Skip to content

chore: version packages#1989

Merged
pikonha merged 1 commit into
devfrom
changeset-release/dev
Jul 2, 2026
Merged

chore: version packages#1989
pikonha merged 1 commit into
devfrom
changeset-release/dev

Conversation

@github-actions

@github-actions github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to dev, this PR will be updated.

Releases

@anticapture/client@1.4.0

Minor Changes

  • #1971 4a85cf4 Thanks @brunod-e! - Per-tenant API tokens (DEV-758): new Authful service issues, validates and revokes tenant tokens (sha256-only storage, manual minting); Gateful gains an optional token-auth middleware with Redis-cached validation, per-token rate limiting and per-tenant request metrics exposed on its /metrics endpoint (Prometheus counter tenant_requests_total{tenant, route}), enabled via TOKEN_SERVICE_URL (legacy BLOCKFUL_API_TOKEN behavior unchanged when unset). The MCP server can forward the caller's Authorization header to Gateful via FORWARD_CLIENT_AUTH=true; in that mode the shared ANTICAPTURE_API_KEY is never attached, so unauthenticated requests get a per-tenant 401 instead of riding the shared key.

  • #1971 e57bf06 Thanks @brunod-e! - MCP server can now forward each caller's own Authorization header to the upstream Gateful API (enable with FORWARD_CLIENT_AUTH=true), laying the groundwork for per-tenant tokens with rate limiting and usage tracking. Disabled by default; existing shared-key behavior is unchanged.

  • #1993 add9bd1 Thanks @caveman-eth! - Surface ENS social records and EFP stats for addresses.

    • address-enrichment now reads the EFP /details endpoint, capturing the ENS com.twitter, org.telegram, email, and com.github text records plus EFP follower/following counts. These are exposed under ens (socials) and a new efp object, cached under the existing ENS TTL. EFP counts are returned even when the address has no primary ENS name.
    • The Holders & Delegates drawer header now shows follower/following counts (linked to the EFP profile) and social links (X, Telegram, GitHub, email) for the selected address.
  • #1971 2dea74c Thanks @brunod-e! - The MCP HTTP server no longer does an equality check against the shared ANTICAPTURE_MCP_API_KEY (now removed). Token validation is delegated to Gateful: callers present their own per-tenant token, which the MCP server forwards upstream (FORWARD_CLIENT_AUTH=true) for Gateful's tokenAuthMiddleware to validate and attribute per tenant. Validation is intentionally not duplicated at the MCP layer — Gateful owns it, including the Redis cache and fail-open fallback that keep cache-warm tenants serving through an Authful restart.

Patch Changes

  • #1971 51e110a Thanks @brunod-e! - Standardize environment-variable handling to match the API module. The MCP server now loads .env via dotenv and validates PORT, HOST, ANTICAPTURE_API_URL, ANTICAPTURE_API_KEY, and FORWARD_CLIENT_AUTH through a single zod schema instead of ad-hoc process.env reads. Authful's env parsing switches to the same safeParse + friendly-error pattern and folds TOKEN_PLAINTEXT into the schema so the mint script no longer reads process.env directly. Gateful now normalizes TOKEN_SERVICE_URL (trailing-slash trimming) in its zod env schema rather than manually inside AuthfulClient.

  • #1995 172558c Thanks @pikonha! - Resolve the Gateful OpenAPI spec from the matching PR-preview Gateful on Vercel previews (derived from VERCEL_GIT_PULL_REQUEST_ID), so codegen-dependent builds (e.g. dashboard/storybook) no longer fail with "Config failed loading" when neither ANTICAPTURE_API_URL nor RAILWAY_ENVIRONMENT_NAME is set.

  • #1995 eaacf28 Thanks @pikonha! - Drop the shared-dev-Gateful fallback for untrusted/fork Vercel PR previews. Those previews get no PR-scoped Railway service, so they can never reflect a PR's API/Gateful changes — pointing them at dev-gateful only produced a misleading preview. The dashboard next.config.ts and the @anticapture/client Gateful OpenAPI spec resolver now rely solely on an explicit ANTICAPTURE_API_URL (injected by CI for trusted PRs / set on dev & production) or a Railway PR-preview environment; anything else throws instead of silently falling back.

