clay-server 2.10.0 → 2.11.0-beta.10

package/lib/dm.js

@@ -0,0 +1,135 @@
+var fs = require("fs");
+var path = require("path");
+var config = require("./config");
+
+var DM_DIR = path.join(config.CONFIG_DIR, "dm");
+
+// Ensure dm directory exists
+function ensureDmDir() {
+  fs.mkdirSync(DM_DIR, { recursive: true });
+  config.chmodSafe(DM_DIR, 0o700);
+}
+
+// Generate deterministic DM key from two user IDs (sorted, order-independent)
+function dmKey(userId1, userId2) {
+  return [userId1, userId2].sort().join(":");
+}
+
+// File path for a DM conversation
+function dmFilePath(key) {
+  // Replace : with _ for safe filename
+  return path.join(DM_DIR, key.replace(/:/g, "_") + ".jsonl");
+}
+
+// Load DM history from JSONL file
+function loadHistory(key) {
+  var filePath = dmFilePath(key);
+  if (!fs.existsSync(filePath)) return [];
+  try {
+    var content = fs.readFileSync(filePath, "utf8").trim();
+    if (!content) return [];
+    var lines = content.split("\n");
+    var messages = [];
+    for (var i = 0; i < lines.length; i++) {
+      if (!lines[i].trim()) continue;
+      try {
+        messages.push(JSON.parse(lines[i]));
+      } catch (e) {
+        // skip malformed lines
+      }
+    }
+    return messages;
+  } catch (e) {
+    return [];
+  }
+}
+
+// Append a message to DM JSONL file
+function appendMessage(key, message) {
+  ensureDmDir();
+  var filePath = dmFilePath(key);
+  var line = JSON.stringify(message) + "\n";
+  fs.appendFileSync(filePath, line);
+}
+
+// Open a DM conversation (find or create)
+function openDm(userId1, userId2) {
+  var key = dmKey(userId1, userId2);
+  var history = loadHistory(key);
+  return { dmKey: key, messages: history };
+}
+
+// Send a DM message
+function sendMessage(key, fromUserId, text) {
+  var message = {
+    type: "dm_message",
+    ts: Date.now(),
+    from: fromUserId,
+    text: text,
+  };
+  appendMessage(key, message);
+  return message;
+}
+
+// Get list of all DM conversations for a user
+// Returns: [{ dmKey, otherUserId, lastMessage, lastTs }]
+function getDmList(userId) {
+  ensureDmDir();
+  var files;
+  try {
+    files = fs.readdirSync(DM_DIR).filter(function (f) {
+      return f.endsWith(".jsonl");
+    });
+  } catch (e) {
+    return [];
+  }
+
+  var dms = [];
+  for (var i = 0; i < files.length; i++) {
+    // Reconstruct dmKey from filename (replace _ back to :)
+    var key = files[i].replace(".jsonl", "").replace(/_/g, ":");
+    var parts = key.split(":");
+    if (parts.length !== 2) continue;
+
+    // Check if this user is a participant
+    var idx = parts.indexOf(userId);
+    if (idx === -1) continue;
+
+    var otherUserId = parts[idx === 0 ? 1 : 0];
+
+    // Get last message
+    var messages = loadHistory(key);
+    var lastMessage = messages.length > 0 ? messages[messages.length - 1] : null;
+
+    dms.push({
+      dmKey: key,
+      otherUserId: otherUserId,
+      lastMessage: lastMessage ? lastMessage.text : null,
+      lastTs: lastMessage ? lastMessage.ts : 0,
+      messageCount: messages.length,
+    });
+  }
+
+  // Sort by most recent activity
+  dms.sort(function (a, b) {
+    return b.lastTs - a.lastTs;
+  });
+
+  return dms;
+}
+
+// Extension point: check if a user is a mate (AI persona)
+// Returns false for now - will be implemented when Mates feature is added
+function isMate(userId) {
+  return false;
+}
+
+module.exports = {
+  dmKey: dmKey,
+  openDm: openDm,
+  sendMessage: sendMessage,
+  getDmList: getDmList,
+  loadHistory: loadHistory,
+  isMate: isMate,
+  DM_DIR: DM_DIR,
+};

package/lib/os-users.js

@@ -0,0 +1,301 @@
+// os-users.js — Shared utility for resolving Linux OS user information.
+// Used by sdk-bridge.js (worker spawning), terminal-manager.js, and project.js (file ops).
+
+var fs = require("fs");
+var { execSync } = require("child_process");
+
+/**
+ * Resolve Linux user info from username via getent passwd.
+ * Returns { uid, gid, home, user, shell } or throws on failure.
