Re-declares allowed_hosts (bug: the pre-fix `ninja plugin bump` stripped it
on the 2.0.7->2.0.8 bump, so the published 2.0.8 reached no egress consent
gate and Cal.com calls were denied at runtime). Sets scope=ninja and drops
the stray private flag to match the registry's @ninja/calcomblock entry.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Register the chi routes as flat absolute paths (httpBase+"/slots" …)
instead of a nested r.Route mount: the wasm host forwards the full
original path with no prefix strip, so the nested mount's RoutePath
rebasing never matched and 404'd the entire HTTP surface.
Declare allowed_hosts = ["api.cal.com"] so the ADR-0023 install consent
dialog asks the admin to grant egress; without it every Cal.com call was
denied at runtime (ABI_ERROR_CODE_EGRESS_DENIED, no egress grant).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Under wasm the guest has no network, so every Cal.com v2 call was dying at
"dial tcp: lookup api.cal.com". Thread deps.OutboundHTTP (http.RoundTripper)
from NewCalcomRouter onto CalcomHandler.rt and into NewCalcomClient, building
the client with Transport: rt. A nil rt (native/DESCRIBE/test) falls back to
the default transport, so bundled/httptest paths are unchanged.
Declare allowed_hosts = ["api.cal.com"] (deny-by-default; admin-granted at
install per the Phase 3 consent gate) and bump pluginsdk v0.2.4 -> v0.2.5 for
CoreServices.OutboundHTTP. Bump 2.0.5 -> 2.0.6.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The v2.0.5 captchaEnabled editor toggle (fe5d117) changed web/src but never
rebuilt the committed web/dist. Rebuild so the shipped bundle matches source.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The schema declares captchaEnabled (x-editor checkbox) but the custom
MF editor replaces schema-driven rendering and never drew a control for
it, so the captcha gate could not be enabled through the visual editor
at all. Add the switch beside Show Timezone. pnpm build-script approval
for esbuild (package.json onlyBuiltDependencies) so the editor bundle
rebuilds non-interactively.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Context does not cross the wasm ABI, so requireAdmin's
auth.GetUserFromContext only sees claims if the guest rebuilds them from
the host-stamped X-Bn-Verified-* headers. 2.0.3 never mounted
auth.TrustedHeaderMiddleware, so every admin endpoint (settings save,
event-types, test, rotate) returned 401 for real admins — the settings
panel could not store the Cal.com API key. Mount the middleware on the
router and pin the contract with a header-driven test (viewer headers
must reach requireAdmin and 403, never 401): the existing admin tests
injected claims straight into context, which is exactly the path wasm
does not have.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Two wasm-era regressions fixed:
Routes: the wasm host forwards the FULL request path with no prefix
strip, but every route was registered relative — the plugin's entire
HTTP surface (slots/book/cancel/date-grid/admin) 404'd at runtime on
every instance since 2.0.0. All routes now register under
/api/plugins/calcomblock (testplugin's httpBase convention), pinned by
a route-matching test.
Captcha requirement: blockConfig was hardcoded nil (no capability
exposed published block content), so bookingRequiresCaptcha always
reported false — the widget never rendered and the gate never ran.
publishedBlockResolver now answers it via pluginsdk v0.2.4's
content.published_block_configs: any currently-published calcom:booking
block matching the posted username+eventTypeSlug with
captchaEnabled=true demands the host-stamped X-Bn-Verified-Captcha
header; an empty config username applies to any posted username.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
SetCaptchaServer was .so-era injection — nothing wasm-side ever called
it, so the verifier was permanently nil and captcha-enabled booking
blocks failed closed on every submission. A guest can't hold the host's
stateful captcha server; the host now verifies+consumes the cap-token
before dispatch and stamps the unforgeable X-Bn-Verified-Captcha
trusted header (pluginsdk v0.2.2 auth.CaptchaVerified). Fail-closed
semantics preserved: no stamp = reject.
Deletes the last block/core import (captcha) and the test-side PoW
solver; go.mod no longer requires core.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Picks up the render package move-in (BlockNote renderer now reads
embed-resolver/human-proof context keys from pluginsdk/blocks) and
keeps the check-safety 2c fleet version anchor satisfied.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Rewrite imports for plugin, blocks, templates, auth, settings, crypto, and
rbac packages from git.dev.alexdunmow.com/block/core/* to
git.dev.alexdunmow.com/block/pluginsdk/* across all Go files. The captcha
package stays on block/core, so the repo keeps both requires.
go.mod: add pluginsdk v0.1.0; bump core v0.20.2 -> v0.20.3 (satisfies the
check-safety core-version gate); transitive churn pgx v5.9.2 -> v5.10.0 and
x/mod v0.34.0 -> v0.37.0 from go mod tidy.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- plugin.mod: scope normalized to @ninja (via ninja plugin init against the
dev registry).
- Track web/pnpm-lock.yaml for reproducible admin-frontend installs.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Convert the bundled backend/internal/plugins/calcomblock package into a
standalone reactor-mode wasm plugin, dropping every git.dev.alexdunmow.com/block/cms
import (forbidden in standalone plugins):
- package calcomblock -> package main; add wasip1 main.go with
wasmguest.Serve(Registration). go.mod module
git.dev.alexdunmow.com/block/calcomblock, block/core v0.18.2, no replace
directives.
- Settings persistence: replace the pool-backed poolQuerier (direct SQL against
the public-schema `settings` table, which a sandboxed plugin role cannot read)
with capabilityQuerier over the SDK settings.Settings / settings.Updater
capabilities. GetSiteTimezone now resolves via GetSiteSettings host-side.
- Vendor the small CMS-internal helpers the plugin used into internal/helpers
(GetRealIP, StartCleanupLoop, MaskSecret, GetStringOr, the PluginSettingsQuerier
settings helpers, PluginCrypto for tests) and internal/db (minimal Setting /
UpsertSettingParams), each with a provenance header.
- Inline the captcha widget: vendor blocks.CaptchaWidget as a local
CaptchaWidget templ (captcha_widget.templ) and regenerate templ; drop the
block/cms/blocks import from booking.templ.
- blockConfig (server-authoritative captcha requirement via a
page_block_snapshots scan) has no wasm-ABI capability, so it is left nil:
honeypot + per-IP rate limit still apply. Documented as a follow-up.
- web: @block-ninja/ui workspace:* -> ^0.1.0 registry version; eslint.config.js
repointed at ../../../cms/web/eslint.config.js; rebuild web/dist.
- Rewrite CLAUDE.md for the standalone wasm reality; add .gitignore.
Full test suite preserved and passing; builds to calcomblock-2.0.0.bnp;
check-safety passes.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>