@seedvault/server 0.1.4 → 0.2.0

package/dist/server.js

@@ -1,12 +1,12 @@
 // @bun
 // src/index.ts
-import { join as join2 } from "path";
+import { join } from "path";
 import { homedir } from "os";
-import { mkdir as mkdir2 } from "fs/promises";
+import { mkdir } from "fs/promises";
 
 // src/db.ts
 import { Database } from "bun:sqlite";
-import { randomUUID } from "crypto";
+import { randomBytes, randomUUID } from "crypto";
 var db;
 function getDb() {
   if (!db)
@@ -20,7 +20,7 @@ function initDb(dbPath) {
   db.exec(`
     CREATE TABLE IF NOT EXISTS contributors (
       username TEXT PRIMARY KEY,
-      is_operator BOOLEAN NOT NULL DEFAULT FALSE,
+      is_admin BOOLEAN NOT NULL DEFAULT FALSE,
       created_at TEXT NOT NULL
     );
 
@@ -41,17 +41,52 @@ function initDb(dbPath) {
       used_by TEXT REFERENCES contributors(username)
     );
 
-    CREATE TABLE IF NOT EXISTS files (
+    CREATE TABLE IF NOT EXISTS items (
       contributor TEXT NOT NULL,
       path TEXT NOT NULL,
-      origin_ctime TEXT NOT NULL,
-      origin_mtime TEXT NOT NULL,
-      server_created_at TEXT NOT NULL,
-      server_modified_at TEXT NOT NULL,
+      content TEXT NOT NULL,
+      created_at TEXT NOT NULL,
+      modified_at TEXT NOT NULL,
       PRIMARY KEY (contributor, path),
       FOREIGN KEY (contributor) REFERENCES contributors(username)
     );
+
+    CREATE TABLE IF NOT EXISTS activity (
+      id TEXT PRIMARY KEY,
+      contributor TEXT NOT NULL REFERENCES contributors(username),
+      action TEXT NOT NULL,
+      detail TEXT,
+      created_at TEXT NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_activity_contributor ON activity(contributor);
+    CREATE INDEX IF NOT EXISTS idx_activity_created_at ON activity(created_at);
+    CREATE INDEX IF NOT EXISTS idx_activity_action ON activity(action);
   `);
+  const hasFts = db.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='items_fts'").get();
+  if (!hasFts) {
+    db.exec(`
+      CREATE VIRTUAL TABLE items_fts USING fts5(
+        path, content, content=items, content_rowid=rowid
+      );
+
+      CREATE TRIGGER items_ai AFTER INSERT ON items BEGIN
+        INSERT INTO items_fts(rowid, path, content)
+        VALUES (new.rowid, new.path, new.content);
+      END;
+
+      CREATE TRIGGER items_ad AFTER DELETE ON items BEGIN
+        INSERT INTO items_fts(items_fts, rowid, path, content)
+        VALUES ('delete', old.rowid, old.path, old.content);
+      END;
+
+      CREATE TRIGGER items_au AFTER UPDATE ON items BEGIN
+        INSERT INTO items_fts(items_fts, rowid, path, content)
+        VALUES ('delete', old.rowid, old.path, old.content);
+        INSERT INTO items_fts(rowid, path, content)
+        VALUES (new.rowid, new.path, new.content);
+      END;
+    `);
+  }
   return db;
 }
 function validateUsername(username) {
@@ -66,20 +101,58 @@ function validateUsername(username) {
   }
   return null;
 }
-function createContributor(username, isOperator) {
+function validatePath(filePath) {
+  if (!filePath || filePath.length === 0) {
+    return "Path cannot be empty";
+  }
+  if (filePath.startsWith("/")) {
+    return "Path cannot start with /";
+  }
+  if (filePath.includes("\\")) {
+    return "Path cannot contain backslashes";
+  }
+  if (filePath.includes("//")) {
+    return "Path cannot contain double slashes";
+  }
+  if (!filePath.endsWith(".md")) {
+    return "Path must end in .md";
+  }
+  const segments = filePath.split("/");
+  for (const seg of segments) {
+    if (seg === "." || seg === "..") {
+      return "Path cannot contain . or .. segments";
+    }
+    if (seg.length === 0) {
+      return "Path cannot contain empty segments";
+    }
+  }
+  return null;
+}
+function createContributor(username, isAdmin) {
   const now = new Date().toISOString();
-  getDb().prepare("INSERT INTO contributors (username, is_operator, created_at) VALUES (?, ?, ?)").run(username, isOperator ? 1 : 0, now);
-  return { username, is_operator: isOperator, created_at: now };
+  getDb().prepare("INSERT INTO contributors (username, is_admin, created_at) VALUES (?, ?, ?)").run(username, isAdmin ? 1 : 0, now);
+  return { username, is_admin: isAdmin, created_at: now };
 }
 function getContributor(username) {
-  const row = getDb().prepare("SELECT username, is_operator, created_at FROM contributors WHERE username = ?").get(username);
+  const row = getDb().prepare("SELECT username, is_admin, created_at FROM contributors WHERE username = ?").get(username);
   if (row)
-    row.is_operator = Boolean(row.is_operator);
+    row.is_admin = Boolean(row.is_admin);
   return row;
 }
 function listContributors() {
-  const rows = getDb().prepare("SELECT username, is_operator, created_at FROM contributors ORDER BY created_at ASC").all();
