ai-cli-online 2.5.0 → 2.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-cli-online",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "AI-Cli Online - Web Terminal for Claude Code via xterm.js + tmux",
   "license": "MIT",
   "bin": {

package/server/dist/db.d.ts

@@ -4,4 +4,10 @@ export declare function getDraft(sessionName: string): string;
 export declare function saveDraft(sessionName: string, content: string): void;
 export declare function deleteDraft(sessionName: string): void;
 export declare function cleanupOldDrafts(maxAgeDays?: number): number;
+export declare function getAnnotation(sessionName: string, filePath: string): {
+    content: string;
+    updatedAt: number;
+} | null;
+export declare function saveAnnotation(sessionName: string, filePath: string, content: string, updatedAt: number): void;
+export declare function cleanupOldAnnotations(maxAgeDays?: number): number;
 export declare function closeDb(): void;

package/server/dist/db.js

@@ -26,6 +26,23 @@ db.exec(`
     PRIMARY KEY (token_hash, key)
   )
 `);
+db.exec(`
+  CREATE TABLE IF NOT EXISTS annotations (
+    session_name TEXT NOT NULL,
+    file_path TEXT NOT NULL,
+    content TEXT NOT NULL DEFAULT '{}',
+    updated_at INTEGER NOT NULL,
+    PRIMARY KEY (session_name, file_path)
+  )
+`);
+// --- Annotations statements ---
+const stmtAnnGet = db.prepare('SELECT content, updated_at FROM annotations WHERE session_name = ? AND file_path = ?');
+const stmtAnnUpsert = db.prepare(`
+  INSERT INTO annotations (session_name, file_path, content, updated_at) VALUES (?, ?, ?, ?)
+  ON CONFLICT(session_name, file_path) DO UPDATE SET content = excluded.content, updated_at = excluded.updated_at
+`);
+const stmtAnnDelete = db.prepare('DELETE FROM annotations WHERE session_name = ? AND file_path = ?');
+const stmtAnnCleanup = db.prepare('DELETE FROM annotations WHERE updated_at < ?');
 // --- Drafts statements ---
 const stmtGet = db.prepare('SELECT content FROM drafts WHERE session_name = ?');
 const stmtUpsert = db.prepare(`
@@ -68,6 +85,24 @@ export function cleanupOldDrafts(maxAgeDays = 7) {
     const result = stmtCleanup.run(cutoff);
     return result.changes;
 }
+// --- Annotation functions ---
+export function getAnnotation(sessionName, filePath) {
+    const row = stmtAnnGet.get(sessionName, filePath);
+    return row ? { content: row.content, updatedAt: row.updated_at } : null;
+}
+export function saveAnnotation(sessionName, filePath, content, updatedAt) {
+    if (!content || content === '{}' || content === '{"additions":[],"deletions":[]}') {
+        stmtAnnDelete.run(sessionName, filePath);
+    }
+    else {
+        stmtAnnUpsert.run(sessionName, filePath, content, updatedAt);
+    }
+}
+export function cleanupOldAnnotations(maxAgeDays = 7) {
+    const cutoff = Date.now() - maxAgeDays * 24 * 60 * 60 * 1000;
+    const result = stmtAnnCleanup.run(cutoff);
+    return result.changes;
+}
 export function closeDb() {
     db.close();
 }

package/server/dist/files.d.ts

@@ -17,3 +17,5 @@ export declare function listFiles(dirPath: string): Promise<ListFilesResult>;
  * We resolve the path and ensure it's an absolute path that exists.
  */
 export declare function validatePath(requested: string, baseCwd: string): Promise<string | null>;
+/** Validate a path that may not exist yet (for touch/mkdir). Uses realpath on baseCwd only. */
+export declare function validateNewPath(requested: string, baseCwd: string): Promise<string | null>;

package/server/dist/files.js

@@ -59,3 +59,17 @@ export async function validatePath(requested, baseCwd) {
         return null;
     }
 }
+/** Validate a path that may not exist yet (for touch/mkdir). Uses realpath on baseCwd only. */
+export async function validateNewPath(requested, baseCwd) {
+    try {
+        const realBase = await realpath(baseCwd);
+        const resolved = resolve(realBase, requested);
+        if (resolved !== realBase && !resolved.startsWith(realBase + '/')) {
+            return null;
+        }
+        return resolved;
+    }
+    catch {
+        return null;
+    }
+}

