atris 3.2.0 → 3.11.0

package/commands/context-sync.js

@@ -281,6 +281,11 @@ async function businessLog(slug) {
 }
 
 
+/**
+ * Convert ISO timestamp to human-readable relative time (e.g., "5m ago").
+ * @param {string} isoString - ISO 8601 timestamp
+ * @returns {string|null} Relative time string, or null if no input
+ */
 function _timeSince(isoString) {
   if (!isoString) return null;
   const diff = Date.now() - new Date(isoString).getTime();

package/commands/integrations.js

@@ -10,20 +10,25 @@
  *   atris slack channels    - List Slack channels
  */
 
-const { loadCredentials } = require('../utils/auth');
+const { loadCredentials, ensureValidCredentials } = require('../utils/auth');
 const { apiRequestJson } = require('../utils/api');
 
-function getAuth() {
-  const creds = loadCredentials();
+async function getAuth() {
+  const ensured = await ensureValidCredentials(apiRequestJson);
+  const creds = ensured.error ? null : ensured.credentials;
   if (!creds || !creds.token) {
-    console.error('Not logged in. Run: atris login');
+    if (ensured.error && ensured.error !== 'not_logged_in') {
+      console.error(`Authentication failed: ${ensured.detail || ensured.error}. Run: atris login`);
+    } else {
+      console.error('Not logged in. Run: atris login');
+    }
     process.exit(1);
   }
   return { token: creds.token, email: creds.email || 'unknown' };
 }
 
 async function getAuthToken() {
-  return getAuth().token;
+  return (await getAuth()).token;
 }
 
 // ============================================================================
@@ -31,7 +36,7 @@ async function getAuthToken() {
 // ============================================================================
 
 async function gmailInbox(options = {}) {
-  const { token, email } = getAuth();
+  const { token, email } = await getAuth();
   const limit = options.limit || 10;
 
   console.log('📬 Fetching inbox...\n');
@@ -129,7 +134,7 @@ async function gmailCommand(subcommand, ...args) {
 // ============================================================================
 
 async function calendarToday() {
-  const { token, email } = getAuth();
+  const { token, email } = await getAuth();
 
   console.log('📅 Today\'s events:\n');
 
@@ -224,7 +229,7 @@ async function twitterPost(text) {
 
   if (!result.ok) {
     if (result.status === 400 || result.status === 401) {
-      const { email } = getAuth();
+      const { email } = await getAuth();
       console.error(`Twitter not connected for ${email}.`);
       console.error('Connect at: https://atris.ai/dashboard/settings');
       console.error(`Make sure you're signed in as ${email} on the web.`);
@@ -268,7 +273,7 @@ async function slackChannels() {
 
   if (!result.ok) {
     if (result.status === 400 || result.status === 401) {
-      const { email } = getAuth();
+      const { email } = await getAuth();
       console.error(`Slack not connected for ${email}.`);
       console.error('Connect at: https://atris.ai/dashboard/settings');
       console.error(`Make sure you're signed in as ${email} on the web.`);

package/commands/lifecycle.js

@@ -3,6 +3,10 @@ const path = require('path');
 const { loadCredentials } = require('../utils/auth');
 const { apiRequestJson } = require('../utils/api');
 
+/**
+ * Resolve business slug from CLI arg or local .atris/business.json.
+ * @returns {string|null} The resolved slug, or null if not found.
+ */
 function resolveSlug() {
   let slug = process.argv[3];
   if (!slug || slug.startsWith('-')) {
@@ -18,6 +22,10 @@ function resolveSlug() {
   return slug;
 }
 
+/**
+ * Pause a workspace to save compute (storage only mode).
+ * @returns {Promise<void>}
+ */
 async function sleepAtris() {
   const slug = resolveSlug();
 
@@ -45,6 +53,10 @@ async function sleepAtris() {
   console.log('Compute paused. Storage only — pennies/day.');
 }
 
+/**
+ * Wake a sleeping workspace so agents resume automatically.
+ * @returns {Promise<void>}
+ */
 async function wakeAtris() {
   const slug = resolveSlug();
 

package/commands/plugin.js

@@ -6,6 +6,11 @@ const { findAllSkills, parseFrontmatter } = require('./skill');
 
