@co0ontty/wand 1.15.0 → 1.17.2

package/dist/server.js

@@ -1,4 +1,5 @@
 import crypto from "node:crypto";
+import compression from "compression";
 import express from "express";
 import { createReadStream, existsSync, readFileSync, writeFileSync } from "node:fs";
 import { mkdir, readdir, readFile, stat } from "node:fs/promises";
@@ -13,10 +14,12 @@ import { ensureAvatarSeed, getAvatarSvg } from "./avatar.js";
 import { createSession, revokeSession, setAuthStorage, validateSession } from "./auth.js";
 import { ensureCertificates } from "./cert.js";
 import { isExecutionMode, normalizeCardDefaults, resolveConfigDir, saveConfig } from "./config.js";
+import { getCachedModels, refreshModels } from "./models.js";
 import { ProcessManager } from "./process-manager.js";
 import { StructuredSessionManager } from "./structured-session-manager.js";
 import { generatePwaManifest, generateServiceWorker } from "./pwa.js";
 import { getErrorMessage, registerClaudeHistoryRoutes, registerSessionRoutes } from "./server-session-routes.js";
+import { registerUploadRoutes } from "./upload-routes.js";
 import { resolveDatabasePath, WandStorage } from "./storage.js";
 import { renderApp } from "./web-ui/index.js";
 import { WsBroadcastManager } from "./ws-broadcast.js";
@@ -485,9 +488,12 @@ export async function startServer(config, configPath) {
     const protocol = useHttps ? "https" : "http";
     const nodeModulesDir = path.join(RUNTIME_ROOT_DIR, "node_modules");
     app.use(express.json({ limit: "1mb" }));
-    app.use("/vendor/xterm", express.static(path.join(nodeModulesDir, "@xterm", "xterm")));
-    app.use("/vendor/xterm-addon-fit", express.static(path.join(nodeModulesDir, "@xterm", "addon-fit")));
-    app.use("/vendor/xterm-addon-serialize", express.static(path.join(nodeModulesDir, "@xterm", "addon-serialize")));
+    app.use(compression({ threshold: 1024 }));
+    const vendorCacheOpts = { maxAge: "7d", immutable: true };
+    const contentDir = existsSync(path.join(SERVER_MODULE_DIR, "web-ui", "content"))
+        ? path.join(SERVER_MODULE_DIR, "web-ui", "content")
+        : path.join(RUNTIME_ROOT_DIR, "src", "web-ui", "content");
+    app.use("/vendor/wterm", express.static(path.join(contentDir, "vendor", "wterm"), vendorCacheOpts));
     // ── Web UI and PWA endpoints ──
     app.get("/", (_req, res) => {
         res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
@@ -691,6 +697,10 @@ export async function startServer(config, configPath) {
             hasCert: existsSync(certPaths.keyPath) && existsSync(certPaths.certPath),
             updateAvailable: cachedUpdateInfo?.updateAvailable ?? false,
             latestVersion: cachedUpdateInfo?.latest ?? null,
+            autoUpdate: {
+                web: storage.getConfigValue("autoUpdateWeb") === "true",
+                apk: storage.getConfigValue("autoUpdateApk") === "true",
+            },
             androidApk: {
                 enabled: config.android?.enabled === true,
                 apkDir,
@@ -742,7 +752,7 @@ export async function startServer(config, configPath) {
     });
     app.post("/api/settings/config", async (req, res) => {
         const body = req.body;
-        const allowedFields = ["host", "port", "https", "defaultMode", "defaultCwd", "shell", "language"];
+        const allowedFields = ["host", "port", "https", "defaultMode", "defaultCwd", "shell", "language", "defaultModel"];
         let changed = false;
         for (const field of allowedFields) {
             if (field in body && body[field] !== undefined) {
@@ -776,6 +786,9 @@ export async function startServer(config, configPath) {
                 else if (field === "language") {
                     config.language = typeof body.language === "string" ? body.language.trim() : "";
                 }
+                else if (field === "defaultModel") {
+                    config.defaultModel = typeof body.defaultModel === "string" ? body.defaultModel.trim() : "";
+                }
                 changed = true;
             }
         }
@@ -799,6 +812,29 @@ export async function startServer(config, configPath) {
             res.status(500).json({ error: getErrorMessage(error, "保存配置失败。") });
         }
     });
+    app.get("/api/models", (_req, res) => {
+        const cached = getCachedModels();
+        res.json({
+            models: cached.models,
+            claudeVersion: cached.claudeVersion,
+            refreshedAt: cached.refreshedAt,
+            defaultModel: config.defaultModel ?? "",
+        });
+    });
+    app.post("/api/models/refresh", async (_req, res) => {
+        try {
+            const refreshed = await refreshModels();
+            res.json({
+                models: refreshed.models,
+                claudeVersion: refreshed.claudeVersion,
+                refreshedAt: refreshed.refreshedAt,
+                defaultModel: config.defaultModel ?? "",
+            });
+        }
+        catch (error) {
+            res.status(500).json({ error: getErrorMessage(error, "刷新模型列表失败。") });
+        }
+    });
     app.post("/api/settings/upload-cert", async (req, res) => {
         const { key, cert } = req.body;
         if (!key || !cert) {
@@ -854,6 +890,7 @@ export async function startServer(config, configPath) {
     });
     registerSessionRoutes(app, processes, structuredSessions, storage, config.defaultMode);
     registerClaudeHistoryRoutes(app, processes, storage);
+    registerUploadRoutes(app, processes);
     // ── Path suggestion ──
     app.get("/api/path-suggestions", async (req, res) => {
         const query = typeof req.query.q === "string" ? req.query.q : "";
@@ -869,10 +906,9 @@ export async function startServer(config, configPath) {
     app.get("/api/directory", async (req, res) => {
         const q = typeof req.query.q === "string" ? req.query.q : "";
         const includeGitStatus = req.query.gitStatus === "true";
-        const targetPath = path.resolve(process.cwd(), q);
