npm - claudekit-cli - Versions diffs - 3.37.0-dev.1 → 3.37.0-dev.2 - Mend

claudekit-cli 3.37.0-dev.1 → 3.37.0-dev.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -91,6 +91,9 @@ ck --help
 # Open config dashboard immediately
 ck config
+# Expose the dashboard intentionally to your LAN/Tailscale
+ck config --host 0.0.0.0 --no-open
 # Command-level help (recommended)
 ck config --help
 ck skills --help
@@ -99,6 +102,23 @@ ck commands --help
 ck migrate --help
 ```
+### Config Dashboard Access
+By default, `ck config` binds the dashboard to `127.0.0.1` for local-only access.
+Use `--host` when you intentionally want remote access from another device on the same trusted network:
+```bash
+# Bind to all interfaces
+ck config --host 0.0.0.0 --no-open
+# Bind to a specific interface or hostname
+ck config --host 100.88.12.4 --no-open
+ck config --host dashboard.local --no-open
+```
+The dashboard still enforces same-origin browser access. Remote access works when you open the UI from the same host/origin that reaches the server, instead of relying on a hardcoded IP allowlist.
 ### Create New Project
 ```bash

package/dist/index.js CHANGED Viewed

@@ -46709,21 +46709,15 @@ var init_file_watcher = __esm(() => {
 // src/domains/web-server/middleware/cors.ts
 function corsMiddleware(req, res, next) {
-  const origin = req.headers.origin;
-  if (origin && !origin.match(/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/)) {
+  const origin = getHeaderValue(req.headers.origin);
+  const normalizedOrigin = origin ? normalizeOrigin(origin) : null;
+  if (origin && (!normalizedOrigin || !isAllowedOrigin(normalizedOrigin, req))) {
     res.status(403).json({ error: "Forbidden: invalid origin" });
     return;
   }
-  const allowedOrigins = [
-    "http://localhost:3000",
-    "http://localhost:3456",
-    "http://localhost:5173",
-    "http://127.0.0.1:3000",
-    "http://127.0.0.1:3456",
-    "http://127.0.0.1:5173"
-  ];
-  if (origin && allowedOrigins.includes(origin)) {
-    res.setHeader("Access-Control-Allow-Origin", origin);
+  if (normalizedOrigin) {
+    appendVaryHeader(res, "Origin");
+    res.setHeader("Access-Control-Allow-Origin", normalizedOrigin);
   }
   res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
   res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
@@ -46734,6 +46728,68 @@ function corsMiddleware(req, res, next) {
   }
   next();
 }
+function isAllowedOrigin(origin, req) {
+  if (LOCAL_DEV_ORIGINS.has(origin)) {
+    return true;
+  }
+  return getRequestOrigins(req).has(origin);
+}
+function getRequestOrigins(req) {
+  const origins = new Set;
+  const hosts = getHeaderValues(req.headers["x-forwarded-host"]).concat(getHeaderValues(req.headers.host));
+  const protocols = getForwardedProtocols(req);
+  for (const host of hosts) {
+    for (const protocol of protocols) {
+      origins.add(`${protocol}://${host}`);
+    }
+  }
+  return origins;
+}
+function getForwardedProtocols(req) {
+  const forwarded = getHeaderValues(req.headers["x-forwarded-proto"]).map((value) => value.toLowerCase());
+  const current = typeof req.protocol === "string" && req.protocol ? [req.protocol.toLowerCase()] : ["http"];
+  return Array.from(new Set([...forwarded, ...current].filter((value) => value === "http" || value === "https")));
+}
+function normalizeOrigin(origin) {
+  try {
+    return new URL(origin).origin;
+  } catch {
+    return null;
+  }
+}
+function getHeaderValue(value) {
+  if (Array.isArray(value)) {
+    return value[0];
+  }
+  return value;
+}
+function getHeaderValues(value) {
+  const raw = Array.isArray(value) ? value.join(",") : value;
+  if (!raw) {
+    return [];
+  }
+  return raw.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function appendVaryHeader(res, value) {
+  const current = res.getHeader("Vary");
+  if (!current) {
+    res.setHeader("Vary", value);
+    return;
+  }
+  const entries = String(current).split(",").map((entry) => entry.trim()).filter(Boolean);
+  if (!entries.includes(value)) {
+    entries.push(value);
+    res.setHeader("Vary", entries.join(", "));
+  }
+}
+var LOCAL_DEV_ORIGINS;
+var init_cors = __esm(() => {
+  LOCAL_DEV_ORIGINS = new Set(["localhost", "127.0.0.1", "[::1]"].flatMap((host) => [
+    `http://${host}:3000`,
+    `http://${host}:3456`,
+    `http://${host}:5173`
+  ]));