 // --- Recursive Copy Helper ---
 
+/**
+ * Recursively copy a directory, skipping .DS_Store and .git.
+ * @param {string} src - Source directory path
+ * @param {string} dest - Destination directory path
+ */
 function copyRecursive(src, dest) {
   fs.mkdirSync(dest, { recursive: true });
   const entries = fs.readdirSync(src);
@@ -23,6 +28,12 @@ function copyRecursive(src, dest) {
 
 // --- Generate plugin.json manifest ---
 
+/**
+ * Generate plugin.json manifest from discovered skills.
+ * @param {Array} skills - Array of skill objects
+ * @param {string} projectDir - Project root directory
+ * @returns {Object} Plugin manifest object
+ */
 function generateManifest(skills, projectDir) {
   let pkg = {};
   const pkgPath = path.join(projectDir, 'package.json');
@@ -44,6 +55,10 @@ function generateManifest(skills, projectDir) {
 
 // --- Generate /atris-setup command ---
 
+/**
+ * Generate the /atris-setup skill markdown for workspace bootstrapping.
+ * @returns {string} Skill markdown content
+ */
 function generateSetupCommand() {
   return `---
 description: Set up Atris authentication and connect integrations (Gmail, Calendar, Slack, Notion, Drive)
@@ -113,6 +128,11 @@ Tell the user which integrations are connected and which still need setup. They
 
 // --- Generate README.md ---
 
+/**
+ * Generate README.md for the plugin package.
+ * @param {Array} skills - Array of discovered skills
+ * @returns {string} README markdown content
+ */
 function generateREADME(skills) {
   const skillList = skills.map(s => {
     const fm = s.frontmatter || {};
@@ -149,6 +169,10 @@ ${skillList}
 
 // --- BUILD subcommand ---
 
+/**
+ * Build the plugin package from atris/skills into dist/.
+ * @param {...string} args - CLI arguments
+ */
 function buildPlugin(...args) {
   const projectDir = process.cwd();
   const atrisDir = path.join(projectDir, 'atris');

package/commands/pull.js

@@ -9,6 +9,8 @@ const { parseJournalSections, mergeSections, reconstructJournal } = require('../
 const { loadBusinesses } = require('./business');
 const { loadManifest, saveManifest, computeFileHash, buildManifest, computeLocalHashes, threeWayCompare } = require('../lib/manifest');
 const { normalizeWikiOnlyPrefix } = require('../lib/wiki');
+const { emitSyncEvent, startTimer } = require('../lib/sync-telemetry');
+const { resolveSafeOutputDir } = require('../lib/workspace-safety');
 
 function pruneEmptyParentDirs(filePath, stopDir) {
   let current = path.dirname(filePath);
@@ -114,6 +116,7 @@ async function pullAtris() {
 
 
 async function pullBusiness(slug) {
+  const elapsedMs = startTimer();
   const creds = loadCredentials();
   if (!creds || !creds.token) {
     console.error('Not logged in. Run: atris login');
@@ -161,22 +164,44 @@ async function pullBusiness(slug) {
   }
   const timeoutMs = timeoutSec * 1000;
 
-  // Determine output directory
+  // Determine output directory.
+  //
+  // We only reuse the current working directory when we can prove it's the
+  // correct workspace for THIS business — i.e. it has a `.atris/business.json`
+  // whose slug matches `slug`. Any other signal (a stray `atris/` folder, a
+  // business.json for a different business, etc.) is NOT enough: pulling
+  // atris-labs-1 on top of a pallet workspace would mix two businesses into
+  // one directory and write pallet's manifest over atris-labs-1's (or vice
+  // versa), causing the next sync to do strange things.
+  //
+  // Fallback: create a fresh ./{slug}/ subdir. Always safe — even if cwd is
+  // $HOME or /tmp, we land in a dedicated subfolder.
   const intoIdx = process.argv.indexOf('--into');
   let outputDir;
   if (intoIdx !== -1 && process.argv[intoIdx + 1]) {
     outputDir = path.resolve(process.argv[intoIdx + 1]);
-  } else if (fs.existsSync(path.join(process.cwd(), '.atris', 'business.json'))) {
-    // Inside a pulled workspace — pull into current dir (no nesting)
-    outputDir = process.cwd();
-  } else if (fs.existsSync(path.join(process.cwd(), 'atris')) && fs.statSync(path.join(process.cwd(), 'atris')).isDirectory()) {
-    // Inside an atris init'd workspace — merge business into current dir
-    outputDir = process.cwd();
   } else {
-    // Default: ./{slug}/ in current directory
-    outputDir = path.join(process.cwd(), slug);
+    const bizFile = path.join(process.cwd(), '.atris', 'business.json');
+    let cwdMatchesSlug = false;
+    if (fs.existsSync(bizFile)) {
+      try {
+        const biz = JSON.parse(fs.readFileSync(bizFile, 'utf8'));
+        const cwdSlug = biz.slug || biz.name;
+        cwdMatchesSlug = cwdSlug === slug;
+      } catch {
+        // Corrupt business.json — ignore, treat as no match.
+      }
+    }
+    outputDir = cwdMatchesSlug ? process.cwd() : path.join(process.cwd(), slug);
   }
 
