@aion0/forge 0.2.11 → 0.2.13

package/CLAUDE.md

@@ -5,15 +5,15 @@
 # ── Start ──
 ./start.sh              # production (kill old processes → build → start)
 ./start.sh dev           # development (hot-reload)
-forge-server             # production via npm link/install
-forge-server --dev       # dev mode
-forge-server --background  # background, logs to ~/.forge/forge.log
-forge-server --stop      # stop background server
-forge-server --restart   # stop + start (safe for remote)
-forge-server --rebuild   # force rebuild
-forge-server --port 4000 --terminal-port 4001 --dir ~/.forge-staging
-forge-server --reset-terminal  # kill terminal server (loses tmux attach)
-forge-server --version   # show version
+forge server start              # production via npm link/install
+forge server start --dev        # dev mode
+forge server start --background # background, logs to ~/.forge/forge.log
+forge server stop               # stop background server
+forge server restart            # stop + start (safe for remote)
+forge server rebuild            # force rebuild
+forge server start --port 4000 --terminal-port 4001 --dir ~/.forge-staging
+forge server start --reset-terminal  # kill terminal server (loses tmux attach)
+forge --version                 # show version
 
 # ── Test ──
 ./dev-test.sh            # test instance (port 4000, data ~/.forge-test)

package/README.md

@@ -51,7 +51,7 @@ Forge is a self-hosted web platform that turns [Claude Code](https://docs.anthro
 
 ```bash
 npm install -g @aion0/forge
-forge-server
+forge server start
 ```
 
 Open `http://localhost:3000` — a login password is printed in the console.
@@ -74,9 +74,9 @@ pnpm install
 
 ## Quick Start
 
-1. **Start Forge** — `forge-server` or `./start.sh`
+1. **Start Forge** — `forge server start` or `./start.sh`
 2. **Open browser** — `http://localhost:3000`
-3. **Log in** — password is in the console output, rotates daily. Run `forge password` if you forget.
+3. **Log in** — set an admin password in Settings. Run `forge password` for info.
 4. **Configure** — Settings → add project directories and (optionally) Telegram bot token
 5. **Start coding** — Open a terminal tab, run `claude`, and vibe
 
@@ -86,7 +86,7 @@ Access Forge from anywhere — iPad, phone, coffee shop:
 
 1. Click the **tunnel button** in the header
 2. A temporary Cloudflare URL is generated (no account needed)
-3. Open it on any device — protected by your daily rotating password
+3. Open it on any device — requires admin password + session code (2FA)
 
 Health checks run every 60 seconds. If the tunnel drops, it auto-restarts and notifies you via Telegram.
 
@@ -101,9 +101,9 @@ Mobile-first control for Forge. Create a bot via [@BotFather](https://t.me/botfa
 | `/sessions` | AI summary of Claude Code sessions |
 | `/docs` | Docs session summary or file search |
 | `/note` | Quick note — sent to Docs Claude for filing |
-| `/tunnel_start` | Start Cloudflare Tunnel |
+| `/tunnel_start <admin_pw>` | Start Cloudflare Tunnel |
 | `/tunnel_stop` | Stop tunnel |
-| `/tunnel_password <pw>` | Get login password + tunnel URL |
+| `/tunnel_code <admin_pw>` | Get session code for remote login |
 | `/watch` | Monitor session / list watchers |
 
 Whitelist-protected — only configured Chat IDs can interact. Supports multiple users (comma-separated IDs).
@@ -210,7 +210,7 @@ All data lives in `~/.forge/`:
 ~/.forge/
 ├── .env.local            # Environment variables (AUTH_SECRET, API keys)
 ├── settings.yaml         # Main configuration
-├── password.json         # Daily auto-generated login password
+├── session-code.json     # Session code for remote login 2FA
 ├── data.db               # SQLite database (tasks, sessions)
 ├── terminal-state.json   # Terminal tab layout
 ├── tunnel-state.json     # Tunnel process state
@@ -232,7 +232,7 @@ claudePath: claude
 tunnelAutoStart: false
 telegramBotToken: ""
 telegramChatId: ""              # Comma-separated for multiple users
-telegramTunnelPassword: ""
+telegramTunnelPassword: ""      # Admin password (encrypted)
 notifyOnComplete: true
 notifyOnFailure: true
 taskModel: default              # default / sonnet / opus / haiku
@@ -281,7 +281,7 @@ forge-server.mjs (single process)
 | Frontend | Next.js 16, React 19, Tailwind CSS 4, xterm.js, ReactFlow |
 | Backend | Next.js Route Handlers, SQLite (better-sqlite3) |
 | Terminal | node-pty, tmux, WebSocket |
-| Auth | NextAuth v5 (daily rotating password + OAuth) |
+| Auth | NextAuth v5 (admin password + session code 2FA + OAuth) |
 | Tunnel | Cloudflare cloudflared (zero-config) |
 | Bot | Telegram Bot API |
 | Pipeline | YAML-based DAG engine with visual editor |
@@ -314,7 +314,7 @@ echo "AUTH_SECRET=$(openssl rand -hex 32)" >> ~/.forge/.env.local
 <details>
 <summary><strong>Orphan processes after Ctrl+C</strong></summary>
 
