@atercates/claude-deck 0.2.2 → 0.2.4

package/lib/auth/session.ts

@@ -0,0 +1,83 @@
+import { randomBytes } from "crypto";
+import { queries } from "@/lib/db";
+import type { User } from "@/lib/db";
+
+const SESSION_DURATION_DAYS = 30;
+const SESSION_TOKEN_BYTES = 32;
+
+export function createSession(userId: string): {
+  token: string;
+  expiresAt: string;
+} {
+  const id = randomBytes(16).toString("hex");
+  const token = randomBytes(SESSION_TOKEN_BYTES).toString("hex");
+  const expiresAt = new Date(
+    Date.now() + SESSION_DURATION_DAYS * 24 * 60 * 60 * 1000
+  ).toISOString();
+
+  queries.createAuthSession(id, token, userId, expiresAt);
+
+  return { token, expiresAt };
+}
+
+export function validateSession(token: string): User | null {
+  if (!token || token.length !== SESSION_TOKEN_BYTES * 2) return null;
+
+  const session = queries.getAuthSessionByToken(token);
+  if (!session) return null;
+
+  if (new Date(session.expires_at) < new Date()) {
+    queries.deleteAuthSession(token);
+    return null;
+  }
+
+  const user = queries.getUserById(session.user_id);
+  if (!user) {
+    queries.deleteAuthSession(token);
+    return null;
+  }
+
+  return user;
+}
+
+export function renewSession(token: string): void {
+  const expiresAt = new Date(
+    Date.now() + SESSION_DURATION_DAYS * 24 * 60 * 60 * 1000
+  ).toISOString();
+  queries.renewAuthSession(token, expiresAt);
+}
+
+export function deleteSession(token: string): void {
+  queries.deleteAuthSession(token);
+}
+
+export function cleanupExpiredSessions(): void {
+  queries.deleteExpiredAuthSessions();
+}
+
+export const COOKIE_NAME = "claude_deck_session";
+
+export function buildSessionCookie(token: string): string {
+  const maxAge = SESSION_DURATION_DAYS * 24 * 60 * 60;
+  return `${COOKIE_NAME}=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${maxAge}`;
+}
+
+export function buildClearCookie(): string {
+  return `${COOKIE_NAME}=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0`;
+}
+
+export function parseCookies(
+  cookieHeader: string | undefined
+): Record<string, string> {
+  if (!cookieHeader) return {};
+  return Object.fromEntries(
+    cookieHeader.split(";").map((c) => {
+      const [key, ...rest] = c.trim().split("=");
+      return [key, rest.join("=")];
+    })
+  );
+}
+
+export function hasUsers(): boolean {
+  return queries.getUserCount() > 0;
+}

package/lib/auth/totp.ts

@@ -0,0 +1,36 @@
+import { TOTP, Secret } from "otpauth";
+
+const ISSUER = "ClaudeDeck";
+
+export function generateTotpSecret(username: string): {
+  secret: string;
+  uri: string;
+} {
+  const secret = new Secret({ size: 20 });
+  const totp = new TOTP({
+    issuer: ISSUER,
+    label: username,
+    algorithm: "SHA1",
+    digits: 6,
+    period: 30,
+    secret,
+  });
+
+  return {
+    secret: secret.base32,
+    uri: totp.toString(),
+  };
+}
+
+export function verifyTotpCode(secret: string, code: string): boolean {
+  const totp = new TOTP({
+    issuer: ISSUER,
+    algorithm: "SHA1",
+    digits: 6,
+    period: 30,
+    secret: Secret.fromBase32(secret),
+  });
+
+  const delta = totp.validate({ token: code, window: 1 });
+  return delta !== null;
+}

package/lib/claude/watcher.ts

@@ -3,6 +3,8 @@ import path from "path";
 import os from "os";
 import { WebSocket } from "ws";
 import { invalidateProject, invalidateAll } from "./jsonl-cache";
+import { onStateFileChange, invalidateSessionName } from "../status-monitor";
+import { STATES_DIR } from "../hooks/setup";
 
 const CLAUDE_PROJECTS_DIR = path.join(os.homedir(), ".claude", "projects");
 
