smart_ide/CHANGELOG.md
Nicolas Cantu 255acbaf97 fix: harden claw-harness-proxy and complete HTTP utils centralization (0.0.7)
Initial state:
- claw-harness-proxy accepted absolute-form / scheme-relative request targets, allowing proxying to arbitrary hosts.
- claw-harness-proxy forwarded client Authorization headers upstream.
- @4nk/smart-ide-http-utils did not provide helpers for Node http.request-based proxies.
- docs/repo/ia-dev-smart-ide-integration.md still documented the old IA_DEV_ROOT default resolution order.

Motivation:
- Ensure safe proxy behavior for every HTTP relay in the monorepo.
- Keep the IA_DEV_ROOT contract consistent across code and docs.

Resolution:
- Extend @4nk/smart-ide-http-utils with copyOutgoingHeadersForProxy() for http.request.
- Harden claw-harness-proxy: reject absolute URLs and '//' targets, validate safe proxy paths, avoid forwarding Authorization, and avoid leaking internal error details.
- Align ia-dev-smart-ide-integration doc default order to ./services/ia_dev then ./ia_dev.

Root cause:
- Proxy implementation treated req.url as a URL to be resolved and allowed absolute inputs.
- Cross-proxy utilities were only implemented for fetch-based proxies.

Impacted features:
- claw-harness-proxy HTTP forwarding.
- shared HTTP utility package.
- IA_DEV_ROOT documentation.

Code modified:
- packages/smart-ide-http-utils/src/* + dist/*
- services/claw-harness-api/proxy/src/server.ts

Documentation modified:
- docs/repo/ia-dev-smart-ide-integration.md
- CHANGELOG.md

Configurations modified:
- services/claw-harness-api/proxy/package.json

Files in deploy modified:
- None

Files in logs impacted:
- None

Databases and other sources modified:
- None

Off-project modifications:
- None

Files in .smartIde modified:
- None

Files in .secrets modified:
- None

New patch version in VERSION:
- 0.0.7

CHANGELOG.md updated:
- yes
2026-04-04 20:48:11 +02:00
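
An added example (not the project's server.ts or the @4nk/smart-ide-http-utils code) of the root cause and fix described in the commit message above: resolving req.url as a URL reference lets the request choose the host, while accepting only origin-form targets and building the upstream request from a fixed host does not. UPSTREAM, the function names, the backslash and dot-segment checks and the sample inputs are assumptions; it is written in plain JavaScript.

```javascript
// Added example: UPSTREAM and all function names are hypothetical.
const UPSTREAM = new URL("http://127.0.0.1:8080"); // assumed fixed upstream

// Before: req.url is resolved as a URL reference, so an absolute-form or
// scheme-relative request-target replaces the upstream host.
function unsafeTargetHost(reqUrl) {
  return new URL(reqUrl, UPSTREAM).host;
}

// After: accept origin-form targets only; the host always comes from UPSTREAM.
function safeRequestOptions(reqUrl) {
  if (typeof reqUrl !== "string") return null;
  // Rejects absolute-form ("http://...") and scheme-relative ("//...") targets.
  if (!reqUrl.startsWith("/") || reqUrl.startsWith("//")) return null;
  // Backslashes, whitespace and control characters are never valid here.
  if (/[\\\s\x00-\x1f\x7f]/.test(reqUrl)) return null;
  // Refuse dot-segments, including percent-encoded dots.
  const path = reqUrl.split("?")[0];
  if (path.split("/").some((seg) => /^(\.|%2e){1,2}$/i.test(seg))) return null;
  // Options shaped for Node's http.request().
  return { hostname: UPSTREAM.hostname, port: UPSTREAM.port, path: reqUrl };
}

const HOP_BY_HOP = new Set(["connection", "keep-alive", "proxy-authenticate",
  "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"]);

// Copy client headers for the upstream request, dropping hop-by-hop headers,
// headers named in Connection, Host, and the client's Authorization.
function outgoingHeaders(incoming) {
  const listed = String(incoming.connection || "")
    .toLowerCase().split(",").map((s) => s.trim());
  const out = {};
  for (const [name, value] of Object.entries(incoming)) {
    const n = name.toLowerCase();
    if (HOP_BY_HOP.has(n) || listed.includes(n)) continue;
    if (n === "host" || n === "authorization") continue;
    out[n] = value;
  }
  return out;
}
```
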

Changelog

0.0.7 - 2026-04-04

Changed

  • @4nk/smart-ide-http-utils: add copyOutgoingHeadersForProxy() for Node http.request proxies.
  • claw-harness-proxy: validate request-target to prevent SSRF (reject absolute URLs and //), reuse safe proxy path checks and avoid forwarding client Authorization.
  • Docs: align default IA_DEV_ROOT resolution order (./services/ia_dev then ./ia_dev).

0.0.6 - 2026-04-04

Added

  • @4nk/smart-ide-http-utils: shared HTTP proxy helpers (Bearer/body limit/hop-by-hop headers/safe proxy paths).

Changed

  • smart-ide-sso-gateway and smart-ide-global-api: reuse shared HTTP helpers (reduces duplication).
  • IA_DEV_ROOT resolution: prefer ./services/ia_dev then ./ia_dev (code + docs); fail fast if missing in ia-dev-gateway.
  • scripts/ensure-ia-dev-project-link.sh: prefer services/ia_dev when both layouts exist.

0.0.5 - 2026-04-04

Added

  • scripts/remote-data-ssh-sync.sh: mirror deployed data over SSH into .data/remote-data/ and optionally ingest into AnythingLLM.
  • AnythingLLM sync enhancements: --upload-all + --upload-prefix modes for non-git directory ingestion.
  • site-generate ia_dev tool + gateway runner to scaffold Vite/React sites with OIDC + Smart IDE chat (via sso-gateway → orchestrator).
  • Documentation: remote data SSH sync, E2E browser (Carbonyl manual mode).

Changed

  • Canonical ia_dev module location: services/ia_dev/ (with IA_DEV_ROOT resolution); docs and integration updated accordingly.
  • SSO gateway: upstream allowlist support via SSO_ALLOWED_UPSTREAMS.
  • Global API: explicit 503 when an upstream requires a token but the token is not configured.
  • install-anythingllm-post-merge-hook.sh: supports --all and --project <id> based on projects/<id>/conf.json.

Fixed

  • cron/git-pull-project-clones.sh: error propagation and summary exit code for failed pulls.