+  // Auto-relocate if the resolved outputDir is dangerous ($HOME, /, /Users,
+  // system dirs, reserved home folders). Non-technical users shouldn't have
+  // to know about mkdir/cd — atris picks a safe subdir and tells them.
+  // Paired with the manifest-scoped sweep below, this makes it impossible
+  // for a stray cwd to cause atris to delete user files.
+  ({ dir: outputDir } = resolveSafeOutputDir(outputDir, { slug, op: 'pull into' }));
+
   // Resolve business ID — always refresh from API to avoid stale workspace_id
   let businessId, workspaceId, businessName, resolvedSlug;
   const businesses = loadBusinesses();
@@ -223,6 +248,11 @@ async function pullBusiness(slug) {
     process.exit(1);
   }
 
+  // Telemetry helper — captures wall-clock time including wake.
+  let _coldWake = false;
+  const emit = (outcome, extras = {}) =>
+    emitSyncEvent(creds.token, businessId, workspaceId, 'pull', outcome, elapsedMs(), extras);
+
   // Auto-wake the EC2 computer if --auto-wake is set.
   // Without this, pull silently serves stale data from agent_files cache when
   // the computer is asleep — the bug that confused us all night.
@@ -232,6 +262,7 @@ async function pullBusiness(slug) {
     const computerStatus = statusResult.ok && statusResult.data ? statusResult.data.status : 'unknown';
     if (computerStatus !== 'running' || !(statusResult.data && statusResult.data.endpoint)) {
       process.stdout.write('  Waking EC2 computer... ');
+      _coldWake = true;
       await apiRequestJson(`/business/${businessId}/ai-computer/wake`, { method: 'POST', token: creds.token });
       const wakeStart = Date.now();
       while (Date.now() - wakeStart < 90000) {
@@ -355,20 +386,30 @@ async function pullBusiness(slug) {
 
   if (!result.ok) {
     const msg = result.errorMessage || result.error || `HTTP ${result.status}`;
+    let outcome = 'status_unknown';
     if (result.status === 0 || (typeof msg === 'string' && msg.toLowerCase().includes('timeout'))) {
       console.error(`\n  Workspace timed out (large workspaces can take 60s+). Try: atris pull ${slug} --timeout=600`);
+      outcome = 'hang';
     } else if (result.status === 502) {
       console.error(`\n  Computer didn't respond in time. It may be waking up or the workspace is large.`);
       console.error(`  Try again in 30s, or use: atris pull ${slug} --only=team/,context/`);
+      outcome = 'cold_wake';
     } else if (result.status === 409) {
       console.error(`\n  Computer is sleeping. Wake it first, then pull again.`);
+      outcome = 'cold_wake';
     } else if (result.status === 403) {
       console.error(`\n  Access denied. You're not a member of "${slug}".`);
+      outcome = 'access_denied';
     } else if (result.status === 404) {
       console.error(`\n  Business "${slug}" not found.`);
+      outcome = 'status_unknown';
+    } else if (result.status === 429) {
+      console.error(`\n  Pull failed: ${msg}`);
+      outcome = 'rate_limited';
     } else {
       console.error(`\n  Pull failed: ${msg}`);
     }
+    await emit(outcome, { error_detail: `${result.status}: ${msg}`.slice(0, 500) });
     process.exit(1);
   }
 
