@zzusp/ccsm 1.0.0 → 1.0.1

package/server/lib/safe-remove.test.ts

@@ -0,0 +1,73 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+// safeRemove 是 deleteSessions 与 deleteOrphan 共用的"路径校验 + 实际 rm"唯一入口。
+// 这里把 claude-paths.ts mock 到一个独立 tmp root（通过 process.env.CCSM_TEST_ROOT 桥接，
+// 与 delete.test.ts 同套路），校验它只删 root 子树内的东西、逃出去的一律抛错。
+
+let fakeRoot: string;
+
+vi.mock('./claude-paths.ts', () => {
+  return {
+    isUnderClaudeRoot(target: string): boolean {
+      const root = process.env.CCSM_TEST_ROOT!;
+      const resolved = path.resolve(target);
+      return resolved === root || resolved.startsWith(root + path.sep);
+    },
+  };
+});
+
+beforeEach(() => {
+  fakeRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'ccsm-safe-remove-test-'));
+  process.env.CCSM_TEST_ROOT = fakeRoot;
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
+  delete process.env.CCSM_TEST_ROOT;
+  fs.rmSync(fakeRoot, { recursive: true, force: true });
+});
+
+describe('safeRemove', () => {
+  it('删 root 子树内的文件，返回 true', async () => {
+    const { safeRemove } = await import('./safe-remove.ts');
+    const f = path.join(fakeRoot, 'a.jsonl');
+    fs.writeFileSync(f, 'x');
+
+    expect(safeRemove(f)).toBe(true);
+    expect(fs.existsSync(f)).toBe(false);
+  });
+
+  it('删 root 子树内的目录（recursive），返回 true', async () => {
+    const { safeRemove } = await import('./safe-remove.ts');
+    const dir = path.join(fakeRoot, 'file-history', 'sid-1');
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(path.join(dir, 'nested.txt'), 'y');
+
+    expect(safeRemove(dir)).toBe(true);
+    expect(fs.existsSync(dir)).toBe(false);
+  });
+
+  it('目标不存在返回 false（幂等，不抛）', async () => {
+    const { safeRemove } = await import('./safe-remove.ts');
+    expect(safeRemove(path.join(fakeRoot, 'missing'))).toBe(false);
+  });
+
+  it('逃出 ~/.claude 子树的目标一律抛错，且不删任何东西', async () => {
+    const { safeRemove } = await import('./safe-remove.ts');
+    // 在 fakeRoot 之外铺一个文件，确认它不会被删
+    const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'ccsm-safe-remove-outside-'));
+    const victim = path.join(outside, 'do-not-delete.txt');
+    fs.writeFileSync(victim, 'keep me');
+    try {
+      expect(() => safeRemove(victim)).toThrow(/outside ~\/\.claude/);
+      expect(fs.existsSync(victim)).toBe(true);
+      // 兄弟目录（同前缀但非子树）也必须拒绝
+      expect(() => safeRemove(fakeRoot + '_evil')).toThrow(/outside ~\/\.claude/);
+    } finally {
+      fs.rmSync(outside, { recursive: true, force: true });
+    }
+  });
+});

package/server/lib/safe-remove.ts

@@ -0,0 +1,25 @@
+import fs from 'node:fs';
+import { isUnderClaudeRoot } from './claude-paths.ts';
+
+/**
+ * ~/.claude/ 下所有删除的唯一入口：先过 isUnderClaudeRoot 路径校验，再真正 rm。
+ *
+ * deleteSessions（5 处级联）和 deleteOrphan（孤儿目录）共用这一份"路径校验 + 实际 rm"，
+ * 把"目标必须落在 ~/.claude 子树内"这条安全网集中到一处——以后改删除约束
+ * （加路径校验、改 rm 行为、加新防护）只改这里，不会两边各写一份、改一边漏一边。
+ *
+ * 文件和目录都走 recursive: true（对文件无副作用），所以单一入口能覆盖两种形态。
+ *
+ * @returns 是否真的删了东西（目标不存在 → false）
+ * @throws 目标逃出 ~/.claude 子树 —— 最后一道兜底，绝不 silently 删 root 外的东西。
+ *         调用方应在更早处用 isUnderClaudeRoot 做 graceful 预检并给出跳过原因，
+ *         走到这里抛错说明前置校验漏了，是 bug 不是正常流程。
+ */
+export function safeRemove(target: string): boolean {
+  if (!isUnderClaudeRoot(target)) {
+    throw new Error(`refuse to remove path outside ~/.claude: ${target}`);
+  }
+  if (!fs.existsSync(target)) return false;
+  fs.rmSync(target, { recursive: true, force: true });
+  return true;
+}