-Use `./start.sh` or `forge-server` which clean up old processes on start. Or manually:
+Use `./start.sh` or `forge server start` which clean up old processes on start. Or manually:
 
 ```bash
 ./check-forge-status.sh  # see what's running

package/app/api/settings/route.ts

@@ -1,15 +1,62 @@
 import { NextResponse } from 'next/server';
-import { loadSettings, saveSettings, type Settings } from '@/lib/settings';
+import { loadSettings, loadSettingsMasked, saveSettings, type Settings } from '@/lib/settings';
 import { restartTelegramBot } from '@/lib/init';
+import { SECRET_FIELDS } from '@/lib/crypto';
+import { verifyAdmin } from '@/lib/password';
 
 export async function GET() {
-  return NextResponse.json(loadSettings());
+  return NextResponse.json(loadSettingsMasked());
 }
 
 export async function PUT(req: Request) {
-  const body = await req.json() as Settings;
-  saveSettings(body);
-  // Restart Telegram bot in case token/chatId changed
+  const body = await req.json();
+
+  // Handle secret field updates separately
+  if (body._secretUpdate) {
+    const { field, adminPassword, newValue } = body._secretUpdate as {
+      field: string;
+      adminPassword: string;
+      newValue: string;
+    };
+
+    // Validate field name
+    if (!SECRET_FIELDS.includes(field as any)) {
+      return NextResponse.json({ ok: false, error: 'Invalid field' }, { status: 400 });
+    }
+
+    // Verify admin password
+    if (!verifyAdmin(adminPassword)) {
+      return NextResponse.json({ ok: false, error: 'Wrong password' }, { status: 403 });
+    }
+
+    // Update the specific field
+    const current = loadSettings();
+    (current as any)[field] = newValue;
+    saveSettings(current);
+
+    // Restart Telegram bot if token changed
+    if (field === 'telegramBotToken') {
+      restartTelegramBot();
+    }
+
+    return NextResponse.json({ ok: true });
+  }
+
+  // Normal settings update — strip masked secrets so we don't overwrite with placeholder
+  const settings = loadSettings();
+  const updated = body as Settings;
+
+  for (const field of SECRET_FIELDS) {
+    // Keep existing encrypted value if frontend sent masked placeholder
+    if (updated[field] === '••••••••' || updated[field] === '') {
+      updated[field] = settings[field];
+    }
+  }
+
+  // Remove internal fields
+  delete (updated as any)._secretStatus;
+
+  saveSettings(updated);
   restartTelegramBot();
   return NextResponse.json({ ok: true });
 }

package/app/api/tunnel/route.ts

@@ -1,18 +1,26 @@
 import { NextResponse } from 'next/server';
 import { startTunnel, stopTunnel, getTunnelStatus } from '@/lib/cloudflared';
+import { verifyAdmin } from '@/lib/password';
 
 export async function GET() {
   return NextResponse.json(getTunnelStatus());
 }
 
 export async function POST(req: Request) {
-  const { action } = await req.json() as { action: 'start' | 'stop' };
+  const body = await req.json() as { action: 'start' | 'stop'; password?: string };
 
-  if (action === 'stop') {
+  if (body.action === 'start') {
+    if (!body.password || !verifyAdmin(body.password)) {
+      return NextResponse.json({ ok: false, error: 'Wrong password' }, { status: 403 });
+    }
+    const result = await startTunnel();
+    return NextResponse.json({ ok: !result.error, ...getTunnelStatus() });
+  }
+
+  if (body.action === 'stop') {
     stopTunnel();
     return NextResponse.json({ ok: true, ...getTunnelStatus() });
   }
 
-  const result = await startTunnel();
-  return NextResponse.json({ ok: !result.error, ...getTunnelStatus() });
+  return NextResponse.json({ ok: false, error: 'Invalid action' }, { status: 400 });
 }

package/app/api/upgrade/route.ts

@@ -0,0 +1,31 @@
+import { NextResponse } from 'next/server';
+import { join } from 'node:path';
+import { lstatSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+
+export async function POST() {
+  try {
+    // Check if installed via npm link (symlink = local dev)
+    let isLinked = false;
+    try { isLinked = lstatSync(join(process.cwd())).isSymbolicLink(); } catch {}