-  return rows.map((r) => ({ ...r, is_operator: Boolean(r.is_operator) }));
+  const rows = getDb().prepare("SELECT username, is_admin, created_at FROM contributors ORDER BY created_at ASC").all();
+  return rows.map((r) => ({ ...r, is_admin: Boolean(r.is_admin) }));
+}
+function deleteContributor(username) {
+  const d = getDb();
+  const exists = d.prepare("SELECT 1 FROM contributors WHERE username = ?").get(username);
+  if (!exists)
+    return false;
+  d.prepare("DELETE FROM activity WHERE contributor = ?").run(username);
+  d.prepare("DELETE FROM items WHERE contributor = ?").run(username);
+  d.prepare("DELETE FROM api_keys WHERE contributor = ?").run(username);
+  d.prepare("DELETE FROM contributors WHERE username = ?").run(username);
+  return true;
 }
 function hasAnyContributor() {
   const row = getDb().prepare("SELECT COUNT(*) as count FROM contributors").get();
@@ -89,7 +162,14 @@ function createApiKey(keyHash, label, contributor) {
   const id = `key_${randomUUID().replace(/-/g, "").slice(0, 12)}`;
   const now = new Date().toISOString();
   getDb().prepare("INSERT INTO api_keys (id, key_hash, label, contributor, created_at) VALUES (?, ?, ?, ?, ?)").run(id, keyHash, label, contributor, now);
-  return { id, key_hash: keyHash, label, contributor, created_at: now, last_used_at: null };
+  return {
+    id,
+    key_hash: keyHash,
+    label,
+    contributor,
+    created_at: now,
+    last_used_at: null
+  };
 }
 function getApiKeyByHash(keyHash) {
   return getDb().prepare("SELECT * FROM api_keys WHERE key_hash = ?").get(keyHash);
@@ -101,7 +181,13 @@ function createInvite(createdBy) {
   const id = randomUUID().replace(/-/g, "").slice(0, 12);
   const now = new Date().toISOString();
   getDb().prepare("INSERT INTO invites (id, created_by, created_at) VALUES (?, ?, ?)").run(id, createdBy, now);
-  return { id, created_by: createdBy, created_at: now, used_at: null, used_by: null };
+  return {
+    id,
+    created_by: createdBy,
+    created_at: now,
+    used_at: null,
+    used_by: null
+  };
 }
 function getInvite(id) {
   return getDb().prepare("SELECT * FROM invites WHERE id = ?").get(id);
@@ -109,33 +195,110 @@ function getInvite(id) {
 function markInviteUsed(id, usedBy) {
   getDb().prepare("UPDATE invites SET used_at = ?, used_by = ? WHERE id = ?").run(new Date().toISOString(), usedBy, id);
 }
-function upsertFileMetadata(contributor, path, originCtime, originMtime) {
+function validateOriginCtime(originCtime, originMtime) {
+  if (originCtime) {
+    const ms = new Date(originCtime).getTime();
+    if (ms > 0 && !isNaN(ms))
+      return originCtime;
+  }
+  if (originMtime) {
+    const ms = new Date(originMtime).getTime();
+    if (ms > 0 && !isNaN(ms))
+      return originMtime;
+  }
+  return new Date().toISOString();
+}
+var MAX_CONTENT_SIZE = 10 * 1024 * 1024;
+function upsertItem(contributor, path, content, originCtime, originMtime) {
+  if (Buffer.byteLength(content) > MAX_CONTENT_SIZE) {
+    throw new ItemTooLargeError(Buffer.byteLength(content));
+  }
   const now = new Date().toISOString();
-  getDb().prepare(`INSERT INTO files (contributor, path, origin_ctime, origin_mtime, server_created_at, server_modified_at)
-       VALUES (?, ?, ?, ?, ?, ?)
+  const createdAt = validateOriginCtime(originCtime, originMtime);
+  const modifiedAt = originMtime || now;
+  getDb().prepare(`INSERT INTO items (contributor, path, content, created_at, modified_at)
+       VALUES (?, ?, ?, ?, ?)
        ON CONFLICT (contributor, path) DO UPDATE SET
-         origin_mtime = excluded.origin_mtime,
-         server_modified_at = excluded.server_modified_at`).run(contributor, path, originCtime, originMtime, now, now);
-  return getFileMetadata(contributor, path);
+         content = excluded.content,
+         modified_at = excluded.modified_at`).run(contributor, path, content, createdAt, modifiedAt);
+  return getItem(contributor, path);
 }
-function getFileMetadata(contributor, path) {
-  return getDb().prepare("SELECT * FROM files WHERE contributor = ? AND path = ?").get(contributor, path);
+function getItem(contributor, path) {
+  return getDb().prepare("SELECT contributor, path, content, created_at, modified_at FROM items WHERE contributor = ? AND path = ?").get(contributor, path);
 }
-function listFileMetadata(contributor, prefix) {
-  const map = new Map;
+function listItems(contributor, prefix) {
   let rows;
   if (prefix) {
-    rows = getDb().prepare("SELECT * FROM files WHERE contributor = ? AND path LIKE ?").all(contributor, prefix + "%");
+    rows = getDb().prepare(`SELECT path, length(content) as size, created_at, modified_at
+         FROM items WHERE contributor = ? AND path LIKE ?
