clay-server 2.11.0-beta.9 → 2.11.0

package/lib/daemon.js

@@ -38,6 +38,20 @@ try {
   process.exit(1);
 }
 
+// --- OS users mode: check required system dependencies ---
+if (config.osUsers) {
+  var { execSync: checkExec } = require("child_process");
+  var missing = [];
+  try { checkExec("which setfacl", { stdio: "ignore" }); } catch (e) { missing.push("acl (setfacl)"); }
+  try { checkExec("which git", { stdio: "ignore" }); } catch (e) { missing.push("git"); }
+  try { checkExec("which useradd", { stdio: "ignore" }); } catch (e) { missing.push("useradd"); }
+  if (missing.length > 0) {
+    console.error("[daemon] OS users mode requires missing system packages: " + missing.join(", "));
+    console.error("[daemon] Install with:  sudo apt install " + missing.map(function (m) { return m.split(" ")[0]; }).join(" "));
+    process.exit(78); // EX_CONFIG
+  }
+}
+
 // --- TLS ---
 var tlsOptions = null;
 if (config.tls) {
@@ -82,6 +96,18 @@ var lanIp = (function () {
   return null;
 })();
 
+// --- Helper: get removed projects filtered by existing paths and userId ---
+function getFilteredRemovedProjects(userId) {
+  if (!config.removedProjects || config.removedProjects.length === 0) return [];
+  return config.removedProjects.filter(function (rp) {
+    // In single-user mode (no userId), show entries with no userId
+    // In multi-user mode, only show entries belonging to this user
+    if (userId && rp.userId && rp.userId !== userId) return false;
+    if (!userId && rp.userId) return false;
+    return fs.existsSync(rp.path);
+  });
+}
+
 // --- Create multi-project server ---
 var listenHost = config.host || "0.0.0.0";
 