@@ -13,7 +15,7 @@ export function addUpdateClient(ws: WebSocket): void {
   ws.on("close", () => updateClients.delete(ws));
 }
 
-function broadcast(msg: object): void {
+export function broadcast(msg: object): void {
   const data = JSON.stringify(msg);
   for (const ws of updateClients) {
     if (ws.readyState === WebSocket.OPEN) {
@@ -44,14 +46,21 @@ function handleFileChange(filePath: string): void {
 
 export function startWatcher(): void {
   try {
-    const watcher = watch(CLAUDE_PROJECTS_DIR, {
+    // Watch Claude projects for session list updates
+    const projectsWatcher = watch(CLAUDE_PROJECTS_DIR, {
       ignoreInitial: true,
       depth: 2,
       ignored: [/node_modules/, /\.git/, /subagents/],
     });
 
-    watcher.on("change", handleFileChange);
-    watcher.on("add", (fp) => {
+    projectsWatcher.on("change", (fp) => {
+      handleFileChange(fp);
+      if (fp.endsWith(".jsonl")) {
+        const sessionId = path.basename(fp, ".jsonl");
+        invalidateSessionName(sessionId);
+      }
+    });
+    projectsWatcher.on("add", (fp) => {
       handleFileChange(fp);
       const relative = path.relative(CLAUDE_PROJECTS_DIR, fp);
       if (!relative.includes(path.sep)) {
@@ -59,12 +68,26 @@ export function startWatcher(): void {
         broadcast({ type: "projects-changed" });
       }
     });
-    watcher.on("addDir", () => {
+    projectsWatcher.on("addDir", () => {
       invalidateAll();
       broadcast({ type: "projects-changed" });
     });
 
     console.log("> File watcher started on ~/.claude/projects/");
+
+    // Watch session state files written by hooks
+    const statesWatcher = watch(STATES_DIR, {
+      ignoreInitial: true,
+      depth: 0,
+    });
+
+    statesWatcher.on("change", onStateFileChange);
+    statesWatcher.on("add", onStateFileChange);
+    statesWatcher.on("unlink", onStateFileChange);
+
+    console.log(
+      "> State file watcher started on ~/.claude-deck/session-states/"
+    );
   } catch (err) {
     console.error("Failed to start file watcher:", err);
   }

package/lib/db/queries.ts

@@ -6,6 +6,8 @@ import type {
   ProjectDevServer,
   ProjectRepository,
   DevServer,
+  User,
+  AuthSession,
 } from "./types";
 
 function query<T>(sql: string, params: unknown[] = []): T[] {
@@ -457,4 +459,66 @@ export const queries = {
       itemType,
       itemId,
     ]),
+
+  getUserCount(): number {
+    return (
+      queryOne<{ count: number }>("SELECT COUNT(*) as count FROM users") ?? {
+        count: 0,
+      }
+    ).count;
+  },
+
+  getUserByUsername(username: string): User | null {
+    return queryOne<User>("SELECT * FROM users WHERE username = ?", [username]);
+  },
+
+  getUserById(id: string): User | null {
+    return queryOne<User>("SELECT * FROM users WHERE id = ?", [id]);
+  },
+
+  createUser(
+    id: string,
+    username: string,
+    passwordHash: string,
+    totpSecret: string | null
+  ): void {
+    execute(
+      "INSERT INTO users (id, username, password_hash, totp_secret) VALUES (?, ?, ?, ?)",
+      [id, username, passwordHash, totpSecret]
+    );
+  },
+
+  getAuthSessionByToken(token: string): AuthSession | null {
+    return queryOne<AuthSession>(
+      "SELECT * FROM auth_sessions WHERE token = ?",
+      [token]
+    );
+  },
+
+  createAuthSession(
+    id: string,
+    token: string,
+    userId: string,
+    expiresAt: string
+  ): void {
+    execute(
+      "INSERT INTO auth_sessions (id, token, user_id, expires_at) VALUES (?, ?, ?, ?)",
+      [id, token, userId, expiresAt]
+    );
+  },
+
+  renewAuthSession(token: string, expiresAt: string): void {
+    execute("UPDATE auth_sessions SET expires_at = ? WHERE token = ?", [
+      expiresAt,
+      token,
+    ]);
+  },
+
+  deleteAuthSession(token: string): void {
+    execute("DELETE FROM auth_sessions WHERE token = ?", [token]);
+  },
+
+  deleteExpiredAuthSessions(): void {
+    execute("DELETE FROM auth_sessions WHERE expires_at < datetime('now')");
+  },
 };

