codeam-cli 2.39.16 → 2.39.18

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to `codeam-cli` are documented here.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.39.16] — 2026-06-14
+
+### Added
+
+- **jetbrains-plugin:** Proof-of-possession secret for /status + /reconnect (SEC crit1)
+
+## [2.39.15] — 2026-06-14
+
+### Added
+
+- **vsc-plugin:** Proof-of-possession secret for /status + /reconnect (SEC crit1)
+
 ## [2.39.14] — 2026-06-14
 
 ### Added

package/dist/index.js

@@ -498,7 +498,7 @@ var import_qrcode_terminal = __toESM(require("qrcode-terminal"));
 // package.json
 var package_default = {
   name: "codeam-cli",
-  version: "2.39.16",
+  version: "2.39.18",
   description: "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device \u2014 async. The terminal companion for CodeAgent Mobile.",
   type: "commonjs",
   main: "dist/index.js",
@@ -989,7 +989,7 @@ async function _postJson(url, body, extraHeaders) {
     req.end();
   });
 }
-async function _getJson(url) {
+async function _getJson(url, extraHeaders) {
   return new Promise((resolve7, reject) => {
     const u2 = new URL(url);
     const transport = u2.protocol === "https:" ? https : http;
@@ -999,7 +999,7 @@ async function _getJson(url) {
         port: u2.port || (u2.protocol === "https:" ? 443 : 80),
         path: u2.pathname + u2.search,
         method: "GET",
-        headers: { ...vercelBypassHeader() },
+        headers: { ...vercelBypassHeader(), ...extraHeaders ?? {} },
         timeout: 1e4
       },
       (res) => {
@@ -5908,7 +5908,7 @@ function readAnonId() {
 }
 function superProperties() {
   return {
-    cliVersion: true ? "2.39.16" : "0.0.0-dev",
+    cliVersion: true ? "2.39.18" : "0.0.0-dev",
     nodeVersion: process.version,
     platform: process.platform,
     arch: process.arch,
@@ -6111,7 +6111,12 @@ var CommandRelayService = class {
         port: url.port || (url.protocol === "https:" ? 443 : 80),
         path: `${url.pathname}${url.search}`,
         method: "GET",
-        headers: { Accept: "text/event-stream", "Cache-Control": "no-cache", ...vercelBypassHeader() },
+        headers: {
+          Accept: "text/event-stream",
+          "Cache-Control": "no-cache",
+          ...vercelBypassHeader(),
+          ...this.pollSecretHeader()
+        },
         timeout: 35e3
       },
       (res) => {
@@ -6264,9 +6269,27 @@ var CommandRelayService = class {
       this.pollTimer = setTimeout(() => this.pollLoop(), delay);
     }
   }
+  // SEC crit1 (#8): the command-delivery endpoints are gated on the
+  // per-pairing pollSecret when the backend enforces it. Look it up from
+  // the persisted session (keyed by this relay's pluginId) and replay it
+  // as X-Plugin-Poll-Secret. Empty {} for legacy sessions / older
+  // backends (which ignore it).
+  pollSecretHeader() {
+    try {
+      const secret = loadCliConfig().sessions.find(
+        (s) => s.pluginId === this.pluginId
+      )?.pollSecret;
+      return secret ? { "X-Plugin-Poll-Secret": secret } : {};
+    } catch {
+      return {};
+    }
+  }
   async pollOnce() {
     try {
-      const data = await _getJson(`${API_BASE2}/api/commands/pending?pluginId=${this.pluginId}`);
+      const data = await _getJson(
+        `${API_BASE2}/api/commands/pending?pluginId=${this.pluginId}`,
+        this.pollSecretHeader()
+      );
       const commands = data?.data;
       this.pollFailures = 0;
       if (!Array.isArray(commands) || commands.length === 0) {
@@ -16661,7 +16684,7 @@ var http4 = __toESM(require("http"));
 var API_BASE3 = resolveApiBaseUrl();
 var PAIR_TIMEOUT_MS = 5 * 60 * 1e3;
 var dispatchers = /* @__PURE__ */ new Set();
-function subscribeToPairCompletion(pluginId, onPaired, onTimeout) {
+function subscribeToPairCompletion(pluginId, onPaired, onTimeout, pollSecret) {
   let stopped = false;
   let req = null;
   let timeoutTimer = null;
@@ -16696,7 +16719,8 @@ function subscribeToPairCompletion(pluginId, onPaired, onTimeout) {
         headers: {
           Accept: "text/event-stream",
           "Cache-Control": "no-cache",
-          ...vercelBypassHeader()
+          ...vercelBypassHeader(),
+          ...pollSecret ? { "X-Plugin-Poll-Secret": pollSecret } : {}
         },
         timeout: 35e3
       },
@@ -23022,7 +23046,7 @@ function parseJsonl(filePath) {
   }
   return messages;
 }
-function post(endpoint, body) {
+function post(endpoint, body, pluginAuthToken) {
   return new Promise((resolve7) => {
     const payload = JSON.stringify(body);
     const u2 = new URL(`${API_BASE8}${endpoint}`);
@@ -23036,7 +23060,11 @@ function post(endpoint, body) {
         headers: {
           "Content-Type": "application/json",
           "Content-Length": Buffer.byteLength(payload),
-          ...vercelBypassHeader()
+          ...vercelBypassHeader(),
+          // SEC crit1 (#819): authenticate conversation-history writes so