+         ORDER BY modified_at DESC`).all(contributor, prefix + "%");
   } else {
-    rows = getDb().prepare("SELECT * FROM files WHERE contributor = ?").all(contributor);
-  }
-  for (const row of rows) {
-    map.set(row.path, row);
+    rows = getDb().prepare(`SELECT path, length(content) as size, created_at, modified_at
+         FROM items WHERE contributor = ?
+         ORDER BY modified_at DESC`).all(contributor);
   }
-  return map;
+  return rows;
 }
-function deleteFileMetadata(contributor, path) {
-  getDb().prepare("DELETE FROM files WHERE contributor = ? AND path = ?").run(contributor, path);
+function deleteItem(contributor, path) {
+  const result = getDb().prepare("DELETE FROM items WHERE contributor = ? AND path = ?").run(contributor, path);
+  return result.changes > 0;
+}
+function searchItems(query, contributor, limit = 10) {
+  if (contributor) {
+    return getDb().prepare(`SELECT i.contributor, i.path,
+                snippet(items_fts, 1, '<b>', '</b>', '...', 32) as snippet,
+                rank
+         FROM items_fts
+         JOIN items i ON items_fts.rowid = i.rowid
+         WHERE items_fts MATCH ?
+           AND i.contributor = ?
+         ORDER BY rank
+         LIMIT ?`).all(query, contributor, limit);
+  }
+  return getDb().prepare(`SELECT i.contributor, i.path,
+              snippet(items_fts, 1, '<b>', '</b>', '...', 32) as snippet,
+              rank
+       FROM items_fts
+       JOIN items i ON items_fts.rowid = i.rowid
+       WHERE items_fts MATCH ?
+       ORDER BY rank
+       LIMIT ?`).all(query, limit);
+}
+function createActivityEvent(contributor, action, detail) {
+  const id = `act_${randomBytes(6).toString("hex")}`;
+  const now = new Date().toISOString();
+  const detailJson = detail ? JSON.stringify(detail) : null;
+  getDb().prepare("INSERT INTO activity (id, contributor, action, detail, created_at) VALUES (?, ?, ?, ?, ?)").run(id, contributor, action, detailJson, now);
+  return { id, contributor, action, detail: detailJson, created_at: now };
+}
+function listActivityEvents(opts) {
+  const conditions = [];
+  const params = [];
+  if (opts?.contributor) {
+    conditions.push("contributor = ?");
+    params.push(opts.contributor);
+  }
+  if (opts?.action) {
+    conditions.push("action = ?");
+    params.push(opts.action);
+  }
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  const limit = opts?.limit ?? 50;
+  const offset = opts?.offset ?? 0;
+  params.push(limit, offset);
+  return getDb().prepare(`SELECT id, contributor, action, detail, created_at
+       FROM activity ${where}
+       ORDER BY created_at DESC
+       LIMIT ? OFFSET ?`).all(...params);
+}
+
+class ItemTooLargeError extends Error {
+  size;
+  constructor(size) {
+    super(`Content too large: ${size} bytes (max ${MAX_CONTENT_SIZE})`);
+    this.name = "ItemTooLargeError";
+    this.size = size;
+  }
 }
 
 // ../node_modules/.bun/hono@4.11.9/node_modules/hono/dist/compose.js
@@ -1662,9 +1825,9 @@ import { readFileSync } from "fs";
 import { resolve } from "path";
 
 // src/auth.ts
-import { createHash, randomBytes } from "crypto";
+import { createHash, randomBytes as randomBytes2 } from "crypto";
 function generateToken() {
-  return `sv_${randomBytes(16).toString("hex")}`;
+  return `sv_${randomBytes2(16).toString("hex")}`;
 }
 function hashToken(raw2) {
   return createHash("sha256").update(raw2).digest("hex");
@@ -1700,140 +1863,6 @@ function getAuthCtx(c) {
   return c.get("authCtx");
 }
 
-// src/storage.ts
-import { join, dirname, relative, sep } from "path";
-import { mkdir, writeFile, unlink, readdir, stat, readFile, rename, rmdir } from "fs/promises";
-import { existsSync } from "fs";
-import { randomUUID as randomUUID2 } from "crypto";
-var MAX_FILE_SIZE = 10 * 1024 * 1024;
-function validatePath(filePath) {
-  if (!filePath || filePath.length === 0) {
-    return "Path cannot be empty";
-  }
-  if (filePath.startsWith("/")) {
-    return "Path cannot start with /";
-  }
-  if (filePath.includes("\\")) {
-    return "Path cannot contain backslashes";
-  }
-  if (filePath.includes("//")) {
-    return "Path cannot contain double slashes";
-  }
-  if (!filePath.endsWith(".md")) {
-    return "Path must end in .md";
-  }
-  const segments = filePath.split("/");
-  for (const seg of segments) {
-    if (seg === "." || seg === "..") {
-      return "Path cannot contain . or .. segments";
-    }
-    if (seg.length === 0) {
-      return "Path cannot contain empty segments";
-    }
-  }
-  return null;
-}
-function resolvePath(storageRoot, contributor, filePath) {