package/server/dist/index.js

@@ -8,14 +8,15 @@ import rateLimit from 'express-rate-limit';
 import multer from 'multer';
 import { config } from 'dotenv';
 import { existsSync, readFileSync, createReadStream } from 'fs';
-import { copyFile, unlink, stat, mkdir, readFile, writeFile } from 'fs/promises';
+import { spawn } from 'child_process';
+import { copyFile, unlink, stat, mkdir, readFile, writeFile, rm } from 'fs/promises';
 import { join, dirname, basename, extname } from 'path';
 import { fileURLToPath } from 'url';
 import { createHash } from 'crypto';
 import { setupWebSocket, getActiveSessionNames, clearWsIntervals } from './websocket.js';
 import { isTmuxAvailable, listSessions, buildSessionName, killSession, isValidSessionId, cleanupStaleSessions, getCwd, getPaneCommand } from './tmux.js';
-import { listFiles, validatePath, MAX_DOWNLOAD_SIZE, MAX_UPLOAD_SIZE } from './files.js';
-import { getDraft, saveDraft as saveDraftDb, deleteDraft, cleanupOldDrafts, getSetting, saveSetting, closeDb } from './db.js';
+import { listFiles, validatePath, validateNewPath, MAX_DOWNLOAD_SIZE, MAX_UPLOAD_SIZE } from './files.js';
+import { getDraft, saveDraft as saveDraftDb, deleteDraft, cleanupOldDrafts, getSetting, saveSetting, getAnnotation, saveAnnotation, cleanupOldAnnotations, closeDb } from './db.js';
 import { safeTokenCompare } from './auth.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 config();
@@ -58,7 +59,7 @@ async function main() {
                 defaultSrc: ["'self'"],
                 scriptSrc: ["'self'", "https://cdn.jsdelivr.net", "https://unpkg.com"],
                 styleSrc: ["'self'", "'unsafe-inline'"],
-                imgSrc: ["'self'", "https:", "data:"],
+                imgSrc: ["'self'", "https:", "data:", "blob:"],
                 connectSrc: ["'self'", "wss:", "ws:"],
             },
         },
@@ -178,13 +179,24 @@ async function main() {
         try {
             const cwd = await getCwd(sessionName);
             const subPath = req.query.path || '';
-            const targetDir = subPath ? await validatePath(subPath, cwd) : cwd;
+            let targetDir = null;
+            if (subPath) {
+                targetDir = await validatePath(subPath, cwd);
+                // Fallback: allow absolute paths under HOME (e.g., ~/.claude/commands)
+                if (!targetDir) {
+                    const home = process.env.HOME || '/root';
+                    targetDir = await validatePath(subPath, home);
+                }
+            }
+            else {
+                targetDir = cwd;
+            }
             if (!targetDir) {
                 res.status(400).json({ error: 'Invalid path' });
                 return;
             }
             const { files, truncated } = await listFiles(targetDir);
-            res.json({ cwd: targetDir, files, truncated });
+            res.json({ cwd: targetDir, home: process.env.HOME || '/root', files, truncated });
         }
         catch (err) {
             console.error(`[api:files] ${sessionName}:`, err);
@@ -266,6 +278,36 @@ async function main() {
             res.status(404).json({ error: 'File not found' });
         }
     });
+    // Download CWD as tar.gz
+    app.get('/api/sessions/:sessionId/download-cwd', async (req, res) => {
+        const sessionName = resolveSession(req, res);
+        if (!sessionName)
+            return;
+        try {
+            const cwd = await getCwd(sessionName);
+            const dirName = basename(cwd);
+            res.setHeader('Content-Type', 'application/gzip');
+            res.setHeader('Content-Disposition', `attachment; filename="${encodeURIComponent(dirName)}.tar.gz"`);
+            const tar = spawn('tar', ['czf', '-', '-C', cwd, '.'], { stdio: ['ignore', 'pipe', 'pipe'] });
+            tar.stdout.pipe(res);
+            tar.stderr.on('data', (data) => console.error(`[tar stderr] ${data}`));
+            tar.on('error', (err) => {
+                console.error('[api:download-cwd] tar error:', err);
+                if (!res.headersSent)
+                    res.status(500).json({ error: 'Failed to create archive' });
+            });
+            tar.on('close', (code) => {
+                if (code !== 0 && !res.headersSent) {
+                    res.status(500).json({ error: 'Archive creation failed' });
+                }
+            });
+        }
+        catch (err) {
+            console.error(`[api:download-cwd] ${sessionName}:`, err);
+            if (!res.headersSent)
+                res.status(500).json({ error: 'Failed to download' });
+        }
+    });
     // --- Draft API ---
     // Get draft for a session
     app.get('/api/sessions/:sessionId/draft', (req, res) => {
@@ -288,6 +330,37 @@ async function main() {
         saveDraftDb(sessionName, content);
         res.json({ ok: true });
     });
+    // --- Annotations API ---
+    // Get annotation for a file
+    app.get('/api/sessions/:sessionId/annotations', (req, res) => {
+        const sessionName = resolveSession(req, res);
+        if (!sessionName)
+            return;
+        const filePath = req.query.path;
+        if (!filePath) {
+            res.status(400).json({ error: 'path query parameter required' });
