clawdforge

Author SHA1 Message Date

Author	SHA1	Message	Date
Kayos	8479725513	clients/kotlin: v0.2 multi-turn Session API - Session : Closeable; AtomicBoolean idempotent close (rollback on transient) - forge.session(opts) { s -> ... } block helper preferred - ForgeClient.createSession / listSessions / getSession - Per-call HTTP timeout on /sessions/{id}/turn (audit-fix `3c77ef5` pattern) - Per-session Mutex serializes concurrent turns - TurnResult.text() helper, Session.toString redacts client - SessionTest.kt: ~14 tests covering block/idempotency/concurrent/timeout/list/state/404/redaction/regression - README "Multi-turn / Sessions (v0.2)" section v0.1 surface unchanged. Ktor 2.3.13 preserved. Spec: memory/spec-clawdforge-v0.2.md Server core: `940861f`	2026-04-29 07:03:54 -07:00
Kayos	3c77ef523e	clients/kotlin: apply audit findings — per-call HTTP timeout + token redaction (`cc54cfb` → next) MEDIUM: - B1: per-call HTTP timeout on /run via Ktor request-scoped timeout block — RunRequest.timeoutSecs > defaultTimeout no longer HTTP-disconnects LOW: - L3: AppToken.toString() redacts plaintext token (preserves null distinguishability) - L4: uploadFile validates filename has no control chars; typed IllegalArgumentException upfront - L5: RunResult.resultAsObjectOrNull / resultAsTextOrNull added (matched KDoc claim) - L1/L2: KDoc + README docs for symlink-follow + TOCTOU on uploadFile Dep: - ktor 2.3.12 → 2.3.13 — clears CVE-2024-49580 (HttpCache, plugin not used) by version-range Tests added: runHttpTimeoutHonorsPerCallTimeoutSecs, appTokenToStringRedactsTokenWhenSet (+ null preserve), uploadFileRejectsControlCharFilename, runResultAsObjectOrNull/AsTextOrNull, revokeTokenEmptyName, closeIdempotent. Audit: memory/clawdforge-audits/kotlin-cc54cfb.md	2026-04-28 23:33:08 -07:00
Kayos	cc54cfbe6c	clients/kotlin: initial Kotlin SDK for clawdforge Async Kotlin/JVM client built on Ktor + kotlinx.serialization. Every I/O method is a `suspend` function; the client is `Closeable` for `use { }`. Sealed `ForgeException` hierarchy enables exhaustive `when` over auth, run-failure, generic-API, and transport errors. Models use `@SerialName` to bridge idiomatic camelCase Kotlin properties to the snake_case wire format. `RunResult.result` is a `JsonElement` so callers can narrow with the standard `kotlinx.serialization.json` extensions. - Kotlin 1.9.25 / JVM 17 toolchain - Ktor 2.3.12 client (CIO engine; pluggable via ForgeOptions.engine) - kotlinx-serialization 1.6.3, kotlinx-coroutines 1.8.1 - 14 tests (JUnit 5 + Ktor MockEngine), all green - `./gradlew build` clean, `publishToMavenLocal` works - MIT license declared in publishing block Mirrors the surface of the Go and Rust SDKs (healthz, run, uploadFile, admin tokens CRUD).	2026-04-28 23:04:24 -07:00

Kayos

8479725513

clients/kotlin: v0.2 multi-turn Session API

- Session : Closeable; AtomicBoolean idempotent close (rollback on transient)
- forge.session(opts) { s -> ... } block helper preferred
- ForgeClient.createSession / listSessions / getSession
- Per-call HTTP timeout on /sessions/{id}/turn (audit-fix 3c77ef5 pattern)
- Per-session Mutex serializes concurrent turns
- TurnResult.text() helper, Session.toString redacts client
- SessionTest.kt: ~14 tests covering block/idempotency/concurrent/timeout/list/state/404/redaction/regression
- README "Multi-turn / Sessions (v0.2)" section

v0.1 surface unchanged. Ktor 2.3.13 preserved.

Spec: memory/spec-clawdforge-v0.2.md
Server core: 940861f

2026-04-29 07:03:54 -07:00

Kayos

3c77ef523e

clients/kotlin: apply audit findings — per-call HTTP timeout + token redaction (cc54cfb → next)

MEDIUM:
- B1: per-call HTTP timeout on /run via Ktor request-scoped timeout block — RunRequest.timeoutSecs > defaultTimeout no longer HTTP-disconnects

LOW:
- L3: AppToken.toString() redacts plaintext token (preserves null distinguishability)
- L4: uploadFile validates filename has no control chars; typed IllegalArgumentException upfront
- L5: RunResult.resultAsObjectOrNull / resultAsTextOrNull added (matched KDoc claim)
- L1/L2: KDoc + README docs for symlink-follow + TOCTOU on uploadFile

Dep:
- ktor 2.3.12 → 2.3.13 — clears CVE-2024-49580 (HttpCache, plugin not used) by version-range

Tests added: runHttpTimeoutHonorsPerCallTimeoutSecs, appTokenToStringRedactsTokenWhenSet (+ null preserve), uploadFileRejectsControlCharFilename, runResultAsObjectOrNull/AsTextOrNull, revokeTokenEmptyName, closeIdempotent.

Audit: memory/clawdforge-audits/kotlin-cc54cfb.md

2026-04-28 23:33:08 -07:00

Kayos

cc54cfbe6c

clients/kotlin: initial Kotlin SDK for clawdforge

Async Kotlin/JVM client built on Ktor + kotlinx.serialization. Every I/O
method is a `suspend` function; the client is `Closeable` for `use { }`.
Sealed `ForgeException` hierarchy enables exhaustive `when` over auth,
run-failure, generic-API, and transport errors. Models use `@SerialName`
to bridge idiomatic camelCase Kotlin properties to the snake_case wire
format. `RunResult.result` is a `JsonElement` so callers can narrow with
the standard `kotlinx.serialization.json` extensions.

- Kotlin 1.9.25 / JVM 17 toolchain
- Ktor 2.3.12 client (CIO engine; pluggable via ForgeOptions.engine)
- kotlinx-serialization 1.6.3, kotlinx-coroutines 1.8.1
- 14 tests (JUnit 5 + Ktor MockEngine), all green
- `./gradlew build` clean, `publishToMavenLocal` works
- MIT license declared in publishing block

Mirrors the surface of the Go and Rust SDKs (healthz, run, uploadFile,
admin tokens CRUD).

2026-04-28 23:04:24 -07:00

3 commits