  • #1994 d94129c Thanks @PedroBinotto! - Remove the transitional single shared-token auth path now that per-tenant Authful auth is fully rolled out. Gateful drops the legacy BLOCKFUL_API_TOKEN bearerAuth fallback (and the BLOCKFUL_API_TOKEN env var it read); per-tenant token auth via TOKEN_SERVICE_URL is the only auth mode. The @anticapture/client package drops an orphaned, never-imported AuthfulClient (MCP token validation is delegated to Gateful, not performed in-process).

@anticapture/address-enrichment@1.1.0

Minor Changes

  • #1993 add9bd1 Thanks @caveman-eth! - Surface ENS social records and EFP stats for addresses.
    • address-enrichment now reads the EFP /details endpoint, capturing the ENS com.twitter, org.telegram, email, and com.github text records plus EFP follower/following counts. These are exposed under ens (socials) and a new efp object, cached under the existing ENS TTL. EFP counts are returned even when the address has no primary ENS name.
    • The Holders & Delegates drawer header now shows follower/following counts (linked to the EFP profile) and social links (X, Telegram, GitHub, email) for the selected address.

Patch Changes

@anticapture/api@1.5.0

Minor Changes

  • #2002 451db65 Thanks @pikonha! - Integrate Tornado Cash DAO (TORN): custom stake-to-vote indexer (lock-based delegated supply, timestamp governance), timestamp-based proposal-status API client, and dashboard config/icon.

Patch Changes

  • #2002 2f0aca6 Thanks @pikonha! - Return unsupported-offchain errors consistently across offchain proposal and vote routes.

  • #2002 873bb45 Thanks @pikonha! - Normalize TORN lock/unlock transfer direction in voting-power history so the locker (not the custody contract) is shown as the delegator.

  • #2002 2fc7174 Thanks @pikonha! - Fix TORN historical voting power rows being rendered as bogus zero-address delegations. TORN derives voting power directly from Transfers, so each history row shares the Transfer's log index, which the generic repository's strict < join never matched. Added a dedicated TORN voting-power repository that links the causing event at logIndex <= row logIndex. Dashboard also formats the auto-delegation fallback amount instead of dumping the raw delta.

@anticapture/authful@0.2.0

Minor Changes

  • #2000 1e6c3fb Thanks @PedroBinotto! - On Railway PR previews (RAILWAY_ENVIRONMENT_NAME other than dev/production) the service now seeds a fixed token from the required SEED_TOKEN_PLAINTEXT env var on boot — idempotently, so it survives restarts — giving the rest of the preview stack a known key to authenticate with. The seeding capability is internal only; the admin API still mints exclusively with server-generated values.

  • #1971 4a85cf4 Thanks @brunod-e! - Per-tenant API tokens (DEV-758): new Authful service issues, validates and revokes tenant tokens (sha256-only storage, manual minting); Gateful gains an optional token-auth middleware with Redis-cached validation, per-token rate limiting and per-tenant request metrics exposed on its /metrics endpoint (Prometheus counter tenant_requests_total{tenant, route}), enabled via TOKEN_SERVICE_URL (legacy BLOCKFUL_API_TOKEN behavior unchanged when unset). The MCP server can forward the caller's Authorization header to Gateful via FORWARD_CLIENT_AUTH=true; in that mode the shared ANTICAPTURE_API_KEY is never attached, so unauthenticated requests get a per-tenant 401 instead of riding the shared key.

Patch Changes

  • #1971 dd8756c Thanks @brunod-e! - Add project-standard observability to Authful: structured Pino request logging, OpenTelemetry metrics/tracing via @anticapture/observability, an HTTP request-duration histogram, and a public /metrics Prometheus endpoint. Instrumentation is emitted as its own bundle entry and loaded with node --import so it registers before pg/http are required.