-        const allowedBase = process.cwd();
-        if (!isPathWithinBase(targetPath, allowedBase)) {
-            res.status(403).json({ error: "访问被拒绝：路径必须在项目目录内。" });
+        const targetPath = path.resolve(q || config.defaultCwd);
+        if (isBlockedFolderPath(targetPath)) {
+            res.status(403).json({ error: "访问被拒绝：无法访问系统敏感目录。" });
             return;
         }
         try {
@@ -908,8 +944,7 @@ export async function startServer(config, configPath) {
             return;
         }
         const resolvedPath = path.resolve(filePath);
-        const allowedBase = process.cwd();
-        if (!isPathWithinBase(resolvedPath, allowedBase)) {
+        if (isBlockedFolderPath(resolvedPath)) {
             res.status(403).json({ error: "Access denied" });
             return;
         }
@@ -1125,9 +1160,12 @@ export async function startServer(config, configPath) {
         }
         const initialInput = body.initialInput?.trim();
         try {
+            const rawModel = typeof body.model === "string" ? body.model.trim() : "";
+            const effectiveModel = rawModel || (config.defaultModel ?? "").trim() || undefined;
             const snapshot = processes.start(body.command, body.cwd, normalizeMode(body.mode, config.defaultMode), initialInput || undefined, {
                 worktreeEnabled: body.worktreeEnabled === true,
                 provider: body.provider,
+                model: effectiveModel,
             });
             res.status(201).json(snapshot);
         }
@@ -1142,7 +1180,15 @@ export async function startServer(config, configPath) {
             return createHttpsServer({ key: ssl.key, cert: ssl.cert }, app);
         })()
         : createHttpServer(app);
-    const wss = new WebSocketServer({ server, path: "/ws" });
+    const wss = new WebSocketServer({
+        server,
+        path: "/ws",
+        perMessageDeflate: {
+            zlibDeflateOptions: { level: 1 },
+            threshold: 512,
+            concurrencyLimit: 10,
+        },
+    });
     const wsManager = new WsBroadcastManager(wss, () => config.cardDefaults ?? {});
     wsManager.setup((id) => structuredSessions.get(id) ?? processes.get(id));
     // Wire process events to WebSocket broadcast
@@ -1196,17 +1242,80 @@ export async function startServer(config, configPath) {
     }
     // Start configured background sessions after the server is already reachable.
     processes.runStartupCommands();
-    // Background update check on startup
-    checkNpmLatestVersion().then((info) => {
+    // ── Auto-update endpoints ──
+    app.get("/api/auto-update", (_req, res) => {
+        const web = storage.getConfigValue("autoUpdateWeb") === "true";
+        const apk = storage.getConfigValue("autoUpdateApk") === "true";
+        res.json({ web, apk });
+    });
+    app.post("/api/auto-update", express.json(), (req, res) => {
+        const { web, apk } = req.body;
+        if (typeof web === "boolean") {
+            storage.setConfigValue("autoUpdateWeb", String(web));
+        }
+        if (typeof apk === "boolean") {
+            storage.setConfigValue("autoUpdateApk", String(apk));
+        }
+        res.json({
+            web: storage.getConfigValue("autoUpdateWeb") === "true",
+            apk: storage.getConfigValue("autoUpdateApk") === "true",
+        });
+    });
+    // ── Auto-update logic ──
+    async function performAutoUpdate() {
+        const info = await checkNpmLatestVersion(true);
         cachedUpdateInfo = info;
-        if (info.updateAvailable) {
+        if (!info.updateAvailable)
+            return;
+        const autoEnabled = storage.getConfigValue("autoUpdateWeb") === "true";
+        if (!autoEnabled) {
+            // Not auto-updating, just notify
             process.stdout.write(`[wand] 发现新版本 ${info.latest}（当前 ${info.current}）。运行 npm install -g ${PKG_NAME}@latest 进行更新。\n`);
-            // Broadcast update notification to all connected WS clients
             wsManager.emitEvent({
                 type: "notification",
                 sessionId: "__system__",
                 data: { kind: "update", current: info.current, latest: info.latest },
             });
+            return;
         }
-    }).catch(() => { });
+        // Auto-update: install and restart
+        process.stdout.write(`[wand] 自动更新：正在从 ${info.current} 更新到 ${info.latest}...\n`);
+        wsManager.emitEvent({
+            type: "notification",
+            sessionId: "__system__",
+            data: { kind: "auto-update-start", current: info.current, latest: info.latest },
+        });
+        try {
+            await execAsync(`npm install -g ${PKG_NAME}@latest`, { timeout: 120000 });
+            process.stdout.write(`[wand] 自动更新完成，正在重启...\n`);
+            wsManager.emitEvent({
+                type: "notification",
+                sessionId: "__system__",
+                data: { kind: "auto-update-restart", current: info.current, latest: info.latest },
+            });
+            // Restart after a brief delay
+            setTimeout(() => {
+                wss.clients.forEach((client) => client.close());
+                server.close(() => {
+                    spawn(process.execPath, process.argv.slice(1), {
+                        detached: true,
+                        stdio: "inherit",
+                        cwd: process.cwd(),
+                        env: process.env,
+                    }).unref();
+                    process.exit(0);
+                });
+                setTimeout(() => process.exit(0), 5000);
+            }, 1000);
+        }
+        catch (error) {
+            process.stdout.write(`[wand] 自动更新失败: ${getErrorMessage(error, "未知错误")}\n`);
+        }
+    }
+    // Background update check on startup
+    performAutoUpdate().catch(() => { });
+    // Periodic update check (every 30 minutes)
+    setInterval(() => {
+        performAutoUpdate().catch(() => { });
+    }, 30 * 60 * 1000);
 }

