@very_aq/codex-cli-web 0.0.1

package/server/dist/threadList/threadListServerCache.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createThreadListServerCache = createThreadListServerCache;
+const DEFAULT_THREAD_LIST_SERVER_CACHE_TTL_MS = 30_000;
+function normalizeTtlMs(ttlMs) {
+    if (!Number.isFinite(ttlMs))
+        return DEFAULT_THREAD_LIST_SERVER_CACHE_TTL_MS;
+    return Math.max(0, Math.floor(Number(ttlMs)));
+}
+function cloneThreads(threads) {
+    return [...threads];
+}
+function createThreadListServerCache(options = {}) {
+    const nowMs = typeof options.nowMs === "function" ? options.nowMs : Date.now;
+    const ttlMs = normalizeTtlMs(options.ttlMs);
+    let cacheEntry = null;
+    return {
+        get() {
+            if (!cacheEntry)
+                return null;
+            if (ttlMs <= 0) {
+                cacheEntry = null;
+                return null;
+            }
+            if (nowMs() - cacheEntry.cachedAtMs > ttlMs) {
+                cacheEntry = null;
+                return null;
+            }
+            return cloneThreads(cacheEntry.threads);
+        },
+        set(threads) {
+            cacheEntry = {
+                threads: cloneThreads(threads),
+                cachedAtMs: nowMs(),
+            };
+        },
+        clear() {
+            cacheEntry = null;
+        },
+    };
+}
+//# sourceMappingURL=threadListServerCache.js.map

package/server/dist/threadList/threadListServerCache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threadListServerCache.js","sourceRoot":"","sources":["../../src/threadList/threadListServerCache.ts"],"names":[],"mappings":";;AA2BA,kEA4BC;AAvDD,MAAM,uCAAuC,GAAG,MAAM,CAAC;AAkBvD,SAAS,cAAc,CAAC,KAAyB;IAC/C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,uCAAuC,CAAC;IAC5E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,YAAY,CAAI,OAAY;IACnC,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC;AACtB,CAAC;AAED,SAAgB,2BAA2B,CAAI,UAAwC,EAAE;IACvF,MAAM,KAAK,GAAG,OAAO,OAAO,CAAC,KAAK,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;IAC7E,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,IAAI,UAAU,GAAyC,IAAI,CAAC;IAE5D,OAAO;QACL,GAAG;YACD,IAAI,CAAC,UAAU;gBAAE,OAAO,IAAI,CAAC;YAC7B,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;gBACf,UAAU,GAAG,IAAI,CAAC;gBAClB,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,KAAK,EAAE,GAAG,UAAU,CAAC,UAAU,GAAG,KAAK,EAAE,CAAC;gBAC5C,UAAU,GAAG,IAAI,CAAC;gBAClB,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,YAAY,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;QACD,GAAG,CAAC,OAAO;YACT,UAAU,GAAG;gBACX,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC;gBAC9B,UAAU,EAAE,KAAK,EAAE;aACpB,CAAC;QACJ,CAAC;QACD,KAAK;YACH,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/server/dist/tools/cwdSuggest.d.ts

@@ -0,0 +1,11 @@
+export type CwdSuggestErrorCode = "invalid_query" | "path_not_allowed";
+export declare class CwdSuggestError extends Error {
+    readonly code: CwdSuggestErrorCode;
+    constructor(code: CwdSuggestErrorCode, message: string);
+}
+export declare function suggestCwds(opts: {
+    query: string;
+    limit?: number;
+    allowAnyRoot?: boolean;
+    allowedRoots?: string[];
+}): Promise<string[]>;

