@siteboon/claude-code-ui 1.24.0 → 1.25.1

package/server/cursor-cli.js

@@ -1,84 +1,124 @@
 import { spawn } from 'child_process';
 import crossSpawn from 'cross-spawn';
-import { promises as fs } from 'fs';
-import path from 'path';
-import os from 'os';
 
 // Use cross-spawn on Windows for better command execution
 const spawnFunction = process.platform === 'win32' ? crossSpawn : spawn;
 
 let activeCursorProcesses = new Map(); // Track active processes by session ID
 
+const WORKSPACE_TRUST_PATTERNS = [
+  /workspace trust required/i,
+  /do you trust the contents of this directory/i,
+  /working with untrusted contents/i,
+  /pass --trust,\s*--yolo,\s*or -f/i
+];
+
+function isWorkspaceTrustPrompt(text = '') {
+  if (!text || typeof text !== 'string') {
+    return false;
+  }
+
+  return WORKSPACE_TRUST_PATTERNS.some((pattern) => pattern.test(text));
+}
+
 async function spawnCursor(command, options = {}, ws) {
   return new Promise(async (resolve, reject) => {
-    const { sessionId, projectPath, cwd, resume, toolsSettings, skipPermissions, model, images } = options;
+    const { sessionId, projectPath, cwd, resume, toolsSettings, skipPermissions, model } = options;
     let capturedSessionId = sessionId; // Track session ID throughout the process
     let sessionCreatedSent = false; // Track if we've already sent session-created event
-    let messageBuffer = ''; // Buffer for accumulating assistant messages
-    
+    let hasRetriedWithTrust = false;
+    let settled = false;
+
     // Use tools settings passed from frontend, or defaults
     const settings = toolsSettings || {
       allowedShellCommands: [],
       skipPermissions: false
     };
-    
+
     // Build Cursor CLI command
-    const args = [];
-    
+    const baseArgs = [];
+
     // Build flags allowing both resume and prompt together (reply in existing session)
     // Treat presence of sessionId as intention to resume, regardless of resume flag
     if (sessionId) {
-      args.push('--resume=' + sessionId);
+      baseArgs.push('--resume=' + sessionId);
     }
 
     if (command && command.trim()) {
       // Provide a prompt (works for both new and resumed sessions)
-      args.push('-p', command);
+      baseArgs.push('-p', command);
 
       // Add model flag if specified (only meaningful for new sessions; harmless on resume)
       if (!sessionId && model) {
-        args.push('--model', model);
+        baseArgs.push('--model', model);
       }
 
