@vellumai/cli 0.10.1 → 0.10.2-dev.202606241651.2d2b40d

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +1 -1
  2. package/src/commands/client.ts +17 -4
  3. package/src/lib/confirm-action.ts +4 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vellumai/cli",
3
- "version": "0.10.1",
3
+ "version": "0.10.2-dev.202606241651.2d2b40d",
4
4
  "description": "CLI tools for vellum-assistant",
5
5
  "type": "module",
6
6
  "exports": {
package/src/commands/client.ts CHANGED
@@ -895,14 +895,27 @@ async function runWebInterface(
895
895
  headers.delete("Origin");
896
896
  headers.delete("Referer");
897
897
 
898
- // Authenticate with the loopback session token the SPA registered. The
899
- // platform expects it both as the Django session cookie and as
900
- // X-Session-Token (for DRF views that accept header-based auth). Only
898
+ // The DRF API authenticates by header (X-Session-Token); the allauth /
899
+ // accounts session endpoints need the Django session cookie.
900
+ const isApiRequest = pathname.startsWith("/v1/");
901
+
902
+ // Authenticate with the loopback session token the SPA registered. Only
901
903
  // same-origin SPA traffic gets the credential — never a cross-site caller.
902
904
  const sessionToken = isSameOriginRequest(req)
903
905
  ? currentPlatformToken()
904
906
  : null;
905
- if (sessionToken) {
907
+ if (isApiRequest) {
908
+ // Header-only auth for the DRF API. Sending a `sessionid` cookie would
909
+ // engage Django's SessionAuthentication, which enforces CSRF — and the
910
+ // proxy strips Origin/Referer above, so the CSRF Referer check would
911
+ // reject every unsafe (POST/PUT/PATCH) request. Drop any browser cookie
912
+ // (localhost jar) so it can't re-engage that path.
913
+ headers.delete("Cookie");
914
+ if (sessionToken) {
915
+ headers.set("X-Session-Token", sessionToken);
916
+ }
917
+ } else if (sessionToken) {
918
+ // allauth / accounts: the platform expects the Django session cookie.
906
919
  headers.set(
907
920
  "Cookie",
908
921
  `sessionid=${sessionToken}; __Secure-sessionid=${sessionToken}`,
package/src/lib/confirm-action.ts CHANGED
@@ -18,6 +18,9 @@ export function canPromptForConfirmation(): boolean {
18
18
  * Show `prompt` and resolve true on Enter, false on Esc/q/Ctrl-C. Restores the
19
19
  * prior stdin raw/paused state on exit. Caller must gate on
20
20
  * {@link canPromptForConfirmation} first.
21
+ *
22
+ * `unref()`s stdin on cleanup so the resumed handle doesn't keep the process
23
+ * alive after the prompt resolves.
21
24
  */
22
25
  export async function confirmAction(prompt: string): Promise<boolean> {
23
26
  const stdin = process.stdin;
@@ -36,6 +39,7 @@ export async function confirmAction(prompt: string): Promise<boolean> {
36
39
  if (wasPaused) {
37
40
  stdin.pause();
38
41
  }
42
+ stdin.unref?.();
39
43
  stdout.write("\n");
40
44
  };
41
45