Releases: bntvllnt/pi-gateway

v0.2.0

30 May 00:14
@github-actions github-actions
ca3aa3c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194

Added

  • Request body size cap (16 MB) — oversized POST /v1/chat/completions payloads return HTTP 413 (#14).
  • Loopback Host header validation — requests to a loopback bind with an unexpected Host return HTTP 403 invalid_host, guarding against DNS-rebinding from browser-based clients (#14).
  • HTTP server timeouts: headers 30s, request 120s, keep-alive 5s (#14).
  • Deterministic contract + E2E test coverage using pi-ai's faux provider; added lifecycle and security tests (#14).
  • Side-effect-labeled extension tool descriptions (gateway_start / gateway_stop note "Side effect: ..."; gateway_status notes "Read-only") (#14).
  • pi-package keyword in package.json so the package is indexed by the pi.dev package gallery, which lists only npm packages tagged with that exact keyword.
  • CHANGELOG.md. The release workflow extracts the version's section as the GitHub Release body.

Changed

  • Migrated pi runtime dependencies from the deprecated @mariozechner/pi-* namespace to @earendil-works/pi-* at ^0.75.4 (latest mature version under the 7-day minimum-release-age policy). No public API changes.
  • Supported OpenAI request parameters are forwarded to pi-ai; unsupported parameters (frequency_penalty, presence_penalty, response_format, seed, stop, top_p, user) are now rejected deterministically rather than silently ignored, so clients get an explicit error instead of unexpected output (#14).
  • Centralized config security validation (validateGatewayConfigSecurity); the bound address is now asserted after listen() (#14).
  • Extension daemon: log to a file, sanitize the detached child's environment, and cap the footer health-probe response body (#14).
  • Contract test validates the OpenAI error envelope on non-200 responses and on mid-stream error frames (which correctly omit the trailing data: [DONE] per OpenAI's mid-stream error convention). CI passes without provider auth.
  • Publish workflow's canary job gated on vars.ENABLE_CANARY == 'true'; enabled per push to main once npm trusted-publishing is configured.

Fixed

  • Hardened auth/bind invariants and OpenAI error envelopes across the request path (#14, closes #6#13).
  • Contract test no longer fails when no provider auth is configured (CI environment).

Security

  • Loopback Host-header guard prevents DNS-rebinding access from browser-based clients on the same machine (#14).
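
The loopback Host-header guard described in these notes, sketched as an added example (not pi-gateway's own code). The function names, port 8787, the sample Host values and the `type` field of the error body are assumptions; only the 403 status and the `invalid_host` code come from the release notes.

```javascript
// Added example: Host allow-listing for a server bound to loopback.
// A rebinding page reaches 127.0.0.1 by IP, but the browser still sends the
// attacker's hostname in Host, so checking that header is enough to refuse it.
const LOOPBACK_BINDS = new Set(["127.0.0.1", "::1", "localhost"]);
const LOOPBACK_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Split a Host header into { hostname, port }; null when malformed or missing.
function parseHostHeader(value) {
  if (typeof value !== "string") return null;
  // Bracketed IPv6 literal or a name/IPv4 address, each with an optional port.
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(value.trim());
  if (!m) return null;
  const hostname = m[1].toLowerCase().replace(/\.$/, ""); // drop FQDN trailing dot
  return { hostname, port: m[2] === undefined ? null : Number(m[2]) };
}

// Decide whether a request may proceed, given what the server is bound to.
function checkHost(hostHeader, bindAddress, bindPort) {
  // The guard applies to loopback binds only; other binds are out of scope here.
  if (!LOOPBACK_BINDS.has(bindAddress)) return { ok: true };
  const parsed = parseHostHeader(hostHeader);
  const ok =
    parsed !== null &&
    LOOPBACK_HOSTNAMES.has(parsed.hostname) &&
    (parsed.port === null || parsed.port === bindPort); // a stated port must match
  if (ok) return { ok: true };
  return {
    ok: false,
    status: 403,
    // Envelope shape is an assumption modelled on OpenAI-style error bodies.
    body: { error: { message: "Host not allowed", type: "invalid_request_error", code: "invalid_host" } },
  };
}

// Constructed sample Host values, as a browser or local client might send them.
const samples = [
  "localhost:8787", "127.0.0.1:8787", "[::1]:8787", "LOCALHOST.:8787",
  "rebind.attacker.example:8787", "127.0.0.1.attacker.example:8787",
  "localhost:9999", "localhost@attacker.example", undefined,
];
for (const host of samples) {
  const r = checkHost(host, "127.0.0.1", 8787);
  console.log(String(host).padEnd(34), r.ok ? "200 pass" : `${r.status} ${r.body.error.code}`);
}
```
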