package/dist/structured-session-manager.d.ts

@@ -6,6 +6,8 @@ interface CreateStructuredSessionOptions {
     prompt?: string;
     runner?: SessionRunner;
     worktreeEnabled?: boolean;
+    /** 用户指定的 Claude 模型（别名或完整 ID）。留空则 spawn 时不加 --model。 */
+    model?: string;
 }
 export declare class StructuredSessionManager {
     private readonly storage;
@@ -25,6 +27,8 @@ export declare class StructuredSessionManager {
     approvePermission(sessionId: string): SessionSnapshot;
     /** Deny a pending permission request. */
     denyPermission(sessionId: string): SessionSnapshot;
+    /** Update the selected model for a structured session. Takes effect on the next spawn. */
+    setSessionModel(sessionId: string, model: string | null): SessionSnapshot;
     /** Toggle auto-approve for the session. */
     toggleAutoApprove(sessionId: string): SessionSnapshot;
     /** Resolve a specific escalation by requestId. */

package/dist/structured-session-manager.js

@@ -35,6 +35,17 @@ function buildStructuredOutputPayload(snapshot) {
         structuredState: snapshot.structuredState,
     };
 }
+function buildIncrementalStructuredPayload(snapshot) {
+    const messages = snapshot.messages ?? [];
+    return {
+        incremental: true,
+        queuedMessages: snapshot.queuedMessages,
+        sessionKind: "structured",
+        structuredState: snapshot.structuredState,
+        lastMessage: messages.length > 0 ? messages[messages.length - 1] : undefined,
+        messageCount: messages.length,
+    };
+}
 export class StructuredSessionManager {
     storage;
     config;
@@ -62,11 +73,12 @@ export class StructuredSessionManager {
                 structuredState: {
                     provider: snapshot.structuredState?.provider ?? snapshot.provider ?? "claude",
                     runner: snapshot.runner ?? "claude-cli-print",
-                    model: snapshot.structuredState?.model,
+                    model: snapshot.structuredState?.model ?? snapshot.selectedModel ?? undefined,
                     lastError: snapshot.structuredState?.lastError ?? null,
                     inFlight: false,
                     activeRequestId: null,
                 },
+                selectedModel: snapshot.selectedModel ?? null,
             };
             this.sessions.set(restored.id, restored);
             this.storage.saveSession(restored);
@@ -101,6 +113,7 @@ export class StructuredSessionManager {
         const worktreeSetup = options.worktreeEnabled
             ? prepareSessionWorktree({ cwd: options.cwd, sessionId: id })
             : null;
+        const selectedModel = options.model?.trim() || null;
         const snapshot = {
             id,
             sessionKind: "structured",
@@ -124,6 +137,7 @@ export class StructuredSessionManager {
             structuredState: {
                 provider: "claude",
                 runner: options.runner ?? "claude-cli-print",
+                model: selectedModel ?? undefined,
                 inFlight: false,
                 activeRequestId: null,
                 lastError: null,
@@ -131,6 +145,7 @@ export class StructuredSessionManager {
             autoRecovered: false,
             autoApprovePermissions: shouldAutoApproveForMode(options.mode),
             approvalStats: { tool: 0, command: 0, file: 0, total: 0 },
+            selectedModel,
         };
         this.sessions.set(id, snapshot);
         this.storage.saveSession(snapshot);
@@ -251,6 +266,27 @@ export class StructuredSessionManager {
     denyPermission(sessionId) {
         return this.resolvePermission(sessionId, false);
     }
+    /** Update the selected model for a structured session. Takes effect on the next spawn. */
+    setSessionModel(sessionId, model) {
+        const session = this.requireSession(sessionId);
+        const normalized = model?.trim() || null;
+        const updated = {
+            ...session,
+            selectedModel: normalized,