-  return join(storageRoot, contributor, filePath);
-}
-async function ensureContributorDir(storageRoot, contributor) {
-  const dir = join(storageRoot, contributor);
-  await mkdir(dir, { recursive: true });
-}
-async function writeFileAtomic(storageRoot, contributor, filePath, content) {
-  const contentBuf = typeof content === "string" ? Buffer.from(content) : content;
-  if (contentBuf.length > MAX_FILE_SIZE) {
-    throw new FileTooLargeError(contentBuf.length);
-  }
-  const absPath = resolvePath(storageRoot, contributor, filePath);
-  const dir = dirname(absPath);
-  await mkdir(dir, { recursive: true });
-  const tmpPath = `${absPath}.tmp.${randomUUID2().slice(0, 8)}`;
-  try {
-    await writeFile(tmpPath, contentBuf);
-    await rename(tmpPath, absPath);
-  } catch (e) {
-    try {
-      await unlink(tmpPath);
-    } catch {}
-    throw e;
-  }
-  const fileStat = await stat(absPath);
-  return {
-    path: filePath,
-    size: fileStat.size,
-    modifiedAt: fileStat.mtime.toISOString()
-  };
-}
-async function deleteFile(storageRoot, contributor, filePath) {
-  const absPath = resolvePath(storageRoot, contributor, filePath);
-  if (!existsSync(absPath)) {
-    throw new FileNotFoundError(filePath);
-  }
-  await unlink(absPath);
-  const contributorRoot = join(storageRoot, contributor);
-  let dir = dirname(absPath);
-  while (dir !== contributorRoot && dir.startsWith(contributorRoot)) {
-    try {
-      await rmdir(dir);
-      dir = dirname(dir);
-    } catch {
-      break;
-    }
-  }
-}
-async function listFiles(storageRoot, contributor, prefix) {
-  const contributorRoot = join(storageRoot, contributor);
-  if (!existsSync(contributorRoot)) {
-    return [];
-  }
-  const files = [];
-  await walkDir(contributorRoot, contributorRoot, prefix, files);
-  files.sort((a, b) => b.modifiedAt.localeCompare(a.modifiedAt));
-  return files;
-}
-async function walkDir(dir, contributorRoot, prefix, results) {
-  let entries;
-  try {
-    entries = await readdir(dir, { withFileTypes: true });
-  } catch {
-    return;
-  }
-  for (const entry of entries) {
-    const fullPath = join(dir, entry.name);
-    if (entry.isDirectory()) {
-      await walkDir(fullPath, contributorRoot, prefix, results);
-    } else if (entry.isFile() && entry.name.endsWith(".md")) {
-      const relPath = relative(contributorRoot, fullPath).split(sep).join("/");
-      if (prefix && !relPath.startsWith(prefix)) {
-        continue;
-      }
-      const fileStat = await stat(fullPath);
-      results.push({
-        path: relPath,
-        size: fileStat.size,
-        modifiedAt: fileStat.mtime.toISOString()
-      });
-    }
-  }
-}
-
-class FileNotFoundError extends Error {
-  constructor(path) {
-    super(`File not found: ${path}`);
-    this.name = "FileNotFoundError";
-  }
-}
-
-class FileTooLargeError extends Error {
-  size;
-  constructor(size) {
-    super(`File too large: ${size} bytes (max ${MAX_FILE_SIZE})`);
-    this.name = "FileTooLargeError";
-    this.size = size;
-  }
-}
-
 // src/sse.ts
 var clients = new Set;
 function addClient(controller) {
@@ -1857,181 +1886,161 @@ data: ${JSON.stringify(data)}
   }
 }
 
-// src/qmd.ts
-async function isQmdAvailable() {
-  try {
-    const proc = Bun.spawn(["qmd", "status"], { stdout: "pipe", stderr: "pipe" });
-    await proc.exited;
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function addCollection(storageRoot, contributor) {
-  const dir = `${storageRoot}/${contributor.username}`;
-  const proc = Bun.spawn(["qmd", "collection", "add", dir, "--name", contributor.username, "--mask", "**/*.md"], { stdout: "pipe", stderr: "pipe" });
-  const exitCode = await proc.exited;
-  if (exitCode !== 0) {
-    const stderr = await new Response(proc.stderr).text();
-    if (!stderr.includes("already exists")) {
-      console.error(`QMD collection add failed for ${contributor.username}:`, stderr);
-    }
-  }
-}
-var updateInFlight = false;
-var updateQueued = false;
-function triggerUpdate() {
-  if (updateInFlight) {
-    updateQueued = true;
-    return;
-  }
-  runUpdate();
-}
-async function runUpdate() {
-  updateInFlight = true;
-  try {
-    const proc = Bun.spawn(["qmd", "update"], { stdout: "pipe", stderr: "pipe" });
-    const exitCode = await proc.exited;
-    if (exitCode !== 0) {
-      const stderr = await new Response(proc.stderr).text();
-      console.error("QMD update failed:", stderr);
+// src/diff.ts
+var DIFF_MAX_BYTES = 5000;
+function computeDiff(oldText, newText) {
+  if (oldText === newText)
+    return null;
+  if (oldText === "")
