openclacky 0.9.24 → 0.9.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5338bcdeaf4b2aafed416365f56467a99a6107911b24df2bfe9d94d757d03528
-  data.tar.gz: 8e06f6ca6b0d5a0a9c70ab758fc13b2f84d755f7d61e30a9708fdadd4db82309
+  metadata.gz: 931a504ff578fcee85cf5d361feeca8b772a0aafe3438c4f27cc7da52573453a
+  data.tar.gz: f1cef39e28c531fef2b2b0fb3cf435ffb05729fdeaae12dadb4e338df073ec1e
 SHA512:
-  metadata.gz: 7862cd557ea5ba9e88184b314fd88fc820d1f4e0c5a9bbebbfcdee75f33301876aff7df7f13cf07eaa21c7fb47d0efa65e7f051c1641ced6c20d1142e9e52819
-  data.tar.gz: b33e3cc3331e70328d366a38b67e472c760eb6bbe4b5621532ee4ae60585303d9042c4953f29f31e4256f357765d8aafee2b3e69fa87f31c386f9310be790c46
+  metadata.gz: 8b8bc2a7dd702beb4570e40264b63b75f170c26dea56a354b20c9afdd1d97fb0ef1e2a8010457170d23823ed6bc82353bbfd390c9ef8f6137ad9bbf73e15ee17
+  data.tar.gz: dc13201eda667f31435309a3664503fd53f1973983e0494f2b29b2ff5c0fca336b9801c265aa18830e1878e0a970237de16ab41833992119d8ea24f2eea66b62

data/CHANGELOG.md

@@ -7,6 +7,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.25] - 2026-04-02
+
+### Added
+- **CSV file upload support**: you can now upload `.csv` files in the Web UI — agent can read and analyse tabular data directly
+- **Browser install tips**: when a browser-dependent command fails, the agent now shows a clear install tip with instructions to set up Chrome/Edge, rather than a cryptic error
+- **Auto-focus on file upload dialog**: the file input field is now auto-focused when the upload dialog opens, improving keyboard UX
+- **Session ID search in Web UI**: you can now search sessions by session ID in addition to session name
+
+### Fixed
+- **WeChat (Weixin) file upload**: fixed a bug where file attachments sent via WeChat were not correctly forwarded to the agent
+- **WeChat without browser**: WeChat channel now works even when no browser tool is configured — falls back gracefully
+- **API message timeout**: fixed a race condition in message compression / session serialisation that could cause API requests to time out mid-conversation
+- **Session chunk replay**: fixed a bug where streaming (chunk-based) messages were incorrectly replayed when restoring a session
+
+### Improved
+- **Shell tool robustness**: `pkill` commands are now scope-limited to prevent accidental process kills; server process cleans up properly when the terminal is closed
+- **Broken pipe handling**: improved error handling in the HTTP server and shell tool to avoid noisy broken-pipe errors on abrupt connection close
+
+### More
+- Updated product-help skill with new session search and CSV upload documentation
+- Updated channel-setup skill with improved WeChat non-browser setup guide
+
 ## [0.9.24] - 2026-04-02
 
 ### Added

data/lib/clacky/agent/message_compressor_helper.rb

@@ -128,7 +128,11 @@ module Clacky
         original_messages = @history.to_a[0..-2]  # All except the last (compression instruction)
 
         # Archive compressed messages to a chunk MD file before discarding them
-        chunk_index = @compressed_summaries.size + 1
+        # Count existing compressed_summary messages in history to determine the next chunk index.
+        # Using @compressed_summaries.size would reset to 0 on process restart and overwrite existing
+        # chunk files, creating circular chunk references. Counting from history is always accurate.
+        existing_chunk_count = original_messages.count { |m| m[:compressed_summary] }
+        chunk_index = existing_chunk_count + 1
         chunk_path = save_compressed_chunk(
           original_messages,
           compression_context[:recent_messages],

data/lib/clacky/agent/session_serializer.rb

@@ -152,6 +152,16 @@ module Clacky
             # Compressed summary sitting before any user rounds — expand it from chunk md
             chunk_rounds = parse_chunk_md_to_rounds(msg[:chunk_path])
             rounds.concat(chunk_rounds)
+            # After expanding, treat the last chunk round as the current round so that
+            # any orphaned assistant/tool messages that follow in session.json (belonging
+            # to the same task whose user message was compressed into the chunk) get
+            # appended here instead of being silently discarded.
+            current_round = rounds.last
+          elsif rounds.last
+            # Orphaned non-user message with no current_round yet (e.g. recent_messages
+            # after compression started mid-task with no leading user message).
+            # Attach to the last known round rather than drop silently.
+            rounds.last[:events] << msg
           end
         end
 
@@ -211,10 +221,27 @@ module Clacky
       #
       # @param chunk_path [String] Path to the chunk md file
       # @return [Array<Hash>] rounds array (may be empty if file missing/unreadable)
-      private def parse_chunk_md_to_rounds(chunk_path)
-        return [] unless chunk_path && File.exist?(chunk_path.to_s)
+      private def parse_chunk_md_to_rounds(chunk_path, visited: Set.new)
+        return [] unless chunk_path
+
+        # 1. Try the stored absolute path first (same machine, normal case).
+        # 2. If not found, fall back to basename + SESSIONS_DIR (cross-user / cross-machine).
+        resolved = chunk_path.to_s
+        unless File.exist?(resolved)
+          resolved = File.join(Clacky::SessionManager::SESSIONS_DIR, File.basename(resolved))
+        end
+
+        return [] unless File.exist?(resolved)
+
+        # Guard against circular chunk references (e.g. chunk-3 → chunk-2 → chunk-1 → chunk-9 → … → chunk-3)
+        canonical = File.expand_path(resolved)
+        if visited.include?(canonical)
+          Clacky::Logger.warn("parse_chunk_md_to_rounds: circular reference detected, skipping #{canonical}")
+          return []
+        end
+        visited = visited.dup.add(canonical)
 
