npm - instar - Versions diffs - 0.6.3 → 0.6.5 - Mend

instar 0.6.3 → 0.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/core/PostUpdateMigrator.js +39 -0
package/dist/core/SessionManager.js +11 -2
package/dist/server/middleware.d.ts +5 -0
package/dist/server/middleware.js +26 -1
package/dist/server/routes.js +16 -5
package/package.json +1 -1

package/dist/core/PostUpdateMigrator.js CHANGED Viewed

@@ -163,6 +163,39 @@ Strip the \`[telegram:N]\` prefix before interpreting the message. Respond natur
                 }
             }
         }
+        // Private Viewer + Tunnel section
+        if (!content.includes('Private Viewing') && !content.includes('POST /view')) {
+            const section = `
+**Private Viewing** — Render markdown as auth-gated HTML pages, accessible only through the agent's server (local or via tunnel).
+- Create: \`curl -X POST http://localhost:${port}/view -H 'Content-Type: application/json' -d '{"title":"Report","markdown":"# Private content"}'\`
+- View (HTML): Open \`http://localhost:${port}/view/VIEW_ID\` in a browser
+- List: \`curl http://localhost:${port}/views\`
+- Update: \`curl -X PUT http://localhost:${port}/view/VIEW_ID -H 'Content-Type: application/json' -d '{"title":"Updated","markdown":"# New content"}'\`
+- Delete: \`curl -X DELETE http://localhost:${port}/view/VIEW_ID\`
+**Use private views for sensitive content. Use Telegraph for public content.**
+**Cloudflare Tunnel** — Expose the local server to the internet via Cloudflare. Enables remote access to private views, the API, and file serving.
+- Status: \`curl http://localhost:${port}/tunnel\`
+- Configure in \`.instar/config.json\`: \`{"tunnel": {"enabled": true, "type": "quick"}}\`
+- Quick tunnels (default): Zero-config, ephemeral URL (*.trycloudflare.com), no account needed
+- Named tunnels: Persistent custom domain, requires token from Cloudflare dashboard
+- When a tunnel is running, private view responses include a \`tunnelUrl\` with auth token for browser-clickable access
+`;
+            // Insert after Publishing section or before Scripts section
+            const publishIdx = content.indexOf('**Scripts**');
+            if (publishIdx >= 0) {
+                content = content.slice(0, publishIdx) + section + '\n' + content.slice(publishIdx);
+            }
+            else {
+                content += '\n' + section;
+            }
+            patched = true;
+            result.upgraded.push('CLAUDE.md: added Private Viewer + Cloudflare Tunnel section');
+        }
+        else {
+            result.skipped.push('CLAUDE.md: Private Viewer section already present');
+        }
         if (patched) {
             try {
                 fs.writeFileSync(claudeMdPath, content);
@@ -283,6 +316,12 @@ if [ -f "$INSTAR_DIR/config.json" ]; then
   if [ "$HEALTH" = "200" ]; then
     CONTEXT="\${CONTEXT}Instar server is running on port \${PORT}. Query your capabilities: curl http://localhost:\${PORT}/capabilities\\n"
     CONTEXT="\${CONTEXT}IMPORTANT: Before claiming you lack a capability, check /capabilities first.\\n"
+    # Check for new features
+    CAPS=$(curl -s "http://localhost:\${PORT}/capabilities" 2>/dev/null)
+    if echo "$CAPS" | python3 -c "import sys,json; d=json.load(sys.stdin); print('tunnel' if d.get('tunnel',{}).get('enabled') else '')" 2>/dev/null | grep -q tunnel; then
+      TUNNEL_URL=$(echo "$CAPS" | python3 -c "import sys,json; print(json.load(sys.stdin).get('tunnel',{}).get('url',''))" 2>/dev/null)
+      [ -n "$TUNNEL_URL" ] && CONTEXT="\${CONTEXT}Cloudflare Tunnel active: $TUNNEL_URL — your server is accessible remotely.\\n"
+    fi
   fi
 fi

package/dist/core/SessionManager.js CHANGED Viewed

@@ -150,13 +150,22 @@ export class SessionManager extends EventEmitter {
             return false;
         // Verify Claude process is running inside the tmux session
         try {
-            const paneCmd = execFileSync(this.config.tmuxPath, ['display-message', '-t', `=${tmuxSession}:`, '-p', '#{pane_current_command}'], { encoding: 'utf-8', timeout: 5000 }).trim();
+            const paneInfo = execFileSync(this.config.tmuxPath, ['display-message', '-t', `=${tmuxSession}:`, '-p', '#{pane_current_command}||#{pane_start_command}'], { encoding: 'utf-8', timeout: 5000 }).trim();
+            const [paneCmd, startCmd] = paneInfo.split('||');
             // Claude Code runs as 'claude' or 'node' process
             if (paneCmd && (paneCmd.includes('claude') || paneCmd.includes('node'))) {
                 return true;
             }
-            // If pane command is bash/zsh/sh, Claude may have exited — session is dead
+            // If pane command is bash/zsh/sh, check whether the session was launched
+            // with a direct command (e.g., a bash script as claudePath). In that case
+            // bash IS the expected running process — not a leftover shell after Claude exits.
+            // tmux kills sessions launched with direct commands when the command exits,
+            // so if has-session succeeds and start_command is non-empty, it's still running.
             if (paneCmd === 'bash' || paneCmd === 'zsh' || paneCmd === 'sh') {
+                if (startCmd && startCmd !== paneCmd) {
+                    // Session was launched with a specific command (not a bare shell) — still alive
+                    return true;
+                }
                 return false;
             }
             // For any other command, assume alive (could be a Claude subprocess)

