uncaged/nerve
Archived
10
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(http-api): bind 127.0.0.1, support trigger body params, fix kill-workflow fields #136

Merged
xiaomo merged 3 commits from feat/133-http-api into main 2026-04-25 06:11:57 +00:00
Conversation 1 Commits 3 Files Changed 34
+946 -90
xingyue commented 2026-04-25 06:03:24 +00:00
Owner
Copy Link
Copy Source

What

Fix 3 security/functionality issues in the Phase 1 HTTP API.

Why

  • HTTP API binds 0.0.0.0 by default — Phase 1 has no auth, should not be exposed to network
  • POST /api/trigger-workflow ignores request body, hardcodes prompt="" and dryRun=false
  • POST /api/kill-workflow requires name field but never uses it

Changes

packages/daemon/src/http-api.ts

  • Add HTTP_API_BIND_HOST = "127.0.0.1" constant, pass to server.listen() explicitly
  • POST /api/trigger-workflow: parse optional prompt (string), maxRounds (number), dryRun (boolean) from body with type validation
  • POST /api/kill-workflow: make threadId required, name optional (used for stderr logging only)

packages/daemon/src/__tests__/file-watcher.test.ts and file-watcher-workflow.test.ts

  • Clear changes.length before assertions to eliminate flaky fs.watch noise events (unrelated to HTTP changes)

Ref

  • Refs #133 (Phase 1 HTTP API)
  • Build: passed. Tests: 151/151 passed.
## What Fix 3 security/functionality issues in the Phase 1 HTTP API. ## Why - HTTP API binds `0.0.0.0` by default — Phase 1 has no auth, should not be exposed to network - `POST /api/trigger-workflow` ignores request body, hardcodes `prompt=""` and `dryRun=false` - `POST /api/kill-workflow` requires `name` field but never uses it ## Changes ### `packages/daemon/src/http-api.ts` - Add `HTTP_API_BIND_HOST = "127.0.0.1"` constant, pass to `server.listen()` explicitly - `POST /api/trigger-workflow`: parse optional `prompt` (string), `maxRounds` (number), `dryRun` (boolean) from body with type validation - `POST /api/kill-workflow`: make `threadId` required, `name` optional (used for stderr logging only) ### `packages/daemon/src/__tests__/file-watcher.test.ts` and `file-watcher-workflow.test.ts` - Clear `changes.length` before assertions to eliminate flaky `fs.watch` noise events (unrelated to HTTP changes) ## Ref - Refs #133 (Phase 1 HTTP API) - Build: passed. Tests: 151/151 passed.
xingyue added 3 commits 2026-04-25 06:03:25 +00:00
feat(core,daemon,cli): HTTP API + transport interface + workflow list (#133 Phase 1) 27df3d58e2 
- Add WorkflowStatus, HealthInfo types to core IPC protocol
- Add DaemonTransport interface (core/daemon-transport.ts)
- Add list-workflows and health IPC handlers
- WorkflowManager.listWorkflows() exposes runtime status
- Kernel: getHealth(), optional HTTP API server (--port / api.port)
- CLI: nerve workflow list command via IPC
- daemon-client: UnixTransport implements DaemonTransport

Closes: Phase 1 of #133
fix: resolve biome lint issues (format, imports, parameter property, complexity) 4d47427a52
fix(http-api): bind 127.0.0.1, support trigger body params, fix kill-workflow fields 9d46472e37 
- Default bind host to 127.0.0.1 (no auth in Phase 1)
- POST /api/trigger-workflow reads optional prompt/maxRounds/dryRun from body
- POST /api/kill-workflow: threadId required, name optional (log only)

Refs #133
xiaoju force-pushed feat/133-http-api from 9d46472e37 to e5bdcf9474 2026-04-25 06:07:52 +00:00 Compare
xiaomo approved these changes 2026-04-25 06:11:56 +00:00
xiaomo left a comment
Owner

LGTM

亮点:

  • DaemonHandlerBundle 抽象让 IPC + HTTP 共享 handler,零重复,Phase 2 transport 接入会很顺
  • 127.0.0.1 绑定 + 无 auth 阶段安全到位
  • hostname in health ✓
  • CLI/env/yaml 三层端口优先级清晰
  • HTTP body 逐字段类型校验,错误信息友好
  • nerve workflow list (daemon实时) vs runs (历史日志) 拆分合理
LGTM ✅ **亮点:** - `DaemonHandlerBundle` 抽象让 IPC + HTTP 共享 handler,零重复,Phase 2 transport 接入会很顺 - `127.0.0.1` 绑定 + 无 auth 阶段安全到位 - `hostname` in health ✓ - CLI/env/yaml 三层端口优先级清晰 - HTTP body 逐字段类型校验,错误信息友好 - `nerve workflow list` (daemon实时) vs `runs` (历史日志) 拆分合理
xiaomo merged commit efd15d4b3c into main 2026-04-25 06:11:57 +00:00
This repo is archived. You cannot comment on pull requests.
Reviewers
No Reviewers
xiaomo
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
aobing jiashuang (Jia Shuang) jiayi (Jiayi) luming scottwei tuanzi xiaoju xiaomo xiaonuo xingyue
No Assignees
3 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: uncaged/nerve#136
Delete Branch "feat/133-http-api"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?