package/server/lib/scan.ts

@@ -141,6 +141,7 @@ export async function listSessionsForProject(projectId: string): Promise<Session
     let firstAt: string | null = null;
     let lastAt: string | null = null;
     let messageCount = 0;
+    let lastTurnIncomplete = false;
 
     if (fs.existsSync(jsonlPath)) {
       const meta = await parseJsonlMeta(jsonlPath);
@@ -149,6 +150,7 @@ export async function listSessionsForProject(projectId: string): Promise<Session
       firstAt = meta.firstAt;
       lastAt = meta.lastAt;
       messageCount = meta.messageCount;
+      lastTurnIncomplete = meta.lastTurnIncomplete;
     }
 
     const livePid = activeMap.get(id) ?? null;
@@ -175,9 +177,110 @@ export async function listSessionsForProject(projectId: string): Promise<Session
       isLivePid: livePid !== null,
       isRecentlyActive,
       livePid,
+      // "Working" narrows "live" to actively-processing: a live PID, fresh file
+      // activity, and an unfinished last turn. The live-PID gate keeps a session
+      // that crashed mid-turn (file frozen with a trailing `user` record) from
+      // reading as "working".
+      isWorking: livePid !== null && isRecentlyActive && lastTurnIncomplete,
     });
   }
 
   out.sort((a, b) => (b.lastAt ?? '').localeCompare(a.lastAt ?? ''));
   return out;
 }
+
+export interface DiskScanSession {
+  id: string;
+  title: string;
+  customTitle: string | null;
+  lastAt: string | null;
+  relatedBytes: RelatedBytes;
+}
+
+export interface DiskScanProject {
+  id: string;
+  decodedCwd: string;
+  cwdResolved: boolean;
+  totalBytes: number;
+  sessionCount: number;
+  sessions: DiskScanSession[];
+}
+
+/**
+ * 磁盘视图（disk-usage + cleanup-suggestions）专用的单遍扫描：逐会话算
+ * relatedBytes + 解析一次 jsonl meta，项目 totalBytes = 其会话之和。
+ *
+ * 刻意不做 live-PID / recently-active 探测：两个磁盘视图都不展示这些，而
+ * `listSessionsForProject` 会按项目各建一次 active map（Windows 下 = 一次
+ * `tasklist` spawn，~400-700ms），被这两个接口按项目数放大成几十次 tasklist，
+ * 是磁盘页加载慢的主因。size/meta 原语与 `listSessionsForProject` 复用，只去掉
+ * active map 与「listProjects + listSessionsForProject」之间重复的 size 遍历。
+ */
+export async function scanProjectsForDisk(): Promise<DiskScanProject[]> {
+  if (!fs.existsSync(PATHS.projects)) return [];
+
+  const projectIds = fs
+    .readdirSync(PATHS.projects, { withFileTypes: true })
+    .filter((ent) => ent.isDirectory())
+    .map((ent) => ent.name);
+
+  const result: DiskScanProject[] = [];
+  for (const projectId of projectIds) {
+    const projectDir = path.join(PATHS.projects, projectId);
+    const ids = listSessionIdsInProject(projectDir);
+
+    const scanned = await Promise.all(ids.map((id) => scanDiskSession(projectDir, id)));
+
+    let totalBytes = 0;
+    let sampleCwd: string | null = null;
+    const sessions: DiskScanSession[] = [];
+    for (const { session, cwdFromMessages } of scanned) {
+      const r = session.relatedBytes;
+      totalBytes += r.jsonl + r.subdir + r.fileHistory + r.sessionEnv;
+      if (!sampleCwd && cwdFromMessages) sampleCwd = cwdFromMessages;
+      sessions.push(session);
+    }
+
+    const { decoded, resolved } = decodeProjectId(projectId, sampleCwd);
+    result.push({
+      id: projectId,
+      decodedCwd: decoded,
+      cwdResolved: resolved,
+      totalBytes,
+      sessionCount: ids.length,
+      sessions,
+    });
+  }
+
+  return result;
+}
+
+async function scanDiskSession(
+  projectDir: string,
+  id: string,
+): Promise<{ session: DiskScanSession; cwdFromMessages: string | null }> {
+  const jsonlPath = path.join(projectDir, `${id}${JSONL_EXT}`);
+  const relatedBytes: RelatedBytes = {
+    jsonl: fileSize(jsonlPath),
+    subdir: dirSize(path.join(projectDir, id)),
+    fileHistory: dirSize(path.join(PATHS.fileHistory, id)),
+    sessionEnv: dirSize(path.join(PATHS.sessionEnv, id)),
+  };
+
+  let title = '(no jsonl)';
+  let customTitle: string | null = null;
+  let lastAt: string | null = null;
+  let cwdFromMessages: string | null = null;
+  if (fs.existsSync(jsonlPath)) {
+    const meta = await parseJsonlMeta(jsonlPath);
+    title = meta.title;
+    customTitle = meta.customTitle;
+    lastAt = meta.lastAt;
+    cwdFromMessages = meta.cwdFromMessages;
+  }
+
+  return {
+    session: { id, title, customTitle, lastAt, relatedBytes },
+    cwdFromMessages,
+  };
+}

