npm - @promptbook/cli - Versions diffs - 0.112.0-93 → 0.112.0-96 - Mend

@promptbook/cli 0.112.0-93 → 0.112.0-96

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/apps/agents-server/src/languages/translations/czech.yaml CHANGED Viewed

@@ -120,6 +120,7 @@ header.logOut: Odhlásit se
 header.changePassword: Změnit heslo
 header.menuLabel: Nabídka
 header.myAccount: Můj účet
+header.superAdmin: Super administrace
 header.administration: Administrace
 header.monitoringAndUsage: Monitoring a využití
 header.integrationsAndKeys: Integrace a klíče
@@ -134,6 +135,10 @@ header.mockedChats: Ukázkové chaty
 header.viewAllUsers: Zobrazit všechny uživatele
 header.createNewUser: Vytvořit nového uživatele
 header.servers: Servery
+header.environmentVariables: Proměnné prostředí
+header.database: Databáze
+header.logs: Logy
+header.codeRunners: Code runnery
 header.models: Modely
 header.openApiDocumentation: Dokumentace OpenAPI
 header.apiTokens: API tokeny

package/apps/agents-server/src/languages/translations/english.yaml CHANGED Viewed

@@ -122,6 +122,7 @@ header.logOut: Log out
 header.changePassword: Change Password
 header.menuLabel: Menu
 header.myAccount: My Account
+header.superAdmin: Super Admin
 header.administration: Administration
 header.monitoringAndUsage: Monitoring & Usage
 header.integrationsAndKeys: Integrations & Keys
@@ -136,6 +137,10 @@ header.mockedChats: Mocked Chats
 header.viewAllUsers: View all users
 header.createNewUser: Create new user
 header.servers: Servers
+header.environmentVariables: Environment variables
+header.database: Database
+header.logs: Logs
+header.codeRunners: Code runners
 header.models: Models
 header.openApiDocumentation: OpenAPI Documentation
 header.apiTokens: API Tokens

package/apps/agents-server/src/tools/$provideServer.ts CHANGED Viewed

@@ -55,6 +55,14 @@ const getCachedProvidedServer = cache(async (): Promise<ProvidedServer> => {
             });
             if (!resolvedSqliteServer) {
+                if (isIpAddressHost(requestHost)) {
+                    return {
+                        id: null,
+                        publicUrl: resolveFallbackPublicUrl(requestHost),
+                        tablePrefix: SUPABASE_TABLE_PREFIX,
+                    };
+                }
                 throw new Error(`Server with host "${requestHost}" is not registered in SERVERS`);
             }
@@ -156,3 +164,22 @@ function isLocalDevelopmentHost(host: string | null): boolean {
         normalizedHost.startsWith('[::1]:')
     );
 }
+/**
+ * Checks whether the current request host is a raw IP address.
+ *
+ * @param host - Raw request host.
+ * @returns `true` when the host is IPv4 or IPv6.
+ */
+function isIpAddressHost(host: string | null): boolean {
+    if (!host) {
+        return false;
+    }
+    const hostname = host
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(hostname) || hostname.includes(':');
+}

package/apps/agents-server/src/utils/serverRegistry.ts CHANGED Viewed

@@ -241,7 +241,11 @@ export function createServerPublicUrl(domain: string): URL {
     }
     const protocol =
-        normalizedDomain.startsWith('localhost') || normalizedDomain.startsWith('127.0.0.1') ? 'http' : 'https';
+        normalizedDomain.startsWith('localhost') ||
+        normalizedDomain.startsWith('127.0.0.1') ||
+        isIpAddressHost(normalizedDomain)
+            ? 'http'
+            : 'https';
     return new URL(`${protocol}://${normalizedDomain}`);
 }
@@ -435,6 +439,21 @@ function hasHttpProtocol(value: string): boolean {
     return value.startsWith('http://') || value.startsWith('https://');
 }
+/**
+ * Checks whether a normalized host is a raw IPv4 or IPv6 address.
+ *
+ * @param host - Normalized host or host with port.
+ * @returns `true` for raw IP hosts.
+ */
+function isIpAddressHost(host: string): boolean {
+    const hostname = host
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(hostname) || hostname.includes(':');
+}
 /**
  * Checks whether a port is implicit for the given protocol and can be omitted.
  *

