@venturewild/workspace 0.4.0 → 0.4.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/index.mjs

@@ -65,8 +65,12 @@ import {
   createWorkspace as registryCreateWorkspace,
   touchWorkspace,
   removeWorkspace,
+  markShared,
+  setSyncProject,
+  seedDefault,
   workspaceIdForDir,
 } from './workspace-registry.mjs';
+import { createWorkspaceRails } from './workspaces.mjs';
 import { matchCandidates } from './bazaar/mock-tickup.mjs';
 import { servePreviewFile, confineBuildDir } from './bazaar/preview-server.mjs';
 import { TURN_SYSTEM_PROMPT, writeTurnMcpConfig } from './turn-mcp.mjs';
@@ -334,6 +338,12 @@ export async function createServer(overrides = {}) {
   // cache. `canvas` above still owns the workspace-SHARED agent content (blocks +
   // agent theme). Person-scoped state stores are built lazily + cached per personKey.
   const canvasRails = overrides.canvasRails || createCanvasRails(config, config.account);
+  // Shared-workspace membership client (sharing slice — design §4). The account
+  // token is kept top-level on config (out of the broadcast `config.account`), so
+  // pass it explicitly, mirroring the CLI `wild-workspace workspace …`. Inert (and
+  // every call returns {ok:false, code:'not_configured'}) until the owner logs in.
+  const workspaceRails =
+    overrides.workspaceRails || createWorkspaceRails(config, { accountToken: config.accountToken });
   const canvasStores = new Map();
   function canvasFor(personKey) {
     let store = canvasStores.get(personKey);
@@ -1885,16 +1895,23 @@ export async function createServer(overrides = {}) {
     const src = c.get('session')?.source;
     return src === 'localhost' || src === 'loopback';
   }
-  function lobbyList() {
-    const reg = listWorkspaces(registryEnv);
-    const items = reg.map((w) => ({
+  // The client-facing shape of a lobby card. Shared workspaces (sharing slice)
+  // carry their rails identity + the local member's role so the lobby can badge
+  // the card + gate owner-only actions (invite/un-share).
+  function lobbyShape(w) {
+    return {
       id: w.id,
       name: w.name,
       dir: w.dir,
       kind: w.kind,
+      shared: w.kind === 'shared' && w.shared ? w.shared : undefined,
       lastOpenedAt: w.lastOpenedAt,
       isDefault: w.id === defaultWorkspace.id,
-    }));
+    };
+  }
+  function lobbyList() {
+    const reg = listWorkspaces(registryEnv);
+    const items = reg.map(lobbyShape);
     // The boot/default workspace is computed (never persisted) — inject it if it
     // isn't already an explicit registry entry, so the lobby is never blank.
     if (!reg.some((w) => w.id === defaultWorkspace.id)) {
@@ -1910,10 +1927,41 @@ export async function createServer(overrides = {}) {
     return items.sort((a, b) => b.lastOpenedAt - a.lastOpenedAt);
   }
 
-  app.get('/api/lobby/workspaces', (c) => {
+  // The shared workspaces THIS account belongs to, from the rails (sharing slice).
+  // Degrade-never: not logged in / rails down → []; the lobby still shows local
+  // workspaces. This is how a workspace someone shared with you APPEARS in your
+  // lobby — before you've joined it, it has no local folder yet.
+  async function sharedFromRails() {
+    if (!config.account?.email || !workspaceRails.capable) return [];
+    const r = await workspaceRails.list();
+    if (!r.ok || !Array.isArray(r.data?.workspaces)) return [];
+    return r.data.workspaces; // [{ slug, name, role, owner_email }]
+  }
+
+  // Merge the local registry with the rails membership: shared workspaces I belong
+  // to but haven't given a local home yet surface as `joinable` cards (no dir,
+  // can't be entered until joined). Ones I already host locally are deduped by slug.
+  async function lobbyListMerged() {
+    const local = lobbyList();
+    const localSlugs = new Set(local.filter((w) => w.shared?.slug).map((w) => w.shared.slug));
+    const joinable = (await sharedFromRails())
+      .filter((w) => !localSlugs.has(w.slug))
+      .map((w) => ({
+        id: `shared:${w.slug}`, // synthetic — no local folder to re-root into yet
+        name: w.name,
+        slug: w.slug,
+        kind: 'shared',
+        joinable: true,
+        shared: { slug: w.slug, ownerEmail: w.owner_email, role: w.role },
+        lastOpenedAt: 0,
+      }));
+    return [...local, ...joinable];
+  }
+
+  app.get('/api/lobby/workspaces', async (c) => {
     const forbidden = require(c, 'fileTree');
     if (forbidden) return forbidden;
-    return c.json({ workspaces: lobbyList(), defaultId: defaultWorkspace.id });
+    return c.json({ workspaces: await lobbyListMerged(), defaultId: defaultWorkspace.id });
   });
 
   app.post('/api/lobby/workspaces', async (c) => {
@@ -1969,6 +2017,224 @@ export async function createServer(overrides = {}) {
     return c.json({ ok: true, removed });
   });
 
