@vibelet/cli 1.2.9 → 1.2.11

package/dist/runtime-version.cjs

@@ -1,2 +1,2 @@
-var s=require("node:fs"),n=require("node:path"),c="@vibelet/cli";function a(e){try{let r=JSON.parse((0,s.readFileSync)(e,"utf8"));if(r.name===c&&typeof r.version=="string"&&r.version.length>0)return r.version}catch{}return null}function p(){return"1.2.9"}var i=p();process.stdout.write(`${i}
+var s=require("node:fs"),n=require("node:path"),c="@vibelet/cli";function a(e){try{let r=JSON.parse((0,s.readFileSync)(e,"utf8"));if(r.name===c&&typeof r.version=="string"&&r.version.length>0)return r.version}catch{}return null}function p(){return"1.2.11"}var i=p();process.stdout.write(`${i}
 `);

package/dist/vibelet.mjs

@@ -7581,6 +7581,44 @@ function isLocalNetworkHost(host) {
     || (first === 192 && second === 168);
 }
 
+function isLoopbackHost(host) {
+  return host === 'localhost'
+    || host === '127.0.0.1'
+    || host === '::1'
+    || host === '::ffff:127.0.0.1';
+}
+
+function isPlainLocalHostname(host) {
+  return Boolean(host) && !host.includes('.') && !host.includes(':');
+}
+
+function isTrustedCleartextHost(host) {
+  const normalized = normalizeHostValue(host.replace(/^https?:\/\//, '').replace(/\/.*$/, ''));
+  return isLoopbackHost(normalized)
+    || isLocalNetworkHost(normalized)
+    || isTailscaleHost(normalized)
+    || isPlainLocalHostname(normalized);
+}
+
+function parseCommaSeparatedHosts(rawValue) {
+  return typeof rawValue === 'string'
+    ? rawValue.split(',').map((entry) => normalizeHostValue(entry)).filter(Boolean)
+    : [];
+}
+
+function validateExplicitCleartextHosts({ hostArg, fallbackHostsArg }) {
+  const unsafeHosts = [
+    ...(hostArg ? [normalizeHostValue(hostArg)] : []),
+    ...parseCommaSeparatedHosts(fallbackHostsArg),
+  ].filter((host) => host && !isTrustedCleartextHost(host));
+  if (unsafeHosts.length === 0) {
+    return;
+  }
+  fail(
+    `Refusing public cleartext host ${unsafeHosts[0]}. Use --relay=https://..., a Tailscale host, or a LAN/local address.`,
+  );
+}
+
 function isQuickTunnelHost(host) {
   return host.endsWith('.trycloudflare.com');
 }
@@ -7762,9 +7800,9 @@ function printHelp() {
   process.stdout.write(`  npx ${packageJson.name} --local   Skip the default Cloudflare Tunnel for this run\n`);
   process.stdout.write(`  npx ${packageJson.name} --force  Force a new Cloudflare Tunnel URL\n`);
   process.stdout.write(`  npx ${packageJson.name} --relay <url>  Use a custom tunnel URL for remote access\n`);
-  process.stdout.write(`  npx ${packageJson.name} --host <ip>   Set the primary host/IP address\n`);
+  process.stdout.write(`  npx ${packageJson.name} --host <ip>   Set the primary LAN/Tailscale host/IP address\n`);
   process.stdout.write(`  npx ${packageJson.name} --port <port>  Start or query the daemon on a custom port\n`);
-  process.stdout.write(`  npx ${packageJson.name} --fallback-hosts <ips>  Comma-separated fallback IPs\n`);
+  process.stdout.write(`  npx ${packageJson.name} --fallback-hosts <ips>  Comma-separated LAN/Tailscale fallback IPs\n`);
   process.stdout.write(`  npx ${packageJson.name} stop      Stop the daemon\n`);
   process.stdout.write(`  npx ${packageJson.name} restart   Restart the daemon\n`);
   process.stdout.write(`  npx ${packageJson.name} status    Show service and daemon status\n`);
@@ -8083,6 +8121,7 @@ async function main() {
   } else {
     delete process.env.VIBELET_FALLBACK_HOSTS;
   }
+  validateExplicitCleartextHosts({ hostArg, fallbackHostsArg });
   const backend = resolveBackend();
 
   if (command === 'stop') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibelet/cli",
-  "version": "1.2.9",
+  "version": "1.2.11",
   "description": "Cross-platform CLI for installing and running the Vibelet daemon",
   "homepage": "https://vibelet.icu",
   "files": [