package/server/dist/tools/cwdSuggest.js

@@ -0,0 +1,128 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CwdSuggestError = void 0;
+exports.suggestCwds = suggestCwds;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const env_1 = require("../env");
+// 目录建议接口的可预期错误类型（客户端可据此展示更友好的提示）。
+class CwdSuggestError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "CwdSuggestError";
+        this.code = code;
+    }
+}
+exports.CwdSuggestError = CwdSuggestError;
+// 判断 candidate 是否位于 root 目录之下（含 root 本身）。
+function isPathWithinRoot(root, candidate) {
+    const rel = path_1.default.relative(root, candidate);
+    if (!rel)
+        return true;
+    if (rel.startsWith(".."))
+        return false;
+    if (path_1.default.isAbsolute(rel))
+        return false;
+    return true;
+}
+// 统一限制返回数量，避免 readdir 结果过大影响响应时间。
+function normalizeLimit(raw) {
+    const n = typeof raw === "number" ? raw : typeof raw === "string" ? Number(raw) : NaN;
+    if (!Number.isFinite(n))
+        return 50;
+    const limit = Math.floor(n);
+    if (limit <= 0)
+        return 50;
+    return Math.min(100, limit);
+}
+// 将用户输入解析为“要列举的目录(listDir) + 目录名匹配前缀(namePrefix)”。
+function parseQuery(query) {
+    const trimmed = query.trim();
+    const normalized = trimmed.replace(/[\\/]+/g, path_1.default.sep);
+    const endsWithSep = normalized.endsWith(path_1.default.sep);
+    const listDirRaw = endsWithSep ? normalized : path_1.default.dirname(normalized);
+    const namePrefix = endsWithSep ? "" : path_1.default.basename(normalized);
+    return { listDir: listDirRaw, namePrefix };
+}
+// 在可能存在权限/平台差异时，realpath 失败则回退到 resolve，以确保逻辑可继续执行。
+async function resolveRealpathOrFallback(candidate) {
+    return fs_1.default.promises.realpath(candidate).catch(() => path_1.default.resolve(candidate));
+}
+// 校验 listDir 真实路径是否位于允许范围内：
+// - allowAnyRoot=true：admin 不限制；
+// - 提供 allowedRoots：按调用方传入范围（通常是管理员分配目录）；
+// - 未提供 allowedRoots：回退到 CODEX_ALLOWED_CWD_ROOTS 全局边界。
+async function ensureListDirAllowed(listDir, opts) {
+    const resolved = path_1.default.resolve(listDir);
+    const real = await resolveRealpathOrFallback(resolved);
+    if (opts.allowAnyRoot)
+        return real;
+    // 上层显式传入 allowedRoots 时，优先按该范围校验（例如用户分配目录）。
+    const allowedRoots = (opts.allowedRoots ?? []).filter(Boolean);
+    if (allowedRoots.length) {
+        const allowedRootsReal = await Promise.all(allowedRoots.map((root) => resolveRealpathOrFallback(root)));
+        const allowed = allowedRootsReal.some((root) => isPathWithinRoot(root, real));
+        if (!allowed)
+            throw new CwdSuggestError("path_not_allowed", "path not allowed");
+        return real;
+    }
+    // 未提供 allowedRoots 时，退化为全局边界校验，保持独立调用场景安全。
+    const globalRoots = (0, env_1.getCodexAllowedCwdRoots)().filter(Boolean);
+    if (!globalRoots.length)
+        throw new CwdSuggestError("path_not_allowed", "path not allowed");
+    const globalRootsReal = await Promise.all(globalRoots.map((root) => resolveRealpathOrFallback(root)));
+    const withinGlobal = globalRootsReal.some((root) => isPathWithinRoot(root, real));
+    if (!withinGlobal)
+        throw new CwdSuggestError("path_not_allowed", "path not allowed");
+    return real;
+}
+// 列举 listDir 下满足“目录 + namePrefix 前缀匹配”的子目录，按字典序排序后返回。
+async function listDirectorySuggestions(listDir, namePrefix, limit) {
+    let dirents;
+    try {
+        dirents = await fs_1.default.promises.readdir(listDir, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const d of dirents) {
+        if (!d.isDirectory())
+            continue;
+        if (namePrefix && !d.name.startsWith(namePrefix))
+            continue;
+        out.push(path_1.default.join(listDir, d.name));
+        if (out.length >= limit)
+            break;
+    }
+    out.sort((a, b) => a.localeCompare(b));
+    return out;
+}
+// 返回用于“工作区添加/切换”的服务器目录建议列表（右模糊：前缀匹配）。
+async function suggestCwds(opts) {
+    const rawQuery = String(opts.query ?? "").trim();
+    if (!rawQuery)
+        return [];
+    if (rawQuery.includes("\0"))
+        throw new CwdSuggestError("invalid_query", "invalid query");
+    const { listDir, namePrefix } = parseQuery(rawQuery);
+    const baseCwd = path_1.default.resolve((0, env_1.getCodexCwd)());
+    const resolvedListDir = path_1.default.isAbsolute(listDir) ? path_1.default.resolve(listDir) : path_1.default.resolve(baseCwd, listDir);
+    let st;
+    try {
+        st = await fs_1.default.promises.stat(resolvedListDir);
+    }
+    catch {
+        return [];
+    }
+    if (!st.isDirectory())
+        return [];
+    const allowedListDir = await ensureListDirAllowed(resolvedListDir, { allowAnyRoot: Boolean(opts.allowAnyRoot), allowedRoots: opts.allowedRoots });
+    const limit = normalizeLimit(opts.limit);
+    return listDirectorySuggestions(allowedListDir, namePrefix, limit);
+}
+//# sourceMappingURL=cwdSuggest.js.map

