@venturewild/workspace 0.6.6 → 0.6.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/package.json +1 -1
  2. package/server/src/index.mjs +14 -6
  3. package/web/dist/assets/{index-BgDtn7zR.js → index-DIGCtoii.js} +19 -19
  4. package/web/dist/assets/{index-Boh9c5sE.css → index-DaYYu_T9.css} +1 -1
  5. package/web/dist/index.html +2 -2
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@venturewild/workspace",
3
- "version": "0.6.6",
3
+ "version": "0.6.8",
4
4
  "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
5
5
  "license": "MIT",
6
6
  "bin": {
package/server/src/index.mjs CHANGED
@@ -2127,20 +2127,28 @@ export async function createServer(overrides = {}) {
2127
2127
  app.post('/api/lobby/workspaces', async (c) => {
2128
2128
  const forbidden = require(c, 'fileTree');
2129
2129
  if (forbidden) return forbidden;
2130
- if (!isHostRequest(c)) {
2130
+ const body = await c.req.json().catch(() => ({}));
2131
+ const name = typeof body.name === 'string' ? body.name.trim() : '';
2132
+ const dir = typeof body.dir === 'string' ? body.dir.trim() : '';
2133
+ if (!name && !dir) return c.json({ error: 'name_or_dir_required' }, 400);
2134
+ // Open-an-existing-folder-by-PATH stays HOST-only: it would let a remote
2135
+ // session reach into the host's disk (design §5.3 — a host never exposes disk
2136
+ // outside the shared folder). Create-by-NAME is allowed for the authenticated
2137
+ // owner from ANY device: the folder is created on THIS serving host
2138
+ // (~/Workspaces/<name>), which identity-first routing guarantees is the
2139
+ // member's OWN host (§5.1 "authorization = membership, not device-binding";
2140
+ // §5.2 "a member's every device → their own host"). `fileTree` above already
2141
+ // limits this to owner-level — never a shared-link viewer.
2142
+ if (dir && !isHostRequest(c)) {
2131
2143
  return c.json(
2132
2144
  {
2133
2145
  error: 'host_only',
2134
2146
  message:
2135
- 'Create a workspace on your computer its folder lives there. From here you can open the ones that already exist.',
2147
+ 'Open an existing folder from the computer where it lives. From here you can create a new workspace by name, or open the ones that already exist.',
2136
2148
  },
2137
2149
  403,
2138
2150
  );
2139
2151
  }
2140
- const body = await c.req.json().catch(() => ({}));
2141
- const name = typeof body.name === 'string' ? body.name.trim() : '';
2142
- const dir = typeof body.dir === 'string' ? body.dir.trim() : '';
2143
- if (!name && !dir) return c.json({ error: 'name_or_dir_required' }, 400);
2144
2152
  try {
2145
2153
  const w = registryCreateWorkspace(
2146
2154
  { name: name || undefined, dir: dir || undefined },