+  // --- sharing slice (design §4): promote a local workspace to shared + invite ---
+  // "Share" mints a first-class shared workspace on the bmo-sync rails (its own
+  // slug + member set) and flips THIS install's registry entry to kind:'shared'.
+  // The folder never moves (decision 7). HOST-only (you share the folder where it
+  // lives) + owner-level (fileTree) + must be logged in (the rails identity is the
+  // account's). The Decision-11 "this carries the files AND the agent's memory"
+  // heads-up lives on the client; the server just mints + records.
+
+  // Resolve a lobby workspace id to its registry entry, seeding the computed
+  // boot/default workspace on first touch so it can be shared like any other.
+  function lobbyEntryFor(id) {
+    let entry = getWorkspace(id, registryEnv);
+    if (!entry && id === defaultWorkspace.id) {
+      entry = seedDefault(
+        { dir: defaultWorkspace.dir, name: defaultWorkspace.name },
+        registryEnv,
+      );
+    }
+    return entry;
+  }
+
+  // Slice 3 "going live": start file-sync for a shared workspace by minting a
+  // membership-gated pass on the rails (provisions the file-sync project on first
+  // call) and pairing the LOCAL daemon to the folder, so it backs up to VW's
+  // rails. Best-effort by design — a down daemon or a rails hiccup must NOT fail
+  // Share (the membership identity is already minted); it returns a status the UI
+  // can surface ("backing up…" / "we'll start syncing when the daemon is up").
+  // Idempotent: a workspace already linked + already syncing is a no-op success.
+  async function startWorkspaceSync(entry, slug) {
+    try {
+      const linked = entry.shared?.projectCode || null;
+      if (linked) {
+        // Already provisioned — if the daemon is already syncing it, nothing to do.
+        const ws = await syncControl.listWorkspaces();
+        if (ws.some((w) => w.workspaceId === linked || w.projectId === linked)) {
+          return { synced: true, projectCode: linked };
+        }
+      }
+      const cred = await workspaceRails.syncCredential(slug);
+      if (!cred.ok || !cred.data?.invite_code) {
+        return { synced: false, reason: cred.code || 'rails_unreachable', message: cred.message };
+      }
+      const projectCode = cred.data.project_code;
+      try {
+        await syncControl.pair(cred.data.invite_code, entry.dir);
+      } catch (e) {
+        // The daemon is down / unreachable — file-sync will start once it's up and
+        // the owner re-shares (or a future watcher re-pairs). Membership stands.
+        return {
+          synced: false,
+          reason: 'daemon_unreachable',
+          message: String(e.message || e),
+          projectCode,
+        };
+      }
+      setSyncProject(entry.id, projectCode, registryEnv);
+      return { synced: true, projectCode };
+    } catch (e) {
+      // Belt-and-braces: file-sync is best-effort — ANY failure here leaves the
+      // workspace shared (membership minted) and just reports sync didn't start.
+      return { synced: false, reason: 'sync_error', message: String(e?.message || e) };
+    }
+  }
+
+  app.post('/api/lobby/workspaces/:id/share', async (c) => {
+    const forbidden = require(c, 'fileTree');
+    if (forbidden) return forbidden;
+    if (!isHostRequest(c)) {
+      return c.json(
+        {
+          error: 'host_only',
+          message: 'Share a workspace from the computer where its folder lives.',
+        },
+        403,
+      );
+    }
+    if (!config.account?.email || !workspaceRails.capable) {
+      return c.json(
+        {
+          error: 'login_required',
+          message: 'Sign in to VentureWild first — sharing gives the workspace an identity on the rails.',
+        },
+        400,
+      );
+    }
+    const id = c.req.param('id');
+    const entry = lobbyEntryFor(id);
+    if (!entry) return c.json({ error: 'no_such_workspace' }, 404);
+    const wasShared = entry.kind === 'shared' && Boolean(entry.shared?.slug);
+    // Mint the membership identity (idempotent: an already-shared workspace keeps
+    // its slug). Then "go live" — start backing the folder up. The file-sync step
+    // runs on BOTH a fresh share AND a re-share of an already-shared-but-not-yet-
+    // synced workspace, so a Share that happened before the daemon was up heals.
+    let shared = entry;
+    if (!wasShared) {
+      const r = await workspaceRails.create(entry.name);
+      if (!r.ok) {
+        // Surface the rails' code/message (slug_taken / unreachable / …) at a sane status.
+        const status = r.status >= 400 && r.status < 600 ? r.status : 502;
+        return c.json({ error: r.code || 'share_failed', message: r.message }, status);
+      }
+      shared = markShared(
+        id,
+        { slug: r.data.slug, ownerEmail: config.account.email, role: 'owner' },
+        registryEnv,
+      );
+      auditAction(c, 'lobby.share', `id=${id} slug=${r.data.slug}`);
+    }
+    if (!shared?.shared?.slug) return c.json({ error: 'share_failed' }, 500);
+    const sync = await startWorkspaceSync(shared, shared.shared.slug);
+    auditAction(c, 'lobby.share.sync', `id=${id} slug=${shared.shared.slug} synced=${sync.synced}`);
+    const finalEntry = getWorkspace(id, registryEnv) || shared;
+    return c.json({ ok: true, alreadyShared: wasShared, workspace: lobbyShape(finalEntry), sync });
+  });
+
+  app.post('/api/lobby/workspaces/:id/invite', async (c) => {
+    const forbidden = require(c, 'fileTree');
+    if (forbidden) return forbidden;
+    if (!isHostRequest(c)) return c.json({ error: 'host_only' }, 403);
