
Releases: danilopatrial/sooket

v0.1.3

14 Jun 22:33


Hardening + new-node release addressing a middleware-engineer review punch list. Single-process design unchanged.

New nodes

  • OpenAI node (OpenAI-compatible, configurable baseURL → OpenAI/Together/Groq/OpenRouter/Ollama/LM Studio)
  • OAuth2 Token node (client-credentials grant with token caching/refresh)
  • Schema Validator node (dependency-free JSON Schema draft-07 subset, validate-and-reject)

API & observability

  • Idempotency-Key support on POST /api/v1/chat (safe retries)
  • Prometheus GET /api/metrics endpoint
  • DB readiness probe: GET /api/health?ready=1
  • Anthropic node max_tokens now configurable (was hard-coded 8192)

Security

  • sk-wf-* API keys hashed at rest (SHA-256; migration 014)
  • SSRF egress guard on HTTP Request / Webhook nodes (opt out via SOOKET_ALLOW_PRIVATE_EGRESS)
  • Custom Code node (node:vm) hardened against constructor-chain escape
  • Constant-time webhook token comparison
  • PBKDF2 memoised + raised to 600k iterations
  • CORS deny-by-default (opt in via CORS_ORIGIN)
  • Execution errors sanitised at the public API boundary

Resilience & engine

  • Wall-clock execution deadline + queue-wait timeout
  • Graph recursion-depth guard
  • Shared sliding-window rate limiter (closes the boundary-burst hole)
  • SQLite busy_timeout for write contention

Fixes

  • Docker image builds on glibc base; lazy onnxruntime load; skip puppeteer Chrome download
  • Execution server uses per-request CORS headers after the CORS refactor

See TODO.md for the full review and per-item notes.

v0.1.2

10 Jun 18:46


Sooket v0.1.2

Install and run straight from npm.

What's new

  • npx sooket — Sooket is now installable and runnable from npm, no clone needed. The CLI starts the full server (sooket) or the standalone execution server (sooket execution-server); see npx sooket --help for ports and host binding. Data (SQLite database + a generated encryption secret) lives in ~/.sooket, overridable with SOOKET_DATA_DIR. The package ships a prebuilt production .next, built in isolation so no local data or secrets can leak into the tarball.
  • Crashes are no longer silent: the CLI previously turned a signal-killed server (e.g. SIGBUS from a truncated native module after an interrupted npx install) into a clean exit 0 right after "Ready". Signal deaths now exit 128+n, name the signal, and print a corrupted-install hint for crash signals (SIGBUS/SIGSEGV/SIGILL/SIGABRT/SIGFPE).
  • Install troubleshooting docs: README now covers the system-wide libvips/sharp build failure (SHARP_IGNORE_GLOBAL_LIBVIPS=1) and how a failed install can poison the npx cache (rm -rf ~/.npm/_npx).

Requires Node.js ≥ 22.5. Loopback bind remains the default security model — see the v0.1.1 notes for the optional SOOKET_AUTH_TOKEN gate.

License: source-available under FSL-1.1-MIT (converts to MIT two years after release).

v0.1.1

07 Jun 12:13


Sooket v0.1.1

Optional auth for the management surface.

What's new

  • Shared-secret auth gate (opt-in): set SOOKET_AUTH_TOKEN to require a secret on the management API + dashboard. Programmatic callers send Authorization: Bearer <token>; the browser unlocks once at /unlock. Enforced centrally in proxy.ts; all token checks are constant-time. Public routes (/api/v1/*, /api/webhooks/*, /api/health, /unlock) stay open, and the management-key-gated admin backup is exempt. Unset = open (the historical default).
  • Exposure warning (always on): a loud startup banner now fires when the server binds to a non-loopback host without SOOKET_AUTH_TOKEN, in both the Next.js and execution-server processes.
  • CI now runs on pushes to dev as well as main.

Still no per-user accounts — this is a single shared secret for self-hosted exposure, not a multi-user auth system. Loopback bind remains the default security model.

License: source-available under FSL-1.1-MIT (converts to MIT two years after release).

v0.1.0

06 Jun 18:06


Sooket v0.1.0

Build API middleware on a canvas, run it inline in the request path.

A self-hosted visual canvas for the logic that sits between a caller and your API — rate limiting, auth checks, PII redaction, caching, LLM calls, request/response shaping — exposed as a single synchronous HTTP endpoint.

Highlights

  • Visual React Flow canvas: auto-insert-into-edge, per-node config, live sandbox testing
  • 45 nodes across AI, request, external, format, logic, transform, and static families
  • Inline execution: POST /api/v1/chat runs the graph synchronously and returns the result
  • Token-gated webhooks per workflow (/api/webhooks/[slug])
  • Per-workflow sk-wf-* API keys with scopes, rate-limit overrides, expiry, 30-day stats
  • Encrypted secrets (AES-GCM + PBKDF2) for provider keys, credentials, variables
  • Versioning (50-snapshot cap), per-request/per-node logs, paginated execution history
  • Self-hosted: single Next.js process + local SQLite; Docker Compose included; no cloud

Requirements

Node ≥ 22 (uses the built-in node:sqlite). See the README and docs/.

Security: the management API is unauthenticated by design and binds to 127.0.0.1 — don't expose it to an untrusted network without an authenticating reverse proxy.

License: source-available under FSL-1.1-MIT (converts to MIT two years after release).