clay-server 2.11.0-beta.10 → 2.11.0-beta.12

package/bin/cli.js

@@ -131,8 +131,8 @@ for (var i = 0; i < args.length; i++) {
     console.log("  --remove <path>    Remove a project directory");
     console.log("  --list             List all registered projects");
     console.log("  --headless         Start daemon and exit immediately (implies --yes)");
-    console.log("  --multi-user       Enable multi-user mode (generates setup code)");
-    console.log("  --os-users         Enable OS-level user isolation (Linux only, requires root + --multi-user)");
+    console.log("  --multi-user       Start in multi-user mode (use with --yes for headless)");
+    console.log("  --os-users         Enable OS-level user isolation (Linux, requires root + --multi-user)");
     console.log("  --dangerously-skip-permissions");
     console.log("                     Bypass all permission prompts");
     process.exit(0);
@@ -271,59 +271,8 @@ if (listMode) {
   return;
 }
 
-// --- Handle --multi-user before anything else ---
-if (multiUserMode) {
-  var muResult = enableMultiUser();
-  if (muResult.alreadyEnabled && muResult.hasAdmin) {
-    console.log("");
-    console.log("Multi-user mode is already enabled and an admin account exists.");
-    console.log("No changes made.");
-    console.log("");
-  } else if (muResult.setupCode) {
-    console.log("");
-    console.log("\x1b[33m⚠ Experimental Feature\x1b[0m");
-    console.log("");
-    console.log("  Multi-user mode is experimental and may change in future releases.");
-    console.log("  Sharing access to AI-powered tools may be subject to your provider's");
-    console.log("  terms of service. Please review the applicable usage policies before");
-    console.log("  granting access to other users.");
-    console.log("");
-    console.log("\x1b[32mMulti-user mode enabled.\x1b[0m");
-    console.log("");
-    console.log("Setup code:  \x1b[1m" + muResult.setupCode + "\x1b[0m");
-    console.log("");
-    console.log("Open Clay in your browser and enter this code to create the admin account.");
-    console.log("The code is single-use and will be cleared once the admin is set up.");
-    console.log("");
-  }
-  if (!osUsersMode) {
-    process.exit(0);
-  }
-}
-
-// --- Handle --os-users validation ---
-if (osUsersMode) {
-  if (process.platform !== "linux") {
-    console.error("\x1b[31mError: --os-users requires Linux.\x1b[0m");
-    console.error("OS-level user isolation depends on setfacl, getent, and uid/gid process spawning.");
-    process.exit(1);
-  }
-  if (typeof process.getuid === "function" && process.getuid() !== 0) {
-    console.error("\x1b[31mError: --os-users requires running as root.\x1b[0m");
-    console.error("The daemon must run as root to spawn worker processes as different users.");
-    console.error("Use: sudo clay --multi-user --os-users");
-    process.exit(1);
-  }
-  if (!isMultiUser()) {
-    console.error("\x1b[31mError: --os-users requires --multi-user mode.\x1b[0m");
-    console.error("Enable multi-user mode first: clay --multi-user");
-    process.exit(1);
-  }
-  console.log("\x1b[32mOS-level user isolation enabled.\x1b[0m");
-  console.log("Worker processes will run as mapped Linux users.");
-  console.log("Linux accounts will be auto-provisioned for existing users on startup.");
-  console.log("");
-}
+// --multi-user / --os-users are now handled in the main entry flow (setup wizard or repeat run)
+// Flags are parsed above and applied during forkDaemon()
 
 var cwd = process.cwd();
 
@@ -1310,44 +1259,70 @@ function setup(callback) {
           }
           port = p;
           log(sym.bar);
+          askMode();
+        });
+      });
+    }
 
-          function askPin() {
-            promptPin(function (pin) {
-              if (dangerouslySkipPermissions && !pin) {
-                log(sym.bar);
-                log(sym.warn + "  " + a.yellow + "WARNING: No PIN + skip permissions = anyone with the URL" + a.reset);
-                log(sym.bar + "  " + a.yellow + "can execute any command without approval." + a.reset);
-                log(sym.bar);
-                promptToggle("Continue without PIN?", null, false, function (confirmed) {
-                  if (!confirmed) {
-                    clearUp(6);
-                    log(sym.done + "  PIN protection " + a.dim + "·" + a.reset + " " + a.yellow + "Required for skip permissions" + a.reset);
-                    log(sym.bar);
-                    askPin();
-                    return;
-                  }
-                  afterPin(pin);
-                });
-              } else {
-                afterPin(pin);
-              }
-            });
-          }
+    function askMode() {
+      promptSelect("How will you use Clay?", [
+        { label: "Just me (single user)", value: "single" },
+        { label: "Multiple users", value: "multi" },
+      ], function (mode) {
+        if (mode === "single") {
+          finishSetup(mode, false);
+        } else {
+          askOsUsers(mode);
+        }
+      });
+    }
 
