npm - instar - Versions diffs - 0.6.2 → 0.6.4 - Mend

instar 0.6.2 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/core/PostUpdateMigrator.js +39 -0
package/dist/server/middleware.js +11 -2
package/dist/server/routes.js +13 -4
package/package.json +1 -1

package/dist/core/PostUpdateMigrator.js CHANGED Viewed

@@ -163,6 +163,39 @@ Strip the \`[telegram:N]\` prefix before interpreting the message. Respond natur
                 }
             }
         }
+        // Private Viewer + Tunnel section
+        if (!content.includes('Private Viewing') && !content.includes('POST /view')) {
+            const section = `
+**Private Viewing** — Render markdown as auth-gated HTML pages, accessible only through the agent's server (local or via tunnel).
+- Create: \`curl -X POST http://localhost:${port}/view -H 'Content-Type: application/json' -d '{"title":"Report","markdown":"# Private content"}'\`
+- View (HTML): Open \`http://localhost:${port}/view/VIEW_ID\` in a browser
+- List: \`curl http://localhost:${port}/views\`
+- Update: \`curl -X PUT http://localhost:${port}/view/VIEW_ID -H 'Content-Type: application/json' -d '{"title":"Updated","markdown":"# New content"}'\`
+- Delete: \`curl -X DELETE http://localhost:${port}/view/VIEW_ID\`
+**Use private views for sensitive content. Use Telegraph for public content.**
+**Cloudflare Tunnel** — Expose the local server to the internet via Cloudflare. Enables remote access to private views, the API, and file serving.
+- Status: \`curl http://localhost:${port}/tunnel\`
+- Configure in \`.instar/config.json\`: \`{"tunnel": {"enabled": true, "type": "quick"}}\`
+- Quick tunnels (default): Zero-config, ephemeral URL (*.trycloudflare.com), no account needed
+- Named tunnels: Persistent custom domain, requires token from Cloudflare dashboard
+- When a tunnel is running, private view responses include a \`tunnelUrl\` with auth token for browser-clickable access
+`;
+            // Insert after Publishing section or before Scripts section
+            const publishIdx = content.indexOf('**Scripts**');
+            if (publishIdx >= 0) {
+                content = content.slice(0, publishIdx) + section + '\n' + content.slice(publishIdx);
+            }
+            else {
+                content += '\n' + section;
+            }
+            patched = true;
+            result.upgraded.push('CLAUDE.md: added Private Viewer + Cloudflare Tunnel section');
+        }
+        else {
+            result.skipped.push('CLAUDE.md: Private Viewer section already present');
+        }
         if (patched) {
             try {
                 fs.writeFileSync(claudeMdPath, content);
@@ -283,6 +316,12 @@ if [ -f "$INSTAR_DIR/config.json" ]; then
   if [ "$HEALTH" = "200" ]; then
     CONTEXT="\${CONTEXT}Instar server is running on port \${PORT}. Query your capabilities: curl http://localhost:\${PORT}/capabilities\\n"
     CONTEXT="\${CONTEXT}IMPORTANT: Before claiming you lack a capability, check /capabilities first.\\n"
+    # Check for new features
+    CAPS=$(curl -s "http://localhost:\${PORT}/capabilities" 2>/dev/null)
+    if echo "$CAPS" | python3 -c "import sys,json; d=json.load(sys.stdin); print('tunnel' if d.get('tunnel',{}).get('enabled') else '')" 2>/dev/null | grep -q tunnel; then
+      TUNNEL_URL=$(echo "$CAPS" | python3 -c "import sys,json; print(json.load(sys.stdin).get('tunnel',{}).get('url',''))" 2>/dev/null)
+      [ -n "$TUNNEL_URL" ] && CONTEXT="\${CONTEXT}Cloudflare Tunnel active: $TUNNEL_URL — your server is accessible remotely.\\n"
+    fi
   fi
 fi

package/dist/server/middleware.js CHANGED Viewed

@@ -32,12 +32,21 @@ export function authMiddleware(authToken) {
             next();
             return;
         }
+        // Accept token from Authorization header or ?token= query parameter.
+        // Query parameter enables browser-friendly access to rendered views.
         const header = req.headers.authorization;
-        if (!header || !header.startsWith('Bearer ')) {
+        const queryToken = typeof req.query.token === 'string' ? req.query.token : null;
+        let token;
+        if (header?.startsWith('Bearer ')) {
+            token = header.slice(7);
+        }
+        else if (queryToken) {
+            token = queryToken;
+        }
+        else {
             res.status(401).json({ error: 'Missing or invalid Authorization header' });
             return;
         }
-        const token = header.slice(7);
         // Hash both sides so lengths are always equal — prevents timing leak of token length
         const ha = createHash('sha256').update(token).digest();
         const hb = createHash('sha256').update(authToken).digest();

package/dist/server/routes.js CHANGED Viewed

@@ -880,6 +880,16 @@ export function createRoutes(ctx) {
     });
     // ── Private Views (auth-gated rendered markdown) ────────────────
     const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+    /** Build a browser-clickable tunnel URL with token embedded as query param */
+    function viewTunnelUrl(viewId) {
+        const base = ctx.tunnel?.getExternalUrl(`/view/${viewId}`);
+        if (!base)
+            return null;
+        if (ctx.config.authToken) {
+            return `${base}?token=${encodeURIComponent(ctx.config.authToken)}`;
+        }
+        return base;
+    }
     router.post('/view', (req, res) => {
         if (!ctx.viewer) {
             res.status(503).json({ error: 'Private viewer not configured' });
@@ -899,12 +909,11 @@ export function createRoutes(ctx) {
             return;
         }
         const view = ctx.viewer.create(title, markdown);
-        const tunnelUrl = ctx.tunnel?.getExternalUrl(`/view/${view.id}`) ?? null;
         res.status(201).json({
             id: view.id,
             title: view.title,
             localUrl: `/view/${view.id}`,
-            tunnelUrl,
+            tunnelUrl: viewTunnelUrl(view.id),
             createdAt: view.createdAt,
         });
     });
@@ -936,7 +945,7 @@ export function createRoutes(ctx) {
             id: v.id,
             title: v.title,
             localUrl: `/view/${v.id}`,
-            tunnelUrl: ctx.tunnel?.getExternalUrl(`/view/${v.id}`) ?? null,
+            tunnelUrl: viewTunnelUrl(v.id),
             createdAt: v.createdAt,
             updatedAt: v.updatedAt,
         }));
@@ -969,7 +978,7 @@ export function createRoutes(ctx) {
             id: updated.id,
             title: updated.title,
             localUrl: `/view/${updated.id}`,
-            tunnelUrl: ctx.tunnel?.getExternalUrl(`/view/${updated.id}`) ?? null,
+            tunnelUrl: viewTunnelUrl(updated.id),
             updatedAt: updated.updatedAt,
         });
     });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",