@zzusp/ccsm 1.0.0 → 1.0.2

package/server/lib/system-tags.ts

@@ -1,20 +1,20 @@
-// Matches text that is purely system-injected wrapper content — local command
-// stdout/stderr replays, runtime system-reminder blocks, and caveat banners.
-// Slash-command invocations (`<command-name>` / `<command-message>` /
-// `<command-args>`) are user-driven and excluded — their `<command-args>` body
-// carries the user's actual prompt.
-export const SYSTEM_TAG_RE = /^\s*<(local-command|system-reminder|caveat)/i;
-
-// Slash-command records carry the user's actual prompt (if any) inside
-// <command-args>BODY</command-args>. Returns the trimmed args body when
-// meaningful; returns '' when the record is just a metadata invocation
-// (/clear, /model, /login with empty args, or legacy shapes that lack a
-// <command-args> tag entirely) so callers can skip the message. Returns the
-// input unchanged for non-slash-command text. `claude resume` applies the
-// same skip when picking its picker labels — without it, titles for older
-// sessions fall on raw XML wrapper text.
-export function pickTitleText(text: string): string {
-  if (!/^\s*<command-(?:name|message|args)>/.test(text)) return text;
-  const m = text.match(/<command-args>([\s\S]*?)<\/command-args>/);
-  return (m?.[1] ?? '').trim();
-}
+// Matches text that is purely system-injected wrapper content — local command
+// stdout/stderr replays, runtime system-reminder blocks, and caveat banners.
+// Slash-command invocations (`<command-name>` / `<command-message>` /
+// `<command-args>`) are user-driven and excluded — their `<command-args>` body
+// carries the user's actual prompt.
+export const SYSTEM_TAG_RE = /^\s*<(local-command|system-reminder|caveat)/i;
+
+// Slash-command records carry the user's actual prompt (if any) inside
+// <command-args>BODY</command-args>. Returns the trimmed args body when
+// meaningful; returns '' when the record is just a metadata invocation
+// (/clear, /model, /login with empty args, or legacy shapes that lack a
+// <command-args> tag entirely) so callers can skip the message. Returns the
+// input unchanged for non-slash-command text. `claude resume` applies the
+// same skip when picking its picker labels — without it, titles for older
+// sessions fall on raw XML wrapper text.
+export function pickTitleText(text: string): string {
+  if (!/^\s*<command-(?:name|message|args)>/.test(text)) return text;
+  const m = text.match(/<command-args>([\s\S]*?)<\/command-args>/);
+  return (m?.[1] ?? '').trim();
+}

package/server/lib/update.ts

@@ -0,0 +1,67 @@
+import { spawn } from 'node:child_process';
+import type { VersionUpdateResult } from '../../shared/types.ts';
+import { getCurrentVersion, PACKAGE_NAME } from './version.ts';
+
+const MAX_OUTPUT = 64_000;
+
+/**
+ * Run `npm install -g <PACKAGE_NAME>@latest` to self-update the global CLI.
+ *
+ * Fixed args, no user input → safe. Windows needs `shell:true` to invoke `npm.cmd`
+ * (Node refuses to spawn `.cmd` without a shell since CVE-2024-27980). A non-zero
+ * exit still resolves (ok:false) so the caller can surface npm's output instead of
+ * swallowing it. The running process keeps serving the OLD code until restarted.
+ */
+export function runSelfUpdate(targetVersion: string | null): Promise<VersionUpdateResult> {
+  const fromVersion = getCurrentVersion();
+  const isWin = process.platform === 'win32';
+
+  return new Promise((resolve) => {
+    let output = '';
+    const append = (buf: Buffer) => {
+      output += buf.toString();
+      if (output.length > MAX_OUTPUT) output = output.slice(-MAX_OUTPUT);
+    };
+
+    let child: ReturnType<typeof spawn>;
+    try {
+      child = spawn('npm', ['install', '-g', `${PACKAGE_NAME}@latest`], {
+        shell: isWin,
+        windowsHide: true,
+      });
+    } catch (err) {
+      resolve({
+        ok: false,
+        fromVersion,
+        toVersion: null,
+        output: (err as Error).message,
+        restartRequired: false,
+      });
+      return;
+    }
+
+    child.stdout?.on('data', append);
+    child.stderr?.on('data', append);
+
+    child.on('error', (err) => {
+      resolve({
+        ok: false,
+        fromVersion,
+        toVersion: null,
+        output: `${output}\n${err.message}`.trim(),
+        restartRequired: false,
+      });
+    });
+
+    child.on('close', (code) => {
+      const ok = code === 0;
+      resolve({
+        ok,
+        fromVersion,
+        toVersion: ok ? targetVersion : null,
+        output: output.trim() || (ok ? 'updated' : `npm exited with code ${code}`),
+        restartRequired: ok,
+      });
+    });
+  });
+}

