@venturewild/workspace 0.6.11 → 0.6.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.6.11",
+  "version": "0.6.13",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/chat-sessions.mjs

@@ -0,0 +1,262 @@
+// Chat sessions — first-class, server-backed conversations per workspace.
+//
+// WHY: chat history used to live ONLY in each browser's localStorage, so the same
+// workspace opened on a second device showed a blank chat. A "session" is now a
+// thread made first-class and stored on the HOST (under the workspace's
+// `.wild-workspace/sessions/`), so every device that reaches this host (all of one
+// account's devices do — vw-proxy → one daemon → one server) sees, switches, and
+// continues the same conversations. The Claude *resume token* still lives in
+// `chat-session[-<id>].json` (unchanged); this store holds the VISIBLE message
+// history + a per-workspace session registry.
+//
+// Content on the host disk has precedent (transcript.mjs already writes the
+// conversation to ~/.wild-workspace/transcripts/<ws>/). `.wild-workspace` is
+// gitignored AND daemon-sync-ignored, so this never pollutes the user's repo or
+// collides with file-sync. Cross-MEMBER (different accounts on different hosts)
+// sharing rides the rails — see session-rails.mjs.
+//
+// Modeled on settings.mjs / canvas/core.mjs: atomic temp-write+rename, hard caps,
+// and degrade-never-throw (a read-only FS must never break chat — it just falls
+// back to the client's localStorage cache).
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { nanoid } from 'nanoid';
+
+// The primary/legacy chat. Maps to threadId=null for turnKey + the Claude resume
+// file (`chat-session.json`) so existing single-chat installs are byte-identical
+// on upgrade. Its message history lives in `sessions/main.json`.
+export const MAIN_SESSION_ID = 'main';
+
+const MAX_MESSAGES = 200; // server keeps a bit more than the client's localStorage cap
+const MAX_BYTES = 2 * 1024 * 1024; // 2 MB per session's messages file
+const MAX_SESSIONS = 200; // registry soft cap
+const TITLE_CAP = 120;
+
+// An id is usable as a filename component ONLY if it round-trips through the same
+// charset sanitizeThreadId (index.mjs) enforces — reject anything else so the
+// `<id>.json` path can never traverse. nanoid()'s alphabet (A-Za-z0-9_-) + 'main'
+// pass unchanged.
+function safeId(id) {
+  if (typeof id !== 'string' || !id || id.length > 64) return null;
+  if (id === '.' || id === '..') return null;
+  return /^[a-zA-Z0-9._-]+$/.test(id) ? id : null;
+}
+
+function readJsonSafe(file, fallback) {
+  try {
+    return JSON.parse(fs.readFileSync(file, 'utf8'));
+  } catch {
+    return fallback;
+  }
+}
+
+function nowMs() {
+  return Date.now();
+}
+
+// Recency ordering needs strictly-increasing activity stamps: two touches in the
+// same millisecond (easy on a fast machine/CI) would otherwise tie and the sort
+// would fall back to undefined order. Clamp each new stamp strictly above every
+// existing one (mirrors workspace-registry.mjs nextOpenStamp).
+function nextStamp(sessions) {
+  let max = 0;
+  for (const s of sessions) {
+    if (s.lastActivityAt > max) max = s.lastActivityAt;
+    if (s.createdAt > max) max = s.createdAt;
+  }
+  return Math.max(nowMs(), max + 1);
+}
+
+function sanitizeRec(s) {
+  const id = safeId(s?.id);
+  if (!id) return null;
+  return {
+    id,
+    title: typeof s.title === 'string' && s.title.trim() ? s.title.trim().slice(0, TITLE_CAP) : null,
+    account: typeof s.account === 'string' && s.account ? s.account : 'local',
+    createdAt: Number(s.createdAt) || nowMs(),
+    lastActivityAt: Number(s.lastActivityAt) || Number(s.createdAt) || nowMs(),
+  };
+}
+
+/**
+ * Per-workspace session store. Construct from the workspace's dataDir (the
+ * `.wild-workspace` folder) — `createChatSessions({ dataDir: workspaceFor(c).dataDir })`.
