Add contribution policy docs and PR checklist template

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

package-lock.json

@@ -7985,9 +7985,9 @@
       }
     },
     "node_modules/hono": {
-      "version": "4.11.7",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.11.7.tgz",
-      "integrity": "sha512-l7qMiNee7t82bH3SeyUCt9UF15EVmaBvsppY2zQtrbIhl/yzBTny+YUxsVjSjQ6gaqaeVtZmGocom8TzBlA4Yw==",
+      "version": "4.11.10",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.11.10.tgz",
+      "integrity": "sha512-kyWP5PAiMooEvGrA9jcD3IXF7ATu8+o7B3KCbPXid5se52NPqnOpM/r9qeW2heMnOekF4kqR1fXJqCYeCLKrZg==",
       "license": "MIT",
       "engines": {
         "node": ">=16.9.0"
@@ -16020,7 +16020,7 @@
         "@hono/mcp": "^0.2.3",
         "@hono/node-server": "^1.19.7",
         "@modelcontextprotocol/sdk": "^1.26.0",
-        "hono": "^4.11.7",
+        "hono": "^4.11.10",
         "zod": "^3.25.76"
       },
       "devDependencies": {

plugins-external/mcp-server/package.json

@@ -18,7 +18,7 @@
     "@hono/mcp": "^0.2.3",
     "@hono/node-server": "^1.19.7",
     "@modelcontextprotocol/sdk": "^1.26.0",
-    "hono": "^4.11.7",
+    "hono": "^4.11.10",
     "zod": "^3.25.76"
   },
   "devDependencies": {

plugins/auth-ntlm/package.json

@@ -11,7 +11,8 @@
   "version": "0.1.0",
   "scripts": {
     "build": "yaakcli build",
-    "dev": "yaakcli dev"
+    "dev": "yaakcli dev",
+    "test": "vitest --run tests"
   },
   "dependencies": {
     "httpntlm": "^1.8.13"

plugins/auth-ntlm/src/index.ts

@@ -2,6 +2,16 @@ import type { PluginDefinition } from '@yaakapp/api';
 
 import { ntlm } from 'httpntlm';
 
+function extractNtlmChallenge(headers: Array<{ name: string; value: string }>): string | null {
+  const authValues = headers
+    .filter((h) => h.name.toLowerCase() === 'www-authenticate')
+    .flatMap((h) => h.value.split(','))
+    .map((v) => v.trim())
+    .filter(Boolean);
+
+  return authValues.find((v) => /^NTLM\s+\S+/i.test(v)) ?? null;
+}
+
 export const plugin: PluginDefinition = {
   authentication: {
     name: 'windows',
@@ -68,15 +78,12 @@ export const plugin: PluginDefinition = {
         },
       });
 
-      const wwwAuthenticateHeader = negotiateResponse.headers.find(
-        (h) => h.name.toLowerCase() === 'www-authenticate',
-      );
-
-      if (!wwwAuthenticateHeader?.value) {
-        throw new Error('Unable to find www-authenticate response header for NTLM');
+      const ntlmChallenge = extractNtlmChallenge(negotiateResponse.headers);
+      if (ntlmChallenge == null) {
+        throw new Error('Unable to find NTLM challenge in WWW-Authenticate response headers');
       }
 
-      const type2 = ntlm.parseType2Message(wwwAuthenticateHeader.value, (err: Error | null) => {
+      const type2 = ntlm.parseType2Message(ntlmChallenge, (err: Error | null) => {
         if (err != null) throw err;
       });
       const type3 = ntlm.createType3Message(type2, options);

plugins/auth-ntlm/tests/index.test.ts

@@ -0,0 +1,84 @@
+import type { Context } from '@yaakapp/api';
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+
+const ntlmMock = vi.hoisted(() => ({
+  createType1Message: vi.fn(),
+  parseType2Message: vi.fn(),
+  createType3Message: vi.fn(),
+}));
+
+vi.mock('httpntlm', () => ({ ntlm: ntlmMock }));
+
+import { plugin } from '../src';
+
+describe('auth-ntlm', () => {
+  beforeEach(() => {
+    ntlmMock.createType1Message.mockReset();
+    ntlmMock.parseType2Message.mockReset();
+    ntlmMock.createType3Message.mockReset();
+    ntlmMock.createType1Message.mockReturnValue('NTLM TYPE1');
+    ntlmMock.parseType2Message.mockReturnValue({} as any);
+    ntlmMock.createType3Message.mockReturnValue('NTLM TYPE3');
+  });
+
+  test('uses NTLM challenge when Negotiate and NTLM headers are separate', async () => {
+    const send = vi.fn().mockResolvedValue({
+      headers: [
+        { name: 'WWW-Authenticate', value: 'Negotiate' },
+        { name: 'WWW-Authenticate', value: 'NTLM TlRMTVNTUAACAAAAAA==' },
+      ],
+    });
+    const ctx = { httpRequest: { send } } as unknown as Context;
+
+    const result = await plugin.authentication?.onApply(ctx, {
+      values: {},
+      headers: [],
+      url: 'https://example.local/resource',
+      method: 'GET',
+      contextId: 'ctx',
+    });
+
+    expect(ntlmMock.parseType2Message).toHaveBeenCalledWith(
+      'NTLM TlRMTVNTUAACAAAAAA==',
+      expect.any(Function),
+    );
+    expect(result).toEqual({ setHeaders: [{ name: 'Authorization', value: 'NTLM TYPE3' }] });
+  });
+
+  test('uses NTLM challenge when auth schemes are comma-separated in one header', async () => {
+    const send = vi.fn().mockResolvedValue({
+      headers: [{ name: 'www-authenticate', value: 'Negotiate, NTLM TlRMTVNTUAACAAAAAA==' }],
+    });
+    const ctx = { httpRequest: { send } } as unknown as Context;
+
+    await plugin.authentication?.onApply(ctx, {
+      values: {},
+      headers: [],
+      url: 'https://example.local/resource',
+      method: 'GET',
+      contextId: 'ctx',
+    });
+
+    expect(ntlmMock.parseType2Message).toHaveBeenCalledWith(
+      'NTLM TlRMTVNTUAACAAAAAA==',
+      expect.any(Function),
+    );
+  });
+
+  test('throws a clear error when NTLM challenge is missing', async () => {
+    const send = vi.fn().mockResolvedValue({
+      headers: [{ name: 'WWW-Authenticate', value: 'Negotiate' }],
+    });
+    const ctx = { httpRequest: { send } } as unknown as Context;
+
+    await expect(
+      plugin.authentication?.onApply(ctx, {
+        values: {},
+        headers: [],
+        url: 'https://example.local/resource',
+        method: 'GET',
+        contextId: 'ctx',
+      }),
+    ).rejects.toThrow('Unable to find NTLM challenge in WWW-Authenticate response headers');
+  });
+});