npm - codeam-cli - Versions diffs - 2.39.12 → 2.39.14 - Mend

codeam-cli 2.39.12 → 2.39.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,18 @@ All notable changes to `codeam-cli` are documented here.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.39.13] — 2026-06-14
+### Added
+- **cli:** Proof-of-possession secret for /status + /reconnect (SEC crit1)
+## [2.39.12] — 2026-06-13
+### Fixed
+- **vsc-plugin,jetbrains-plugin:** Auto-reconnect the last session on IDE startup
 ## [2.39.11] — 2026-06-13
 ### Fixed

package/dist/index.js CHANGED Viewed

@@ -498,7 +498,7 @@ var import_qrcode_terminal = __toESM(require("qrcode-terminal"));
 // package.json
 var package_default = {
   name: "codeam-cli",
-  version: "2.39.12",
+  version: "2.39.14",
   description: "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device \u2014 async. The terminal companion for CodeAgent Mobile.",
   type: "commonjs",
   main: "dist/index.js",
@@ -694,7 +694,7 @@ var _execSeam = {
 // src/services/pairing.service.ts
 var API_BASE = resolveApiBaseUrl();
 var REQUEST_CODE_TIMEOUT_MS = 1e4;
-async function requestCode(pluginId) {
+async function requestCode(pluginId, pluginSecretHash) {
   try {
     const runtime = process.env.CODESPACES === "true" ? "github-codespaces" : "local";
     const codespaceName = process.env.CODESPACE_NAME;
@@ -706,7 +706,11 @@ async function requestCode(pluginId) {
       hostname: os2.hostname(),
       runtime,
       branch,
-      ...codespaceName ? { codespaceName } : {}
+      ...codespaceName ? { codespaceName } : {},
+      // SEC: proof-of-possession enrollment. Backend carries this hash
+      // onto the session and requires the raw secret on /status +
+      // /reconnect. Older backends ignore the unknown field.
+      ...pluginSecretHash ? { pluginSecretHash } : {}
     });
     let timer;
     const timeoutSentinel = /* @__PURE__ */ Symbol("request-code-timeout");
@@ -738,11 +742,14 @@ async function requestCode(pluginId) {
     return { ok: false, reason: "network" };
   }
 }
-async function fetchCurrentPluginAuthToken(sessionId, pluginId) {
+async function fetchCurrentPluginAuthToken(sessionId, pluginId, pollSecret) {
   try {
     const result = await _transport.postJson(
       `${API_BASE}/api/pairing/reconnect`,
-      { sessionId, pluginId }
+      { sessionId, pluginId },
+      // SEC: prove possession so the gated /reconnect returns the token.
+      // Omitted for legacy sessions (no secret) → backend legacy path.
+      pollSecret ? { "X-Plugin-Poll-Secret": pollSecret } : void 0
     );
     const data = result?.data;
     if (!data?.paired) return null;
@@ -935,7 +942,7 @@ function makeHttpError(statusCode, retryAfterHeader, responseBody) {
   if (typeof retryAfterSeconds === "number") err.retryAfterSeconds = retryAfterSeconds;
   return err;
 }
-async function _postJson(url, body) {
+async function _postJson(url, body, extraHeaders) {
   return new Promise((resolve7, reject) => {
     const data = JSON.stringify(body);
     const u2 = new URL(url);
@@ -949,7 +956,8 @@ async function _postJson(url, body) {
         headers: {
           "Content-Type": "application/json",
           "Content-Length": Buffer.byteLength(data),
-          ...vercelBypassHeader()
+          ...vercelBypassHeader(),
+          ...extraHeaders ?? {}
         },
         timeout: 1e4
       },
@@ -5900,7 +5908,7 @@ function readAnonId() {
 }
 function superProperties() {
   return {
-    cliVersion: true ? "2.39.12" : "0.0.0-dev",
+    cliVersion: true ? "2.39.14" : "0.0.0-dev",
     nodeVersion: process.version,
     platform: process.platform,
     arch: process.arch,
@@ -23938,7 +23946,11 @@ async function start(requestedAgent) {
     requestedAgent: requestedAgent ?? null
   });
   const cwd = process.cwd();
-  const refreshed = await fetchCurrentPluginAuthToken(session.id, pluginId);
+  const refreshed = await fetchCurrentPluginAuthToken(
+    session.id,
+    pluginId,
+    session.pollSecret
+  );
   if (refreshed && refreshed !== session.pluginAuthToken) {
     addSession({ ...session, pluginAuthToken: refreshed });
     session.pluginAuthToken = refreshed;
@@ -24223,10 +24235,12 @@ async function pair(args2 = []) {
   const agentId = dryRun ? flagAgent ?? config.preferredAgent ?? "claude" : flagAgent ?? await promptForAgent(config.preferredAgent ?? "claude");
   showIntro();
   const pluginId = (0, import_crypto6.randomUUID)();
+  const pollSecret = (0, import_crypto6.randomBytes)(32).toString("base64url");
+  const pluginSecretHash = (0, import_crypto6.createHash)("sha256").update(pollSecret).digest("hex");
   capture("pair_started", { agentId, pluginId, dryRun });
   const spin = dist_exports.spinner();
   spin.start("Requesting pairing code...");