+
+    if (isLinked) {
+      return NextResponse.json({
+        ok: false,
+        error: 'Local dev install (npm link). Run: git pull && pnpm install && pnpm build',
+      });
+    }
+
+    execSync('cd /tmp && npm install -g @aion0/forge', { timeout: 120000 });
+
+    return NextResponse.json({
+      ok: true,
+      message: 'Upgraded. Restart server to apply.',
+    });
+  } catch (e) {
+    return NextResponse.json({
+      ok: false,
+      error: `Upgrade failed: ${e instanceof Error ? e.message : String(e)}`,
+    });
+  }
+}

package/app/api/version/route.ts

@@ -0,0 +1,59 @@
+import { NextResponse } from 'next/server';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+// Cache npm version check for 1 hour
+let cachedLatest: { version: string; checkedAt: number } | null = null;
+const CACHE_TTL = 60 * 60 * 1000; // 1 hour
+
+function getCurrentVersion(): string {
+  try {
+    const pkg = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf-8'));
+    return pkg.version;
+  } catch {
+    return '0.0.0';
+  }
+}
+
+async function getLatestVersion(): Promise<string> {
+  if (cachedLatest && Date.now() - cachedLatest.checkedAt < CACHE_TTL) {
+    return cachedLatest.version;
+  }
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 5000);
+    const res = await fetch('https://registry.npmjs.org/@aion0/forge/latest', {
+      signal: controller.signal,
+      headers: { 'Accept': 'application/json' },
+    });
+    clearTimeout(timeout);
+    if (!res.ok) return cachedLatest?.version || '';
+    const data = await res.json();
+    cachedLatest = { version: data.version, checkedAt: Date.now() };
+    return data.version;
+  } catch {
+    return cachedLatest?.version || '';
+  }
+}
+
+function compareVersions(a: string, b: string): number {
+  const pa = a.split('.').map(Number);
+  const pb = b.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] || 0) < (pb[i] || 0)) return -1;
+    if ((pa[i] || 0) > (pb[i] || 0)) return 1;
+  }
+  return 0;
+}
+
+export async function GET() {
+  const current = getCurrentVersion();
+  const latest = await getLatestVersion();
+  const hasUpdate = latest && compareVersions(current, latest) < 0;
+
+  return NextResponse.json({
+    current,
+    latest: latest || current,
+    hasUpdate,
+  });
+}

package/app/login/page.tsx

@@ -1,20 +1,30 @@
 'use client';
 
-import { useState } from 'react';
+import { useState, useEffect } from 'react';
 import { signIn } from 'next-auth/react';
 
 export default function LoginPage() {
   const [password, setPassword] = useState('');
+  const [sessionCode, setSessionCode] = useState('');
   const [error, setError] = useState('');
+  const [isRemote, setIsRemote] = useState(false);
+
+  useEffect(() => {
+    const host = window.location.hostname;
+    setIsRemote(!['localhost', '127.0.0.1'].includes(host));
+  }, []);
 
   const handleLocal = async (e: React.FormEvent) => {
     e.preventDefault();
+    setError('');
     const result = await signIn('credentials', {
       password,
+      sessionCode: isRemote ? sessionCode : '',
+      isRemote: String(isRemote),
       redirect: false,
     }) as { error?: string; ok?: boolean } | undefined;
     if (result?.error) {
-      setError('Wrong password');
+      setError(isRemote ? 'Wrong password or session code' : 'Wrong password');
     } else if (result?.ok) {
       window.location.href = window.location.origin + '/';
     }
@@ -25,18 +35,32 @@ export default function LoginPage() {
       <div className="w-80 space-y-6">
         <div className="text-center">
           <h1 className="text-2xl font-bold text-[var(--text-primary)]">Forge</h1>
-          <p className="text-sm text-[var(--text-secondary)] mt-1">Unified AI Platform</p>
+          <p className="text-sm text-[var(--text-secondary)] mt-1">
+            {isRemote ? 'Remote Access' : 'Local Access'}
+          </p>
         </div>
 
-        {/* Local password login */}
         <form onSubmit={handleLocal} className="space-y-3">