+    return null;
+  const oldLines = oldText.split(`
+`);
+  const newLines = newText.split(`
+`);
+  const editScript = myersDiff(oldLines, newLines);
+  const hunks = buildHunks(editScript, oldLines, newLines, 3);
+  let diff = "";
+  let truncated = false;
+  for (const hunk of hunks) {
+    const header = `@@ -${hunk.oldStart},${hunk.oldCount}` + ` +${hunk.newStart},${hunk.newCount} @@
+`;
+    diff += header;
+    for (const line of hunk.lines) {
+      diff += line + `
+`;
     }
-  } catch (e) {
-    console.error("QMD update error:", e);
-  } finally {
-    updateInFlight = false;
-    if (updateQueued) {
-      updateQueued = false;
-      runUpdate();
+    if (diff.length > DIFF_MAX_BYTES) {
+      diff = diff.slice(0, DIFF_MAX_BYTES);
+      truncated = true;
+      break;
     }
   }
+  return { diff, truncated };
 }
-async function search(query, options = {}) {
-  const limit = options.limit ?? 10;
-  const args = ["search", query, "--json", "-n", String(limit)];
-  if (options.collection) {
-    args.push("-c", options.collection);
-  }
-  try {
-    const proc = Bun.spawn(["qmd", ...args], { stdout: "pipe", stderr: "pipe" });
-    const stdout = await new Response(proc.stdout).text();
-    const exitCode = await proc.exited;
-    if (exitCode !== 0) {
-      const stderr = await new Response(proc.stderr).text();
-      console.error("QMD search failed:", stderr);
-      return [];
-    }
-    if (!stdout.trim())
-      return [];
-    return JSON.parse(stdout);
-  } catch (e) {
-    console.error("QMD search error:", e);
-    return [];
-  }
-}
-async function syncContributors(storageRoot, contributors) {
-  for (const contributor of contributors) {
-    await addCollection(storageRoot, contributor);
-  }
-}
-
-// src/shell.ts
-var ALLOWED_COMMANDS = new Set([
-  "ls",
-  "cat",
-  "head",
-  "tail",
-  "find",
-  "grep",
-  "wc",
-  "tree",
-  "stat"
-]);
-var MAX_STDOUT = 1024 * 1024;
-var TIMEOUT_MS = 1e4;
-function parseCommand(cmd) {
-  const args = [];
-  let current = "";
-  let inSingle = false;
-  let inDouble = false;
-  for (let i = 0;i < cmd.length; i++) {
-    const ch = cmd[i];
-    if (ch === "'" && !inDouble) {
-      inSingle = !inSingle;
-    } else if (ch === '"' && !inSingle) {
-      inDouble = !inDouble;
-    } else if (ch === " " && !inSingle && !inDouble) {
-      if (current.length > 0) {
-        args.push(current);
-        current = "";
+function myersDiff(a, b) {
+  const n = a.length;
+  const m = b.length;
+  const max = n + m;
+  const vSize = 2 * max + 1;
+  const v = new Int32Array(vSize);
+  v.fill(-1);
+  const offset = max;
+  v[offset + 1] = 0;
+  const trace = [];
+  outer:
+    for (let d = 0;d <= max; d++) {
+      trace.push(v.slice());
+      for (let k = -d;k <= d; k += 2) {
+        let x2;
+        if (k === -d || k !== d && v[offset + k - 1] < v[offset + k + 1]) {
+          x2 = v[offset + k + 1];
+        } else {
+          x2 = v[offset + k - 1] + 1;
+        }
+        let y2 = x2 - k;
+        while (x2 < n && y2 < m && a[x2] === b[y2]) {
+          x2++;
+          y2++;
+        }
+        v[offset + k] = x2;
+        if (x2 >= n && y2 >= m)
+          break outer;
       }
+    }
+  const edits = [];
+  let x = n;
+  let y = m;
+  for (let d = trace.length - 1;d >= 0; d--) {
+    const tv = trace[d];
+    const k = x - y;
+    let prevK;
+    if (k === -d || k !== d && tv[offset + k - 1] < tv[offset + k + 1]) {
+      prevK = k + 1;
     } else {
-      current += ch;
+      prevK = k - 1;
+    }
+    const prevX = tv[offset + prevK];
+    const prevY = prevX - prevK;
+    while (x > prevX && y > prevY) {
+      x--;
+      y--;
+      edits.push({ op: 0 /* Equal */, oldIdx: x, newIdx: y });
+    }
+    if (d > 0) {
+      if (x === prevX) {
+        edits.push({ op: 1 /* Insert */, oldIdx: x, newIdx: prevY });
+        y--;
+      } else {
+        edits.push({ op: 2 /* Delete */, oldIdx: prevX, newIdx: y });
+        x--;
+      }
     }
   }
-  if (current.length > 0) {
-    args.push(current);
-  }
-  return args;
+  edits.reverse();
+  return edits;
 }
-async function executeCommand(cmd, storageRoot) {
-  const argv = parseCommand(cmd.trim());
-  if (argv.length === 0) {
-    throw new ShellValidationError("Empty command");
-  }
-  const command = argv[0];
-  if (!ALLOWED_COMMANDS.has(command)) {
-    throw new ShellValidationError(`Command not allowed: ${command}. Allowed: ${[...ALLOWED_COMMANDS].join(", ")}`);
-  }
-  for (const arg of argv.slice(1)) {
-    if (arg.includes("..")) {
-      throw new ShellValidationError("Path traversal (..) is not allowed");