-          function afterPin(pin) {
-            if (process.platform === "darwin") {
-              promptToggle("Keep awake", "Prevent system sleep while relay is running", false, function (keepAwake) {
-                callback(pin, keepAwake);
-              });
-            } else {
-              callback(pin, false);
-            }
+    function askOsUsers(mode) {
+      // Only offer OS user isolation on Linux
+      if (process.platform !== "linux") {
+        finishSetup(mode, false);
+        return;
+      }
+      log(sym.bar);
+      promptToggle("Enable OS-level user isolation?", "Run each user's sessions as a separate Linux account", false, function (wantOsUsers) {
+        if (wantOsUsers) {
+          var isRoot = typeof process.getuid === "function" && process.getuid() === 0;
+          if (!isRoot) {
+            // Save config so sudo clay can pick it up
+            var partialConfig = {
+              port: port,
+              host: host,
+              mode: "multi",
+              osUsers: true,
+              setupCompleted: true,
+              dangerouslySkipPermissions: dangerouslySkipPermissions,
+            };
+            saveConfig(partialConfig);
+            log(sym.bar);
+            log(sym.warn + "  " + a.yellow + "OS user isolation requires root." + a.reset);
+            log(sym.bar + "  Run:");
+            log(sym.bar + "    " + a.bold + "sudo clay" + a.reset);
+            log(sym.end);
+            log("");
+            process.exit(0);
+            return;
           }
+        }
+        finishSetup(mode, wantOsUsers);
+      });
+    }
 
-          askPin();
+    function finishSetup(mode, wantOsUsers) {
+      if (process.platform === "darwin") {
+        log(sym.bar);
+        promptToggle("Keep awake", "Prevent system sleep while relay is running", false, function (keepAwake) {
+          callback(mode, keepAwake, wantOsUsers);
         });
-      });
+      } else {
+        callback(mode, false, wantOsUsers);
+      }
     }
+
     askPort();
   });
 }
@@ -1355,7 +1330,7 @@ function setup(callback) {
 // ==============================
 // Fork the daemon process
 // ==============================
-async function forkDaemon(pin, keepAwake, extraProjects, addCwd) {
+async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   var ip = getLocalIP();
   var hasTls = false;
 
@@ -1434,12 +1409,14 @@ async function forkDaemon(pin, keepAwake, extraProjects, addCwd) {
     pid: null,
     port: port,
     host: host,
-    pinHash: pin ? generateAuthToken(pin) : null,
+    pinHash: mode === "multi" && cliPin ? generateAuthToken(cliPin) : null,
     tls: hasTls,
     debug: debugMode,
     keepAwake: keepAwake,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
-    osUsers: osUsersMode,
+    osUsers: wantOsUsers || osUsersMode,
+    mode: mode || "single",
+    setupCompleted: true,
     projects: allProjects,
   };
 
@@ -1481,6 +1458,18 @@ async function forkDaemon(pin, keepAwake, extraProjects, addCwd) {
     return;
   }
 
+  // Enable multi-user mode if requested
+  if (config.mode === "multi") {
+    var muResult = enableMultiUser();
+    if (muResult.setupCode) {
+      log("");
+      log(sym.done + "  " + a.green + "Multi-user mode enabled." + a.reset);
+      log(sym.bar + "  Setup code:  " + a.bold + muResult.setupCode + a.reset);
+      log(sym.bar + "  Open Clay in your browser and enter this code to create the admin account.");
+      log("");
+    }
+  }
+
   // Headless mode — print status and exit immediately
   if (headlessMode) {
     var protocol = config.tls ? "https" : "http";
@@ -1499,7 +1488,7 @@ async function forkDaemon(pin, keepAwake, extraProjects, addCwd) {
 // ==============================
 // Dev mode — foreground daemon with file watching
 // ==============================
-async function devMode(pin, keepAwake, existingPinHash) {
+async function devMode(mode, keepAwake, existingPinHash) {
   var ip = getLocalIP();
   var hasTls = false;
 