+            structuredState: {
+                ...(session.structuredState ?? { provider: "claude", runner: "claude-cli-print", inFlight: false, activeRequestId: null, lastError: null }),
+                model: normalized ?? undefined,
+            },
+        };
+        this.sessions.set(sessionId, updated);
+        this.storage.saveSession(updated);
+        this.emit({
+            type: "status",
+            sessionId,
+            data: { sessionKind: "structured", selectedModel: normalized, structuredState: updated.structuredState },
+        });
+        return updated;
+    }
     /** Toggle auto-approve for the session. */
     toggleAutoApprove(sessionId) {
         const session = this.requireSession(sessionId);
@@ -474,14 +510,24 @@ export class StructuredSessionManager {
             // Add permission args based on mode + autoApprovePermissions toggle
             const permArgs = this.buildPermissionArgs(session.mode, session.autoApprovePermissions ?? false);
             args.push(...permArgs);
+            // Append language-aware system prompts
+            const language = this.config.language?.trim();
+            const isChinese = language === "中文";
             // In managed mode, append autonomous system prompt
             if (session.mode === "managed") {
-                args.push("--append-system-prompt", "You are running in a fully managed, autonomous mode. The user may not be available to respond to questions or confirmations in a timely manner. You MUST make all decisions independently — choose the best approach yourself instead of asking the user for preferences, confirmations, or clarifications. If multiple approaches are viable, pick the one you judge most appropriate and proceed. Never block on user input unless the task is fundamentally ambiguous and cannot be reasonably inferred. Be decisive and self-directed.");
+                args.push("--append-system-prompt", isChinese
+                    ? "你正在完全托管的自主模式下运行。用户可能无法及时回复问题或确认。你必须独立做出所有决策——自行选择最佳方案，而不是向用户询问偏好、确认或澄清。如果有多种可行方案，选择你认为最合适的并继续执行。除非任务本身存在根本性的歧义且无法合理推断，否则不要等待用户输入。果断行动，自主决策。"
+                    : "You are running in a fully managed, autonomous mode. The user may not be available to respond to questions or confirmations in a timely manner. You MUST make all decisions independently — choose the best approach yourself instead of asking the user for preferences, confirmations, or clarifications. If multiple approaches are viable, pick the one you judge most appropriate and proceed. Never block on user input unless the task is fundamentally ambiguous and cannot be reasonably inferred. Be decisive and self-directed.");
             }
             // Append language preference if configured
-            const language = this.config.language?.trim();
             if (language) {
-                args.push("--append-system-prompt", `Please respond in ${language}. Use ${language} for all your explanations, comments, and conversational text.`);
+                args.push("--append-system-prompt", isChinese
+                    ? "请使用中文回复。所有解释、注释和对话文本都使用中文。"
+                    : `Please respond in ${language}. Use ${language} for all your explanations, comments, and conversational text.`);
+            }
+            const modelChoice = session.selectedModel?.trim();
+            if (modelChoice && modelChoice !== "default") {
+                args.push("--model", modelChoice);
             }
             if (session.claudeSessionId) {
                 args.push("--resume", session.claudeSessionId);
@@ -516,7 +562,7 @@ export class StructuredSessionManager {
                 this.emit({
                     type: "output",
                     sessionId,
-                    data: buildStructuredOutputPayload(current),
+                    data: buildIncrementalStructuredPayload(current),
                 });
             };
             const scheduleEmit = () => {

