thevoidforge 21.0.12 → 21.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/wizard/lib/pty-manager.js +5 -3
  2. package/dist/wizard/ui/index.html +1 -1
  3. package/package.json +1 -1
package/dist/wizard/lib/pty-manager.js CHANGED
@@ -6,7 +6,7 @@
6
6
  * Haku moves between worlds seamlessly.
7
7
  */
8
8
  import { randomUUID } from 'node:crypto';
9
- import { isRemoteMode } from './tower-auth.js';
9
+ import { isRemoteMode, isLanMode } from './tower-auth.js';
10
10
  import { audit } from './audit-log.js';
11
11
  // node-pty is a native module — dynamic import to handle missing installs gracefully
12
12
  let pty = null;
@@ -34,7 +34,9 @@ const ALLOWED_INITIAL_COMMANDS = ['claude', 'claude --dangerously-skip-permissio
34
34
  const BASE_SAFE_ENV_KEYS = ['PATH', 'HOME', 'SHELL', 'USER', 'LANG', 'LC_ALL', 'LC_CTYPE', 'TERM_PROGRAM', 'EDITOR', 'VISUAL', 'XDG_CONFIG_HOME', 'XDG_DATA_HOME', 'NVM_DIR', 'NVM_BIN', 'NVM_INC', 'TMPDIR', 'TEMP', 'SSH_AUTH_SOCK', 'COLORTERM'];
35
35
  // FLOW-R2-007: Only pass ANTHROPIC_API_KEY in local mode
36
36
  function getSafeEnvKeys() {
37
- if (isRemoteMode())
37
+ // Remote mode (internet-facing): exclude API key — operator's key must not leak
38
+ // Local + LAN mode: include API key — it's the user's own key on their network
39
+ if (isRemoteMode() && !isLanMode())
38
40
  return BASE_SAFE_ENV_KEYS;
39
41
  return [...BASE_SAFE_ENV_KEYS, 'ANTHROPIC_API_KEY'];
40
42
  }
@@ -69,7 +71,7 @@ export async function createSession(projectDir, projectName, label, initialComma
69
71
  }
70
72
  }
71
73
  const nodePty = await loadPty();
72
- const shell = process.env['SHELL'] || '/bin/zsh';
74
+ const shell = process.env['SHELL'] || '/bin/bash';
73
75
  const id = randomUUID();
74
76
  // SEC-013: Build clean environment — no credential leakage into PTY
75
77
  const safeEnv = {};
package/dist/wizard/ui/index.html CHANGED
@@ -377,7 +377,7 @@
377
377
  <div class="card" style="margin-top: 16px; border-color: var(--accent); background: rgba(91, 91, 247, 0.03);">
378
378
  <h2>Ready to deploy?</h2>
379
379
  <p style="font-size: 14px; color: var(--text-dim);">After building your app, run the deploy wizard to provision infrastructure and ship.</p>
380
- <p style="font-family: var(--mono); font-size: 14px; margin-top: 8px;"><code>npm run deploy</code></p>
380
+ <p style="font-family: var(--mono); font-size: 14px; margin-top: 8px;"><code>voidforge deploy</code></p>
381
381
  </div>
382
382
 
383
383
  <div class="btn-row">
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "thevoidforge",
3
- "version": "21.0.12",
3
+ "version": "21.0.14",
4
4
  "description": "From nothing, everything. A methodology framework for building with Claude Code.",
5
5
  "type": "module",
6
6
  "engines": {