agentgui 1.0.968 → 1.0.969

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/AGENTS.md +6 -0
  2. package/package.json +1 -1
  3. package/site/app/js/backend.js +10 -5
package/AGENTS.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # AgentGUI — Agent Notes
2
2
 
3
+ ## CRITICAL — `authedFetch` must NOT set `Authorization: Bearer` behind an nginx Basic-Auth proxy (2026-06-18)
4
+
5
+ Witnessed on the boxone.off.l-inc.co.za/gm deploy: the page HTML/JS/CSS loaded (browser sends its cached HTTP Basic creds) but every app `fetch()` (`/gm/health`, `/gm/v1/history/sessions`, `/api/*`) returned **401 from nginx**, and the user saw a repeating Basic-Auth prompt. Root cause: `site/app/js/backend.js` `authedFetch` set `Authorization: Bearer <window.__WS_TOKEN>`, which **overwrites** the browser's cached `Authorization: Basic` credentials. nginx `auth_basic` only accepts `Basic`, so a `Bearer` header is rejected at the proxy before it ever reaches agentgui. The WS survived because it auths via `?token=` query on an `auth_basic off` path. Fix: thread the token via the **`?token=` query param** (`withToken()`, exactly like the WS / EventSource / image / download URLs) and never override `Authorization` — the query param coexists with the upstream Basic auth, and agentgui accepts `?token=` on every HTTP route. Rule: **same-origin app auth must never use the `Authorization` header when an upstream proxy may own Basic auth** — use the query param + the `agentgui_token` cookie. boxone runs the published `agentgui@latest`, so this reaches it only after an npm publish + service restart (or via the gmweb nginx `auth_basic off` mitigation on the agentgui-proxied API paths).
6
+
3
7
  ## UX-craft sweep + empirical-witness-first (2026-06-11) — twelfth run
4
8
 
5
9
  Two-track run: EMPIRICAL baseline witnessing of the live page found 18 shipped janks BEFORE theorizing, then a fresh hunt workflow `.claude/workflows/gui-ux-craft.js` (6 lenses the 11 prior sweeps never used: typography-rhythm, copy-tone, perceived-performance, kit-DX, light-theme-contrast, interaction-density; 46 agents -> 40 confirmed, `PUNCHLIST-UX.md`). ALL 58 implemented. Server on this env runs `PORT=3009` (3000 owned by another app).
@@ -257,3 +261,5 @@ GUI source keeps typographic product characters — the middot separator `·`, t
257
261
 
258
262
  **`index.html` loads the DS kit from the local `./vendor/anentrypoint-design/247420.{js,css}`, NOT unpkg.** The prior "moved to unpkg @latest" note described a transient state that was reverted: the kit was re-vendored (with `AgentChat`) in `eb1eab3` and witnessed loading from `./vendor/` again (2026-06-04 and 2026-06-05 runs). The vendored copy IS the shipped UI — predictable, no upstream-publish drift. Update flow: edit the kit at `c:\dev\anentrypoint-design`, `node scripts/build.mjs`, copy `dist/247420.{js,css}` into `site/app/vendor/anentrypoint-design/`, browser-witness, then push the kit so unpkg stays in sync for other consumers. (The markdown stack marked/dompurify/prismjs still fetches from jsdelivr on first chat render.)
259
263
 
264
+
265
+ @.gm/next-step.md
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentgui",
3
- "version": "1.0.968",
3
+ "version": "1.0.969",
4
4
  "description": "Multi-agent ACP client with real-time communication",
5
5
  "type": "module",
6
6
  "main": "electron/main.js",
package/site/app/js/backend.js CHANGED
@@ -14,11 +14,16 @@ function authToken() {
14
14
  }
15
15
 
16
16
  function authedFetch(url, opts = {}) {
17
- const tok = authToken();
18
- if (!tok) return fetch(url, opts);
19
- const h = new Headers(opts.headers || {});
20
- h.set('Authorization', 'Bearer ' + tok);
21
- return fetch(url, { ...opts, headers: h });
17
+ // Thread the agentgui token via the ?token= query param (exactly like the WS,
18
+ // EventSource, and image/download URLs) rather than an `Authorization: Bearer`
19
+ // header. A Bearer header OVERWRITES the browser's cached HTTP Basic Auth
20
+ // credentials, so behind an nginx `auth_basic` proxy (e.g. the boxone /gm
21
+ // deploy) every app fetch is rejected with 401 at the proxy before it ever
22
+ // reaches agentgui - the page HTML/JS load (browser sends Basic creds) but
23
+ // /health, /v1/history/*, and /api/* all 401. The query param coexists with
24
+ // Basic auth; agentgui accepts ?token= on every HTTP route. credentials are
25
+ // kept same-origin so the agentgui_token cookie also flows.
26
+ return fetch(withToken(url), { credentials: 'same-origin', ...opts });
22
27
  }
23
28
 
24
29
  function withToken(url) {