+});
 // src/domains/web-server/middleware/error-handler.ts
 function errorHandler(err, _req, res, _next) {
@@ -56724,7 +56780,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "claudekit-cli",
-    version: "3.37.0-dev.1",
+    version: "3.37.0-dev.2",
     description: "CLI tool for bootstrapping and updating ClaudeKit projects",
     type: "module",
     repository: {
@@ -62150,7 +62206,12 @@ var init_websocket_manager = __esm(() => {
 import { createServer } from "node:http";
 import { fileURLToPath as fileURLToPath3 } from "node:url";
 async function createAppServer(options2 = {}) {
-  const { port: preferredPort, openBrowser = true, devMode = false } = options2;
+  const {
+    port: preferredPort,
+    openBrowser = true,
+    devMode = false,
+    host = DEFAULT_DASHBOARD_HOST
+  } = options2;
   const port = await getPorts({ port: preferredPort || [3456, 3457, 3458, 3459, 3460] });
   const app = import_express2.default();
   app.use(import_express2.default.json({ limit: "10mb" }));
@@ -62183,15 +62244,15 @@ async function createAppServer(options2 = {}) {
       };
       server.once("listening", onListening);
       server.once("error", onError);
-      server.listen(port);
+      server.listen(port, host);
     });
-    logger.debug(`Server listening on port ${port}`);
+    logger.debug(`Server listening on ${host}:${port}`);
     if (openBrowser) {
       try {
-        await open_default(`http://localhost:${port}`);
+        await open_default(getBrowserUrl(host, port));
       } catch (err) {
         logger.warning(`Failed to open browser: ${err instanceof Error ? err.message : err}`);
-        logger.info(`Open http://localhost:${port} manually`);
+        logger.info(`Open ${getBrowserUrl(host, port)} manually`);
       }
     }
   } catch (error) {
@@ -62202,6 +62263,7 @@ async function createAppServer(options2 = {}) {
   }
   return {
     port,
+    host,
     server,
     close: async () => {
       fileWatcher?.stop();
@@ -62252,17 +62314,29 @@ async function setupViteDevServer(app, httpServer, options2) {
     serveStatic(app);
   }
 }
-var import_express2;
+function getBrowserUrl(host, port) {
+  if (WILDCARD_HOSTS.has(host) || LOOPBACK_OPEN_HOSTS.has(host)) {
+    return `http://localhost:${port}`;
+  }
+  return `http://${formatHostForUrl(host)}:${port}`;
+}
+function formatHostForUrl(host) {
+  return host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+}
+var import_express2, DEFAULT_DASHBOARD_HOST = "127.0.0.1", LOOPBACK_OPEN_HOSTS, WILDCARD_HOSTS;
 var init_server = __esm(() => {
   init_logger();
   init_get_port();
   init_open();
   init_file_watcher();
+  init_cors();
   init_error_handler();
   init_routes();
   init_static_server();
   init_websocket_manager();
   import_express2 = __toESM(require_express2(), 1);
+  LOOPBACK_OPEN_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
+  WILDCARD_HOSTS = new Set(["0.0.0.0", "::"]);
 });
 // src/domains/web-server/index.ts
@@ -70604,6 +70678,10 @@ var init_config_command_help = __esm(() => {
         command: "ck config",
         description: "Launch the web dashboard (same as 'ck config ui')"
       },
+      {
+        command: "ck config --host 0.0.0.0 --no-open",
+        description: "Expose the dashboard to your network intentionally"
+      },
       {
         command: "ck config set defaults.kit engineer",
         description: "Set a config value from the CLI"
@@ -70651,6 +70729,10 @@ var init_config_command_help = __esm(() => {
             flags: "--port <port>",
             description: "Port for dashboard server"
           },
+          {
+            flags: "--host <host>",
+            description: "Bind dashboard host (default: 127.0.0.1)"
+          },
           {
             flags: "--no-open",
             description: "Do not auto-open browser when launching dashboard"
@@ -70674,7 +70756,7 @@ var init_config_command_help = __esm(() => {
     sections: [
       {
         title: "Notes",
-        content: "Run 'ck config --help' to see both CLI actions and dashboard flags. Running bare 'ck config' opens the dashboard directly."
+        content: "Run 'ck config --help' to see both CLI actions and dashboard flags. Running bare 'ck config' opens the dashboard directly. Use '--host' to expose the dashboard intentionally beyond localhost."
