instar 0.6.5 → 0.6.7

package/_demo.mjs

@@ -0,0 +1,78 @@
+import { PrivateViewer } from './dist/publishing/PrivateViewer.js';
+import express from 'express';
+import { Tunnel } from 'cloudflared';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+const PIN = '1234';
+
+// Set up viewer
+const viewsDir = path.join(os.tmpdir(), 'instar-demo-views-' + Date.now());
+fs.mkdirSync(viewsDir, { recursive: true });
+const viewer = new PrivateViewer({ viewsDir });
+
+// Create test view with PIN
+const view = viewer.create(
+  'Secret Test Report',
+  '# Hello from Instar\n\nThis is a **PIN-protected** private view.\n\nIf you can see this, the PIN worked!\n\n---\n\n*Served securely via Cloudflare Tunnel + PIN gate.*',
+  PIN
+);
+console.log('View created:', view.id);
+
+// Start express server
+const app = express();
+app.use(express.json());
+
+app.get('/view/:id', (req, res) => {
+  const v = viewer.get(req.params.id);
+  if (!v) return res.status(404).send('Not found');
+  if (v.pinHash) {
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.send(viewer.renderPinPage(v));
+  } else {
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.send(viewer.renderHtml(v));
+  }
+});
+
+app.post('/view/:id/unlock', (req, res) => {
+  const v = viewer.get(req.params.id);
+  if (!v) return res.status(404).send('Not found');
+  const pin = req.body?.pin;
+  if (!pin || !viewer.verifyPin(req.params.id, pin)) {
+    return res.status(403).json({ error: 'Incorrect PIN' });
+  }
+  res.setHeader('Content-Type', 'text/html; charset=utf-8');
+  res.send(viewer.renderHtml(v));
+});
+
+const server = app.listen(0, '127.0.0.1', () => {
+  const port = server.address().port;
+  console.log('Server on port', port);
+
+  const localUrl = `http://127.0.0.1:${port}`;
+  // Use explicit --config to prevent ~/.cloudflared/config.yml
+  // named tunnel ingress rules from overriding the quick tunnel
+  const cfgPath = path.join(os.tmpdir(), 'instar-demo-cf.yml');
+  fs.writeFileSync(cfgPath, '# Quick tunnel — no ingress rules\n');
+  const t = Tunnel.quick(localUrl, { '--config': cfgPath });
+
+  t.once('url', (tunnelUrl) => {
+    const viewUrl = `${tunnelUrl}/view/${view.id}`;
+    console.log('TUNNEL_URL=' + viewUrl);
+    console.log('PIN=' + PIN);
+    fs.writeFileSync('/tmp/instar-demo-url.txt', viewUrl + '\n' + PIN);
+  });
+
+  t.on('error', (err) => {
+    console.error('Tunnel error:', err.message);
+  });
+
+  // Keep process alive
+  process.on('SIGINT', () => {
+    t.stop();
+    server.close();
+    process.exit();
+  });
+});

package/dist/commands/init.js

@@ -648,12 +648,15 @@ function getDefaultJobs(port) {
 6. **Logs**: Check .instar/logs/server.log for recent errors: tail -50 .instar/logs/server.log | grep -i error
 7. **Settings coherence**: Are hooks in .claude/settings.json pointing to files that exist?
 8. **Design friction**: During your recent work, did anything feel unnecessarily difficult, confusing, or broken? Did you work around any issues?
+9. **CI health**: Check if the project has a GitHub repo and if CI is passing. Run: REPO=$(git remote get-url origin 2>/dev/null | sed 's/.*github.com[:/]//;s/.git$//'); if [ -n "$REPO" ]; then FAILURES=$(gh run list --repo "$REPO" --status failure --limit 3 --json databaseId,conclusion,headBranch,name,createdAt 2>/dev/null); if echo "$FAILURES" | python3 -c "import sys,json; runs=json.load(sys.stdin); exit(0 if runs else 1)" 2>/dev/null; then echo "CI FAILURES DETECTED in $REPO"; echo "$FAILURES"; echo ""; echo "FIX THESE NOW: Read the failure logs with 'gh run view RUN_ID --repo $REPO --log-failed', diagnose the issue, fix it, run tests locally, commit and push."; fi; fi
 
 For EACH issue found, submit feedback immediately:
 curl -s -X POST http://localhost:${port}/feedback -H 'Content-Type: application/json' -d '{"type":"bug","title":"TITLE","description":"FULL_CONTEXT"}'
 
 For improvements (not bugs), use type "improvement" instead.
 