@@ -94,7 +120,8 @@ var relay = createServer({
   dangerouslySkipPermissions: config.dangerouslySkipPermissions || false,
   osUsers: config.osUsers || false,
   lanHost: lanIp ? lanIp + ":" + config.port : null,
-  onAddProject: function (absPath) {
+  getRemovedProjects: function (userId) { return getFilteredRemovedProjects(userId); },
+  onAddProject: function (absPath, wsUser) {
     // Check if already registered
     for (var j = 0; j < config.projects.length; j++) {
       if (config.projects[j].path === absPath) {
@@ -104,7 +131,17 @@ var relay = createServer({
     var slugs = config.projects.map(function (p) { return p.slug; });
     var slug = generateSlug(absPath, slugs);
     relay.addProject(absPath, slug);
-    config.projects.push({ path: absPath, slug: slug, addedAt: Date.now() });
+    var projectEntry = { path: absPath, slug: slug, addedAt: Date.now() };
+    // Non-admin users own their projects and they default to private
+    if (wsUser && wsUser.id && wsUser.role !== "admin") {
+      projectEntry.ownerId = wsUser.id;
+      projectEntry.visibility = "private";
+    }
+    config.projects.push(projectEntry);
+    // Remove from removedProjects if present
+    if (config.removedProjects) {
+      config.removedProjects = config.removedProjects.filter(function (rp) { return rp.path !== absPath; });
+    }
     saveConfig(config);
     try { syncClayrc(config.projects); } catch (e) {}
     console.log("[daemon] Added project (web):", slug, "→", absPath);
@@ -127,6 +164,7 @@ var relay = createServer({
     return { ok: true, slug: slug };
   },
   onCreateProject: function (projectName, wsUser) {
+    console.log("[daemon] onCreateProject wsUser:", JSON.stringify(wsUser ? { id: wsUser.id, role: wsUser.role, username: wsUser.username, linuxUser: wsUser.linuxUser } : null));
     var os = require("os");
     var { execSync } = require("child_process");
     var baseDir;
@@ -152,8 +190,9 @@ var relay = createServer({
             uidGid = { uid: parseInt(passwdLine[0], 10), gid: parseInt(passwdLine[1], 10) };
           } catch (e) {}
           if (uidGid) {
-            execSync("git init", { cwd: targetDir, uid: uidGid.uid, gid: uidGid.gid });
+            fs.chmodSync(targetDir, 0o700);
             execSync("chown -R " + linuxUser + ":" + linuxUser + " " + JSON.stringify(targetDir));
+            execSync("git init", { cwd: targetDir, uid: uidGid.uid, gid: uidGid.gid, env: { PATH: "/usr/local/bin:/usr/bin:/bin" } });
           } else {
             execSync("git init", { cwd: targetDir });
           }
@@ -169,17 +208,25 @@ var relay = createServer({
     }
     // Register project
     var projectEntry = { path: targetDir, slug: slug, addedAt: Date.now() };
-    if (config.osUsers && wsUser) {
-      projectEntry.ownerId = wsUser.id;
+    if (wsUser && wsUser.id) {
+      if (config.osUsers || wsUser.role !== "admin") {
+        projectEntry.ownerId = wsUser.id;
+      }
+      if (wsUser.role !== "admin") {
+        projectEntry.visibility = "private";
+      }
     }
     relay.addProject(targetDir, slug);
     config.projects.push(projectEntry);
     saveConfig(config);
     try { syncClayrc(config.projects); } catch (e) {}
-    console.log("[daemon] Created project:", slug, "→", targetDir);
+    console.log("[daemon] Created project:", slug, "→", targetDir, "entry:", JSON.stringify({ ownerId: projectEntry.ownerId, visibility: projectEntry.visibility }));
     // OS users mode: grant ACL
     if (config.osUsers && wsUser && wsUser.linuxUser) {
+      console.log("[daemon] Granting ACL:", targetDir, "→", wsUser.linuxUser);
       grantProjectAccess(targetDir, wsUser.linuxUser);
+    } else if (config.osUsers) {
+      console.log("[daemon] Skipping ACL grant: osUsers=true but linuxUser=", wsUser && wsUser.linuxUser);
     }
     relay.broadcastAll({
       type: "projects_updated",
@@ -227,14 +274,22 @@ var relay = createServer({
         callback({ ok: false, error: errMsg });
         return;
       }
-      // chown if osUsers
+      // chown and restrict permissions if osUsers
       if (config.osUsers && wsUser && wsUser.linuxUser) {
-        try { execSync("chown -R " + wsUser.linuxUser + ":" + wsUser.linuxUser + " " + JSON.stringify(targetDir)); } catch (e) {}
+        try {
+          fs.chmodSync(targetDir, 0o700);
+          execSync("chown -R " + wsUser.linuxUser + ":" + wsUser.linuxUser + " " + JSON.stringify(targetDir));
+        } catch (e) {}
       }
       // Register project
       var projectEntry = { path: targetDir, slug: slug, addedAt: Date.now() };
-      if (config.osUsers && wsUser) {
-        projectEntry.ownerId = wsUser.id;
+      if (wsUser && wsUser.id) {
+        if (config.osUsers || wsUser.role !== "admin") {
+          projectEntry.ownerId = wsUser.id;
+        }
+        if (wsUser.role !== "admin") {
+          projectEntry.visibility = "private";
+        }
       }
       relay.addProject(targetDir, slug);
       config.projects.push(projectEntry);
@@ -257,22 +312,30 @@ var relay = createServer({
       callback({ ok: false, error: "Failed to start git clone: " + err.message });
     });
   },
-  onRemoveProject: function (slug) {
-    var found = false;
+  onRemoveProject: function (slug, userId) {
+    var found = null;
     for (var j = 0; j < config.projects.length; j++) {
-      if (config.projects[j].slug === slug) { found = true; break; }
+      if (config.projects[j].slug === slug) { found = config.projects[j]; break; }
     }
     if (!found) return { ok: false, error: "Project not found" };
-    // Find path before removing so we can clean up .clayrc
-    var removedPath = null;
-    for (var rj = 0; rj < config.projects.length; rj++) {
-      if (config.projects[rj].slug === slug) { removedPath = config.projects[rj].path; break; }
+    // Save to removedProjects for re-add functionality
+    if (!config.removedProjects) config.removedProjects = [];
+    config.removedProjects.push({
+      path: found.path,
+      title: found.title || null,
+      icon: found.icon || null,
+      userId: userId || null,
+      removedAt: Date.now(),
+    });
+    // Cap at 20 entries (oldest first)
+    if (config.removedProjects.length > 20) {
+      config.removedProjects = config.removedProjects.slice(config.removedProjects.length - 20);
     }
     relay.removeProject(slug);
     config.projects = config.projects.filter(function (p) { return p.slug !== slug; });
     saveConfig(config);
     // Remove from .clayrc so it doesn't appear in restore prompt
-    if (removedPath) { try { removeFromClayrc(removedPath); } catch (e) {} }
+    if (found.path) { try { removeFromClayrc(found.path); } catch (e) {} }
     try { syncClayrc(config.projects); } catch (e) {}
     console.log("[daemon] Removed project (web):", slug);
     relay.broadcastAll({
@@ -356,6 +419,7 @@ var relay = createServer({
     return { ok: true };
   },
   onProjectOwnerChanged: function (slug, ownerId) {
+    console.log("[daemon] onProjectOwnerChanged:", slug, "→", ownerId);
     var oldOwnerId = null;
     var projectIdx = -1;
     for (var oi = 0; oi < config.projects.length; oi++) {
@@ -386,6 +450,7 @@ var relay = createServer({
       // Grant new owner
       if (ownerId) {
         var newOwner = usersModule.findUserById(ownerId);
+        console.log("[daemon] Owner grant ACL:", ownerId, "linuxUser:", newOwner && newOwner.linuxUser, "path:", projectPath);
         if (newOwner && newOwner.linuxUser) {
           grantProjectAccess(projectPath, newOwner.linuxUser);
         }
@@ -669,6 +734,7 @@ var relay = createServer({
           slug: slug,
           visibility: config.projects[i].visibility || "public",
           allowedUsers: config.projects[i].allowedUsers || [],
+          ownerId: config.projects[i].ownerId || null,
         };
       }
     }
@@ -1052,25 +1118,31 @@ if (config.keepAwake && process.platform === "darwin") {
 
