Skip to content

Releases: keyqcloud/kyte-shipyard

kyte-shipyard v2.3.0

Choose a tag to compare

@github-actions github-actions released this 23 Jun 06:00
dca334f

Fix: password reset works in JWT mode (KYTE-#268)

Shipyard is platform-level — it initializes the Kyte client with no applicationId — so in JWT mode its anonymous password-reset calls could ride neither the legacy HMAC-anonymous path nor the v4.11.0 AppContextStrategy (which requires an x-kyte-appid). Result: password reset was broken on JWT-mode Shipyard (the request failed closed before ever reaching the server).

reset.js and password.js now call the dedicated kyte-php endpoints when in JWT mode (_ks.authMode === 'jwt'), mirroring how login already works appid-less:

  • request reset → POST /jwt/password-reset (no-reveal UX unchanged: same message whether or not the email exists)
  • token check on password.html → POST /jwt/password-validate (invalid/expired → redirect to /, as before)
  • set new password → POST /jwt/password-update (server also revokes every refresh-token session for the user)

HMAC mode keeps the existing KytePasswordReset model-CRUD calls untouched. Requires kyte-php v4.11.0+ for the /jwt/password-* endpoints.

Fix: password page UI bugs (surfaced during #268 QA)

  • The show/hide-password eye icons on password.html threw ReferenceError: togglePassword is not defined on every click in every deployment — the handler was scoped inside the KyteInitialized listener while the HTML wires it via inline onclick. Now exposed globally.
  • A failed password update displayed [object Object]showError rendered the HMAC error-callback object directly. It now extracts the message string.

kyte-shipyard v2.2.0

Choose a tag to compare

@github-actions github-actions released this 01 Jun 00:19
a122722

Improvement: show the file path under the name in the IDE explorer

Pages and scripts in the IDE file tree now show their path (s3key) in a muted second line under the file name. Same-named files (common for pages) are now distinguishable at a glance without having to open each one. The full path is also available as a hover tooltip.

Feature: "Republish all pages" + per-page republish result (KYTE-#181)

Pairs with kyte-php v4.8.1, which makes the republish hook fault-isolated and returns a republish_summary. On the app configuration page:

  • A "Republish all pages" button (on the Authentication Mode card) — an explicit recovery action that re-stamps and re-deploys every published page with the current Kyte Connect code, then reports the result. Useful when an auto-republish half-completed.
  • The per-page result is now surfaced: the auth-mode flip / kyte-connect update and the new button all read republish_summary and show how many pages succeeded/failed (failures are listed and logged to the console) — instead of a blind "it worked" toast.

Feature: Publish action in the IDE (KYTE-#189)

The in-app IDE could only Save (which persists content); there was no way to publish from it. Added a Publish action for publishable file types (pages and scripts — the ones that deploy to S3):

  • A green rocket button in the IDE tab bar, shown only when the active file is a page or script.
  • Ctrl+Shift+S keyboard shortcut (Save remains Ctrl+S); added to the welcome-screen shortcut list.
  • Publishing sends state=1 alongside the content, so the backend runs its normal publish path (page → publishPage → S3 + CloudFront; script → handleScriptPublication → S3) and creates a version with the change summary. Unlike Save, Publish is allowed even when the file isn't dirty (re-deploy current content), and it persists any pending edits in the same request.

Pairs with kyte-php v4.8.1 (block_layout partial-save guard). The "IDE save didn't persist" issue from #189 was already fixed by kyte-php v4.8.0.

kyte-shipyard v2.1.0

Choose a tag to compare

@github-actions github-actions released this 30 May 09:56
0d65c6b

Change: remove JavaScript obfuscation (pairs with kyte-php v4.7.0 — KYTE-#191)

Shipyard was the client-side obfuscation engine: it loaded the javascript-obfuscator CDN library and ran JavaScriptObfuscator.obfuscate(...) on customer page/script/section JS and the app kyte_connect string before sending the obfuscated copy to the API. Obfuscation has no real security value (client JS is readable in the browser), bloats stored content, and has had WAFs/firewalls block legitimate obfuscated JS. No customer asked for it.

This release removes obfuscation generation entirely:

  • Obfuscation engine removed from the page code editor, block editor, script editor, section editor, and application/configuration screens. The javascript-obfuscator CDN <script> include is dropped from all 9 HTML pages that carried it.
  • Payloads now send plain source. The *_obfuscated fields (javascript_obfuscated, content_js_obfuscated, kyte_connect_obfuscated) are still sent but as empty strings, and the obfuscate_js / obfuscate_kyte_connect flags are sent as 0. (Sending the keys — empty — keeps kyte-php's content-save guards satisfied during mixed-version rollout; kyte-php drops the columns in a later release.)
  • UI removed: the obfuscation toggles on the page/script/section editors and the "Kyte Connect Obfuscation" settings card (and its Save button) on the app configuration page, plus the now-unused obfuscation i18n keys across en/es/ja/ko.
  • Editor fixes: the obfuscation field is removed from the unsaved-changes (dirty) checks in the page and script editors — left in, it would have falsely reported "unsaved changes" once the toggle was gone (parseInt(undefined)NaN/0 mismatch).