@@ -1565,11 +1554,13 @@ async function devMode(pin, keepAwake, existingPinHash) {
     pid: null,
     port: port,
     host: host,
-    pinHash: existingPinHash || (pin ? generateAuthToken(pin) : null),
+    pinHash: existingPinHash || null,
     tls: hasTls,
     debug: true,
     keepAwake: keepAwake || false,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
+    mode: mode || "single",
+    setupCompleted: true,
     projects: allProjects,
   };
 
@@ -2337,6 +2328,11 @@ function showSettingsMenu(config, ip) {
       ? a.green + "Enabled" + a.reset
       : a.dim + "Off" + a.reset;
 
+    var modeLabel = config.mode === "multi" ? "Multi-user" : "Single user";
+    var modeStatus = config.mode === "multi"
+      ? a.clay + modeLabel + a.reset
+      : a.dim + modeLabel + a.reset;
+    log(sym.bar + "  Mode         " + modeStatus);
     log(sym.bar + "  PIN          " + pinStatus);
     log(sym.bar + "  Multi-user   " + muStatus);
     var osUsersStatus = isOsUsers
@@ -2375,6 +2371,7 @@ function showSettingsMenu(config, ip) {
       items.push({ label: isAwake ? "Disable keep awake" : "Enable keep awake", value: "awake" });
     }
     items.push({ label: "View logs", value: "logs" });
+    items.push({ label: "Re-run setup wizard", value: "rerun_setup" });
     items.push({ label: "Back", value: "back" });
 
   promptSelect("Select", items, function (choice) {
@@ -2572,6 +2569,70 @@ function showSettingsMenu(config, ip) {
         });
         break;
 