-        raw = File.read(chunk_path.to_s, encoding: "utf-8")
+        raw = File.read(resolved)
 
         # Parse YAML front matter to get archived_at for synthetic timestamps
         archived_at = nil
@@ -275,7 +302,7 @@ module Clacky
 
           # Nested chunk: expand it recursively, prepend before current rounds
           if sec[:nested_chunk]
-            nested = parse_chunk_md_to_rounds(sec[:nested_chunk])
+            nested = parse_chunk_md_to_rounds(sec[:nested_chunk], visited: visited)
             rounds = nested + rounds unless nested.empty?
             # Also render its summary text as an assistant event in current round if any
             if current_round && !text.empty?

data/lib/clacky/default_skills/channel-setup/SKILL.md

@@ -206,7 +206,7 @@ On success: "✅ WeCom channel configured. WeCom client → Contacts → Smart B
 
 Weixin uses a QR code login — no app_id/app_secret needed. The token from the QR scan is saved directly in `channels.yml`.
 
-#### Step 1 — Fetch QR code and open in browser
+#### Step 1 — Fetch QR code
 
 Run the script in `--fetch-qr` mode to get the QR URL without blocking:
 
@@ -221,17 +221,29 @@ Parse the JSON output:
 
 If the output contains `"error"`, show it and stop.
 
-Tell the user:
-> Opening the WeChat QR code in your browser. Please scan it with WeChat, then confirm in the app.
+#### Step 2 — Show QR code to user (browser or manual fallback)
 
-**Open the QR code page in browser** — build a local URL and navigate to it:
+Build the local QR page URL (include current Unix timestamp as `since` to detect new logins only):
+```
+http://${CLACKY_SERVER_HOST}:${CLACKY_SERVER_PORT}/weixin-qr.html?url=<URL-encoded qrcode_url>&since=<current_unix_timestamp>
+```
 
+**Try browser first** — attempt to open the QR page using the browser tool:
 ```
-http://${CLACKY_SERVER_HOST}:${CLACKY_SERVER_PORT}/weixin-qr.html?url=<URL-encoded qrcode_url>
+browser(action="navigate", url="<qr_page_url>")
 ```
 
-Use the browser tool to open this URL. The page renders a proper scannable QR code image using qrcode.js.
-Do NOT open the raw `qrcode_url` directly — that page shows "请使用微信扫码打开" with no actual QR image.
+**If browser succeeds:** Tell the user:
+> I've opened the WeChat QR code in your browser. Please scan it with WeChat, then confirm in the app.
+
+**If browser fails (not configured or unavailable):** Fall back to manual — tell the user:
+> Please open the following link in your browser to scan the WeChat QR code:
+>
+> `http://${CLACKY_SERVER_HOST}:${CLACKY_SERVER_PORT}/weixin-qr.html?url=<URL-encoded qrcode_url>`
+>
+> Scan the QR code with WeChat, confirm in the app, then reply "done".
+
+The page renders a proper scannable QR code image. Do NOT open the raw `qrcode_url` directly — that page shows "请使用微信扫码打开" with no actual QR image.
 
 #### Step 3 — Wait for scan and save credentials
 
@@ -243,7 +255,11 @@ ruby "SKILL_DIR/weixin_setup.rb" --qrcode-id "$QRCODE_ID"
 
 Where `$QRCODE_ID` is the `qrcode_id` from Step 2's JSON output.
 
-This command blocks until the user scans and confirms in WeChat (up to 5 minutes), then automatically saves the token via `POST /api/channels/weixin`.
+Run this command with `timeout: 60`. If it doesn't succeed, **retry up to 3 times with the same `$QRCODE_ID`** — the QR code stays valid for 5 minutes. Only stop retrying if:
+- Exit code is 0 → success
+- Output contains "expired" → QR expired, offer to restart from Step 1
+- Output contains "timed out" → offer to restart from Step 1
+- 3 retries exhausted → show error and offer to restart from Step 1
 
 Tell the user while waiting:
 > Waiting for you to scan the QR code and confirm in WeChat... (this may take a moment)

data/lib/clacky/default_skills/product-help/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: product-help
-description: 'Use this skill when the user asks about my own features, configuration, or usage — installation, skills, Web UI, CLI, API config, memory, sessions, encryption, white-label, publishing, pricing, or troubleshooting. Do NOT trigger for general coding tasks unrelated to me.'
+description: 'Use this skill when the user asks about my own features, configuration, or usage — installation, skills, Web UI, CLI, API config, memory, sessions, encryption, white-label, publishing, pricing, troubleshooting, or restarting the server. Do NOT trigger for general coding tasks unrelated to me.'
 fork_agent: true
 user-invocable: false
 auto_summarize: true
@@ -90,3 +90,16 @@ web_fetch(url: "<URL>", max_length: 5000)
 - If the fetched page doesn't answer the question, try the next most relevant URL (max 2 fetches)
 - If still no answer, tell the user: "请访问 https://www.openclacky.com/docs 查看完整文档"
 - Keep answers concise — extract what's relevant, don't paste the whole page
+
+## Restarting the server
+
+If the user asks to restart the clacky/openclacky server (e.g. "重启", "restart", "请重启openclacky"):
+
+**Do NOT fetch any docs.** Just return this answer directly:
+
+> To restart the server gracefully (hot restart, zero downtime):
+> ```
+> kill -USR1 $CLACKY_MASTER_PID
+> ```
+> This sends USR1 to the Master process, which spawns a new Worker and gracefully stops the old one.
+> The `$CLACKY_MASTER_PID` environment variable is already set in the current session.