package/server/dist/tools/cwdSuggest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwdSuggest.js","sourceRoot":"","sources":["../../src/tools/cwdSuggest.ts"],"names":[],"mappings":";;;;;;AA0GA,kCAoBC;AA9HD,4CAAoB;AACpB,gDAAwB;AACxB,gCAA8D;AAK9D,kCAAkC;AAClC,MAAa,eAAgB,SAAQ,KAAK;IACxB,IAAI,CAAsB;IAE1C,YAAY,IAAyB,EAAE,OAAe;QACpD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AARD,0CAQC;AAOD,0CAA0C;AAC1C,SAAS,gBAAgB,CAAC,IAAY,EAAE,SAAiB;IACvD,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,cAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,kCAAkC;AAClC,SAAS,cAAc,CAAC,GAAY;IAClC,MAAM,CAAC,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACtF,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1B,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,mDAAmD;AACnD,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,cAAI,CAAC,GAAG,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,cAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACvE,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AAC7C,CAAC;AAED,oDAAoD;AACpD,KAAK,UAAU,yBAAyB,CAAC,SAAiB;IACxD,OAAO,YAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,cAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,4BAA4B;AAC5B,iCAAiC;AACjC,0CAA0C;AAC1C,uDAAuD;AACvD,KAAK,UAAU,oBAAoB,CAAC,OAAe,EAAE,IAAwD;IAC3G,MAAM,QAAQ,GAAG,cAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,MAAM,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAEvD,IAAI,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAEnC,4CAA4C;IAC5C,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxG,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9E,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,eAAe,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2CAA2C;IAC3C,MAAM,WAAW,GAAG,IAAA,6BAAuB,GAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,IAAI,CAAC,WAAW,CAAC,MAAM;QAAE,MAAM,IAAI,eAAe,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,CAAC;IAC3F,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtG,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,eAAe,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,CAAC;IAErF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sDAAsD;AACtD,KAAK,UAAU,wBAAwB,CAAC,OAAe,EAAE,UAAkB,EAAE,KAAa;IACxF,IAAI,OAAoB,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,YAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE;YAAE,SAAS;QAC/B,IAAI,UAAU,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,SAAS;QAC3D,GAAG,CAAC,IAAI,CAAC,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACrC,IAAI,GAAG,CAAC,MAAM,IAAI,KAAK;YAAE,MAAM;IACjC,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,sCAAsC;AAC/B,KAAK,UAAU,WAAW,CAAC,IAAwF;IACxH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IACzB,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,eAAe,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;IAEzF,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,cAAI,CAAC,OAAO,CAAC,IAAA,iBAAW,GAAE,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,cAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,cAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,cAAI,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAE1G,IAAI,EAAY,CAAC;IACjB,IAAI,CAAC;QACH,EAAE,GAAG,MAAM,YAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE;QAAE,OAAO,EAAE,CAAC;IAEjC,MAAM,cAAc,GAAG,MAAM,oBAAoB,CAAC,eAAe,EAAE,EAAE,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IAClJ,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,OAAO,wBAAwB,CAAC,cAAc,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;AACrE,CAAC"}

package/server/dist/workspace/accessControl.d.ts

@@ -0,0 +1,16 @@
+import type { UserRole } from "../auth/userTypes";
+export type UserAccessInfo = {
+    username: string;
+    role: UserRole;
+    workspaces: string[];
+};
+export type AllowedRoots = {
+    allowAnyRoot: boolean;
+    roots: string[];
+};
+export declare function isPathWithinRoot(root: string, candidate: string): boolean;
+export declare function resolveAllowedRootsForUser(user: Pick<UserAccessInfo, "role" | "workspaces"> | null | undefined): AllowedRoots;
+export declare function assertCwdAllowedForUser(opts: {
+    cwd: string;
+    user: Pick<UserAccessInfo, "role" | "workspaces">;
+}): Promise<string>;

