instar 0.6.5 → 0.6.6

package/dist/publishing/PrivateViewer.d.ts

@@ -12,6 +12,8 @@ export interface PrivateView {
     id: string;
     title: string;
     markdown: string;
+    /** SHA-256 hash of the PIN, if PIN-protected */
+    pinHash?: string;
     createdAt: string;
     updatedAt?: string;
 }
@@ -25,9 +27,9 @@ export declare class PrivateViewer {
     constructor(config: PrivateViewerConfig);
     /**
      * Store markdown content for private viewing.
-     * Returns the view ID.
+     * If a PIN is provided, the view requires PIN entry before content is shown.
      */
-    create(title: string, markdown: string): PrivateView;
+    create(title: string, markdown: string, pin?: string): PrivateView;
     /**
      * Update an existing view.
      */
@@ -44,6 +46,14 @@ export declare class PrivateViewer {
      * Delete a view.
      */
     delete(id: string): boolean;
+    /**
+     * Verify a PIN against a view's stored hash.
+     */
+    verifyPin(id: string, pin: string): boolean;
+    /**
+     * Render a PIN entry page for a protected view.
+     */
+    renderPinPage(view: PrivateView, error?: boolean): string;
     /**
      * Render a view as self-contained HTML.
      */

package/dist/publishing/PrivateViewer.js

@@ -24,9 +24,9 @@ export class PrivateViewer {
     }
     /**
      * Store markdown content for private viewing.
-     * Returns the view ID.
+     * If a PIN is provided, the view requires PIN entry before content is shown.
      */
-    create(title, markdown) {
+    create(title, markdown, pin) {
         const id = crypto.randomUUID();
         // Ensure monotonically increasing timestamps even within same millisecond
         let now = Date.now();
@@ -40,6 +40,9 @@ export class PrivateViewer {
             markdown,
             createdAt: new Date(now).toISOString(),
         };
+        if (pin) {
+            view.pinHash = crypto.createHash('sha256').update(pin).digest('hex');
+        }
         this.save(view);
         return view;
     }
@@ -105,6 +108,139 @@ export class PrivateViewer {
             return false;
         }
     }
+    /**
+     * Verify a PIN against a view's stored hash.
+     */
+    verifyPin(id, pin) {
+        const view = this.get(id);
+        if (!view || !view.pinHash)
+            return false;
+        const hash = crypto.createHash('sha256').update(pin).digest('hex');
+        return crypto.timingSafeEqual(Buffer.from(hash, 'hex'), Buffer.from(view.pinHash, 'hex'));
+    }
+    /**
+     * Render a PIN entry page for a protected view.
+     */
+    renderPinPage(view, error = false) {
+        return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(view.title)}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #f8f9fa;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+      color: #1a1a2e;
+    }
+    .pin-box {
+      background: #fff;
+      border-radius: 12px;
+      padding: 2.5rem;
+      box-shadow: 0 2px 12px rgba(0,0,0,0.08);
+      max-width: 380px;
+      width: 90%;
+      text-align: center;
+    }
+    .pin-box h1 {
+      font-size: 1.3rem;
+      margin-bottom: 0.5rem;
+      color: #16213e;
+    }
+    .pin-box p {
+      font-size: 0.9rem;
+      color: #666;
+      margin-bottom: 1.5rem;
+    }
+    .pin-input {
+      width: 100%;
+      padding: 0.75rem 1rem;
+      font-size: 1.5rem;
+      letter-spacing: 0.3em;
+      text-align: center;
+      border: 2px solid #e0e0e0;
+      border-radius: 8px;
+      outline: none;
+      transition: border-color 0.2s;
+    }
+    .pin-input:focus { border-color: #533483; }
+    .pin-input.error { border-color: #e74c3c; }
+    .error-msg {
+      color: #e74c3c;
+      font-size: 0.85rem;
+      margin-top: 0.5rem;
+      display: ${error ? 'block' : 'none'};
+    }
+    .submit-btn {
+      width: 100%;
+      padding: 0.75rem;
+      margin-top: 1.25rem;
+      background: #16213e;
+      color: #fff;
+      border: none;
+      border-radius: 8px;
+      font-size: 1rem;
+      cursor: pointer;
+      transition: background 0.2s;
+    }
+    .submit-btn:hover { background: #533483; }
+    .submit-btn:disabled { background: #aaa; cursor: not-allowed; }
+    .lock-icon { font-size: 2rem; margin-bottom: 0.75rem; }
+  </style>
+</head>
+<body>
+  <div class="pin-box">
+    <div class="lock-icon">&#128274;</div>
+    <h1>${escapeHtml(view.title)}</h1>
+    <p>This content is PIN-protected.</p>
+    <form id="pin-form">
+      <input type="password" class="pin-input${error ? ' error' : ''}" id="pin" name="pin"
+        placeholder="Enter PIN" autocomplete="off" inputmode="numeric" autofocus>
+      <div class="error-msg" id="error-msg">Incorrect PIN. Please try again.</div>
+      <button type="submit" class="submit-btn">Unlock</button>
+    </form>
+  </div>
+  <script>
+    document.getElementById('pin-form').addEventListener('submit', async (e) => {
+      e.preventDefault();
+      const pin = document.getElementById('pin').value;
+      const btn = document.querySelector('.submit-btn');
+      btn.disabled = true;
+      btn.textContent = 'Verifying...';
+      try {
+        const res = await fetch(window.location.pathname + '/unlock', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ pin }),
+        });
+        if (res.ok) {
+          const html = await res.text();
+          document.open();
+          document.write(html);
+          document.close();
+        } else {
+          document.getElementById('error-msg').style.display = 'block';
+          document.getElementById('pin').classList.add('error');
+          document.getElementById('pin').value = '';
+          document.getElementById('pin').focus();
+          btn.disabled = false;
+          btn.textContent = 'Unlock';
+        }
+      } catch {
+        btn.disabled = false;
+        btn.textContent = 'Unlock';
+      }
+    });
+  </script>
+</body>
+</html>`;
+    }
     /**
      * Render a view as self-contained HTML.
      */