       }
     ]
   };
@@ -74708,12 +74790,16 @@ init_commands_discovery();
 // src/commands/config/config-ui-command.ts
 init_logger();
 var import_picocolors14 = __toESM(require_picocolors(), 1);
+import { networkInterfaces } from "node:os";
+var LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
+var WILDCARD_HOSTS2 = new Set(["0.0.0.0", "::"]);
 async function configUICommand(options2 = {}) {
   const { port, dev = false } = options2;
+  const host = options2.host?.trim() || undefined;
   const noOpen = options2.open === false || options2.noOpen === true;
   try {
     if (port) {
-      const isAvailable = await checkPort(port);
+      const isAvailable = await checkPort(port, host);
       if (!isAvailable) {
         logger.error(`Port ${port} is already in use`);
         logger.info("Try: ck config (auto-selects available port)");
@@ -74726,13 +74812,20 @@ async function configUICommand(options2 = {}) {
     const server = await startServer({
       port,
       openBrowser: !noOpen,
-      devMode: dev
+      devMode: dev,
+      host
     });
-    const url = `http://localhost:${server.port}`;
+    const urls = getDashboardUrls(server.host, server.port);
     console.log();
     console.log(import_picocolors14.default.bold("  ClaudeKit Dashboard"));
     console.log(import_picocolors14.default.dim("  ─────────────────────"));
-    console.log(`  ${import_picocolors14.default.green("➜")} Local: ${import_picocolors14.default.cyan(url)}`);
+    if (urls.local) {
+      console.log(`  ${import_picocolors14.default.green("➜")} Local: ${import_picocolors14.default.cyan(urls.local)}`);
+    }
+    for (const url of urls.network) {
+      console.log(`  ${import_picocolors14.default.green(urls.local ? "•" : "➜")} Network: ${import_picocolors14.default.cyan(url)}`);
+    }
+    console.log(`  ${import_picocolors14.default.green("•")} Bind: ${import_picocolors14.default.cyan(server.host)}`);
     console.log();
     console.log(import_picocolors14.default.dim("  Press Ctrl+C to stop"));
     console.log();
@@ -74760,7 +74853,7 @@ async function configUICommand(options2 = {}) {
     process.exitCode = 1;
   }
 }
-async function checkPort(port) {
+async function checkPort(port, host) {
   const { createServer: createServer2 } = await import("node:net");
   return new Promise((resolve13) => {
     const server = createServer2();
@@ -74769,9 +74862,43 @@ async function checkPort(port) {
       server.close();
       resolve13(true);
     });
-    server.listen(port);
+    server.listen(port, host);
   });
 }
+function getDashboardUrls(host, port) {
+  if (WILDCARD_HOSTS2.has(host)) {
+    return {
+      local: `http://localhost:${port}`,
+      network: getDetectedNetworkUrls(port)
+    };
+  }
+  if (LOOPBACK_HOSTS.has(host)) {
+    return {
+      local: `http://localhost:${port}`,
+      network: []
+    };
+  }
+  return {
+    local: null,
+    network: [buildDashboardUrl(host, port)]
+  };
+}
+function getDetectedNetworkUrls(port) {
+  const urls = new Set;
+  for (const addresses of Object.values(networkInterfaces())) {
+    for (const address of addresses ?? []) {
+      if (address.internal) {
+        continue;
+      }
+      urls.add(buildDashboardUrl(address.address, port));
+    }
+  }
+  return Array.from(urls).sort();
+}
+function buildDashboardUrl(host, port) {
+  const formattedHost = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+  return `http://${formattedHost}:${port}`;
+}
 // src/commands/config/phases/get-handler.ts
 init_config();
@@ -74935,9 +75062,10 @@ async function configCommand(action, keyOrOptions, valueOrOptions, options2) {
   }
   const rawOpts = options2 || (typeof keyOrOptions === "object" ? keyOrOptions : {});
   const uiOpts = {
-    port: rawOpts?.port,
-    noOpen: rawOpts?.noOpen,
-    dev: rawOpts?.dev
+    port: rawOpts.port,
+    noOpen: rawOpts.noOpen,
+    dev: rawOpts.dev,
+    host: rawOpts.host
   };
   return configUICommand(uiOpts);
 }
@@ -102663,7 +102791,7 @@ function registerCommands(cli) {
         console.error(`Unknown action: ${action}. Available: start, stop, status, logs, setup, queue, approve, reject`);
     }
   });
-  cli.command("config [action] [key] [value]", "Manage ClaudeKit configuration").option("-g, --global", "Use global config (~/.claudekit/config.json)").option("-l, --local", "Use local config (.claude/.ck.json)").option("--json", "Output in JSON format").option("--port <port>", "Port for UI server (default: auto)").option("--no-open", "Don't auto-open browser").option("--dev", "Run UI in development mode with HMR").action(async (action, key, value, options2) => {
+  cli.command("config [action] [key] [value]", "Manage ClaudeKit configuration").option("-g, --global", "Use global config (~/.claudekit/config.json)").option("-l, --local", "Use local config (.claude/.ck.json)").option("--json", "Output in JSON format").option("--port <port>", "Port for UI server (default: auto)").option("--host <host>", "Bind dashboard host (default: 127.0.0.1)").option("--no-open", "Don't auto-open browser").option("--dev", "Run UI in development mode with HMR").action(async (action, key, value, options2) => {
     await configCommand(action, key, value, options2);
   });
   registerProjectsCommand(cli);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "claudekit-cli",
-	"version": "3.37.0-dev.1",
+	"version": "3.37.0-dev.2",
 	"description": "CLI tool for bootstrapping and updating ClaudeKit projects",
 	"type": "module",
 	"repository": {