package/server/lib/update.ts

@@ -0,0 +1,67 @@
+import { spawn } from 'node:child_process';
+import type { VersionUpdateResult } from '../../shared/types.ts';
+import { getCurrentVersion, PACKAGE_NAME } from './version.ts';
+
+const MAX_OUTPUT = 64_000;
+
+/**
+ * Run `npm install -g <PACKAGE_NAME>@latest` to self-update the global CLI.
+ *
+ * Fixed args, no user input → safe. Windows needs `shell:true` to invoke `npm.cmd`
+ * (Node refuses to spawn `.cmd` without a shell since CVE-2024-27980). A non-zero
+ * exit still resolves (ok:false) so the caller can surface npm's output instead of
+ * swallowing it. The running process keeps serving the OLD code until restarted.
+ */
+export function runSelfUpdate(targetVersion: string | null): Promise<VersionUpdateResult> {
+  const fromVersion = getCurrentVersion();
+  const isWin = process.platform === 'win32';
+
+  return new Promise((resolve) => {
+    let output = '';
+    const append = (buf: Buffer) => {
+      output += buf.toString();
+      if (output.length > MAX_OUTPUT) output = output.slice(-MAX_OUTPUT);
+    };
+
+    let child: ReturnType<typeof spawn>;
+    try {
+      child = spawn('npm', ['install', '-g', `${PACKAGE_NAME}@latest`], {
+        shell: isWin,
+        windowsHide: true,
+      });
+    } catch (err) {
+      resolve({
+        ok: false,
+        fromVersion,
+        toVersion: null,
+        output: (err as Error).message,
+        restartRequired: false,
+      });
+      return;
+    }
+
+    child.stdout?.on('data', append);
+    child.stderr?.on('data', append);
+
+    child.on('error', (err) => {
+      resolve({
+        ok: false,
+        fromVersion,
+        toVersion: null,
+        output: `${output}\n${err.message}`.trim(),
+        restartRequired: false,
+      });
+    });
+
+    child.on('close', (code) => {
+      const ok = code === 0;
+      resolve({
+        ok,
+        fromVersion,
+        toVersion: ok ? targetVersion : null,
+        output: output.trim() || (ok ? 'updated' : `npm exited with code ${code}`),
+        restartRequired: ok,
+      });
+    });
+  });
+}