+      case "rerun_setup":
+        log(sym.bar);
+        log(sym.bar + "  " + a.yellow + sym.warn + " Re-run setup wizard?" + a.reset);
+        log(sym.bar);
+        log(sym.bar + "  " + a.dim + "This will shut down the running daemon, reset your setup" + a.reset);
+        log(sym.bar + "  " + a.dim + "preferences (mode, port), and walk you through the wizard again." + a.reset);
+        log(sym.bar + "  " + a.dim + "Your projects and user accounts will be preserved." + a.reset);
+        log(sym.bar);
+        promptSelect("Confirm", [
+          { label: "Re-run setup wizard", value: "confirm" },
+          { label: "Cancel", value: "cancel" },
+        ], function (confirmChoice) {
+          if (confirmChoice === "confirm") {
+            // Clear setupCompleted so setup() runs fresh
+            var cfg = loadConfig() || {};
+            delete cfg.setupCompleted;
+            delete cfg.mode;
+            cfg.pid = null;
+            saveConfig(cfg);
+            // Shut down the daemon
+            sendIPCCommand(socketPath(), { cmd: "shutdown" }).then(function () {
+              clearStaleConfig();
+              // Run the setup wizard, then fork a new daemon
+              setup(function (mode, keepAwake, wantOsUsers) {
+                var rc = loadClayrc();
+                var restorable = (rc.recentProjects || []).filter(function (p) {
+                  return p.path !== cwd && fs.existsSync(p.path);
+                });
+                if (restorable.length > 0) {
+                  promptRestoreProjects(restorable, function (selected) {
+                    forkDaemon(mode, keepAwake, selected, false, wantOsUsers);
+                  });
+                } else {
+                  log(sym.bar);
+                  log(sym.end + "  " + a.dim + "Starting relay..." + a.reset);
+                  log("");
+                  forkDaemon(mode, keepAwake, undefined, true, wantOsUsers);
+                }
+              });
+            }).catch(function () {
+              clearStaleConfig();
+              setup(function (mode, keepAwake, wantOsUsers) {
+                var rc = loadClayrc();
+                var restorable = (rc.recentProjects || []).filter(function (p) {
+                  return p.path !== cwd && fs.existsSync(p.path);
+                });
+                if (restorable.length > 0) {
+                  promptRestoreProjects(restorable, function (selected) {
+                    forkDaemon(mode, keepAwake, selected, false, wantOsUsers);
+                  });
+                } else {
+                  log(sym.bar);
+                  log(sym.end + "  " + a.dim + "Starting relay..." + a.reset);
+                  log("");
+                  forkDaemon(mode, keepAwake, undefined, true, wantOsUsers);
+                }
+              });
+            });
+          } else {
+            showSettingsMenu(config, ip);
+          }
+        });
+        break;
+
       case "logs":
         console.clear();
         log(a.bold + "Daemon logs" + a.reset + " " + a.dim + "(" + logPath() + ")" + a.reset);
@@ -2633,14 +2694,14 @@ var currentVersion = require("../package.json").version;
       if (devConfig.pid) clearStaleConfig();
       devConfig = null;
     }
-    // No config — go through setup (disclaimer, port, PIN, etc.)
+    // No config — go through setup (disclaimer, port, mode, etc.)
     if (!devConfig) {
-      setup(function (pin, keepAwake) {
-        devMode(pin, keepAwake, null);
+      setup(function (mode, keepAwake, wantOsUsers) {
+        devMode(mode, keepAwake, null);
       });
     } else {
-      // Reuse existing PIN hash from previous config
-      await devMode(cliPin || null, devConfig.keepAwake || false, devConfig.pinHash || null);
+      // Reuse existing config (repeat run)
+      await devMode(devConfig.mode || "single", devConfig.keepAwake || false, devConfig.pinHash || null);
     }
     return;
   }
@@ -2717,19 +2778,55 @@ var currentVersion = require("../package.json").version;
       showMainMenu(config || { pid: status.pid, port: status.port, tls: status.tls }, ip);
     }
   } else {
-    // No daemon running — first-time setup
-    if (autoYes) {
-      var pin = cliPin || null;
-      console.log("  " + sym.done + "  Auto-accepted disclaimer");
-      console.log("  " + sym.done + "  PIN: " + (pin ? "Enabled" : "Skipped"));
-      if (dangerouslySkipPermissions) {
-        console.log("  " + sym.warn + "  " + a.yellow + "Skip permissions mode enabled" + (pin ? "" : " (no PIN)") + a.reset);
+    // No daemon running — check for saved config (repeat run)
+    var savedConfig = loadConfig();
+    var isRepeatRun = savedConfig && savedConfig.setupCompleted;
+
+    // --multi-user / --os-users CLI flags set config directly for headless/scripted usage
+    if (multiUserMode) {
+      if (!savedConfig) savedConfig = {};
+      savedConfig.mode = "multi";
+      savedConfig.setupCompleted = true;
+    }
+    if (osUsersMode) {
+      if (!savedConfig) savedConfig = {};
+      savedConfig.osUsers = true;
+      savedConfig.mode = "multi";
+      savedConfig.setupCompleted = true;
+    }
+    isRepeatRun = savedConfig && savedConfig.setupCompleted;
+
+    if (isRepeatRun || autoYes) {
+      // Repeat run or --yes: skip wizard, reuse saved config
+      var savedMode = (savedConfig && savedConfig.mode) || "single";
+      var savedKeepAwake = (savedConfig && savedConfig.keepAwake) || false;
+      var savedOsUsers = (savedConfig && savedConfig.osUsers) || false;
+
+      // os-users requires root
+      if (savedOsUsers && typeof process.getuid === "function" && process.getuid() !== 0) {
+        console.error(a.red + "OS user isolation requires root." + a.reset);
+        console.error("Run:  " + a.bold + "sudo clay" + a.reset);
+        process.exit(1);
+        return;
       }
+
+      if (savedConfig && savedConfig.port) port = savedConfig.port;
+      if (savedConfig && savedConfig.host) host = savedConfig.host;
+      if (savedConfig && savedConfig.dangerouslySkipPermissions) dangerouslySkipPermissions = true;
+
+      if (autoYes) {
+        console.log("  " + sym.done + "  Auto-accepted disclaimer");
+        console.log("  " + sym.done + "  Mode: " + savedMode);
+        if (dangerouslySkipPermissions) {
+          console.log("  " + sym.warn + "  " + a.yellow + "Skip permissions mode enabled" + a.reset);
+        }
+      }
+
       var autoRc = loadClayrc();
       var autoRestorable = (autoRc.recentProjects || []).filter(function (p) {
         return p.path !== cwd && fs.existsSync(p.path);
       });
-      if (autoRestorable.length > 0) {
+      if (autoRestorable.length > 0 && autoYes) {
         console.log("  " + sym.done + "  Restoring " + autoRestorable.length + " previous project(s)");
       }
       // Add cwd if it has history in .clayrc, or if there are no other projects to restore
@@ -2737,9 +2834,10 @@ var currentVersion = require("../package.json").version;
         return p.path === cwd;
       });
       var addCwd = cwdInRc || autoRestorable.length === 0;
-      await forkDaemon(pin, false, autoRestorable.length > 0 ? autoRestorable : undefined, addCwd);
+      await forkDaemon(savedMode, savedKeepAwake, autoRestorable.length > 0 ? autoRestorable : undefined, addCwd, savedOsUsers);
     } else {
-      setup(function (pin, keepAwake) {
+      // First run: interactive wizard
+      setup(function (mode, keepAwake, wantOsUsers) {
         // Check ~/.clayrc for previous projects to restore
         var rc = loadClayrc();
         var restorable = (rc.recentProjects || []).filter(function (p) {
@@ -2748,13 +2846,13 @@ var currentVersion = require("../package.json").version;
 