+ */
+export function createChatSessions({ dataDir } = {}) {
+  const dir = path.join(dataDir, 'sessions');
+  const indexFile = path.join(dir, 'index.json');
+  const msgFile = (id) => path.join(dir, `${id}.json`);
+  // The Claude resume file for a session: Main → legacy un-suffixed; others suffixed.
+  const resumeFile = (id) =>
+    id === MAIN_SESSION_ID
+      ? path.join(dataDir, 'chat-session.json')
+      : path.join(dataDir, `chat-session-${id}.json`);
+
+  function readIndex() {
+    const v = readJsonSafe(indexFile, null);
+    const arr = v && Array.isArray(v.sessions) ? v.sessions : [];
+    return arr.map(sanitizeRec).filter(Boolean);
+  }
+
+  function writeIndex(sessions) {
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+      const tmp = `${indexFile}.${process.pid}.tmp`;
+      fs.writeFileSync(tmp, JSON.stringify({ sessions }, null, 2));
+      fs.renameSync(tmp, indexFile);
+    } catch {
+      /* read-only fs — degrade to not-persisted (client localStorage still works) */
+    }
+  }
+
+  /** All sessions, most-recently-active first. */
+  function list() {
+    return readIndex().sort((a, b) => b.lastActivityAt - a.lastActivityAt);
+  }
+
+  function findIndex(sessions, id) {
+    return sessions.findIndex((s) => s.id === id);
+  }
+
+  /** Idempotently ensure the Main session exists (maps to the legacy null thread). */
+  function ensureMain(account = 'local') {
+    const sessions = readIndex();
+    if (findIndex(sessions, MAIN_SESSION_ID) >= 0) return;
+    sessions.push(
+      sanitizeRec({
+        id: MAIN_SESSION_ID,
+        title: 'Main',
+        account,
+        createdAt: nowMs(),
+        lastActivityAt: nowMs(),
+      }),
+    );
+    writeIndex(sessions);
+  }
+
+  /** Create a new session. Returns the record. */
+  function create({ title, account } = {}) {
+    const sessions = readIndex();
+    // Soft cap: evict the oldest non-Main session that has no stored messages.
+    if (sessions.length >= MAX_SESSIONS) {
+      const victim = [...sessions]
+        .filter((s) => s.id !== MAIN_SESSION_ID && !fs.existsSync(msgFile(s.id)))
+        .sort((a, b) => a.lastActivityAt - b.lastActivityAt)[0];
+      if (victim) sessions.splice(findIndex(sessions, victim.id), 1);
+    }
+    const stamp = nextStamp(sessions);
+    const rec = sanitizeRec({
+      id: nanoid(10),
+      title: title || null,
+      account: account || 'local',
+      createdAt: stamp,
+      lastActivityAt: stamp,
+    });
+    sessions.push(rec);
+    writeIndex(sessions);
+    return rec;
+  }
+
+  function getMessages(id) {
+    const safe = safeId(id);
+    if (!safe) return [];
+    const v = readJsonSafe(msgFile(safe), null);
+    return v && Array.isArray(v.messages) ? v.messages : [];
+  }
+
+  /**
+   * Replace a session's messages (capped). Upserts the registry record (so a PUT
+   * is self-sufficient even if create raced). Returns { ok, count } — ok:false on
+   * a bad id or an oversized body.
+   */
+  function putMessages(id, messages, { account } = {}) {
+    const safe = safeId(id);
+    if (!safe || !Array.isArray(messages)) return { ok: false, count: 0 };
+    const capped = messages.slice(-MAX_MESSAGES);
+    const body = JSON.stringify({ messages: capped });
+    if (Buffer.byteLength(body, 'utf8') > MAX_BYTES) return { ok: false, count: 0, error: 'too_large' };
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+      const tmp = `${msgFile(safe)}.${process.pid}.tmp`;
+      fs.writeFileSync(tmp, body);
+      fs.renameSync(tmp, msgFile(safe));
+    } catch {
+      return { ok: false, count: 0, error: 'write_failed' };
+    }
+    // Upsert + touch the registry record.