package/server/lib/version.test.ts

@@ -0,0 +1,39 @@
+import { describe, expect, it } from 'vitest';
+import { compareSemver } from './version.ts';
+
+// compareSemver 是 hasUpdate 判定的唯一依据：latest 比 current 新才提示更新。
+// 这里钉死「更新/不更新/相等」三类边界，外加 `v` 前缀与 pre-release 排序。
+
+describe('compareSemver', () => {
+  it('newer patch / minor / major → positive', () => {
+    expect(compareSemver('1.0.1', '1.0.0')).toBeGreaterThan(0);
+    expect(compareSemver('1.1.0', '1.0.9')).toBeGreaterThan(0);
+    expect(compareSemver('2.0.0', '1.9.9')).toBeGreaterThan(0);
+  });
+
+  it('older → negative', () => {
+    expect(compareSemver('1.0.0', '1.0.1')).toBeLessThan(0);
+    expect(compareSemver('1.0.9', '1.1.0')).toBeLessThan(0);
+  });
+
+  it('equal → 0, regardless of leading v', () => {
+    expect(compareSemver('1.2.3', '1.2.3')).toBe(0);
+    expect(compareSemver('v1.2.3', '1.2.3')).toBe(0);
+    expect(compareSemver('1.2.3', 'v1.2.3')).toBe(0);
+  });
+
+  it('plain release outranks a pre-release of the same core', () => {
+    expect(compareSemver('1.2.0', '1.2.0-rc.1')).toBeGreaterThan(0);
+    expect(compareSemver('1.2.0-rc.1', '1.2.0')).toBeLessThan(0);
+  });
+
+  it('does not flag an update for the same version (the v1.0.0 baseline)', () => {
+    // current == latest must yield hasUpdate=false in the route.
+    expect(compareSemver('1.0.0', '1.0.0') > 0).toBe(false);
+  });
+
+  it('treats missing patch as 0 (1.2 == 1.2.0)', () => {
+    expect(compareSemver('1.2', '1.2.0')).toBe(0);
+    expect(compareSemver('1.3', '1.2.0')).toBeGreaterThan(0);
+  });
+});

package/server/lib/version.ts

@@ -0,0 +1,117 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import type { VersionInfo } from '../../shared/types.ts';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PKG_PATH = path.resolve(__dirname, '..', '..', 'package.json');
+
+const REPO = 'zzusp/claude-code-session';
+export const REPOSITORY_URL = `https://github.com/${REPO}`;
+export const PACKAGE_NAME = '@zzusp/ccsm';
+const RELEASES_API = `https://api.github.com/repos/${REPO}/releases/latest`;
+
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1h — don't hammer GitHub on every page open
+const FETCH_TIMEOUT_MS = 8000;
+
+let cached: { at: number; info: VersionInfo } | null = null;
+
+/** package.json `version` — the single source of truth, same as `ccsm --version`. */
+export function getCurrentVersion(): string {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(PKG_PATH, 'utf8')) as { version?: string };
+    return typeof pkg.version === 'string' ? pkg.version : '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}
+
+interface ParsedVersion {
+  nums: [number, number, number];
+  /** Pre-release tag (everything after the first `-`); '' for a plain release. */
+  pre: string;
+}
+
+function parseVersion(v: string): ParsedVersion {
+  const clean = v.trim().replace(/^v/i, '');
+  const dash = clean.indexOf('-');
+  const core = dash < 0 ? clean : clean.slice(0, dash);
+  const pre = dash < 0 ? '' : clean.slice(dash + 1);
+  const parts = core.split('.').map((n) => parseInt(n, 10) || 0);
+  return { nums: [parts[0] ?? 0, parts[1] ?? 0, parts[2] ?? 0], pre };
+}
+
+/** Minimal semver compare: returns >0 if a is newer than b, <0 if older, 0 if equal. */
+export function compareSemver(a: string, b: string): number {
+  const pa = parseVersion(a);
+  const pb = parseVersion(b);
+  const [a0, a1, a2] = pa.nums;
+  const [b0, b1, b2] = pb.nums;
+  if (a0 !== b0) return a0 - b0;
+  if (a1 !== b1) return a1 - b1;
+  if (a2 !== b2) return a2 - b2;
+  if (pa.pre === pb.pre) return 0;
+  // A plain release outranks any pre-release of the same core (1.2.0 > 1.2.0-rc.1).
+  if (pa.pre === '') return 1;
+  if (pb.pre === '') return -1;
+  return pa.pre < pb.pre ? -1 : 1;
+}
+
+interface GithubRelease {
+  tag_name?: string;
+  name?: string;
+  body?: string;
+  html_url?: string;
+  published_at?: string;
+}
+
+/**
+ * VersionInfo for the UI. Cached for an hour; pass `force` to bypass.
+ * A failed lookup is never cached — it degrades to current-version-only with
+ * `checkError` set, so a later open retries.
+ */
+export async function getVersionInfo(force = false): Promise<VersionInfo> {
+  const current = getCurrentVersion();
+  if (!force && cached && Date.now() - cached.at < CACHE_TTL_MS) {
+    return { ...cached.info, current };
+  }
+
+  const info: VersionInfo = {
+    current,
+    latest: null,
+    hasUpdate: false,
+    releaseName: null,
+    releaseNotes: null,
+    releaseUrl: null,
+    publishedAt: null,
+    repositoryUrl: REPOSITORY_URL,
+    checkError: null,
+  };
+
+  try {
+    const res = await fetch(RELEASES_API, {
+      headers: {
+        accept: 'application/vnd.github+json',
+        'user-agent': `ccsm/${current}`,
+      },
+      signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+    });
+    if (!res.ok) {
+      info.checkError = `GitHub API ${res.status}`;
+      return info;
+    }
+    const data = (await res.json()) as GithubRelease;
+    const latest = (data.tag_name ?? '').trim().replace(/^v/i, '') || null;
+    info.latest = latest;
+    info.releaseName = data.name?.trim() || data.tag_name || null;
+    info.releaseNotes = data.body ?? null;
+    info.releaseUrl = data.html_url ?? null;
+    info.publishedAt = data.published_at ?? null;
+    info.hasUpdate = latest !== null && compareSemver(latest, current) > 0;
+    cached = { at: Date.now(), info };
+    return info;
+  } catch (err) {
+    info.checkError = (err as Error).message || 'version check failed';
+    return info;
+  }
+}