 // --- Spawn new daemon and graceful restart ---
 function spawnAndRestart() {
-  var { spawn: spawnRestart } = require("child_process");
-  var { logPath: restartLogPath, configPath: restartConfigPath } = require("./config");
-  var daemonScript = path.join(__dirname, "daemon.js");
-  var logFd = fs.openSync(restartLogPath(), "a");
-  var child = spawnRestart(process.execPath, [daemonScript], {
-    detached: true,
-    windowsHide: true,
-    stdio: ["ignore", logFd, logFd],
-    env: Object.assign({}, process.env, {
-      CLAY_CONFIG: restartConfigPath(),
-    }),
-  });
-  child.unref();
-  fs.closeSync(logFd);
-  config.pid = child.pid;
-  saveConfig(config);
-  console.log("[daemon] Spawned new daemon (PID " + child.pid + "), shutting down...");
-  updateHandoff = true;
-  setTimeout(function () { gracefulShutdown(); }, 100);
+  try {
+    var { spawn: spawnRestart } = require("child_process");
+    var { logPath: restartLogPath, configPath: restartConfigPath } = require("./config");
+    var daemonScript = path.join(__dirname, "daemon.js");
+    var logFd = fs.openSync(restartLogPath(), "a");
+    var child = spawnRestart(process.execPath, [daemonScript], {
+      detached: true,
+      windowsHide: true,
+      stdio: ["ignore", logFd, logFd],
+      env: Object.assign({}, process.env, {
+        CLAY_CONFIG: restartConfigPath(),
+      }),
+    });
+    child.unref();
+    fs.closeSync(logFd);
+    config.pid = child.pid;
+    saveConfig(config);
+    console.log("[daemon] Spawned new daemon (PID " + child.pid + "), shutting down...");
+    updateHandoff = true;
+    setTimeout(function () { gracefulShutdown(); }, 100);
+  } catch (e) {
+    console.error("[daemon] Restart failed:", e.message);
+    relay.broadcastAll({ type: "toast", level: "error", message: "Restart failed: " + e.message });
+    relay.broadcastAll({ type: "restart_server_result", ok: false, error: e.message });
+  }
 }
 