+function buildHunks(edits, oldLines, newLines, context) {
+  const hunks = [];
+  let i = 0;
+  while (i < edits.length) {
+    while (i < edits.length && edits[i].op === 0 /* Equal */)
+      i++;
+    if (i >= edits.length)
+      break;
+    let start = i;
+    for (let c = 0;c < context && start > 0; c++)
+      start--;
+    let end = i;
+    while (end < edits.length) {
+      if (edits[end].op !== 0 /* Equal */) {
+        end++;
+        continue;
+      }
+      let run = 0;
+      let j = end;
+      while (j < edits.length && edits[j].op === 0 /* Equal */) {
+        run++;
+        j++;
+      }
+      if (j >= edits.length || run > context * 2) {
+        end = Math.min(end + context, edits.length);
+        break;
+      }
+      end = j;
+    }
+    const hunkEdits = edits.slice(start, end);
+    const firstEdit = hunkEdits[0];
+    let oldStart = firstEdit.oldIdx + 1;
+    let newStart = firstEdit.newIdx + 1;
+    let oldCount = 0;
+    let newCount = 0;
+    const lines = [];
+    for (const e of hunkEdits) {
+      if (e.op === 0 /* Equal */) {
+        lines.push(" " + oldLines[e.oldIdx]);
+        oldCount++;
+        newCount++;
+      } else if (e.op === 2 /* Delete */) {
+        lines.push("-" + oldLines[e.oldIdx]);
+        oldCount++;
+      } else {
+        lines.push("+" + newLines[e.newIdx]);
+        newCount++;
+      }
     }
+    hunks.push({ oldStart, oldCount, newStart, newCount, lines });
+    i = end;
   }
-  const proc = Bun.spawn(argv, {
-    cwd: storageRoot,
-    stdout: "pipe",
-    stderr: "pipe",
-    env: {}
-  });
-  const timeout = setTimeout(() => {
-    proc.kill();
-  }, TIMEOUT_MS);
-  try {
-    const [stdoutBuf, stderrBuf] = await Promise.all([
-      new Response(proc.stdout).arrayBuffer(),
-      new Response(proc.stderr).arrayBuffer()
-    ]);
-    await proc.exited;
-    const truncated = stdoutBuf.byteLength > MAX_STDOUT;
-    const stdoutBytes = truncated ? stdoutBuf.slice(0, MAX_STDOUT) : stdoutBuf;
-    let stdout = new TextDecoder().decode(stdoutBytes);
-    if (truncated) {
-      stdout += `
-[truncated]`;
-    }
-    const stderr = new TextDecoder().decode(stderrBuf);
-    return {
-      stdout,
-      stderr,
-      exitCode: proc.exitCode ?? 1,
-      truncated
-    };
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-
-class ShellValidationError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "ShellValidationError";
-  }
+  return hunks;
 }
 
 // src/routes.ts
 var uiPath = resolve(import.meta.dirname, "index.html");
 var isDev = true;
+function logActivity(contributor, action, detail) {
+  const event = createActivityEvent(contributor, action, detail);
+  broadcast("activity", event);
+}
 var uiHtmlCached = readFileSync(uiPath, "utf-8");
 function extractFileInfo(reqPath) {
   const raw2 = reqPath.replace("/v1/files/", "");
@@ -2049,7 +2058,7 @@ function extractFileInfo(reqPath) {
     filePath: decoded.slice(slashIdx + 1)
   };
 }
-function createApp(storageRoot) {
+function createApp() {
   const app = new Hono2;
   app.get("/", (c) => {
     return c.html(isDev ? readFileSync(uiPath, "utf-8") : uiHtmlCached);
@@ -2084,13 +2093,14 @@ function createApp(storageRoot) {
       return c.json({ error: "A contributor with that username already exists" }, 409);
     }
     const contributor = createContributor(username, isFirstUser);
-    await ensureContributorDir(storageRoot, contributor.username);
-    addCollection(storageRoot, contributor).catch((e) => console.error("Failed to register QMD collection:", e));
     const rawToken = generateToken();
     createApiKey(hashToken(rawToken), `${username}-default`, contributor.username);
     if (!isFirstUser && body.invite) {
       markInviteUsed(body.invite, contributor.username);
     }
+    logActivity(contributor.username, "contributor_created", {
+      username: contributor.username
+    });
     return c.json({
       contributor: {
         username: contributor.username,
@@ -2110,10 +2120,13 @@ function createApp(storageRoot) {
   });
   authed.post("/v1/invites", (c) => {
     const { contributor } = getAuthCtx(c);
-    if (!contributor.is_operator) {
-      return c.json({ error: "Only the operator can generate invite codes" }, 403);
+    if (!contributor.is_admin) {
+      return c.json({ error: "Only the admin can generate invite codes" }, 403);
     }
     const invite = createInvite(contributor.username);
+    logActivity(contributor.username, "invite_created", {
+      invite: invite.id
+    });
     return c.json({
       invite: invite.id,