data/lib/clacky/server/channel/adapters/weixin/adapter.rb

@@ -260,14 +260,17 @@ module Clacky
           # Extract and materialize file attachments from an inbound item_list.
           #
           # Images are downloaded from CDN and converted to data_url so the agent's
-          # vision pipeline (partition_files → resolve_vision_images) picks them up
-          # correctly. Other file types are returned with cdn_media metadata only
-          # (download-on-demand is not yet implemented for non-image types).
+          # vision pipeline (partition_files → resolve_vision_images) picks them up.
+          # Files (PDF, DOCX, etc.) are downloaded to clacky-uploads so the agent's
+          # file processing pipeline (process_path) can parse them.
+          # Voice/video are kept as cdn_media metadata only (no local download).
           #
-          # Returns Array of Hashes. Image entries include:
+          # Returns Array of Hashes. Image entries:
           #   { type: :image, name: String, mime_type: String, data_url: String }
-          # Other entries include:
-          #   { type: :file/:voice/:video, name: String, cdn_media: Hash }
+          # File entries (downloaded):
+          #   { type: :file, name: String, path: String }
+          # Voice/video entries:
+          #   { type: :voice/:video, name: String, cdn_media: Hash }
           def extract_files(item_list)
             files = []
             item_list.each do |item|
@@ -311,16 +314,46 @@ module Clacky
                   name:      "voice.amr",
                   cdn_media: v["media"]
                 }
-              when 4  # FILE
+              when 4  # FILE — download to disk so agent can parse it
                 fi = item["file_item"]
                 next unless fi
-                files << {
-                  type:      :file,
-                  name:      fi["file_name"],
-                  md5:       fi["md5"],
-                  len:       fi["len"],
-                  cdn_media: fi["media"]
-                }
+                cdn_media = fi["media"]
+                file_name = fi["file_name"].to_s
+                file_name = "attachment" if file_name.empty?
+                file_md5  = fi["md5"].to_s
+                file_len  = fi["len"].to_s
+
+                if cdn_media
+                  begin
+                    raw_bytes = @api_client.download_media(cdn_media, ApiClient::MEDIA_TYPE_FILE)
+                    saved     = Clacky::Utils::FileProcessor.save(body: raw_bytes, filename: file_name)
+                    Clacky::Logger.info("[WeixinAdapter] file downloaded to #{saved[:path]} (#{raw_bytes.bytesize} bytes)")
+                    files << {
+                      type: :file,
+                      name: saved[:name],
+                      path: saved[:path],
+                      md5:  file_md5.empty? ? nil : file_md5,
+                      len:  file_len.empty? ? nil : file_len
+                    }
+                  rescue => e
+                    Clacky::Logger.warn("[WeixinAdapter] Failed to download file #{file_name}: #{e.message}\n#{e.backtrace.first(3).join("\n")}")
+                    # Fall back to metadata-only so the agent at least knows a file was attached
+                    files << {
+                      type:      :file,
+                      name:      file_name,
+                      cdn_media: cdn_media,
+                      md5:       file_md5.empty? ? nil : file_md5,
+                      len:       file_len.empty? ? nil : file_len
+                    }
+                  end
+                else
+                  files << {
+                    type: :file,
+                    name: file_name,
+                    md5:  file_md5.empty? ? nil : file_md5,
+                    len:  file_len.empty? ? nil : file_len
+                  }
+                end
               when 5  # VIDEO
                 vi = item["video_item"]
                 next unless vi

data/lib/clacky/server/http_server.rb

@@ -9,6 +9,7 @@ require "tmpdir"
 require "uri"
 require "open3"
 require "securerandom"
+require "timeout"
 require_relative "session_registry"
 require_relative "web_ui_controller"
 require_relative "scheduler"
@@ -317,12 +318,32 @@ module Clacky
         path   = req.path
         method = req.request_method
 
-        # WebSocket upgrade
+
+
+        # WebSocket upgrade — no timeout applied (long-lived connection)
         if websocket_upgrade?(req)
           handle_websocket(req, res)
           return
         end
 
+        # Wrap all REST handlers in a timeout so a hung handler (e.g. infinite
+        # recursion in chunk parsing) returns a proper 503 instead of an empty 200.
+        timeout_sec = 10
+        Timeout.timeout(timeout_sec) do
+          _dispatch_rest(req, res)
+        end
+      rescue Timeout::Error
+        Clacky::Logger.warn("[HTTP 503] #{method} #{path} timed out after #{timeout_sec}s")
+        json_response(res, 503, { error: "Request timed out" })
+      rescue => e
+        Clacky::Logger.warn("[HTTP 500] #{e.class}: #{e.message}\n#{e.backtrace.first(5).join("\n")}")
+        json_response(res, 500, { error: e.message })
+      end
+
+      def _dispatch_rest(req, res)
+        path   = req.path
+        method = req.request_method
+
         case [method, path]
         when ["GET",    "/api/sessions"]      then api_list_sessions(req, res)
         when ["POST",   "/api/sessions"]      then api_create_session(req, res)
@@ -395,9 +416,6 @@ module Clacky
             not_found(res)
           end
         end
-      rescue => e
-        $stderr.puts "[HTTP 500] #{e.class}: #{e.message}\n#{e.backtrace.first(3).join("\n")}"
-        json_response(res, 500, { error: e.message })
       end
 
       # ── REST API ──────────────────────────────────────────────────────────────
@@ -1102,6 +1120,9 @@ module Clacky
         fields = body.transform_keys(&:to_sym).reject { |k, _| k == :platform }
         fields = fields.transform_values { |v| v.is_a?(String) ? v.strip : v }
 
