clay-server 2.13.0-beta.2 → 2.13.0-beta.4

package/lib/server.js

@@ -402,6 +402,91 @@ function createServer(opts) {
   var getRemovedProjects = opts.getRemovedProjects || function () { return []; };
 
   var authToken = pinHash || null;
+
+  // --- Admin password recovery (in-memory, one-time) ---
+  var recovery = null; // { urlPath, password }
+
+  function setRecovery(urlPath, password) {
+    recovery = { urlPath: urlPath, password: password };
+  }
+
+  function clearRecovery() {
+    recovery = null;
+  }
+
+  function recoveryPageHtml() {
+    return '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">'
+      + '<title>Admin Password Recovery</title>'
+      + '<style>'
+      + '*{margin:0;padding:0;box-sizing:border-box}'
+      + 'body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#0a0a0a;color:#e5e5e5;display:flex;align-items:center;justify-content:center;min-height:100vh}'
+      + '.card{background:#171717;border:1px solid #262626;border-radius:12px;padding:32px;width:100%;max-width:380px}'
+      + 'h1{font-size:18px;font-weight:600;margin-bottom:4px}'
+      + '.sub{font-size:13px;color:#737373;margin-bottom:24px}'
+      + 'label{display:block;font-size:13px;color:#a3a3a3;margin-bottom:6px}'
+      + 'input{width:100%;padding:10px 12px;background:#0a0a0a;border:1px solid #333;border-radius:8px;color:#e5e5e5;font-size:14px;outline:none;margin-bottom:16px}'
+      + 'input:focus{border-color:#7c3aed}'
+      + 'button{width:100%;padding:10px;background:#7c3aed;color:#fff;border:none;border-radius:8px;font-size:14px;font-weight:500;cursor:pointer}'
+      + 'button:hover{background:#6d28d9}'
+      + 'button:disabled{opacity:.5;cursor:not-allowed}'
+      + '.error{color:#ef4444;font-size:13px;margin-bottom:12px;display:none}'
+      + '.success{text-align:center;color:#22c55e;font-size:15px}'
+      + '.hidden{display:none}'
+      + '</style></head><body>'
+      + '<div class="card">'
+      + '<div id="step-verify">'
+      + '<h1>Admin Recovery</h1>'
+      + '<p class="sub">Enter the recovery password shown in your terminal.</p>'
+      + '<div id="err-verify" class="error"></div>'
+      + '<label for="recovery-pw">Recovery password</label>'
+      + '<input id="recovery-pw" type="text" autocomplete="off" spellcheck="false" autofocus>'
+      + '<button id="btn-verify">Verify</button>'
+      + '</div>'
+      + '<div id="step-reset" class="hidden">'
+      + '<h1>Reset Admin PIN</h1>'
+      + '<p class="sub">Enter a new 6-digit PIN for the admin account.</p>'
+      + '<div id="err-reset" class="error"></div>'
+      + '<label for="new-pin">New PIN</label>'
+      + '<input id="new-pin" type="password" maxlength="6" pattern="\\d{6}" inputmode="numeric" placeholder="6 digits">'
+      + '<label for="confirm-pin">Confirm PIN</label>'
+      + '<input id="confirm-pin" type="password" maxlength="6" pattern="\\d{6}" inputmode="numeric" placeholder="6 digits">'
+      + '<button id="btn-reset">Reset PIN</button>'
+      + '</div>'
+      + '<div id="step-done" class="hidden">'
+      + '<p class="success">PIN has been reset successfully. You can now log in with your new PIN.</p>'
+      + '</div>'
+      + '</div>'
+      + '<script>'
+      + 'var pw="";\n'
+      + 'document.getElementById("btn-verify").onclick=function(){\n'
+      + '  var el=document.getElementById("recovery-pw");\n'
+      + '  pw=el.value.trim();\n'
+      + '  if(!pw)return;\n'
+      + '  this.disabled=true;\n'
+      + '  fetch(location.pathname,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({step:"verify",password:pw})})\n'
+      + '  .then(function(r){return r.json()}).then(function(d){\n'
+      + '    if(d.ok){document.getElementById("step-verify").classList.add("hidden");document.getElementById("step-reset").classList.remove("hidden");document.getElementById("new-pin").focus()}\n'
+      + '    else{var e=document.getElementById("err-verify");e.textContent=d.error||"Invalid password";e.style.display="block";document.getElementById("btn-verify").disabled=false}\n'
+      + '  }).catch(function(){document.getElementById("btn-verify").disabled=false})\n'
+      + '};\n'
+      + 'document.getElementById("recovery-pw").addEventListener("keydown",function(e){if(e.key==="Enter")document.getElementById("btn-verify").click()});\n'
+      + 'document.getElementById("btn-reset").onclick=function(){\n'
+      + '  var pin=document.getElementById("new-pin").value;\n'
+      + '  var confirm=document.getElementById("confirm-pin").value;\n'
+      + '  var errEl=document.getElementById("err-reset");\n'
+      + '  if(!/^\\d{6}$/.test(pin)){errEl.textContent="PIN must be exactly 6 digits";errEl.style.display="block";return}\n'
+      + '  if(pin!==confirm){errEl.textContent="PINs do not match";errEl.style.display="block";return}\n'
+      + '  this.disabled=true;errEl.style.display="none";\n'
+      + '  fetch(location.pathname,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({step:"reset",password:pw,pin:pin})})\n'
+      + '  .then(function(r){return r.json()}).then(function(d){\n'
+      + '    if(d.ok){document.getElementById("step-reset").classList.add("hidden");document.getElementById("step-done").classList.remove("hidden")}\n'
+      + '    else{errEl.textContent=d.error||"Failed";errEl.style.display="block";document.getElementById("btn-reset").disabled=false}\n'
+      + '  }).catch(function(){document.getElementById("btn-reset").disabled=false})\n'
+      + '};\n'
+      + 'document.getElementById("confirm-pin").addEventListener("keydown",function(e){if(e.key==="Enter")document.getElementById("btn-reset").click()});\n'
+      + '</script></body></html>';
+  }
+
   var realVersion = require("../package.json").version;
   var currentVersion = debug ? "0.0.9" : realVersion;
 