package/lib/db/schema.ts

@@ -110,5 +110,24 @@ export function createSchema(db: Database.Database): void {
 
     INSERT OR IGNORE INTO projects (id, name, working_directory, is_uncategorized, sort_order)
     VALUES ('uncategorized', 'Uncategorized', '~', 1, 999999);
+
+    CREATE TABLE IF NOT EXISTS users (
+      id TEXT PRIMARY KEY,
+      username TEXT NOT NULL UNIQUE,
+      password_hash TEXT NOT NULL,
+      totp_secret TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE IF NOT EXISTS auth_sessions (
+      id TEXT PRIMARY KEY,
+      token TEXT NOT NULL UNIQUE,
+      user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      expires_at TEXT NOT NULL,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_auth_sessions_token ON auth_sessions(token);
+    CREATE INDEX IF NOT EXISTS idx_auth_sessions_expires ON auth_sessions(expires_at);
   `);
 }

package/lib/db/types.ts

@@ -90,3 +90,19 @@ export interface DevServer {
   created_at: string;
   updated_at: string;
 }
+
+export interface User {
+  id: string;
+  username: string;
+  password_hash: string;
+  totp_secret: string | null;
+  created_at: string;
+}
+
+export interface AuthSession {
+  id: string;
+  token: string;
+  user_id: string;
+  expires_at: string;
+  created_at: string;
+}

package/lib/hooks/reporter.ts

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+/**
+ * Claude Code hook reporter.
+ *
+ * Invoked by Claude Code hooks on state transitions. Reads JSON from stdin
+ * and writes a session state file to ~/.claude-deck/session-states/{session_id}.json.
+ *
+ * Installed to ~/.claude-deck/hooks/state-reporter by the setup module.
+ */
+
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+const STATES_DIR = path.join(os.homedir(), ".claude-deck", "session-states");
+
+interface HookInput {
+  session_id: string;
+  hook_event_name: string;
+  tool_name?: string;
+  tool_input?: unknown;
+  last_assistant_message?: string;
+  stop_hook_active?: boolean;
+  reason?: string;
+}
+
+interface StateFile {
+  status: "running" | "waiting" | "idle";
+  lastLine: string;
+  waitingContext?: string;
+  ts: number;
+}
+
+function readStdin(): Promise<string> {
+  return new Promise((resolve) => {
+    let data = "";
+    process.stdin.setEncoding("utf-8");
+    process.stdin.on("data", (chunk) => (data += chunk));
+    process.stdin.on("end", () => resolve(data));
+    // Safety timeout — don't hang if stdin never closes
+    setTimeout(() => resolve(data), 1000);
+  });
+}
+
+function getStatePath(sessionId: string): string {
+  return path.join(STATES_DIR, `${sessionId}.json`);
+}
+
+function writeState(sessionId: string, state: StateFile): void {
+  fs.mkdirSync(STATES_DIR, { recursive: true });
+  fs.writeFileSync(getStatePath(sessionId), JSON.stringify(state));
+}
+
+function deleteState(sessionId: string): void {
+  try {
+    fs.unlinkSync(getStatePath(sessionId));
+  } catch {
+    // file may not exist
+  }
+}
+
+async function main(): Promise<void> {
+  const raw = await readStdin();
+  if (!raw.trim()) return;
+
+  let input: HookInput;
+  try {
+    input = JSON.parse(raw);
+  } catch {
+    return;
+  }
+
+  const { session_id, hook_event_name } = input;
+  if (!session_id) return;
+
+  switch (hook_event_name) {
+    case "SessionEnd":
+      deleteState(session_id);
+      break;
+
+    case "PermissionRequest":
+      writeState(session_id, {
+        status: "waiting",
+        lastLine: `Waiting: ${input.tool_name || "permission"}`,
+        waitingContext: input.tool_name
+          ? `Permission requested for ${input.tool_name}`
+          : "Permission requested",
+        ts: Date.now(),
+      });
+      break;
+
+    case "Stop":
+      // Only transition to idle if not in a stop-hook re-run loop
+      if (!input.stop_hook_active) {
+        writeState(session_id, {
+          status: "idle",
+          lastLine: input.last_assistant_message?.slice(0, 200) || "",
+          ts: Date.now(),
+        });
+      }
+      break;
+
+    default:
+      // UserPromptSubmit, SessionStart, PreToolUse, PostToolUse, PermissionDenied
+      writeState(session_id, {
+        status: "running",
+        lastLine: input.tool_name
+          ? `Running: ${input.tool_name}`
+          : "Running...",
+        ts: Date.now(),
+      });
+      break;
+  }
+}
+
+main().catch(() => process.exit(0));