package/server/dist/workspace/accessControl.js

@@ -0,0 +1,82 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isPathWithinRoot = isPathWithinRoot;
+exports.resolveAllowedRootsForUser = resolveAllowedRootsForUser;
+exports.assertCwdAllowedForUser = assertCwdAllowedForUser;
+const promises_1 = __importDefault(require("node:fs/promises"));
+const node_path_1 = __importDefault(require("node:path"));
+const env_1 = require("../env");
+const roles_1 = require("../auth/roles");
+// 判断 candidate 是否位于 root 目录之下（含 root 本身）。
+function isPathWithinRoot(root, candidate) {
+    const rel = node_path_1.default.relative(root, candidate);
+    if (!rel)
+        return true;
+    if (rel.startsWith(".."))
+        return false;
+    if (node_path_1.default.isAbsolute(rel))
+        return false;
+    return true;
+}
+function normalizeRoots(roots) {
+    const seen = new Set();
+    const out = [];
+    for (const r of roots) {
+        const resolved = node_path_1.default.resolve(String(r ?? "").trim());
+        if (!resolved)
+            continue;
+        if (seen.has(resolved))
+            continue;
+        seen.add(resolved);
+        out.push(resolved);
+    }
+    return out;
+}
+// 计算用户可访问的根目录：
+// - admin：允许从 `/` 起跳；
+// - member：仅允许访问被管理员分配的 workspaces（不再与 CODEX_ALLOWED_CWD_ROOTS 取交集）。
+function resolveAllowedRootsForUser(user) {
+    const role = user?.role;
+    if ((0, roles_1.isAdminRole)(role)) {
+        return { allowAnyRoot: true, roots: [] };
+    }
+    const assigned = normalizeRoots(user?.workspaces ?? []);
+    return { allowAnyRoot: false, roots: assigned };
+}
+async function resolveRealpathOrFallback(candidate) {
+    return promises_1.default.realpath(candidate).catch(() => node_path_1.default.resolve(candidate));
+}
+// 校验 cwd 是否在用户允许范围内；返回 canonical（尽力 realpath）后的 cwd。
+async function assertCwdAllowedForUser(opts) {
+    const base = node_path_1.default.resolve((0, env_1.getCodexCwd)());
+    const raw = typeof opts.cwd === "string" ? opts.cwd.trim() : "";
+    if (raw.includes("\0"))
+        throw new Error("invalid cwd");
+    // 空 cwd 等价于使用默认 CODEX_CWD，保持与历史行为一致。
+    const resolved = raw ? (node_path_1.default.isAbsolute(raw) ? node_path_1.default.resolve(raw) : node_path_1.default.resolve(base, raw)) : base;
+    let st;
+    try {
+        st = await promises_1.default.stat(resolved);
+    }
+    catch {
+        throw new Error(`cwd not found: ${resolved}`);
+    }
+    if (!st.isDirectory())
+        throw new Error(`cwd is not a directory: ${resolved}`);
+    const candidateReal = await resolveRealpathOrFallback(resolved);
+    const allowed = resolveAllowedRootsForUser(opts.user);
+    if (allowed.allowAnyRoot)
+        return candidateReal;
+    // 非 admin：必须在管理员分配的工作区根目录内。
+    if (!allowed.roots.length)
+        throw new Error(`cwd not allowed: ${candidateReal}`);
+    const allowedRootsReal = await Promise.all(allowed.roots.map((r) => resolveRealpathOrFallback(r)));
+    const ok = allowedRootsReal.some((root) => isPathWithinRoot(root, candidateReal));
+    if (!ok)
+        throw new Error(`cwd not allowed: ${candidateReal}`);
+    return candidateReal;
+}
+//# sourceMappingURL=accessControl.js.map

package/server/dist/workspace/accessControl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessControl.js","sourceRoot":"","sources":["../../src/workspace/accessControl.ts"],"names":[],"mappings":";;;;;AAqBA,4CAMC;AAkBD,gEAQC;AAOD,0DA4BC;AAxFD,gEAAkC;AAClC,0DAA6B;AAC7B,gCAAqC;AACrC,yCAA4C;AAiB5C,0CAA0C;AAC1C,SAAgB,gBAAgB,CAAC,IAAY,EAAE,SAAiB;IAC9D,MAAM,GAAG,GAAG,mBAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,mBAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,KAAe;IACrC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,mBAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,QAAQ;YAAE,SAAS;QACxB,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,SAAS;QACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,eAAe;AACf,sBAAsB;AACtB,qEAAqE;AACrE,SAAgB,0BAA0B,CAAC,IAAoE;IAC7G,MAAM,IAAI,GAAG,IAAI,EAAE,IAAI,CAAC;IACxB,IAAI,IAAA,mBAAW,EAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC;IACxD,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AAClD,CAAC;AAED,KAAK,UAAU,yBAAyB,CAAC,SAAiB;IACxD,OAAO,kBAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,qDAAqD;AAC9C,KAAK,UAAU,uBAAuB,CAAC,IAAwE;IACpH,MAAM,IAAI,GAAG,mBAAI,CAAC,OAAO,CAAC,IAAA,iBAAW,GAAE,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAChE,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IAEvD,qCAAqC;IACrC,MAAM,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEnG,IAAI,EAAO,CAAC;IACZ,IAAI,CAAC;QACH,EAAE,GAAG,MAAM,kBAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,kBAAkB,QAAQ,EAAE,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,EAAE,CAAC,CAAC;IAE9E,MAAM,aAAa,GAAG,MAAM,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,YAAY;QAAE,OAAO,aAAa,CAAC;IAE/C,4BAA4B;IAC5B,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,aAAa,EAAE,CAAC,CAAC;IAEhF,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnG,MAAM,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,aAAa,EAAE,CAAC,CAAC;IAE9D,OAAO,aAAa,CAAC;AACvB,CAAC"}