           <input
             type="password"
             value={password}
-            onChange={e => setPassword(e.target.value)}
-            placeholder="Password"
+            onChange={e => { setPassword(e.target.value); setError(''); }}
+            placeholder="Admin Password"
+            autoFocus
             className="w-full px-3 py-2 bg-[var(--bg-tertiary)] border border-[var(--border)] rounded text-sm text-[var(--text-primary)] focus:outline-none focus:border-[var(--accent)]"
           />
+          {isRemote && (
+            <input
+              type="text"
+              inputMode="numeric"
+              pattern="[0-9]*"
+              maxLength={8}
+              value={sessionCode}
+              onChange={e => { setSessionCode(e.target.value.replace(/\D/g, '')); setError(''); }}
+              placeholder="Session Code (8 digits)"
+              className="w-full px-3 py-2 bg-[var(--bg-tertiary)] border border-[var(--border)] rounded text-sm text-[var(--text-primary)] font-mono tracking-widest text-center focus:outline-none focus:border-[var(--accent)]"
+            />
+          )}
           {error && <p className="text-xs text-[var(--red)]">{error}</p>}
           <button
             type="submit"
@@ -44,6 +68,11 @@ export default function LoginPage() {
           >
             Sign In
           </button>
+          {isRemote && (
+            <p className="text-[10px] text-[var(--text-secondary)] text-center">
+              Session code is generated when tunnel starts. Use /tunnel_code in Telegram to get it.
+            </p>
+          )}
         </form>
 
       </div>

package/bin/forge-server.mjs

@@ -195,7 +195,7 @@ function startBackground() {
   console.log(`[forge] Terminal: ws://localhost:${terminalPort}`);
   console.log(`[forge] Data: ${DATA_DIR}`);
   console.log(`[forge] Log: ${LOG_FILE}`);
-  console.log(`[forge] Stop: forge-server --stop${DATA_DIR !== join(homedir(), '.forge') ? ` --dir ${DATA_DIR}` : ''}`);
+  console.log(`[forge] Stop: forge server stop`);
 }
 
 // ── Stop ──

package/cli/mw.ts

@@ -20,6 +20,35 @@ const BASE = process.env.MW_URL || 'http://localhost:3000';
 
 const [, , cmd, ...args] = process.argv;
 
+/** Check npm for newer version, print reminder if available */
+async function checkForUpdate() {
+  try {
+    const { readFileSync } = await import('node:fs');
+    const { join, dirname } = await import('node:path');
+    const { fileURLToPath } = await import('node:url');
+    const pkg = JSON.parse(readFileSync(join(dirname(fileURLToPath(import.meta.url)), '..', 'package.json'), 'utf-8'));
+    const current = pkg.version;
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 3000);
+    const res = await fetch('https://registry.npmjs.org/@aion0/forge/latest', {
+      signal: controller.signal,
+      headers: { 'Accept': 'application/json' },
+    });
+    clearTimeout(timeout);
+    if (!res.ok) return;
+    const data = await res.json();
+    const latest = data.version;
+
+    const [ca, cb, cc] = current.split('.').map(Number);
+    const [la, lb, lc] = latest.split('.').map(Number);
+    if (la > ca || (la === ca && lb > cb) || (la === ca && lb === cb && lc > cc)) {
+      console.log(`\n  Update available: v${current} → v${latest}`);
+      console.log(`  Run: forge upgrade\n`);
+    }
+  } catch {}
+}
+
 async function api(path: string, opts?: RequestInit) {
   const res = await fetch(`${BASE}${path}`, opts);
   if (!res.ok) {
@@ -322,22 +351,22 @@ async function main() {
 
     case 'password':
     case 'pw': {
-      const { readFileSync } = await import('node:fs');
+      const { readFileSync, existsSync } = await import('node:fs');
       const { homedir } = await import('node:os');
       const { join } = await import('node:path');
-      const pwFile = join(homedir(), '.forge', 'password.json');
+      const dataDir = process.env.FORGE_DATA_DIR || join(homedir(), '.forge');
+      const codeFile = join(dataDir, 'session-code.json');
       try {
-        const data = JSON.parse(readFileSync(pwFile, 'utf-8'));