 // --- Graceful shutdown ---

package/lib/os-users.js

@@ -174,6 +174,52 @@ function linuxUserExists(username) {
   }
 }
 
+/**
+ * Install Claude CLI for a Linux user account.
+ * Downloads and runs the install script, then ensures PATH is configured.
+ * Non-fatal: logs errors but does not throw.
+ */
+function installClaudeCli(linuxName) {
+  try {
+    // Download and run the Claude CLI install script as the target user
+    execSync(
+      "su - " + linuxName + " -c \"curl -fsSL https://claude.ai/install.sh | bash\"",
+      { encoding: "utf8", timeout: 60000, stdio: "pipe" }
+    );
+    console.log("[os-users] Claude CLI installed for " + linuxName);
+  } catch (e) {
+    var msg = (e.stderr || e.message || "").trim();
+    console.error("[os-users] Failed to install Claude CLI for " + linuxName + ": " + msg);
+    return;
+  }
+
+  // Append PATH export to the user's shell config if not already present
+  try {
+    var home = "/home/" + linuxName;
+    var rcFile;
+    if (fs.existsSync(home + "/.zshrc")) {
+      rcFile = "~/.zshrc";
+    } else {
+      rcFile = "~/.bashrc";
+    }
+
+    // Check if PATH export is already present before appending
+    var checkCmd = "su - " + linuxName + " -c \"grep -qF '/.local/bin' " + rcFile + "\"";
+    try {
+      execSync(checkCmd, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+      console.log("[os-users] PATH already configured in " + rcFile + " for " + linuxName);
+    } catch (grepErr) {
+      // grep returned non-zero, meaning the line is not present; append it
+      var appendCmd = "su - " + linuxName + " -c 'echo \"export PATH=\\\"\\$HOME/.local/bin:\\$PATH\\\"\" >> " + rcFile + "'";
+      execSync(appendCmd, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+      console.log("[os-users] PATH export appended to " + rcFile + " for " + linuxName);
+    }
+  } catch (e) {
+    var rcMsg = (e.stderr || e.message || "").trim();
+    console.error("[os-users] Failed to configure PATH for " + linuxName + ": " + rcMsg);
+  }
+}
+
 /**
  * Provision a Linux user account for a Clay user.
  * Creates the account via useradd with a home directory.
@@ -197,6 +243,7 @@ function provisionLinuxUser(clayUsername) {
       stdio: "pipe",
     });
     console.log("[os-users] Provisioned Linux user: " + linuxName + " (Clay user: " + clayUsername + ")");
+    installClaudeCli(linuxName);
     return { ok: true, linuxUser: linuxName };
   } catch (e) {
     var msg = (e.stderr || e.message || "").trim();
@@ -219,6 +266,12 @@ function provisionAllUsers(usersModule) {
     if (user.linuxUser) {
       // Already mapped, verify the Linux user still exists
       if (linuxUserExists(user.linuxUser)) {
+        // Ensure Claude CLI is installed for existing users
+        var cliPath = "/home/" + user.linuxUser + "/.local/bin/claude";
+        if (!fs.existsSync(cliPath)) {
+          console.log("[os-users] Claude CLI missing for " + user.linuxUser + ", installing...");
+          installClaudeCli(user.linuxUser);
+        }
         result.skipped.push({ id: user.id, username: user.username, linuxUser: user.linuxUser });
         continue;
       }
@@ -282,7 +335,10 @@ function deactivateLinuxUser(linuxUsername) {
 function ensureProjectsDir() {
   var dir = "/var/clay/projects";
   if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true, mode: 0o755 });
+    fs.mkdirSync(dir, { recursive: true, mode: 0o711 });
+  } else {
+    // Tighten permissions if directory already exists (prevent listing by other users)
+    try { fs.chmodSync(dir, 0o711); } catch (e) {}
   }
 }
 
