gamedev 0.2.2 → 0.2.4

package/build/public/admin.html

@@ -25,14 +25,14 @@
     <meta name="apple-mobile-web-app-capable" content="yes" />
     <meta name="mobile-web-app-capable" content="yes" />
     <link rel="preload" href="/SpaceMono-regular.woff2" as="font" type="font/woff2" crossorigin />
-    <link rel="stylesheet" type="text/css" href="/index.css?v=1774736577741" />
+    <link rel="stylesheet" type="text/css" href="/index.css?v=1774801170959" />
     <script>
       window.PARTICLES_PATH = '/particles-4YQR4CFO.js'
     </script>
   </head>
   <body>
     <div id="root"></div>
-    <script src="/env.js?v=1774736577741"></script>
+    <script src="/env.js?v=1774801170959"></script>
     <script src="/admin-3ATEWWG5.js" type="module"></script>
   </body>
 </html>

package/build/public/index.html

@@ -44,14 +44,14 @@
     <meta name="theme-color" content="#ffffff"> -->
 
     <link rel="preload" href="/SpaceMono-regular.woff2" as="font" type="font/woff2" crossorigin />
-    <link rel="stylesheet" type="text/css" href="/index.css?v=1774736577740" />
+    <link rel="stylesheet" type="text/css" href="/index.css?v=1774801170822" />
     <script>
       window.PARTICLES_PATH = '/particles-4YQR4CFO.js'
     </script>
   </head>
   <body>
     <div id="root"></div>
-    <script src="/env.js?v=1774736577740"></script>
+    <script src="/env.js?v=1774801170822"></script>
     <script src="/index-4H3CVLQ5.js" type="module"></script>
   </body>
 </html>

package/docs/App-server.md

@@ -12,7 +12,8 @@ App-server is the dev server that syncs local files to a world via `/admin`. It
     - direct runtime: `http://localhost:3000`
     - platform slug proxy: `https://<host>/worlds/<slug>`
   - `WORLD_ID` (must match the target worldId)
-- Run `gamedev auth` once in the project to cache a browser-authenticated world token in `.lobby/auth.json`.
+- Run `gamedev auth` or start `gamedev dev`/`gamedev app-server` once in the project to cache a browser-authenticated world token in `.lobby/auth.json`.
+  Continuous script sync requires deploy access; if the cached token only has builder access, the CLI will prompt for stronger auth.
 - `ADMIN_CODE` is no longer used by the CLI or app-server. On standalone worlds it is only for in-world `/admin <code>` privilege escalation. Bootstrapped worlds ignore admin-code auth and rely on account roles instead.
 
 ---
@@ -130,7 +131,7 @@ For prod targets, the CLI asks for confirmation unless you pass `--yes`.
 ### Troubleshooting
 
 - Bootstrap didn’t happen: ensure the target world is empty/default or run `gamedev world export` (add `--include-built-scripts` for legacy single-file apps).
-- Unauthorized: rerun `gamedev auth`, then confirm the signed-in account has builder or admin access in the world.
+- Unauthorized: rerun `gamedev auth`, then confirm the signed-in account has deploy access in the world.
 - Script updates rejected: confirm the signed-in account has deploy access and the deploy lock is free.
 - WORLD_ID mismatch: set `WORLD_ID` to match the target world id.
 - Changes not appearing: confirm `apps/<appName>/index.js` (or blueprint JSON) is being edited and app-server is connected.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gamedev",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "type": "module",
   "main": "index.node.js",
   "types": "index.d.ts",

package/src/server/admin.js

@@ -10,7 +10,7 @@ import {
   handleRuntimeCredentialCommand,
 } from './adminCredentials.js'
 import { ADMIN_SHUTDOWN_COMMAND, handleAdminShutdownCommand } from './adminShutdown.js'
-import { hasSupportedAdminCode } from './runtimeBootstrap.js'
+import { allowsOpenAdminAccess, hasSupportedAdminCode } from './runtimeBootstrap.js'
 import { describeWebSocketConnection, resolveWebSocketConnection } from './websocketConnection.js'
 import { getMaxUploadSizeBytes, getMaxUploadSizeMb } from './worldLimits.js'
 
@@ -390,6 +390,9 @@ export async function admin(
   }
 
   async function getCapabilitiesFromAuthToken(token) {
+    if (allowsOpenAdminAccess(process.env)) {
+      return { builder: true, deploy: true }
+    }
     if (!token || !db) return { builder: false, deploy: false }
     const worldId = world?.network?.worldId || process.env.WORLD_ID
     const claims = await readJWT(token, { worldId })
@@ -828,9 +831,10 @@ export async function admin(
             ws.close()
             return
           }
+          const openAdminAccess = allowsOpenAdminAccess(process.env)
           const codeCapabilities = getCapabilitiesFromAdminCode(data?.code)
-          let builderOk = codeCapabilities.builder
-          let deployOk = codeCapabilities.deploy
+          let builderOk = openAdminAccess || codeCapabilities.builder
+          let deployOk = openAdminAccess || codeCapabilities.deploy
           if (!builderOk || !deployOk) {
             const payloadToken = typeof data?.authToken === 'string' ? data.authToken.trim() : ''
             const headerToken = getRuntimeAuthTokenFromRequest(req) || ''

