npm - codeam-cli - Versions diffs - 2.39.11 → 2.39.13 - Mend

codeam-cli 2.39.11 → 2.39.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,23 @@ All notable changes to `codeam-cli` are documented here.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.39.12] — 2026-06-13
+### Fixed
+- **vsc-plugin,jetbrains-plugin:** Auto-reconnect the last session on IDE startup
+## [2.39.11] — 2026-06-13
+### Fixed
+- **cli:** Never let PostHog telemetry crash or spam the CLI session
+### Tests
+- **cli:** Fix Windows-only watcher path assertion (cross-platform path.join)
+- **cli:** Import only join from path in the watcher test
 ## [2.39.10] — 2026-06-13
 ### Fixed

package/dist/index.js CHANGED Viewed

@@ -498,7 +498,7 @@ var import_qrcode_terminal = __toESM(require("qrcode-terminal"));
 // package.json
 var package_default = {
   name: "codeam-cli",
-  version: "2.39.11",
+  version: "2.39.13",
   description: "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device \u2014 async. The terminal companion for CodeAgent Mobile.",
   type: "commonjs",
   main: "dist/index.js",
@@ -694,7 +694,7 @@ var _execSeam = {
 // src/services/pairing.service.ts
 var API_BASE = resolveApiBaseUrl();
 var REQUEST_CODE_TIMEOUT_MS = 1e4;
-async function requestCode(pluginId) {
+async function requestCode(pluginId, pluginSecretHash) {
   try {
     const runtime = process.env.CODESPACES === "true" ? "github-codespaces" : "local";
     const codespaceName = process.env.CODESPACE_NAME;
@@ -706,7 +706,11 @@ async function requestCode(pluginId) {
       hostname: os2.hostname(),
       runtime,
       branch,
-      ...codespaceName ? { codespaceName } : {}
+      ...codespaceName ? { codespaceName } : {},
+      // SEC: proof-of-possession enrollment. Backend carries this hash
+      // onto the session and requires the raw secret on /status +
+      // /reconnect. Older backends ignore the unknown field.
+      ...pluginSecretHash ? { pluginSecretHash } : {}
     });
     let timer;
     const timeoutSentinel = /* @__PURE__ */ Symbol("request-code-timeout");
@@ -738,11 +742,14 @@ async function requestCode(pluginId) {
     return { ok: false, reason: "network" };
   }
 }
-async function fetchCurrentPluginAuthToken(sessionId, pluginId) {
+async function fetchCurrentPluginAuthToken(sessionId, pluginId, pollSecret) {
   try {
     const result = await _transport.postJson(
       `${API_BASE}/api/pairing/reconnect`,
-      { sessionId, pluginId }
+      { sessionId, pluginId },
+      // SEC: prove possession so the gated /reconnect returns the token.
+      // Omitted for legacy sessions (no secret) → backend legacy path.
+      pollSecret ? { "X-Plugin-Poll-Secret": pollSecret } : void 0
     );
     const data = result?.data;
     if (!data?.paired) return null;
@@ -935,7 +942,7 @@ function makeHttpError(statusCode, retryAfterHeader, responseBody) {
   if (typeof retryAfterSeconds === "number") err.retryAfterSeconds = retryAfterSeconds;
   return err;
 }
-async function _postJson(url, body) {
+async function _postJson(url, body, extraHeaders) {
   return new Promise((resolve7, reject) => {
     const data = JSON.stringify(body);
     const u2 = new URL(url);
@@ -949,7 +956,8 @@ async function _postJson(url, body) {
         headers: {
           "Content-Type": "application/json",
           "Content-Length": Buffer.byteLength(data),
-          ...vercelBypassHeader()
+          ...vercelBypassHeader(),
+          ...extraHeaders ?? {}
         },
         timeout: 1e4
       },
@@ -5900,7 +5908,7 @@ function readAnonId() {
 }
 function superProperties() {
   return {
-    cliVersion: true ? "2.39.11" : "0.0.0-dev",
+    cliVersion: true ? "2.39.13" : "0.0.0-dev",
     nodeVersion: process.version,
     platform: process.platform,
     arch: process.arch,
@@ -23938,7 +23946,11 @@ async function start(requestedAgent) {
     requestedAgent: requestedAgent ?? null
   });
   const cwd = process.cwd();
-  const refreshed = await fetchCurrentPluginAuthToken(session.id, pluginId);
+  const refreshed = await fetchCurrentPluginAuthToken(
+    session.id,
+    pluginId,
+    session.pollSecret
+  );
   if (refreshed && refreshed !== session.pluginAuthToken) {
     addSession({ ...session, pluginAuthToken: refreshed });
     session.pluginAuthToken = refreshed;
@@ -24223,10 +24235,12 @@ async function pair(args2 = []) {
   const agentId = dryRun ? flagAgent ?? config.preferredAgent ?? "claude" : flagAgent ?? await promptForAgent(config.preferredAgent ?? "claude");
   showIntro();
   const pluginId = (0, import_crypto6.randomUUID)();
+  const pollSecret = (0, import_crypto6.randomBytes)(32).toString("base64url");
+  const pluginSecretHash = (0, import_crypto6.createHash)("sha256").update(pollSecret).digest("hex");
   capture("pair_started", { agentId, pluginId, dryRun });
   const spin = dist_exports.spinner();
   spin.start("Requesting pairing code...");
-  const result = await requestCode(pluginId);
+  const result = await requestCode(pluginId, pluginSecretHash);
   if (!result.ok) {
     spin.stop("Failed");
     if (result.reason === "rate-limited") {
@@ -24289,6 +24303,9 @@ async function pair(args2 = []) {
           plan: info.plan,
           pairedAt: Date.now(),
           pluginAuthToken: info.pluginAuthToken,
+          // SEC: persist the PoP secret so boot-time /reconnect can prove
+          // possession and refresh the token on the gated endpoint.
+          pollSecret,
           agent: agentId
         });
         saveCliConfig({ ...loadCliConfig(), preferredAgent: agentId });
@@ -26992,7 +27009,7 @@ function checkChokidar() {
 }
 async function doctor(args2 = []) {
   const json = args2.includes("--json");
-  const cliVersion = true ? "2.39.11" : "0.0.0-dev";
+  const cliVersion = true ? "2.39.13" : "0.0.0-dev";
   const apiBase = resolveApiBaseUrl();
   const diagnosticId = (0, import_node_crypto8.randomUUID)();
   log.info("doctor", `run id=${diagnosticId} cli=${cliVersion}`);
@@ -27191,7 +27208,7 @@ async function completion(args2) {
 // src/commands/version.ts
 var import_picocolors13 = __toESM(require("picocolors"));
 function version2() {
-  const v = true ? "2.39.11" : "unknown";
+  const v = true ? "2.39.13" : "unknown";
   console.log(`${import_picocolors13.default.bold("codeam-cli")} ${import_picocolors13.default.cyan(v)}`);
 }
@@ -27477,7 +27494,7 @@ function checkForUpdates() {
   if (process.env.CODEAM_DISABLE_UPDATE_CHECK === "1") return;
   if (process.env.CI) return;
   if (!process.stdout.isTTY) return;
-  const current = true ? "2.39.11" : null;
+  const current = true ? "2.39.13" : null;
   if (!current) return;
   const cache = readCache();
   const fresh = cache && Date.now() - cache.fetchedAt < TTL_MS;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codeam-cli",
-  "version": "2.39.11",
+  "version": "2.39.13",
   "description": "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.",
   "type": "commonjs",
   "main": "dist/index.js",