@poncho-ai/cli 0.30.4 → 0.30.6

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @poncho-ai/cli@0.30.4 build /home/runner/work/poncho-ai/poncho-ai/packages/cli
+> @poncho-ai/cli@0.30.6 build /home/runner/work/poncho-ai/poncho-ai/packages/cli
 > tsup src/index.ts src/cli.ts --format esm --dts
 
 CLI Building entry: src/cli.ts, src/index.ts
@@ -9,10 +9,10 @@
 ESM Build start
 ESM dist/cli.js                          94.00 B
 ESM dist/index.js                        857.00 B
-ESM dist/run-interactive-ink-VEUZATR3.js 56.86 KB
-ESM dist/chunk-EZUW7UI3.js               491.51 KB
-ESM ⚡️ Build success in 62ms
+ESM dist/run-interactive-ink-OX4CI23D.js 56.86 KB
+ESM dist/chunk-3QT2S6AJ.js               492.58 KB
+ESM ⚡️ Build success in 65ms
 DTS Build start
-DTS ⚡️ Build success in 3983ms
+DTS ⚡️ Build success in 4618ms
 DTS dist/cli.d.ts   20.00 B
 DTS dist/index.d.ts 4.16 KB

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @poncho-ai/cli
 
+## 0.30.6
+
+### Patch Changes
+
+- [`56001f5`](https://github.com/cesr/poncho-ai/commit/56001f52f599f013a08e57e5de4891c02ca358d5) Thanks [@cesr](https://github.com/cesr)! - Warn at startup when CRON_SECRET is missing on Vercel with auth enabled and cron jobs configured
+
+## 0.30.5
+
+### Patch Changes
+
+- [`031abc7`](https://github.com/cesr/poncho-ai/commit/031abc770b85141da5fdd209c6bf8f594f5552e4) Thanks [@cesr](https://github.com/cesr)! - Fix cron job continuation on serverless
+  - Persist \_continuationMessages so cron continuations resume from correct harness state
+  - Use selfFetchWithRetry with doWaitUntil instead of raw fetch for cron continuation trigger
+  - Extend internal auth bypass to /api/cron/ paths for continuation self-fetch
+  - Add startup warning when VERCEL_AUTOMATION_BYPASS_SECRET is missing
+
 ## 0.30.4
 