@@ -296,6 +352,7 @@ module.exports = {
   provisionLinuxUser: provisionLinuxUser,
   provisionAllUsers: provisionAllUsers,
   grantAllUsersAccess: grantAllUsersAccess,
+  installClaudeCli: installClaudeCli,
   deactivateLinuxUser: deactivateLinuxUser,
   ensureProjectsDir: ensureProjectsDir,
 };

package/lib/pages.js

@@ -3,13 +3,21 @@ function pinPageHtml() {
     '<meta charset="UTF-8">' +
     '<meta name="viewport" content="width=device-width,initial-scale=1,viewport-fit=cover">' +
     '<meta name="apple-mobile-web-app-capable" content="yes">' +
+    '<link rel="icon" type="image/png" href="/favicon-banded.png">' +
+    '<link rel="apple-touch-icon" href="/apple-touch-icon.png">' +
     '<title>Clay</title>' +
     '<style>' + authPageStyles + '</style></head><body><div class="c">' +
-    '<h1>Welcome back</h1>' +
+    '<h1 id="greeting"></h1>' +
     '<div class="sub">Enter your PIN to continue</div>' +
     pinBoxesHtml +
     '<div class="err" id="err"></div>' +
     '<script>' +
+    '(function(){' +
+    'var h=document.getElementById("greeting");' +
+    'var visited=localStorage.getItem("clay_visited");' +
+    'if(visited){h.textContent="Welcome back"}' +
+    'else{h.textContent="Welcome to Clay";localStorage.setItem("clay_visited","1")}' +
+    '})();' +
     pinBoxScript +
     'var err=document.getElementById("err");' +
     'function submitPin(){' +
@@ -966,39 +974,33 @@ function multiUserLoginPageHtml() {
     '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
     'btns[1].onclick=doLogin;' +
 
-    // Force PIN change overlay
+    // Force PIN change: reuse the same login screen, switch step1 to "Set new PIN" mode
     'function showChangePinOverlay(){' +
-    'var ov=document.createElement("div");ov.className="c";' +
-    'ov.style.cssText="position:fixed;inset:0;background:var(--bg,#0e0e10);z-index:9999;display:flex;align-items:center;justify-content:center";' +
-    'ov.innerHTML=\'<div style="width:100%;max-width:380px;padding:24px"><h1>Set your new PIN</h1>\'+' +
-    '\'<div class="sub">Your temporary PIN has expired. Please set a new 6-digit PIN to continue.</div>\'+' +
-    '\'<div id="new-pin-boxes" class="pin-boxes">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
-    '\'</div><input type="hidden" id="new-pin">\'+' +
-    '\'<button class="btn" id="save-new-pin" disabled style="margin-top:20px">Save PIN</button>\'+' +
-    '\'<div class="err" id="new-pin-err"></div></div>\';' +
-    'document.body.appendChild(ov);' +
-    'var newPinEl=ov.querySelector("#new-pin");' +
-    'var saveBtn=ov.querySelector("#save-new-pin");' +
-    'var errEl=ov.querySelector("#new-pin-err");' +
-    'initPinBoxes("new-pin-boxes","new-pin",function(){if(!saveBtn.disabled)doSavePin()});' +
-    'var nb=ov.querySelectorAll(".pin-digit");' +
-    'for(var i=0;i<nb.length;i++)nb[i].addEventListener("input",function(){saveBtn.disabled=newPinEl.value.length!==6});' +
-    'function doSavePin(){' +
-    'saveBtn.disabled=true;errEl.textContent="";' +
+    // Hide step dots (no longer a 2-step flow)
+    'var bar=document.querySelector(".steps-bar");if(bar)bar.style.display="none";' +
+    // Hide step 0 (username), show step 1 (PIN) with new labels
+    'steps[0].classList.remove("active");' +
+    'steps[1].classList.add("active");' +
+    'var h1=steps[1].querySelector("h1");if(h1)h1.textContent="Set your new PIN";' +
+    'var sub=steps[1].querySelector(".sub");if(sub)sub.textContent="Your temporary PIN has expired. Please set a new 6-digit PIN to continue.";' +
+    'btns[1].textContent="Save PIN";' +
+    // Re-init PIN boxes for fresh input
+    'resetPin();' +
+    'initPinBoxes("pin-boxes","pin",function(){if(!btns[1].disabled)doSaveNewPin()});' +
+    'var boxes=document.querySelectorAll(".pin-digit");' +
+    'for(var i=0;i<boxes.length;i++)boxes[i].addEventListener("input",function(){btns[1].disabled=pinEl.value.length!==6});' +
+    // Override button handler to save new PIN instead of login
+    'btns[1].onclick=doSaveNewPin;' +
+    'function doSaveNewPin(){' +
+    'btns[1].disabled=true;errs[1].textContent="";' +
     'fetch("/api/user/pin",{method:"PUT",headers:{"Content-Type":"application/json"},' +
-    'body:JSON.stringify({newPin:newPinEl.value})})' +
+    'body:JSON.stringify({newPin:pinEl.value})})' +
     '.then(function(r){return r.json()})' +
     '.then(function(d){' +
     'if(d.ok){location.reload();return}' +
-    'errEl.textContent=d.error||"Failed to save PIN";saveBtn.disabled=false})' +
-    '.catch(function(){errEl.textContent="Connection error";saveBtn.disabled=false})}' +
-    'saveBtn.onclick=doSavePin}' +
+    'errs[1].textContent=d.error||"Failed to save PIN";btns[1].disabled=false})' +
+    '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
+    '}' +
 