       createdAt: invite.created_at
@@ -2128,27 +2141,23 @@ function createApp(storageRoot) {
       }))
     });
   });
-  authed.post("/v1/sh", async (c) => {
-    const body = await c.req.json();
-    if (!body.cmd || typeof body.cmd !== "string") {
-      return c.json({ error: "cmd is required" }, 400);
+  authed.delete("/v1/contributors/:username", (c) => {
+    const { contributor } = getAuthCtx(c);
+    const target = c.req.param("username");
+    if (!contributor.is_admin) {
+      return c.json({ error: "Only the admin can delete contributors" }, 403);
     }
-    try {
-      const result = await executeCommand(body.cmd, storageRoot);
-      return new Response(result.stdout, {
-        status: 200,
-        headers: {
-          "Content-Type": "text/plain; charset=utf-8",
-          "X-Exit-Code": String(result.exitCode),
-          "X-Stderr": encodeURIComponent(result.stderr)
-        }
-      });
-    } catch (e) {
-      if (e instanceof ShellValidationError) {
-        return c.json({ error: e.message }, 400);
-      }
-      throw e;
+    if (target === contributor.username) {
+      return c.json({ error: "Cannot delete yourself" }, 400);
     }
+    const found = deleteContributor(target);
+    if (!found) {
+      return c.json({ error: "Contributor not found" }, 404);
+    }
+    logActivity(contributor.username, "contributor_deleted", {
+      username: target
+    });
+    return c.body(null, 204);
   });
   authed.put("/v1/files/*", async (c) => {
     const { contributor } = getAuthCtx(c);
@@ -2170,31 +2179,40 @@ function createApp(storageRoot) {
     const now = new Date().toISOString();
     const originCtime = c.req.header("X-Origin-Ctime") || now;
     const originMtime = c.req.header("X-Origin-Mtime") || now;
+    const existing = getItem(parsed.username, parsed.filePath);
     try {
-      const result = await writeFileAtomic(storageRoot, parsed.username, parsed.filePath, content);
-      const meta = upsertFileMetadata(parsed.username, parsed.filePath, originCtime, originMtime);
+      const item = upsertItem(parsed.username, parsed.filePath, content, originCtime, originMtime);
+      const detail = {
+        path: item.path,
+        size: Buffer.byteLength(item.content)
+      };
+      const diffResult = computeDiff(existing?.content ?? "", content);
+      if (diffResult) {
+        detail.diff = diffResult.diff;
+        if (diffResult.truncated)
+          detail.diff_truncated = true;
+      }
+      logActivity(contributor.username, "file_upserted", detail);
       broadcast("file_updated", {
         contributor: parsed.username,
-        path: result.path,
-        size: result.size,
-        modifiedAt: result.modifiedAt
+        path: item.path,
+        size: Buffer.byteLength(item.content),
+        modifiedAt: item.modified_at
       });
-      triggerUpdate();
       return c.json({
-        ...result,
-        originCtime: meta.origin_ctime,
-        originMtime: meta.origin_mtime,
-        serverCreatedAt: meta.server_created_at,
-        serverModifiedAt: meta.server_modified_at
+        path: item.path,
+        size: Buffer.byteLength(item.content),
+        createdAt: item.created_at,
+        modifiedAt: item.modified_at
       });
     } catch (e) {
-      if (e instanceof FileTooLargeError) {
+      if (e instanceof ItemTooLargeError) {
         return c.json({ error: e.message }, 413);
       }
       throw e;
     }
   });
-  authed.delete("/v1/files/*", async (c) => {
+  authed.delete("/v1/files/*", (c) => {
     const { contributor } = getAuthCtx(c);
     const parsed = extractFileInfo(c.req.path);
     if (!parsed) {
@@ -2207,23 +2225,20 @@ function createApp(storageRoot) {
     if (pathError) {
       return c.json({ error: pathError }, 400);
     }
-    try {
-      await deleteFile(storageRoot, parsed.username, parsed.filePath);
-      deleteFileMetadata(parsed.username, parsed.filePath);
-      broadcast("file_deleted", {
-        contributor: parsed.username,
-        path: parsed.filePath
-      });
-      triggerUpdate();
-      return c.body(null, 204);
-    } catch (e) {
-      if (e instanceof FileNotFoundError) {
-        return c.json({ error: "File not found" }, 404);
-      }
-      throw e;
+    const found = deleteItem(parsed.username, parsed.filePath);
+    if (!found) {
+      return c.json({ error: "File not found" }, 404);
     }
+    logActivity(contributor.username, "file_deleted", {
+      path: parsed.filePath
+    });
+    broadcast("file_deleted", {
+      contributor: parsed.username,
+      path: parsed.filePath