+        # Record when the token was last updated so clients can detect re-login
+        fields[:token_updated_at] = Time.now.to_i if platform == :weixin && fields.key?(:token)
+
         # Validate credentials against live API before persisting.
         # Merge with existing config so partial updates (e.g. allowed_users only) still validate correctly.
         klass = Clacky::Channel::Adapters.find(platform)
@@ -1177,10 +1198,10 @@ module Clacky
           }
         when :weixin
           {
-            base_url:      raw["base_url"] || Clacky::Channel::Adapters::Weixin::ApiClient::DEFAULT_BASE_URL,
-            allowed_users: raw["allowed_users"] || [],
-            # Indicate whether a token is present (never expose the token itself)
-            has_token:     !raw["token"].to_s.strip.empty?
+            base_url:          raw["base_url"] || Clacky::Channel::Adapters::Weixin::ApiClient::DEFAULT_BASE_URL,
+            allowed_users:     raw["allowed_users"] || [],
+            has_token:         !raw["token"].to_s.strip.empty?,
+            token_updated_at:  raw["token_updated_at"]  # Unix timestamp, nil if never set
           }
         else
           {}
@@ -1624,6 +1645,7 @@ module Clacky
       # Returns a list of UI events (same format as WS events) for the frontend to render.
       def api_session_messages(session_id, req, res)
         unless @registry.ensure(session_id)
+          Clacky::Logger.warn("[messages] registry.ensure failed", session_id: session_id)
           return json_response(res, 404, { error: "Session not found" })
         end
 
@@ -1636,6 +1658,7 @@ module Clacky
         @registry.with_session(session_id) { |s| agent = s[:agent] }
 
         unless agent
+          Clacky::Logger.warn("[messages] agent is nil", session_id: session_id)
           return json_response(res, 200, { events: [], has_more: false })
         end
 
@@ -1691,7 +1714,7 @@ module Clacky
         handshake = WebSocket::Handshake::Server.new
         handshake << build_handshake_request(req)
         unless handshake.finished? && handshake.valid?
-          $stderr.puts "WebSocket handshake invalid"
+          Clacky::Logger.warn("WebSocket handshake invalid")
           return
         end
 
@@ -1730,8 +1753,8 @@ module Clacky
               end
             end
           end
-        rescue IOError, Errno::ECONNRESET, Errno::EPIPE
-          # Client disconnected
+        rescue IOError, Errno::ECONNRESET, Errno::EPIPE, Errno::EBADF
+          # Client disconnected or socket became invalid
         ensure
           on_ws_close(conn)
           socket.close rescue nil
@@ -1741,7 +1764,7 @@ module Clacky
         res.instance_variable_set(:@header, {})
         res.status = -1
       rescue => e
-        $stderr.puts "WebSocket handler error: #{e.class}: #{e.message}"
+        Clacky::Logger.error("WebSocket handler error: #{e.class}: #{e.message}")
       end
 
       # Build a raw HTTP request string from WEBrick request for WebSocket::Handshake::Server
@@ -1946,15 +1969,28 @@ module Clacky
       end
 
       # Broadcast an event to all clients subscribed to a session.
+      # Dead connections (broken pipe / closed socket) are removed automatically.
       def broadcast(session_id, event)
         clients = @ws_mutex.synchronize { (@ws_clients[session_id] || []).dup }
-        clients.each { |conn| conn.send_json(event) rescue nil }
+        dead = clients.reject { |conn| conn.send_json(event) }
+        return if dead.empty?
+
+        @ws_mutex.synchronize do
+          (@ws_clients[session_id] || []).reject! { |conn| dead.include?(conn) }
+        end
       end
 
       # Broadcast an event to every connected client (regardless of session subscription).
+      # Dead connections are removed automatically.
       def broadcast_all(event)
         clients = @ws_mutex.synchronize { @all_ws_conns.dup }
-        clients.each { |conn| conn.send_json(event) rescue nil }
+        dead = clients.reject { |conn| conn.send_json(event) }
+        return if dead.empty?
+
+        @ws_mutex.synchronize do
+          @all_ws_conns.reject! { |conn| dead.include?(conn) }
+          @ws_clients.each_value { |list| list.reject! { |conn| dead.include?(conn) } }
+        end
       end
 
       # Broadcast a session_update event to all clients so they can patch their
@@ -2163,16 +2199,29 @@ module Clacky
           @socket     = socket
           @version    = version
           @send_mutex = Mutex.new
+          @closed     = false
         end
 
+        # Returns true if the underlying socket has been detected as dead.
+        def closed?
+          @closed
+        end
+
+        # Send a JSON-serializable object over the WebSocket.
+        # Returns true on success, false if the connection is dead.
         def send_json(data)
           send_raw(:text, JSON.generate(data))
         rescue => e
-          $stderr.puts "WS send error: #{e.message}"
+          Clacky::Logger.debug("WS send error (connection dead): #{e.message}")
+          false
         end
 
+        # Send a raw WebSocket frame.
+        # Returns true on success, false on broken/closed socket.
         def send_raw(type, data)
           @send_mutex.synchronize do
+            return false if @closed
+
             outgoing = WebSocket::Frame::Outgoing::Server.new(
               version: @version,
               data: data,
@@ -2180,8 +2229,15 @@ module Clacky
             )
             @socket.write(outgoing.to_s)
           end
+          true
+        rescue Errno::EPIPE, Errno::ECONNRESET, IOError, Errno::EBADF => e
+          @closed = true
+          Clacky::Logger.debug("WS send_raw error (client disconnected): #{e.message}")
+          false
         rescue => e
-          $stderr.puts "WS send_raw error: #{e.message}"
+          @closed = true
+          Clacky::Logger.debug("WS send_raw unexpected error: #{e.message}")
+          false
         end
       end
     end

data/lib/clacky/server/server_master.rb

@@ -58,6 +58,7 @@ module Clacky
         Signal.trap("USR1") { @restart_requested  = true }
         Signal.trap("TERM") { @shutdown_requested = true }
         Signal.trap("INT")  { @shutdown_requested = true }
+        Signal.trap("HUP")  { @shutdown_requested = true }
 