     '</script></div></body></html>';
 }

package/lib/project.js

@@ -108,6 +108,7 @@ function createProjectContext(opts) {
   var moveAllSchedulesToProject = opts.moveAllSchedulesToProject || function () { return { ok: false, error: "Not supported" }; };
   var getScheduleCount = opts.getScheduleCount || function () { return 0; };
   var onProcessingChanged = opts.onProcessingChanged || function () {};
+  var onSessionDone = opts.onSessionDone || function () {};
   var onPresenceChange = opts.onPresenceChange || function () {};
   var updateChannel = opts.updateChannel || "stable";
   var osUsers = opts.osUsers || false;
@@ -176,6 +177,13 @@ function createProjectContext(opts) {
     if (ws.readyState === 1) ws.send(JSON.stringify(obj));
   }
 
+  function sendToAdmins(obj) {
+    var data = JSON.stringify(obj);
+    for (var ws of clients) {
+      if (ws.readyState === 1 && ws._clayUser && ws._clayUser.role === "admin") ws.send(data);
+    }
+  }
+
   function broadcastClientCount() {
     var msg = { type: "client_count", count: clients.size };
     if (usersModule.isMultiUser()) {
@@ -338,6 +346,7 @@ function createProjectContext(opts) {
         fn(ws, filterFn);
       }
     },
+    onSessionDone: onSessionDone,
   });
   var _projMode = typeof opts.onGetProjectDefaultMode === "function" ? opts.onGetProjectDefaultMode(slug) : null;
   var _srvMode = typeof opts.onGetServerDefaultMode === "function" ? opts.onGetServerDefaultMode() : null;
@@ -998,11 +1007,11 @@ function createProjectContext(opts) {
   var tm = createTerminalManager({ cwd: cwd, send: send, sendTo: sendTo });
   var nm = createNotesManager({ cwd: cwd, send: send, sendTo: sendTo });
 
-  // Check for updates in background
+  // Check for updates in background (admin only)
   fetchVersion(updateChannel).then(function (v) {
     if (v && isNewer(v, currentVersion)) {
       latestVersion = v;
-      send({ type: "update_available", version: v });
+      sendToAdmins({ type: "update_available", version: v });
     }
   });
 
