npm - @venturewild/workspace - Versions diffs - 0.6.6 → 0.6.7 - Mend

@venturewild/workspace 0.6.6 → 0.6.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/server/src/index.mjs +14 -6
package/web/dist/assets/{index-BgDtn7zR.js → index-D9Q27wJT.js} +18 -18
package/web/dist/index.html +1 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.6.6",
+  "version": "0.6.7",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/index.mjs CHANGED Viewed

@@ -2127,20 +2127,28 @@ export async function createServer(overrides = {}) {
   app.post('/api/lobby/workspaces', async (c) => {
     const forbidden = require(c, 'fileTree');
     if (forbidden) return forbidden;
-    if (!isHostRequest(c)) {
+    const body = await c.req.json().catch(() => ({}));
+    const name = typeof body.name === 'string' ? body.name.trim() : '';
+    const dir = typeof body.dir === 'string' ? body.dir.trim() : '';
+    if (!name && !dir) return c.json({ error: 'name_or_dir_required' }, 400);
+    // Open-an-existing-folder-by-PATH stays HOST-only: it would let a remote
+    // session reach into the host's disk (design §5.3 — a host never exposes disk
+    // outside the shared folder). Create-by-NAME is allowed for the authenticated
+    // owner from ANY device: the folder is created on THIS serving host
+    // (~/Workspaces/<name>), which identity-first routing guarantees is the
+    // member's OWN host (§5.1 "authorization = membership, not device-binding";
+    // §5.2 "a member's every device → their own host"). `fileTree` above already
+    // limits this to owner-level — never a shared-link viewer.
+    if (dir && !isHostRequest(c)) {
       return c.json(
         {
           error: 'host_only',
           message:
-            'Create a workspace on your computer — its folder lives there. From here you can open the ones that already exist.',
+            'Open an existing folder from the computer where it lives. From here you can create a new workspace by name, or open the ones that already exist.',
         },
         403,
       );
     }
-    const body = await c.req.json().catch(() => ({}));
-    const name = typeof body.name === 'string' ? body.name.trim() : '';
-    const dir = typeof body.dir === 'string' ? body.dir.trim() : '';
-    if (!name && !dir) return c.json({ error: 'name_or_dir_required' }, 400);
     try {
       const w = registryCreateWorkspace(
         { name: name || undefined, dir: dir || undefined },