  • #1971 858d286 Thanks @brunod-e! - Mark request bodies as required on the Authful POST /tokens and /validate routes. Without it, @hono/zod-openapi skips validation and substitutes an empty body when a request omits the JSON content-type — letting POST /tokens mint a token with a null tenant (NOT NULL violation / 500) instead of returning a 400. Malformed and empty bodies are now rejected with 400.

  • #1971 51e110a Thanks @brunod-e! - Standardize environment-variable handling to match the API module. The MCP server now loads .env via dotenv and validates PORT, HOST, ANTICAPTURE_API_URL, ANTICAPTURE_API_KEY, and FORWARD_CLIENT_AUTH through a single zod schema instead of ad-hoc process.env reads. Authful's env parsing switches to the same safeParse + friendly-error pattern and folds TOKEN_PLAINTEXT into the schema so the mint script no longer reads process.env directly. Gateful now normalizes TOKEN_SERVICE_URL (trailing-slash trimming) in its zod env schema rather than manually inside AuthfulClient.

@anticapture/dashboard@2.7.0

Minor Changes

  • #1997 8ed6328 Thanks @brunod-e! - feat(create-proposal): recursive calldata builder covering every Solidity type (arrays, fixed/multidimensional, tuples/structs, nested) with two-way paste & decode and a live encoded-calldata preview; debounced contract-address validation; "Duplicate action" alongside edit/delete; and improved transfer UX — treasury "Max", always-visible helper text, per-token USD via CoinGecko, and a clearer selected-token state.

  • #1993 add9bd1 Thanks @caveman-eth! - Surface ENS social records and EFP stats for addresses.

    • address-enrichment now reads the EFP /details endpoint, capturing the ENS com.twitter, org.telegram, email, and com.github text records plus EFP follower/following counts. These are exposed under ens (socials) and a new efp object, cached under the existing ENS TTL. EFP counts are returned even when the address has no primary ENS name.
    • The Holders & Delegates drawer header now shows follower/following counts (linked to the EFP profile) and social links (X, Telegram, GitHub, email) for the selected address.
  • #2009 36992d7 Thanks @Zeugh-eth! - support Tornado Cash proposal creation

  • #1990 5cb8a21 Thanks @brunod-e! - Shareable proposal drafts: add an Editor/Preview toggle, a read-only draft preview, and a recipient flow for shared draft links — publish the draft on-chain or edit it to fork your own copy.

  • #2012 3031315 Thanks @PedroBinotto! - Render Tornado Cash proposal descriptions as Markdown (unwrapping the stringified-JSON body) and show a proposal Info card on the Actions tab for proposals without executable actions.

  • #2002 412b9e8 Thanks @pikonha! - Make TORN vote recasting reachable (show "Change your vote" on already-voted onchain proposals when the DAO allows changing votes) and hide the Abstain option for Tornado Cash, whose binary governor rejects abstain votes.

  • #2002 451db65 Thanks @pikonha! - Integrate Tornado Cash DAO (TORN): custom stake-to-vote indexer (lock-based delegated supply, timestamp governance), timestamp-based proposal-status API client, and dashboard config/icon.

Patch Changes

  • #2015 196de31 Thanks @pikonha! - Fix proposal descriptions rendering blank for DAOs (e.g. Compound) whose on-chain descriptions use escaped \n newlines, by normalizing them to real line breaks for display.

  • #1995 eaacf28 Thanks @pikonha! - Drop the shared-dev-Gateful fallback for untrusted/fork Vercel PR previews. Those previews get no PR-scoped Railway service, so they can never reflect a PR's API/Gateful changes — pointing them at dev-gateful only produced a misleading preview. The dashboard next.config.ts and the @anticapture/client Gateful OpenAPI spec resolver now rely solely on an explicit ANTICAPTURE_API_URL (injected by CI for trusted PRs / set on dev & production) or a Railway PR-preview environment; anything else throws instead of silently falling back.

  • #2011 acdaf82 Thanks @brunod-e! - fix(dashboard): use dynamic viewport height (dvh) for the app/whitelabel shells so the sticky bottom action bar (e.g. create-proposal Publish/Save Draft) is no longer hidden behind the mobile browser's bottom toolbar.