package/dist/server/middleware.d.ts CHANGED Viewed

@@ -18,5 +18,10 @@ export declare function rateLimiter(windowMs?: number, maxRequests?: number): (r
  * Returns 408 if the request takes longer than the timeout.
  */
 export declare function requestTimeout(timeoutMs?: number): (req: Request, res: Response, next: NextFunction) => void;
+/**
+ * HMAC-sign a view path so the URL can be opened in a browser without exposing the auth token.
+ * The signature is path-specific — sharing a signed URL only grants access to that one view.
+ */
+export declare function signViewPath(viewPath: string, authToken: string): string;
 export declare function errorHandler(err: unknown, _req: Request, res: Response, _next: NextFunction): void;
 //# sourceMappingURL=middleware.d.ts.map

package/dist/server/middleware.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Express middleware — JSON parsing, CORS, auth, error handling.
  */
-import { createHash, timingSafeEqual } from 'node:crypto';
+import { createHash, createHmac, timingSafeEqual } from 'node:crypto';
 export function corsMiddleware(req, res, next) {
     // Restrict CORS to localhost origins only — this is a local management API
     const origin = req.headers.origin;
@@ -32,6 +32,14 @@ export function authMiddleware(authToken) {
             next();
             return;
         }
+        // View routes support signed URLs for browser access (see ?sig= below)
+        if (req.path.startsWith('/view/') && req.method === 'GET') {
+            const sig = typeof req.query.sig === 'string' ? req.query.sig : null;
+            if (sig && verifyViewSignature(req.path, sig, authToken)) {
+                next();
+                return;
+            }
+        }
         const header = req.headers.authorization;
         if (!header || !header.startsWith('Bearer ')) {
             res.status(401).json({ error: 'Missing or invalid Authorization header' });
@@ -108,6 +116,23 @@ export function requestTimeout(timeoutMs = 30_000) {
         next();
     };
 }
+/**
+ * HMAC-sign a view path so the URL can be opened in a browser without exposing the auth token.
+ * The signature is path-specific — sharing a signed URL only grants access to that one view.
+ */
+export function signViewPath(viewPath, authToken) {
+    return createHmac('sha256', authToken).update(viewPath).digest('hex');
+}
+/**
+ * Verify a signed view URL. Returns true if the sig matches the path.
+ */
+function verifyViewSignature(viewPath, sig, authToken) {
+    const expected = createHmac('sha256', authToken).update(viewPath).digest();
+    const provided = Buffer.from(sig, 'hex');
+    if (expected.length !== provided.length)
+        return false;
+    return timingSafeEqual(expected, provided);
+}
 export function errorHandler(err, _req, res, _next) {
     const message = err instanceof Error ? err.message : String(err);
     console.error(`[server] Error: ${message}`);

package/dist/server/routes.js CHANGED Viewed

@@ -9,7 +9,7 @@ import { execFileSync } from 'node:child_process';
 import { createHash, timingSafeEqual } from 'node:crypto';
 import fs from 'node:fs';
 import path from 'node:path';
-import { rateLimiter } from './middleware.js';
+import { rateLimiter, signViewPath } from './middleware.js';
 // Validation patterns for route parameters
 const SESSION_NAME_RE = /^[a-zA-Z0-9_-]{1,200}$/;
 const JOB_SLUG_RE = /^[a-zA-Z0-9_-]{1,100}$/;
@@ -880,6 +880,18 @@ export function createRoutes(ctx) {
     });
     // ── Private Views (auth-gated rendered markdown) ────────────────
     const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+    /** Build a browser-clickable tunnel URL with HMAC signature for auth */
+    function viewTunnelUrl(viewId) {
+        const base = ctx.tunnel?.getExternalUrl(`/view/${viewId}`);
+        if (!base)
+            return null;
+        if (ctx.config.authToken) {
+            const viewPath = `/view/${viewId}`;
+            const sig = signViewPath(viewPath, ctx.config.authToken);
+            return `${base}?sig=${sig}`;
+        }
+        return base;
+    }
     router.post('/view', (req, res) => {
         if (!ctx.viewer) {
             res.status(503).json({ error: 'Private viewer not configured' });
@@ -899,12 +911,11 @@ export function createRoutes(ctx) {
             return;
         }
         const view = ctx.viewer.create(title, markdown);
-        const tunnelUrl = ctx.tunnel?.getExternalUrl(`/view/${view.id}`) ?? null;
         res.status(201).json({
             id: view.id,
             title: view.title,
             localUrl: `/view/${view.id}`,
-            tunnelUrl,
+            tunnelUrl: viewTunnelUrl(view.id),
             createdAt: view.createdAt,
         });
     });
@@ -936,7 +947,7 @@ export function createRoutes(ctx) {
             id: v.id,
             title: v.title,
             localUrl: `/view/${v.id}`,
-            tunnelUrl: ctx.tunnel?.getExternalUrl(`/view/${v.id}`) ?? null,
+            tunnelUrl: viewTunnelUrl(v.id),
             createdAt: v.createdAt,
             updatedAt: v.updatedAt,
         }));
@@ -969,7 +980,7 @@ export function createRoutes(ctx) {
             id: updated.id,
             title: updated.title,
             localUrl: `/view/${updated.id}`,
-            tunnelUrl: ctx.tunnel?.getExternalUrl(`/view/${updated.id}`) ?? null,
+            tunnelUrl: viewTunnelUrl(updated.id),
             updatedAt: updated.updatedAt,
         });
     });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.6.3",
+  "version": "0.6.5",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",