thevoidforge 21.0.13 → 21.0.14

package/dist/wizard/lib/pty-manager.js

@@ -6,7 +6,7 @@
  * Haku moves between worlds seamlessly.
  */
 import { randomUUID } from 'node:crypto';
-import { isRemoteMode } from './tower-auth.js';
+import { isRemoteMode, isLanMode } from './tower-auth.js';
 import { audit } from './audit-log.js';
 // node-pty is a native module — dynamic import to handle missing installs gracefully
 let pty = null;
@@ -34,7 +34,9 @@ const ALLOWED_INITIAL_COMMANDS = ['claude', 'claude --dangerously-skip-permissio
 const BASE_SAFE_ENV_KEYS = ['PATH', 'HOME', 'SHELL', 'USER', 'LANG', 'LC_ALL', 'LC_CTYPE', 'TERM_PROGRAM', 'EDITOR', 'VISUAL', 'XDG_CONFIG_HOME', 'XDG_DATA_HOME', 'NVM_DIR', 'NVM_BIN', 'NVM_INC', 'TMPDIR', 'TEMP', 'SSH_AUTH_SOCK', 'COLORTERM'];
 // FLOW-R2-007: Only pass ANTHROPIC_API_KEY in local mode
 function getSafeEnvKeys() {
-    if (isRemoteMode())
+    // Remote mode (internet-facing): exclude API key — operator's key must not leak
+    // Local + LAN mode: include API key — it's the user's own key on their network
+    if (isRemoteMode() && !isLanMode())
         return BASE_SAFE_ENV_KEYS;
     return [...BASE_SAFE_ENV_KEYS, 'ANTHROPIC_API_KEY'];
 }
@@ -69,7 +71,7 @@ export async function createSession(projectDir, projectName, label, initialComma
         }
     }
     const nodePty = await loadPty();
-    const shell = process.env['SHELL'] || '/bin/zsh';
+    const shell = process.env['SHELL'] || '/bin/bash';
     const id = randomUUID();
     // SEC-013: Build clean environment — no credential leakage into PTY
     const safeEnv = {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thevoidforge",
-  "version": "21.0.13",
+  "version": "21.0.14",
   "description": "From nothing, everything. A methodology framework for building with Claude Code.",
   "type": "module",
   "engines": {