+    if (!config.account?.email || !workspaceRails.capable) {
+      return c.json({ error: 'login_required' }, 400);
+    }
+    const id = c.req.param('id');
+    const entry = getWorkspace(id, registryEnv);
+    if (!entry || entry.kind !== 'shared' || !entry.shared?.slug) {
+      return c.json({ error: 'not_shared', message: 'Share this workspace before inviting people.' }, 400);
+    }
+    const body = await c.req.json().catch(() => ({}));
+    const email = typeof body.email === 'string' ? body.email.trim() : '';
+    if (!email || !email.includes('@')) {
+      return c.json({ error: 'invalid_email', message: 'Enter a teammate’s email address.' }, 400);
+    }
+    const r = await workspaceRails.addMember(entry.shared.slug, email);
+    if (!r.ok) {
+      const status = r.status >= 400 && r.status < 600 ? r.status : 502;
+      return c.json({ error: r.code || 'invite_failed', message: r.message }, status);
+    }
+    // No account yet → the rails recorded a PENDING invite; they'll claim it by
+    // signing in with Google + Join (no account-first requirement). Already-an-
+    // account → active immediately.
+    const pending = Boolean(r.data?.pending);
+    auditAction(c, 'lobby.invite', `slug=${entry.shared.slug} email=${email} pending=${pending}`);
+    return c.json({ ok: true, email, pending, accountId: r.data?.account_id || null });
+  });
+
+  // Join a shared workspace someone invited you to (design §4 decision 9). The
+  // invitee PICKS where it lives on their disk (a new folder under the Workspaces
+  // home, or an existing one — same mechanic as create), then it's registered
+  // locally + marked shared with this member's role. HOST-only (the folder lives
+  // here) + login. Membership is verified against the rails list, so you can only
+  // give a local home to a workspace you actually belong to. This binds the
+  // IDENTITY (so the per-person canvas syncs) AND — Slice 3 "filling in" — starts
+  // file-sync via the SAME `startWorkspaceSync` the owner uses: the joiner's daemon
+  // pairs the chosen folder and pulls the current state, so it fills with the
+  // owner's files + agent-brain instead of landing empty. Best-effort: a down
+  // daemon still joins you (you land in the folder; it fills once sync starts).
+  app.post('/api/lobby/workspaces/join', async (c) => {
+    const forbidden = require(c, 'fileTree');
+    if (forbidden) return forbidden;
+    if (!isHostRequest(c)) {
+      return c.json(
+        { error: 'host_only', message: 'Join a shared workspace from the computer where you want its folder.' },
+        403,
+      );
+    }
+    if (!config.account?.email || !workspaceRails.capable) {
+      return c.json({ error: 'login_required' }, 400);
+    }
+    const body = await c.req.json().catch(() => ({}));
+    const slug = typeof body.slug === 'string' ? body.slug.trim().toLowerCase() : '';
+    if (!slug) return c.json({ error: 'slug_required' }, 400);
+    // Claim membership on the rails: this BOTH verifies the caller belongs (an
+    // active member OR a pending invite addressed to their verified email) AND
+    // activates a pending invite (invited→active) — the invite-a-teammate-who-
+    // has-no-account-yet payoff. 403 not_a_member if neither.
+    const claimed = await workspaceRails.claim(slug);
+    if (!claimed.ok) {
+      if (claimed.code === 'not_a_member' || claimed.status === 403) {
+        return c.json({ error: 'not_a_member', message: 'You’re not a member of that workspace.' }, 403);
+      }
+      const status = claimed.status >= 400 && claimed.status < 600 ? claimed.status : 502;
+      return c.json({ error: claimed.code || 'join_failed', message: claimed.message }, status);
+    }
+    const ws = {
+      name: claimed.data?.name || slug,
+      role: claimed.data?.role || 'member',
+      owner_email: claimed.data?.owner_email || '',
+    };
+    // Already have a local home for it? Return that (idempotent re-join), and
+    // (re)start file-sync so a join that happened before the daemon was up heals.
+    const existing = listWorkspaces(registryEnv).find((w) => w.shared?.slug === slug);
+    if (existing) {
+      touchWorkspace(existing.id, registryEnv);
+      const sync = await startWorkspaceSync(existing, slug);
+      const finalEntry = getWorkspace(existing.id, registryEnv) || existing;
+      return c.json({ ok: true, alreadyJoined: true, workspace: lobbyShape(finalEntry), sync });
+    }
+    const name = typeof body.name === 'string' && body.name.trim() ? body.name.trim() : ws.name;
+    const dir = typeof body.dir === 'string' ? body.dir.trim() : '';
+    let entry;
+    try {
+      entry = registryCreateWorkspace({ name, dir: dir || undefined }, registryEnv);
+    } catch (e) {
+      return c.json({ error: 'join_failed', message: String(e.message || e) }, 400);
+    }
+    const updated = markShared(
+      entry.id,
+      { slug, ownerEmail: ws.owner_email, role: ws.role || 'member' },
+      registryEnv,
+    );
+    auditAction(c, 'lobby.join', `id=${entry.id} slug=${slug} claimed=${Boolean(claimed.data?.claimed)}`);
+    // Filling in: pair the joiner's daemon → it pulls the owner's files + brain.
+    const sync = await startWorkspaceSync(updated, slug);
+    auditAction(c, 'lobby.join.sync', `id=${entry.id} slug=${slug} synced=${sync.synced}`);
+    const finalEntry = getWorkspace(entry.id, registryEnv) || updated;
+    return c.json({ ok: true, workspace: lobbyShape(finalEntry), sync });
+  });
+
   app.get('/api/workspace/tree', async (c) => {
     if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
       return c.json({ error: 'forbidden' }, 403);

