npm - aegis-bridge - Versions diffs - 2.15.7 → 2.16.0 - Mend

aegis-bridge 2.15.7 → 2.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/config.js CHANGED Viewed

@@ -42,7 +42,7 @@ const defaults = {
     tgTopicTtlMs: 24 * 60 * 60 * 1000,
     webhooks: [],
     defaultSessionEnv: {},
-    defaultPermissionMode: 'bypassPermissions',
+    defaultPermissionMode: 'default',
     stallThresholdMs: computeStallThreshold(),
     sseMaxConnections: 100,
     sseMaxPerIp: 10,

package/dist/hook-settings.d.ts CHANGED Viewed

@@ -32,6 +32,7 @@ export type HttpHookEvent = typeof HTTP_HOOK_EVENTS[number];
 interface HttpHookConfig {
     type: 'http';
     url: string;
+    headers?: Record<string, string>;
 }
 /** Shape of the `hooks` section in CC settings.json. */
 export interface HookSettings {

package/dist/hook-settings.js CHANGED Viewed

@@ -129,15 +129,16 @@ export function generateHookSettings(baseUrl, sessionId, hookSecret) {
     const hooks = {};
     const callbackBaseUrl = normalizeHookBaseUrl(baseUrl);
     for (const event of HTTP_HOOK_EVENTS) {
-        const secretParam = hookSecret ? `&secret=${hookSecret}` : '';
+        const hookConfig = {
+            type: 'http',
+            url: `${callbackBaseUrl}/v1/hooks/${event}?sessionId=${sessionId}`,
+        };
+        if (hookSecret) {
+            hookConfig.headers = { 'X-Hook-Secret': hookSecret };
+        }
         hooks[event] = [
             {
-                hooks: [
-                    {
-                        type: 'http',
-                        url: `${callbackBaseUrl}/v1/hooks/${event}?sessionId=${sessionId}${secretParam}`,
-                    },
-                ],
+                hooks: [hookConfig],
             },
         ];
     }

package/dist/hooks.js CHANGED Viewed

@@ -128,8 +128,9 @@ export function registerHookRoutes(app, deps) {
         if (!session) {
             return reply.status(404).send({ error: `Session ${sessionId} not found` });
         }
-        // Issue #629: Validate per-session hook secret (defense in depth — also checked in auth middleware)
-        const hookSecret = req.query?.secret;
+        // Issue #629/#1131: Validate hook secret from X-Hook-Secret header (query param fallback)
+        const hookSecret = req.headers['x-hook-secret']
+            || req.query?.secret;
         if (session.hookSecret && hookSecret !== session.hookSecret) {
             return reply.status(401).send({ error: 'Unauthorized — invalid hook secret' });
         }

package/dist/server.js CHANGED Viewed

@@ -266,8 +266,9 @@ function setupAuth(authManager) {
             if (hookSessionId) {
                 const session = sessions.getSession(hookSessionId);
                 if (session) {
-                    // Issue #629: Validate hook secret from query param
-                    const hookSecret = req.query?.secret;
+                    // Issue #629/#1131: Validate hook secret from X-Hook-Secret header (query param fallback)
+                    const hookSecret = req.headers['x-hook-secret']
+                        || req.query?.secret;
                     if (!hookSecret || hookSecret !== session.hookSecret) {
                         return reply.status(401).send({ error: 'Unauthorized — invalid hook secret' });
                     }
@@ -869,7 +870,7 @@ async function spawnChildHandler(req, reply) {
     if (typeof safeChildWorkDir === 'object') {
         return reply.status(400).send({ error: `Invalid workDir: ${safeChildWorkDir.error}`, code: safeChildWorkDir.code });
     }
-    const childPermMode = permissionMode ?? parent.permissionMode ?? 'bypassPermissions';
+    const childPermMode = permissionMode ?? parent.permissionMode ?? 'default';
     const childSession = await sessions.createSession({ workDir: safeChildWorkDir, name: childName, parentId, permissionMode: childPermMode });
     let promptDelivery;
     if (prompt) {

package/dist/session.js CHANGED Viewed

@@ -510,7 +510,7 @@ export class SessionManager {
         const effectivePermissionMode = opts.permissionMode
             ?? (opts.autoApprove === true ? 'bypassPermissions' : opts.autoApprove === false ? 'default' : undefined)
             ?? this.config.defaultPermissionMode
-            ?? 'bypassPermissions';
+            ?? 'default';
         let settingsPatched = false;
         if (effectivePermissionMode !== 'bypassPermissions') {
             settingsPatched = await neutralizeBypassPermissions(opts.workDir, effectivePermissionMode);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aegis-bridge",
-  "version": "2.15.7",
+  "version": "2.16.0",
   "type": "module",
   "description": "Orchestrate Claude Code sessions via API. Create, brief, monitor, refine, ship.",
   "main": "dist/server.js",