npm - codeam-cli - Versions diffs - 2.39.13 → 2.39.14 - Mend

codeam-cli 2.39.13 → 2.39.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,12 @@ All notable changes to `codeam-cli` are documented here.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.39.13] — 2026-06-14
+### Added
+- **cli:** Proof-of-possession secret for /status + /reconnect (SEC crit1)
 ## [2.39.12] — 2026-06-13
 ### Fixed

package/dist/index.js CHANGED Viewed

@@ -498,7 +498,7 @@ var import_qrcode_terminal = __toESM(require("qrcode-terminal"));
 // package.json
 var package_default = {
   name: "codeam-cli",
-  version: "2.39.13",
+  version: "2.39.14",
   description: "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device \u2014 async. The terminal companion for CodeAgent Mobile.",
   type: "commonjs",
   main: "dist/index.js",
@@ -5908,7 +5908,7 @@ function readAnonId() {
 }
 function superProperties() {
   return {
-    cliVersion: true ? "2.39.13" : "0.0.0-dev",
+    cliVersion: true ? "2.39.14" : "0.0.0-dev",
     nodeVersion: process.version,
     platform: process.platform,
     arch: process.arch,
@@ -24605,7 +24605,7 @@ function networkError(msg, cause) {
   if (cause !== void 0) err.cause = cause;
   return err;
 }
-async function claimOnce(token, pluginId) {
+async function claimOnce(token, pluginId, pluginSecretHash) {
   const url = `${API_BASE10}/api/pairing/claim-auto-token`;
   const body = {
     token,
@@ -24617,7 +24617,11 @@ async function claimOnce(token, pluginId) {
     // Current git branch of the codespace's working directory, so the
     // backend can populate `PairedSession.branch` for the codespace pair.
     // `null` when detached HEAD / not a git repo.
-    branch: detectCurrentBranch()
+    branch: detectCurrentBranch(),
+    // SEC crit1 (#813): enroll the PoP hash so /status + /reconnect for
+    // this codespace session require the raw secret. Older backends
+    // ignore the unknown field.
+    ...pluginSecretHash ? { pluginSecretHash } : {}
   };
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), CLAIM_TIMEOUT_MS);
@@ -24654,14 +24658,14 @@ async function claimOnce(token, pluginId) {
   }
   return ok.data;
 }
-async function claim(token, pluginId) {
+async function claim(token, pluginId, pluginSecretHash) {
   try {
-    return await claimOnce(token, pluginId);
+    return await claimOnce(token, pluginId, pluginSecretHash);
   } catch (err) {
     if (err.code !== "NETWORK") throw err;
     await new Promise((r) => setTimeout(r, RETRY_BACKOFF_MS3));
     try {
-      return await claimOnce(token, pluginId);
+      return await claimOnce(token, pluginId, pluginSecretHash);
     } catch (retryErr) {
       const netErr = retryErr;
       fail(`Auto-pair failed (NETWORK): ${netErr.message}`);
@@ -24717,9 +24721,11 @@ async function pairAuto(args2) {
   }
   const token = readTokenFromArgs(args2);
   const pluginId = (0, import_crypto7.randomUUID)();
+  const pollSecret = (0, import_crypto7.randomBytes)(32).toString("base64url");
+  const pluginSecretHash = (0, import_crypto7.createHash)("sha256").update(pollSecret).digest("hex");
   capture("pair_auto_started", { pluginId });
   console.log("  Claiming pairing token\u2026");
-  const claimed = await claim(token, pluginId);
+  const claimed = await claim(token, pluginId, pluginSecretHash);
   if (!isKnownAgentId(claimed.agent)) {
     fail(
       `agent "${claimed.agent}" is not supported in this codeam-cli version. Upgrade with 'npm i -g codeam-cli@latest'.`
@@ -24733,6 +24739,8 @@ async function pairAuto(args2) {
     plan: claimed.user.plan,
     pairedAt: Date.now(),
     pluginAuthToken: claimed.pluginAuthToken,
+    // SEC crit1 (#813): persist so boot-time /reconnect proves possession.
+    pollSecret,
     agent: claimed.agent
   });
   identifyUser({
@@ -27009,7 +27017,7 @@ function checkChokidar() {
 }
 async function doctor(args2 = []) {
   const json = args2.includes("--json");
-  const cliVersion = true ? "2.39.13" : "0.0.0-dev";
+  const cliVersion = true ? "2.39.14" : "0.0.0-dev";
   const apiBase = resolveApiBaseUrl();
   const diagnosticId = (0, import_node_crypto8.randomUUID)();
   log.info("doctor", `run id=${diagnosticId} cli=${cliVersion}`);
@@ -27208,7 +27216,7 @@ async function completion(args2) {
 // src/commands/version.ts
 var import_picocolors13 = __toESM(require("picocolors"));
 function version2() {
-  const v = true ? "2.39.13" : "unknown";
+  const v = true ? "2.39.14" : "unknown";
   console.log(`${import_picocolors13.default.bold("codeam-cli")} ${import_picocolors13.default.cyan(v)}`);
 }
@@ -27494,7 +27502,7 @@ function checkForUpdates() {
   if (process.env.CODEAM_DISABLE_UPDATE_CHECK === "1") return;
   if (process.env.CI) return;
   if (!process.stdout.isTTY) return;
-  const current = true ? "2.39.13" : null;
+  const current = true ? "2.39.14" : null;
   if (!current) return;
   const cache = readCache();
   const fresh = cache && Date.now() - cache.fetchedAt < TTL_MS;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codeam-cli",
-  "version": "2.39.13",
+  "version": "2.39.14",
   "description": "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.",
   "type": "commonjs",
   "main": "dist/index.js",