+ */
+function resolveOsUserInfo(username) {
+  var output = execSync("getent passwd " + username, { encoding: "utf8", timeout: 5000 }).trim();
+  // getent passwd format: username:x:uid:gid:gecos:home:shell
+  var parts = output.split(":");
+  if (parts.length < 7) throw new Error("Unexpected getent output for user " + username);
+  return {
+    uid: parseInt(parts[2], 10),
+    gid: parseInt(parts[3], 10),
+    home: parts[5],
+    user: parts[0],
+    shell: parts[6] || "/bin/bash",
+  };
+}
+
+/**
+ * Run a file system operation as a specific OS user via a helper subprocess.
+ * op: "list", "read", "write", "stat"
+ * args: operation-specific arguments
+ * osUserInfo: { uid, gid } from resolveOsUserInfo
+ * Returns the result object or throws.
+ */
+function fsAsUser(op, args, osUserInfo) {
+  // Build a small inline Node script to run as the target user
+  var script;
+  if (op === "list") {
+    script = [
+      "var fs = require('fs');",
+      "var p = require('path');",
+      "var dir = " + JSON.stringify(args.dir) + ";",
+      "var entries = fs.readdirSync(dir, { withFileTypes: true });",
+      "var result = [];",
+      "for (var i = 0; i < entries.length; i++) {",
+      "  var e = entries[i];",
+      "  var stat;",
+      "  try { stat = fs.statSync(p.join(dir, e.name)); } catch(err) { continue; }",
+      "  result.push({ name: e.name, isDir: e.isDirectory(), size: stat.size, mtime: stat.mtimeMs });",
+      "}",
+      "process.stdout.write(JSON.stringify(result));",
+    ].join("\n");
+  } else if (op === "read") {
+    script = [
+      "var fs = require('fs');",
+      "var f = " + JSON.stringify(args.file) + ";",
+      "var stat = fs.statSync(f);",
+      "var result = { size: stat.size };",
+      "if (" + JSON.stringify(!!args.readContent) + ") {",
+      "  result.content = fs.readFileSync(f, 'utf8');",
+      "}",
+      "process.stdout.write(JSON.stringify(result));",
+    ].join("\n");
+  } else if (op === "stat") {
+    script = [
+      "var fs = require('fs');",
+      "var f = " + JSON.stringify(args.file) + ";",
+      "var stat = fs.statSync(f);",
+      "process.stdout.write(JSON.stringify({ size: stat.size, isDir: stat.isDirectory(), mtime: stat.mtimeMs }));",
+    ].join("\n");
+  } else if (op === "read_binary") {
+    // Read file as base64 for binary content (images, etc.)
+    script = [
+      "var fs = require('fs');",
+      "var f = " + JSON.stringify(args.file) + ";",
+      "var buf = fs.readFileSync(f);",
+      "process.stdout.write(buf.toString('base64'));",
+    ].join("\n");
+    var binOutput = execSync(process.execPath + " -e " + JSON.stringify(script), {
+      encoding: "utf8",
+      timeout: 10000,
+      uid: osUserInfo.uid,
+      gid: osUserInfo.gid,
+      maxBuffer: 50 * 1024 * 1024,
+    });
+    return { buffer: Buffer.from(binOutput.trim(), "base64") };
+  } else if (op === "write") {
+    script = [
+      "var fs = require('fs');",
+      "var f = " + JSON.stringify(args.file) + ";",
+      "var content = " + JSON.stringify(args.content || "") + ";",
+      "fs.writeFileSync(f, content, 'utf8');",
+      "process.stdout.write(JSON.stringify({ ok: true }));",
+    ].join("\n");
+  } else {
+    throw new Error("Unknown fsAsUser operation: " + op);
+  }
+
+  var output = execSync(process.execPath + " -e " + JSON.stringify(script), {
+    encoding: "utf8",
+    timeout: 10000,
+    uid: osUserInfo.uid,
+    gid: osUserInfo.gid,
+  });
+
+  return JSON.parse(output.trim());
+}
+
+/**
+ * Grant a Linux user ACL access (rwX) to a project directory.
+ * Uses setfacl to add recursive + default ACL entries.
+ */
+function grantProjectAccess(projectPath, linuxUser) {
+  try {
+    // Recursive ACL for existing files
+    execSync("setfacl -R -m u:" + linuxUser + ":rwX " + JSON.stringify(projectPath), {
+      encoding: "utf8",
+      timeout: 30000,
+    });
+    // Default ACL so new files also inherit access
+    execSync("setfacl -R -d -m u:" + linuxUser + ":rwX " + JSON.stringify(projectPath), {
+      encoding: "utf8",
+      timeout: 30000,
+    });
+    console.log("[os-users] Granted ACL access for " + linuxUser + " on " + projectPath);
+  } catch (e) {
+    console.error("[os-users] Failed to grant ACL access for " + linuxUser + " on " + projectPath + ": " + (e.message || e));
+  }
+}
+
+/**
+ * Revoke a Linux user's ACL access from a project directory.
