subto 8.0.0 → 8.0.1

package/dist/package/README.md

@@ -40,7 +40,7 @@ Commands
 {
   "url": "https://example.com",
   "source": "cli",
-  "client": { "name": "subto-cli", "version": "8.0.0" }
+  "client": { "name": "subto-cli", "version": "8.0.1" }
 }
 ```
 
@@ -98,11 +98,11 @@ Download
 After publishing or packing, a distributable tarball will be available under `./dist/` e.g.:
 
 ```
-./dist/subto-8.0.0.tgz
+./dist/subto-8.0.1.tgz
 ```
 
 You can download that file directly and install locally with:
 
 ```bash
-npm install -g ./dist/subto-8.0.0.tgz
+npm install -g ./dist/subto-8.0.1.tgz
 ```

package/dist/package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one';
-const CLIENT_META = { name: 'subto-cli', version: '8.0.0' };
+const CLIENT_META = { name: 'subto-cli', version: '8.0.1' };
 
 function configFilePath() { return CONFIG_PATH; }
 

package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one/api/v1';
-const CLIENT_META = { name: 'subto-cli', version: '8.0.0' };
+const CLIENT_META = { name: 'subto-cli', version: '8.0.1' };
 const cp = require('child_process');
 
 // Normalize SUBTO API base so callers can set either
@@ -132,6 +132,13 @@ async function storeOpenRouterKeyInteractive(keyArg, modelArg) {
 }
 
 async function promptHidden(prompt) {
+  function isByteStringSafe(s){
+    if (typeof s !== 'string') return false;
+    for (let i = 0; i < s.length; i++) {
+      if (s.charCodeAt(i) > 255) return false;
+    }
+    return true;
+  }
   if (!process.stdin.isTTY) throw new Error('Interactive prompt required');
   return new Promise((resolve, reject) => {
     const stdin = process.stdin;
@@ -172,6 +179,10 @@ async function postScan(url, apiKey) {
   const body = { url, source: 'cli', client: CLIENT_META };
   const fetchFn = global.fetch;
   if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
+  // Validate header-safety to avoid undici/node fetch ByteString conversion errors
+  if (!isByteStringSafe(String(apiKey || ''))) {
+    throw new Error('API key contains unsupported characters (non-Latin-1). Re-run `subto login` and paste a plain ASCII API key.');
+  }
   const res = await fetchFn(endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${apiKey}`, 'User-Agent': `${CLIENT_META.name}/${CLIENT_META.version}` }, body: JSON.stringify(body) });
   const text = await res.text();
   let data = null; try { data = text ? JSON.parse(text) : null; } catch (e) { data = text; }
@@ -481,7 +492,7 @@ async function startChatREPL(scanData){
 
 async function run(argv) {
   const program = new Command();
-  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '8.0.0');
+  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '8.0.1');
   program.option('-v, --verbose', 'Show verbose HTTP logs');
   program.option('--chat', 'Start local AI assistant (no command required)');
   program.option('--no-auto-skip', 'Disable automatic skipping of external APIs when scans appear stuck');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "subto",
-  "version": "8.0.0",
+  "version": "8.0.1",
   "description": "Subto CLI — thin wrapper around the Subto.One API",
   "bin": {
     "subto": "bin/subto.js"