package/server/lib/version.test.ts

@@ -0,0 +1,39 @@
+import { describe, expect, it } from 'vitest';
+import { compareSemver } from './version.ts';
+
+// compareSemver 是 hasUpdate 判定的唯一依据：latest 比 current 新才提示更新。
+// 这里钉死「更新/不更新/相等」三类边界，外加 `v` 前缀与 pre-release 排序。
+
+describe('compareSemver', () => {
+  it('newer patch / minor / major → positive', () => {
+    expect(compareSemver('1.0.1', '1.0.0')).toBeGreaterThan(0);
+    expect(compareSemver('1.1.0', '1.0.9')).toBeGreaterThan(0);
+    expect(compareSemver('2.0.0', '1.9.9')).toBeGreaterThan(0);
+  });
+
+  it('older → negative', () => {
+    expect(compareSemver('1.0.0', '1.0.1')).toBeLessThan(0);
+    expect(compareSemver('1.0.9', '1.1.0')).toBeLessThan(0);
+  });
+
+  it('equal → 0, regardless of leading v', () => {
+    expect(compareSemver('1.2.3', '1.2.3')).toBe(0);
+    expect(compareSemver('v1.2.3', '1.2.3')).toBe(0);
+    expect(compareSemver('1.2.3', 'v1.2.3')).toBe(0);
+  });
+
+  it('plain release outranks a pre-release of the same core', () => {
+    expect(compareSemver('1.2.0', '1.2.0-rc.1')).toBeGreaterThan(0);
+    expect(compareSemver('1.2.0-rc.1', '1.2.0')).toBeLessThan(0);
+  });
+
+  it('does not flag an update for the same version (the v1.0.0 baseline)', () => {
+    // current == latest must yield hasUpdate=false in the route.
+    expect(compareSemver('1.0.0', '1.0.0') > 0).toBe(false);
+  });
+
+  it('treats missing patch as 0 (1.2 == 1.2.0)', () => {
+    expect(compareSemver('1.2', '1.2.0')).toBe(0);
+    expect(compareSemver('1.3', '1.2.0')).toBeGreaterThan(0);
+  });
+});