 ### Patch Changes

package/dist/{chunk-EZUW7UI3.js → chunk-3QT2S6AJ.js}

@@ -9822,6 +9822,18 @@ ${resultBody}`,
     if (waitUntilHook) waitUntilHook(promise);
   };
   const vercelBypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();
+  if (process.env.VERCEL && !vercelBypassSecret) {
+    console.warn(
+      "\n[poncho] Vercel Deployment Protection will block subagents and auto-continuation.\n  Enable 'Protection Bypass for Automation' in your Vercel project settings:\n  -> Project Settings > Deployment Protection > Protection Bypass for Automation\n  The secret is auto-provisioned as VERCEL_AUTOMATION_BYPASS_SECRET.\n"
+    );
+  }
+  const hasCronJobs = Object.keys(cronJobs).length > 0;
+  const authTokenConfigured = !!process.env[config?.auth?.tokenEnv ?? "PONCHO_AUTH_TOKEN"] && (config?.auth?.required ?? false);
+  if (process.env.VERCEL && hasCronJobs && authTokenConfigured && !process.env.CRON_SECRET) {
+    console.warn(
+      "\n[poncho] Cron jobs are configured but CRON_SECRET is not set.\n  Vercel sends CRON_SECRET as a Bearer token when invoking cron endpoints.\n  Set CRON_SECRET to the same value as PONCHO_AUTH_TOKEN in your Vercel env vars,\n  otherwise cron invocations will be rejected with 401.\n"
+    );
+  }
   const selfFetchWithRetry = async (path, body, retries = 3) => {
     if (!selfBaseUrl) {
       console.error(`[poncho][self-fetch] Missing self base URL for ${path}`);
@@ -10320,7 +10332,8 @@ ${resultBody}`,
       return;
     }
     if (pathname.startsWith("/api/")) {
-      const isInternal = pathname.startsWith("/api/internal/") && request.method === "POST" && isValidInternalRequest(request.headers);
+      const isInternalPath = pathname.startsWith("/api/internal/") || pathname.startsWith("/api/cron/");
+      const isInternal = isInternalPath && request.method === "POST" && isValidInternalRequest(request.headers);
       const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
       const isAuthenticated = isInternal || !requireAuth || session || validateBearerToken(request.headers.authorization);
       if (!isAuthenticated) {
@@ -11604,7 +11617,7 @@ ${cronJob.task}`;
             });
             return;
           }
-          historyMessages = [...conversation.messages];
+          historyMessages = conversation._continuationMessages?.length ? [...conversation._continuationMessages] : [...conversation.messages];
         } else {
           const timestamp = (/* @__PURE__ */ new Date()).toISOString();
           conversation = await conversationStore.create(
@@ -11622,6 +11635,7 @@ ${cronJob.task}`;
           const abortController = new AbortController();
           let assistantResponse = "";
           let latestRunId = "";
+          let runContinuationMessages;
           const toolTimeline = [];
           const sections = [];
           let currentTools = [];
@@ -11680,6 +11694,9 @@ ${cronJob.task}`;
                 contextTokens: event.result.contextTokens,
                 contextWindow: event.result.contextWindow
               };
+              if (event.result.continuation && event.result.continuationMessages) {
+                runContinuationMessages = event.result.continuationMessages;
+              }
               if (!assistantResponse && event.result.response) {
                 assistantResponse = event.result.response;
               }
@@ -11707,37 +11724,30 @@ ${cronJob.task}`;
           ];
           const freshConv = await conversationStore.get(convId);
           if (freshConv) {
-            freshConv.messages = messages;
+            if (runContinuationMessages) {
+              freshConv._continuationMessages = runContinuationMessages;
+            } else {
+              freshConv._continuationMessages = void 0;
+              freshConv.messages = messages;
+            }
             freshConv.runtimeRunId = latestRunId || freshConv.runtimeRunId;
             if (runResult.contextTokens) freshConv.contextTokens = runResult.contextTokens;
             if (runResult.contextWindow) freshConv.contextWindow = runResult.contextWindow;
             freshConv.updatedAt = Date.now();
             await conversationStore.update(freshConv);
           }
-          if (runResult.continuation && softDeadlineMs > 0) {
-            const selfUrl = `http://${request.headers.host ?? "localhost"}${pathname}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
-            try {
-              const selfRes = await fetch(selfUrl, {
-                method: "GET",
-                headers: request.headers.authorization ? { authorization: request.headers.authorization } : {}
-              });
-              const selfBody = await selfRes.json();
-              writeJson(response, 200, {
-                conversationId: convId,
-                status: "continued",
-                continuations: continuationCount + 1,
-                finalResult: selfBody,
-                duration: Date.now() - start
-              });
-            } catch (continueError) {
-              writeJson(response, 200, {
-                conversationId: convId,
-                status: "continuation_failed",
-                error: continueError instanceof Error ? continueError.message : "Unknown error",
-                duration: Date.now() - start,
-                steps: runResult.steps
-              });
-            }
+          if (runResult.continuation) {
+            const continuationPath = `/api/cron/${encodeURIComponent(jobName)}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
+            const work = selfFetchWithRetry(continuationPath).catch(
+              (err) => console.error(`[poncho][cron] Continuation self-fetch failed:`, err instanceof Error ? err.message : err)
+            );
+            doWaitUntil(work);
+            writeJson(response, 200, {
+              conversationId: convId,
+              status: "continued",
+              continuations: continuationCount + 1,
+              duration: Date.now() - start
+            });
             return;
           }
           writeJson(response, 200, {
@@ -12183,7 +12193,7 @@ var runInteractive = async (workingDir, params) => {
   await harness.initialize();
   const identity = await ensureAgentIdentity2(workingDir);
   try {
-    const { runInteractiveInk } = await import("./run-interactive-ink-VEUZATR3.js");
+    const { runInteractiveInk } = await import("./run-interactive-ink-OX4CI23D.js");
     await runInteractiveInk({
       harness,
       params,