@@ -1022,7 +1031,7 @@ function createProjectContext(opts) {
     var _userId = ws._clayUser ? ws._clayUser.id : null;
     var _filteredProjects = getProjectList(_userId);
     sendTo(ws, { type: "info", cwd: cwd, slug: slug, project: title || project, version: currentVersion, debug: !!debug, dangerouslySkipPermissions: dangerouslySkipPermissions, osUsers: osUsers, lanHost: lanHost, projectCount: _filteredProjects.length, projects: _filteredProjects, projectOwnerId: projectOwnerId });
-    if (latestVersion) {
+    if (latestVersion && ws._clayUser && ws._clayUser.role === "admin") {
       sendTo(ws, { type: "update_available", version: latestVersion });
     }
     if (sm.slashCommands) {
@@ -1203,7 +1212,7 @@ function createProjectContext(opts) {
 
   function handleMessage(ws, msg) {
     // --- DM messages (delegated to server-level handler) ---
-    if (msg.type === "dm_open" || msg.type === "dm_send" || msg.type === "dm_list" || msg.type === "dm_typing") {
+    if (msg.type === "dm_open" || msg.type === "dm_send" || msg.type === "dm_list" || msg.type === "dm_typing" || msg.type === "dm_add_favorite" || msg.type === "dm_remove_favorite") {
       if (typeof opts.onDmMessage === "function") {
         opts.onDmMessage(ws, msg);
       }
@@ -1405,9 +1414,17 @@ function createProjectContext(opts) {
       if (usersModule.isMultiUser() && (!ws._clayUser || ws._clayUser.role !== "admin")) return;
       var newChannel = msg.channel === "beta" ? "beta" : "stable";
       updateChannel = newChannel;
+      latestVersion = null;
       if (typeof opts.onSetUpdateChannel === "function") {
         opts.onSetUpdateChannel(newChannel);
       }
+      // Re-fetch with new channel and broadcast to admin clients
+      fetchVersion(updateChannel).then(function (v) {
+        if (v && isNewer(v, currentVersion)) {
+          latestVersion = v;
+          sendToAdmins({ type: "update_available", version: v });
+        }
+      }).catch(function () {});
       return;
     }
 
@@ -1815,7 +1832,7 @@ function createProjectContext(opts) {
           new Promise(function (resolve) { setTimeout(resolve, 3000); }),
         ]).then(function () {
           try {
-            var newSession = sm.createSession();
+            var newSession = sm.createSession(null, ws);
             // Send the plan as the first user message (with planContent for UI rendering)
             var userMsg = { type: "user_message", text: planPrompt, planContent: clientPlanContent || null };
             newSession.history.push(userMsg);
@@ -1963,7 +1980,7 @@ function createProjectContext(opts) {
         return;
       }
       if (typeof opts.onAddProject === "function") {
-        var result = opts.onAddProject(addAbs);
+        var result = opts.onAddProject(addAbs, ws._clayUser);
         sendTo(ws, { type: "add_project_result", ok: result.ok, slug: result.slug, error: result.error, existing: result.existing });
       } else {
         sendTo(ws, { type: "add_project_result", ok: false, error: "Not supported" });
@@ -2029,8 +2046,10 @@ function createProjectContext(opts) {
         moveAllSchedulesToProject(removeSlug, msg.moveTasksTo);
       }
       if (typeof opts.onRemoveProject === "function") {
-        var removeResult = opts.onRemoveProject(removeSlug);
-        sendTo(ws, { type: "remove_project_result", ok: removeResult.ok, slug: removeSlug, error: removeResult.error });
+        // Send result before removing so the WS is still open
+        sendTo(ws, { type: "remove_project_result", ok: true, slug: removeSlug });
+        var removeUserId = ws._clayUser ? ws._clayUser.id : null;
+        opts.onRemoveProject(removeSlug, removeUserId);
       } else {
         sendTo(ws, { type: "remove_project_result", ok: false, error: "Not supported" });
       }