@@ -379,7 +420,10 @@ async function pullBusiness(slug) {
     // mirror sweep so a genuinely-emptied cloud can clear local files. The
     // sweep itself has a safety guard that refuses to wipe local content
     // when remote reports empty (the snapshot-glitch case), so this is safe.
-    if (!force) return;
+    if (!force) {
+      await emit(_coldWake ? 'cold_wake' : 'success', { files_unchanged: 0 });
+      return;
+    }
   } else {
     console.log(`  Processing ${files.length} files...`);
   }
@@ -543,14 +587,27 @@ async function pullBusiness(slug) {
   }
   if (force) {
     const remotePathSet = new Set(Object.keys(remoteFiles));
+
+    // SAFETY: only sweep files atris previously wrote (recorded in the
+    // manifest). Local-only files that were never on cloud are the user's
+    // own — atris didn't put them there, atris doesn't delete them. This
+    // makes it impossible for a stray cwd (e.g. $HOME) to cause atris to
+    // wipe ~/Library, ~/Downloads, etc.
+    //
+    // If there's no prior manifest (first pull), there's nothing to sweep —
+    // threeWayCompare already handled newRemote/conflicts/newLocal, and we
+    // have no basis for claiming ownership of any local-only file.
+    const managedPaths = manifest && manifest.files ? Object.keys(manifest.files) : [];
+    const sweepCandidates = managedPaths.filter(isInScope).filter((p) => localFiles[p]);
     const inScopeLocal = Object.keys(localFiles).filter(isInScope);
+
     if (remotePathSet.size === 0 && inScopeLocal.length > 0) {
       console.log('');
       console.log('  ⚠ Cloud reported zero files but local has in-scope content. Refusing to sweep.');
       console.log('    This usually means the snapshot endpoint glitched. Try again,');
       console.log('    or run `atris align --hard` if you really want to nuke local.');
     } else {
-      for (const p of inScopeLocal) {
+      for (const p of sweepCandidates) {
         if (remotePathSet.has(p)) continue;
         if (SERVER_HIDDEN_BASENAMES.has(basename(p))) continue;
         const localPath = path.join(outputDir, p.replace(/^\//, ''));
@@ -702,6 +759,24 @@ async function pullBusiness(slug) {
     }
   }
 
+  // Telemetry — only count files where content actually came over the wire
+  // (smart-pull skips unchanged files and just sends a hash). Counting all
+  // remoteFiles here would dwarf the real signal once smart-pull steady-state
+  // is normal (< 1% of files transferred per pull).
+  let bytesTransferred = 0;
+  let filesTransferred = 0;
+  for (const filePath of Object.keys(remoteContent)) {
+    const f = remoteFiles[filePath];
+    if (f && typeof f.size === 'number') bytesTransferred += f.size;
+    filesTransferred++;
+  }
+  const totalRemote = Object.keys(remoteFiles).length;
+  await emit(_coldWake ? 'cold_wake' : 'success', {
+    files_pushed: filesTransferred,
+    files_unchanged: Math.max(0, totalRemote - filesTransferred),
+    bytes_transferred: bytesTransferred,
+    bytes_changed: bytesTransferred,
+  });
 }
 
 

package/commands/push.js

@@ -6,9 +6,13 @@ const { apiRequestJson } = require('../utils/api');
 const { loadBusinesses, saveBusinesses } = require('./business');
 const { loadManifest, saveManifest, buildManifest, computeLocalHashes } = require('../lib/manifest');
 const { normalizeWikiOnlyPrefix } = require('../lib/wiki');
+const { emitSyncEvent, startTimer } = require('../lib/sync-telemetry');
+const { assertSafeWorkspaceRoot } = require('../lib/workspace-safety');
 
 async function pushAtris() {
+  const elapsedMs = startTimer();
   let slug = process.argv[3];
+  let _coldWake = false;
 
   // Auto-detect business from .atris/business.json in current dir
   if (!slug || slug.startsWith('-')) {
@@ -80,6 +84,9 @@ async function pushAtris() {
 
   if (!fs.existsSync(sourceDir)) { console.error(`Source not found: ${sourceDir}`); process.exit(1); }
 
+  // Refuse to walk/upload dangerous paths ($HOME, /, /Users, system dirs).
+  assertSafeWorkspaceRoot(sourceDir, { slug, op: 'push from' });
+
   // Resolve business — always refresh from API
   let businessId, workspaceId, businessName, resolvedSlug;
   const businesses = loadBusinesses();
@@ -105,6 +112,11 @@ async function pushAtris() {
 
   if (!workspaceId) { console.error(`Business "${slug}" has no workspace.`); process.exit(1); }
 