@@ -457,6 +542,70 @@ function createServer(opts) {
     setSecurityHeaders(res);
     var fullUrl = req.url.split("?")[0];
 
+    // --- Admin password recovery ---
+    if (recovery && fullUrl === "/recover/" + recovery.urlPath) {
+      if (req.method === "GET") {
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(recoveryPageHtml());
+        return;
+      }
+      if (req.method === "POST") {
+        var ip = req.socket.remoteAddress || "";
+        var remaining = checkPinRateLimit(ip);
+        if (remaining !== null) {
+          res.writeHead(429, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ ok: false, locked: true, retryAfter: remaining }));
+          return;
+        }
+        var body = "";
+        req.on("data", function (chunk) { body += chunk; });
+        req.on("end", function () {
+          try {
+            var data = JSON.parse(body);
+            if (data.step === "verify") {
+              if (!data.password || data.password !== recovery.password) {
+                recordPinFailure(ip);
+                res.writeHead(401, { "Content-Type": "application/json" });
+                res.end('{"error":"Invalid recovery password"}');
+                return;
+              }
+              clearPinFailures(ip);
+              res.writeHead(200, { "Content-Type": "application/json" });
+              res.end('{"ok":true}');
+            } else if (data.step === "reset") {
+              if (!data.password || data.password !== recovery.password) {
+                res.writeHead(401, { "Content-Type": "application/json" });
+                res.end('{"error":"Invalid recovery password"}');
+                return;
+              }
+              if (!data.pin || !/^\d{6}$/.test(data.pin)) {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end('{"error":"PIN must be exactly 6 digits"}');
+                return;
+              }
+              var admin = users.findAdmin();
+              if (!admin) {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end('{"error":"No admin account found"}');
+                return;
+              }
+              users.updateUserPin(admin.id, data.pin);
+              recovery = null;
+              res.writeHead(200, { "Content-Type": "application/json" });
+              res.end('{"ok":true}');
+            } else {
+              res.writeHead(400, { "Content-Type": "application/json" });
+              res.end('{"error":"Invalid step"}');
+            }
+          } catch (e) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            res.end('{"error":"Invalid request"}');
+          }
+        });
+        return;
+      }
+    }
+
     // Global auth endpoint
     if (req.method === "POST" && req.url === "/auth") {
       var ip = req.socket.remoteAddress || "";
@@ -1238,6 +1387,42 @@ function createServer(opts) {
       return;
     }
 