package/dist/server/routes.js

@@ -897,7 +897,7 @@ export function createRoutes(ctx) {
             res.status(503).json({ error: 'Private viewer not configured' });
             return;
         }
-        const { title, markdown } = req.body;
+        const { title, markdown, pin } = req.body;
         if (!title || typeof title !== 'string' || title.length > 256) {
             res.status(400).json({ error: '"title" must be a string under 256 characters' });
             return;
@@ -910,10 +910,15 @@ export function createRoutes(ctx) {
             res.status(400).json({ error: '"markdown" must be under 500KB' });
             return;
         }
-        const view = ctx.viewer.create(title, markdown);
+        if (pin !== undefined && (typeof pin !== 'string' || pin.length < 4 || pin.length > 32)) {
+            res.status(400).json({ error: '"pin" must be a string between 4 and 32 characters' });
+            return;
+        }
+        const view = ctx.viewer.create(title, markdown, pin);
         res.status(201).json({
             id: view.id,
             title: view.title,
+            pinProtected: !!view.pinHash,
             localUrl: `/view/${view.id}`,
             tunnelUrl: viewTunnelUrl(view.id),
             createdAt: view.createdAt,
@@ -933,11 +938,52 @@ export function createRoutes(ctx) {
             res.status(404).json({ error: 'View not found' });
             return;
         }
+        // PIN-protected views show PIN entry page
+        if (view.pinHash) {
+            const html = ctx.viewer.renderPinPage(view);
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.send(html);
+            return;
+        }
         // Serve rendered HTML
         const html = ctx.viewer.renderHtml(view);
         res.setHeader('Content-Type', 'text/html; charset=utf-8');
         res.send(html);
     });
+    router.post('/view/:id/unlock', (req, res) => {
+        if (!ctx.viewer) {
+            res.status(503).json({ error: 'Private viewer not configured' });
+            return;
+        }
+        if (!UUID_RE.test(req.params.id)) {
+            res.status(400).json({ error: 'Invalid view ID' });
+            return;
+        }
+        const view = ctx.viewer.get(req.params.id);
+        if (!view) {
+            res.status(404).json({ error: 'View not found' });
+            return;
+        }
+        if (!view.pinHash) {
+            // No PIN needed — return content directly
+            const html = ctx.viewer.renderHtml(view);
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.send(html);
+            return;
+        }
+        const { pin } = req.body;
+        if (!pin || typeof pin !== 'string') {
+            res.status(400).json({ error: '"pin" is required' });
+            return;
+        }
+        if (!ctx.viewer.verifyPin(req.params.id, pin)) {
+            res.status(403).json({ error: 'Incorrect PIN' });
+            return;
+        }
+        const html = ctx.viewer.renderHtml(view);
+        res.setHeader('Content-Type', 'text/html; charset=utf-8');
+        res.send(html);
+    });
     router.get('/views', (_req, res) => {
         if (!ctx.viewer) {
             res.json({ views: [] });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.6.5",
+  "version": "0.6.6",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",