         # 4. Spawn first worker
         @worker_pid = spawn_worker

data/lib/clacky/server/session_registry.rb

@@ -64,15 +64,17 @@ module Clacky
         session_data = nil
 
         @mutex.synchronize do
-          # Already fully ready — fast path.
-          return true if @sessions.key?(session_id)
-
-          # Another thread is currently restoring this session — wait for it.
+          # Another thread is currently restoring this session (including the case where
+          # @registry.create was already called but with_session agent-set is not yet done) —
+          # wait for it to finish so callers never see agent=nil.
           if @restoring[session_id]
             @restore_cond.wait(@mutex) until !@restoring[session_id]
             return @sessions.key?(session_id)
           end
 
+          # Already fully ready (not being restored) — fast path.
+          return true if @sessions.key?(session_id)
+
           return false unless @session_manager && @session_restorer
 
           session_data = @session_manager.load(session_id)
@@ -174,10 +176,13 @@ module Clacky
         # ── date filter (YYYY-MM-DD, matches created_at prefix) ──────────────
         all = all.select { |s| s[:created_at].to_s.start_with?(date) } if date
 
-        # ── name search ──────────────────────────────────────────────────────
+        # ── name / id search ─────────────────────────────────────────────────
         if q && !q.empty?
           q_down = q.downcase
-          all = all.select { |s| (s[:name] || "").downcase.include?(q_down) }
+          all = all.select { |s|
+            (s[:name] || "").downcase.include?(q_down) ||
+              (s[:session_id] || "").downcase.include?(q_down)
+          }
         end
 
         all = all.select { |s| (s[:created_at] || "") < before } if before

data/lib/clacky/tools/safe_shell.rb

@@ -341,6 +341,10 @@ module Clacky
         @safe_check_command = Clacky::Utils::Encoding.safe_check(command)
 
         case @safe_check_command
+        when /pkill.*clacky|killall.*clacky|kill\s+.*\bclacky\b/i
+          raise SecurityError, "Killing the clacky server process is not allowed. To restart, use: kill -USR1 $CLACKY_MASTER_PID"
+        when /clacky\s+server/
+          raise SecurityError, "Managing the clacky server from within a session is not allowed. To restart, use: kill -USR1 $CLACKY_MASTER_PID"
         when /^rm\s+/
           replace_rm_command(command)
         when /^chmod\s+x/

data/lib/clacky/tools/shell.rb

@@ -63,7 +63,7 @@ module Clacky
         [/[Pp]assword\s*:\s*$|Enter password|enter password/, 'password'],
         [/^\s*>>>\s*$|^\s*>>?\s*$|^irb\(.*\):\d+:\d+[>*]\s*$|^\>\s*$/, 'repl'],
         [/^\s*:\s*$|\(END\)|--More--|Press .* to continue|lines \d+-\d+/, 'pager'],
-        [/Are you sure|Continue\?|Proceed\?|Confirm|Overwrite/i, 'question'],
+        [/Are you sure|Continue\?|Proceed\?|\bConfirm\b|\bConfirm\?|Overwrite/i, 'question'],
         [/Enter\s+\w+:|Input\s+\w+:|Please enter|please provide/i, 'input'],
         [/Select an option|Choose|Which one|select one/i, 'selection']
       ].freeze
@@ -251,45 +251,83 @@ module Clacky
         end
       end
 
-      # Wrap command in a login shell and explicitly source the user's interactive
-      # rc file so that PATH customisations from nvm, rbenv, brew, etc. are available.
+      # Wrap command in a login shell when shell config files have changed since
+      # the last check. This ensures PATH updates (nvm, rbenv, mise, brew, etc.)
+      # are picked up without paying the ~1s startup cost on every command.
       #
-      # We use -l (login) instead of -i (interactive) to avoid SIGTTIN: when the
-      # process runs in a new process group (pgroup: 0) it is not the terminal's
-      # foreground group, so an interactive shell trying to acquire /dev/tty gets
-      # stopped by the kernel immediately.
+      # Strategy:
+      #   - On first call: snapshot MD5 hashes of all shell config files in memory.
+      #   - On subsequent calls: re-hash and compare. If any file changed, use
+      #     `shell -l -i -c ...` once to get the fresh environment, then update snapshot.
+      #   - If nothing changed: run command directly (zero overhead).
       #
-      # -l loads ~/.zprofile / ~/.bash_profile which is enough for most PATH setup.
-      # We additionally source the interactive rc file (~/.zshrc or ~/.bashrc) so
-      # aliases, functions, and tool shims (rbenv init, nvm, etc.) are also present.
+      # We avoid -i (interactive) in normal mode because it causes SIGTTIN when the
+      # process is not in the terminal's foreground group (pgroup: 0).
+      # When configs have changed we do use -l -i so that all shell init hooks
+      # (nvm, rbenv init, mise activate, etc.) run in the correct order.
       def wrap_with_shell(command)
-        # shell = ENV['SHELL'].to_s
-        # shell = '/bin/bash' if shell.empty?
+        shell = current_shell
 
