singularity/singularity-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
singularity-forge/src/web
History
Jeremy McSpadden ab03677567 fix(security): activate auth middleware and harden shutdown/update routes (#4023) 
The Next.js auth middleware (proxy.ts) was never wired in — it exported
`proxy` from a file named proxy.ts, but Next.js requires a `middleware`
export from middleware.ts. The middleware-manifest.json was empty,
leaving all 42 API routes accessible without authentication.

Fixes:
- Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy`
- Add defense-in-depth auth-guard to /api/shutdown and /api/update routes
- Remove shell: true from update-service spawn (command injection surface)
- Update contract tests to verify middleware file name and export

Closes #4014

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 07:52:43 -04:00
..
auto-dashboard-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
bridge-service.ts fix(web): use safePackageRootFromImportUrl for cross-platform package root (#1881) (#1893) 2026-04-05 07:43:46 -04:00
captures-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
cleanup-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
cli-entry.ts fix: resolve Node v24 web boot failure — ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING (#1864) 2026-03-21 15:24:07 -06:00
doctor-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
export-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
forensics-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
git-summary-service.ts feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
history-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
hooks-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
inspect-service.ts feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
knowledge-service.ts feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
notifications-service.ts feat(gsd): persistent notification panel with TUI overlay, widget, and web API 2026-04-05 22:13:28 -05:00
onboarding-service.ts fix(pi-ai): remove Anthropic OAuth flow for TOS compliance 2026-04-10 17:33:34 -05:00
project-discovery-service.ts fix: detect monorepo roots in project discovery to prevent workspace fragmentation (#2849) 2026-03-27 09:55:00 -06:00
recovery-diagnostics-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
safe-import-meta-resolve.ts fix(web): use safePackageRootFromImportUrl for cross-platform package root (#1881) (#1893) 2026-04-05 07:43:46 -04:00
settings-service.ts fix(gsd): align model switching and prefs surfaces 2026-04-09 05:33:13 -05:00
skill-health-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
subprocess-runner.ts refactor(web): consolidate subprocess boilerplate into shared runner (#1899) 2026-04-05 07:44:32 -04:00
ts-subprocess-flags.ts fix(web): resolve compiled .js modules for all subprocess calls under node_modules (#2320) 2026-03-24 07:34:41 -06:00
undo-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
update-service.ts fix(security): activate auth middleware and harden shutdown/update routes (#4023) 2026-04-13 07:52:43 -04:00
visualizer-service.ts fix: add windowsHide to all web-mode subprocess spawns (#2628) (#3046) 2026-03-30 14:50:13 -06:00
web-auth-storage.ts feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00