@vibes.diy/prompts 4.0.10 → 4.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -32,10 +32,7 @@ The whole platform is open source under Apache 2.0. Read the code, open an issue
32
32
  ## Quick Start
33
33
 
34
34
  1. [Try the demo](https://vibes.diy/) — no setup required.
35
- 2. Or run it yourself:
36
- - Clone the repository
37
- - Install with `pnpm i`
38
- - Run `pnpm dev`
35
+ 2. Or hack on the code: clone the repo, `pnpm install`, and `pnpm build` — the build, lint, and test suite work from a fresh clone with no secrets. Running the full web app locally currently requires extra setup; the [Contributing Guide](CONTRIBUTING.md#getting-started) covers exactly what works out of the box and what doesn't yet.
39
36
 
40
37
  ## Community
41
38
 
package/llms/backend.md CHANGED
@@ -51,6 +51,7 @@ identity `access.js` can genuinely restrict a database to.
51
51
  ```js
52
52
  ctx.appInfo; // { ownerHandle, appSlug } — this app's identity
53
53
  ctx.userInfo; // { userHandle } or null — who the handler is acting as
54
+ ctx.secrets; // Record<string,string> — the owner's per-vibe secrets; frozen, {} when none
54
55
  await ctx.db.put(doc, { db: "notes", id: "optional-id" }); // resolves to the doc id AFTER commit
55
56
  await ctx.db.delete(docId, { db: "notes" });
56
57
  const docs = await ctx.db.query({ db: "notes" }); // latest non-deleted docs (each with _id)
@@ -67,9 +68,15 @@ const docs = await ctx.db.query({ db: "notes" }); // latest non-deleted docs (ea
67
68
  access function cannot be queried from the backend (keep backend-read
68
69
  databases on plain ACLs). Made for `scheduled` sweeps: read, decide, then
69
70
  `put`/`delete`.
71
+ - `ctx.secrets` carries the owner's per-vibe secrets, set in the vibe's settings
72
+ page or with `vibes-diy secrets set KEY`. Use it to verify inbound credentials —
73
+ a webhook's shared secret or token — and never write a value anywhere users can
74
+ read it (a doc, a response body). Only the owner can set or rotate secrets;
75
+ handlers see the current values on every invocation.
70
76
  - **No outside network access**: `fetch()` to external URLs is refused inside
71
- `backend.js`, and there are no secrets/API keys yet. Don't call third-party
72
- APIs from the backend; AI calls stay in `App.jsx` via `callAI`.
77
+ `backend.js`, so secrets cannot be sent anywhere they can only be compared
78
+ against or used to verify what arrives. Don't call third-party APIs from the
79
+ backend; AI calls stay in `App.jsx` via `callAI`.
73
80
 
74
81
  ## fetch — the app's HTTP endpoint
75
82
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vibes.diy/prompts",
3
- "version": "4.0.10",
3
+ "version": "4.0.11",
4
4
  "type": "module",
5
5
  "main": "./index.js",
6
6
  "description": "",
@@ -24,9 +24,9 @@
24
24
  "license": "Apache-2.0",
25
25
  "dependencies": {
26
26
  "@adviser/cement": "~0.5.34",
27
- "@vibes.diy/call-ai-v2": "^4.0.10",
28
- "@vibes.diy/identity": "^4.0.10",
29
- "@vibes.diy/use-vibes-types": "^4.0.10",
27
+ "@vibes.diy/call-ai-v2": "^4.0.11",
28
+ "@vibes.diy/identity": "^4.0.11",
29
+ "@vibes.diy/use-vibes-types": "^4.0.11",
30
30
  "arktype": "~2.2.1",
31
31
  "json-schema-faker": "~0.6.2"
32
32
  },