+    const sessions = readIndex();
+    const stamp = nextStamp(sessions);
+    const i = findIndex(sessions, safe);
+    if (i >= 0) {
+      sessions[i] = { ...sessions[i], lastActivityAt: stamp };
+    } else {
+      sessions.push(
+        sanitizeRec({
+          id: safe,
+          title: safe === MAIN_SESSION_ID ? 'Main' : null,
+          account: account || 'local',
+          createdAt: stamp,
+          lastActivityAt: stamp,
+        }),
+      );
+    }
+    writeIndex(sessions);
+    return { ok: true, count: capped.length };
+  }
+
+  function rename(id, title) {
+    const safe = safeId(id);
+    if (!safe) return null;
+    const sessions = readIndex();
+    const i = findIndex(sessions, safe);
+    if (i < 0) return null;
+    sessions[i] = {
+      ...sessions[i],
+      title: typeof title === 'string' && title.trim() ? title.trim().slice(0, TITLE_CAP) : null,
+    };
+    writeIndex(sessions);
+    return sessions[i];
+  }
+
+  /** Remove a session (never Main). Also unlinks its messages + Claude resume file. */
+  function remove(id) {
+    const safe = safeId(id);
+    if (!safe || safe === MAIN_SESSION_ID) return false;
+    const sessions = readIndex();
+    const i = findIndex(sessions, safe);
+    if (i < 0) return false;
+    sessions.splice(i, 1);
+    writeIndex(sessions);
+    for (const f of [msgFile(safe), resumeFile(safe)]) {
+      try { fs.unlinkSync(f); } catch { /* already gone / read-only */ }
+    }
+    return true;
+  }
+
+  /** Bump lastActivityAt (used when a turn finishes, even from another device). */
+  function touch(id, { account } = {}) {
+    const safe = safeId(id);
+    if (!safe) return;
+    const sessions = readIndex();
+    const stamp = nextStamp(sessions);
+    const i = findIndex(sessions, safe);
+    if (i >= 0) {
+      sessions[i] = { ...sessions[i], lastActivityAt: stamp };
+    } else {
+      sessions.push(
+        sanitizeRec({
+          id: safe,
+          title: safe === MAIN_SESSION_ID ? 'Main' : null,
+          account: account || 'local',
+          createdAt: stamp,
+          lastActivityAt: stamp,
+        }),
+      );
+    }
+    writeIndex(sessions);
+  }
+
+  return { dir, list, ensureMain, create, getMessages, putMessages, rename, remove, touch };
+}

package/server/src/index.mjs

@@ -34,6 +34,8 @@ import { PairingStore } from './pairing.mjs';
 import { verifyGoogleVouch, emailMatches } from './google-vouch.mjs';
 import { listDir, readFile, fullTree, workspaceSummary, safeResolve } from './fs.mjs';
 import { browseDir, browseRoots, listDrives } from './lobby-browse.mjs';
+import { createChatSessions, MAIN_SESSION_ID } from './chat-sessions.mjs';
+import { createSessionRails } from './session-rails.mjs';
 import { InboxWatcher } from './inbox.mjs';
 import { ActivityBus } from './activity.mjs';
 import { createWorkspacePresence } from './workspace-presence.mjs';
@@ -424,6 +426,9 @@ export async function createServer(overrides = {}) {
   // cache. `canvas` above still owns the workspace-SHARED agent content (blocks +
   // agent theme). Person-scoped state stores are built lazily + cached per personKey.
   const canvasRails = overrides.canvasRails || createCanvasRails(config, config.account);
+  // Cross-host shared chat sessions client (Phase 2). Inert without an account /
+  // bmo-sync URL; only used for SHARED workspaces (local ones stay per-host).