         if (restorable.length > 0) {
           promptRestoreProjects(restorable, function (selected) {
-            forkDaemon(pin, keepAwake, selected, false);
+            forkDaemon(mode, keepAwake, selected, false, wantOsUsers);
           });
         } else {
           log(sym.bar);
           log(sym.end + "  " + a.dim + "Starting relay..." + a.reset);
           log("");
-          forkDaemon(pin, keepAwake, undefined, true);
+          forkDaemon(mode, keepAwake, undefined, true, wantOsUsers);
         }
       });
     }

package/lib/os-users.js

@@ -174,6 +174,52 @@ function linuxUserExists(username) {
   }
 }
 
+/**
+ * Install Claude CLI for a Linux user account.
+ * Downloads and runs the install script, then ensures PATH is configured.
+ * Non-fatal: logs errors but does not throw.
+ */
+function installClaudeCli(linuxName) {
+  try {
+    // Download and run the Claude CLI install script as the target user
+    execSync(
+      "su - " + linuxName + " -c \"curl -fsSL https://claude.ai/install.sh | bash\"",
+      { encoding: "utf8", timeout: 60000, stdio: "pipe" }
+    );
+    console.log("[os-users] Claude CLI installed for " + linuxName);
+  } catch (e) {
+    var msg = (e.stderr || e.message || "").trim();
+    console.error("[os-users] Failed to install Claude CLI for " + linuxName + ": " + msg);
+    return;
+  }
+
+  // Append PATH export to the user's shell config if not already present
+  try {
+    var home = "/home/" + linuxName;
+    var rcFile;
+    if (fs.existsSync(home + "/.zshrc")) {
+      rcFile = "~/.zshrc";
+    } else {
+      rcFile = "~/.bashrc";
+    }
+
+    // Check if PATH export is already present before appending
+    var checkCmd = "su - " + linuxName + " -c \"grep -qF '/.local/bin' " + rcFile + "\"";
+    try {
+      execSync(checkCmd, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+      console.log("[os-users] PATH already configured in " + rcFile + " for " + linuxName);
+    } catch (grepErr) {
+      // grep returned non-zero, meaning the line is not present; append it
+      var appendCmd = "su - " + linuxName + " -c 'echo \"export PATH=\\\"\\$HOME/.local/bin:\\$PATH\\\"\" >> " + rcFile + "'";
+      execSync(appendCmd, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+      console.log("[os-users] PATH export appended to " + rcFile + " for " + linuxName);
+    }
+  } catch (e) {
+    var rcMsg = (e.stderr || e.message || "").trim();
+    console.error("[os-users] Failed to configure PATH for " + linuxName + ": " + rcMsg);
+  }
+}
+
 /**
  * Provision a Linux user account for a Clay user.
  * Creates the account via useradd with a home directory.
@@ -197,6 +243,7 @@ function provisionLinuxUser(clayUsername) {
       stdio: "pipe",
     });
     console.log("[os-users] Provisioned Linux user: " + linuxName + " (Clay user: " + clayUsername + ")");
+    installClaudeCli(linuxName);
     return { ok: true, linuxUser: linuxName };
   } catch (e) {
     var msg = (e.stderr || e.message || "").trim();
@@ -296,6 +343,7 @@ module.exports = {
   provisionLinuxUser: provisionLinuxUser,
   provisionAllUsers: provisionAllUsers,
   grantAllUsersAccess: grantAllUsersAccess,
+  installClaudeCli: installClaudeCli,
   deactivateLinuxUser: deactivateLinuxUser,
   ensureProjectsDir: ensureProjectsDir,
 };

package/lib/pages.js

@@ -966,39 +966,33 @@ function multiUserLoginPageHtml() {
     '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
     'btns[1].onclick=doLogin;' +
 