       // Request streaming JSON when we are providing a prompt
-      args.push('--output-format', 'stream-json');
+      baseArgs.push('--output-format', 'stream-json');
     }
-    
+
     // Add skip permissions flag if enabled
     if (skipPermissions || settings.skipPermissions) {
-      args.push('-f');
-      console.log('⚠️  Using -f flag (skip permissions)');
+      baseArgs.push('-f');
+      console.log('Using -f flag (skip permissions)');
     }
-    
+
     // Use cwd (actual project directory) instead of projectPath
     const workingDir = cwd || projectPath || process.cwd();
-    
-    console.log('Spawning Cursor CLI:', 'cursor-agent', args.join(' '));
-    console.log('Working directory:', workingDir);
-    console.log('Session info - Input sessionId:', sessionId, 'Resume:', resume);
-    
-    const cursorProcess = spawnFunction('cursor-agent', args, {
-      cwd: workingDir,
-      stdio: ['pipe', 'pipe', 'pipe'],
-      env: { ...process.env } // Inherit all environment variables
-    });
-    
+
     // Store process reference for potential abort
     const processKey = capturedSessionId || Date.now().toString();
-    activeCursorProcesses.set(processKey, cursorProcess);
-    
-    // Handle stdout (streaming JSON responses)
-    cursorProcess.stdout.on('data', (data) => {
-      const rawOutput = data.toString();
-      console.log('📤 Cursor CLI stdout:', rawOutput);
-      
-      const lines = rawOutput.split('\n').filter(line => line.trim());
-      
-      for (const line of lines) {
+
+    const settleOnce = (callback) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      callback();
+    };
+
+    const runCursorProcess = (args, runReason = 'initial') => {
+      const isTrustRetry = runReason === 'trust-retry';
+      let runSawWorkspaceTrustPrompt = false;
+      let stdoutLineBuffer = '';
+
+      if (isTrustRetry) {
+        console.log('Retrying Cursor CLI with --trust after workspace trust prompt');
+      }
+
+      console.log('Spawning Cursor CLI:', 'cursor-agent', args.join(' '));
+      console.log('Working directory:', workingDir);
+      console.log('Session info - Input sessionId:', sessionId, 'Resume:', resume);
+
+      const cursorProcess = spawnFunction('cursor-agent', args, {
+        cwd: workingDir,
+        stdio: ['pipe', 'pipe', 'pipe'],
+        env: { ...process.env } // Inherit all environment variables
+      });
+
+      activeCursorProcesses.set(processKey, cursorProcess);
+
+      const shouldSuppressForTrustRetry = (text) => {
+        if (hasRetriedWithTrust || args.includes('--trust')) {
+          return false;
+        }
+        if (!isWorkspaceTrustPrompt(text)) {
+          return false;
+        }
+
+        runSawWorkspaceTrustPrompt = true;
+        return true;
+      };
+
+      const processCursorOutputLine = (line) => {
+        if (!line || !line.trim()) {
+          return;
+        }
+
         try {
           const response = JSON.parse(line);
-          console.log('📄 Parsed JSON response:', response);
-          
+          console.log('Parsed JSON response:', response);
+
           // Handle different message types
           switch (response.type) {
             case 'system':
@@ -86,14 +126,14 @@ async function spawnCursor(command, options = {}, ws) {
                 // Capture session ID
                 if (response.session_id && !capturedSessionId) {
                   capturedSessionId = response.session_id;
-                  console.log('📝 Captured session ID:', capturedSessionId);
-                  
+                  console.log('Captured session ID:', capturedSessionId);
+
                   // Update process key with captured session ID
                   if (processKey !== capturedSessionId) {
                     activeCursorProcesses.delete(processKey);
                     activeCursorProcesses.set(capturedSessionId, cursorProcess);
                   }
-                  
+
                   // Set session ID on writer (for API endpoint compatibility)
                   if (ws.setSessionId && typeof ws.setSessionId === 'function') {
                     ws.setSessionId(capturedSessionId);
@@ -110,7 +150,7 @@ async function spawnCursor(command, options = {}, ws) {
                     });
                   }
                 }
-                
+
                 // Send system info to frontend
                 ws.send({
                   type: 'cursor-system',
@@ -119,7 +159,7 @@ async function spawnCursor(command, options = {}, ws) {
                 });
               }
               break;
-              
+
             case 'user':
               // Forward user message
               ws.send({
@@ -128,13 +168,12 @@ async function spawnCursor(command, options = {}, ws) {
                 sessionId: capturedSessionId || sessionId || null
               });
               break;
-              
+
             case 'assistant':
               // Accumulate assistant message chunks
               if (response.message && response.message.content && response.message.content.length > 0) {
                 const textContent = response.message.content[0].text;
-                messageBuffer += textContent;
-                
+
                 // Send as Claude-compatible format for frontend
                 ws.send({
                   type: 'claude-response',
@@ -149,23 +188,14 @@ async function spawnCursor(command, options = {}, ws) {
                 });
               }
               break;
-              
+
             case 'result':
               // Session complete
               console.log('Cursor session result:', response);
-              
-              // Send final message if we have buffered content
-              if (messageBuffer) {
-                ws.send({