+  // Telemetry helper — emits one event with the elapsed wall-clock time.
+  // Awaited (not fire-and-forget) because process.exit kills in-flight requests.
+  const emit = (outcome, extras = {}) =>
+    emitSyncEvent(creds.token, businessId, workspaceId, 'push', outcome, elapsedMs(), extras);
+
   // Auto-wake the EC2 computer if --auto-wake is set, otherwise check status and warn.
   // Without this, push silently routes to agent_files cache when computer is asleep
   // (the silent fallback footgun from tonight's debugging).
@@ -114,6 +126,7 @@ async function pushAtris() {
     const computerStatus = statusResult.ok && statusResult.data ? statusResult.data.status : 'unknown';
     if (computerStatus !== 'running' || !(statusResult.data && statusResult.data.endpoint)) {
       process.stdout.write('  Waking EC2 computer... ');
+      _coldWake = true;
       await apiRequestJson(`/business/${businessId}/ai-computer/wake`, { method: 'POST', token: creds.token });
       const wakeStart = Date.now();
       while (Date.now() - wakeStart < 90000) {
@@ -204,6 +217,7 @@ async function pushAtris() {
         console.log('');
         console.log('    Run `atris pull` first, then push your changes.');
         console.log('    To override (force-push, may clobber cloud edits): atris push --force');
+        await emit('drift', { error_detail: `${driftFiles.length} file(s) drifted` });
         process.exit(1);
       }
       console.log('fresh');
@@ -218,6 +232,7 @@ async function pushAtris() {
       console.log('  ✗ Could not verify cloud freshness. Refusing to push.');
       console.log('    The workspace may be unreachable or the snapshot endpoint is broken.');
       console.log('    To bypass and force-push anyway: atris push --force');
+      await emit('status_unknown', { error_detail: `snapshot status ${snapshotResult.status || 'unknown'}` });
       process.exit(1);
     }
   }
@@ -256,6 +271,7 @@ async function pushAtris() {
 
   if (filesToPush.length === 0 && deletedPaths.length === 0) {
     console.log('\n  Already up to date.\n');
+    await emit('success', { files_unchanged: filteredLocalCount });
     return;
   }
 
@@ -280,13 +296,73 @@ async function pushAtris() {
   let pushed = 0;
   let deleted = 0;
   let skipped = [];
+  // Files we sent that the server did not confirm as written/unchanged.
+  // The /sync endpoint can silently drop files (role-based filters on the
+  // business workspace route, path-rejection inside the warm runner, etc.)
+  // and still return HTTP 200. If we don't cross-check per-file results,
+  // the CLI prints "Pushed" for files that never actually landed — and
+  // the manifest records a hash that makes the next push skip them too,
+  // losing them permanently. `failedToLand` collects those casualties so
+  // we can warn the user AND keep them out of the manifest update.
+  let failedToLand = [];
+  const landedPaths = new Set();
   let result = { ok: true };
 
+  // Server-canonical path format for the /sync endpoint: NO leading slash.
+  // The warm runner's _safe_path rejects `/atris/...` with "Absolute path
+  // outside workspace" (it only accepts paths under `/workspace/...`). All
+  // our internal bookkeeping uses a leading slash (manifest keys, localFiles
+  // keys, snapshot response paths), so we strip only at the wire.
+  const toWirePath = (p) => (p || '').replace(/^\/+/, '');
+  const fromWirePath = (p) => {
+    const s = String(p || '');
+    return s.startsWith('/') ? s : `/${s}`;
+  };
+  const wireFiles = (files) => files.map((f) => ({ path: toWirePath(f.path), content: f.content }));
+
+  // Inspect per-file results from a /sync response. Treat "written" and
+  // "unchanged" as success; everything else (including missing-from-results,
+  // which is how silent server-side drops look) is a failure.
+  const recordSyncResults = (sentFiles, response) => {
+    const resultsArr = response && response.data && Array.isArray(response.data.results)
+      ? response.data.results
+      : null;
+    const seen = new Set();
+    if (resultsArr) {
+      for (const r of resultsArr) {
+        if (!r || !r.path) continue;
+        const status = String(r.status || '').toLowerCase();
+        const canonical = fromWirePath(r.path);
+        if (status === 'written' || status === 'unchanged') {
+          landedPaths.add(canonical);
+          seen.add(canonical);
+        } else {
+          failedToLand.push({ path: canonical, status: status || 'error', error: r.error || '' });
+          seen.add(canonical);
+        }
+      }
+    } else {
+      // No results array in response — old server. Best-effort: assume
+      // everything sent landed. This preserves existing behavior when
+      // talking to a server that doesn't return per-file status.
+      for (const f of sentFiles) {
+        landedPaths.add(f.path);
+        seen.add(f.path);
+      }
+    }
+    // Any file we sent that the server didn't mention = silently dropped.
+    for (const f of sentFiles) {
+      if (!seen.has(f.path)) {
+        failedToLand.push({ path: f.path, status: 'dropped', error: 'server did not confirm write' });
+      }
+    }
+  };
+
   if (filesToPush.length > 0) {
-    // Push files to server
+    // Push files to server (strip leading slash — server requires workspace-relative paths)
     result = await apiRequestJson(
       `/business/${businessId}/workspaces/${workspaceId}/sync`,
-      { method: 'POST', token: creds.token, body: { files: filesToPush }, headers: { 'X-Atris-Actor-Source': 'cli' } }
+      { method: 'POST', token: creds.token, body: { files: wireFiles(filesToPush) }, headers: { 'X-Atris-Actor-Source': 'cli' } }
     );
 