package/dist/types.d.ts

@@ -86,6 +86,18 @@ export interface WandConfig {
     android?: AndroidApkConfig;
     /** Default expand/collapse state for card types in structured chat view */
     cardDefaults?: CardExpandDefaults;
+    /** 新建会话时默认使用的 Claude 模型（别名或完整 ID）。留空则不传 --model，由 claude 自行决定。 */
+    defaultModel?: string;
+}
+export interface ClaudeModelInfo {
+    /** 传给 --model 的值（别名或完整模型 ID） */
+    id: string;
+    /** UI 显示的友好标签 */
+    label: string;
+    /** 可选备注：例如 "当前默认"、"最新" */
+    note?: string;
+    /** 是否为别名（opus/sonnet 等）；完整 ID 为 false */
+    alias?: boolean;
 }
 interface WorktreeInfo {
     branch: string;
@@ -130,6 +142,8 @@ export interface CommandRequest {
     mode?: ExecutionMode;
     initialInput?: string;
     worktreeEnabled?: boolean;
+    /** Claude 模型（别名或完整 ID）。仅对 claude provider 生效。留空则回落到 config.defaultModel。 */
+    model?: string;
 }
 export interface InputRequest {
     input?: string;
@@ -273,6 +287,8 @@ export interface SessionSnapshot {
     summary?: string;
     /** 当前正在执行的任务标题（用于会话列表展示） */
     currentTaskTitle?: string;
+    /** 用户为此会话选定的 Claude 模型（别名或完整 ID）。结构化会话下次 spawn 时使用；PTY 会话仅用于展示。 */
+    selectedModel?: string | null;
 }
 export type SessionLifecycleState = "initializing" | "running" | "idle" | "thinking" | "waiting-input" | "archived";
 export interface SessionLifecycle {

package/dist/upload-routes.d.ts

@@ -0,0 +1,3 @@
+import type { Express } from "express";
+import type { ProcessManager } from "./process-manager.js";
+export declare function registerUploadRoutes(app: Express, processes: ProcessManager): void;

package/dist/upload-routes.js

@@ -0,0 +1,53 @@
+import { mkdirSync, existsSync } from "node:fs";
+import path from "node:path";
+import { randomBytes } from "node:crypto";
+import multer from "multer";
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10 MB
+const MAX_FILES = 5;
+function sanitizeFilename(name) {
+    return name.replace(/[^a-zA-Z0-9._-]/g, "_").slice(0, 200);
+}
+export function registerUploadRoutes(app, processes) {
+    const storage = multer.diskStorage({
+        destination(_req, _file, cb) {
+            const sessionId = _req.params?.id;
+            const session = sessionId ? processes.get(sessionId) : null;
+            const cwd = session?.cwd || "/tmp";
+            const uploadDir = path.join(cwd, ".wand-uploads");
+            if (!existsSync(uploadDir)) {
+                mkdirSync(uploadDir, { recursive: true });
+            }
+            cb(null, uploadDir);
+        },
+        filename(_req, file, cb) {
+            const ts = Date.now();
+            const rand = randomBytes(4).toString("hex");
+            const safe = sanitizeFilename(file.originalname);
+            cb(null, `${ts}-${rand}-${safe}`);
+        },
+    });
+    const upload = multer({
+        storage,
+        limits: { fileSize: MAX_FILE_SIZE, files: MAX_FILES },
+    });
+    app.post("/api/sessions/:id/upload", upload.array("files", MAX_FILES), (req, res) => {
+        const sessionId = req.params.id;
+        const session = processes.get(sessionId);
+        if (!session) {
+            res.status(404).json({ error: "会话不存在。" });
+            return;
+        }
+        const files = req.files || [];
+        if (files.length === 0) {
+            res.status(400).json({ error: "未收到文件。" });
+            return;
+        }
+        const result = files.map((f) => ({
+            originalName: f.originalname,
+            savedPath: f.path,
+            size: f.size,
+            mimeType: f.mimetype,
+        }));
+        res.json({ files: result });
+    });
+}