-        # rc_source = rc_source_snippet(shell)
-        # full_command = rc_source ? "#{rc_source} #{command}" : command
+        if shell_configs_changed?(shell)
+          "#{shell} -l -i -c #{Shellwords.escape(command)}"
+        else
+          command
+        end
+      end
+
+      # Detect the user's current shell binary.
+      private def current_shell
+        shell = ENV['SHELL'].to_s
+        shell.empty? ? '/bin/bash' : shell
+      end
+
+      # Returns true (and updates the in-memory snapshot) when any shell config
+      # file has changed since the last call. Returns false on the very first call
+      # so the initial snapshot is established without triggering a reload.
+      #
+      # Config files checked per shell:
+      #   zsh  — ~/.zshrc, ~/.zprofile, ~/.zshenv
+      #   bash — ~/.bashrc, ~/.bash_profile, ~/.profile
+      #   fish — ~/.config/fish/config.fish
+      #   (all shells also check ~/.profile as a fallback)
+      private def shell_configs_changed?(shell)
+        require "digest"
+
+        current = shell_config_hashes(shell)
+
+        if @shell_config_hashes.nil?
+          # First call: establish baseline, do NOT trigger reload
+          @shell_config_hashes = current
+          return false
+        end
+
+        if current != @shell_config_hashes
+          @shell_config_hashes = current
+          return true
+        end
 
-        # "#{shell} -l -c #{Shellwords.escape(full_command)}"
-        return command
+        false
       end
 
-      # Returns a shell snippet that sources the user's interactive rc file,
-      # suppressing all errors so missing files never break command execution.
-      private def rc_source_snippet(shell)
+      # Returns a hash of { filepath => md5_hex } for existing config files.
+      private def shell_config_hashes(shell)
         shell_name = File.basename(shell)
         home = ENV['HOME'].to_s
 
-        rc_file = case shell_name
-        when 'zsh'  then File.join(home, '.zshrc')
-        when 'bash' then File.join(home, '.bashrc')
-        when 'fish' then File.join(home, '.config', 'fish', 'config.fish')
+        files = case shell_name
+        when 'zsh'
+          %w[.zshrc .zprofile .zshenv].map { |f| File.join(home, f) }
+        when 'bash'
+          %w[.bashrc .bash_profile .profile].map { |f| File.join(home, f) }
+        when 'fish'
+          [File.join(home, '.config', 'fish', 'config.fish')]
+        else
+          [File.join(home, '.profile')]
         end
 
-        return nil unless rc_file
-
-        # Source silently: suppress stderr and ignore exit code so that
-        # errors in the user's rc file don't prevent the command from running.
-        "source #{Shellwords.escape(rc_file)} 2>/dev/null;"
+        files
+          .select { |f| File.exist?(f) }
+          .to_h { |f| [f, Digest::MD5.file(f).hexdigest] }
       end
 
       def determine_timeouts(command, soft_timeout, hard_timeout)

data/lib/clacky/utils/file_processor.rb

@@ -62,7 +62,8 @@ module Clacky
       ".pdf"  => :pdf,
       ".zip"  => :zip, ".gz" => :zip, ".tar" => :zip, ".rar" => :zip, ".7z" => :zip,
       ".png"  => :image, ".jpg" => :image, ".jpeg" => :image,
-      ".gif"  => :image, ".webp" => :image
+      ".gif"  => :image, ".webp" => :image,
+      ".csv"  => :csv
     }.freeze
 
     # FileRef: result of process / process_path.
@@ -109,6 +110,17 @@ module Clacky
       when ".png", ".jpg", ".jpeg", ".gif", ".webp"
         FileRef.new(name: name, type: :image, original_path: path)
 
+      when ".csv"
+        # CSV is plain text — read directly, no external parser needed.
+        # Try UTF-8 first, then GBK (common in Chinese-origin CSV), then binary with replacement.
+        begin
+          text         = read_text_with_encoding_fallback(path)
+          preview_path = save_preview(text, path)
+          FileRef.new(name: name, type: :csv, original_path: path, preview_path: preview_path)
+        rescue => e
+          FileRef.new(name: name, type: :csv, original_path: path, parse_error: e.message)
+        end
+
       else
         result = Utils::ParserManager.parse(path)
         if result[:success]
@@ -225,7 +237,27 @@ module Clacky
       base.empty? ? 'upload' : base
     end
 
-    private_class_method :parse_zip_listing, :save_preview, :sanitize_filename
+    # Read a text file with automatic encoding detection.
+    # Tries UTF-8, then GBK (common for Chinese-origin CSV/text files), then
+    # falls back to binary read with invalid byte replacement.
+    def self.read_text_with_encoding_fallback(path)
+      # Try UTF-8 first (most common, fastest path)
+      raw = File.binread(path)
+      utf8 = raw.dup.force_encoding("UTF-8")
+      return utf8.encode("UTF-8") if utf8.valid_encoding?
+
+      # Try GBK (GB2312 superset — common in Chinese Windows/Excel exports)
+      begin
+        return raw.encode("UTF-8", "GBK", invalid: :replace, undef: :replace, replace: "?")
+      rescue Encoding::InvalidByteSequenceError, Encoding::UndefinedConversionError
+        # fall through
+      end
+
+      # Last resort: binary read with replacement characters
+      raw.encode("UTF-8", "binary", invalid: :replace, undef: :replace, replace: "?")
+    end
+
+    private_class_method :parse_zip_listing, :save_preview, :sanitize_filename, :read_text_with_encoding_fallback
   end
   end
 end

data/lib/clacky/utils/scripts_manager.rb

@@ -14,7 +14,7 @@ module Clacky
     # via gem version stamp in ~/.clacky/scripts/.version).
     module ScriptsManager
       SCRIPTS_DIR         = File.expand_path("~/.clacky/scripts").freeze
-      DEFAULT_SCRIPTS_DIR = File.expand_path("../../../../scripts", __dir__).freeze
+      DEFAULT_SCRIPTS_DIR = File.expand_path("../../../scripts", __dir__).freeze
       VERSION_FILE        = File.join(SCRIPTS_DIR, ".version").freeze
 