package/server/dist/workspace/sqliteUserWorkspaceStore.d.ts

@@ -0,0 +1,12 @@
+import type { AuthDb } from "../auth/sqlite/authDb";
+import type { UserWorkspaceStore } from "./userWorkspaceStore";
+/**
+ * SQLite 用户工作目录仓库创建参数。
+ */
+export type CreateSqliteUserWorkspaceStoreOptions = {
+    authDb: AuthDb;
+};
+/**
+ * 基于 SQLite 创建用户工作目录仓库。
+ */
+export declare function createSqliteUserWorkspaceStore(options: CreateSqliteUserWorkspaceStoreOptions): UserWorkspaceStore;

package/server/dist/workspace/sqliteUserWorkspaceStore.js

@@ -0,0 +1,82 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSqliteUserWorkspaceStore = createSqliteUserWorkspaceStore;
+const node_path_1 = __importDefault(require("node:path"));
+/**
+ * 规范化用户名输入。
+ */
+function normalizeUsername(username) {
+    return String(username ?? "").trim();
+}
+/**
+ * 去重并保序地规范化用户工作目录。
+ */
+function normalizeWorkspaceDirs(workspaceDirs) {
+    const seen = new Set();
+    const normalized = [];
+    for (const workspaceDir of workspaceDirs ?? []) {
+        const resolvedWorkspaceDir = node_path_1.default.resolve(String(workspaceDir ?? "").trim());
+        if (!resolvedWorkspaceDir)
+            continue;
+        if (seen.has(resolvedWorkspaceDir))
+            continue;
+        seen.add(resolvedWorkspaceDir);
+        normalized.push(resolvedWorkspaceDir);
+    }
+    return normalized;
+}
+/**
+ * 基于 SQLite 创建用户工作目录仓库。
+ */
+function createSqliteUserWorkspaceStore(options) {
+    const db = options.authDb.db;
+    const runInTransaction = options.authDb.runInTransaction;
+    const listWorkspaceDirsByUsernameStatement = db.prepare(`
+    SELECT workspace_dir
+    FROM auth_user_workspace_dirs
+    WHERE username = ?
+    ORDER BY ord ASC
+  `);
+    const deleteWorkspaceDirsByUsernameStatement = db.prepare(`
+    DELETE FROM auth_user_workspace_dirs
+    WHERE username = ?
+  `);
+    const insertWorkspaceDirStatement = db.prepare(`
+    INSERT OR REPLACE INTO auth_user_workspace_dirs (
+      username, workspace_dir, ord
+    ) VALUES (
+      @username, @workspaceDir, @ord
+    )
+  `);
+    return {
+        async listUserWorkspaceDirs(usernameRaw) {
+            const username = normalizeUsername(usernameRaw);
+            if (!username)
+                return [];
+            const rows = listWorkspaceDirsByUsernameStatement.all(username);
+            return rows.map((row) => row.workspace_dir);
+        },
+        async replaceUserWorkspaceDirs(usernameRaw, workspaceDirs) {
+            const username = normalizeUsername(usernameRaw);
+            if (!username)
+                throw new Error("username is required");
+            const normalizedWorkspaceDirs = normalizeWorkspaceDirs(workspaceDirs);
+            runInTransaction(() => {
+                deleteWorkspaceDirsByUsernameStatement.run(username);
+                for (let index = 0; index < normalizedWorkspaceDirs.length; index += 1) {
+                    const workspaceDir = normalizedWorkspaceDirs[index];
+                    insertWorkspaceDirStatement.run({
+                        username,
+                        workspaceDir,
+                        ord: index,
+                    });
+                }
+            });
+            return normalizedWorkspaceDirs;
+        },
+    };
+}
+//# sourceMappingURL=sqliteUserWorkspaceStore.js.map