     if (!result.ok) {
@@ -298,27 +374,33 @@ async function pushAtris() {
         if (allowed.length > 0) {
           const retry = await apiRequestJson(
             `/business/${businessId}/workspaces/${workspaceId}/sync`,
-            { method: 'POST', token: creds.token, body: { files: allowed }, headers: { 'X-Atris-Actor-Source': 'cli' } }
+            { method: 'POST', token: creds.token, body: { files: wireFiles(allowed) }, headers: { 'X-Atris-Actor-Source': 'cli' } }
           );
           if (retry.ok) {
-            pushed = allowed.length;
+            recordSyncResults(allowed, retry);
+            pushed = landedPaths.size;
           } else {
             console.error(`\n  Push failed: ${retry.errorMessage || retry.error || retry.status}`);
+            await emit('access_denied', { error_detail: `403 retry failed: ${retry.status}` });
             process.exit(1);
           }
         } else {
           console.error('\n  Access denied: you can only push to your team/ folder.');
+          await emit('access_denied');
           process.exit(1);
         }
       } else if (result.status === 409) {
         console.error('\n  Computer is sleeping. Wake it first.');
+        await emit('cold_wake', { error_detail: 'computer sleeping (409)' });
         process.exit(1);
       } else {
         console.error(`\n  Push failed: ${result.errorMessage || result.error || result.status}`);
+        await emit('status_unknown', { error_detail: `sync status ${result.status}` });
         process.exit(1);
       }
     } else {
-      pushed = filesToPush.length;
+      recordSyncResults(filesToPush, result);
+      pushed = landedPaths.size;
     }
   }
 
@@ -333,6 +415,7 @@ async function pushAtris() {
   //   - manifest update only counts confirmed-deleted paths
   const deletedConfirmed = [];
   const deleteFailed = [];
+  let _rateLimitedDeletes = 0;
   for (let i = 0; i < deletedPaths.length; i++) {
     const filePath = deletedPaths[i];
     if (i > 0) {
@@ -345,6 +428,7 @@ async function pushAtris() {
     );
     if (deleteResult.status === 429) {
       // Rate limit — wait 20s, retry once
+      _rateLimitedDeletes++;
       await new Promise((r) => setTimeout(r, 20000));
       deleteResult = await apiRequestJson(
         `/business/${businessId}/workspaces/${workspaceId}/file?path=${encodeURIComponent(filePath)}`,
@@ -369,10 +453,15 @@ async function pushAtris() {
     if (deleteFailed.length > 10) console.log(`    ... +${deleteFailed.length - 10} more`);
   }
 
-  // Display results
+  // Display results — only for files the server confirmed as landed.
+  // A non-technical user seeing "+ atris/ideas/foo.md new file" naturally
+  // assumes foo.md is on cloud. So we only print that line when the server
+  // actually confirmed it via per-file status. Anything else goes into the
+  // loud failure block below.
   console.log('');
   for (const f of filesToPush) {
     if (skipped.includes(f)) continue;
+    if (!landedPaths.has(f.path)) continue;
     const isNew = !baseFiles[f.path];
     console.log(`  ${isNew ? '+' : '\u2191'} ${f.path.replace(/^\//, '')}  ${isNew ? 'new file' : 'updated'}`);
   }
@@ -384,6 +473,26 @@ async function pushAtris() {
     console.log(`  x ${filePath.replace(/^\//, '')}  deleted`);
   }
 