package/server/lib/version.ts

@@ -0,0 +1,117 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import type { VersionInfo } from '../../shared/types.ts';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PKG_PATH = path.resolve(__dirname, '..', '..', 'package.json');
+
+const REPO = 'zzusp/claude-code-session';
+export const REPOSITORY_URL = `https://github.com/${REPO}`;
+export const PACKAGE_NAME = '@zzusp/ccsm';
+const RELEASES_API = `https://api.github.com/repos/${REPO}/releases/latest`;
+
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1h — don't hammer GitHub on every page open
+const FETCH_TIMEOUT_MS = 8000;
+
+let cached: { at: number; info: VersionInfo } | null = null;
+
+/** package.json `version` — the single source of truth, same as `ccsm --version`. */
+export function getCurrentVersion(): string {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(PKG_PATH, 'utf8')) as { version?: string };
+    return typeof pkg.version === 'string' ? pkg.version : '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}
+
+interface ParsedVersion {
+  nums: [number, number, number];
+  /** Pre-release tag (everything after the first `-`); '' for a plain release. */
+  pre: string;
+}
+
+function parseVersion(v: string): ParsedVersion {
+  const clean = v.trim().replace(/^v/i, '');
+  const dash = clean.indexOf('-');
+  const core = dash < 0 ? clean : clean.slice(0, dash);
+  const pre = dash < 0 ? '' : clean.slice(dash + 1);
+  const parts = core.split('.').map((n) => parseInt(n, 10) || 0);
+  return { nums: [parts[0] ?? 0, parts[1] ?? 0, parts[2] ?? 0], pre };
+}
+
+/** Minimal semver compare: returns >0 if a is newer than b, <0 if older, 0 if equal. */
+export function compareSemver(a: string, b: string): number {
+  const pa = parseVersion(a);
+  const pb = parseVersion(b);
+  const [a0, a1, a2] = pa.nums;
+  const [b0, b1, b2] = pb.nums;
+  if (a0 !== b0) return a0 - b0;
+  if (a1 !== b1) return a1 - b1;
+  if (a2 !== b2) return a2 - b2;
+  if (pa.pre === pb.pre) return 0;
+  // A plain release outranks any pre-release of the same core (1.2.0 > 1.2.0-rc.1).
+  if (pa.pre === '') return 1;
+  if (pb.pre === '') return -1;
+  return pa.pre < pb.pre ? -1 : 1;
+}
+
+interface GithubRelease {
+  tag_name?: string;
+  name?: string;
+  body?: string;
+  html_url?: string;
+  published_at?: string;
+}
+
+/**
+ * VersionInfo for the UI. Cached for an hour; pass `force` to bypass.
+ * A failed lookup is never cached — it degrades to current-version-only with
+ * `checkError` set, so a later open retries.
+ */
+export async function getVersionInfo(force = false): Promise<VersionInfo> {
+  const current = getCurrentVersion();
+  if (!force && cached && Date.now() - cached.at < CACHE_TTL_MS) {
+    return { ...cached.info, current };
+  }
+
+  const info: VersionInfo = {
+    current,
+    latest: null,
+    hasUpdate: false,
+    releaseName: null,
+    releaseNotes: null,
+    releaseUrl: null,
+    publishedAt: null,
+    repositoryUrl: REPOSITORY_URL,
+    checkError: null,
+  };
+
+  try {
+    const res = await fetch(RELEASES_API, {
+      headers: {
+        accept: 'application/vnd.github+json',
+        'user-agent': `ccsm/${current}`,
+      },
+      signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+    });
+    if (!res.ok) {
+      info.checkError = `GitHub API ${res.status}`;
+      return info;
+    }
+    const data = (await res.json()) as GithubRelease;
+    const latest = (data.tag_name ?? '').trim().replace(/^v/i, '') || null;
+    info.latest = latest;
+    info.releaseName = data.name?.trim() || data.tag_name || null;
+    info.releaseNotes = data.body ?? null;
+    info.releaseUrl = data.html_url ?? null;
+    info.publishedAt = data.published_at ?? null;
+    info.hasUpdate = latest !== null && compareSemver(latest, current) > 0;
+    cached = { at: Date.now(), info };
+    return info;
+  } catch (err) {
+    info.checkError = (err as Error).message || 'version check failed';
+    return info;
+  }
+}