Pairs with kyte-php v4.7.0 (which always serves plain JS and stops versioning on obfuscated content — resolving the #188 version-bloat bug). Forward/backward compatible with either kyte-php version during rollout. Minification is unrelated and unaffected (esbuild still minifies Shipyard's own bundles).

kyte-shipyard v2.0.1

Choose a tag to compare

@github-actions github-actions released this 22 May 17:43
ea13d2d

Bug Fix: auth_mode toggle was republishing pages with the OLD (HMAC) connect string

In 2.0.0, the auth_mode toggle on /app/configuration.html called updateKyteConnectCode(_ks) (which sets republish_kyte_connect=1 on the Application — the same path the obfuscation toggle uses for backend page-republish). But it did so BEFORE regenerating systemKyteCode against the new app.auth_mode. Result: the server triggered republish, but with the stale HMAC-shape connect string. Operators flipped HMAC → JWT in the UI, the "republish" message said it worked, but the pages out there still embedded the HMAC new Kyte(...) call.

Fix: call initializeKyteConnectComparison() (which regenerates systemKyteCode from the now-updated app.auth_mode) BEFORE updateKyteConnectCode(_ks). The republish now carries the correct shape.

User-visible effect: flipping the Authentication Mode toggle and clicking Save now actually republishes every page with the new connect string. No need to manually republish each page through the page editor.

kyte-shipyard v2.0.0

Choose a tag to compare

@github-actions github-actions released this 22 May 15:57
35f6c7d

Breaking Change: default to JWT bearer authentication

Shipyard's self-auth now defaults to JWT bearer tokens (kyte-php Phase 3) instead of static HMAC credentials in kyte-connect.js. The kyte-api-js v2 library handles /jwt/login, refresh-token rotation, and bearer header attachment internally — no other call sites change. login.js, isSession, sessionDestroy etc. continue to use the same _ks.* methods.

To upgrade an existing install:

Option A — Migrate to JWT (recommended)

  1. Ensure your kyte-php backend is v4.4.0+ with AUTH_STRATEGY_DISPATCHER='on' and KYTE_JWT_SECRET defined in config.php (128 hex chars recommended)
  2. Reduce your kyte-connect.js to a single line:
    let endpoint = 'https://your-kyte-api.example.com';
    No publickey / identifier / account / HMAC creds required.

Option B — Pin to legacy HMAC

Add let authMode = 'hmac'; to your existing kyte-connect.js alongside the existing publickey / identifier / account globals. Shipyard continues exactly as before.

See assets/js/source/kyte-connect.example.js for a template covering both modes.

Sensitive Flags (Phase 2.5 — merged from feature/sensitive-flag-ui)

Sensitive checkbox controls on the create forms for Controller, DataModel, and ModelAttribute. Pairs with the kyte-php three-tier sensitive flag enforcement (drop bodies from activity logs, gate MCP read tools, suppress AI error context). See kyte-php v4.4.0 CHANGELOG for the full server-side semantics.

Sensitive toggle on existing records (detail/edit views) lands in a follow-up release — see Tempo card #166.

JWT-aware page generation (Phase 3 — merged from feature/jwt-aware-page-generation)

  • Auth Mode selector on the Application create form (hmac / jwt). The selection drives generated-page connect-string shape via kyte-shipyard-application.js, kyte-shipyard-application-configuration.js, and kyte-shipyard-page-wizard.js.
  • Generated pages get the v2 constructor when auth_mode='jwt':
    new Kyte(endpoint, null, null, null, app_identifier, { authMode: 'jwt' })
  • HMAC apps continue with the v1 four-arg constructor.
  • update-kyte-loading.py script and the pre-login HTML pages (index.html, password.html, reset.html, error.html) gain conditional kyte.js loading for localhost dev vs CDN prod.

Modernization

  • Build pipeline: switched from javascript-obfuscator to esbuild via npm run build. Outputs are ~50–65% smaller than the previous obfuscated artifacts and emit source maps (.js.map) for prod debuggability. Obfuscation never provided real security — HMAC creds in kyte-connect.js were trivially extractable via DevTools — so the size + debug win has no security downside.
  • CI builds in-pipeline: .github/workflows/deploy.yml now runs npm ci && npm run build on tag push. Previously assumed artifacts were already committed; that risked shipping stale builds whenever someone tagged without running release.sh locally.
  • GitHub Releases: tag push creates a GitHub Release with notes extracted from this CHANGELOG and the kyte-shipyard.zip bundle attached.
  • release.sh pre-flight gates: enforces CHANGELOG section match, KS_VERSION match, clean working tree, on main, in-sync with origin, tag doesn't already exist. Fixes the prior 1= typo that silently passed all version mismatches.
  • assets/js/*.js artifacts removed from git: source in assets/js/source/ is the only tracked JS. Top-level *.js and *.js.map are produced by npm run build and shipped to S3 from CI. Eliminates artifact drift, oversized PR diffs, and merge conflicts on generated files.
  • obfuscate.sh removed: replaced by esbuild.
  • kyte-connect.example.js template added under assets/js/source/ documenting both JWT and HMAC modes.

Build dependency

Adds esbuild as a devDependency. CI uses Node 24 (matches kyte-php's release pipeline). Local dev: npm install once, then npm run build or npm run watch.