Lines 319-359 · javascript
320 // --- upgrade: compare .volt/version to npm latest, and run the update ---
321 if (req.method === "GET" && p === "/setup/upgrade-check") {
322 const vf = path.join(__dirname, ".volt", "version");
323 const current = (fs.existsSync(vf) ? fs.readFileSync(vf, "utf8").trim() : "") || "?";
324 fetch("https://registry.npmjs.org/create-volt/latest")
325 .then((r) => r.json())
327 const latest = j.version || "?";
328 res.setHeader("Content-Type", "application/json");
329 res.end(JSON.stringify({ current, latest, available: latest !== "?" && current !== "?" && latest !== current }));
332 res.setHeader("Content-Type", "application/json");
333 res.end(JSON.stringify({ current, latest: "?", available: false }));
337 if (req.method === "POST" && p === "/setup/upgrade") {
338 res.setHeader("Content-Type", "application/json");
340 const r = spawnSync("npx", ["--yes", "create-volt@latest", "update"], { cwd: __dirname, encoding: "utf8", shell: process.platform === "win32" });
341 res.end(JSON.stringify({ ok: r.status === 0, output: ((r.stdout || "") + (r.stderr || "")).slice(-2000) }));
343 res.statusCode = 500;
344 res.end(JSON.stringify({ ok: false, error: e.message }));
348 // --- generate a free hosted-AI token from the gateway (self-service) ---
349 if (req.method === "POST" && p === "/setup/gen-token") {
350 res.setHeader("Content-Type", "application/json");
351 const env = readEnvFile();
352 const base = (env.VOLT_AI_GATEWAY || "https://voltjs.com/api/ai").replace(/\/api\/ai\/?$/, "");
353 fetch(base + "/api/register", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ app: env.SITE_NAME || "volt-app" }) })
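High: Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review the data flow before blocking. In the lines shown, the output of the `npx` command is written to the HTTP response of `/setup/upgrade`, while the two outbound requests (the npm registry lookup and the gateway `/api/register` call) do not include it, so confirm against the full file whether command output ever reaches an outbound request. Also worth checking: the upgrade route runs `create-volt@latest` with `--yes`, so it executes whichever version the registry currently serves, and no access check on the `/setup/*` routes is visible in this excerpt.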
templates/business/server.js · L339
354 .then((r) => (r.ok ? r.json() : { ok: false, error: `hosted AI gateway not available (HTTP ${r.status}) — is it deployed?` }))
355 .then((j) => res.end(JSON.stringify(j)))
356 .catch(() => res.end(JSON.stringify({ ok: false, error: "hosted AI gateway unreachable" })));
359 // --- AI proxy for the in-config editor (RTEPro). Uses a local provider key