package/server/routes/disk-cleanup.ts

@@ -0,0 +1,54 @@
+import { Hono } from 'hono';
+import {
+  computeCleanupSuggestions,
+  deleteOrphan,
+} from '../lib/cleanup-suggestions.ts';
+import { isSafeId } from '../lib/safe-id.ts';
+import type { DiskOrphanDeleteResult, DiskOrphanKind } from '../types.ts';
+
+export const diskCleanupRoute = new Hono();
+
+diskCleanupRoute.get('/suggestions', async (c) => {
+  const data = await computeCleanupSuggestions();
+  return c.json(data);
+});
+
+diskCleanupRoute.delete('/orphan/:kind/:sid', async (c) => {
+  if (!isAcceptableOrigin(c.req.header('origin'))) {
+    return c.json({ error: 'origin not allowed' }, 403);
+  }
+  const kindParam = c.req.param('kind');
+  const sid = c.req.param('sid');
+  if (!isOrphanKind(kindParam)) {
+    return c.json({ error: 'invalid kind' }, 400);
+  }
+  if (!isSafeId(sid)) {
+    return c.json({ error: 'invalid id' }, 400);
+  }
+  const result = deleteOrphan(kindParam, sid);
+  if (!result.ok) {
+    const status = result.reason === 'orphan no longer exists' ? 404 : 409;
+    return c.json({ error: result.reason }, status);
+  }
+  const payload: DiskOrphanDeleteResult = {
+    sessionId: sid,
+    kind: kindParam,
+    freedBytes: result.freedBytes,
+  };
+  return c.json(payload);
+});
+
+function isOrphanKind(v: string): v is DiskOrphanKind {
+  return v === 'file-history' || v === 'session-env';
+}
+
+function isAcceptableOrigin(origin: string | undefined): boolean {
+  if (!origin) return false;
+  try {
+    const url = new URL(origin);
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
+    return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
+  } catch {
+    return false;
+  }
+}

package/server/routes/disk.ts

@@ -1,9 +1,9 @@
-import { Hono } from 'hono';
-import { computeDiskUsage } from '../lib/disk-usage.ts';
-
-export const diskRoute = new Hono();
-
-diskRoute.get('/', async (c) => {
-  const usage = await computeDiskUsage();
-  return c.json(usage);
-});
+import { Hono } from 'hono';
+import { computeDiskUsage } from '../lib/disk-usage.ts';
+
+export const diskRoute = new Hono();
+
+diskRoute.get('/', async (c) => {
+  const usage = await computeDiskUsage();
+  return c.json(usage);
+});