package/server/dist/workspace/sqliteUserWorkspaceStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqliteUserWorkspaceStore.js","sourceRoot":"","sources":["../../src/workspace/sqliteUserWorkspaceStore.ts"],"names":[],"mappings":";;;;;AA4CA,wEAoDC;AAhGD,0DAA6B;AAkB7B;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,aAAuB;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,YAAY,IAAI,aAAa,IAAI,EAAE,EAAE,CAAC;QAC/C,MAAM,oBAAoB,GAAG,mBAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7E,IAAI,CAAC,oBAAoB;YAAE,SAAS;QACpC,IAAI,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAAE,SAAS;QAC7C,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC/B,UAAU,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAgB,8BAA8B,CAAC,OAA8C;IAC3F,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;IAC7B,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;IAEzD,MAAM,oCAAoC,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;GAKvD,CAAC,CAAC;IAEH,MAAM,sCAAsC,GAAG,EAAE,CAAC,OAAO,CAAC;;;GAGzD,CAAC,CAAC;IAEH,MAAM,2BAA2B,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;GAM9C,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,CAAC,qBAAqB,CAAC,WAAmB;YAC7C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,oCAAoC,CAAC,GAAG,CAAC,QAAQ,CAAsB,CAAC;YACrF,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,wBAAwB,CAAC,WAAmB,EAAE,aAAuB;YACzE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAEvD,MAAM,uBAAuB,GAAG,sBAAsB,CAAC,aAAa,CAAC,CAAC;YACtE,gBAAgB,CAAC,GAAG,EAAE;gBACpB,sCAAsC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACrD,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,uBAAuB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;oBACvE,MAAM,YAAY,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;oBACpD,2BAA2B,CAAC,GAAG,CAAC;wBAC9B,QAAQ;wBACR,YAAY;wBACZ,GAAG,EAAE,KAAK;qBACX,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,OAAO,uBAAuB,CAAC;QACjC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/server/dist/workspace/threadAccess.d.ts

@@ -0,0 +1,19 @@
+import type { UserRole } from "../auth/userTypes";
+import type { CodexAppServer } from "../codex/codexAppServer";
+type ThreadAccessUser = {
+    username: string;
+    role: UserRole;
+    workspaces: string[];
+};
+/**
+ * 断言当前用户可以访问指定 threadId。
+ * 规则：threadId -> 读取 thread.cwd -> 复用 assertCwdAllowedForUser 校验是否在用户分配 workspaces 内。
+ */
+export declare function assertThreadAllowedForUser(opts: {
+    threadId: string;
+    user: ThreadAccessUser;
+    codex: Pick<CodexAppServer, "readThread">;
+}): Promise<{
+    canonicalCwd: string;
+}>;
+export {};

package/server/dist/workspace/threadAccess.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertThreadAllowedForUser = assertThreadAllowedForUser;
+const roles_1 = require("../auth/roles");
+const accessControl_1 = require("./accessControl");
+/**
+ * 断言当前用户可以访问指定 threadId。
+ * 规则：threadId -> 读取 thread.cwd -> 复用 assertCwdAllowedForUser 校验是否在用户分配 workspaces 内。
+ */
+async function assertThreadAllowedForUser(opts) {
+    // admin 默认允许访问所有线程（更细粒度的隔离需要 codex/app-server 侧支持）。
+    if ((0, roles_1.isAdminRole)(opts.user.role)) {
+        return { canonicalCwd: "" };
+    }
+    const thread = await opts.codex.readThread(opts.threadId, false);
+    const cwd = String(thread?.cwd ?? "").trim();
+    if (!cwd)
+        throw new Error("cwd not allowed");
+    const canonicalCwd = await (0, accessControl_1.assertCwdAllowedForUser)({ cwd, user: opts.user });
+    return { canonicalCwd };
+}
+//# sourceMappingURL=threadAccess.js.map

package/server/dist/workspace/threadAccess.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threadAccess.js","sourceRoot":"","sources":["../../src/workspace/threadAccess.ts"],"names":[],"mappings":";;AAeA,gEAgBC;AA/BD,yCAA4C;AAG5C,mDAA0D;AAQ1D;;;GAGG;AACI,KAAK,UAAU,0BAA0B,CAAC,IAIhD;IACC,oDAAoD;IACpD,IAAI,IAAA,mBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC9B,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,MAAM,CAAE,MAAc,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACtD,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAE7C,MAAM,YAAY,GAAG,MAAM,IAAA,uCAAuB,EAAC,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7E,OAAO,EAAE,YAAY,EAAE,CAAC;AAC1B,CAAC"}

package/server/dist/workspace/threadListVisibility.d.ts

@@ -0,0 +1,25 @@
+import type { StoredUser } from "../auth/userTypes";
+import type { UserAccessInfo } from "./accessControl";
+export type ThreadListVisibilityUser = Pick<UserAccessInfo, "role" | "workspaces">;
+export type WorkspaceRoutingSnapshot = {
+    updatedAtMs: number;
+    rootsDesc: string[];
+};
+export declare function normalizeWorkspacePaths(workspaces: string[]): string[];
+export declare function buildWorkspaceRoutingSnapshot(users: Array<Pick<StoredUser, "role" | "workspaces">>): WorkspaceRoutingSnapshot;
+export declare function resolveWorkspaceRootForCwd(snapshot: WorkspaceRoutingSnapshot, cwd: string): string | null;
+export declare function resolveThreadListWorkspaceFilter(requestedCwd: unknown, user: ThreadListVisibilityUser): Promise<string | null>;
+export declare function normalizeThreadCwd(rawThreadCwd: unknown): string;
+export declare function isThreadCwdVisibleToUser(input: {
+    cwd: string;
+    user: ThreadListVisibilityUser;
+    routingSnapshot: WorkspaceRoutingSnapshot | null;
+}): boolean;
+export declare function shouldIncludeThreadForList(input: {
+    thread: {
+        cwd?: unknown;
+    };
+    user: ThreadListVisibilityUser;
+    workspaceFilterCwd: string | null;
+    routingSnapshot: WorkspaceRoutingSnapshot | null;
+}): boolean;