package/lib/hooks/setup.ts

@@ -0,0 +1,164 @@
+/**
+ * Hooks setup module.
+ *
+ * Installs the state-reporter script to ~/.claude-deck/hooks/ and
+ * merges hook configuration into ~/.claude/settings.json idempotently.
+ */
+
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+const CLAUDE_DECK_DIR = path.join(os.homedir(), ".claude-deck");
+const HOOKS_DIR = path.join(CLAUDE_DECK_DIR, "hooks");
+const STATES_DIR = path.join(CLAUDE_DECK_DIR, "session-states");
+const REPORTER_PATH = path.join(HOOKS_DIR, "state-reporter");
+const SETTINGS_PATH = path.join(os.homedir(), ".claude", "settings.json");
+
+// Events we hook into and whether they run async
+const HOOK_EVENTS: Array<{ event: string; async: boolean }> = [
+  { event: "UserPromptSubmit", async: true },
+  { event: "PreToolUse", async: true },
+  { event: "PermissionRequest", async: false },
+  { event: "Elicitation", async: false },
+  { event: "Stop", async: true },
+  { event: "SessionStart", async: true },
+  { event: "SessionEnd", async: true },
+];
+
+// The reporter is a self-contained Node.js script (no tsx, no ESM, no deps)
+const REPORTER_SCRIPT = `#!/usr/bin/env node
+"use strict";
+var fs = require("fs");
+var path = require("path");
+var os = require("os");
+var STATES_DIR = path.join(os.homedir(), ".claude-deck", "session-states");
+
+var data = "";
+process.stdin.setEncoding("utf-8");
+process.stdin.on("data", function(c) { data += c; });
+process.stdin.on("end", function() {
+  try {
+    var input = JSON.parse(data);
+    var id = input.session_id;
+    if (!id) return;
+    fs.mkdirSync(STATES_DIR, { recursive: true });
+    var fp = path.join(STATES_DIR, id + ".json");
+    var evt = input.hook_event_name;
+
+    if (evt === "SessionEnd") {
+      try { fs.unlinkSync(fp); } catch(e) {}
+      return;
+    }
+
+    var status = "running";
+    var lastLine = input.tool_name ? "Running: " + input.tool_name : "Running...";
+    var state = { status: status, lastLine: lastLine, ts: Date.now() };
+
+    if (evt === "SessionStart") {
+      state.status = "idle";
+      state.lastLine = "";
+    } else if (evt === "PermissionRequest" || evt === "Elicitation") {
+      state.status = "waiting";
+      state.lastLine = "Waiting: " + (input.tool_name || "input required");
+      state.waitingContext = input.tool_name
+        ? "Permission requested for " + input.tool_name
+        : "Input required";
+    } else if (evt === "Stop" && !input.stop_hook_active) {
+      state.status = "idle";
+      state.lastLine = (input.last_assistant_message || "").slice(0, 200);
+    }
+
+    fs.writeFileSync(fp, JSON.stringify(state));
+  } catch(e) {}
+});
+setTimeout(function() { process.exit(0); }, 2000);
+`;
+
+function installReporterScript(): void {
+  fs.mkdirSync(HOOKS_DIR, { recursive: true });
+  fs.mkdirSync(STATES_DIR, { recursive: true });
+  fs.writeFileSync(REPORTER_PATH, REPORTER_SCRIPT, { mode: 0o755 });
+}
+
+interface HookCommand {
+  type: "command";
+  command: string;
+  async?: boolean;
+}
+
+interface HookMatcher {
+  matcher?: string;
+  hooks: HookCommand[];
+}
+
+type SettingsHooks = Record<string, HookMatcher[]>;
+
+interface Settings {
+  hooks?: SettingsHooks;
+  [key: string]: unknown;
+}
+
+function isOurHook(hook: HookCommand): boolean {
+  return hook.command === REPORTER_PATH;
+}
+
+function mergeHooksIntoSettings(): void {
+  let settings: Settings = {};
+
+  try {
+    const raw = fs.readFileSync(SETTINGS_PATH, "utf-8");
+    settings = JSON.parse(raw);
+  } catch {
+    // File doesn't exist or is invalid
+  }
+
+  if (!settings.hooks) {
+    settings.hooks = {};
+  }
+
+  let changed = false;
+
+  for (const { event, async: isAsync } of HOOK_EVENTS) {
+    if (!settings.hooks[event]) {
+      settings.hooks[event] = [];
+    }
+
+    const eventHooks = settings.hooks[event];
+    const alreadyInstalled = eventHooks.some((matcher) =>
+      matcher.hooks?.some((h) => isOurHook(h))
+    );
+
+    if (!alreadyInstalled) {
+      const hookDef: HookCommand = {
+        type: "command",
+        command: REPORTER_PATH,
+      };
+      if (isAsync) {
+        hookDef.async = true;
+      }
+      eventHooks.push({ hooks: [hookDef] });
+      changed = true;
+    }
+  }
+
+  if (changed) {
+    fs.mkdirSync(path.dirname(SETTINGS_PATH), { recursive: true });
+    fs.writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2) + "\n");
+    console.log("> Hooks configured in ~/.claude/settings.json");
+  }
+}
+
+export function setupHooks(): void {
+  try {
+    installReporterScript();
+    mergeHooksIntoSettings();
+    console.log(
+      "> Hook reporter installed at ~/.claude-deck/hooks/state-reporter"
+    );
+  } catch (err) {
+    console.error("Failed to setup hooks:", err);
+  }
+}
+
+export { STATES_DIR };