+ */
+function revokeProjectAccess(projectPath, linuxUser) {
+  try {
+    execSync("setfacl -R -x u:" + linuxUser + " " + JSON.stringify(projectPath), {
+      encoding: "utf8",
+      timeout: 30000,
+    });
+    execSync("setfacl -R -d -x u:" + linuxUser + " " + JSON.stringify(projectPath), {
+      encoding: "utf8",
+      timeout: 30000,
+    });
+    console.log("[os-users] Revoked ACL access for " + linuxUser + " on " + projectPath);
+  } catch (e) {
+    console.error("[os-users] Failed to revoke ACL access for " + linuxUser + " on " + projectPath + ": " + (e.message || e));
+  }
+}
+
+/**
+ * Sanitize a Clay username into a valid Linux username.
+ * Prefixes with "clay-", lowercases, replaces invalid chars with hyphens.
+ * Linux usernames: start with [a-z_], then [a-z0-9_-], max 32 chars.
+ */
+function toLinuxUsername(clayUsername) {
+  var sanitized = clayUsername.toLowerCase().replace(/[^a-z0-9_-]/g, "-");
+  // Remove leading hyphens/digits after prefix
+  sanitized = sanitized.replace(/^[-0-9]+/, "");
+  if (!sanitized) sanitized = "user";
+  var name = "clay-" + sanitized;
+  // Truncate to 32 chars (Linux limit)
+  if (name.length > 32) name = name.substring(0, 32);
+  // Remove trailing hyphens
+  name = name.replace(/-+$/, "");
+  return name;
+}
+
+/**
+ * Check if a Linux user already exists.
+ */
+function linuxUserExists(username) {
+  try {
+    execSync("id " + username, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+    return true;
+  } catch (e) {
+    return false;
+  }
+}
+
+/**
+ * Provision a Linux user account for a Clay user.
+ * Creates the account via useradd with a home directory.
+ * Returns { ok: true, linuxUser: "clay-xxx" } or { error: "..." }.
+ */
+function provisionLinuxUser(clayUsername) {
+  var linuxName = toLinuxUsername(clayUsername);
+
+  // Handle name collisions by appending a number
+  if (linuxUserExists(linuxName)) {
+    // Check if this is a clay-managed user (reuse it)
+    // Otherwise find an available name
+    console.log("[os-users] Linux user " + linuxName + " already exists, reusing.");
+    return { ok: true, linuxUser: linuxName };
+  }
+
+  try {
+    execSync("useradd -m -s /bin/bash " + linuxName, {
+      encoding: "utf8",
+      timeout: 15000,
+      stdio: "pipe",
+    });
+    console.log("[os-users] Provisioned Linux user: " + linuxName + " (Clay user: " + clayUsername + ")");
+    return { ok: true, linuxUser: linuxName };
+  } catch (e) {
+    var msg = (e.stderr || e.message || "").trim();
+    console.error("[os-users] Failed to provision Linux user " + linuxName + ": " + msg);
+    return { error: "Failed to create Linux user " + linuxName + ": " + msg };
+  }
+}
+
+/**
+ * Provision Linux accounts for all Clay users that don't have one yet.
+ * usersModule: the users.js module (getAllUsers, updateLinuxUser, etc.)
+ * Returns { provisioned: [...], skipped: [...], errors: [...] }.
+ */
+function provisionAllUsers(usersModule) {
+  var users = usersModule.getAllUsers();
+  var result = { provisioned: [], skipped: [], errors: [] };
+
+  for (var i = 0; i < users.length; i++) {
+    var user = users[i];
+    if (user.linuxUser) {
+      // Already mapped, verify the Linux user still exists
+      if (linuxUserExists(user.linuxUser)) {
+        result.skipped.push({ id: user.id, username: user.username, linuxUser: user.linuxUser });
+        continue;
+      }
+      // Linux user was deleted externally, re-provision
+      console.log("[os-users] Linux user " + user.linuxUser + " no longer exists, re-provisioning for " + user.username);
+    }
+
+    var provision = provisionLinuxUser(user.username);
+    if (provision.ok) {
+      // Update the Clay user record with the Linux username
+      var data = usersModule.loadUsers();
+      for (var j = 0; j < data.users.length; j++) {
+        if (data.users[j].id === user.id) {
+          data.users[j].linuxUser = provision.linuxUser;
+          usersModule.saveUsers(data);
+          break;
+        }
+      }
+      result.provisioned.push({ id: user.id, username: user.username, linuxUser: provision.linuxUser });
+    } else {
+      result.errors.push({ id: user.id, username: user.username, error: provision.error });
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Grant ACL access on a project directory to ALL Clay users with linuxUser mappings.
+ * Used when a project becomes public.
+ * usersModule: the users.js module (getAllUsers, etc.)