package/server/dist/workspace/threadListVisibility.js

@@ -0,0 +1,104 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeWorkspacePaths = normalizeWorkspacePaths;
+exports.buildWorkspaceRoutingSnapshot = buildWorkspaceRoutingSnapshot;
+exports.resolveWorkspaceRootForCwd = resolveWorkspaceRootForCwd;
+exports.resolveThreadListWorkspaceFilter = resolveThreadListWorkspaceFilter;
+exports.normalizeThreadCwd = normalizeThreadCwd;
+exports.isThreadCwdVisibleToUser = isThreadCwdVisibleToUser;
+exports.shouldIncludeThreadForList = shouldIncludeThreadForList;
+const node_path_1 = __importDefault(require("node:path"));
+const accessControl_1 = require("./accessControl");
+// WS/HTTP 统一使用绝对路径 + 去重后的 workspace 列表，避免路径比较歧义。
+function normalizeWorkspacePaths(workspaces) {
+    const seen = new Set();
+    const out = [];
+    for (const workspace of workspaces ?? []) {
+        const trimmedWorkspace = String(workspace ?? "").trim();
+        if (!trimmedWorkspace)
+            continue;
+        const resolvedWorkspace = node_path_1.default.resolve(trimmedWorkspace);
+        if (seen.has(resolvedWorkspace))
+            continue;
+        seen.add(resolvedWorkspace);
+        out.push(resolvedWorkspace);
+    }
+    return out;
+}
+// 基于所有 member 用户 workspaces 生成“最具体根目录优先”的路由快照。
+function buildWorkspaceRoutingSnapshot(users) {
+    const roots = new Set();
+    for (const user of users) {
+        if (user.role !== "member")
+            continue;
+        for (const workspace of user.workspaces ?? []) {
+            const trimmedWorkspace = String(workspace ?? "").trim();
+            if (!trimmedWorkspace)
+                continue;
+            roots.add(node_path_1.default.resolve(trimmedWorkspace));
+        }
+    }
+    const rootsDesc = Array.from(roots.values()).sort((leftRoot, rightRoot) => rightRoot.length - leftRoot.length);
+    return { updatedAtMs: Date.now(), rootsDesc };
+}
+// 为某个 cwd 匹配最具体 workspace root（最长前缀优先）。
+function resolveWorkspaceRootForCwd(snapshot, cwd) {
+    const trimmedCwd = String(cwd ?? "").trim();
+    if (!trimmedCwd)
+        return null;
+    const resolvedCwd = node_path_1.default.resolve(trimmedCwd);
+    for (const root of snapshot.rootsDesc) {
+        if ((0, accessControl_1.isPathWithinRoot)(root, resolvedCwd))
+            return root;
+    }
+    return null;
+}
+// 解析 list 请求中的 cwd 过滤参数；空值表示不过滤。
+async function resolveThreadListWorkspaceFilter(requestedCwd, user) {
+    const rawRequestedCwd = typeof requestedCwd === "string" ? requestedCwd.trim() : "";
+    if (!rawRequestedCwd)
+        return null;
+    return (0, accessControl_1.assertCwdAllowedForUser)({ cwd: rawRequestedCwd, user });
+}
+// 规整 thread.cwd，避免空白/相对路径造成过滤误判。
+function normalizeThreadCwd(rawThreadCwd) {
+    const threadCwd = typeof rawThreadCwd === "string" ? rawThreadCwd.trim() : "";
+    if (!threadCwd)
+        return "";
+    return node_path_1.default.resolve(threadCwd);
+}
+// 判断线程 cwd 是否对指定用户可见（admin 全可见，member 按分配工作区可见）。
+function isThreadCwdVisibleToUser(input) {
+    const allowedRoots = (0, accessControl_1.resolveAllowedRootsForUser)(input.user);
+    if (allowedRoots.allowAnyRoot)
+        return true;
+    if (!allowedRoots.roots.length)
+        return false;
+    if (input.routingSnapshot) {
+        const workspaceRoot = resolveWorkspaceRootForCwd(input.routingSnapshot, input.cwd);
+        if (workspaceRoot)
+            return input.user.workspaces.includes(workspaceRoot);
+    }
+    return allowedRoots.roots.some((root) => (0, accessControl_1.isPathWithinRoot)(root, input.cwd));
+}
+// 统一判定某线程是否应进入会话列表（权限 + 可选 workspace 精确过滤）。
+function shouldIncludeThreadForList(input) {
+    const normalizedThreadCwd = normalizeThreadCwd(input.thread.cwd);
+    if (!normalizedThreadCwd)
+        return false;
+    const visible = isThreadCwdVisibleToUser({
+        cwd: normalizedThreadCwd,
+        user: input.user,
+        routingSnapshot: input.routingSnapshot,
+    });
+    if (!visible)
+        return false;
+    if (!input.workspaceFilterCwd)
+        return true;
+    // 工作区语义按“线程 cwd == 选中 workspace cwd”处理，避免前缀误包含。
+    return normalizedThreadCwd === input.workspaceFilterCwd;
+}
+//# sourceMappingURL=threadListVisibility.js.map