package/server/src/workspace-registry.mjs

@@ -10,9 +10,13 @@
 // Creating/opening a workspace is a HOST action (the folder lives here); a remote
 // browser only ENTERS existing ones — enforced at the route, not here.
 //
-// Local workspaces only (kind:'local'); shared workspaces arrive from the rails in
-// a later slice. `removeWorkspace` drops a folder from the LIST only — it never
-// deletes files.
+// A workspace is `kind:'local'` until the owner explicitly SHARES it (sharing
+// slice / design §4 decision 7): `markShared` promotes the entry to `kind:'shared'`
+// and records a `shared:{slug,ownerEmail,role,sharedAt}` block — the slug is the
+// workspace's first-class identity on the bmo-sync rails (membership/canvas), minted
+// by `POST /api/workspaces/create`. The folder stays exactly where it is; promoting
+// is a metadata flip on the LIST, never a move. `removeWorkspace` drops a folder
+// from the LIST only — it never deletes files.
 
 import fs from 'node:fs';
 import path from 'node:path';
@@ -71,17 +75,40 @@ function readRaw(env) {
   return [];
 }
 
+// A shared workspace carries a `shared` block (the rails identity + the local
+// member's role). Only kept when the entry is actually `kind:'shared'` AND the
+// block has a slug; anything else collapses back to a plain local entry so a
+// half-written record can't masquerade as shared.
+function sanitizeShared(s) {
+  if (!s || typeof s !== 'object' || typeof s.slug !== 'string' || !s.slug.trim()) return null;
+  const out = {
+    slug: s.slug.trim().toLowerCase(),
+    ownerEmail: typeof s.ownerEmail === 'string' ? s.ownerEmail : '',
+    role: s.role === 'owner' ? 'owner' : 'member',
+    sharedAt: Number(s.sharedAt) || 0,
+  };
+  // Slice 3: the file-sync project this workspace replicates through, recorded
+  // once the daemon is paired ("going live"). Absent until file-sync starts.
+  if (typeof s.projectCode === 'string' && s.projectCode.trim()) {
+    out.projectCode = s.projectCode.trim();
+  }
+  return out;
+}
+
 function sanitize(e) {
   if (!e || typeof e !== 'object' || typeof e.dir !== 'string' || !e.dir) return null;
   const dir = path.resolve(e.dir);
-  return {
+  const shared = sanitizeShared(e.shared);
+  const out = {
     id: typeof e.id === 'string' && e.id ? e.id : idForDir(dir),
     name: typeof e.name === 'string' && e.name.trim() ? e.name.trim() : nameForDir(dir),
     dir,
-    kind: e.kind === 'shared' ? 'shared' : 'local',
+    kind: e.kind === 'shared' && shared ? 'shared' : 'local',
     createdAt: Number(e.createdAt) || nowMs(),
     lastOpenedAt: Number(e.lastOpenedAt) || 0,
   };
+  if (out.kind === 'shared') out.shared = shared;
+  return out;
 }
 
