npm - instar - Versions diffs - 0.6.4 → 0.6.5 - Mend

instar 0.6.4 → 0.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/core/SessionManager.js +11 -2
package/dist/server/middleware.d.ts +5 -0
package/dist/server/middleware.js +28 -12
package/dist/server/routes.js +5 -3
package/package.json +1 -1

package/dist/core/SessionManager.js CHANGED Viewed

@@ -150,13 +150,22 @@ export class SessionManager extends EventEmitter {
             return false;
         // Verify Claude process is running inside the tmux session
         try {
-            const paneCmd = execFileSync(this.config.tmuxPath, ['display-message', '-t', `=${tmuxSession}:`, '-p', '#{pane_current_command}'], { encoding: 'utf-8', timeout: 5000 }).trim();
+            const paneInfo = execFileSync(this.config.tmuxPath, ['display-message', '-t', `=${tmuxSession}:`, '-p', '#{pane_current_command}||#{pane_start_command}'], { encoding: 'utf-8', timeout: 5000 }).trim();
+            const [paneCmd, startCmd] = paneInfo.split('||');
             // Claude Code runs as 'claude' or 'node' process
             if (paneCmd && (paneCmd.includes('claude') || paneCmd.includes('node'))) {
                 return true;
             }
-            // If pane command is bash/zsh/sh, Claude may have exited — session is dead
+            // If pane command is bash/zsh/sh, check whether the session was launched
+            // with a direct command (e.g., a bash script as claudePath). In that case
+            // bash IS the expected running process — not a leftover shell after Claude exits.
+            // tmux kills sessions launched with direct commands when the command exits,
+            // so if has-session succeeds and start_command is non-empty, it's still running.
             if (paneCmd === 'bash' || paneCmd === 'zsh' || paneCmd === 'sh') {
+                if (startCmd && startCmd !== paneCmd) {
+                    // Session was launched with a specific command (not a bare shell) — still alive
+                    return true;
+                }
                 return false;
             }
             // For any other command, assume alive (could be a Claude subprocess)

package/dist/server/middleware.d.ts CHANGED Viewed

@@ -18,5 +18,10 @@ export declare function rateLimiter(windowMs?: number, maxRequests?: number): (r
  * Returns 408 if the request takes longer than the timeout.
  */
 export declare function requestTimeout(timeoutMs?: number): (req: Request, res: Response, next: NextFunction) => void;
+/**
+ * HMAC-sign a view path so the URL can be opened in a browser without exposing the auth token.
+ * The signature is path-specific — sharing a signed URL only grants access to that one view.
+ */
+export declare function signViewPath(viewPath: string, authToken: string): string;
 export declare function errorHandler(err: unknown, _req: Request, res: Response, _next: NextFunction): void;
 //# sourceMappingURL=middleware.d.ts.map

package/dist/server/middleware.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Express middleware — JSON parsing, CORS, auth, error handling.
  */
-import { createHash, timingSafeEqual } from 'node:crypto';
+import { createHash, createHmac, timingSafeEqual } from 'node:crypto';
 export function corsMiddleware(req, res, next) {
     // Restrict CORS to localhost origins only — this is a local management API
     const origin = req.headers.origin;
@@ -32,21 +32,20 @@ export function authMiddleware(authToken) {
             next();
             return;
         }
-        // Accept token from Authorization header or ?token= query parameter.
-        // Query parameter enables browser-friendly access to rendered views.
-        const header = req.headers.authorization;
-        const queryToken = typeof req.query.token === 'string' ? req.query.token : null;
-        let token;
-        if (header?.startsWith('Bearer ')) {
-            token = header.slice(7);
-        }
-        else if (queryToken) {
-            token = queryToken;
+        // View routes support signed URLs for browser access (see ?sig= below)
+        if (req.path.startsWith('/view/') && req.method === 'GET') {
+            const sig = typeof req.query.sig === 'string' ? req.query.sig : null;
+            if (sig && verifyViewSignature(req.path, sig, authToken)) {
+                next();
+                return;
+            }
         }
-        else {
+        const header = req.headers.authorization;
+        if (!header || !header.startsWith('Bearer ')) {
             res.status(401).json({ error: 'Missing or invalid Authorization header' });
             return;
         }
+        const token = header.slice(7);
         // Hash both sides so lengths are always equal — prevents timing leak of token length
         const ha = createHash('sha256').update(token).digest();
         const hb = createHash('sha256').update(authToken).digest();
@@ -117,6 +116,23 @@ export function requestTimeout(timeoutMs = 30_000) {
         next();
     };
 }
+/**
+ * HMAC-sign a view path so the URL can be opened in a browser without exposing the auth token.
+ * The signature is path-specific — sharing a signed URL only grants access to that one view.
+ */
+export function signViewPath(viewPath, authToken) {
+    return createHmac('sha256', authToken).update(viewPath).digest('hex');
+}
+/**
+ * Verify a signed view URL. Returns true if the sig matches the path.
+ */
+function verifyViewSignature(viewPath, sig, authToken) {
+    const expected = createHmac('sha256', authToken).update(viewPath).digest();
+    const provided = Buffer.from(sig, 'hex');
+    if (expected.length !== provided.length)
+        return false;
+    return timingSafeEqual(expected, provided);
+}
 export function errorHandler(err, _req, res, _next) {
     const message = err instanceof Error ? err.message : String(err);
     console.error(`[server] Error: ${message}`);

package/dist/server/routes.js CHANGED Viewed

@@ -9,7 +9,7 @@ import { execFileSync } from 'node:child_process';
 import { createHash, timingSafeEqual } from 'node:crypto';
 import fs from 'node:fs';
 import path from 'node:path';
-import { rateLimiter } from './middleware.js';
+import { rateLimiter, signViewPath } from './middleware.js';
 // Validation patterns for route parameters
 const SESSION_NAME_RE = /^[a-zA-Z0-9_-]{1,200}$/;
 const JOB_SLUG_RE = /^[a-zA-Z0-9_-]{1,100}$/;
@@ -880,13 +880,15 @@ export function createRoutes(ctx) {
     });
     // ── Private Views (auth-gated rendered markdown) ────────────────
     const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
-    /** Build a browser-clickable tunnel URL with token embedded as query param */
+    /** Build a browser-clickable tunnel URL with HMAC signature for auth */
     function viewTunnelUrl(viewId) {
         const base = ctx.tunnel?.getExternalUrl(`/view/${viewId}`);
         if (!base)
             return null;
         if (ctx.config.authToken) {
-            return `${base}?token=${encodeURIComponent(ctx.config.authToken)}`;
+            const viewPath = `/view/${viewId}`;
+            const sig = signViewPath(viewPath, ctx.config.authToken);
+            return `${base}?sig=${sig}`;
         }
         return base;
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.6.4",
+  "version": "0.6.5",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",