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   main
-} from "./chunk-EZUW7UI3.js";
+} from "./chunk-3QT2S6AJ.js";
 
 // src/cli.ts
 void main();

package/dist/index.js

@@ -23,7 +23,7 @@ import {
   runTests,
   startDevServer,
   updateAgentGuidance
-} from "./chunk-EZUW7UI3.js";
+} from "./chunk-3QT2S6AJ.js";
 export {
   addSkill,
   buildCli,

package/dist/{run-interactive-ink-VEUZATR3.js → run-interactive-ink-OX4CI23D.js}

@@ -2,7 +2,7 @@ import {
   consumeFirstRunIntro,
   inferConversationTitle,
   resolveHarnessEnvironment
-} from "./chunk-EZUW7UI3.js";
+} from "./chunk-3QT2S6AJ.js";
 
 // src/run-interactive-ink.ts
 import * as readline from "readline";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poncho-ai/cli",
-  "version": "0.30.4",
+  "version": "0.30.6",
   "description": "CLI for building and deploying AI agents",
   "repository": {
     "type": "git",
@@ -27,9 +27,9 @@
     "react": "^19.2.4",
     "react-devtools-core": "^6.1.5",
     "yaml": "^2.8.1",
+    "@poncho-ai/harness": "0.28.3",
     "@poncho-ai/messaging": "0.7.2",
-    "@poncho-ai/sdk": "1.6.1",
-    "@poncho-ai/harness": "0.28.3"
+    "@poncho-ai/sdk": "1.6.1"
   },
   "devDependencies": {
     "@types/busboy": "^1.5.4",

package/src/index.ts

@@ -3075,6 +3075,24 @@ export const createRequestHandler = async (options?: {
   };
 
   const vercelBypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET?.trim();
+  if (process.env.VERCEL && !vercelBypassSecret) {
+    console.warn(
+      "\n[poncho] Vercel Deployment Protection will block subagents and auto-continuation." +
+      "\n  Enable 'Protection Bypass for Automation' in your Vercel project settings:" +
+      "\n  -> Project Settings > Deployment Protection > Protection Bypass for Automation" +
+      "\n  The secret is auto-provisioned as VERCEL_AUTOMATION_BYPASS_SECRET.\n",
+    );
+  }
+  const hasCronJobs = Object.keys(cronJobs).length > 0;
+  const authTokenConfigured = !!(process.env[config?.auth?.tokenEnv ?? "PONCHO_AUTH_TOKEN"]) && (config?.auth?.required ?? false);
+  if (process.env.VERCEL && hasCronJobs && authTokenConfigured && !process.env.CRON_SECRET) {
+    console.warn(
+      "\n[poncho] Cron jobs are configured but CRON_SECRET is not set." +
+      "\n  Vercel sends CRON_SECRET as a Bearer token when invoking cron endpoints." +
+      "\n  Set CRON_SECRET to the same value as PONCHO_AUTH_TOKEN in your Vercel env vars," +
+      "\n  otherwise cron invocations will be rejected with 401.\n",
+    );
+  }
 
   const selfFetchWithRetry = async (path: string, body?: Record<string, unknown>, retries = 3): Promise<Response | void> => {
     if (!selfBaseUrl) {
@@ -3647,7 +3665,8 @@ export const createRequestHandler = async (options?: {
 
     if (pathname.startsWith("/api/")) {
       // Internal self-fetch requests bypass user-facing auth
-      const isInternal = pathname.startsWith("/api/internal/") && request.method === "POST" && isValidInternalRequest(request.headers);
+      const isInternalPath = pathname.startsWith("/api/internal/") || pathname.startsWith("/api/cron/");
+      const isInternal = isInternalPath && request.method === "POST" && isValidInternalRequest(request.headers);
 