-    // Force PIN change overlay
+    // Force PIN change: reuse the same login screen, switch step1 to "Set new PIN" mode
     'function showChangePinOverlay(){' +
-    'var ov=document.createElement("div");ov.className="c";' +
-    'ov.style.cssText="position:fixed;inset:0;background:var(--bg,#0e0e10);z-index:9999;display:flex;align-items:center;justify-content:center";' +
-    'ov.innerHTML=\'<div style="width:100%;max-width:380px;padding:24px"><h1>Set your new PIN</h1>\'+' +
-    '\'<div class="sub">Your temporary PIN has expired. Please set a new 6-digit PIN to continue.</div>\'+' +
-    '\'<div id="new-pin-boxes" class="pin-boxes">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'</div><input type="hidden" id="new-pin">\'+' +
-    '\'<button class="btn" id="save-new-pin" disabled style="margin-top:20px">Save PIN</button>\'+' +
-    '\'<div class="err" id="new-pin-err"></div></div>\';' +
-    'document.body.appendChild(ov);' +
-    'var newPinEl=ov.querySelector("#new-pin");' +
-    'var saveBtn=ov.querySelector("#save-new-pin");' +
-    'var errEl=ov.querySelector("#new-pin-err");' +
-    'initPinBoxes("new-pin-boxes","new-pin",function(){if(!saveBtn.disabled)doSavePin()});' +
-    'var nb=ov.querySelectorAll(".pin-digit");' +
-    'for(var i=0;i<nb.length;i++)nb[i].addEventListener("input",function(){saveBtn.disabled=newPinEl.value.length!==6});' +
-    'function doSavePin(){' +
-    'saveBtn.disabled=true;errEl.textContent="";' +
+    // Hide step dots (no longer a 2-step flow)
+    'var bar=document.querySelector(".steps-bar");if(bar)bar.style.display="none";' +
+    // Hide step 0 (username), show step 1 (PIN) with new labels
+    'steps[0].classList.remove("active");' +
+    'steps[1].classList.add("active");' +
+    'var h1=steps[1].querySelector("h1");if(h1)h1.textContent="Set your new PIN";' +
+    'var sub=steps[1].querySelector(".sub");if(sub)sub.textContent="Your temporary PIN has expired. Please set a new 6-digit PIN to continue.";' +
+    'btns[1].textContent="Save PIN";' +
+    // Re-init PIN boxes for fresh input
+    'resetPin();' +
+    'initPinBoxes("pin-boxes","pin",function(){if(!btns[1].disabled)doSaveNewPin()});' +
+    'var boxes=document.querySelectorAll(".pin-digit");' +
+    'for(var i=0;i<boxes.length;i++)boxes[i].addEventListener("input",function(){btns[1].disabled=pinEl.value.length!==6});' +
+    // Override button handler to save new PIN instead of login
+    'btns[1].onclick=doSaveNewPin;' +
+    'function doSaveNewPin(){' +
+    'btns[1].disabled=true;errs[1].textContent="";' +
     'fetch("/api/user/pin",{method:"PUT",headers:{"Content-Type":"application/json"},' +
-    'body:JSON.stringify({newPin:newPinEl.value})})' +
+    'body:JSON.stringify({newPin:pinEl.value})})' +
     '.then(function(r){return r.json()})' +
     '.then(function(d){' +
     'if(d.ok){location.reload();return}' +
-    'errEl.textContent=d.error||"Failed to save PIN";saveBtn.disabled=false})' +
-    '.catch(function(){errEl.textContent="Connection error";saveBtn.disabled=false})}' +
-    'saveBtn.onclick=doSavePin}' +
+    'errs[1].textContent=d.error||"Failed to save PIN";btns[1].disabled=false})' +
+    '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
+    '}' +
 
     '</script></div></body></html>';
 }

package/lib/public/css/messages.css

@@ -1472,7 +1472,7 @@ pre.mermaid-error {
    ========================================================================== */
 
 .auth-required-msg {
-  max-width: var(--content-width);
+  max-width: 420px;
   margin: 12px auto;
   padding: 14px 18px;
   background: color-mix(in srgb, var(--warning) 8%, var(--bg));