+IMPORTANT for CI failures: Don't just report them as feedback — FIX THEM. Read the logs, diagnose the root cause, apply the fix, run tests locally to verify, then commit and push. Only submit feedback if the fix is beyond your capability (e.g., requires credentials or external service changes). CI health is your responsibility as the agent running this project.
+
 If everything looks healthy, exit silently. Only report issues.`,
             },
             tags: ['coherence', 'default'],

package/dist/publishing/PrivateViewer.d.ts

@@ -12,6 +12,8 @@ export interface PrivateView {
     id: string;
     title: string;
     markdown: string;
+    /** SHA-256 hash of the PIN, if PIN-protected */
+    pinHash?: string;
     createdAt: string;
     updatedAt?: string;
 }
@@ -25,9 +27,9 @@ export declare class PrivateViewer {
     constructor(config: PrivateViewerConfig);
     /**
      * Store markdown content for private viewing.
-     * Returns the view ID.
+     * If a PIN is provided, the view requires PIN entry before content is shown.
      */
-    create(title: string, markdown: string): PrivateView;
+    create(title: string, markdown: string, pin?: string): PrivateView;
     /**
      * Update an existing view.
      */
@@ -44,6 +46,14 @@ export declare class PrivateViewer {
      * Delete a view.
      */
     delete(id: string): boolean;
+    /**
+     * Verify a PIN against a view's stored hash.
+     */
+    verifyPin(id: string, pin: string): boolean;
+    /**
+     * Render a PIN entry page for a protected view.
+     */
+    renderPinPage(view: PrivateView, error?: boolean): string;
     /**
      * Render a view as self-contained HTML.
      */

package/dist/publishing/PrivateViewer.js

@@ -24,9 +24,9 @@ export class PrivateViewer {
     }
     /**
      * Store markdown content for private viewing.
-     * Returns the view ID.
+     * If a PIN is provided, the view requires PIN entry before content is shown.
      */
-    create(title, markdown) {
+    create(title, markdown, pin) {
         const id = crypto.randomUUID();
         // Ensure monotonically increasing timestamps even within same millisecond
         let now = Date.now();
@@ -40,6 +40,9 @@ export class PrivateViewer {
             markdown,
             createdAt: new Date(now).toISOString(),
         };
+        if (pin) {
+            view.pinHash = crypto.createHash('sha256').update(pin).digest('hex');
+        }
         this.save(view);
         return view;
     }
@@ -105,6 +108,139 @@ export class PrivateViewer {
             return false;
         }
     }
+    /**
+     * Verify a PIN against a view's stored hash.
+     */
+    verifyPin(id, pin) {
+        const view = this.get(id);
+        if (!view || !view.pinHash)
+            return false;
+        const hash = crypto.createHash('sha256').update(pin).digest('hex');
+        return crypto.timingSafeEqual(Buffer.from(hash, 'hex'), Buffer.from(view.pinHash, 'hex'));
+    }
+    /**
+     * Render a PIN entry page for a protected view.
+     */
+    renderPinPage(view, error = false) {
+        return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(view.title)}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #f8f9fa;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+      color: #1a1a2e;
+    }
+    .pin-box {
+      background: #fff;
+      border-radius: 12px;
+      padding: 2.5rem;
+      box-shadow: 0 2px 12px rgba(0,0,0,0.08);
+      max-width: 380px;
+      width: 90%;
+      text-align: center;
+    }
+    .pin-box h1 {
+      font-size: 1.3rem;
+      margin-bottom: 0.5rem;
+      color: #16213e;
+    }
+    .pin-box p {
+      font-size: 0.9rem;
+      color: #666;
+      margin-bottom: 1.5rem;
+    }
+    .pin-input {
+      width: 100%;
+      padding: 0.75rem 1rem;
+      font-size: 1.5rem;
+      letter-spacing: 0.3em;
+      text-align: center;
+      border: 2px solid #e0e0e0;
+      border-radius: 8px;
+      outline: none;
+      transition: border-color 0.2s;
+    }
+    .pin-input:focus { border-color: #533483; }
+    .pin-input.error { border-color: #e74c3c; }
+    .error-msg {
+      color: #e74c3c;
+      font-size: 0.85rem;
+      margin-top: 0.5rem;
+      display: ${error ? 'block' : 'none'};
+    }
+    .submit-btn {
+      width: 100%;
+      padding: 0.75rem;
+      margin-top: 1.25rem;
+      background: #16213e;
+      color: #fff;
+      border: none;
+      border-radius: 8px;
+      font-size: 1rem;
+      cursor: pointer;
+      transition: background 0.2s;
+    }
+    .submit-btn:hover { background: #533483; }
+    .submit-btn:disabled { background: #aaa; cursor: not-allowed; }
+    .lock-icon { font-size: 2rem; margin-bottom: 0.75rem; }
+  </style>
+</head>
+<body>
+  <div class="pin-box">
+    <div class="lock-icon">&#128274;</div>
+    <h1>${escapeHtml(view.title)}</h1>
+    <p>This content is PIN-protected.</p>
+    <form id="pin-form">
+      <input type="password" class="pin-input${error ? ' error' : ''}" id="pin" name="pin"
+        placeholder="Enter PIN" autocomplete="off" inputmode="numeric" autofocus>
+      <div class="error-msg" id="error-msg">Incorrect PIN. Please try again.</div>
+      <button type="submit" class="submit-btn">Unlock</button>
+    </form>
+  </div>
+  <script>
+    document.getElementById('pin-form').addEventListener('submit', async (e) => {
+      e.preventDefault();
+      const pin = document.getElementById('pin').value;
+      const btn = document.querySelector('.submit-btn');
+      btn.disabled = true;
+      btn.textContent = 'Verifying...';
+      try {
+        const res = await fetch(window.location.pathname + '/unlock', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ pin }),
+        });
+        if (res.ok) {
+          const html = await res.text();
+          document.open();
+          document.write(html);
+          document.close();
+        } else {
+          document.getElementById('error-msg').style.display = 'block';
+          document.getElementById('pin').classList.add('error');
+          document.getElementById('pin').value = '';
+          document.getElementById('pin').focus();
+          btn.disabled = false;
+          btn.textContent = 'Unlock';
+        }
+      } catch {
+        btn.disabled = false;
+        btn.textContent = 'Unlock';
+      }
+    });
+  </script>
+</body>
+</html>`;
+    }
     /**
      * Render a view as self-contained HTML.
      */