package/server/dist/workspace/threadListVisibility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threadListVisibility.js","sourceRoot":"","sources":["../../src/workspace/threadListVisibility.ts"],"names":[],"mappings":";;;;;AAaA,0DAYC;AAGD,sEAYC;AAGD,gEAQC;AAGD,4EAOC;AAGD,gDAIC;AAGD,4DAeC;AAGD,gEAmBC;AA5GD,0DAA6B;AAG7B,mDAAwG;AASxG,iDAAiD;AACjD,SAAgB,uBAAuB,CAAC,UAAoB;IAC1D,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,SAAS,IAAI,UAAU,IAAI,EAAE,EAAE,CAAC;QACzC,MAAM,gBAAgB,GAAG,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACxD,IAAI,CAAC,gBAAgB;YAAE,SAAS;QAChC,MAAM,iBAAiB,GAAG,mBAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACzD,IAAI,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC;YAAE,SAAS;QAC1C,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC5B,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,+CAA+C;AAC/C,SAAgB,6BAA6B,CAAC,KAAqD;IACjG,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;YAAE,SAAS;QACrC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;YAC9C,MAAM,gBAAgB,GAAG,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACxD,IAAI,CAAC,gBAAgB;gBAAE,SAAS;YAChC,KAAK,CAAC,GAAG,CAAC,mBAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC/G,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,CAAC;AAChD,CAAC;AAED,wCAAwC;AACxC,SAAgB,0BAA0B,CAAC,QAAkC,EAAE,GAAW;IACxF,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,WAAW,GAAG,mBAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC7C,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACtC,IAAI,IAAA,gCAAgB,EAAC,IAAI,EAAE,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;IACvD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,iCAAiC;AAC1B,KAAK,UAAU,gCAAgC,CACpD,YAAqB,EACrB,IAA8B;IAE9B,MAAM,eAAe,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACpF,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAClC,OAAO,IAAA,uCAAuB,EAAC,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,iCAAiC;AACjC,SAAgB,kBAAkB,CAAC,YAAqB;IACtD,MAAM,SAAS,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9E,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAC1B,OAAO,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED,iDAAiD;AACjD,SAAgB,wBAAwB,CAAC,KAIxC;IACC,MAAM,YAAY,GAAG,IAAA,0CAA0B,EAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5D,IAAI,YAAY,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE7C,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG,0BAA0B,CAAC,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;QACnF,IAAI,aAAa;YAAE,OAAO,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IAC1E,CAAC;IAED,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAA,gCAAgB,EAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,4CAA4C;AAC5C,SAAgB,0BAA0B,CAAC,KAK1C;IACC,MAAM,mBAAmB,GAAG,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACjE,IAAI,CAAC,mBAAmB;QAAE,OAAO,KAAK,CAAC;IAEvC,MAAM,OAAO,GAAG,wBAAwB,CAAC;QACvC,GAAG,EAAE,mBAAmB;QACxB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,eAAe,EAAE,KAAK,CAAC,eAAe;KACvC,CAAC,CAAC;IACH,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,IAAI,CAAC,KAAK,CAAC,kBAAkB;QAAE,OAAO,IAAI,CAAC;IAC3C,gDAAgD;IAChD,OAAO,mBAAmB,KAAK,KAAK,CAAC,kBAAkB,CAAC;AAC1D,CAAC"}

package/server/dist/workspace/userWorkspaceRoutes.d.ts

@@ -0,0 +1,7 @@
+import express from "express";
+import type { UserWorkspaceStore } from "./userWorkspaceStore";
+type CreateUserWorkspaceRoutesOptions = {
+    userWorkspaceStore: UserWorkspaceStore;
+};
+export declare function createUserWorkspaceRoutes(opts: CreateUserWorkspaceRoutesOptions): express.Router;
+export {};