 function writeRaw(list, env) {
@@ -215,6 +242,49 @@ export function touchWorkspace(id, env = process.env) {
   return w;
 }
 
+/**
+ * Promote a registered workspace to SHARED (sharing slice / design §4 decision 7).
+ * The workspace must already be in the registry (the boot/default workspace is
+ * seeded first by the caller). Records the rails identity (`slug`) + the local
+ * member's role; the folder is untouched. Idempotent: re-sharing updates the block.
+ * Returns the updated entry, or null if the id is unknown.
+ */
+export function markShared(id, { slug, ownerEmail = '', role = 'owner' } = {}, env = process.env) {
+  if (!slug || typeof slug !== 'string') throw new Error('markShared requires a slug');
+  const list = readRaw(env);
+  const w = list.find((x) => x.id === id);
+  if (!w) return null;
+  w.kind = 'shared';
+  w.shared = sanitizeShared({
+    slug,
+    ownerEmail,
+    role,
+    sharedAt: w.shared?.sharedAt || nowMs(),
+    // Preserve a file-sync link already recorded (re-share/re-mark must not drop it).
+    projectCode: w.shared?.projectCode,
+  });
+  writeRaw(list, env);
+  return w;
+}
+
+/**
+ * Record the file-sync project a shared workspace replicates through, once the
+ * daemon has paired the folder (Slice 3 "going live"). The entry must already be
+ * `kind:'shared'`. Idempotent. Returns the updated entry, or null if the id is
+ * unknown / not shared.
+ */
+export function setSyncProject(id, projectCode, env = process.env) {
+  if (!projectCode || typeof projectCode !== 'string') {
+    throw new Error('setSyncProject requires a projectCode');
+  }
+  const list = readRaw(env);
+  const w = list.find((x) => x.id === id);
+  if (!w || w.kind !== 'shared' || !w.shared) return null;
+  w.shared = sanitizeShared({ ...w.shared, projectCode });
+  writeRaw(list, env);
+  return w;
+}
+
 /** Remove a workspace from the LIST only. NEVER deletes the folder or its files. */
 export function removeWorkspace(id, env = process.env) {
   const list = readRaw(env);

package/server/src/workspaces.mjs

@@ -81,11 +81,35 @@ export class WorkspaceRails {
     return this._post('/api/workspaces/list', {});
   }
 
-  /** Add a member by email (owner-only; the email must already have an account). */
+  /**
+   * Add a member by email (owner-only). If the email has no account yet the
+   * rails records a PENDING invite (`data.pending === true`) instead of an
+   * active membership; the person claims it by signing in + Join.
+   */
   addMember(slug, email) {
     return this._post('/api/workspaces/members/add', { slug, member_email: email });
   }
 
+  /**
+   * Claim membership at Join time. Activates a pending invite addressed to this
+   * account's own VERIFIED email; a no-op for an already-active member. Returns
+   * `{ok, data:{role, name, owner_email, claimed}}` or a 403 `not_a_member`.
+   */
+  claim(slug) {
+    return this._post('/api/workspaces/claim', { slug });
+  }
+
+  /**
+   * Mint a file-sync pass for a shared workspace this account belongs to
+   * (Slice 3). Returns `{ok, data:{project_code, invite_code, expires_at}}` — the
+   * daemon redeems `invite_code` to pair the folder and start replicating. The
+   * project is provisioned lazily server-side; the code is stable, the invite is
+   * one-shot (each call mints a fresh one). A non-member → 403 `not_a_member`.
+   */
+  syncCredential(slug) {
+    return this._post('/api/workspaces/sync-credential', { slug });
+  }
+
   /** Remove a member by email or accountId (owner-only; the owner can't be removed). */
   removeMember(slug, ref) {
     const body = { slug };