package/server/routes/disk-cleanup.ts

@@ -0,0 +1,54 @@
+import { Hono } from 'hono';
+import {
+  computeCleanupSuggestions,
+  deleteOrphan,
+} from '../lib/cleanup-suggestions.ts';
+import { isSafeId } from '../lib/safe-id.ts';
+import type { DiskOrphanDeleteResult, DiskOrphanKind } from '../types.ts';
+
+export const diskCleanupRoute = new Hono();
+
+diskCleanupRoute.get('/suggestions', async (c) => {
+  const data = await computeCleanupSuggestions();
+  return c.json(data);
+});
+
+diskCleanupRoute.delete('/orphan/:kind/:sid', async (c) => {
+  if (!isAcceptableOrigin(c.req.header('origin'))) {
+    return c.json({ error: 'origin not allowed' }, 403);
+  }
+  const kindParam = c.req.param('kind');
+  const sid = c.req.param('sid');
+  if (!isOrphanKind(kindParam)) {
+    return c.json({ error: 'invalid kind' }, 400);
+  }
+  if (!isSafeId(sid)) {
+    return c.json({ error: 'invalid id' }, 400);
+  }
+  const result = deleteOrphan(kindParam, sid);
+  if (!result.ok) {
+    const status = result.reason === 'orphan no longer exists' ? 404 : 409;
+    return c.json({ error: result.reason }, status);
+  }
+  const payload: DiskOrphanDeleteResult = {
+    sessionId: sid,
+    kind: kindParam,
+    freedBytes: result.freedBytes,
+  };
+  return c.json(payload);
+});
+
+function isOrphanKind(v: string): v is DiskOrphanKind {
+  return v === 'file-history' || v === 'session-env';
+}
+
+function isAcceptableOrigin(origin: string | undefined): boolean {
+  if (!origin) return false;
+  try {
+    const url = new URL(origin);
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
+    return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
+  } catch {
+    return false;
+  }
+}

package/server/routes/sessions.ts

@@ -1,11 +1,60 @@
 import { Hono } from 'hono';
 import { deleteSessions, type DeleteRequestItem } from '../lib/delete.ts';
 import { loadSessionDetail } from '../lib/load-session.ts';
+import { loadModifiedFiles } from '../lib/modified-files.ts';
+import { openFile } from '../lib/open-folder.ts';
 import { renameSession } from '../lib/rename-session.ts';
 import { isSafeId } from '../lib/safe-id.ts';
 
 export const sessionsRoute = new Hono();
 