package/src/server/cliAuth.js

@@ -243,17 +243,13 @@ export async function createStandaloneGuestSession({
 }
 
 export function buildCliAuthPage({
-  callbackUrl,
   sessionId,
-  state,
   worldId,
   requiredCapability = 'builder',
   publicAuthUrl = null,
 } = {}) {
   const config = JSON.stringify({
-    callbackUrl: normalizeString(callbackUrl),
     sessionId: normalizeString(sessionId),
-    state: normalizeString(state),
     worldId: normalizeString(worldId),
     requiredCapability: normalizeString(requiredCapability) || 'builder',
     publicAuthUrl: hasValue(publicAuthUrl) ? publicAuthUrl.trim() : null,
@@ -643,18 +639,6 @@ export function buildCliAuthPage({
         return !!capabilities?.builder
       }
 
-      function validateCallbackUrl(value) {
-        try {
-          const parsed = new URL(value)
-          const hostname = parsed.hostname
-          if (!hostname) return null
-          if (hostname !== '127.0.0.1' && hostname !== 'localhost' && hostname !== '::1') return null
-          return parsed.toString()
-        } catch {
-          return null
-        }
-      }
-
       async function fetchStatus(token) {
         const response = await fetch(\`\${apiBaseUrl()}/auth/cli/status\`, {
           headers: {
@@ -712,47 +696,24 @@ export function buildCliAuthPage({
         return token
       }
 
-      async function submitToken(token, status) {
-        if (config.sessionId) {
-          const response = await fetch(\`\${apiBaseUrl()}/auth/cli/session/\${encodeURIComponent(config.sessionId)}\`, {
-            method: 'POST',
-            headers: {
-              'content-type': 'application/json',
-              accept: 'application/json',
-            },
-            body: JSON.stringify({
-              worldUrl: worldRootUrl(),
-              authToken: token,
-            }),
-          })
-          if (!response.ok) {
-            const payload = await response.json().catch(() => null)
-            throw new Error(payload?.error || 'session_complete_failed')
-          }
-          return
+      async function submitToken(token) {
+        if (!config.sessionId) {
+          throw new Error('Invalid session id')
         }
-
-        const callbackUrl = validateCallbackUrl(config.callbackUrl)
-        if (!callbackUrl) {
-          throw new Error('Invalid callback URL')
-        }
-        const response = await fetch(callbackUrl, {
+        const response = await fetch(\`\${apiBaseUrl()}/auth/cli/session/\${encodeURIComponent(config.sessionId)}\`, {
           method: 'POST',
           headers: {
             'content-type': 'application/json',
+            accept: 'application/json',
           },
           body: JSON.stringify({
-            state: config.state,
-            worldId: status?.worldId || config.worldId || '',
             worldUrl: worldRootUrl(),
             authToken: token,
-            user: status?.user || null,
-            capabilities: status?.capabilities || null,
           }),
         })
         if (!response.ok) {
           const payload = await response.json().catch(() => null)
-          throw new Error(payload?.error || 'callback_failed')
+          throw new Error(payload?.error || 'session_complete_failed')
         }
       }
 
@@ -794,7 +755,7 @@ export function buildCliAuthPage({
               'success'
             )
             setHint('Permission confirmed. The CLI is storing this world token locally.', 'success')
-            await submitToken(token, status)
+            await submitToken(token)
             clearInterval(polling)
             setTimeout(() => {
               window.close()

package/src/server/index.js

@@ -1117,21 +1117,17 @@ async function handleCliAuthPage(req, reply) {
   if (!isRuntimeReady(runtimeState)) {
     return sendRuntimeNotReady(reply, runtimeState, { html: true })
   }
-  const callbackUrl = typeof req.query?.callback === 'string' ? req.query.callback.trim() : ''
   const sessionId = typeof req.query?.session === 'string' ? req.query.session.trim() : ''
-  const state = typeof req.query?.state === 'string' ? req.query.state.trim() : ''
   const worldId = typeof req.query?.worldId === 'string' ? req.query.worldId.trim() : resolveBoundWorldId() || ''
   const requiredCapability = typeof req.query?.required === 'string' ? req.query.required.trim() : 'builder'
-  if (!sessionId && (!callbackUrl || !state)) {
+  if (!sessionId) {
     return reply.code(400).type('text/html').send(
-      '<!doctype html><html><body>Missing session or callback parameters.</body></html>'
+      '<!doctype html><html><body>Missing session.</body></html>'
     )
   }
   reply.type('text/html').send(
     buildCliAuthPage({
-      callbackUrl,
       sessionId,
-      state,
       worldId,
       requiredCapability,
       publicAuthUrl: process.env.PUBLIC_AUTH_URL || null,