@venturewild/workspace 0.6.4 → 0.6.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.6.4",
+  "version": "0.6.6",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/index.mjs

@@ -37,7 +37,7 @@ import { ActivityBus } from './activity.mjs';
 import { createWorkspacePresence } from './workspace-presence.mjs';
 import { loadIdentity, saveIdentity, markOnboarded, TONES } from './agent-identity.mjs';
 import { probeAgentReadiness } from './agent-readiness.mjs';
-import { AutoUpdater, npmInstall, recordUpdate, loadUpdateSettings, PACKAGE_NAME } from './auto-update.mjs';
+import { AutoUpdater, npmInstall, recordUpdate, loadUpdateSettings, PACKAGE_NAME, fetchLatestVersion, isNewer } from './auto-update.mjs';
 import {
   consentStatus,
   revokeConsent,
@@ -1404,22 +1404,77 @@ export async function createServer(overrides = {}) {
     return c.json({ agent: agentTag(activeAgent), ...verdict });
   });
 
-  // Auto-update status (Phase 2) — what's running, the channel, on/off, and the
-  // last update outcome (the "updated to vX" note the UI can surface). Read-only;
-  // the toggle/apply levers are the CLI + the operator channel.
-  app.get('/api/update/status', (c) => {
+  // Auto-update status (Phase 2 + the in-app update UX) — what's running, the
+  // channel, on/off, the last update outcome, AND whether a newer version is
+  // published (powers the "update ready" nudge + the ⋯More control + the
+  // check-on-open). The latest-version lookup is cached (60s) so an auto-check on
+  // open/focus is cheap; ?fresh=1 bypasses it (the manual "check again"). Read
+  // (chat)-gated. The latest fetch is degrade-never (null on any failure).
+  let _latestCache = { at: 0, channel: null, latest: null };
+  const LATEST_TTL_MS = 60_000;
+  // `fallback` serves the last-good value for this channel when a fetch fails —
+  // good for the STATUS display (don't flap to null). `apply` passes fallback:false
+  // so it only proceeds on a freshly-confirmed version (never installs off stale).
+  async function latestVersionCached(channel, { fresh = false, fallback = true } = {}) {
+    const t = Date.now();
+    if (!fresh && _latestCache.latest != null && _latestCache.channel === channel
+        && t - _latestCache.at < LATEST_TTL_MS) return _latestCache.latest;
+    const impl = overrides.latestVersionImpl || fetchLatestVersion;
+    let latest = null;
+    try { latest = await impl(channel, { packageName: PACKAGE_NAME }); } catch { latest = null; }
+    if (latest) { _latestCache = { at: t, channel, latest }; return latest; }
+    return fallback && _latestCache.channel === channel ? _latestCache.latest : null;
+  }
+  const updateRequestFile = () => path.join(globalDir(), 'update-request.json');
+  app.get('/api/update/status', async (c) => {
     const forbidden = require(c, 'chat');
     if (forbidden) return forbidden;
     const s = loadUpdateSettings(globalDir());
+    const fresh = c.req.query('fresh') === '1';
+    const latest = await latestVersionCached(s.channel, { fresh });
     return c.json({
       current: APP_VERSION,
+      latest: latest || null,
+      available: isNewer(latest, APP_VERSION),
       enabled: s.enabled,
       channel: s.channel,
       lastCheckAt: s.lastCheckAt || null,
       lastUpdate: s.lastUpdate || null,
+      applying: existsSync(updateRequestFile()),
     });
   });
 
+  // Apply an update from the UI (the one-tap nudge / ⋯More control). chatWrite-
+  // gated (owner action). We do NOT install in-process — the always-on supervisor
+  // owns install + restart + health-gated rollback. We drop an `update-request`
+  // signal the supervisor consumes on its next tick (the SAME out-of-band channel
+  // as the support `restart-server` action). If no supervisor owns this server (a
+  // bare foreground run), the file just waits until always-on next runs — the
+  // client polls /api/health and times out honestly. Returns immediately; the
+  // client then watches /api/health for the version to change and reloads.
+  app.post('/api/update/apply', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const s = loadUpdateSettings(globalDir());
+    const latest = await latestVersionCached(s.channel, { fresh: true, fallback: false });
+    if (!latest) return c.json({ ok: false, error: 'registry_unreachable', current: APP_VERSION });
+    if (!isNewer(latest, APP_VERSION)) {
+      return c.json({ ok: true, updated: false, current: APP_VERSION, latest });
+    }
+    try {
+      mkdirSync(globalDir(), { recursive: true });
+      writeFileSync(
+        updateRequestFile(),
+        JSON.stringify({ requestedAt: Date.now(), from: APP_VERSION, to: latest }, null, 2),
+        { mode: 0o600 },
+      );
+    } catch (e) {
+      return c.json({ ok: false, error: 'signal_failed', message: String(e?.message || e) }, 500);
+    }
+    log('[update]', `apply requested ${APP_VERSION} → ${latest} (${s.channel})`);
+    return c.json({ ok: true, requested: true, current: APP_VERSION, latest });
+  });
+
   // Support consent + audit (Phase 3, Pillar E) — the user's view of the
   // out-of-band support channel: is support allowed (tier/expiry), was it acting
   // recently, and a feed of everything it did (the daemon writes the audit; this

package/server/src/supervisor.mjs

@@ -191,6 +191,10 @@ export class WorkspaceSupervisor {
     // out-of-band even when :5173 is wedged. We kill the child; the next tick
     // respawns it from disk (new code loads). Safe: absent file = no-op.
     this.restartRequestFile = path.join(globalDir, 'restart-request.json');
+    // The in-app "Update now" (and the support update-now) drops this file; we
+    // consume it on the next tick and run a FORCED update check (install +
+    // restart + health-gated rollback via the AutoUpdater). Absent file = no-op.
+    this.updateRequestFile = path.join(globalDir, 'update-request.json');
     this.child = null;
     this.backoff = backoffStartMs;
     this.lastSpawn = 0;
@@ -268,6 +272,21 @@ export class WorkspaceSupervisor {
     return true;
   }
 
+  /**
+   * Consume a pending "update now" request (the in-app nudge / ⋯More control, or
+   * the support update-now). Read-then-delete makes "present" mean "unhandled" —
+   * idempotent across ticks. Mirrors consumeRestartRequest().
+   */
+  consumeUpdateRequest() {
+    try {
+      fs.readFileSync(this.updateRequestFile); // throws if absent
+    } catch {
+      return false;
+    }
+    try { fs.unlinkSync(this.updateRequestFile); } catch { /* best-effort */ }
+    return true;
+  }
+
   /** One supervision step. Returns its decision (exposed for tests). */
   async tick() {
     // Phase 3.2: a consented support restart request takes priority — kill the
@@ -277,6 +296,16 @@ export class WorkspaceSupervisor {
       this.restartChild();
       return 'restart-requested';
     }
+    // An in-app / support "update now" request: run a FORCED update check + apply
+    // (install + restart + health-gated rollback, via the AutoUpdater). Only when
+    // the updater is already built — otherwise leave the file for a later tick so
+    // an early-boot request isn't silently dropped. The `&&` short-circuit means
+    // consumeUpdateRequest() (which deletes the file) only runs once we can act.
+    if (this.autoUpdater && this.consumeUpdateRequest()) {
+      this.log('update-now requested — running forced update check');
+      this.runUpdateTick({ force: true });
+      return 'update-requested';
+    }
     // Part-8 backstop: if disk moved ahead of our own code (any update path),
     // schedule a supervisor self-restart. Side-effect only — never changes the
     // tick decision below (server/daemon healing proceeds as usual meanwhile).