npm - @vellumai/cli - Versions diffs - 0.10.1-dev.202606240206.7c2bca6 → 0.10.1-staging.1 - Mend

@vellumai/cli 0.10.1-dev.202606240206.7c2bca6 → 0.10.1-staging.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/cli",
-  "version": "0.10.1-dev.202606240206.7c2bca6",
+  "version": "0.10.1-staging.1",
   "description": "CLI tools for vellum-assistant",
   "type": "module",
   "exports": {

package/src/commands/client.ts CHANGED Viewed

@@ -895,27 +895,14 @@ async function runWebInterface(
       headers.delete("Origin");
       headers.delete("Referer");
-      // The DRF API authenticates by header (X-Session-Token); the allauth /
-      // accounts session endpoints need the Django session cookie.
-      const isApiRequest = pathname.startsWith("/v1/");
-      // Authenticate with the loopback session token the SPA registered. Only
+      // Authenticate with the loopback session token the SPA registered. The
+      // platform expects it both as the Django session cookie and as
+      // X-Session-Token (for DRF views that accept header-based auth). Only
       // same-origin SPA traffic gets the credential — never a cross-site caller.
       const sessionToken = isSameOriginRequest(req)
         ? currentPlatformToken()
         : null;
-      if (isApiRequest) {
-        // Header-only auth for the DRF API. Sending a `sessionid` cookie would
-        // engage Django's SessionAuthentication, which enforces CSRF — and the
-        // proxy strips Origin/Referer above, so the CSRF Referer check would
-        // reject every unsafe (POST/PUT/PATCH) request. Drop any browser cookie
-        // (localhost jar) so it can't re-engage that path.
-        headers.delete("Cookie");
-        if (sessionToken) {
-          headers.set("X-Session-Token", sessionToken);
-        }
-      } else if (sessionToken) {
-        // allauth / accounts: the platform expects the Django session cookie.
+      if (sessionToken) {
         headers.set(
           "Cookie",
           `sessionid=${sessionToken}; __Secure-sessionid=${sessionToken}`,

package/src/lib/confirm-action.ts CHANGED Viewed

@@ -18,9 +18,6 @@ export function canPromptForConfirmation(): boolean {
  * Show `prompt` and resolve true on Enter, false on Esc/q/Ctrl-C. Restores the
  * prior stdin raw/paused state on exit. Caller must gate on
  * {@link canPromptForConfirmation} first.
- *
- * `unref()`s stdin on cleanup so the resumed handle doesn't keep the process
- * alive after the prompt resolves.
  */
 export async function confirmAction(prompt: string): Promise<boolean> {
   const stdin = process.stdin;
@@ -39,7 +36,6 @@ export async function confirmAction(prompt: string): Promise<boolean> {
       if (wasPaused) {
         stdin.pause();
       }
-      stdin.unref?.();
       stdout.write("\n");
     };