  • #2002 2fc7174 Thanks @pikonha! - Fix TORN historical voting power rows being rendered as bogus zero-address delegations. TORN derives voting power directly from Transfers, so each history row shares the Transfer's log index, which the generic repository's strict < join never matched. Added a dedicated TORN voting-power repository that links the causing event at logIndex <= row logIndex. Dashboard also formats the auto-delegation fallback amount instead of dumping the raw delta.

  • Updated dependencies [4a85cf4, e57bf06, add9bd1, 51e110a, 172558c, 2dea74c, eaacf28, d94129c]:

    • @anticapture/client@1.4.0

@anticapture/gateful@1.2.0

Minor Changes

  • #1971 4a85cf4 Thanks @brunod-e! - Per-tenant API tokens (DEV-758): new Authful service issues, validates and revokes tenant tokens (sha256-only storage, manual minting); Gateful gains an optional token-auth middleware with Redis-cached validation, per-token rate limiting and per-tenant request metrics exposed on its /metrics endpoint (Prometheus counter tenant_requests_total{tenant, route}), enabled via TOKEN_SERVICE_URL (legacy BLOCKFUL_API_TOKEN behavior unchanged when unset). The MCP server can forward the caller's Authorization header to Gateful via FORWARD_CLIENT_AUTH=true; in that mode the shared ANTICAPTURE_API_KEY is never attached, so unauthenticated requests get a per-tenant 401 instead of riding the shared key.

  • #1995 4d7d667 Thanks @pikonha! - Gateful /health now returns 503 unless every configured DAO API, relayer, and address-enrichment service responds on /health.

  • #1996 f5b9f24 Thanks @PedroBinotto! - Protect the public /metrics endpoint with a bearer token. When the optional GATEFUL_METRICS_TOKEN env var is set, scrapes of /metrics must present it as a bearer (constant-time compare; 401 otherwise); left open when unset for local dev. The Prometheus scraper reads the same variable name so it can be wired as a single shared Railway variable. This guard is independent of per-tenant Authful auth, so scrapes never consume a tenant token or appear in per-tenant usage metrics.

  • #1994 d94129c Thanks @PedroBinotto! - Remove the transitional single shared-token auth path now that per-tenant Authful auth is fully rolled out. Gateful drops the legacy BLOCKFUL_API_TOKEN bearerAuth fallback (and the BLOCKFUL_API_TOKEN env var it read); per-tenant token auth via TOKEN_SERVICE_URL is the only auth mode. The @anticapture/client package drops an orphaned, never-imported AuthfulClient (MCP token validation is delegated to Gateful, not performed in-process).

Patch Changes

  • #1971 51e110a Thanks @brunod-e! - Standardize environment-variable handling to match the API module. The MCP server now loads .env via dotenv and validates PORT, HOST, ANTICAPTURE_API_URL, ANTICAPTURE_API_KEY, and FORWARD_CLIENT_AUTH through a single zod schema instead of ad-hoc process.env reads. Authful's env parsing switches to the same safeParse + friendly-error pattern and folds TOKEN_PLAINTEXT into the schema so the mint script no longer reads process.env directly. Gateful now normalizes TOKEN_SERVICE_URL (trailing-slash trimming) in its zod env schema rather than manually inside AuthfulClient.

  • #1995 69c4427 Thanks @pikonha! - Gateful /health probes are now read-only: they reflect each upstream's circuit-breaker state but no longer run through breaker.execute(), so CI/orchestrator polling can't trip the real-traffic circuit (or steal its HALF_OPEN probe slot) and take routes offline.

@anticapture/indexer@1.2.0

Minor Changes

  • #2002 0d2da65 Thanks @pikonha! - TORN: route locked voting power to the locker's delegate and move it between delegates on Delegated/Undelegated. TORN emits no DelegateVotesChanged, so per-account voting power is now fully synthesized from lock/unlock Transfers plus delegation shifts.

  • #2002 451db65 Thanks @pikonha! - Integrate Tornado Cash DAO (TORN): custom stake-to-vote indexer (lock-based delegated supply, timestamp governance), timestamp-based proposal-status API client, and dashboard config/icon.