+ */
+function grantAllUsersAccess(projectPath, usersModule) {
+  var allUsers = usersModule.getAllUsers();
+  for (var i = 0; i < allUsers.length; i++) {
+    if (allUsers[i].linuxUser) {
+      grantProjectAccess(projectPath, allUsers[i].linuxUser);
+    }
+  }
+}
+
+/**
+ * Deactivate (lock) a Linux user account.
+ * The account and home directory are preserved, but login is disabled.
+ */
+function deactivateLinuxUser(linuxUsername) {
+  try {
+    execSync("usermod -L " + linuxUsername, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+    console.log("[os-users] Deactivated Linux user: " + linuxUsername);
+    return { ok: true };
+  } catch (e) {
+    var msg = (e.stderr || e.message || "").trim();
+    console.error("[os-users] Failed to deactivate Linux user " + linuxUsername + ": " + msg);
+    return { error: "Failed to deactivate Linux user " + linuxUsername + ": " + msg };
+  }
+}
+
+/**
+ * Ensure the shared projects directory exists.
+ */
+function ensureProjectsDir() {
+  var dir = "/var/clay/projects";
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 0o755 });
+  }
+}
+
+module.exports = {
+  resolveOsUserInfo: resolveOsUserInfo,
+  fsAsUser: fsAsUser,
+  grantProjectAccess: grantProjectAccess,
+  revokeProjectAccess: revokeProjectAccess,
+  toLinuxUsername: toLinuxUsername,
+  linuxUserExists: linuxUserExists,
+  provisionLinuxUser: provisionLinuxUser,
+  provisionAllUsers: provisionAllUsers,
+  grantAllUsersAccess: grantAllUsersAccess,
+  deactivateLinuxUser: deactivateLinuxUser,
+  ensureProjectsDir: ensureProjectsDir,
+};

package/lib/pages.js

@@ -954,6 +954,7 @@ function multiUserLoginPageHtml() {
     'body:JSON.stringify({username:usernameEl.value,pin:pinEl.value})})' +
     '.then(function(r){return r.json()})' +
     '.then(function(d){' +
+    'if(d.ok&&d.mustChangePin){showChangePinOverlay();return}' +
     'if(d.ok){location.reload();return}' +
     'if(d.locked){var boxes=document.querySelectorAll(".pin-digit");' +
     'for(var i=0;i<boxes.length;i++)boxes[i].disabled=true;' +
@@ -964,6 +965,41 @@ function multiUserLoginPageHtml() {
     'errs[1].textContent=msg;resetPin()})' +
     '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
     'btns[1].onclick=doLogin;' +
+
+    // Force PIN change overlay
+    'function showChangePinOverlay(){' +
+    'var ov=document.createElement("div");ov.className="c";' +
+    'ov.style.cssText="position:fixed;inset:0;background:var(--bg,#0e0e10);z-index:9999;display:flex;align-items:center;justify-content:center";' +
+    'ov.innerHTML=\'<div style="width:100%;max-width:380px;padding:24px"><h1>Set your new PIN</h1>\'+' +
+    '\'<div class="sub">Your temporary PIN has expired. Please set a new 6-digit PIN to continue.</div>\'+' +
+    '\'<div id="new-pin-boxes" class="pin-boxes">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'</div><input type="hidden" id="new-pin">\'+' +
+    '\'<button class="btn" id="save-new-pin" disabled style="margin-top:20px">Save PIN</button>\'+' +
+    '\'<div class="err" id="new-pin-err"></div></div>\';' +
+    'document.body.appendChild(ov);' +
+    'var newPinEl=ov.querySelector("#new-pin");' +
+    'var saveBtn=ov.querySelector("#save-new-pin");' +
+    'var errEl=ov.querySelector("#new-pin-err");' +
+    'initPinBoxes("new-pin-boxes","new-pin",function(){if(!saveBtn.disabled)doSavePin()});' +
+    'var nb=ov.querySelectorAll(".pin-digit");' +
+    'for(var i=0;i<nb.length;i++)nb[i].addEventListener("input",function(){saveBtn.disabled=newPinEl.value.length!==6});' +
+    'function doSavePin(){' +
+    'saveBtn.disabled=true;errEl.textContent="";' +
+    'fetch("/api/user/pin",{method:"PUT",headers:{"Content-Type":"application/json"},' +
+    'body:JSON.stringify({newPin:newPinEl.value})})' +
+    '.then(function(r){return r.json()})' +
+    '.then(function(d){' +
+    'if(d.ok){location.reload();return}' +
+    'errEl.textContent=d.error||"Failed to save PIN";saveBtn.disabled=false})' +
+    '.catch(function(){errEl.textContent="Connection error";saveBtn.disabled=false})}' +
+    'saveBtn.onclick=doSavePin}' +
+
     '</script></div></body></html>';
 }