@jhizzard/termdeck 0.6.7 → 0.7.0

package/README.md

@@ -171,7 +171,7 @@ Honest limits, stated upfront so the skeptic has nothing to chase:
 - **Not a replacement for reading docs.** It's the shortest path to a memory you already wrote. If the memory isn't there, the feature does nothing.
 - **Not fully local by default.** Tier 2+ reaches out to Supabase for storage and OpenAI for embeddings. Tier 1 is fully local. A fully-local Tier 2 (local Postgres + local embeddings) is on the roadmap.
 - **Not free forever.** Tier 2+ pays OpenAI fractions of a cent per memory for embeddings. Self-hosted embeddings via Ollama are on the roadmap.
-- **Not proven at scale.** v0.6.4, validated against 4,669 memories in one developer's production store. The Rumen 2026-04-19 re-kickstart processed 166 sessions into 166 insights in ~5.5 minutes. No multi-user data yet. Bug reports and issues welcome.
+- **Not proven at scale.** v0.7.0, validated against 4,669 memories in one developer's production store. The Rumen 2026-04-19 re-kickstart processed 166 sessions into 166 insights in ~5.5 minutes. No multi-user data yet. Bug reports and issues welcome.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jhizzard/termdeck",
-  "version": "0.6.7",
+  "version": "0.7.0",
   "description": "Browser-based terminal multiplexer with metadata overlays, panel flashback memory recall, and AI-aware session management",
   "bin": {
     "termdeck": "./packages/cli/src/index.js"

package/packages/cli/src/init-mnestra.js

@@ -43,7 +43,8 @@ const {
   yaml,
   supabaseUrl: urlHelper,
   migrations,
-  pgRunner
+  pgRunner,
+  preconditions
 } = require(SETUP_DIR);
 
 const HELP = [
@@ -514,7 +515,19 @@ async function main(argv) {
     await checkExistingStore(client);
     await applyMigrations(client, false);
     writeYamlConfig(false);
+    // v0.6.9: post-write outcome verification. Confirms each migration's
+    // expected schema bits actually landed — including memory_items.
+    // source_session_id (the v0.6.5 column whose absence cascaded into
+    // Brad's Rumen failures). This is the test that, if it had existed
+    // before v0.6.5, would have caught the silent-shadow saga at install
+    // time instead of cron-tick time.
     if (!flags.skipVerify) {
+      const verify = await preconditions.verifyMnestraOutcomes({ secrets: { DATABASE_URL: inputs.databaseUrl }, _pgClient: client });
+      preconditions.printVerifyReport(verify, 'mnestra');
+      if (!verify.ok) {
+        printResumeHint();
+        return 8;
+      }
       const verified = await verifyStatus(client);
       if (!verified) {
         process.stdout.write(

package/packages/cli/src/init-rumen.js

@@ -34,7 +34,8 @@ const {
   dotenv,
   supabaseUrl: urlHelper,
   migrations,
-  pgRunner
+  pgRunner,
+  preconditions
 } = require(SETUP_DIR);
 
 // Pinned fallback used only when the npm registry is unreachable. Bump this
@@ -593,6 +594,18 @@ async function main(argv) {
     }
   }
 
+  // v0.6.9: front-loaded precondition audit. Runs BEFORE link so we don't
+  // create state (function deploy, function secrets, schedule SQL) that the
+  // user would have to manually clean up if a precondition is missing. Every
+  // gap is reported in one pass with actionable hints. The audit class — env
+  // tokens, pg extensions, Vault secret — covers the v0.6.4 / v0.6.6 / v0.6.7
+  // / v0.6.9-equivalent failure modes that previously surfaced one-per-patch.
+  if (!flags.dryRun) {
+    const audit = await preconditions.auditRumenPreconditions({ secrets, env: process.env });
+    preconditions.printAuditReport(audit, 'rumen');
+    if (!audit.ok) return 10;
+  }
+
   if (!(await link(projectRef, flags.dryRun))) return 4;
 
   // Backfill SUPABASE_ACCESS_TOKEN into ~/.claude/mcp.json now that
@@ -630,6 +643,15 @@ async function main(argv) {
   if (!(await testFunction(projectRef, secrets, flags.dryRun))) return 8;
   if (!flags.skipSchedule) {
     if (!(await applySchedule(projectRef, secrets, flags.dryRun))) return 9;
+    // v0.6.9: post-write outcome verification. Confirms cron.job has the
+    // active rumen-tick row. Doesn't poll for the first 15-min tick — that's
+    // too long for an interactive wizard — but tells the user the exact
+    // query to run after waiting if they want firing-confirmation.
+    if (!flags.dryRun) {
+      const verify = await preconditions.verifyRumenOutcomes({ secrets });
+      preconditions.printVerifyReport(verify, 'rumen');
+      if (!verify.ok) return 11;
+    }
   } else {
     process.stdout.write('→ Skipping pg_cron schedule (per --skip-schedule) ✓\n');
   }

package/packages/client/public/app.js

@@ -159,6 +159,7 @@
                     `<option value="${tid}" ${tid === meta.theme ? 'selected' : ''}>${t.label}</option>`
                   ).join('')}
                 </select>
+                <a class="theme-reset" id="theme-reset-${id}" href="javascript:void(0)" onclick="resetTheme('${id}')" title="Revert to project / global default from config.yaml" style="font-size:11px;color:#7aa2f7;text-decoration:none;margin-left:4px;opacity:0.7;cursor:pointer">↺ default</a>
                 <button class="ctrl-btn" onclick="focusPanel('${id}')">focus</button>
                 <button class="ctrl-btn" onclick="halfPanel('${id}')">half</button>
                 <button class="ctrl-btn reply-toggle" id="reply-btn-${id}" onclick="toggleReplyForm('${id}')" title="Send text to another terminal">reply ▸</button>
@@ -1309,10 +1310,25 @@
       const themeObj = getThemeObject(themeId);
       entry.terminal.options.theme = themeObj;
 
-      // Persist to server
+      // Persist to server (writes to sessions.theme_override server-side)
       api('PATCH', `/api/sessions/${id}`, { theme: themeId });
     }
 
+    // v0.7.0: clear sessions.theme_override server-side and snap the panel back
+    // to whatever the resolver currently picks (project default → global default
+    // → tokyo-night). Server returns the resolved value in the PATCH response so
+    // the dropdown + xterm theme update without waiting for the 2s broadcast.
+    async function resetTheme(id) {
+      const entry = state.sessions.get(id);
+      if (!entry) return;
+      const updated = await api('PATCH', '/api/sessions/' + id, { theme: null });
+      const resolved = updated && updated.meta && updated.meta.theme;
+      if (!resolved) return;
+      entry.terminal.options.theme = getThemeObject(resolved);
+      const sel = document.getElementById('theme-' + id);
+      if (sel && sel.value !== resolved) sel.value = resolved;
+    }
+
     async function askAI(id, question) {
       if (!question.trim()) return;
       const entry = state.sessions.get(id);

package/packages/server/src/auth.js

@@ -1,4 +1,4 @@
-// Optional token authentication for TermDeck (Sprint 9 T3).
+// Optional token authentication for TermDeck (Sprint 9 T3, extended Sprint 32).
 //
 // When no token is configured, auth is a no-op — `createAuthMiddleware()` returns
 // null and callers skip wiring. When a token is configured (config.auth.token
@@ -9,8 +9,19 @@
 //   - termdeck_token=<token> cookie
 //
 // Browser requests without a valid token receive a minimal HTML login page that
-// stores the token in a cookie client-side and retries. API requests get a
-// JSON 401.
+// POSTs to /api/auth/login. The login handler validates the token and issues a
+// Set-Cookie header with HttpOnly + SameSite=Lax + Max-Age=2592000 (30 days),
+// and Secure when the request was over HTTPS (direct or via X-Forwarded-Proto).
+// API requests get a JSON 401.
+//
+// 30-day cookie trade-off (v0.7.0):
+// TermDeck is intended as a local dev tool. Brad's 2026-04-26 feedback ("is
+// there a way not to have to enter the token at each termdeck session?")
+// showed the per-browser-session re-prompt was a real adoption tax. The
+// compromise risk of a longer cookie is bounded by the local-only attack
+// surface (HttpOnly blocks JS exfiltration, SameSite=Lax blocks CSRF on
+// cross-site POSTs, Secure-when-HTTPS prevents plaintext sniffing on the
+// reverse-proxy path documented in docs/DEPLOYMENT.md). UX wins.
 
 function getConfiguredToken(config) {
   const fromConfig = config && config.auth && config.auth.token;
@@ -63,6 +74,51 @@ function extractToken(req) {
   return null;
 }
 
+// 30 days in seconds — see head-of-file trade-off note.
+const COOKIE_MAX_AGE_SECONDS = 2592000;
+
+// HTTPS detection for the Secure cookie flag. Express sets req.protocol from
+// the socket; behind a reverse proxy with `app.set('trust proxy', ...)` it
+// reads X-Forwarded-Proto. We also fall back to reading the header directly
+// so the helper is correct even when trust-proxy isn't enabled.
+function isSecureRequest(req) {
+  if (!req) return false;
+  if (req.protocol === 'https') return true;
+  const xfp = req.headers && req.headers['x-forwarded-proto'];
+  if (typeof xfp === 'string') {
+    const first = xfp.split(',')[0].trim().toLowerCase();
+    if (first === 'https') return true;
+  }
+  return false;
+}
+
+function buildAuthCookie(token, secure) {
+  const parts = [
+    `termdeck_token=${encodeURIComponent(token)}`,
+    'Path=/',
+    `Max-Age=${COOKIE_MAX_AGE_SECONDS}`,
+    'HttpOnly',
+    'SameSite=Lax',
+  ];
+  if (secure) parts.push('Secure');
+  return parts.join('; ');
+}
+
+function writeAuthCookie(req, res, token) {
+  res.setHeader('Set-Cookie', buildAuthCookie(token, isSecureRequest(req)));
+}
+
+function handleLogin(req, res, configuredToken) {
+  const provided =
+    (req.body && typeof req.body.token === 'string' && req.body.token.trim()) ||
+    extractToken(req);
+  if (!provided || provided !== configuredToken) {
+    return res.status(401).json({ error: 'unauthorized' });
+  }
+  writeAuthCookie(req, res, configuredToken);
+  return res.status(200).json({ ok: true });
+}
+
 function loginPage() {
   return `<!doctype html>
 <html lang="en">
@@ -104,12 +160,14 @@ function submitToken(e) {
   err.textContent = '';
   var t = document.getElementById('t').value.trim();
   if (!t) return false;
-  document.cookie = 'termdeck_token=' + encodeURIComponent(t) +
-    '; path=/; SameSite=Strict; Max-Age=2592000';
   var next = new URLSearchParams(location.search).get('next') || '/';
-  fetch('/api/config', { credentials: 'same-origin' }).then(function(r) {
+  fetch('/api/auth/login', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    credentials: 'same-origin',
+    body: JSON.stringify({ token: t })
+  }).then(function(r) {
     if (r.ok) { location.href = next; return; }
-    document.cookie = 'termdeck_token=; path=/; Max-Age=0';
     err.textContent = 'Invalid token.';
   }).catch(function() {
     err.textContent = 'Network error.';
@@ -130,6 +188,13 @@ function createAuthMiddleware(config) {
     // without being handed a secret.
     if (req.path === '/api/health') return next();
 
+    // The login endpoint validates credentials and issues the cookie itself —
+    // it must run before the token-required check below or browsers could
+    // never reach it.
+    if (req.method === 'POST' && req.path === '/api/auth/login') {
+      return handleLogin(req, res, token);
+    }
+
     const provided = extractToken(req);
     if (provided && provided === token) return next();
 
@@ -168,5 +233,11 @@ module.exports = {
   verifyWebSocketUpgrade,
   getConfiguredToken,
   hasAuth,
-  loginPage
+  loginPage,
+  // Exposed for tests + future reuse by other server modules.
+  buildAuthCookie,
+  isSecureRequest,
+  writeAuthCookie,
+  handleLogin,
+  COOKIE_MAX_AGE_SECONDS,
 };

package/packages/server/src/database.js

@@ -27,7 +27,8 @@ function initDatabase(Database) {
       exited_at TEXT,
       exit_code INTEGER,
       reason TEXT,
-      theme TEXT DEFAULT 'tokyo-night'
+      theme TEXT DEFAULT 'tokyo-night',
+      theme_override TEXT
     );
 
     CREATE TABLE IF NOT EXISTS command_history (
@@ -54,7 +55,6 @@ function initDatabase(Database) {
     CREATE TABLE IF NOT EXISTS projects (
       name TEXT PRIMARY KEY,
       path TEXT NOT NULL,
-      default_theme TEXT DEFAULT 'tokyo-night',
       default_command TEXT DEFAULT 'bash',
       rag_namespace TEXT,
       created_at TEXT NOT NULL
@@ -79,6 +79,42 @@ function initDatabase(Database) {
     console.warn('[db] command_history.source migration failed:', err.message);
   }
 
+  // Migration (v0.7.0): add sessions.theme_override and backfill from theme.
+  // The backfill runs exactly once — only when the column is being added — so
+  // post-migration sessions created with theme_override=NULL stay un-overridden
+  // and pick up config.yaml changes via the theme-resolver. Pre-v0.7.0 rows
+  // had `theme` written by the dropdown PATCH, so treating them as user-set is
+  // the correct preservation of customizations.
+  // (SQLite has no `ADD COLUMN IF NOT EXISTS`, so we PRAGMA-check first — same
+  // pattern as the command_history.source migration above.)
+  try {
+    const cols = db.prepare(`PRAGMA table_info(sessions)`).all();
+    const hasOverride = cols.some((c) => c.name === 'theme_override');
+    if (!hasOverride) {
+      db.exec(`ALTER TABLE sessions ADD COLUMN theme_override TEXT`);
+      const updated = db.prepare(`UPDATE sessions SET theme_override = theme WHERE theme IS NOT NULL`).run();
+      console.log(`[db] Migrated sessions: added 'theme_override' column, backfilled ${updated.changes} row(s) from theme`);
+    }
+  } catch (err) {
+    console.warn('[db] sessions.theme_override migration failed:', err.message);
+  }
+
+  // Migration (v0.7.0): drop the dead projects.default_theme column. It was
+  // CREATE'd in early v0.1 but was never read or written by any code path
+  // (see Sprint 32 T1 grep). Removing it eliminates a latent contract-drift
+  // trap. SQLite supports DROP COLUMN since 3.35 (well below better-sqlite3's
+  // bundled version). No `IF EXISTS` in SQLite, so PRAGMA-check first.
+  try {
+    const cols = db.prepare(`PRAGMA table_info(projects)`).all();
+    const hasDefaultTheme = cols.some((c) => c.name === 'default_theme');
+    if (hasDefaultTheme) {
+      db.exec(`ALTER TABLE projects DROP COLUMN default_theme`);
+      console.log("[db] Migrated projects: dropped dead 'default_theme' column");
+    }
+  } catch (err) {
+    console.warn('[db] projects.default_theme drop migration failed:', err.message);
+  }
+
   return db;
 }