+  const sessionRails = overrides.sessionRails || createSessionRails(config, config.account);
   // Shared-workspace membership client (sharing slice — design §4). The account
   // token is kept top-level on config (out of the broadcast `config.account`), so
   // pass it explicitly, mirroring the CLI `wild-workspace workspace …`. Inert (and
@@ -703,6 +708,11 @@ export async function createServer(overrides = {}) {
             saveChatSessionId(workspace.dataDir, threadId, session.sessionId);
           }
         }
+        // Keep the session list's recency honest even when the turn was driven from
+        // another device (the message PUT is client-driven; this is server-side).
+        try {
+          createChatSessions({ dataDir: workspace.dataDir }).touch(threadId || MAIN_SESSION_ID);
+        } catch { /* best-effort — never break a turn on a registry hiccup */ }
         broadcastChat({ type: 'end', messageId: id, code }, workspace.id, threadId);
         activityBus.publish({ type: 'chat-end', messageId: id, code });
       });
@@ -2783,6 +2793,149 @@ export async function createServer(overrides = {}) {
     return c.json({ ok: true, ...result });
   });
 
+  // --- chat sessions (server-backed, cross-device) ---------------------------
+  // A "session" is a thread made first-class + stored on the host, so every device
+  // that reaches this host (all of one account's devices) sees/switches/continues
+  // the same conversations. Main maps to the legacy null thread. Reads gate on
+  // `chat`, writes on `chatWrite` (viewers get a read-only list). Per-workspace via
+  // workspaceFor(c).dataDir. (Cross-MEMBER sharing rides the rails — Phase 2.)
+  function sessionsFor(c) {
+    return createChatSessions({ dataDir: workspaceFor(c).dataDir });
+  }
+  // A session id → the turn/resume threadId (Main is the legacy null thread).
+  const threadForSession = (id) => (id === MAIN_SESSION_ID ? null : id);
+  const accountLabel = () => config.account?.email || 'local';
+  // The shared-workspace slug for the active workspace, or null (a LOCAL workspace
+  // stays per-host — Phase 1 only). Phase 2 syncs shared sessions over the rails.
+  function sharedSlugFor(c) {
+    const entry = getWorkspace(workspaceFor(c).id, registryEnv);
+    return entry?.kind === 'shared' && entry.shared?.slug ? entry.shared.slug : null;
+  }
+  // The rails session id is namespaced "<slug>::<localId>" (globally unique + tied
+  // to the workspace). Map both directions.
+  const railsId = (slug, lid) => `${slug}::${lid}`;
+  const fromRailsId = (slug, rid) =>
+    rid.startsWith(`${slug}::`) ? rid.slice(slug.length + 2) : rid;
+
+  app.get('/api/sessions', async (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    const ws = workspaceFor(c);
+    const store = sessionsFor(c);
+    store.ensureMain(accountLabel());
+    const byId = new Map(store.list().map((s) => [s.id, s]));
+    // Shared workspace → merge in the cross-host sessions (labeled by owner email).