Patch Changes

  • #2002 1454329 Thanks @pikonha! - Fix TORN voting power going negative from treasury transfers. TORN derives per-account voting power from lock/unlock Transfers in/out of the governor, but TORN also flows through the governor for treasury purposes (proposal executions, batch grant payouts, the governor↔vault migration). Those were misread as user unlocks and subtracted voting power from recipients that never locked (e.g. proposal #6 funding a staking pool booked a -120k unlock against a contract with zero locked balance), producing negative voting power and phantom locked balances. A custody transfer is now only counted as a lock/unlock when its counterparty is the transaction sender, which is true for genuine lock()/unlock() calls and false for treasury flows.

  • #2002 1a91eb5 Thanks @pikonha! - Fix TORN votes not reflecting vote changes. TORN's governor lets a voter re-cast to change their vote, but the Voted handler used onConflictDoNothing on the unique (voter, proposal) row and dropped every subsequent cast — so a voter who switched from For to Against still showed as For and the proposal tally kept the stale vote. The handler now overwrites the existing row and moves the voting power between the for/against buckets on a change, while still treating an exact re-processed log (backfill/reorg) as a no-op. Requires a reindex to repopulate.

@anticapture/offchain-indexer@1.1.0

Minor Changes

  • #1998 7f62a0e Thanks @pikonha! - Remove proposals and votes from the offchain indexer database when proposals are deleted from Snapshot. Reconciliation is bounded to proposals created in the last two weeks, so it never deletes older proposals and avoids overwhelming the Snapshot API and the indexer.

@vercel

vercel Bot commented Jun 23, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
anticapture-storybook Ready Ready Preview, Comment Jul 2, 2026 2:23pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
anticapture Ignored Ignored Preview Jul 2, 2026 2:23pm

Request Review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4dcb152cb0

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

{
"name": "@anticapture/client",
"version": "1.3.0",
"version": "1.4.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Publish the MCP auth removal as a major release

This release is still advertised as 1.4.0, but the same generated changelog for @anticapture/client says the MCP HTTP server removed ANTICAPTURE_MCP_API_KEY and no longer performs that inbound shared-key check. Any deployment pinned with a normal ^1.3.0 range can pick up this package automatically and lose its configured auth path, so this should be a major version bump (or the breaking auth removal should be deferred) before publishing.

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b92342e907

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread apps/authful/package.json
{
"name": "@anticapture/authful",
"version": "0.1.0",
"version": "0.2.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Mark Authful token removal as major

For Authful deployments that still seed a known TOKEN_PLAINTEXT or rely on the removed manual mint/plaintext-token path, this release removes the provisioning workflow while still advertising a normal 0.2.0 minor. The repo changeset guidance says breaking changes in 0.x packages should be treated as major, so this should either retain compatibility or be released as a major bump before the changeset is consumed.

Useful? React with 👍 / 👎.

@github-actions github-actions Bot force-pushed the changeset-release/dev branch from b92342e to a315897 Compare June 30, 2026 13:17
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from a315897 to 5d92078 Compare June 30, 2026 13:31
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from 5d92078 to c86b445 Compare June 30, 2026 14:40
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from c86b445 to 4835d67 Compare June 30, 2026 17:21
@github-actions github-actions Bot force-pushed the changeset-release/dev branch 2 times, most recently from c4d6d6b to 2198a3b Compare June 30, 2026 17:59
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from 2198a3b to 40d9355 Compare July 1, 2026 21:20
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from 40d9355 to db64afb Compare July 2, 2026 12:06
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from db64afb to 24c1d21 Compare July 2, 2026 12:13
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from 24c1d21 to bc60295 Compare July 2, 2026 13:44
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from bc60295 to c8a0494 Compare July 2, 2026 13:53
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from c8a0494 to 39908f5 Compare July 2, 2026 14:06
@github-actions github-actions Bot force-pushed the changeset-release/dev branch from 39908f5 to d0f9154 Compare July 2, 2026 14:21
@pikonha pikonha merged commit e76af20 into dev Jul 2, 2026
3 checks passed
@pikonha pikonha deleted the changeset-release/dev branch July 2, 2026 17:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant