npm - neoagent - Versions diffs - 2.1.18-beta.64 → 2.1.18-beta.66 - Mend

neoagent 2.1.18-beta.64 → 2.1.18-beta.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/docs/configuration.md +1 -0
package/lib/manager.js +4 -0
package/package.json +1 -1
package/server/http/middleware.js +5 -4
package/server/index.js +32 -2
package/server/public/flutter_bootstrap.js +1 -1
package/server/public/main.dart.js +24564 -24574
package/server/routes/auth.js +25 -8
package/server/routes/settings.js +24 -24

package/docs/configuration.md CHANGED Viewed

@@ -13,6 +13,7 @@ AI provider credentials, OAuth client secrets, and deployment controls are not c
 | `SESSION_SECRET` | required | Random string for session signing. Generate one with `openssl rand -hex 32`. |
 | `NODE_ENV` | `production` | Set to `development` to enable verbose logs. |
 | `SECURE_COOKIES` | `false` | Set `true` when NeoAgent is behind a TLS-terminating proxy. |
+| `TRUST_PROXY` | inferred from `PUBLIC_URL`/`SECURE_COOKIES` | Set `true` when NeoAgent runs behind Nginx, Caddy, Cloudflare, Fly, or another reverse proxy that sends `X-Forwarded-*` headers. |
 | `ALLOWED_ORIGINS` | none | Comma-separated CORS origins, for example `https://example.com`. |
 | `NEOAGENT_DEPLOYMENT_MODE` | `self_hosted` | `self_hosted` enables in-app update controls; `managed` hides operator-only controls for SaaS deployments. |
 | `NEOAGENT_RELEASE_CHANNEL` | `stable` | Release track used by the self-hosted updater. |

package/lib/manager.js CHANGED Viewed

@@ -444,6 +444,8 @@ async function cmdSetup() {
   const secureCookiesDefault = current.SECURE_COOKIES ||
     (String(publicUrl || '').trim().startsWith('https://') ? 'true' : 'false');
   const secureCookies = await ask('Secure cookies (true/false)', secureCookiesDefault);
+  const trustProxyDefault = current.TRUST_PROXY || secureCookiesDefault;
+  const trustProxy = await ask('Trust reverse proxy headers (true/false)', trustProxyDefault);
   const sessionSecret = await askSecret('Session secret', current.SESSION_SECRET || randomSecret());
   const deploymentMode = await ask(
     'Deployment mode (self_hosted/managed)',
@@ -546,6 +548,7 @@ async function cmdSetup() {
     current.TELNYX_WEBHOOK_TOKEN || ''
   );
   const normalizedSecureCookies = String(secureCookies || '').trim().toLowerCase() === 'true' ? 'true' : 'false';
+  const normalizedTrustProxy = String(trustProxy || '').trim().toLowerCase() === 'true' ? 'true' : 'false';
   const normalizedDeploymentMode = parseDeploymentMode(deploymentMode);
   const normalizedReleaseChannel = parseReleaseChannel(releaseChannel) || 'stable';
@@ -554,6 +557,7 @@ async function cmdSetup() {
     `PORT=${port}`,
     publicUrl ? `PUBLIC_URL=${publicUrl}` : '',
     `SECURE_COOKIES=${normalizedSecureCookies}`,
+    `TRUST_PROXY=${normalizedTrustProxy}`,
     `SESSION_SECRET=${sessionSecret}`,
     `NEOAGENT_DEPLOYMENT_MODE=${normalizedDeploymentMode}`,
     `NEOAGENT_RELEASE_CHANNEL=${normalizedReleaseChannel}`,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "neoagent",
-  "version": "2.1.18-beta.64",
+  "version": "2.1.18-beta.66",
   "description": "Proactive personal AI agent with no limits",
   "license": "MIT",
   "main": "server/index.js",