-        const today = new Date().toISOString().slice(0, 10);
-        if (data.date === today) {
-          console.log(`Login password: ${data.password}`);
-          console.log(`Valid for: ${data.date}`);
-        } else {
-          console.log(`Password expired (was for ${data.date}). Restart server to generate new one.`);
+        if (existsSync(codeFile)) {
+          const data = JSON.parse(readFileSync(codeFile, 'utf-8'));
+          if (data.code) {
+            console.log(`Session code: ${data.code} (for remote login 2FA)`);
+          }
         }
-      } catch {
-        console.log('No password file found. Password is set via MW_PASSWORD env var.');
-      }
+      } catch {}
+      console.log('Admin password: configured in Settings → Admin Password');
+      console.log('Local login: admin password only');
+      console.log('Remote login: admin password + session code');
       break;
     }
 
@@ -512,7 +541,7 @@ Shortcuts: t=task, ls=tasks, w=watch, s=status, l=log, f=flows, p=projects, pw=p
   }
 }
 
-main().catch(err => {
+main().then(() => checkForUpdate()).catch(err => {
   console.error(err.message);
   process.exit(1);
 });

package/components/Dashboard.tsx

@@ -50,8 +50,16 @@ export default function Dashboard({ user }: { user: any }) {
   const [providers, setProviders] = useState<ProviderInfo[]>([]);
   const [projects, setProjects] = useState<ProjectInfo[]>([]);
   const [onlineCount, setOnlineCount] = useState<{ total: number; remote: number }>({ total: 0, remote: 0 });
+  const [versionInfo, setVersionInfo] = useState<{ current: string; latest: string; hasUpdate: boolean } | null>(null);
+  const [upgrading, setUpgrading] = useState(false);
+  const [upgradeResult, setUpgradeResult] = useState<string | null>(null);
   const terminalRef = useRef<WebTerminalHandle>(null);
 
+  // Version check (once on mount)
+  useEffect(() => {
+    fetch('/api/version').then(r => r.json()).then(setVersionInfo).catch(() => {});
+  }, []);
+
   // Heartbeat for online user tracking
   useEffect(() => {
     const ping = () => {
@@ -96,6 +104,35 @@ export default function Dashboard({ user }: { user: any }) {
       <header className="h-12 border-b-2 border-[var(--border)] flex items-center justify-between px-4 shrink-0 bg-[var(--bg-secondary)]">
         <div className="flex items-center gap-4">
           <span className="text-sm font-bold text-[var(--accent)]">Forge</span>
+          {versionInfo && (
+            <span className="flex items-center gap-1.5">
+              <span className="text-[10px] text-[var(--text-secondary)]">v{versionInfo.current}</span>
+              {versionInfo.hasUpdate && !upgradeResult && (
+                <button
+                  disabled={upgrading}
+                  onClick={async () => {
+                    setUpgrading(true);
+                    try {
+                      const res = await fetch('/api/upgrade', { method: 'POST' });
+                      const data = await res.json();
+                      setUpgradeResult(data.ok ? data.message : data.error);
+                      if (data.ok) setVersionInfo(v => v ? { ...v, hasUpdate: false } : v);
+                    } catch { setUpgradeResult('Upgrade failed'); }
+                    setUpgrading(false);
+                  }}
+                  className="text-[9px] px-1.5 py-0.5 bg-[var(--accent)] text-white rounded hover:opacity-90 disabled:opacity-50"
+                  title={`Update to v${versionInfo.latest}`}
+                >
+                  {upgrading ? 'Upgrading...' : `Update v${versionInfo.latest}`}
+                </button>
+              )}
+              {upgradeResult && (
+                <span className="text-[9px] text-[var(--green)] max-w-[200px] truncate" title={upgradeResult}>
+                  {upgradeResult}
+                </span>
+              )}
+            </span>
+          )}
 
           {/* View mode toggle */}
           <div className="flex bg-[var(--bg-tertiary)] rounded p-0.5">