package/lib/public/modules/admin.js

@@ -24,6 +24,27 @@ function showConfirmDialog(message, onConfirm) {
   });
 }
 
+function showConfirmResetPin(name, onConfirm) {
+  var modal = document.createElement("div");
+  modal.className = "admin-modal-overlay";
+  var html = '<div class="admin-modal">' +
+    '<div class="admin-modal-body" style="padding:20px 16px 16px">' +
+    '<p class="admin-modal-desc" style="margin:0;font-size:14px;color:var(--text)">Reset PIN for <strong>' + escapeHtml(name) + '</strong>? A new temporary PIN will be generated and they will need to change it on next login.</p>' +
+    '</div>' +
+    '<div class="admin-modal-footer">' +
+    '<button class="admin-modal-save">Reset PIN</button>' +
+    '<button class="admin-modal-cancel">Cancel</button>' +
+    '</div></div>';
+  modal.innerHTML = html;
+  document.body.appendChild(modal);
+  modal.querySelector(".admin-modal-cancel").addEventListener("click", function () { modal.remove(); });
+  modal.addEventListener("click", function (e) { if (e.target === modal) modal.remove(); });
+  modal.querySelector(".admin-modal-save").addEventListener("click", function () {
+    modal.remove();
+    onConfirm();
+  });
+}
+
 var ctx = null;
 var cachedUsers = [];
 var cachedInvites = [];
@@ -111,8 +132,13 @@ function renderUsersTab(body) {
     html += '</div>';
     html += '<div class="admin-user-meta">' + escapeHtml(u.username) + ' · joined ' + created + '</div>';
     html += '</div>';
-    if (!isMe && u.role !== "admin") {
-      html += '<button class="admin-remove-btn" data-user-id="' + u.id + '" title="Remove user">' + iconHtml("trash-2") + '</button>';
+    if (!isMe) {
+      html += '<div style="display:flex;align-items:center;gap:2px">';
+      html += '<button class="admin-remove-btn admin-reset-pin-btn" data-user-id="' + u.id + '" title="Reset PIN">' + iconHtml("key-round") + '</button>';
+      if (u.role !== "admin") {
+        html += '<button class="admin-remove-btn" data-user-id="' + u.id + '" title="Remove user">' + iconHtml("trash-2") + '</button>';
+      }
+      html += '</div>';
     }
     html += '</div>';
   }
@@ -129,10 +155,32 @@ function renderUsersTab(body) {
     });
   }
 
+  // Bind reset PIN buttons
+  var resetBtns = body.querySelectorAll(".admin-reset-pin-btn");
+  for (var j = 0; j < resetBtns.length; j++) {
+    resetBtns[j].addEventListener("click", function (e) {
+      e.stopPropagation();
+      var userId = this.dataset.userId;
+      var user = cachedUsers.find(function (u) { return u.id === userId; });
+      var name = user ? (user.displayName || user.username) : "this user";
+      showConfirmResetPin(name, function () {
+        apiPost("/api/admin/users/" + userId + "/reset-pin").then(function (data) {
+          if (data.ok) {
+            showTempPinModal({ username: user.username, displayName: user.displayName || user.username }, data.tempPin);
+          } else {
+            showToast(data.error || "Failed to reset PIN");
+          }
+        }).catch(function () {
+          showToast("Failed to reset PIN");
+        });
+      });
+    });
+  }
+
   // Bind remove buttons
-  var removeBtns = body.querySelectorAll(".admin-remove-btn");
-  for (var j = 0; j < removeBtns.length; j++) {
-    removeBtns[j].addEventListener("click", function () {
+  var removeBtns = body.querySelectorAll(".admin-remove-btn:not(.admin-reset-pin-btn)");
+  for (var k = 0; k < removeBtns.length; k++) {
+    removeBtns[k].addEventListener("click", function () {
       var userId = this.dataset.userId;
       var user = cachedUsers.find(function (u) { return u.id === userId; });
       var name = user ? (user.displayName || user.username) : "this user";

package/lib/public/modules/terminal.js

@@ -15,6 +15,106 @@ var resizeObserver = null;
 var toolbarBound = false;
 var termCtxMenu = null;
 