+            return;
+        }
+        const result = getAnnotation(sessionName, filePath);
+        res.json(result || { content: null, updatedAt: 0 });
+    });
+    // Save (upsert) annotation for a file
+    app.put('/api/sessions/:sessionId/annotations', (req, res) => {
+        const sessionName = resolveSession(req, res);
+        if (!sessionName)
+            return;
+        const { path: filePath, content, updatedAt } = req.body;
+        if (!filePath || typeof filePath !== 'string') {
+            res.status(400).json({ error: 'path must be a string' });
+            return;
+        }
+        if (typeof content !== 'string') {
+            res.status(400).json({ error: 'content must be a string' });
+            return;
+        }
+        saveAnnotation(sessionName, filePath, content, updatedAt || Date.now());
+        res.json({ ok: true });
+    });
     // --- Pane command API ---
     // Get current pane command (to detect if claude is running)
     app.get('/api/sessions/:sessionId/pane-command', async (req, res) => {
@@ -309,14 +382,20 @@ async function main() {
             return;
         try {
             const { name } = req.body;
-            if (!name || typeof name !== 'string' || name.includes('/') || name.includes('..')) {
+            if (!name || typeof name !== 'string' || name.includes('..')) {
                 res.status(400).json({ error: 'Invalid filename' });
                 return;
             }
             const cwd = await getCwd(sessionName);
-            const fullPath = join(cwd, name);
-            await writeFile(fullPath, '', { flag: 'wx' }); // create exclusively
-            res.json({ ok: true, path: fullPath });
+            const resolved = await validateNewPath(join(cwd, name), cwd);
+            if (!resolved) {
+                res.status(400).json({ error: 'Invalid path' });
+                return;
+            }
+            // Ensure parent directory exists (supports paths like "PLAN/INDEX.md")
+            await mkdir(dirname(resolved), { recursive: true });
+            await writeFile(resolved, '', { flag: 'wx' }); // create exclusively
+            res.json({ ok: true, path: resolved });
         }
         catch (err) {
             if (err && typeof err === 'object' && 'code' in err && err.code === 'EEXIST') {
@@ -329,6 +408,62 @@ async function main() {
             }
         }
     });
+    // --- Mkdir (create directory) API ---
+    app.post('/api/sessions/:sessionId/mkdir', async (req, res) => {
+        const sessionName = resolveSession(req, res);
+        if (!sessionName)
+            return;
+        try {
+            const { path: dirPath } = req.body;
+            if (!dirPath || typeof dirPath !== 'string' || dirPath.includes('..')) {
+                res.status(400).json({ error: 'Invalid path' });
+                return;
+            }
+            const cwd = await getCwd(sessionName);
+            const resolved = await validateNewPath(join(cwd, dirPath), cwd);
+            if (!resolved) {
+                res.status(400).json({ error: 'Invalid path' });
+                return;
+            }
+            await mkdir(resolved, { recursive: true });
+            res.json({ ok: true, path: resolved });
+        }
+        catch (err) {
+            console.error(`[api:mkdir] ${sessionName}:`, err);
+            res.status(500).json({ error: 'Failed to create directory' });
+        }
+    });
+    // --- Delete file/directory API ---
+    app.delete('/api/sessions/:sessionId/rm', async (req, res) => {
+        const sessionName = resolveSession(req, res);
+        if (!sessionName)
+            return;
+        try {
+            const { path: rmPath } = req.body;
+            if (!rmPath || typeof rmPath !== 'string' || rmPath.includes('..')) {
+                res.status(400).json({ error: 'Invalid path' });
+                return;
+            }
+            const cwd = await getCwd(sessionName);
+            const resolved = await validatePath(rmPath, cwd);
+            if (!resolved) {
+                res.status(400).json({ error: 'Invalid path' });
+                return;
+            }
+            const fileStat = await stat(resolved);
+            if (fileStat.isDirectory()) {
+                await rm(resolved, { recursive: true });
+            }
+            else {
+                await unlink(resolved);
+            }
+            res.json({ ok: true });
+        }
+        catch (err) {
+            console.error(`[api:rm] ${sessionName}:`, err);
+            res.status(500).json({ error: 'Failed to delete' });
+        }
+    });
     // --- Settings API ---
     /** Hash token for settings storage (same prefix as tmux session names) */
     function tokenHash(token) {
@@ -530,6 +665,12 @@ async function main() {
             catch (e) {
                 console.error('[cleanup:drafts]', e);
             }
+            try {
+                cleanupOldAnnotations(7);
+            }
+            catch (e) {
+                console.error('[cleanup:annotations]', e);
+            }
         }, CLEANUP_INTERVAL);
         console.log(`Session TTL: ${SESSION_TTL_HOURS}h (cleanup every hour)`);
     }