package/dist/server/routes.js

@@ -897,7 +897,7 @@ export function createRoutes(ctx) {
             res.status(503).json({ error: 'Private viewer not configured' });
             return;
         }
-        const { title, markdown } = req.body;
+        const { title, markdown, pin } = req.body;
         if (!title || typeof title !== 'string' || title.length > 256) {
             res.status(400).json({ error: '"title" must be a string under 256 characters' });
             return;
@@ -910,10 +910,15 @@ export function createRoutes(ctx) {
             res.status(400).json({ error: '"markdown" must be under 500KB' });
             return;
         }
-        const view = ctx.viewer.create(title, markdown);
+        if (pin !== undefined && (typeof pin !== 'string' || pin.length < 4 || pin.length > 32)) {
+            res.status(400).json({ error: '"pin" must be a string between 4 and 32 characters' });
+            return;
+        }
+        const view = ctx.viewer.create(title, markdown, pin);
         res.status(201).json({
             id: view.id,
             title: view.title,
+            pinProtected: !!view.pinHash,
             localUrl: `/view/${view.id}`,
             tunnelUrl: viewTunnelUrl(view.id),
             createdAt: view.createdAt,
@@ -933,11 +938,52 @@ export function createRoutes(ctx) {
             res.status(404).json({ error: 'View not found' });
             return;
         }
+        // PIN-protected views show PIN entry page
+        if (view.pinHash) {
+            const html = ctx.viewer.renderPinPage(view);
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.send(html);
+            return;
+        }
         // Serve rendered HTML
         const html = ctx.viewer.renderHtml(view);
         res.setHeader('Content-Type', 'text/html; charset=utf-8');
         res.send(html);
     });
+    router.post('/view/:id/unlock', (req, res) => {
+        if (!ctx.viewer) {
+            res.status(503).json({ error: 'Private viewer not configured' });
+            return;
+        }
+        if (!UUID_RE.test(req.params.id)) {
+            res.status(400).json({ error: 'Invalid view ID' });
+            return;
+        }
+        const view = ctx.viewer.get(req.params.id);
+        if (!view) {
+            res.status(404).json({ error: 'View not found' });
+            return;
+        }
+        if (!view.pinHash) {
+            // No PIN needed — return content directly
+            const html = ctx.viewer.renderHtml(view);
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.send(html);
+            return;
+        }
+        const { pin } = req.body;
+        if (!pin || typeof pin !== 'string') {
+            res.status(400).json({ error: '"pin" is required' });
+            return;
+        }
+        if (!ctx.viewer.verifyPin(req.params.id, pin)) {
+            res.status(403).json({ error: 'Incorrect PIN' });
+            return;
+        }
+        const html = ctx.viewer.renderHtml(view);
+        res.setHeader('Content-Type', 'text/html; charset=utf-8');
+        res.send(html);
+    });
     router.get('/views', (_req, res) => {
         if (!ctx.viewer) {
             res.json({ views: [] });

package/dist/tunnel/TunnelManager.js

@@ -102,9 +102,18 @@ export class TunnelManager extends EventEmitter {
     }
     startQuickTunnel() {
         return new Promise((resolve, reject) => {
-            const localUrl = `http://localhost:${this.config.port}`;
+            const localUrl = `http://127.0.0.1:${this.config.port}`;
             try {
-                this.tunnel = Tunnel.quick(localUrl);
+                // Write an empty config to prevent cloudflared from loading
+                // ~/.cloudflared/config.yml, which may contain named tunnel
+                // ingress rules that override the quick tunnel's --url proxy.
+                const emptyConfig = path.join(this.config.stateDir, 'cloudflared-quick.yml');
+                const dir = path.dirname(emptyConfig);
+                if (!fs.existsSync(dir)) {
+                    fs.mkdirSync(dir, { recursive: true });
+                }
+                fs.writeFileSync(emptyConfig, '# Quick tunnel — no ingress rules\n');
+                this.tunnel = Tunnel.quick(localUrl, { '--config': emptyConfig });
             }
             catch (err) {
                 reject(new Error(`Failed to start quick tunnel: ${err instanceof Error ? err.message : String(err)}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.6.5",
+  "version": "0.6.7",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",