+// --- Multi-line link provider ---
+// xterm's WebLinksAddon only detects URLs on a single line.
+// This provider reconstructs "logical lines" from wrapped buffer lines
+// and detects URLs that span multiple rows.
+function createMultiLineLinkProvider(xterm) {
+  var URL_RE = /https?:\/\/[^\s'"\]>)}{]+/g;
+
+  function getLogicalLine(buffer, y) {
+    // Walk backward to find the start of the logical line
+    var startY = y;
+    while (startY > 0) {
+      var line = buffer.getLine(startY);
+      if (!line || !line.isWrapped) break;
+      startY--;
+    }
+
+    // Walk forward to collect all wrapped continuation lines
+    var endY = startY;
+    var cols = xterm.cols;
+    while (endY < buffer.length - 1) {
+      var next = buffer.getLine(endY + 1);
+      if (!next || !next.isWrapped) break;
+      endY++;
+    }
+
+    // Build the full logical line text and track row boundaries
+    var text = "";
+    var rowOffsets = []; // { y, startOffset, length }
+    for (var row = startY; row <= endY; row++) {
+      var line = buffer.getLine(row);
+      if (!line) break;
+      var trimRight = (row === endY); // only trim trailing spaces on last row
+      var rowText = line.translateToString(trimRight);
+      rowOffsets.push({ y: row, startOffset: text.length, length: rowText.length });
+      text += rowText;
+    }
+
+    return { text: text, startY: startY, endY: endY, rowOffsets: rowOffsets };
+  }
+
+  function offsetToBufferPos(rowOffsets, offset) {
+    for (var i = 0; i < rowOffsets.length; i++) {
+      var ro = rowOffsets[i];
+      if (offset < ro.startOffset + ro.length) {
+        return { x: offset - ro.startOffset + 1, y: ro.y + 1 }; // 1-based
+      }
+    }
+    // Past end, clamp to last row
+    var last = rowOffsets[rowOffsets.length - 1];
+    return { x: last.length + 1, y: last.y + 1 };
+  }
+
+  return {
+    provideLinks: function (y, callback) {
+      var buffer = xterm.buffer.active;
+      // y is 1-based in provideLinks
+      var bufferY = y - 1;
+      var logical = getLogicalLine(buffer, bufferY);
+
+      // Only process if this logical line spans multiple rows
+      if (logical.startY === logical.endY) {
+        callback(undefined);
+        return;
+      }
+
+      // Only trigger on the first row of the logical line to avoid duplicates
+      if (bufferY !== logical.startY) {
+        callback(undefined);
+        return;
+      }
+
+      var links = [];
+      var match;
+      URL_RE.lastIndex = 0;
+      while ((match = URL_RE.exec(logical.text)) !== null) {
+        var urlStart = match.index;
+        var urlEnd = match.index + match[0].length - 1;
+
+        var startPos = offsetToBufferPos(logical.rowOffsets, urlStart);
+        var endPos = offsetToBufferPos(logical.rowOffsets, urlEnd);
+
+        // Only include if the URL actually spans multiple rows
+        if (startPos.y !== endPos.y) {
+          (function (url) {
+            links.push({
+              range: { start: startPos, end: endPos },
+              text: url,
+              activate: function () {
+                window.open(url, "_blank", "noopener");
+              },
+            });
+          })(match[0]);
+        }
+      }
+
+      callback(links.length > 0 ? links : undefined);
+    },
+  };
+}
+
 // --- Init ---
 export function initTerminal(_ctx) {
   ctx = _ctx;
@@ -225,11 +325,14 @@ function createXtermForTab(tab) {
     xterm.loadAddon(fitAddon);
   }
 
-  // Web links addon: make URLs clickable
+  // Web links addon: make URLs clickable (single-line)
   if (typeof WebLinksAddon !== "undefined") {
     xterm.loadAddon(new WebLinksAddon.WebLinksAddon());
   }
 
+  // Custom multi-line link provider: detect URLs that wrap across lines
+  xterm.registerLinkProvider(createMultiLineLinkProvider(xterm));
+
   // Create a container div for this tab's terminal
   var bodyEl = document.createElement("div");
   bodyEl.className = "terminal-tab-body";

package/lib/server.js

@@ -1118,6 +1118,48 @@ function createServer(opts) {
       return;
     }
 
+    // Reset user PIN (admin only) — generates a new temp PIN
+    if (req.method === "POST" && fullUrl.match(/^\/api\/admin\/users\/[^/]+\/reset-pin$/)) {
+      if (!users.isMultiUser()) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end('{"error":"Not found"}');
+        return;
+      }
+      var mu = getMultiUserFromReq(req);
+      if (!mu || mu.role !== "admin") {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end('{"error":"Admin access required"}');
+        return;
+      }
+      var urlParts = fullUrl.split("/");
+      var targetUserId = urlParts[4]; // /api/admin/users/{userId}/reset-pin
+      var targetUser = users.findUserById(targetUserId);
+      if (!targetUser) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end('{"error":"User not found"}');
+        return;
+      }
+      var newPin = users.generatePin();
+      var pinResult = users.updateUserPin(targetUserId, newPin);
+      if (pinResult.error) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: pinResult.error }));
+        return;
+      }
+      // Mark as must change on next login
+      var data = users.loadUsers();
+      for (var i = 0; i < data.users.length; i++) {
+        if (data.users[i].id === targetUserId) {
+          data.users[i].mustChangePin = true;
+          users.saveUsers(data);
+          break;
+        }
+      }
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ ok: true, tempPin: newPin }));
+      return;
+    }
+
     // Set Linux user mapping (admin only, OS-level multi-user)
     if (req.method === "PUT" && fullUrl.match(/^\/api\/admin\/users\/[^/]+\/linux-user$/)) {
       if (!users.isMultiUser()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.11.0-beta.10",
+  "version": "2.11.0-beta.12",
   "description": "Web UI for Claude Code. Any device. Push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",