+  // Loud failure block — files the server silently dropped or rejected.
+  // These did NOT land on cloud even though the HTTP call returned 200.
+  if (failedToLand.length > 0) {
+    console.log('');
+    console.log(`  ⚠ ${failedToLand.length} file(s) did NOT land on cloud (server returned 200 but`);
+    console.log(`     dropped or rejected these files):`);
+    const shown = failedToLand.slice(0, 15);
+    for (const f of shown) {
+      const detail = f.error ? ` — ${f.error}` : ` (${f.status})`;
+      console.log(`    ✗ ${f.path.replace(/^\//, '')}${detail}`);
+    }
+    if (failedToLand.length > shown.length) {
+      console.log(`    ... +${failedToLand.length - shown.length} more`);
+    }
+    console.log('');
+    console.log('  Common causes: path is outside the workspace (e.g. absolute /Users/... path),');
+    console.log('  your role lacks write permission for that folder, or warm runner returned an error.');
+    console.log('  These files will appear as drift on your next push so you can retry.');
+  }
+
   // Summary
   console.log('');
   const parts = [];
@@ -396,16 +505,51 @@ async function pushAtris() {
 
   // Update manifest — mark pushed files with their new hash, drop ONLY confirmed deletes.
   // Failed deletes stay in the manifest so the next push will retry them.
+  //
+  // CRITICAL: only record manifest entries for files the server confirmed as
+  // landed (landedPaths). If we recorded the local hash for a file that the
+  // server silently dropped, the next push would compare local==manifest and
+  // skip it — the file would never land. Keeping it OUT of the manifest means
+  // the next push sees it as new/changed and retries automatically.
   const updatedFiles = { ...baseFiles };
   for (const f of filesToPush) {
-    if (!skipped.includes(f)) {
-      updatedFiles[f.path] = localFiles[f.path];
-    }
+    if (skipped.includes(f)) continue;
+    if (!landedPaths.has(f.path)) continue;
+    updatedFiles[f.path] = localFiles[f.path];
   }
   for (const filePath of deletedConfirmed) {
     delete updatedFiles[filePath];
   }
   saveManifest(resolvedSlug || slug, buildManifest(updatedFiles, null));
+
+  // Telemetry — outcome reflects actual run quality, not just exit-code-zero.
+  // Partial delete failures or rate-limit retries mean the run was NOT a clean win;
+  // labeling them success would poison the RL signal.
+  const bytesChanged = filesToPush.reduce((acc, f) => acc + (f.content ? Buffer.byteLength(f.content, 'utf8') : 0), 0);
+  let finalOutcome;
+  let finalDetail;
+  if (failedToLand.length > 0) {
+    finalOutcome = 'status_unknown';
+    finalDetail = `${failedToLand.length} file(s) silently dropped by server (statuses: ${[...new Set(failedToLand.map(f => f.status))].join(',')})`;
+  } else if (deleteFailed.length > 0) {
+    finalOutcome = 'status_unknown';
+    finalDetail = `${deleteFailed.length} delete(s) failed (statuses: ${[...new Set(deleteFailed.map(f => f.status))].join(',')})`;
+  } else if (_rateLimitedDeletes > 0) {
+    finalOutcome = 'rate_limited';
+    finalDetail = `${_rateLimitedDeletes} delete(s) hit 429 (recovered)`;
+  } else if (_coldWake) {
+    finalOutcome = 'cold_wake';
+  } else {
+    finalOutcome = 'success';
+  }
+  await emit(finalOutcome, {
+    files_pushed: pushed,
+    files_deleted: deleted,
+    files_unchanged: unchangedCount,
+    bytes_changed: bytesChanged,
+    bytes_transferred: bytesChanged,
+    error_detail: finalDetail,
+  });
 }
 
 module.exports = { pushAtris };

package/commands/serve.js

@@ -354,6 +354,7 @@ async function serveAtris(options = {}) {
 
 module.exports = {
   serveAtris,
+  streamSession,
   // exported for testing
   safePath,
   applyOp,