21 Commits

Author SHA1 Message Date
f83b2870f2 release 2.0.9: scope=ninja + api.cal.com egress declaration
Re-declares allowed_hosts (bug: the pre-fix `ninja plugin bump` stripped it
on the 2.0.7->2.0.8 bump, so the published 2.0.8 reached no egress consent
gate and Cal.com calls were denied at runtime). Sets scope=ninja and drops
the stray private flag to match the registry's @ninja/calcomblock entry.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
v2.0.9
2026-07-09 09:53:35 +08:00
de02dfb0ee bump to 2.0.8 2026-07-09 09:40:36 +08:00
bd7f9fad15 fix: flat absolute routes + declare api.cal.com egress (2.0.7)
Register the chi routes as flat absolute paths (httpBase+"/slots" …)
instead of a nested r.Route mount: the wasm host forwards the full
original path with no prefix strip, so the nested mount's RoutePath
rebasing never matched and 404'd the entire HTTP surface.

Declare allowed_hosts = ["api.cal.com"] so the ADR-0023 install consent
dialog asks the admin to grant egress; without it every Cal.com call was
denied at runtime (ABI_ERROR_CODE_EGRESS_DENIED, no egress grant).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
v2.0.7
2026-07-09 09:38:31 +08:00
5a138b9ac8 Add plugin.mod 2026-07-09 09:25:20 +08:00
29c17440a5 bump to 2.0.7 2026-07-09 09:24:14 +08:00
6ec3353b12 bump to 2.0.7 2026-07-09 09:23:39 +08:00
0d56f6adf1 feat(calcom): route Cal.com egress through host OutboundHTTP (ADR 0023)
Under wasm the guest has no network, so every Cal.com v2 call was dying at
"dial tcp: lookup api.cal.com". Thread deps.OutboundHTTP (http.RoundTripper)
from NewCalcomRouter onto CalcomHandler.rt and into NewCalcomClient, building
the client with Transport: rt. A nil rt (native/DESCRIBE/test) falls back to
the default transport, so bundled/httptest paths are unchanged.

Declare allowed_hosts = ["api.cal.com"] (deny-by-default; admin-granted at
install per the Phase 3 consent gate) and bump pluginsdk v0.2.4 -> v0.2.5 for
CoreServices.OutboundHTTP. Bump 2.0.5 -> 2.0.6.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
v2.0.6
2026-07-08 08:57:10 +08:00
f597fa8b52 chore(web): rebuild dist bundle for v2.0.5 captchaEnabled editor
The v2.0.5 captchaEnabled editor toggle (fe5d117) changed web/src but never
rebuilt the committed web/dist. Rebuild so the shipped bundle matches source.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-08 08:57:02 +08:00
fe5d11754a feat(editor): expose the captchaEnabled toggle — v2.0.5
The schema declares captchaEnabled (x-editor checkbox) but the custom
MF editor replaces schema-driven rendering and never drew a control for
it, so the captcha gate could not be enabled through the visual editor
at all. Add the switch beside Show Timezone. pnpm build-script approval
for esbuild (package.json onlyBuiltDependencies) so the editor bundle
rebuilds non-interactively.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-08 00:15:30 +08:00
3967fa955a fix: rebuild admin claims from trusted headers — v2.0.4
Context does not cross the wasm ABI, so requireAdmin's
auth.GetUserFromContext only sees claims if the guest rebuilds them from
the host-stamped X-Bn-Verified-* headers. 2.0.3 never mounted
auth.TrustedHeaderMiddleware, so every admin endpoint (settings save,
event-types, test, rotate) returned 401 for real admins — the settings
panel could not store the Cal.com API key. Mount the middleware on the
router and pin the contract with a header-driven test (viewer headers
must reach requireAdmin and 403, never 401): the existing admin tests
injected claims straight into context, which is exactly the path wasm
does not have.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-08 00:03:28 +08:00
7c7bceb9d7 fix!: absolute routes + live captcha requirement — v2.0.3
Two wasm-era regressions fixed:

Routes: the wasm host forwards the FULL request path with no prefix
strip, but every route was registered relative — the plugin's entire
HTTP surface (slots/book/cancel/date-grid/admin) 404'd at runtime on
every instance since 2.0.0. All routes now register under
/api/plugins/calcomblock (testplugin's httpBase convention), pinned by
a route-matching test.

