From efa1750cac8b21d0209579895d362308167f8e5b Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Sat, 30 May 2026 18:33:41 -0400
Subject: [PATCH 1/2] fix: base64-encode Patchmon Basic auth credentials
 server-side
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patchmon's API uses standard RFC 7617 Basic auth — `Basic base64(token_key:token_secret)`. The handler was sending the api_token field verbatim, so it only worked if the user had manually base64-encoded the credential. After a Patchmon upgrade, the sync started returning HTML (the SPA, served when auth is rejected) and failing with "Unexpected token '<'" on JSON.parse.

Now: if the token contains ':' (raw key:secret), encode it server-side; otherwise pass through unchanged for backward compatibility. UI gets a placeholder hint showing the expected format.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 js/ui.js       | 2 ++
 server/jobs.js | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/js/ui.js b/js/ui.js
index 2c41a57..f0ffa1f 100644
--- a/js/ui.js
+++ b/js/ui.js
@@ -539,6 +539,7 @@ function _renderJobConfigFields(key, cfg) {
     </div>`;
   if (key === 'patchmon_sync' || key === 'semaphore_sync') {
     const label = key === 'semaphore_sync' ? 'API Token (Bearer)' : 'API Token (Basic)';
+    const tokenPlaceholder = key === 'patchmon_sync' ? 'token_key:token_secret' : '';
     return `
     <div class="form-group">
       <label class="form-label" for="job-cfg-api-url">API URL</label>
@@ -548,6 +549,7 @@ function _renderJobConfigFields(key, cfg) {
     <div class="form-group">
       <label class="form-label" for="job-cfg-api-token">${label}</label>
       <input class="form-input" id="job-cfg-api-token" type="password"
+        placeholder="${tokenPlaceholder}"
         value="${esc(cfg.api_token ?? '')}">
     </div>`;
   }
diff --git a/server/jobs.js b/server/jobs.js
index dc61d1f..160bea3 100644
--- a/server/jobs.js
+++ b/server/jobs.js
@@ -41,8 +41,14 @@ async function patchmonSyncHandler(cfg) {
   const { api_url, api_token } = cfg;
   if (!api_url || !api_token) throw new Error('Patchmon not configured — set API URL and token');
 
+  // Accept raw "key:secret" (recommended) or a pre-encoded base64 string.
+  // ":" cannot appear in a valid base64 string, so it's a reliable discriminator.
+  const credential = api_token.includes(':')
+    ? Buffer.from(api_token).toString('base64')
+    : api_token;
+
   const res = await fetch(api_url, {
-    headers: { Authorization: `Basic ${api_token}` },
+    headers: { Authorization: `Basic ${credential}` },
   });
   if (!res.ok) throw new Error(`Patchmon API ${res.status}`);
 

From ac71ea2c49bd65af3559cb902395c352303be2c0 Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Sat, 30 May 2026 18:51:27 -0400
Subject: [PATCH 2/2] chore: bump to version 1.7.1

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 js/version.js | 2 +-
 package.json  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/js/version.js b/js/version.js
index 2b45f39..43c9ed9 100644
--- a/js/version.js
+++ b/js/version.js
@@ -1 +1 @@
-const VERSION = "1.5.0";
+const VERSION = "1.7.1";
diff --git a/package.json b/package.json
index d43a406..712dabe 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "catalyst",
-  "version": "1.6.0",
+  "version": "1.7.1",
   "type": "module",
   "scripts": {
     "start": "node server/server.js",