Lines 318-358javascript
319 // --- upgrade: compare .volt/version to npm latest, and run the update ---
320 if (req.method === "GET" && p === "/setup/upgrade-check") {
321 const vf = path.join(__dirname, ".volt", "version");
322 const current = (fs.existsSync(vf) ? fs.readFileSync(vf, "utf8").trim() : "") || "?";
323 fetch("https://registry.npmjs.org/create-volt/latest")
324 .then((r) => r.json())
326 const latest = j.version || "?";
327 res.setHeader("Content-Type", "application/json");
328 res.end(JSON.stringify({ current, latest, available: latest !== "?" && current !== "?" && latest !== current }));
331 res.setHeader("Content-Type", "application/json");
332 res.end(JSON.stringify({ current, latest: "?", available: false }));
336 if (req.method === "POST" && p === "/setup/upgrade") {
337 res.setHeader("Content-Type", "application/json");
339 const r = spawnSync("npx", ["--yes", "create-volt@latest", "update"], { cwd: __dirname, encoding: "utf8", shell: process.platform === "win32" });
340 res.end(JSON.stringify({ ok: r.status === 0, output: ((r.stdout || "") + (r.stderr || "")).slice(-2000) }));
342 res.statusCode = 500;
343 res.end(JSON.stringify({ ok: false, error: e.message }));
347 // --- generate a free hosted-AI token from the gateway (self-service) ---
348 if (req.method === "POST" && p === "/setup/gen-token") {
349 res.setHeader("Content-Type", "application/json");
350 const env = readEnvFile();
351 const base = (env.VOLT_AI_GATEWAY || "https://voltjs.com/api/ai").replace(/\/api\/ai\/?$/, "");
352 fetch(base + "/api/register", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ app: env.SITE_NAME || "volt-app" }) })
HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
templates/default/server.jsView on unpkg · L338 353 .then((r) => r.json())
354 .then((j) => res.end(JSON.stringify(j)))
355 .catch(() => res.end(JSON.stringify({ ok: false, error: "gateway unreachable" })));
358 // --- AI proxy for the in-config editor (RTEPro). Uses a local provider key