+          // the backend can verify the (sessionId, pluginId) ownership.
+          // Older backends ignore the header.
+          ...pluginAuthToken ? { "X-Plugin-Auth-Token": pluginAuthToken } : {}
         },
         timeout: 15e3
       },
@@ -23065,6 +23093,7 @@ var HistoryService = class _HistoryService {
     this.pluginId = pluginId;
     this.cwd = cwd;
     this.runtime = runtime;
+    this.pluginAuthToken = options?.pluginAuthToken;
     this.bootTimeMs = options?.bootTimeMs ?? Date.now();
   }
   pluginId;
@@ -23101,6 +23130,7 @@ var HistoryService = class _HistoryService {
    */
   static BIRTHTIME_GRACE_MS = 5e3;
   runtime;
+  pluginAuthToken;
   /** Store rate limit reset info detected from Claude Code output */
   setRateLimitReset(reset) {
     this._rateLimitReset = reset;
@@ -23340,11 +23370,15 @@ var HistoryService = class _HistoryService {
     }
     const sessions3 = this.runtime.listResumableSessions(this.cwd);
     if (sessions3.length === 0) return;
-    await post("/api/sessions/list", {
-      pluginId: this.pluginId,
-      agentId: this.runtime.id,
-      sessions: sessions3
-    });
+    await post(
+      "/api/sessions/list",
+      {
+        pluginId: this.pluginId,
+        agentId: this.runtime.id,
+        sessions: sessions3
+      },
+      this.pluginAuthToken
+    );
   }
   /**
    * Read a specific session's full conversation and POST it to the API in batches.
@@ -23374,10 +23408,10 @@ var HistoryService = class _HistoryService {
         batchIndex: i,
         totalBatches
       };
-      let ok = await post("/api/sessions/conversation", body);
+      let ok = await post("/api/sessions/conversation", body, this.pluginAuthToken);
       for (let attempt = 0; !ok && attempt < RETRY_DELAYS.length; attempt++) {
         await new Promise((r) => setTimeout(r, RETRY_DELAYS[attempt]));
-        ok = await post("/api/sessions/conversation", body);
+        ok = await post("/api/sessions/conversation", body, this.pluginAuthToken);
       }
       if (!ok) {
         throw new Error(`Failed to upload conversation batch ${i + 1}/${totalBatches} after all retries`);
@@ -23428,7 +23462,7 @@ var HistoryService = class _HistoryService {
       messages: newMessages,
       mode: "append"
     };
-    const ok = await post("/api/sessions/conversation", body);
+    const ok = await post("/api/sessions/conversation", body, this.pluginAuthToken);
     if (ok) {
       const last = newMessages[newMessages.length - 1];
       this.lastUploadedUuid.set(sessionId, last.id);
@@ -24018,7 +24052,9 @@ async function start(requestedAgent) {
     showInfo("CODEAM_ACP_DISABLED is set \u2014 running the legacy PTY pipeline.");
   }
   const runtime = createRuntimeStrategy(session.agent);
-  const historySvc = new HistoryService(runtime, pluginId, cwd);
+  const historySvc = new HistoryService(runtime, pluginId, cwd, {
+    pluginAuthToken: session.pluginAuthToken
+  });
   const keepAliveCtx = {
     inCodespace: process.env.CODESPACES === "true",
     codespaceName: process.env.CODESPACE_NAME
@@ -24340,7 +24376,10 @@ async function pair(args2 = []) {
         capture("pair_timed_out", { agentId, pluginId });
         showError("Pairing timed out after 5 minutes. Run codeam pair to try again.");
         process.exit(1);
-      }
+      },
+      // SEC crit1 (#8): replay this pairing's secret on the pre-pair
+      // subscription so it passes the command-endpoint gate when enforced.
+      pollSecret
     );
     process.once("SIGINT", sigintHandler);
   });
@@ -27017,7 +27056,7 @@ function checkChokidar() {
 }
 async function doctor(args2 = []) {
   const json = args2.includes("--json");
-  const cliVersion = true ? "2.39.16" : "0.0.0-dev";
+  const cliVersion = true ? "2.39.18" : "0.0.0-dev";
   const apiBase = resolveApiBaseUrl();
   const diagnosticId = (0, import_node_crypto8.randomUUID)();
   log.info("doctor", `run id=${diagnosticId} cli=${cliVersion}`);
@@ -27216,7 +27255,7 @@ async function completion(args2) {
 // src/commands/version.ts
 var import_picocolors13 = __toESM(require("picocolors"));
 function version2() {
-  const v = true ? "2.39.16" : "unknown";
+  const v = true ? "2.39.18" : "unknown";
   console.log(`${import_picocolors13.default.bold("codeam-cli")} ${import_picocolors13.default.cyan(v)}`);
 }
 
@@ -27502,7 +27541,7 @@ function checkForUpdates() {
   if (process.env.CODEAM_DISABLE_UPDATE_CHECK === "1") return;
   if (process.env.CI) return;
   if (!process.stdout.isTTY) return;
-  const current = true ? "2.39.16" : null;
+  const current = true ? "2.39.18" : null;
   if (!current) return;
   const cache = readCache();
   const fresh = cache && Date.now() - cache.fetchedAt < TTL_MS;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeam-cli",
-  "version": "2.39.16",
+  "version": "2.39.18",
   "description": "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.",
   "type": "commonjs",
   "main": "dist/index.js",