+    });
+    return c.body(null, 204);
   });
-  authed.get("/v1/files", async (c) => {
+  authed.get("/v1/files", (c) => {
     const prefix = c.req.query("prefix") || "";
     if (!prefix) {
       return c.json({ error: "prefix query parameter is required" }, 400);
@@ -2234,20 +2249,33 @@ function createApp(storageRoot) {
     if (!getContributor(username)) {
       return c.json({ error: "Contributor not found" }, 404);
     }
-    const files = await listFiles(storageRoot, username, subPrefix);
-    const metaMap = listFileMetadata(username, subPrefix);
+    const items = listItems(username, subPrefix);
     return c.json({
-      files: files.map((f) => {
-        const meta = metaMap.get(f.path);
-        return {
-          ...f,
-          path: `${username}/${f.path}`,
-          originCtime: meta?.origin_ctime,
-          originMtime: meta?.origin_mtime,
-          serverCreatedAt: meta?.server_created_at,
-          serverModifiedAt: meta?.server_modified_at
-        };
-      })
+      files: items.map((f) => ({
+        path: `${username}/${f.path}`,
+        size: f.size,
+        createdAt: f.created_at,
+        modifiedAt: f.modified_at
+      }))
+    });
+  });
+  authed.get("/v1/files/*", (c) => {
+    const parsed = extractFileInfo(c.req.path);
+    if (!parsed) {
+      return c.json({ error: "Invalid file path" }, 400);
+    }
+    const item = getItem(parsed.username, parsed.filePath);
+    if (!item) {
+      return c.json({ error: "File not found" }, 404);
+    }
+    return new Response(item.content, {
+      status: 200,
+      headers: {
+        "Content-Type": "text/markdown; charset=utf-8",
+        "X-Created-At": item.created_at,
+        "X-Modified-At": item.modified_at,
+        "X-Size": String(Buffer.byteLength(item.content))
+      }
     });
   });
   authed.get("/v1/events", (c) => {
@@ -2285,52 +2313,46 @@ data: {}
       }
     });
   });
-  authed.get("/v1/search", async (c) => {
+  authed.get("/v1/search", (c) => {
     const q = c.req.query("q");
     if (!q) {
       return c.json({ error: "q parameter is required" }, 400);
     }
     const contributorParam = c.req.query("contributor") || undefined;
     const limit = parseInt(c.req.query("limit") || "10", 10);
-    let collectionName;
-    if (contributorParam) {
-      const contributor = getContributor(contributorParam);
-      if (!contributor) {
-        return c.json({ error: "Contributor not found" }, 404);
-      }
-      collectionName = contributor.username;
+    if (contributorParam && !getContributor(contributorParam)) {
+      return c.json({ error: "Contributor not found" }, 404);
     }
-    const results = await search(q, { collection: collectionName, limit });
+    const results = searchItems(q, contributorParam, limit);
     return c.json({ results });
   });
+  authed.get("/v1/activity", (c) => {
+    const contributor = c.req.query("contributor") || undefined;
+    const action = c.req.query("action") || undefined;
+    const limit = c.req.query("limit") ? parseInt(c.req.query("limit"), 10) : undefined;
+    const offset = c.req.query("offset") ? parseInt(c.req.query("offset"), 10) : undefined;
+    const events = listActivityEvents({
+      contributor,
+      action,
+      limit,
+      offset
+    });
+    return c.json({ events });
+  });
   app.route("/", authed);
   return app;
 }
 
 // src/index.ts
 var PORT = parseInt(process.env.PORT || "3000", 10);
-var DATA_DIR = process.env.DATA_DIR || join2(homedir(), ".seedvault", "data");
-var dbPath = join2(DATA_DIR, "seedvault.db");
-var storageRoot = join2(DATA_DIR, "files");
-await mkdir2(DATA_DIR, { recursive: true });
-await mkdir2(storageRoot, { recursive: true });
+var DATA_DIR = process.env.DATA_DIR || join(homedir(), ".seedvault", "data");
+var dbPath = join(DATA_DIR, "seedvault.db");
+await mkdir(DATA_DIR, { recursive: true });
 initDb(dbPath);
-var app = createApp(storageRoot);
+var app = createApp();
 console.log(`Seedvault server starting on port ${PORT}`);
 console.log(`  Data dir: ${DATA_DIR}`);
 console.log(`  Database: ${dbPath}`);
-console.log(`  Storage:  ${storageRoot}`);
-var qmdAvailable = await isQmdAvailable();
-if (qmdAvailable) {
-  console.log("  QMD:      available");
-  const contributors = listContributors();
-  if (contributors.length > 0) {
-    await syncContributors(storageRoot, contributors);
-    console.log(`  QMD:      synced ${contributors.length} collection(s)`);
-  }
-} else {
-  console.log("  QMD:      not found (search disabled)");
-}
 var server = Bun.serve({
   port: PORT,
   fetch: app.fetch