Releases: keyqcloud/kyte-shipyard
Release list
kyte-shipyard v2.3.0
Fix: password reset works in JWT mode (KYTE-#268)
Shipyard is platform-level — it initializes the Kyte client with no applicationId — so in JWT mode its anonymous password-reset calls could ride neither the legacy HMAC-anonymous path nor the v4.11.0 AppContextStrategy (which requires an x-kyte-appid). Result: password reset was broken on JWT-mode Shipyard (the request failed closed before ever reaching the server).
reset.js and password.js now call the dedicated kyte-php endpoints when in JWT mode (_ks.authMode === 'jwt'), mirroring how login already works appid-less:
- request reset →
POST /jwt/password-reset(no-reveal UX unchanged: same message whether or not the email exists) - token check on password.html →
POST /jwt/password-validate(invalid/expired → redirect to/, as before) - set new password →
POST /jwt/password-update(server also revokes every refresh-token session for the user)
HMAC mode keeps the existing KytePasswordReset model-CRUD calls untouched. Requires kyte-php v4.11.0+ for the /jwt/password-* endpoints.
Fix: password page UI bugs (surfaced during #268 QA)
- The show/hide-password eye icons on password.html threw
ReferenceError: togglePassword is not definedon every click in every deployment — the handler was scoped inside theKyteInitializedlistener while the HTML wires it via inlineonclick. Now exposed globally. - A failed password update displayed
[object Object]—showErrorrendered the HMAC error-callback object directly. It now extracts the message string.
kyte-shipyard v2.2.0
Improvement: show the file path under the name in the IDE explorer
Pages and scripts in the IDE file tree now show their path (s3key) in a muted second line under the file name. Same-named files (common for pages) are now distinguishable at a glance without having to open each one. The full path is also available as a hover tooltip.
Feature: "Republish all pages" + per-page republish result (KYTE-#181)
Pairs with kyte-php v4.8.1, which makes the republish hook fault-isolated and returns a republish_summary. On the app configuration page:
- A "Republish all pages" button (on the Authentication Mode card) — an explicit recovery action that re-stamps and re-deploys every published page with the current Kyte Connect code, then reports the result. Useful when an auto-republish half-completed.
- The per-page result is now surfaced: the auth-mode flip / kyte-connect update and the new button all read
republish_summaryand show how many pages succeeded/failed (failures are listed and logged to the console) — instead of a blind "it worked" toast.
Feature: Publish action in the IDE (KYTE-#189)
The in-app IDE could only Save (which persists content); there was no way to publish from it. Added a Publish action for publishable file types (pages and scripts — the ones that deploy to S3):
- A green rocket button in the IDE tab bar, shown only when the active file is a page or script.
- Ctrl+Shift+S keyboard shortcut (Save remains Ctrl+S); added to the welcome-screen shortcut list.
- Publishing sends
state=1alongside the content, so the backend runs its normal publish path (page →publishPage→ S3 + CloudFront; script →handleScriptPublication→ S3) and creates a version with the change summary. Unlike Save, Publish is allowed even when the file isn't dirty (re-deploy current content), and it persists any pending edits in the same request.
Pairs with kyte-php v4.8.1 (block_layout partial-save guard). The "IDE save didn't persist" issue from #189 was already fixed by kyte-php v4.8.0.
kyte-shipyard v2.1.0
Change: remove JavaScript obfuscation (pairs with kyte-php v4.7.0 — KYTE-#191)
Shipyard was the client-side obfuscation engine: it loaded the javascript-obfuscator CDN library and ran JavaScriptObfuscator.obfuscate(...) on customer page/script/section JS and the app kyte_connect string before sending the obfuscated copy to the API. Obfuscation has no real security value (client JS is readable in the browser), bloats stored content, and has had WAFs/firewalls block legitimate obfuscated JS. No customer asked for it.
This release removes obfuscation generation entirely:
- Obfuscation engine removed from the page code editor, block editor, script editor, section editor, and application/configuration screens. The
javascript-obfuscatorCDN<script>include is dropped from all 9 HTML pages that carried it. - Payloads now send plain source. The
*_obfuscatedfields (javascript_obfuscated,content_js_obfuscated,kyte_connect_obfuscated) are still sent but as empty strings, and theobfuscate_js/obfuscate_kyte_connectflags are sent as0. (Sending the keys — empty — keeps kyte-php's content-save guards satisfied during mixed-version rollout; kyte-php drops the columns in a later release.) - UI removed: the obfuscation toggles on the page/script/section editors and the "Kyte Connect Obfuscation" settings card (and its Save button) on the app configuration page, plus the now-unused obfuscation i18n keys across en/es/ja/ko.
- Editor fixes: the obfuscation field is removed from the unsaved-changes (dirty) checks in the page and script editors — left in, it would have falsely reported "unsaved changes" once the toggle was gone (
parseInt(undefined)→NaN/0mismatch).