+    const slug = sharedSlugFor(c);
+    if (slug && sessionRails.capable) {
+      const r = await sessionRails.listSessions(slug);
+      if (r.ok) {
+        for (const rs of r.sessions) {
+          const lid = fromRailsId(slug, rs.id);
+          const existing = byId.get(lid);
+          byId.set(lid, {
+            id: lid,
+            title: rs.title || existing?.title || (lid === MAIN_SESSION_ID ? 'Main' : null),
+            account: rs.owner_email || existing?.account || 'local',
+            createdAt: (rs.created_at ? rs.created_at * 1000 : existing?.createdAt) || Date.now(),
+            lastActivityAt: (rs.updated_at ? rs.updated_at * 1000 : existing?.lastActivityAt) || 0,
+          });
+        }
+      }
+    }
+    const sessions = [...byId.values()]
+      .sort((a, b) => b.lastActivityAt - a.lastActivityAt)
+      .map((s) => ({ ...s, live: currentTurns.has(turnKey(ws.id, threadForSession(s.id))) }));
+    return c.json({ sessions });
+  });
+
+  app.post('/api/sessions', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const rec = sessionsFor(c).create({
+      title: typeof body.title === 'string' ? body.title : null,
+      account: accountLabel(),
+    });
+    const slug = sharedSlugFor(c);
+    if (slug && sessionRails.capable) {
+      sessionRails.createSession(slug, railsId(slug, rec.id), rec.title).catch(() => {});
+    }
+    auditAction(c, 'sessions.create', `id=${rec.id}`);
+    return c.json({ session: rec });
+  });
+
+  app.get('/api/sessions/:id/messages', async (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    const id = c.req.param('id');
+    const slug = sharedSlugFor(c);
+    if (slug && sessionRails.capable) {
+      const r = await sessionRails.pullMessages(slug, railsId(slug, id));
+      if (r.ok && r.messages.length) {
+        const msgs = [];
+        for (const m of r.messages) {
+          try { msgs.push(JSON.parse(m.json)); } catch { /* skip a corrupt row */ }
+        }
+        // refresh the local cache so an offline reload still has it
+        try { sessionsFor(c).putMessages(id, msgs, { account: accountLabel() }); } catch { /* ignore */ }
+        return c.json({ messages: msgs });
+      }
+      // rails empty/unreachable → fall through to the local store
+    }
+    return c.json({ messages: sessionsFor(c).getMessages(id) });
+  });
+
+  app.put('/api/sessions/:id/messages', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const id = c.req.param('id');
+    const body = await c.req.json().catch(() => ({}));
+    const messages = Array.isArray(body.messages) ? body.messages : [];
+    const res = sessionsFor(c).putMessages(id, messages, { account: accountLabel() });
+    if (!res.ok) return c.json({ error: res.error || 'bad_request' }, 400);
+    const slug = sharedSlugFor(c);
+    if (slug && sessionRails.capable) {
+      const payload = messages
+        .slice(-200)
+        .filter((m) => m && m.id != null)
+        .map((m) => ({ id: String(m.id), json: JSON.stringify(m) }));
+      if (payload.length) sessionRails.pushMessages(slug, railsId(slug, id), payload).catch(() => {});
+    }
+    return c.json({ ok: true, count: res.count });
+  });
+
+  app.patch('/api/sessions/:id', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const id = c.req.param('id');
+    const body = await c.req.json().catch(() => ({}));
+    const rec = sessionsFor(c).rename(id, body.title);
+    if (!rec) return c.json({ error: 'not_found' }, 404);
+    const slug = sharedSlugFor(c);
+    if (slug && sessionRails.capable) {
+      sessionRails.createSession(slug, railsId(slug, id), rec.title).catch(() => {});
+    }
+    auditAction(c, 'sessions.rename', `id=${rec.id}`);
+    return c.json({ session: rec });
+  });
+
+  app.delete('/api/sessions/:id', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const id = c.req.param('id');
+    if (id === MAIN_SESSION_ID) return c.json({ error: 'cannot_remove_main' }, 400);
+    const ws = workspaceFor(c);
+    // Stop a live turn for this session before dropping it (mirror the WS cancel).
+    const live = currentTurns.get(turnKey(ws.id, threadForSession(id)));
+    if (live?.session) {
+      try { live.session.close(); } catch { /* best-effort */ }
+      currentTurns.delete(turnKey(ws.id, threadForSession(id)));
+    }
+    const removed = sessionsFor(c).remove(id);
+    auditAction(c, 'sessions.remove', `id=${id} removed=${removed}`);
+    return c.json({ ok: true, removed });
+  });
+
   // The built site, served SAME-ORIGIN through this (already authed) server — no
   // squatted dev port, no mixed-content under the public proxy. The build dir
   // comes from preview.json (written by the agent's launch_preview / record_use).

package/server/src/session-rails.mjs

@@ -0,0 +1,111 @@
+// SessionRails — cross-host SHARED chat sessions on the rails.