       // Check authentication: either valid session (Web UI), valid Bearer token (API), or valid internal request
       const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
@@ -5110,7 +5129,9 @@ export const createRequestHandler = async (options?: {
             });
             return;
           }
-          historyMessages = [...conversation.messages];
+          historyMessages = conversation._continuationMessages?.length
+            ? [...conversation._continuationMessages]
+            : [...conversation.messages];
         } else {
           const timestamp = new Date().toISOString();
           conversation = await conversationStore.create(
@@ -5130,6 +5151,7 @@ export const createRequestHandler = async (options?: {
         const abortController = new AbortController();
         let assistantResponse = "";
         let latestRunId = "";
+        let runContinuationMessages: Message[] | undefined;
         const toolTimeline: string[] = [];
         const sections: Array<{ type: "text" | "tools"; content: string | string[] }> = [];
         let currentTools: string[] = [];
@@ -5192,6 +5214,9 @@ export const createRequestHandler = async (options?: {
               contextTokens: event.result.contextTokens,
               contextWindow: event.result.contextWindow,
             };
+            if (event.result.continuation && event.result.continuationMessages) {
+              runContinuationMessages = event.result.continuationMessages;
+            }
             if (!assistantResponse && event.result.response) {
               assistantResponse = event.result.response;
             }
@@ -5231,7 +5256,12 @@ export const createRequestHandler = async (options?: {
         ];
         const freshConv = await conversationStore.get(convId);
         if (freshConv) {
-          freshConv.messages = messages;
+          if (runContinuationMessages) {
+            freshConv._continuationMessages = runContinuationMessages;
+          } else {
+            freshConv._continuationMessages = undefined;
+            freshConv.messages = messages;
+          }
           freshConv.runtimeRunId = latestRunId || freshConv.runtimeRunId;
           if (runResult.contextTokens) freshConv.contextTokens = runResult.contextTokens;
           if (runResult.contextWindow) freshConv.contextWindow = runResult.contextWindow;
@@ -5239,33 +5269,18 @@ export const createRequestHandler = async (options?: {
           await conversationStore.update(freshConv);
         }
 
-        // Self-continuation for serverless timeouts
-        if (runResult.continuation && softDeadlineMs > 0) {
-          const selfUrl = `http://${request.headers.host ?? "localhost"}${pathname}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
-          try {
-            const selfRes = await fetch(selfUrl, {
-              method: "GET",
-              headers: request.headers.authorization
-                ? { authorization: request.headers.authorization }
-                : {},
-            });
-            const selfBody = await selfRes.json() as Record<string, unknown>;
-            writeJson(response, 200, {
-              conversationId: convId,
-              status: "continued",
-              continuations: continuationCount + 1,
-              finalResult: selfBody,
-              duration: Date.now() - start,
-            });
-          } catch (continueError) {
-            writeJson(response, 200, {
-              conversationId: convId,
-              status: "continuation_failed",
-              error: continueError instanceof Error ? continueError.message : "Unknown error",
-              duration: Date.now() - start,
-              steps: runResult.steps,
-            });
-          }
+        if (runResult.continuation) {
+          const continuationPath = `/api/cron/${encodeURIComponent(jobName)}?continue=${encodeURIComponent(convId)}&continuation=${continuationCount + 1}`;
+          const work = selfFetchWithRetry(continuationPath).catch(err =>
+            console.error(`[poncho][cron] Continuation self-fetch failed:`, err instanceof Error ? err.message : err),
+          );
+          doWaitUntil(work);
+          writeJson(response, 200, {
+            conversationId: convId,
+            status: "continued",
+            continuations: continuationCount + 1,
+            duration: Date.now() - start,
+          });
           return;
         }