package/server/dist/websocket.js

@@ -4,16 +4,7 @@ import { validatePath } from './files.js';
 import { createReadStream } from 'fs';
 import { stat as fsStat } from 'fs/promises';
 import { PtySession } from './pty.js';
-/**
- * Binary protocol for hot-path messages (output/input/scrollback).
- * Format: [1-byte type prefix][raw UTF-8 payload]
- * JSON is kept for low-frequency control messages.
- */
-const BIN_TYPE_OUTPUT = 0x01;
-const BIN_TYPE_INPUT = 0x02;
-const BIN_TYPE_SCROLLBACK = 0x03;
-const BIN_TYPE_SCROLLBACK_CONTENT = 0x04;
-const BIN_TYPE_FILE_CHUNK = 0x05;
+import { BIN_TYPE_OUTPUT, BIN_TYPE_INPUT, BIN_TYPE_SCROLLBACK, BIN_TYPE_SCROLLBACK_CONTENT, BIN_TYPE_FILE_CHUNK } from 'ai-cli-online-shared';
 const MAX_STREAM_SIZE = 50 * 1024 * 1024; // 50MB
 const STREAM_CHUNK_SIZE = 64 * 1024; // 64KB highWaterMark
 const STREAM_HIGH_WATER = 1024 * 1024; // 1MB backpressure threshold
@@ -131,6 +122,7 @@ export function setupWebSocket(wss, authToken, defaultCwd, tokenCompare, maxConn
         const rows = 24;
         const rawSessionId = url.searchParams.get('sessionId') || undefined;
         const sessionId = rawSessionId && isValidSessionId(rawSessionId) ? rawSessionId : undefined;
+        const clientCwd = url.searchParams.get('cwd') || undefined;
         if (rawSessionId && !sessionId) {
             console.log(`[WS] Invalid sessionId rejected: ${rawSessionId}`);
             ws.close(4004, 'Invalid sessionId');
@@ -179,7 +171,7 @@ export function setupWebSocket(wss, authToken, defaultCwd, tokenCompare, maxConn
                 // Check or create tmux session
                 const resumed = await hasSession(sessionName);
                 if (!resumed) {
-                    await createSession(sessionName, cols, rows, defaultCwd);
+                    await createSession(sessionName, cols, rows, clientCwd || defaultCwd);
                 }
                 else {
                     // resizeSession, captureScrollback, and configureSession are independent — run in parallel

package/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-cli-online-server",
-  "version": "2.4.0",
+  "version": "2.6.0",
   "description": "CLI-Online Backend Server",
   "main": "dist/index.js",
   "type": "module",

package/shared/dist/types.d.ts

@@ -1,3 +1,12 @@
+/**
+ * Binary protocol type prefixes for hot-path WebSocket messages.
+ * Format: [1-byte type prefix][raw UTF-8 payload]
+ */
+export declare const BIN_TYPE_OUTPUT = 1;
+export declare const BIN_TYPE_INPUT = 2;
+export declare const BIN_TYPE_SCROLLBACK = 3;
+export declare const BIN_TYPE_SCROLLBACK_CONTENT = 4;
+export declare const BIN_TYPE_FILE_CHUNK = 5;
 export interface FileEntry {
     name: string;
     type: 'file' | 'directory';

package/shared/dist/types.js

@@ -1 +1,9 @@
-export {};
+/**
+ * Binary protocol type prefixes for hot-path WebSocket messages.
+ * Format: [1-byte type prefix][raw UTF-8 payload]
+ */
+export const BIN_TYPE_OUTPUT = 0x01;
+export const BIN_TYPE_INPUT = 0x02;
+export const BIN_TYPE_SCROLLBACK = 0x03;
+export const BIN_TYPE_SCROLLBACK_CONTENT = 0x04;
+export const BIN_TYPE_FILE_CHUNK = 0x05;