       SCRIPTS = %w[

data/lib/clacky/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clacky
-  VERSION = "0.9.24"
+  VERSION = "0.9.25"
 end

data/lib/clacky/web/app.js

@@ -498,6 +498,8 @@ const ACCEPTED_DOC_TYPES   = [
   "application/vnd.ms-excel",                                                  // .xls
   "application/vnd.openxmlformats-officedocument.presentationml.presentation", // .pptx
   "application/vnd.ms-powerpoint",                                             // .ppt
+  "text/csv",                                                                  // .csv
+  "application/csv",                                                           // .csv (some browsers)
 ];
 
 function _docTypeIcon(mimeType) {
@@ -506,6 +508,7 @@ function _docTypeIcon(mimeType) {
   if (mimeType.includes("wordprocessingml") || mimeType === "application/msword") return "📝";
   if (mimeType.includes("spreadsheetml") || mimeType === "application/vnd.ms-excel") return "📊";
   if (mimeType.includes("presentationml") || mimeType === "application/vnd.ms-powerpoint") return "📋";
+  if (mimeType === "text/csv" || mimeType === "application/csv") return "📊";
   return "📎";
 }
 
@@ -586,6 +589,7 @@ function _addGenericFile(file) {
         mime_type: file.type
       });
       _renderAttachmentPreviews();
+      setTimeout(() => $("user-input").focus(), 100);
     })
     .catch(err => alert(`Upload error: ${err.message}`));
 }

data/lib/clacky/web/index.html

@@ -256,7 +256,7 @@
         <div id="image-preview-strip" style="display:none"></div>
         <div id="input-bar">
           <!-- Hidden file picker -->
-          <input type="file" id="image-file-input" accept="image/png,image/jpeg,image/gif,image/webp,application/pdf,application/zip,application/x-zip-compressed,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/msword,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/vnd.ms-powerpoint" multiple style="display:none">
+          <input type="file" id="image-file-input" accept="image/png,image/jpeg,image/gif,image/webp,application/pdf,application/zip,application/x-zip-compressed,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/msword,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/vnd.ms-powerpoint,text/csv,application/csv,.csv" multiple style="display:none">
           <button id="btn-attach" title="Attach image (or drag & drop / Ctrl+V)">
             <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
               <path d="M21.44 11.05l-9.19 9.19a6 6 0 0 1-8.49-8.49l9.19-9.19a4 4 0 0 1 5.66 5.66L9.41 17.41a2 2 0 0 1-2.83-2.83l8.49-8.48"/>

data/lib/clacky/web/sessions.js

@@ -794,7 +794,6 @@ const Sessions = (() => {
       // ── Apply client-side filter (mirrors server params for instant feedback) ─
       const { q, date, type } = _filter;
       let visible = [..._sessions].sort(byTime);
-      if (q)    visible = visible.filter(s => (s.name || "").toLowerCase().includes(q.toLowerCase()));
       if (date) visible = visible.filter(s => (s.created_at || "").startsWith(date));
       if (type) {
         visible = type === "coding"

data/lib/clacky/web/weixin-qr.html

@@ -66,6 +66,57 @@
       background: #fff5f5;
       border-radius: 8px;
     }
+
+    /* Success overlay */
+    #success-overlay {
+      display: none;
+      position: fixed;
+      inset: 0;
+      background: rgba(255,255,255,0.92);
+      align-items: center;
+      justify-content: center;
+      flex-direction: column;
+      gap: 16px;
+      z-index: 100;
+    }
+    #success-overlay.show {
+      display: flex;
+    }
+    .success-icon {
+      width: 72px;
+      height: 72px;
+      background: linear-gradient(135deg, #2dc100, #1aad19);
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-size: 36px;
+      animation: pop 0.3s ease-out;
+    }
+    .success-title {
+      font-size: 20px;
+      font-weight: 700;
+      color: #111;
+    }
+    .success-sub {
+      font-size: 14px;
+      color: #888;
+    }
+    @keyframes pop {
+      0%   { transform: scale(0.5); opacity: 0; }
+      80%  { transform: scale(1.1); }
+      100% { transform: scale(1);   opacity: 1; }
+    }
+
+    /* Scanned state */
+    .scanned-hint {
+      display: none;
+      font-size: 13px;
+      color: #1aad19;
+      font-weight: 500;
+      margin-top: 8px;
+    }
+    .scanned-hint.show { display: block; }
   </style>
 </head>
 <body>
@@ -75,13 +126,25 @@
     <p>使用微信扫描下方二维码<br>在手机上点击「确认登录」</p>
     <div id="qrcode"></div>
     <div class="hint">二维码有效期 5 分钟</div>
+    <div class="scanned-hint" id="scanned-hint">✅ 已扫码，请在手机上确认…</div>
+  </div>
+
+  <!-- Success overlay shown after polling detects token -->
+  <div id="success-overlay">
+    <div class="success-icon">✓</div>
+    <div class="success-title">登录成功</div>
+    <div class="success-sub">微信已连接，可以开始聊天了</div>
   </div>
 
