Skip to content

fix: align CLI auth compatibility checks#1

Merged
tnunamak merged 5 commits into
mainfrom
audit/web3signed-bodyhash-compat
Jun 30, 2026
Merged

fix: align CLI auth compatibility checks#1
tnunamak merged 5 commits into
mainfrom
audit/web3signed-bodyhash-compat

Conversation

@tnunamak

@tnunamak tnunamak commented Jun 29, 2026

Copy link
Copy Markdown
Member

Summary

  • Align Web3Signed bodyHash with the current SDK and Personal Server format where needed, while preserving Session Relay legacy body-hash compatibility.
  • Point SDK/Data Portability gateway defaults at the current DP RPC hosts: https://dp-rpc-dev.vana.org and https://dp-rpc.vana.org.
  • Keep connect --json --no-input state as needs_input when a connector emits collection-complete after requiring credentials.
  • Refresh a stale auth test fixture expiry.

Verification

  • pnpm test
  • pnpm build
  • pnpm lint
  • pnpm lint:eslint
  • pnpm format:check
  • pnpm pack:check
  • pnpm pack --pack-destination /home/tnunamak/.tmp/vana-cli-pack
  • temp global install with pnpm add -g /home/tnunamak/.tmp/vana-cli-pack/vana-cli-2.0.0.tgz
  • installed binary smoke: vana --help, vana version --json, vana sources --json, vana status --json, vana connect github --json --no-input
  • 2026-06-30 focused retest: pnpm test test/core/constants.test.ts test/server/session-relay.test.ts test/server/connect.test.ts
  • 2026-06-30 focused retest: pnpm build
  • 2026-06-30 live Session Relay proof against dev stack: local Next starter created a session, Vana Desktop claimed and approved it, relay returned approved grant 0x7982f184894fdaa8d9743849a230e29f4a4a876080f08863a45c1ba73ee1e346, and /api/data read instagram.profile + instagram.posts from the user's Personal Server after rebuilding dist with the dp-rpc-dev default.

Notes
This PR is intentionally limited to compatibility fixes found during the modern stack audit. Larger product/API gaps remain in the audit report.

@tnunamak

Copy link
Copy Markdown
Member Author

Merged #2 into this branch via 700b708 and re-ran validation.

Local checks:

  • pnpm install --frozen-lockfile
  • pnpm test: 259/259 passing
  • pnpm build
  • pnpm lint / lint:eslint / format:check
  • pnpm pack:check
  • pnpm preflight:cli (passed; discarded local transcript regeneration noise)
  • pnpm build:sea:smoke
  • pnpm sea:check for linux artifact
  • pnpm test:install:unix
  • Node 20 + Node 22 pnpm test and pnpm lint via npx

Independent agent checks:

  • Sonnet confirmed the combined diff is only the CLI auth/bodyHash/no-input fix plus the DataConnect DOWNLOAD_VERSION 0.7.35 -> 0.7.52 bump.
  • Sonnet passed lint, eslint, format, test, build, and pack:check.

GitHub CI after push: all 6 checks passing, including Node 20/22, Linux SEA, Windows SEA, demo-preview, and semantic PR title.

Residual risk: this repo proves the client emits the new sha256: bodyHash format and packages/installs cleanly, but it cannot by itself prove the remote Personal Server verifier accepts that wire format. Confidence is high for merge/package/install behavior; live cloud read would be the last >95% proof.

@tnunamak

Copy link
Copy Markdown
Member Author

Follow-up from live-stack probing before merge:

I found the previous branch state was not safe for current cloud relay:

  • sha256:<hex> bodyHash on POST /v1/session/init returned 401 INVALID_SIGNATURE on both prod and dev Session Relay.
  • The old bare-hex bodyHash returned the expected 403 BUILDER_NOT_REGISTERED for the public test key, proving the request shape/signature got past relay verification.

Fix pushed in baa22bd:

  • createRequestSigner() now defaults to the current relay-compatible legacy format: bare hex for non-empty bodies and empty string for empty bodies.
  • createDataClient() explicitly opts into bodyHashFormat: "prefixed" for Personal Server reads.
  • Added tests proving Session Relay stays legacy and DataClient emits sha256:.

Validation after the fix:

  • Focused server tests: pass, 26/26.
  • Full pnpm test: pass, 260/260.
  • pnpm lint: pass.
  • pnpm lint:eslint: pass.
  • pnpm format:check: pass.
  • pnpm build: pass.
  • Live prod/dev Session Relay probe now returns BUILDER_NOT_REGISTERED instead of INVALID_SIGNATURE, which is the expected result for the public unregistered test key.

Remaining gap for absolute confidence is a real registered-builder grant/read against a Personal Server. But the human-auth question is no longer the main blocker; the branch had a cloud-relay compatibility issue and this commit addresses it.

@tnunamak tnunamak merged commit 8a7cc43 into main Jun 30, 2026
7 checks passed
@tnunamak tnunamak deleted the audit/web3signed-bodyhash-compat branch June 30, 2026 21:45
github-actions Bot pushed a commit that referenced this pull request Jul 1, 2026
## [0.15.0](v0.14.0...v0.15.0) (2026-07-01)

### Features

* support account oauth device login ([#3](#3)) ([05328cb](05328cb))

### Bug Fixes

* align CLI auth compatibility checks ([#1](#1)) ([8a7cc43](8a7cc43))
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 0.15.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant