@oh-my-pi/pi-coding-agent 15.11.8 → 15.12.0

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-coding-agent",
-	"version": "15.11.8",
+	"version": "15.12.0",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -40,25 +40,24 @@
 		"fmt": "biome format --write . && bun run format-prompts",
 		"format-prompts": "bun scripts/format-prompts.ts",
 		"generate-docs-index": "bun scripts/generate-docs-index.ts",
-		"prepack": "bun scripts/generate-docs-index.ts && bun scripts/bundle-dist.ts",
-		"generate-template": "bun scripts/generate-template.ts",
+		"prepack": "bun scripts/generate-docs-index.ts && bun --cwd=../collab-web run build:tool-views && bun scripts/bundle-dist.ts",
 		"bench:guard": "bun scripts/bench-guard.ts"
 	},
 	"dependencies": {
 		"@agentclientprotocol/sdk": "0.22.1",
 		"@babel/parser": "^7.29.7",
 		"@mozilla/readability": "^0.6.0",
-		"@oh-my-pi/hashline": "15.11.8",
-		"@oh-my-pi/omp-stats": "15.11.8",
-		"@oh-my-pi/pi-agent-core": "15.11.8",
-		"@oh-my-pi/pi-ai": "15.11.8",
-		"@oh-my-pi/pi-catalog": "15.11.8",
-		"@oh-my-pi/pi-mnemopi": "15.11.8",
-		"@oh-my-pi/pi-natives": "15.11.8",
-		"@oh-my-pi/pi-tui": "15.11.8",
-		"@oh-my-pi/pi-utils": "15.11.8",
-		"@oh-my-pi/pi-wire": "15.11.8",
-		"@oh-my-pi/snapcompact": "15.11.8",
+		"@oh-my-pi/hashline": "15.12.0",
+		"@oh-my-pi/omp-stats": "15.12.0",
+		"@oh-my-pi/pi-agent-core": "15.12.0",
+		"@oh-my-pi/pi-ai": "15.12.0",
+		"@oh-my-pi/pi-catalog": "15.12.0",
+		"@oh-my-pi/pi-mnemopi": "15.12.0",
+		"@oh-my-pi/pi-natives": "15.12.0",
+		"@oh-my-pi/pi-tui": "15.12.0",
+		"@oh-my-pi/pi-utils": "15.12.0",
+		"@oh-my-pi/pi-wire": "15.12.0",
+		"@oh-my-pi/snapcompact": "15.12.0",
 		"@opentelemetry/api": "^1.9.1",
 		"@opentelemetry/context-async-hooks": "^2.7.1",
 		"@opentelemetry/exporter-trace-otlp-proto": "^0.218.0",

package/scripts/build-binary.ts

@@ -59,6 +59,10 @@ async function main(): Promise<void> {
 					`process.env.PI_TINY_TRANSFORMERS_VERSION=${JSON.stringify(transformersVersion)}`,
 					"--external",
 					"mupdf",
+					"--external",
+					"fastembed",
+					"--external",
+					"onnxruntime-node",
 					"--root",
 					".",
 					"./packages/coding-agent/src/cli.ts",

package/scripts/bundle-dist.ts

@@ -72,6 +72,10 @@ async function main(): Promise<void> {
 			"@oh-my-pi/pi-natives",
 			"--external",
 			"@huggingface/transformers",
+			"--external",
+			"fastembed",
+			"--external",
+			"onnxruntime-node",
 			"--define",
 			'process.env.PI_BUNDLED="true"',
 			"./src/cli.ts",

package/scripts/generate-share-viewer.ts

@@ -0,0 +1,34 @@
+#!/usr/bin/env bun
+/**
+ * Build the standalone share-viewer page the omp relay serves at `GET /s/<id>`.
+ *
+ * Same template as HTML exports, but with no embedded session: share-loader.js
+ * (injected right after the empty #session-data tag) fetches the sealed blob
+ * (gist or relay store), decrypts it with the `#<key>` fragment in-browser, and
+ * hands the JSON to template.js via `window.__OMP_SESSION_DATA__`.
+ *
+ * The relay repo's build script runs this and embeds the output via go:embed.
+ */
+import * as path from "node:path";
+import { generateThemeVars, getTemplate } from "../src/export/html";
+
+const outPath = process.argv[2];
+if (!outPath) {
+	console.error("usage: bun scripts/generate-share-viewer.ts <output.html>");
+	process.exit(2);
+}
+
+const loaderJs = await Bun.file(new URL("../src/export/html/share-loader.js", import.meta.url).pathname).text();
+// Pin a built-in theme: the viewer is a public artifact, not a per-user export.
+const themeVars = await generateThemeVars("dark");
+
+const html = getTemplate()
+	.replace("<theme-vars/>", () => `<style>:root { ${themeVars} }</style>`)
+	.replace("<title>Session Export</title>", () => "<title>omp session</title>")
+	.replace("{{SESSION_DATA}}</script>", () => `</script>\n  <script>${loaderJs}</script>`);
+
+if (html.includes("{{SESSION_DATA}}")) throw new Error("session-data placeholder survived substitution");
+if (!html.includes("__OMP_SESSION_DATA__")) throw new Error("share loader not injected");
+
+await Bun.write(outPath, html);
+console.log(`Generated ${path.resolve(outPath)} (${(html.length / 1024).toFixed(0)} KB)`);

package/src/collab/crypto.ts

@@ -4,23 +4,29 @@
  * The room key lives only in the link fragment; the relay sees opaque bytes.
  * Sealed layout: `[12B IV][ciphertext+tag]`.
  */
+import { ROOM_KEY_BYTES, WRITE_TOKEN_BYTES } from "@oh-my-pi/pi-wire";
 import type { CollabFrame } from "./protocol";
 
 const AES_ALGORITHM = "AES-GCM";
 const IV_LENGTH = 12;
-const KEY_LENGTH = 32;
 const TEXT_ENCODER = new TextEncoder();
 const TEXT_DECODER = new TextDecoder();
 
 export function generateRoomKey(): Uint8Array {
-	const key = new Uint8Array(KEY_LENGTH);
+	const key = new Uint8Array(ROOM_KEY_BYTES);
 	crypto.getRandomValues(key);
 	return key;
 }
 
+export function generateWriteToken(): Uint8Array {
+	const token = new Uint8Array(WRITE_TOKEN_BYTES);
+	crypto.getRandomValues(token);
+	return token;
+}
+
 export function importRoomKey(raw: Uint8Array): Promise<CryptoKey> {
-	if (raw.byteLength !== KEY_LENGTH) {
-		throw new Error(`Room key must be ${KEY_LENGTH} bytes, got ${raw.byteLength}`);
+	if (raw.byteLength !== ROOM_KEY_BYTES) {
+		throw new Error(`Room key must be ${ROOM_KEY_BYTES} bytes, got ${raw.byteLength}`);
 	}
 	return crypto.subtle.importKey("raw", asStrict(raw), AES_ALGORITHM, false, ["encrypt", "decrypt"]);
 }

package/src/collab/guest.ts

@@ -62,6 +62,10 @@ export class CollabGuestLink {
 	#applyChain: Promise<void> = Promise.resolve();
 	#welcomed = false;
 	#left = false;
+	/** base64url write token from a full link; absent when joined via a view link. */
+	#writeToken: string | undefined;
+	/** True when the host marked this peer read-only (view link). */
+	#readOnly = false;
 	/** False until the first assistant message_start (real or synthesized) since (re)sync. */
 	#assistantStreamSynced = false;
 	state: CollabSessionState | null = null;
@@ -73,12 +77,15 @@ export class CollabGuestLink {
 	#nextReqId = 1;
 	readonly #hubRemote: AgentHubRemote = {
 		chat: (id, text) => {
+			if (this.#rejectReadOnly()) return;
 			this.#socket?.send({ t: "agent-cmd", cmd: "chat", agentId: id, text });
 		},
 		kill: id => {
+			if (this.#rejectReadOnly()) return;
 			this.#socket?.send({ t: "agent-cmd", cmd: "kill", agentId: id });
 		},
 		revive: id => {
+			if (this.#rejectReadOnly()) return;
 			this.#socket?.send({ t: "agent-cmd", cmd: "revive", agentId: id });
 		},
 		readTranscript: (id, fromByte) => {
@@ -106,6 +113,18 @@ export class CollabGuestLink {
 		return this.#hubRemote;
 	}
 
+	/** True when this guest joined through a read-only (view) link. */
+	get readOnly(): boolean {
+		return this.#readOnly;
+	}
+
+	/** Shows the read-only status hint when applicable; true when the action must be dropped. */
+	#rejectReadOnly(): boolean {
+		if (!this.#readOnly) return false;
+		this.#ctx.showStatus("This collab link is read-only");
+		return true;
+	}
+
 	constructor(ctx: InteractiveModeContext) {
 		this.#ctx = ctx;
 	}
@@ -114,6 +133,7 @@ export class CollabGuestLink {
 		const parsed = parseCollabLink(link);
 		if ("error" in parsed) throw new Error(parsed.error);
 		this.#roomId = parsed.roomId;
+		this.#writeToken = parsed.writeToken ? Buffer.from(parsed.writeToken).toString("base64url") : undefined;
 		const key = await importRoomKey(parsed.key);
 
 		this.#returnSessionFile = this.#ctx.sessionManager.getSessionFile() ?? null;
@@ -128,7 +148,12 @@ export class CollabGuestLink {
 			// (Re)connect: re-introduce ourselves; the host answers with a fresh
 			// welcome which (re)syncs the replica.
 			this.#welcomed = false;
-			socket.send({ t: "hello", proto: COLLAB_PROTO, name: collabDisplayName(this.#ctx) });
+			socket.send({
+				t: "hello",
+				proto: COLLAB_PROTO,
+				name: collabDisplayName(this.#ctx),
+				writeToken: this.#writeToken,
+			});
 		};
 		socket.onFrame = frame => {
 			this.#applyChain = this.#applyChain
@@ -188,10 +213,12 @@ export class CollabGuestLink {
 	}
 
 	sendPrompt(text: string, images?: ImageContent[]): void {
+		if (this.#rejectReadOnly()) return;
 		this.#socket?.send({ t: "prompt", text, images: images && images.length > 0 ? images : undefined });
 	}
 
 	sendAbort(): void {
+		if (this.#rejectReadOnly()) return;
 		this.#socket?.send({ t: "abort" });
 	}
 
@@ -218,8 +245,10 @@ export class CollabGuestLink {
 		this.#ctx.renderInitialMessages({ clearTerminalHistory: true });
 		await this.#ctx.reloadTodos();
 		this.#updateStatusSegment();
+		this.#readOnly = frame.readOnly === true;
 		this.#welcomed = true;
-		this.#ctx.showStatus(isResync ? "Reconnected to collab session" : "Joined collab session");
+		const suffix = this.#readOnly ? " (read-only)" : "";
+		this.#ctx.showStatus(isResync ? `Reconnected to collab session${suffix}` : `Joined collab session${suffix}`);
 	}
 
 	#applyFrame(frame: CollabFrame): void {

package/src/collab/host.ts

@@ -8,6 +8,8 @@
  * agent-registry snapshots (Agent Hub table), hub chat/kill/revive commands,
  * and incremental subagent-transcript reads.
  */
+
+import { timingSafeEqual } from "node:crypto";
 import * as fs from "node:fs/promises";
 import * as os from "node:os";
 import type { ImageContent, TextContent } from "@oh-my-pi/pi-ai";
@@ -20,7 +22,7 @@ import type { AgentSessionEvent } from "../session/agent-session";
 import { stripImagesFromMessage, USER_INTERRUPT_LABEL } from "../session/messages";
 import type { SessionEntry as StoredSessionEntry } from "../session/session-manager";
 import { TASK_SUBAGENT_LIFECYCLE_CHANNEL, TASK_SUBAGENT_PROGRESS_CHANNEL } from "../task";
-import { generateRoomKey, importRoomKey } from "./crypto";
+import { generateRoomKey, generateWriteToken, importRoomKey } from "./crypto";
 import {
 	type AgentSnapshot,
 	COLLAB_PROMPT_MESSAGE_TYPE,
@@ -29,6 +31,7 @@ import {
 	type CollabParticipant,
 	type CollabSessionState,
 	formatCollabLink,
+	formatCollabWebLink,
 	generateRoomId,
 	parseCollabLink,
 } from "./protocol";
@@ -106,9 +109,13 @@ export class CollabHost {
 	#ctx: InteractiveModeContext;
 	#socket: CollabSocket | null = null;
 	#link = "";
+	#webLink = "";
+	#viewLink = "";
+	#webViewLink = "";
+	#writeToken: Uint8Array | null = null;
 	#sessionId = "";
 	#unsubscribe?: () => void;
-	#peers = new Map<number, string>();
+	#peers = new Map<number, { name: string; canWrite: boolean }>();
 	#lastStateJson = "";
 	#stateDebounce: Timer | null = null;
 	#streamingInterval: Timer | null = null;
@@ -125,16 +132,38 @@ export class CollabHost {
 		return this.#link;
 	}
 
+	/** Browser deep link (`https://<relay>/#<link>`) — the relay serves the web client at `/`. */
+	get webLink(): string {
+		return this.#webLink;
+	}
+
+	/** Read-only variant of {@link link}: bare room key, no write token. */
+	get viewLink(): string {
+		return this.#viewLink;
+	}
+
+	/** Read-only variant of {@link webLink}. */
+	get webViewLink(): string {
+		return this.#webViewLink;
+	}
+
 	get participants(): CollabParticipant[] {
 		const list: CollabParticipant[] = [{ name: collabDisplayName(this.#ctx), role: "host" }];
-		for (const name of this.#peers.values()) list.push({ name, role: "guest" });
+		for (const peer of this.#peers.values()) {
+			list.push({ name: peer.name, role: "guest", readOnly: peer.canWrite ? undefined : true });
+		}
 		return list;
 	}
 
 	async start(relayUrl: string): Promise<void> {
 		const rawKey = generateRoomKey();
+		const writeToken = generateWriteToken();
 		const roomId = generateRoomId();
-		this.#link = formatCollabLink(relayUrl, roomId, rawKey);
+		this.#writeToken = writeToken;
+		this.#link = formatCollabLink(relayUrl, roomId, rawKey, writeToken);
+		this.#webLink = formatCollabWebLink(relayUrl, roomId, rawKey, writeToken);
+		this.#viewLink = formatCollabLink(relayUrl, roomId, rawKey);
+		this.#webViewLink = formatCollabWebLink(relayUrl, roomId, rawKey);
 		const parsed = parseCollabLink(this.#link);
 		if ("error" in parsed) throw new Error(parsed.error);
 		const key = await importRoomKey(rawKey);
@@ -249,7 +278,7 @@ export class CollabHost {
 	#handleFrame(frame: CollabFrame, fromPeer: number): void {
 		switch (frame.t) {
 			case "hello":
-				this.#handleHello(frame.name, frame.proto, fromPeer);
+				this.#handleHello(frame.name, frame.proto, frame.writeToken, fromPeer);
 				break;
 			case "prompt":
 				this.#handlePrompt(frame.text, frame.images, fromPeer);
@@ -268,7 +297,20 @@ export class CollabHost {
 		}
 	}
 
-	#handleHello(name: string, proto: number, fromPeer: number): void {
+	/** Timing-safe write-token check; peers without a valid token are read-only. */
+	#verifyWriteToken(token: string | undefined): boolean {
+		const expected = this.#writeToken;
+		if (!expected || !token) return false;
+		const bytes = Buffer.from(token, "base64url");
+		return bytes.byteLength === expected.byteLength && timingSafeEqual(bytes, expected);
+	}
+
+	/** Reject a mutating frame from a read-only peer with a targeted error. */
+	#rejectReadOnly(action: string, fromPeer: number): void {
+		this.#socket?.send({ t: "error", message: `${action} is disabled on a read-only link` }, fromPeer);
+	}
+
+	#handleHello(name: string, proto: number, writeToken: string | undefined, fromPeer: number): void {
 		if (proto !== COLLAB_PROTO) {
 			this.#socket?.send(
 				{ t: "error", message: `protocol mismatch: host speaks v${COLLAB_PROTO}, guest sent v${proto}` },
@@ -277,7 +319,8 @@ export class CollabHost {
 			return;
 		}
 		const cleanName = name.trim().slice(0, 64) || `guest-${fromPeer}`;
-		this.#peers.set(fromPeer, cleanName);
+		const canWrite = this.#verifyWriteToken(writeToken);
+		this.#peers.set(fromPeer, { name: cleanName, canWrite });
 
 		// Snapshot and send synchronously: no awaits between snapshot and send, so
 		// later entries/events queue behind the welcome on the same socket and the
@@ -299,16 +342,26 @@ export class CollabHost {
 				entries,
 				state: this.#buildState(),
 				agents: this.#snapshotAgents(),
+				readOnly: canWrite ? undefined : true,
 			},
 			fromPeer,
 		);
-		this.#ctx.session.emitNotice("info", `${cleanName} joined the collab session`, "collab");
+		this.#ctx.session.emitNotice(
+			"info",
+			`${cleanName} joined the collab session${canWrite ? "" : " (read-only)"}`,
+			"collab",
+		);
 		this.#updateStatusSegment();
 		this.#scheduleStateBroadcast();
 	}
 
 	#handlePrompt(text: string, images: ImageContent[] | undefined, fromPeer: number): void {
-		const name = this.#peers.get(fromPeer) ?? `guest-${fromPeer}`;
+		const peer = this.#peers.get(fromPeer);
+		if (!peer?.canWrite) {
+			this.#rejectReadOnly("prompting", fromPeer);
+			return;
+		}
+		const name = peer.name;
 		const content: string | (TextContent | ImageContent)[] =
 			images && images.length > 0 ? [{ type: "text", text }, ...images] : text;
 		this.#ctx.session
@@ -329,7 +382,12 @@ export class CollabHost {
 	}
 
 	#handleAbort(fromPeer: number): void {
-		const name = this.#peers.get(fromPeer) ?? `guest-${fromPeer}`;
+		const peer = this.#peers.get(fromPeer);
+		if (!peer?.canWrite) {
+			this.#rejectReadOnly("interrupting", fromPeer);
+			return;
+		}
+		const name = peer.name;
 		void this.#ctx.session
 			.abort()
 			.then(() => this.#ctx.session.emitNotice("info", `${name} interrupted`, "collab"))
@@ -337,7 +395,7 @@ export class CollabHost {
 	}
 
 	#handlePeerLeft(peer: number): void {
-		const name = this.#peers.get(peer);
+		const name = this.#peers.get(peer)?.name;
 		this.#peers.delete(peer);
 		if (name) this.#ctx.session.emitNotice("info", `${name} left the collab session`, "collab");
 		this.#updateStatusSegment();
@@ -401,6 +459,10 @@ export class CollabHost {
 	}
 
 	#handleAgentCmd(cmd: "chat" | "kill" | "revive", agentId: string, text: string | undefined, fromPeer: number): void {
+		if (!this.#peers.get(fromPeer)?.canWrite) {
+			this.#rejectReadOnly("agent control", fromPeer);
+			return;
+		}
 		const fail = (err: unknown) => {
 			logger.warn("collab agent-cmd failed", { cmd, agentId, error: String(err) });
 			this.#socket?.send({ t: "error", message: `agent ${agentId}: ${String(err)}` }, fromPeer);

package/src/collab/protocol.ts

@@ -16,7 +16,13 @@ import type {
 	SessionState,
 	AgentSnapshot as WireAgentSnapshot,
 } from "@oh-my-pi/pi-wire";
-import { DEFAULT_RELAY_URL, ENVELOPE_HEADER_LENGTH, ROOM_ID_BYTES } from "@oh-my-pi/pi-wire";
+import {
+	DEFAULT_RELAY_URL,
+	ENVELOPE_HEADER_LENGTH,
+	ROOM_ID_BYTES,
+	ROOM_KEY_BYTES,
+	WRITE_TOKEN_BYTES,
+} from "@oh-my-pi/pi-wire";
 import type { ContextUsage } from "../extensibility/extensions/types";
 import type { AgentSessionEvent } from "../session/agent-session";
 import type { SessionEntry, SessionHeader } from "../session/session-manager";
@@ -62,6 +68,8 @@ export type CollabFrame =
 			entries: SessionEntry[];
 			state: CollabSessionState;
 			agents: AgentSnapshot[];
+			/** True when this peer joined through a read-only (view) link. */
+			readOnly?: boolean;
 	  }
 	| { t: "entry"; entry: SessionEntry }
 	| { t: "event"; event: AgentSessionEvent }
@@ -147,11 +155,16 @@ function normalizeRelayOrigin(relayUrl: string): { origin: string } | { error: s
  * `<roomId>#<key>`, other wss relays drop the scheme (`host[:port]/r/…`);
  * only localhost ws:// links keep their full URL so parsing cannot
  * mis-infer wss.
+ *
+ * Full links append the write token to the key in the fragment
+ * (`base64url(key ∥ writeToken)`); read-only (view) links carry the bare
+ * 32-byte key, which is also the pre-token link format.
  */
-export function formatCollabLink(relayUrl: string, roomId: string, key: Uint8Array): string {
+export function formatCollabLink(relayUrl: string, roomId: string, key: Uint8Array, writeToken?: Uint8Array): string {
 	const normalized = normalizeRelayOrigin(relayUrl);
 	if ("error" in normalized) throw new Error(normalized.error);
-	const keyText = Buffer.from(key).toString("base64url");
+	const secret = writeToken ? Buffer.concat([key, writeToken]) : Buffer.from(key);
+	const keyText = secret.toString("base64url");
 	if (normalized.origin === DEFAULT_RELAY_URL) return `${roomId}#${keyText}`;
 	const compact = normalized.origin.startsWith("wss://")
 		? normalized.origin.slice("wss://".length)
@@ -159,6 +172,26 @@ export function formatCollabLink(relayUrl: string, roomId: string, key: Uint8Arr
 	return `${compact}/r/${roomId}#${keyText}`;
 }
 
+/**
+ * Render the browser deep link: `http(s)://<relay-host>/#<collab-link>`. The
+ * relay serves the web client at `/`, and the whole collab link (including the
+ * room key) rides in the fragment, so it never appears in any HTTP request.
+ * Terminals auto-link the https form, making it click-to-join.
+ */
+export function formatCollabWebLink(
+	relayUrl: string,
+	roomId: string,
+	key: Uint8Array,
+	writeToken?: Uint8Array,
+): string {
+	const normalized = normalizeRelayOrigin(relayUrl);
+	if ("error" in normalized) throw new Error(normalized.error);
+	const httpOrigin = normalized.origin.startsWith("wss://")
+		? `https://${normalized.origin.slice("wss://".length)}`
+		: `http://${normalized.origin.slice("ws://".length)}`;
+	return `${httpOrigin}/#${formatCollabLink(relayUrl, roomId, key, writeToken)}`;
+}
+
 export function parseCollabLink(link: string): ParsedCollabLink | { error: string } {
 	let text = link.trim();
 	// Bare `<roomId>#<key>` → default relay.
@@ -176,6 +209,12 @@ export function parseCollabLink(link: string): ParsedCollabLink | { error: strin
 	if ("error" in normalized) return normalized;
 	const match = ROOM_PATH_RE.exec(url.pathname);
 	if (!match) {
+		// Web deep link: `http(s)://<relay>/#<collab-link>` — the fragment holds
+		// the whole link (which itself contains another `#`). URL.hash spans to
+		// the end of the string, so recurse on it; the inner fragment is just
+		// the key (no `#`), which bounds the recursion.
+		const inner = url.hash.startsWith("#") ? url.hash.slice(1) : url.hash;
+		if (inner.includes("#")) return parseCollabLink(inner);
 		return { error: "Collab link must contain a /r/<roomId> path" };
 	}
 	const roomId = match[1]!;
@@ -183,9 +222,11 @@ export function parseCollabLink(link: string): ParsedCollabLink | { error: strin
 	if (!fragment) {
 		return { error: "Collab link is missing the #<key> fragment" };
 	}
-	const key = B64URL_RE.test(fragment) ? new Uint8Array(Buffer.from(fragment, "base64url")) : null;
-	if (key?.byteLength !== 32) {
-		return { error: "Collab link key must be 32 base64url bytes" };
+	const secret = B64URL_RE.test(fragment) ? new Uint8Array(Buffer.from(fragment, "base64url")) : null;
+	if (!secret || (secret.byteLength !== ROOM_KEY_BYTES && secret.byteLength !== ROOM_KEY_BYTES + WRITE_TOKEN_BYTES)) {
+		return { error: "Collab link key must be 32 (view) or 48 (full) base64url bytes" };
 	}
-	return { wsUrl: `${normalized.origin}/r/${roomId}`, roomId, key };
+	const key = secret.subarray(0, ROOM_KEY_BYTES);
+	const writeToken = secret.byteLength > ROOM_KEY_BYTES ? secret.subarray(ROOM_KEY_BYTES) : undefined;
+	return { wsUrl: `${normalized.origin}/r/${roomId}`, roomId, key, writeToken };
 }

package/src/commands/join.ts

@@ -17,7 +17,7 @@ export default class Join extends Command {
 		}),
 	};
 
-	static examples = [`${APP_NAME} join wss://relay.omp.sh/s/abc123#key`];
+	static examples = [`${APP_NAME} join "relay.example.sh/abc123#key"`];
 
 	async run(): Promise<void> {
 		const { args } = await this.parse(Join);

package/src/config/settings-schema.ts

@@ -1,4 +1,5 @@
 import { THINKING_EFFORTS } from "@oh-my-pi/pi-ai";
+import { DEFAULT_SHARE_URL } from "@oh-my-pi/pi-wire";
 import { SHAPE_VARIANT_NAMES } from "@oh-my-pi/snapcompact";
 import { DEFAULT_RELAY_URL } from "../collab/protocol";
 import { AUTO_THINKING, getConfiguredThinkingLevelMetadata, getThinkingLevelMetadata } from "../thinking";
@@ -1353,6 +1354,29 @@ export const SETTINGS_SCHEMA = {
 		},
 	},
 
+	"share.serverUrl": {
+		type: "string",
+		default: DEFAULT_SHARE_URL,
+		ui: {
+			tab: "interaction",
+			group: "Collab",
+			label: "Share Server",
+			description:
+				"Share viewer/upload base used by /share (encrypted blob upload + viewer; links are <base>/<id>#<key>)",
+		},
+	},
+
+	"share.redactSecrets": {
+		type: "boolean",
+		default: true,
+		ui: {
+			tab: "interaction",
+			group: "Collab",
+			label: "Share Secret Redaction",
+			description: "Run the secret obfuscator over /share snapshots before upload (uses the secrets.* config)",
+		},
+	},
+
 	// Speech-to-text
 	"stt.enabled": {
 		type: "boolean",
@@ -3751,14 +3775,24 @@ export const SETTINGS_SCHEMA = {
 	},
 	// Codex saved rate-limit resets (auto-redeem)
 	"codexResets.autoRedeem": {
-		type: "boolean",
-		default: false,
+		type: "enum",
+		values: ["unset", "yes", "no"] as const,
+		default: "unset" as const,
 		ui: {
 			tab: "providers",
 			group: "Services",
 			label: "Codex Auto-Redeem Saved Resets",
 			description:
-				"When a turn is blocked by the Codex weekly limit on the active account and no other account is available, automatically spend one saved rate-limit reset (ChatGPT 'save rate limit resets'). Conservative: never fires for 5-hour-only or Spark limits, near a natural reset, or twice for the same block. Requires retries enabled.",
+				"When a turn is blocked by the Codex weekly limit on the active account and no other account is available, run the conservative saved-reset check. unset asks before spending the first eligible reset, yes spends eligible resets without prompting, and no disables the check entirely. Requires retries enabled.",
+			options: [
+				{
+					value: "unset",
+					label: "Unset",
+					description: "Check eligibility, then ask before spending the first saved reset.",
+				},
+				{ value: "yes", label: "Yes", description: "Spend eligible saved resets without prompting." },
+				{ value: "no", label: "No", description: "Do not run the saved-reset auto-redeem check." },
+			],
 		},
 	},
 	"codexResets.minBlockedMinutes": {
@@ -4170,8 +4204,10 @@ export interface ShellMinimizerSettings {
 	sourceOutlineLevel: "default" | "aggressive";
 	legacyFilters: boolean | undefined;
 }
+export type CodexAutoRedeemMode = "unset" | "yes" | "no";
+
 export interface CodexResetsSettings {
-	autoRedeem: boolean;
+	autoRedeem: CodexAutoRedeemMode;
 	minBlockedMinutes: number;
 	keepCredits: number;
 }

package/src/config/settings.ts

@@ -834,6 +834,18 @@ export class Settings {
 		}
 		delete raw["providers.parallelFetch"];
 
+		// codexResets.autoRedeem: boolean -> tri-state enum.
+		// Existing explicit false keeps the old "do not run" behavior; missing
+		// config now falls through to the new "unset" default, which asks before
+		// the first eligible spend.
+		const codexResetsObj = raw.codexResets as Record<string, unknown> | undefined;
+		if (codexResetsObj && typeof codexResetsObj.autoRedeem === "boolean") {
+			codexResetsObj.autoRedeem = codexResetsObj.autoRedeem ? "yes" : "no";
+		}
+		if (typeof raw["codexResets.autoRedeem"] === "boolean") {
+			raw["codexResets.autoRedeem"] = raw["codexResets.autoRedeem"] ? "yes" : "no";
+		}
+
 		// Map legacy `memories.enabled` boolean to the explicit `memory.backend`
 		// enum if the latter hasn't been set yet. Idempotent: subsequent
 		// migrations are no-ops once memory.backend is materialised.

package/src/export/custom-share.ts

@@ -17,7 +17,7 @@ export interface CustomShareResult {
 
 export type CustomShareFn = (htmlPath: string) => Promise<CustomShareResult | string | undefined>;
 
-interface LoadedCustomShare {
+export interface LoadedCustomShare {
 	path: string;
 	fn: CustomShareFn;
 }