Captcha requirement: blockConfig was hardcoded nil (no capability
exposed published block content), so bookingRequiresCaptcha always
reported false — the widget never rendered and the gate never ran.
publishedBlockResolver now answers it via pluginsdk v0.2.4's
content.published_block_configs: any currently-published calcom:booking
block matching the posted username+eventTypeSlug with
captchaEnabled=true demands the host-stamped X-Bn-Verified-Captcha
header; an empty config username applies to any posted username.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 23:47:59 +08:00
c1f8fe8a2c chore: v2.0.2 — host-verified captcha via X-Bn-Verified-Captcha
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 23:18:09 +08:00
7e9265c6a7 feat!: captcha via host-stamped X-Bn-Verified-Captcha; drop block/core entirely
SetCaptchaServer was .so-era injection — nothing wasm-side ever called
it, so the verifier was permanently nil and captcha-enabled booking
blocks failed closed on every submission. A guest can't hold the host's
stateful captcha server; the host now verifies+consumes the cap-token
before dispatch and stamps the unforgeable X-Bn-Verified-Captcha
trusted header (pluginsdk v0.2.2 auth.CaptchaVerified). Fail-closed
semantics preserved: no stamp = reject.

Deletes the last block/core import (captcha) and the test-side PoW
solver; go.mod no longer requires core.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 23:00:10 +08:00
28b50128d9 chore: bump pluginsdk to v0.2.1
Picks up the render package move-in (BlockNote renderer now reads
embed-resolver/human-proof context keys from pluginsdk/blocks) and
keeps the check-safety 2c fleet version anchor satisfied.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 20:34:04 +08:00
d5b158e0bf chore: pluginsdk v0.2.0 (P3 host-composed chrome)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 14:56:28 +08:00
324a2e6fe0 chore: migrate from block/core to block/pluginsdk (keep core for captcha)
Rewrite imports for plugin, blocks, templates, auth, settings, crypto, and
rbac packages from git.dev.alexdunmow.com/block/core/* to
git.dev.alexdunmow.com/block/pluginsdk/* across all Go files. The captcha
package stays on block/core, so the repo keeps both requires.

go.mod: add pluginsdk v0.1.0; bump core v0.20.2 -> v0.20.3 (satisfies the
check-safety core-version gate); transitive churn pgx v5.9.2 -> v5.10.0 and
x/mod v0.34.0 -> v0.37.0 from go mod tidy.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 11:03:57 +08:00
4fff9ead8c bump to 2.0.1 v2.0.1 2026-07-06 00:00:54 +08:00
f8f70fcbf0 chore: bump block/core to v0.20.2 (fleet standard, check-safety 2c)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-06 00:00:49 +08:00
c0f8209e88 chore: rename dev host localdev.blockninjacms.com -> blockninja.dev 2026-07-05 20:50:21 +08:00
599b576396 chore: register @ninja/calcomblock scope; commit web/pnpm-lock.yaml
- plugin.mod: scope normalized to @ninja (via ninja plugin init against the
  dev registry).
- Track web/pnpm-lock.yaml for reproducible admin-frontend installs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
v2.0.0
2026-07-05 03:05:23 +08:00
18b7825592 Extract calcomblock into a standalone wasm plugin repo
Convert the bundled backend/internal/plugins/calcomblock package into a
standalone reactor-mode wasm plugin, dropping every git.dev.alexdunmow.com/block/cms
import (forbidden in standalone plugins):

- package calcomblock -> package main; add wasip1 main.go with
  wasmguest.Serve(Registration). go.mod module
  git.dev.alexdunmow.com/block/calcomblock, block/core v0.18.2, no replace
  directives.
- Settings persistence: replace the pool-backed poolQuerier (direct SQL against
  the public-schema `settings` table, which a sandboxed plugin role cannot read)
  with capabilityQuerier over the SDK settings.Settings / settings.Updater
  capabilities. GetSiteTimezone now resolves via GetSiteSettings host-side.
- Vendor the small CMS-internal helpers the plugin used into internal/helpers
  (GetRealIP, StartCleanupLoop, MaskSecret, GetStringOr, the PluginSettingsQuerier
  settings helpers, PluginCrypto for tests) and internal/db (minimal Setting /
  UpsertSettingParams), each with a provenance header.
- Inline the captcha widget: vendor blocks.CaptchaWidget as a local
  CaptchaWidget templ (captcha_widget.templ) and regenerate templ; drop the
  block/cms/blocks import from booking.templ.
- blockConfig (server-authoritative captcha requirement via a
  page_block_snapshots scan) has no wasm-ABI capability, so it is left nil:
  honeypot + per-IP rate limit still apply. Documented as a follow-up.
- web: @block-ninja/ui workspace:* -> ^0.1.0 registry version; eslint.config.js
  repointed at ../../../cms/web/eslint.config.js; rebuild web/dist.
- Rewrite CLAUDE.md for the standalone wasm reality; add .gitignore.

Full test suite preserved and passing; builds to calcomblock-2.0.0.bnp;
check-safety passes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-05 03:04:18 +08:00