package/lib/orchestration.ts

@@ -12,7 +12,8 @@ import { queries, type Session } from "./db";
 import { createWorktree, deleteWorktree } from "./worktrees";
 import { setupWorktree } from "./env-setup";
 import { type AgentType, getProvider } from "./providers";
-import { statusDetector } from "./status-detector";
+import { getStatusSnapshot } from "./status-monitor";
+import { getSessionIdFromName } from "./providers/registry";
 import { wrapWithBanner } from "./banner";
 import { runInBackground } from "./async-operations";
 
@@ -273,13 +274,10 @@ export async function getWorkers(
     const provider = getProvider(worker.agent_type || "claude");
     const tmuxSessionName = worker.tmux_name || `${provider.id}-${worker.id}`;
 
-    // Get live status from tmux
-    let liveStatus: string;
-    try {
-      liveStatus = await statusDetector.getStatus(tmuxSessionName);
-    } catch {
-      liveStatus = "dead";
-    }
+    // Get live status from cached monitor snapshot
+    const sessionId = getSessionIdFromName(tmuxSessionName);
+    const snapshot = getStatusSnapshot();
+    const liveStatus = snapshot[sessionId]?.status || "dead";
 
     // Combine DB status with live status
     let status: WorkerInfo["status"];

package/lib/providers/registry.ts

@@ -53,7 +53,7 @@ export function isValidProviderId(value: string): value is ProviderId {
 }
 
 export function getManagedSessionPattern(): RegExp {
-  return /^claude-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+  return /^claude-(new-)?[0-9a-z]{4,}/i;
 }
 
 export function getProviderIdFromSessionName(