Pairs with kyte-php v4.7.0 (which always serves plain JS and stops versioning on obfuscated content — resolving the #188 version-bloat bug). Forward/backward compatible with either kyte-php version during rollout. Minification is unrelated and unaffected (esbuild still minifies Shipyard's own bundles).
kyte-shipyard v2.0.1
Bug Fix: auth_mode toggle was republishing pages with the OLD (HMAC) connect string
In 2.0.0, the auth_mode toggle on /app/configuration.html called updateKyteConnectCode(_ks) (which sets republish_kyte_connect=1 on the Application — the same path the obfuscation toggle uses for backend page-republish). But it did so BEFORE regenerating systemKyteCode against the new app.auth_mode. Result: the server triggered republish, but with the stale HMAC-shape connect string. Operators flipped HMAC → JWT in the UI, the "republish" message said it worked, but the pages out there still embedded the HMAC new Kyte(...) call.
Fix: call initializeKyteConnectComparison() (which regenerates systemKyteCode from the now-updated app.auth_mode) BEFORE updateKyteConnectCode(_ks). The republish now carries the correct shape.
User-visible effect: flipping the Authentication Mode toggle and clicking Save now actually republishes every page with the new connect string. No need to manually republish each page through the page editor.
kyte-shipyard v2.0.0
Breaking Change: default to JWT bearer authentication
Shipyard's self-auth now defaults to JWT bearer tokens (kyte-php Phase 3) instead of static HMAC credentials in kyte-connect.js. The kyte-api-js v2 library handles /jwt/login, refresh-token rotation, and bearer header attachment internally — no other call sites change. login.js, isSession, sessionDestroy etc. continue to use the same _ks.* methods.
To upgrade an existing install:
Option A — Migrate to JWT (recommended)
- Ensure your kyte-php backend is v4.4.0+ with
AUTH_STRATEGY_DISPATCHER='on'andKYTE_JWT_SECRETdefined in config.php (128 hex chars recommended) - Reduce your
kyte-connect.jsto a single line:No publickey / identifier / account / HMAC creds required.let endpoint = 'https://your-kyte-api.example.com';
Option B — Pin to legacy HMAC
Add let authMode = 'hmac'; to your existing kyte-connect.js alongside the existing publickey / identifier / account globals. Shipyard continues exactly as before.
See assets/js/source/kyte-connect.example.js for a template covering both modes.
Sensitive Flags (Phase 2.5 — merged from feature/sensitive-flag-ui)
Sensitive checkbox controls on the create forms for Controller, DataModel, and ModelAttribute. Pairs with the kyte-php three-tier sensitive flag enforcement (drop bodies from activity logs, gate MCP read tools, suppress AI error context). See kyte-php v4.4.0 CHANGELOG for the full server-side semantics.
Sensitive toggle on existing records (detail/edit views) lands in a follow-up release — see Tempo card #166.
JWT-aware page generation (Phase 3 — merged from feature/jwt-aware-page-generation)
- Auth Mode selector on the Application create form (hmac / jwt). The selection drives generated-page connect-string shape via
kyte-shipyard-application.js,kyte-shipyard-application-configuration.js, andkyte-shipyard-page-wizard.js. - Generated pages get the v2 constructor when
auth_mode='jwt':new Kyte(endpoint, null, null, null, app_identifier, { authMode: 'jwt' })
- HMAC apps continue with the v1 four-arg constructor.
update-kyte-loading.pyscript and the pre-login HTML pages (index.html,password.html,reset.html,error.html) gain conditionalkyte.jsloading for localhost dev vs CDN prod.
Modernization
- Build pipeline: switched from
javascript-obfuscatortoesbuildvianpm run build. Outputs are ~50–65% smaller than the previous obfuscated artifacts and emit source maps (.js.map) for prod debuggability. Obfuscation never provided real security — HMAC creds in kyte-connect.js were trivially extractable via DevTools — so the size + debug win has no security downside. - CI builds in-pipeline:
.github/workflows/deploy.ymlnow runsnpm ci && npm run buildon tag push. Previously assumed artifacts were already committed; that risked shipping stale builds whenever someone tagged without running release.sh locally. - GitHub Releases: tag push creates a GitHub Release with notes extracted from this CHANGELOG and the kyte-shipyard.zip bundle attached.
release.shpre-flight gates: enforces CHANGELOG section match, KS_VERSION match, clean working tree, onmain, in-sync with origin, tag doesn't already exist. Fixes the prior1=typo that silently passed all version mismatches.assets/js/*.jsartifacts removed from git: source inassets/js/source/is the only tracked JS. Top-level*.jsand*.js.mapare produced bynpm run buildand shipped to S3 from CI. Eliminates artifact drift, oversized PR diffs, and merge conflicts on generated files.obfuscate.shremoved: replaced by esbuild.kyte-connect.example.jstemplate added underassets/js/source/documenting both JWT and HMAC modes.
Build dependency
Adds esbuild as a devDependency. CI uses Node 24 (matches kyte-php's release pipeline). Local dev: npm install once, then npm run build or npm run watch.