+// 注意：放在 /:projectId/:sessionId 之前——Hono trie 对静态后缀的具体路由优先匹配，
+// 但显式按"更具体的路由先注册"是最稳的写法，避免日后引入其他通配段时被错位拦截。
+sessionsRoute.get('/:projectId/:sessionId/modified-files', async (c) => {
+  const projectId = c.req.param('projectId');
+  const sessionId = c.req.param('sessionId');
+  if (!isSafeId(projectId) || !isSafeId(sessionId)) {
+    return c.json({ error: 'invalid id' }, 400);
+  }
+  const result = await loadModifiedFiles(projectId, sessionId);
+  if (!result) return c.json({ error: 'not found' }, 404);
+  return c.json(result);
+});
+
+sessionsRoute.post('/:projectId/:sessionId/open-file', async (c) => {
+  if (!isAcceptableOrigin(c.req.header('origin'))) {
+    return c.json({ error: 'origin not allowed' }, 403);
+  }
+  const projectId = c.req.param('projectId');
+  const sessionId = c.req.param('sessionId');
+  if (!isSafeId(projectId) || !isSafeId(sessionId)) {
+    return c.json({ error: 'invalid id' }, 400);
+  }
+  let body: { filePath?: unknown };
+  try {
+    body = (await c.req.json()) as { filePath?: unknown };
+  } catch {
+    return c.json({ error: 'invalid json body' }, 400);
+  }
+  if (typeof body.filePath !== 'string' || body.filePath === '') {
+    return c.json({ error: 'filePath (string) required' }, 400);
+  }
+  // 只允许打开"本会话确实改过的文件"——从 jsonl 重新聚合校验成员资格，
+  // 杜绝客户端传任意路径来打开系统中任意文件。
+  const modified = await loadModifiedFiles(projectId, sessionId);
+  if (!modified) return c.json({ error: 'session not found' }, 404);
+  if (!modified.files.some((f) => f.filePath === body.filePath)) {
+    return c.json({ error: 'file is not part of this session' }, 400);
+  }
+
+  const result = openFile(body.filePath);
+  if (!result.ok) {
+    const status = result.error === 'path not found' ? 404 : 500;
+    return c.json({ error: result.error ?? 'failed to open file' }, status);
+  }
+  return c.json({ ok: true, path: body.filePath });
+});
+
 sessionsRoute.get('/:projectId/:sessionId', async (c) => {
   const projectId = c.req.param('projectId');
   const sessionId = c.req.param('sessionId');

package/server/routes/version.ts

@@ -0,0 +1,34 @@
+import { Hono } from 'hono';
+import { runSelfUpdate } from '../lib/update.ts';
+import { getVersionInfo } from '../lib/version.ts';
+
+export const versionRoute = new Hono();
+
+versionRoute.get('/', async (c) => {
+  const refresh = c.req.query('refresh') === '1';
+  const info = await getVersionInfo(refresh);
+  return c.json(info);
+});
+
+versionRoute.post('/update', async (c) => {
+  if (!isAcceptableOrigin(c.req.header('origin'))) {
+    return c.json({ error: 'origin not allowed' }, 403);
+  }
+  const info = await getVersionInfo();
+  if (!info.hasUpdate) {
+    return c.json({ error: 'already up to date' }, 400);
+  }
+  const result = await runSelfUpdate(info.latest);
+  return c.json(result);
+});
+
+function isAcceptableOrigin(origin: string | undefined): boolean {
+  if (!origin) return false;
+  try {
+    const url = new URL(origin);
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
+    return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
+  } catch {
+    return false;
+  }
+}

package/shared/constants.ts

@@ -1,2 +1,7 @@
 export const RECENT_ACTIVITY_WINDOW_MIN = 5;
 export const MAX_SESSION_MESSAGES = 5000;
+
+// Claude Code writes this synthetic `user` record when the operator aborts a turn
+// (Esc / Ctrl-C). It means the turn was *stopped*, not that Claude is still
+// working — so the "working" heuristic treats a trailing interrupt as idle.
+export const INTERRUPTED_MARKER_RE = /^\s*\[Request interrupted by user/;