package/server/routes/import.ts

@@ -1,87 +1,87 @@
-import { Hono } from 'hono';
-import { commitImport, ImportError, previewImport } from '../lib/import-bundle.ts';
-import type { ImportCollisionPolicy } from '../types.ts';
-
-export const importRoute = new Hono();
-
-const POLICIES: ReadonlySet<ImportCollisionPolicy> = new Set([
-  'skip',
-  'overwrite-if-newer',
-  'keep-both',
-]);
-
-importRoute.post('/preview', async (c) => {
-  if (!isAcceptableOrigin(c.req.header('origin'))) {
-    return c.json({ error: 'origin not allowed' }, 403);
-  }
-  let body: { bundleDir?: unknown; targetCwd?: unknown; collisionPolicy?: unknown };
-  try {
-    body = await c.req.json();
-  } catch {
-    return c.json({ error: 'invalid JSON body' }, 400);
-  }
-  if (typeof body.bundleDir !== 'string' || body.bundleDir.trim() === '') {
-    return c.json({ error: 'bundleDir is required' }, 400);
-  }
-  const targetCwd =
-    typeof body.targetCwd === 'string' && body.targetCwd.trim() !== '' ? body.targetCwd : undefined;
-
-  try {
-    const result = await previewImport({
-      bundleDir: body.bundleDir,
-      targetCwd,
-      collisionPolicy: normalizePolicy(body.collisionPolicy),
-    });
-    return c.json(result);
-  } catch (err) {
-    if (err instanceof ImportError) return c.json({ error: err.message }, 400);
-    throw err;
-  }
-});
-
-importRoute.post('/', async (c) => {
-  if (!isAcceptableOrigin(c.req.header('origin'))) {
-    return c.json({ error: 'origin not allowed' }, 403);
-  }
-  let body: { bundleDir?: unknown; targetCwd?: unknown; collisionPolicy?: unknown };
-  try {
-    body = await c.req.json();
-  } catch {
-    return c.json({ error: 'invalid JSON body' }, 400);
-  }
-  if (typeof body.bundleDir !== 'string' || body.bundleDir.trim() === '') {
-    return c.json({ error: 'bundleDir is required' }, 400);
-  }
-  if (typeof body.targetCwd !== 'string' || body.targetCwd.trim() === '') {
-    return c.json({ error: 'targetCwd is required' }, 400);
-  }
-
-  try {
-    const result = await commitImport({
-      bundleDir: body.bundleDir,
-      targetCwd: body.targetCwd,
-      collisionPolicy: normalizePolicy(body.collisionPolicy),
-    });
-    return c.json(result);
-  } catch (err) {
-    if (err instanceof ImportError) return c.json({ error: err.message }, 400);
-    throw err;
-  }
-});
-
-function normalizePolicy(raw: unknown): ImportCollisionPolicy {
-  return typeof raw === 'string' && POLICIES.has(raw as ImportCollisionPolicy)
-    ? (raw as ImportCollisionPolicy)
-    : 'skip';
-}
-
-function isAcceptableOrigin(origin: string | undefined): boolean {
-  if (!origin) return false;
-  try {
-    const url = new URL(origin);
-    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
-    return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
-  } catch {
-    return false;
-  }
-}
+import { Hono } from 'hono';
+import { commitImport, ImportError, previewImport } from '../lib/import-bundle.ts';
+import type { ImportCollisionPolicy } from '../types.ts';
+
+export const importRoute = new Hono();
+
+const POLICIES: ReadonlySet<ImportCollisionPolicy> = new Set([
+  'skip',
+  'overwrite-if-newer',
+  'keep-both',
+]);
+
+importRoute.post('/preview', async (c) => {
+  if (!isAcceptableOrigin(c.req.header('origin'))) {
+    return c.json({ error: 'origin not allowed' }, 403);
+  }
+  let body: { bundleDir?: unknown; targetCwd?: unknown; collisionPolicy?: unknown };
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ error: 'invalid JSON body' }, 400);
+  }
+  if (typeof body.bundleDir !== 'string' || body.bundleDir.trim() === '') {
+    return c.json({ error: 'bundleDir is required' }, 400);
+  }
+  const targetCwd =
+    typeof body.targetCwd === 'string' && body.targetCwd.trim() !== '' ? body.targetCwd : undefined;
+
+  try {
+    const result = await previewImport({
+      bundleDir: body.bundleDir,
+      targetCwd,
+      collisionPolicy: normalizePolicy(body.collisionPolicy),
+    });
+    return c.json(result);
+  } catch (err) {
+    if (err instanceof ImportError) return c.json({ error: err.message }, 400);
+    throw err;
+  }
+});
+
+importRoute.post('/', async (c) => {
+  if (!isAcceptableOrigin(c.req.header('origin'))) {
+    return c.json({ error: 'origin not allowed' }, 403);
+  }
+  let body: { bundleDir?: unknown; targetCwd?: unknown; collisionPolicy?: unknown };
+  try {
+    body = await c.req.json();
+  } catch {
+    return c.json({ error: 'invalid JSON body' }, 400);
+  }
+  if (typeof body.bundleDir !== 'string' || body.bundleDir.trim() === '') {
+    return c.json({ error: 'bundleDir is required' }, 400);
+  }
+  if (typeof body.targetCwd !== 'string' || body.targetCwd.trim() === '') {
+    return c.json({ error: 'targetCwd is required' }, 400);
+  }
+
+  try {
+    const result = await commitImport({
+      bundleDir: body.bundleDir,
+      targetCwd: body.targetCwd,
+      collisionPolicy: normalizePolicy(body.collisionPolicy),
+    });
+    return c.json(result);
+  } catch (err) {
+    if (err instanceof ImportError) return c.json({ error: err.message }, 400);
+    throw err;
+  }
+});
+
+function normalizePolicy(raw: unknown): ImportCollisionPolicy {
+  return typeof raw === 'string' && POLICIES.has(raw as ImportCollisionPolicy)
+    ? (raw as ImportCollisionPolicy)
+    : 'skip';
+}
+
+function isAcceptableOrigin(origin: string | undefined): boolean {
+  if (!origin) return false;
+  try {
+    const url = new URL(origin);
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
+    return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
+  } catch {
+    return false;
+  }
+}