-                  type: 'claude-response',
-                  data: {
-                    type: 'content_block_stop'
-                  },
-                  sessionId: capturedSessionId || sessionId || null
-                });
-              }
-              
-              // Send completion event
+
+              // Do not emit an extra content_block_stop here.
+              // The UI already finalizes the streaming message in cursor-result handling,
+              // and emitting both can produce duplicate assistant messages.
               ws.send({
                 type: 'cursor-result',
                 sessionId: capturedSessionId || sessionId,
@@ -173,7 +203,7 @@ async function spawnCursor(command, options = {}, ws) {
                 success: response.subtype === 'success'
               });
               break;
-              
+
             default:
               // Forward any other message types
               ws.send({
@@ -183,7 +213,12 @@ async function spawnCursor(command, options = {}, ws) {
               });
           }
         } catch (parseError) {
-          console.log('📄 Non-JSON response:', line);
+          console.log('Non-JSON response:', line);
+
+          if (shouldSuppressForTrustRetry(line)) {
+            return;
+          }
+
           // If not JSON, send as raw text
           ws.send({
             type: 'cursor-output',
@@ -191,67 +226,106 @@ async function spawnCursor(command, options = {}, ws) {
             sessionId: capturedSessionId || sessionId || null
           });
         }
-      }
-    });
-    
-    // Handle stderr
-    cursorProcess.stderr.on('data', (data) => {
-      console.error('Cursor CLI stderr:', data.toString());
-      ws.send({
-        type: 'cursor-error',
-        error: data.toString(),
-        sessionId: capturedSessionId || sessionId || null
+      };
+
+      // Handle stdout (streaming JSON responses)
+      cursorProcess.stdout.on('data', (data) => {
+        const rawOutput = data.toString();
+        console.log('Cursor CLI stdout:', rawOutput);
+
+        // Stream chunks can split JSON objects across packets; keep trailing partial line.
+        stdoutLineBuffer += rawOutput;
+        const completeLines = stdoutLineBuffer.split(/\r?\n/);
+        stdoutLineBuffer = completeLines.pop() || '';
+
+        completeLines.forEach((line) => {
+          processCursorOutputLine(line.trim());
+        });
+      });
+
+      // Handle stderr
+      cursorProcess.stderr.on('data', (data) => {
+        const stderrText = data.toString();
+        console.error('Cursor CLI stderr:', stderrText);
+
+        if (shouldSuppressForTrustRetry(stderrText)) {
+          return;
+        }
+
+        ws.send({
+          type: 'cursor-error',
+          error: stderrText,
+          sessionId: capturedSessionId || sessionId || null
+        });
       });
-    });
-    
-    // Handle process completion
-    cursorProcess.on('close', async (code) => {
-      console.log(`Cursor CLI process exited with code ${code}`);
-      
-      // Clean up process reference
-      const finalSessionId = capturedSessionId || sessionId || processKey;
-      activeCursorProcesses.delete(finalSessionId);
-
-      ws.send({
-        type: 'claude-complete',
-        sessionId: finalSessionId,
-        exitCode: code,
-        isNewSession: !sessionId && !!command // Flag to indicate this was a new session
+
+      // Handle process completion
+      cursorProcess.on('close', async (code) => {
+        console.log(`Cursor CLI process exited with code ${code}`);
+
+        const finalSessionId = capturedSessionId || sessionId || processKey;
+        activeCursorProcesses.delete(finalSessionId);
+
+        // Flush any final unterminated stdout line before completion handling.
+        if (stdoutLineBuffer.trim()) {
+          processCursorOutputLine(stdoutLineBuffer.trim());
+          stdoutLineBuffer = '';
+        }
+
+        if (
+          runSawWorkspaceTrustPrompt &&
+          code !== 0 &&
+          !hasRetriedWithTrust &&
+          !args.includes('--trust')
+        ) {
+          hasRetriedWithTrust = true;
+          runCursorProcess([...args, '--trust'], 'trust-retry');
+          return;
+        }
+
+        ws.send({
+          type: 'claude-complete',
+          sessionId: finalSessionId,
+          exitCode: code,
+          isNewSession: !sessionId && !!command // Flag to indicate this was a new session
+        });
+
+        if (code === 0) {
+          settleOnce(() => resolve());
+        } else {
+          settleOnce(() => reject(new Error(`Cursor CLI exited with code ${code}`)));
+        }
       });
-      
-      if (code === 0) {
-        resolve();
-      } else {
-        reject(new Error(`Cursor CLI exited with code ${code}`));
-      }
-    });
-    
-    // Handle process errors
-    cursorProcess.on('error', (error) => {
-      console.error('Cursor CLI process error:', error);
-      
-      // Clean up process reference on error
-      const finalSessionId = capturedSessionId || sessionId || processKey;
-      activeCursorProcesses.delete(finalSessionId);
-
-      ws.send({
-        type: 'cursor-error',
-        error: error.message,
-        sessionId: capturedSessionId || sessionId || null
+
+      // Handle process errors
+      cursorProcess.on('error', (error) => {
+        console.error('Cursor CLI process error:', error);
+
+        // Clean up process reference on error
+        const finalSessionId = capturedSessionId || sessionId || processKey;
+        activeCursorProcesses.delete(finalSessionId);
+
+        ws.send({
+          type: 'cursor-error',
+          error: error.message,
+          sessionId: capturedSessionId || sessionId || null
+        });
+
+        settleOnce(() => reject(error));
       });
 
