bearer token (API), or valid internal request
       const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
-      const isAuthenticated = !requireAuth || session || validateBearerToken(request.headers.authorization);
+      const isAuthenticated = isInternal || !requireAuth || session || validateBearerToken(request.headers.authorization);
 
       if (!isAuthenticated) {
         writeJson(response, 401, {
@@ -5095,7 +5119,9 @@ export const createRequestHandler = async (options?: {
             });
             return;
           }
-          historyMessages = [...conversation.messages];
+          historyMessages = conversation._continuationMessages?.length
+            ? [...conversation._continuationMessages]
+            : [...conversation.messages];
         } else {
           const timestamp = new Date().toISOString();
           conversation = await conversationStore.create(
@@ -5115,6 +5141,7 @@ export const createRequestHandler = async (options?: {
         const abortController = new AbortController();
         let assistantResponse = "";
         let latestRunId = "";
+        let runContinuationMessages: Message[] | undefined;
         const toolTimeline: string[] = [];
         const sections: Array<{ type: "text" | "tools"; content: string | string[] }> = [];
         let currentTools: string[] = [];
@@ -5177,6 +5204,9 @@ export const createRequestHandler = async (options?: {
               contextTokens: event.result.contextTokens,
               contextWindow: event.result.contextWindow,
             };
+            if (event.result.continuation && event.result.continuationMessages) {
+              runContinuationMessages = event.result.continuationMessages;
+            }
             if (!assistantResponse && event.result.response) {
               assistantResponse = event.result.response;
             }
@@ -5216,7 +5246,12 @@ export const createRequestHandler = async (options?: {
         ];
         const freshConv = await conversationStore.get(convId);
         if (freshConv) {
-          freshConv.messages = messages;
+          if (runContinuationMessages) {
+            freshConv._continuationMessages = runContinuationMessages;
+          } else {
+            freshConv._continuationMessages = undefined;
+            freshConv.messages = messages;
+          }
           freshConv.runtimeRunId = latestRunId || freshConv.runtimeRunId;
           if (runResult.contextTokens) freshConv.contextTokens = runResult.contextTokens;
           if (runResult.contextWindow) freshConv.contextWindow = runResult.contextWindow;
@@ -5224,33 +5259,18 @@ export const createRequestHandler = async (options?: {
           await conversationStore.update(freshConv);
         }
 
-        // Self-continuation for serverless timeouts
-        if (runResult.continuation && softDeadlineMs > 0) {
-          const selfUrl = `http://${request.headers.host ?? "localhost"}${pathname}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
-          try {
-            const selfRes = await fetch(selfUrl, {
-              method: "GET",
-              headers: request.headers.authorization
-                ? { authorization: request.headers.authorization }
-                : {},
-            });
-            const selfBody = await selfRes.json() as Record<string, unknown>;
-            writeJson(response, 200, {
-              conversationId: convId,
-              status: "continued",
-              continuations: continuationCount + 1,
-              finalResult: selfBody,
-              duration: Date.now() - start,
-            });
-          } catch (continueError) {
-            writeJson(response, 200, {
-              conversationId: convId,
-              status: "continuation_failed",
-              error: continueError instanceof Error ? continueError.message : "Unknown error",
-              duration: Date.now() - start,
-              steps: runResult.steps,
-            });
-          }
+        if (runResult.continuation) {
+          const continuationPath = `/api/cron/${encodeURIComponent(jobName)}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
+          const work = selfFetchWithRetry(continuationPath).catch(err =>
+            console.error(`[poncho][cron] Continuation self-fetch failed:`, err instanceof Error ? err.message : err),
+          );
+          doWaitUntil(work);
+          writeJson(response, 200, {
+            conversationId: convId,
+            status: "continued",
+            continuations: continuationCount + 1,
+            duration: Date.now() - start,
+          });
           return;
         }