   <script src="https://cdn.jsdelivr.net/npm/qrcodejs@1.0.0/qrcode.min.js"></script>
   <script>
-    const params = new URLSearchParams(location.search);
-    const url = params.get("url");
-    const el = document.getElementById("qrcode");
+    const params  = new URLSearchParams(location.search);
+    const url     = params.get("url");
+    // since: Unix timestamp (seconds) passed by the setup skill when opening this page.
+    // We only show success if token_updated_at > since, preventing false positives
+    // when the user already had a token from a previous login.
+    const since   = parseInt(params.get("since") || "0", 10);
+    const el      = document.getElementById("qrcode");
 
     if (!url) {
       el.innerHTML = '<div class="error">缺少 url 参数</div>';
@@ -99,6 +162,48 @@
         el.innerHTML = '<div class="error">二维码生成失败: ' + e.message + '</div>';
       }
     }
+
+    // Poll GET /api/channels every 2s; show success overlay once weixin has_token = true
+    const POLL_INTERVAL_MS = 2000;
+    const POLL_TIMEOUT_MS  = 5 * 60 * 1000; // 5 minutes — matches QR expiry
+    const startedAt        = Date.now();
+    let   pollTimer        = null;
+    let   prevHasToken     = false;
+
+    function showSuccess() {
+      clearTimeout(pollTimer);
+      document.getElementById("success-overlay").classList.add("show");
+    }
+
+    async function pollChannelStatus() {
+      if (Date.now() - startedAt > POLL_TIMEOUT_MS) return; // QR expired, stop quietly
+
+      try {
+        const res  = await fetch("/api/channels", { cache: "no-store" });
+        const data = await res.json();
+        const weixin = (data.channels || []).find(c => c.platform === "weixin");
+
+        if (weixin && weixin.has_token) {
+          const updatedAt = weixin.token_updated_at || 0;
+          if (updatedAt > since) {
+            showSuccess();
+            return;
+          }
+        }
+
+        // Show "scanned, waiting for confirm" hint once token appears in-progress
+        // (iLink doesn't expose a "scanned" state via this API, so we just keep polling)
+      } catch (_) {
+        // Server temporarily unreachable — keep polling
+      }
+
+      pollTimer = setTimeout(pollChannelStatus, POLL_INTERVAL_MS);
+    }
+
+    // Start polling only when QR code is actually shown
+    if (url) {
+      pollTimer = setTimeout(pollChannelStatus, POLL_INTERVAL_MS);
+    }
   </script>
 </body>
 </html>

data/scripts/install.ps1

@@ -120,7 +120,7 @@ function Invoke-WslStatusExitCode {
     $psi.UseShellExecute = $false
     $psi.RedirectStandardOutput = $true
     $psi.RedirectStandardError = $true
-    $p = [System.Diagnostics.Process]::Start($psi)
+    try { $p = [System.Diagnostics.Process]::Start($psi) } catch { return 1 }
     $finished = $p.WaitForExit(10000)   # 10 seconds
     if (-not $finished) {
         $p.Kill()

data/scripts/install_browser.sh

@@ -29,6 +29,10 @@ CN_NPM_REGISTRY="https://registry.npmmirror.com"
 CN_NODE_MIRROR_URL="https://cdn.npmmirror.com/binaries/node/"
 DEFAULT_MISE_INSTALL_URL="https://mise.run"
 CN_MISE_INSTALL_URL="https://oss.1024code.com/mise.sh"
+# Chrome DMG — update CHROME_VERSION when re-uploading a newer build to OSS
+CHROME_VERSION="134"
+DEFAULT_CHROME_DMG_URL="https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg"
+CN_CHROME_DMG_URL="https://oss.1024code.com/browsers/googlechrome-mac-${CHROME_VERSION}.dmg"
 MISE_INSTALL_URL="$DEFAULT_MISE_INSTALL_URL"
 NPM_REGISTRY_URL="$DEFAULT_NPM_REGISTRY"
 NODE_MIRROR_URL=""
@@ -71,6 +75,48 @@ detect_network_region() {
     fi
 }
 
+# --------------------------------------------------------------------------
+# Ensure Chrome is installed (macOS only)
+# Downloads DMG to Desktop, opens it, then exits with instructions.
+# Re-run the script after Chrome is installed.
+# --------------------------------------------------------------------------
+ensure_chrome_macos() {
+    print_step "Checking Google Chrome..."
+
+    if [ -d "/Applications/Google Chrome.app" ] || [ -d "$HOME/Applications/Google Chrome.app" ]; then
+        print_success "Google Chrome is already installed"
+        return 0
+    fi
+
+    print_warning "Google Chrome not found — downloading..."
+
+    local dmg_url
+    if [ "$USE_CN_MIRRORS" = true ]; then
+        dmg_url="$CN_CHROME_DMG_URL"
+        print_info "Using OSS mirror (Chrome ${CHROME_VERSION})"
+    else
+        dmg_url="$DEFAULT_CHROME_DMG_URL"
+        print_info "Using official Google download"
+    fi
+
+    local dmg_path="$HOME/Desktop/googlechrome.dmg"
+    print_info "Downloading Chrome (~238 MB) to Desktop..."
+
+    if ! curl -L --progress-bar "$dmg_url" -o "$dmg_path"; then
+        print_error "Download failed"
+        print_info "Please download manually: ${dmg_url}"
+        exit 1
+    fi
+
+    print_success "Downloaded: ${dmg_path}"
+    print_info "Opening DMG installer..."
+    open "$dmg_path"
+
+    echo ""
+    print_info "Please drag 'Google Chrome' to the Applications folder, then re-run this script."
+    exit 0
+}
+
 # --------------------------------------------------------------------------
 # Ensure mise is available
 # --------------------------------------------------------------------------
@@ -178,6 +224,8 @@ main() {
     echo "========================"
 
     detect_network_region
+    # Install Chrome first on macOS if not present
+    [[ "$(uname)" == "Darwin" ]] && ensure_chrome_macos
     ensure_node   || exit 1
     install_chrome_devtools_mcp || exit 1
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openclacky
 version: !ruby/object:Gem::Version
-  version: 0.9.24
+  version: 0.9.25
 platform: ruby
 authors:
 - windy