-  const result = await requestCode(pluginId);
+  const result = await requestCode(pluginId, pluginSecretHash);
   if (!result.ok) {
     spin.stop("Failed");
     if (result.reason === "rate-limited") {
@@ -24289,6 +24303,9 @@ async function pair(args2 = []) {
           plan: info.plan,
           pairedAt: Date.now(),
           pluginAuthToken: info.pluginAuthToken,
+          // SEC: persist the PoP secret so boot-time /reconnect can prove
+          // possession and refresh the token on the gated endpoint.
+          pollSecret,
           agent: agentId
         });
         saveCliConfig({ ...loadCliConfig(), preferredAgent: agentId });
@@ -24588,7 +24605,7 @@ function networkError(msg, cause) {
   if (cause !== void 0) err.cause = cause;
   return err;
 }
-async function claimOnce(token, pluginId) {
+async function claimOnce(token, pluginId, pluginSecretHash) {
   const url = `${API_BASE10}/api/pairing/claim-auto-token`;
   const body = {
     token,
@@ -24600,7 +24617,11 @@ async function claimOnce(token, pluginId) {
     // Current git branch of the codespace's working directory, so the
     // backend can populate `PairedSession.branch` for the codespace pair.
     // `null` when detached HEAD / not a git repo.
-    branch: detectCurrentBranch()
+    branch: detectCurrentBranch(),
+    // SEC crit1 (#813): enroll the PoP hash so /status + /reconnect for
+    // this codespace session require the raw secret. Older backends
+    // ignore the unknown field.
+    ...pluginSecretHash ? { pluginSecretHash } : {}
   };
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), CLAIM_TIMEOUT_MS);
@@ -24637,14 +24658,14 @@ async function claimOnce(token, pluginId) {
   }
   return ok.data;
 }
-async function claim(token, pluginId) {
+async function claim(token, pluginId, pluginSecretHash) {
   try {
-    return await claimOnce(token, pluginId);
+    return await claimOnce(token, pluginId, pluginSecretHash);
   } catch (err) {
     if (err.code !== "NETWORK") throw err;
     await new Promise((r) => setTimeout(r, RETRY_BACKOFF_MS3));
     try {
-      return await claimOnce(token, pluginId);
+      return await claimOnce(token, pluginId, pluginSecretHash);
     } catch (retryErr) {
       const netErr = retryErr;
       fail(`Auto-pair failed (NETWORK): ${netErr.message}`);
@@ -24700,9 +24721,11 @@ async function pairAuto(args2) {
   }
   const token = readTokenFromArgs(args2);
   const pluginId = (0, import_crypto7.randomUUID)();
+  const pollSecret = (0, import_crypto7.randomBytes)(32).toString("base64url");
+  const pluginSecretHash = (0, import_crypto7.createHash)("sha256").update(pollSecret).digest("hex");
   capture("pair_auto_started", { pluginId });
   console.log("  Claiming pairing token\u2026");
-  const claimed = await claim(token, pluginId);
+  const claimed = await claim(token, pluginId, pluginSecretHash);
   if (!isKnownAgentId(claimed.agent)) {
     fail(
       `agent "${claimed.agent}" is not supported in this codeam-cli version. Upgrade with 'npm i -g codeam-cli@latest'.`
@@ -24716,6 +24739,8 @@ async function pairAuto(args2) {
     plan: claimed.user.plan,
     pairedAt: Date.now(),
     pluginAuthToken: claimed.pluginAuthToken,
+    // SEC crit1 (#813): persist so boot-time /reconnect proves possession.
+    pollSecret,
     agent: claimed.agent
   });
   identifyUser({
@@ -26992,7 +27017,7 @@ function checkChokidar() {
 }
 async function doctor(args2 = []) {
   const json = args2.includes("--json");
-  const cliVersion = true ? "2.39.12" : "0.0.0-dev";
+  const cliVersion = true ? "2.39.14" : "0.0.0-dev";
   const apiBase = resolveApiBaseUrl();
   const diagnosticId = (0, import_node_crypto8.randomUUID)();
   log.info("doctor", `run id=${diagnosticId} cli=${cliVersion}`);
@@ -27191,7 +27216,7 @@ async function completion(args2) {
 // src/commands/version.ts
 var import_picocolors13 = __toESM(require("picocolors"));
 function version2() {
-  const v = true ? "2.39.12" : "unknown";
+  const v = true ? "2.39.14" : "unknown";
   console.log(`${import_picocolors13.default.bold("codeam-cli")} ${import_picocolors13.default.cyan(v)}`);
 }
@@ -27477,7 +27502,7 @@ function checkForUpdates() {
   if (process.env.CODEAM_DISABLE_UPDATE_CHECK === "1") return;
   if (process.env.CI) return;
   if (!process.stdout.isTTY) return;
-  const current = true ? "2.39.12" : null;
+  const current = true ? "2.39.14" : null;
   if (!current) return;
   const cache = readCache();
   const fresh = cache && Date.now() - cache.fetchedAt < TTL_MS;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codeam-cli",
-  "version": "2.39.12",
+  "version": "2.39.14",
   "description": "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.",
   "type": "commonjs",
   "main": "dist/index.js",