package/server/http/middleware.js CHANGED Viewed

@@ -98,7 +98,7 @@ function buildHelmetOptions({ secureCookies }) {
   };
 }
-function createSessionMiddleware({ secureCookies }) {
+function createSessionMiddleware({ secureCookies, trustProxy }) {
   return session({
     store: new SQLiteStore({
       client: sessionsDb,
@@ -109,6 +109,7 @@ function createSessionMiddleware({ secureCookies }) {
     }),
     secret: getSessionSecret(),
     name: 'neoagent.sid',
+    proxy: trustProxy,
     resave: false,
     saveUninitialized: false,
     cookie: {
@@ -120,7 +121,7 @@ function createSessionMiddleware({ secureCookies }) {
   });
 }
-function applyHttpMiddleware(app, { secureCookies, sessionMiddleware, validateOrigin }) {
+function applyHttpMiddleware(app, { secureCookies, trustProxy, sessionMiddleware, validateOrigin }) {
   const rawRecordingChunkBody = require('express').raw({ limit: '50mb', type: '*/*' });
   const jsonBody = require('express').json({
     limit: '10mb',
@@ -147,9 +148,9 @@ function applyHttpMiddleware(app, { secureCookies, sessionMiddleware, validateOr
     isRecordingChunkPath(requestPath(req)) ? next() : handler(req, res, next)
   );
-  if (secureCookies) {
+  if (trustProxy) {
     app.set('trust proxy', 1);
-    console.log('[HTTP] trust proxy enabled because secure cookies are active');
+    console.log('[HTTP] trust proxy enabled for proxied deployment handling');
   }
   app.use(helmet(buildHelmetOptions({ secureCookies })));

package/server/index.js CHANGED Viewed

@@ -35,8 +35,24 @@ const { registerErrorHandler } = require('./http/errors');
 const { startServices, stopServices } = require('./services/manager');
 const { bindBrowserExtensionGateway } = require('./services/browser/extension/gateway');
+function parseBooleanFlag(value, fallback = false) {
+  const normalized = String(value || '').trim().toLowerCase();
+  if (['1', 'true', 'yes', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'off'].includes(normalized)) return false;
+  return fallback;
+}
 const PORT = Number(process.env.PORT) || 3333;
-const SECURE_COOKIES = process.env.SECURE_COOKIES === 'true';
+const PUBLIC_URL = String(process.env.PUBLIC_URL || '').trim();
+const PUBLIC_URL_IS_HTTPS = PUBLIC_URL.startsWith('https://');
+const SECURE_COOKIES = parseBooleanFlag(
+  process.env.SECURE_COOKIES,
+  PUBLIC_URL_IS_HTTPS,
+);
+const TRUST_PROXY = parseBooleanFlag(
+  process.env.TRUST_PROXY,
+  SECURE_COOKIES || PUBLIC_URL_IS_HTTPS,
+);
 function logStartupConfig() {
   const flags = {
@@ -60,6 +76,11 @@ function logStartupConfig() {
     console.log(`[Startup] Legacy env fallback: ${LEGACY_ENV_FILE}`);
   }
   console.log('[Startup] Key availability:', flags);
+  console.log('[Startup] HTTP runtime:', {
+    publicUrl: PUBLIC_URL || null,
+    secureCookies: SECURE_COOKIES,
+    trustProxy: TRUST_PROXY,
+  });
 }
 logStartupConfig();
@@ -77,12 +98,21 @@ if (!configuredSessionSecret()) {
 const app = express();
 const httpServer = createServer(app);
 const io = createSocketServer(httpServer, { validateOrigin });
-const sessionMiddleware = createSessionMiddleware({ secureCookies: SECURE_COOKIES });
+app.locals.httpRuntimeConfig = {
+  secureCookies: SECURE_COOKIES,
+  trustProxy: TRUST_PROXY,
+  publicUrl: PUBLIC_URL || null,
+};
+const sessionMiddleware = createSessionMiddleware({
+  secureCookies: SECURE_COOKIES,
+  trustProxy: TRUST_PROXY,
+});
 const activeSockets = new Set();
 setupConsoleInterceptor(io);
 applyHttpMiddleware(app, {
   secureCookies: SECURE_COOKIES,
+  trustProxy: TRUST_PROXY,
   sessionMiddleware,
   validateOrigin
 });

package/server/public/flutter_bootstrap.js CHANGED Viewed

@@ -37,6 +37,6 @@ _flutter.buildConfig = {"engineRevision":"59aa584fdf100e6c78c785d8a5b565d1de4b48
 _flutter.loader.load({
   serviceWorkerSettings: {
-    serviceWorkerVersion: "2716929298" /* Flutter's service worker is deprecated and will be removed in a future Flutter release. */
+    serviceWorkerVersion: "4140020161" /* Flutter's service worker is deprecated and will be removed in a future Flutter release. */
   }
 });