+//
+// WHY: a session stored on one host is reachable by all of THAT account's devices
+// (one host). For a SHARED workspace, members live on DIFFERENT hosts, so the
+// session list + transcripts ride VW's rails (bmo-sync) — exactly like canvas
+// state. This is a thin client over POST /api/workspace-sessions/{create,list,
+// messages/push,messages/pull} (account-token self-authed + membership-gated; the
+// caller is derived server-side, no IDOR). Local (unshared) workspaces never call
+// this — they're per-host only (chat-sessions.mjs).
+//
+// The rails session id is namespaced "<slug>::<localId>" so it's globally unique
+// and tied to the workspace; the Node caller (index.mjs) does that mapping.
+//
+// degrade-never-throw: every method fails soft so chat keeps working from the
+// local store when the rails are down or the install has no account. Modeled on
+// canvas-rails.mjs.
+
+const DEFAULT_TIMEOUT_MS = 3000;
+
+export class SessionRails {
+  constructor({
+    bmoSyncUrl,
+    accountToken,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    fetchImpl = (...a) => globalThis.fetch(...a),
+  } = {}) {
+    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
+    this.accountToken = accountToken || null;
+    this.timeoutMs = timeoutMs;
+    this.fetchImpl = fetchImpl;
+    this.capable = Boolean(this.accountToken) && Boolean(this.bmoSyncUrl);
+  }
+
+  async _post(path, body) {
+    if (!this.capable) return null;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), this.timeoutMs);
+    if (timer.unref) timer.unref();
+    try {
+      const r = await this.fetchImpl(`${this.bmoSyncUrl}${path}`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ account_token: this.accountToken, ...body }),
+        signal: ctrl.signal,
+      });
+      if (!r || !r.ok) return null;
+      return await r.json().catch(() => null);
+    } catch {
+      return null;
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+
+  /** Create-or-touch a shared session. `id` must be the namespaced "<slug>::<localId>". */
+  async createSession(slug, id, title = null) {
+    const resp = await this._post('/api/workspace-sessions/create', { slug, id, title });
+    return Boolean(resp && resp.ok === true);
+  }
+
+  /**
+   * List a shared workspace's sessions.
+   * @returns {Promise<{ok:boolean, sessions:Array}>} each: {id,title,owner_account_id,owner_email,created_at,updated_at}
+   */
+  async listSessions(slug) {
+    const resp = await this._post('/api/workspace-sessions/list', { slug });
+    if (!resp || resp.ok !== true) return { ok: false, sessions: [] };
+    return { ok: true, sessions: Array.isArray(resp.sessions) ? resp.sessions : [] };
+  }
+
+  /**
+   * Push messages (append-with-content-upsert; idempotent per message id).
+   * @param messages Array<{id:string, json:string}> — json = the stringified message object.
+   */
+  async pushMessages(slug, sessionId, messages, title = null) {
+    const resp = await this._post('/api/workspace-sessions/messages/push', {
+      slug,
+      session_id: sessionId,
+      title,
+      messages,
+    });
+    return Boolean(resp && resp.ok === true);
+  }
+
+  /**
+   * Pull a session's messages in stable order.
+   * @returns {Promise<{ok:boolean, messages:Array<{seq:number,json:string}>, maxSeq:number}>}
+   */
+  async pullMessages(slug, sessionId, since = 0) {
+    const resp = await this._post('/api/workspace-sessions/messages/pull', {
+      slug,
+      session_id: sessionId,
+      since,
+    });
+    if (!resp || resp.ok !== true) return { ok: false, messages: [], maxSeq: since };
+    return {
+      ok: true,
+      messages: Array.isArray(resp.messages) ? resp.messages : [],
+      maxSeq: Number(resp.max_seq) || since,
+    };
+  }
+}
+
+/** Build the rails client from server config + account (or inert when not logged in). */
+export function createSessionRails(config, account, fetchImpl) {
+  return new SessionRails({
+    bmoSyncUrl: config?.bmoSyncServerUrl,
+    accountToken: account?.accountToken,
+    fetchImpl,
+  });
+}