npm - een-api-toolkit - Versions diffs - 0.3.69 → 0.3.78 - Mend

een-api-toolkit 0.3.69 → 0.3.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +83 -51
package/README.md +2 -0
package/dist/index.cjs +3 -3
package/dist/index.cjs.map +1 -1
package/dist/index.js +398 -370
package/dist/index.js.map +1 -1
package/docs/AI-CONTEXT.md +1 -1
package/docs/ai-reference/AI-AUTH.md +1 -1
package/docs/ai-reference/AI-AUTOMATIONS.md +1 -1
package/docs/ai-reference/AI-DEVICES.md +1 -1
package/docs/ai-reference/AI-EVENT-DATA-SCHEMAS.md +1 -1
package/docs/ai-reference/AI-EVENTS.md +1 -1
package/docs/ai-reference/AI-GROUPING.md +1 -1
package/docs/ai-reference/AI-JOBS.md +1 -1
package/docs/ai-reference/AI-MEDIA.md +1 -1
package/docs/ai-reference/AI-SETUP.md +1 -1
package/docs/ai-reference/AI-USERS.md +1 -1
package/package.json +5 -5

package/CHANGELOG.md CHANGED Viewed

@@ -2,72 +2,94 @@
 All notable changes to this project will be documented in this file.
-## [0.3.69] - 2026-02-10
+## [0.3.78] - 2026-02-12
 ### Release Summary
-#### PR #92: Release v0.3.66 - GitHub Issues Resolution & vue-feeds Fix
-## Release v0.3.66
+#### PR #102: Release v0.3.69: CI improvements and dependency management
+## Summary
+- Dynamic E2E test matrix discovery (auto-detects example apps with `playwright.config.ts`)
+- Added missing `vue-jobs` to CI E2E testing
+- Dependabot configuration for automated dependency updates
+- Pinned GitHub Actions to immutable commit SHAs for supply chain security
-This PR merges develop into production with GitHub issue resolutions, automation improvements, and critical bug fixes.
+## Commits
+- `474e9bb` ci: Dynamically discover example apps for E2E matrix
+- `ad3f318` fix: pin GitHub Actions to immutable commit SHAs
+- `cc706d8` chore: add Dependabot configuration for automated dependency updates
+- `24a385b` Merge PR #95 (workflow SHA pinning security fix)
-### Summary
+## Test Results
+- **Lint**: Passed (0 errors, 1 warning)
+- **Unit tests**: 619/619 passed
+- **Build**: Successful
+- **E2E tests**: 11/11 example apps passed (1 transient OAuth timeout on vue-users, passed on rerun)
-- Resolved all 7 open GitHub issues
-- Automated event data schemas documentation generation
-- Fixed vue-feeds navigation reactivity issue
-- Added camera utility functions
-- Improved accessibility with aria-labels
+## Security Review
+Changes are CI/infrastructure only (workflow files, dependabot config). No source code changes. No security vulnerabilities.
-### Changes
+## Version
+`v0.3.69`
-**Closed Issues:**
-- ✅ #84 - Added aria-label to JSON viewer button for screen reader accessibility
-- ✅ #70 - Implemented getCameraStatusString() utility function
-- ✅ #71 - Implemented isStatusObject() TypeScript type guard
-- ✅ #87 - Documented auto-generated vs manually maintained files
-- ✅ #89 - Fully automated event data schemas documentation generation
-- ❌ #85 - Closed as won't-do (JSON viewer E2E tests)
-- ❌ #76 - Closed as won't-do (datetime persistence test timezone)
+#### PR #106: Release v0.3.70: Fix Dependabot TypeScript minor version ignore
+## Summary
-**New Features:**
-- `src/utils/camera.ts` - Camera status utility functions with full JSDoc
-- `scripts/generate-event-data-schemas-doc.ts` - Auto-generates AI-EVENT-DATA-SCHEMAS.md from TypeScript source
-- CLAUDE.md documentation section explaining auto-generated vs manual files
+- Re-add `semver-minor` ignore for TypeScript in Dependabot config to prevent unwanted 5.8→5.9 bump PRs
+- Dependabot modifies `package.json` directly, bypassing the `~5.8.x` constraint — must be blocked at the Dependabot level
+- Addresses review feedback from PR #102 and closes Dependabot PR #104
+- Documentation updates: fix inaccuracies in CLAUDE.md and README.md, regenerate API docs
+- Remove misleading auto-merge comment, add CodeQL and SHA pinning guidance to CLAUDE.md
-**Bug Fixes:**
-- Fixed vue-feeds navigation not appearing after OAuth login (computed property for reactivity)
-- Updated all example app READMEs with accurate function lists
+## Changes
-### Test Results
+- `.github/dependabot.yml` - Re-add semver-minor to TypeScript ignore, clarify comments
+- `.github/workflows/validate-pr.yml` - Add validation to discover-examples job
+- `.github/workflows/claude-code-review.yml` - Update SHA version comment to v1.0.48
+- `CLAUDE.md` - Fix 7 documentation inaccuracies, add SHA pinning guidance
+- `README.md` - Add vue-automations and vue-jobs to examples table
+- `docs/` - Regenerated API docs and AI reference docs
-**✅ Passed (8 of 11 apps - 148 tests):**
-- vue-alerts-metrics: 20 tests
-- vue-automations: 24 tests
-- vue-bridges: 13 tests
-- vue-event-subscriptions: 15 tests