package/apps/agents-server/src/utils/session.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { createHmac } from 'crypto';
-import { cookies } from 'next/headers';
+import { cookies, headers } from 'next/headers';
 import { cache } from 'react';
 /**
@@ -30,6 +30,36 @@ export type SessionUser = {
     readonly isGlobalAdmin?: boolean;
 };
+/**
+ * Request details used to decide whether the auth cookie may require HTTPS.
+ */
+export type SessionCookieSecurityContext = {
+    /**
+     * Current deployment mode.
+     */
+    readonly isProduction: boolean;
+    /**
+     * Raw `Host` header.
+     */
+    readonly host: string | null;
+    /**
+     * Raw forwarded host header emitted by the reverse proxy.
+     */
+    readonly forwardedHost: string | null;
+    /**
+     * Raw forwarded protocol header emitted by the reverse proxy.
+     */
+    readonly forwardedProto: string | null;
+    /**
+     * Comma-separated configured domain list from `SERVERS`.
+     */
+    readonly configuredServers: string | null | undefined;
+    /**
+     * Known standalone VPS public IP address.
+     */
+    readonly publicIpAddress: string | null | undefined;
+};
 /**
  * Signs a session payload and serializes it into the cookie token format.
  *
@@ -77,6 +107,42 @@ export function parseSessionToken(token: string | null | undefined): SessionUser
     }
 }
+/**
+ * Decides whether the session cookie should keep the `Secure` flag for the current request.
+ *
+ * This keeps production-domain logins protected by HTTPS while allowing the standalone
+ * VPS bootstrap flow to authenticate over `http://<IP_ADDRESS>` before any domain exists.
+ *
+ * @param context - Request and deployment details used for the decision.
+ * @returns `true` when the cookie should require HTTPS.
+ */
+export function shouldUseSecureSessionCookieForRequest(context: SessionCookieSecurityContext): boolean {
+    if (!context.isProduction) {
+        return false;
+    }
+    if (parseConfiguredServers(context.configuredServers).length > 0) {
+        return true;
+    }
+    const requestHost = normalizeHost(context.forwardedHost ?? context.host);
+    if (!requestHost || !isIpAddressHost(requestHost)) {
+        return true;
+    }
+    const forwardedProtocol = (context.forwardedProto || '').split(',')[0]?.trim().toLowerCase() || '';
+    if (forwardedProtocol === 'https') {
+        return true;
+    }
+    const configuredPublicIpAddress = normalizeHost(context.publicIpAddress || '');
+    if (configuredPublicIpAddress && requestHost !== configuredPublicIpAddress) {
+        return true;
+    }
+    return false;
+}
 /**
  * Persists the provided session payload into the signed session cookie.
  *
@@ -84,10 +150,11 @@ export function parseSessionToken(token: string | null | undefined): SessionUser
  */
 export async function setSession(user: SessionUser) {
     const token = serializeSessionToken(user);
+    const secure = await shouldUseSecureSessionCookie();
     (await cookies()).set(SESSION_COOKIE_NAME, token, {
         httpOnly: true,
-        secure: process.env.NODE_ENV === 'production',
+        secure,
         path: '/',
         maxAge: 60 * 60 * 24 * 365 * 2, // 2 years
     });
@@ -120,3 +187,57 @@ const getCachedSession = cache(async (): Promise<SessionUser | null> => {
 export async function getSession(): Promise<SessionUser | null> {
     return getCachedSession();
 }
+/**
+ * Resolves the runtime cookie security decision from the current request headers.
+ *
+ * @returns `true` when the session cookie should keep the `Secure` flag.
+ */
+async function shouldUseSecureSessionCookie(): Promise<boolean> {
+    const headerStore = await headers();
+    return shouldUseSecureSessionCookieForRequest({
+        isProduction: process.env.NODE_ENV === 'production',
+        host: headerStore.get('host'),
+        forwardedHost: headerStore.get('x-forwarded-host'),
+        forwardedProto: headerStore.get('x-forwarded-proto'),
+        configuredServers: process.env.SERVERS,
+        publicIpAddress: process.env.PTBK_PUBLIC_IP_ADDRESS,
+    });
+}
+/**
+ * Parses the configured `SERVERS` CSV into non-empty entries.
+ *
+ * @param configuredServers - Raw environment value.
+ * @returns Normalized list of configured domains.
+ */
+function parseConfiguredServers(configuredServers: string | null | undefined): Array<string> {
+    return (configuredServers || '')
+        .split(',')
+        .map((server) => server.trim())
+        .filter(Boolean);
+}
+/**
+ * Checks whether a host string points to a raw IPv4 or IPv6 address.
+ *
+ * @param host - Host header or hostname.
+ * @returns `true` when the host is a raw IP address.
+ */
+function isIpAddressHost(host: string): boolean {
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(host) || host.includes(':');
+}
+/**
+ * Removes ports and IPv6 brackets from host-like strings.
+ *
+ * @param host - Raw host header value.
+ * @returns Normalized bare hostname or IP address.
+ */
+function normalizeHost(host: string | null | undefined): string {
+    return (host || '')
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+}