-      reject(error);
-    });
-    
-    // Close stdin since Cursor doesn't need interactive input
-    cursorProcess.stdin.end();
+      // Close stdin since Cursor doesn't need interactive input
+      cursorProcess.stdin.end();
+    };
+
+    runCursorProcess(baseArgs, 'initial');
   });
 }
 
 function abortCursorSession(sessionId) {
   const process = activeCursorProcesses.get(sessionId);
   if (process) {
-    console.log(`🛑 Aborting Cursor session: ${sessionId}`);
+    console.log(`Aborting Cursor session: ${sessionId}`);
     process.kill('SIGTERM');
     activeCursorProcesses.delete(sessionId);
     return true;

package/server/database/db.js

@@ -59,6 +59,15 @@ if (DB_PATH !== LEGACY_DB_PATH && !fs.existsSync(DB_PATH) && fs.existsSync(LEGAC
 // Create database connection
 const db = new Database(DB_PATH);
 
+// app_config must exist before any other module imports (auth.js reads the JWT secret at load time).
+// runMigrations() also creates this table, but it runs too late for existing installations
+// where auth.js is imported before initializeDatabase() is called.
+db.exec(`CREATE TABLE IF NOT EXISTS app_config (
+  key TEXT PRIMARY KEY,
+  value TEXT NOT NULL,
+  created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+)`);
+
 // Show app installation path prominently
 const appInstallPath = path.join(__dirname, '../..');
 console.log('');
@@ -91,6 +100,13 @@ const runMigrations = () => {
       db.exec('ALTER TABLE users ADD COLUMN has_completed_onboarding BOOLEAN DEFAULT 0');
     }
 
+    // Create app_config table if it doesn't exist (for existing installations)
+    db.exec(`CREATE TABLE IF NOT EXISTS app_config (
+      key TEXT PRIMARY KEY,
+      value TEXT NOT NULL,
+      created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+    )`);
+
     // Create session_names table if it doesn't exist (for existing installations)
     db.exec(`CREATE TABLE IF NOT EXISTS session_names (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -414,6 +430,33 @@ function applyCustomSessionNames(sessions, provider) {
   }
 }
 
+// App config database operations
+const appConfigDb = {
+  get: (key) => {
+    try {
+      const row = db.prepare('SELECT value FROM app_config WHERE key = ?').get(key);
+      return row?.value || null;
+    } catch (err) {
+      return null;
+    }
+  },
+
+  set: (key, value) => {
+    db.prepare(
+      'INSERT INTO app_config (key, value) VALUES (?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value'
+    ).run(key, value);
+  },
+
+  getOrCreateJwtSecret: () => {
+    let secret = appConfigDb.get('jwt_secret');
+    if (!secret) {
+      secret = crypto.randomBytes(64).toString('hex');
+      appConfigDb.set('jwt_secret', secret);
+    }
+    return secret;
+  }
+};
+
 // Backward compatibility - keep old names pointing to new system
 const githubTokensDb = {
   createGithubToken: (userId, tokenName, githubToken, description = null) => {
@@ -441,5 +484,6 @@ export {
   credentialsDb,
   sessionNamesDb,
   applyCustomSessionNames,
+  appConfigDb,
   githubTokensDb // Backward compatibility
 };

package/server/database/init.sql

@@ -62,4 +62,11 @@ CREATE TABLE IF NOT EXISTS session_names (
     UNIQUE(session_id, provider)
 );
 
-CREATE INDEX IF NOT EXISTS idx_session_names_lookup ON session_names(session_id, provider);
+CREATE INDEX IF NOT EXISTS idx_session_names_lookup ON session_names(session_id, provider);
+
+-- App configuration table (auto-generated secrets, settings, etc.)
+CREATE TABLE IF NOT EXISTS app_config (
+    key TEXT PRIMARY KEY,
+    value TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);