-- vue-events: 16 tests
-- **vue-feeds: 12 tests** ✅ (Main fix verified)
-- vue-jobs: 34 tests
-- vue-users: 14 tests
+## Test Results
-**Note:** 3 apps failed due to OAuth rate limiting (vue-cameras) and test config issues (vue-layouts, vue-media) - not related to code changes.
+- **Lint**: Passed (0 errors, 1 warning)
+- **Unit tests**: 619/619 passed
+- **Build**: Successful
+- **E2E tests**: 11/11 example apps passed
-### Security Review
+## Security Review
-✅ Security review completed - No vulnerabilities found
-- All file operations use safe path handling
-- No command injection risks
-- Regex patterns safe from ReDoS
-- Vue components follow framework security best practices
+No source code changes — infrastructure and documentation only. No security concerns.
-### Version
+## Version
-v0.3.66 (auto-incremented from 0.3.64 via Husky pre-commit hooks)
+v0.3.70
----
+#### PR #108: Release v0.3.76: Hostname validation security hardening
+## Summary
+- **Security Fix**: Validate hostname against EEN domain allowlist to prevent token exfiltration via malicious base URL injection
+- **Hardening**: Fail-secure on tampered storage - clears all auth data when poisoned hostname/port detected
+- **Validation**: Port validation (1-65535 range), protocol bypass prevention, subdomain spoofing protection
+- **Tests**: Comprehensive hostname validation test suite for auth store (46 new tests)
+- **Robustness**: Added `isAllowedEenHostname` utility with falsy guard, console.warn for rejected hostnames, `@internal` JSDoc tag on `ALLOWED_DOMAINS`
+## Commits
+- fix: Validate hostname against EEN domain allowlist to prevent token exfiltration
+- test: Add hostname validation tests for auth store security fix
+- docs: Add @internal JSDoc tag to ALLOWED_DOMAINS constant
+- fix: Use console.warn for rejected hostname validation messages
+- fix: Add falsy guard to isAllowedEenHostname for robustness
+- fix: harden hostname/port validation and fail-secure on tampered storage
+## Test Results
+- **Lint**: Passed (1 warning - pre-existing)
+- **Unit Tests**: 639 passed (23 test files)
+- **Build**: Successful (ESM + CJS)
+- **E2E Tests**: All 11 example apps passed
+## Version
+`0.3.76`
-Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
 #### PR #94: Release v0.3.69: SSRF protection fix with test coverage
 ## Summary
@@ -95,12 +117,22 @@ The only source code change is the SSRF protection in `src/media/service.ts` whi
 ### Detailed Changes
 #### Bug Fixes
-- fix: Update media tests for SSRF domain validation and add coverage
-- Fix AUTH_BYPASS vulnerability in initMediaSession()
+- fix: Repair broken JSDoc comment in hostname.ts
+- fix: Address code review concerns for PR #108
+- fix: harden hostname/port validation and fail-secure on tampered storage
+- fix: Add falsy guard to isAllowedEenHostname for robustness
+- fix: Use console.warn for rejected hostname validation messages
+- fix: Validate hostname against EEN domain allowlist to prevent token exfiltration
+- fix: Re-add semver-minor ignore for TypeScript in Dependabot
+#### Other Changes
+- Update src/utils/hostname.ts
+- docs: Add @internal JSDoc tag to ALLOWED_DOMAINS constant
+- test: Add hostname validation tests for auth store security fix
 ### Links
 - [npm package](https://www.npmjs.com/package/een-api-toolkit)
-- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.67...v0.3.69)
+- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.70...v0.3.78)
 ---
-*Released: 2026-02-10 17:09:15 CST*
+*Released: 2026-02-12 20:28:23 CST*

package/README.md CHANGED Viewed

@@ -215,6 +215,8 @@ The `examples/` directory contains complete Vue 3 applications demonstrating too
 | **[vue-events](./examples/vue-events/)** | Event listing with bounding box overlays | `listEvents()`, `listEventTypes()`, `listEventFieldValues()`, `getRecordedImage()` |
 | **[vue-alerts-metrics](./examples/vue-alerts-metrics/)** | Event metrics, alerts, and notifications dashboard | `getEventMetrics()`, `listAlerts()`, `listAlertTypes()`, `listNotifications()` |
 | **[vue-event-subscriptions](./examples/vue-event-subscriptions/)** | Real-time event streaming with SSE | `listEventSubscriptions()`, `createEventSubscription()`, `deleteEventSubscription()`, `connectToEventSubscription()` |
+| **[vue-automations](./examples/vue-automations/)** | Automation rules and alert actions | `listEventAlertConditionRules()`, `listAlertConditionRules()`, `listAlertActionRules()`, `listAlertActions()` |
+| **[vue-jobs](./examples/vue-jobs/)** | Job management, exports, and file downloads | `listJobs()`, `getJob()`, `createExportJob()`, `listFiles()`, `downloadFile()` |
 Each example includes:
 - Complete OAuth authentication flow