npm - agent-relay-server - Versions diffs - 0.4.4 → 0.4.5 - Mend

agent-relay-server 0.4.4 → 0.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CONTRIBUTING.md +63 -0
package/README.md +3 -0
package/SECURITY.md +67 -0
package/codex/plugin/.codex-plugin/plugin.json +1 -1
package/package.json +4 -2

package/CONTRIBUTING.md ADDED Viewed

@@ -0,0 +1,63 @@
+# Contributing
+Thanks for helping improve Agent Relay. This project is small infrastructure,
+so the best contributions are focused, tested, and easy to reason about.
+## Before You Start
+- Open an issue before large features, protocol changes, persistence changes, or
+  UX rewrites.
+- Keep pull requests narrow. One behavior change per PR is ideal.
+- Security reports belong in private email, not public issues. See
+  [SECURITY.md](SECURITY.md).
+## Development Setup
+Agent Relay uses Bun and TypeScript.
+```bash
+git clone https://github.com/edimuj/agent-relay.git
+cd agent-relay
+bun install
+bun run dev
+```
+Useful checks:
+```bash
+bun run typecheck
+bun test
+```
+The server defaults to `http://127.0.0.1:4850`.
+## Project Shape
+- `src/`: relay server, API routes, SQLite persistence, daemon/setup CLI.
+- `public/`: dashboard markup and Alpine model.
+- `claude/`: Claude Code plugin package.
+- `codex/`: Codex launcher, hook, live sidecar, and plugin bundle.
+- `examples/integrations/`: practical task/event connector examples.
+## Pull Request Expectations
+- Add or update tests for behavior changes.
+- Preserve the local-first trust model: localhost by default, token required for
+  non-loopback binds, conservative daemon behavior.
+- Avoid broad refactors unless they directly support the change.
+- Do not introduce new runtime services unless the issue explicitly calls for it.
+- Update README/API docs when user-facing behavior changes.
+## Coding Style
+- Prefer existing local patterns over new abstractions.
+- Keep API validation explicit and boring.
+- Use structured parsing for structured data; avoid ad hoc string parsing when a
+  standard API is available.
+- Keep dashboard changes responsive on both desktop and mobile.
+## Licensing
+By contributing, you agree that your contribution is licensed under the project
+license: AGPL-3.0-or-later.

package/README.md CHANGED Viewed

@@ -538,6 +538,9 @@ codex/                               # Codex integration
 ## Development
+See [CONTRIBUTING.md](CONTRIBUTING.md) for contribution guidelines and
+[SECURITY.md](SECURITY.md) for vulnerability reporting.
 ```bash
 git clone https://github.com/edimuj/agent-relay.git
 cd agent-relay

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,67 @@
+# Security Policy
+Agent Relay is local-first coordination infrastructure for trusted agents,
+scripts, and tools. It is designed for localhost, VPN, or trusted LAN use. Do
+not expose it directly to the public internet.
+## Supported Versions
+Security fixes are released on the latest published version.
+| Version | Supported |
+|---------|-----------|
+| latest | Yes |
+| older releases | Best effort |
+## Reporting a Vulnerability
+Please do not open a public GitHub issue for suspected vulnerabilities.
+Report security issues by email:
+```text
+edin@exelerus.com
+```
+Include as much detail as you can:
+- Affected version and install method.
+- Whether the relay was bound to localhost, VPN/LAN, or a public interface.
+- Relevant environment variables, with secrets redacted.
+- Reproduction steps or a proof of concept.
+- Expected impact.
+I will acknowledge valid reports as quickly as practical and coordinate a fix
+before public disclosure.
+## Security Model
+Agent Relay assumes the operators and registered agents are trusted. It is not a
+multi-tenant service boundary.
+Important defaults and constraints:
+- The server binds to `127.0.0.1` by default.
+- Non-loopback binds require `AGENT_RELAY_TOKEN` unless
+  `AGENT_RELAY_ALLOW_UNAUTH=1` is explicitly set.
+- Browser access is same-origin by default unless
+  `AGENT_RELAY_CORS_ORIGINS` is configured.
+- The dashboard stores its token in browser `localStorage` for the relay origin.
+- Agent messages, task data, and integration events are stored in local SQLite.
+- TLS termination, reverse proxy hardening, and network ACLs are deployment
+  responsibilities.
+Use a private network such as Tailscale, WireGuard, SSH tunnels, or localhost
+port forwarding for remote access.
+## Out of Scope
+These are usually configuration or trust-model issues rather than project
+vulnerabilities:
+- A relay intentionally exposed to the public internet.
+- A relay started with `AGENT_RELAY_ALLOW_UNAUTH=1` on an untrusted network.
+- A leaked shared token after it has been stored in shell history, logs, browser
+  storage, or third-party tooling.
+- Malicious behavior by an already trusted local agent or script.

package/codex/plugin/.codex-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agent-relay",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "description": "Agent Relay integration for Codex sessions",
   "author": {
     "name": "Edin Mujkanovic"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agent-relay-server",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "description": "Lightweight HTTP message relay for inter-agent communication across machines",
   "module": "src/index.ts",
   "type": "module",
@@ -19,7 +19,9 @@
     "codex/plugin/**",
     "examples/**",
     "public/**",
-    "README.md"
+    "README.md",
+    "SECURITY.md",
+    "CONTRIBUTING.md"
   ],
   "scripts": {
     "start": "bun run src/index.ts",