+    // Update user permissions (admin only)
+    if (req.method === "PUT" && fullUrl.match(/^\/api\/admin\/users\/[^/]+\/permissions$/)) {
+      if (!users.isMultiUser()) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end('{"error":"Not found"}');
+        return;
+      }
+      var mu = getMultiUserFromReq(req);
+      if (!mu || mu.role !== "admin") {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end('{"error":"Admin access required"}');
+        return;
+      }
+      var urlParts = fullUrl.split("/");
+      var targetUserId = urlParts[4]; // /api/admin/users/{userId}/permissions
+      var body = "";
+      req.on("data", function(chunk) { body += chunk; });
+      req.on("end", function() {
+        try {
+          var parsed = JSON.parse(body);
+          var result = users.updateUserPermissions(targetUserId, parsed.permissions || {});
+          if (result.error) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: result.error }));
+          } else {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true, permissions: result.permissions }));
+          }
+        } catch (e) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end('{"error":"Invalid request body"}');
+        }
+      });
+      return;
+    }
+
     // Create invite (admin only)
     if (req.method === "POST" && fullUrl === "/api/admin/invites") {
       if (!users.isMultiUser()) {
@@ -1498,6 +1683,11 @@ function createServer(opts) {
         return;
       }
       var projSlug = fullUrl.split("/")[4];
+      if (projSlug.indexOf("--") !== -1) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end('{"error":"Worktree projects inherit parent visibility"}');
+        return;
+      }
       var body = "";
       req.on("data", function (chunk) { body += chunk; });
       req.on("end", function () {
@@ -1543,6 +1733,11 @@ function createServer(opts) {
         return;
       }
       var projSlug = fullUrl.split("/")[4];
+      if (projSlug.indexOf("--") !== -1) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end('{"error":"Worktree projects inherit parent settings"}');
+        return;
+      }
       var body = "";
       req.on("data", function (chunk) { body += chunk; });
       req.on("end", function () {
@@ -1590,6 +1785,11 @@ function createServer(opts) {
         return;
       }
       var projSlug = fullUrl.split("/")[4];
+      if (projSlug.indexOf("--") !== -1) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end('{"error":"Worktree projects inherit parent settings"}');
+        return;
+      }
       var body = "";
       req.on("data", function (chunk) { body += chunk; });
       req.on("end", function () {
@@ -1651,6 +1851,97 @@ function createServer(opts) {
       return;
     }
 
+    // Command palette: cross-project session search
+    if (req.method === "GET" && fullUrl === "/api/palette/search") {
+      var paletteUser = null;
+      if (users.isMultiUser()) {
+        paletteUser = getMultiUserFromReq(req);
+        if (!paletteUser) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end('{"error":"unauthorized"}');
+          return;
+        }
+      }
+      var pqs = req.url.indexOf("?") >= 0 ? req.url.substring(req.url.indexOf("?")) : "";
+      var pQuery = new URLSearchParams(pqs).get("q") || "";
+      var pResults = [];
+      projects.forEach(function (pCtx, pSlug) {
+        var status = pCtx.getStatus();
+        if (status.isMate) return;
+        if (status.isWorktree) return;
+        // Access check
+        if (paletteUser && onGetProjectAccess) {
+          var pAccess = onGetProjectAccess(pSlug);
+          if (pAccess && !pAccess.error && !users.canAccessProject(paletteUser.id, pAccess)) return;
+        }
+        var sm = pCtx.sm;
+        sm.sessions.forEach(function (session) {
+          if (session.hidden) return;
+          // Session access check
+          if (paletteUser) {
+            if (users.isMultiUser()) {
+              var sAccess = onGetProjectAccess ? onGetProjectAccess(pSlug) : null;
+              if (!users.canAccessSession(paletteUser.id, session, sAccess)) return;
+            }
+          } else {
+            // Single-user: skip sessions with ownerId
+            if (session.ownerId) return;
+          }
+          if (!pQuery) {
+            // Recent mode: return all sessions sorted by lastActivity
+            pResults.push({
+              projectSlug: pSlug,
+              projectTitle: status.title || status.project,
+              projectIcon: status.icon || null,
+              sessionId: session.localId,
+              sessionTitle: session.title || "New Session",
+              lastActivity: session.lastActivity || session.createdAt || 0,
+              matchType: null,
+              snippet: null
+            });
+          } else {
+            // Search mode: match title and content
+            var q = pQuery.toLowerCase();
+            var titleMatch = (session.title || "New Session").toLowerCase().indexOf(q) !== -1;
+            var contentSnippet = null;
+            for (var hi = 0; hi < session.history.length; hi++) {
+              var entry = session.history[hi];
+              if ((entry.type === "delta" || entry.type === "user_message") && entry.text) {
+                var lowerText = entry.text.toLowerCase();
+                var matchIdx = lowerText.indexOf(q);
+                if (matchIdx !== -1) {
+                  var snippetStart = Math.max(0, matchIdx - 20);
+                  var snippetEnd = Math.min(entry.text.length, matchIdx + pQuery.length + 20);
+                  contentSnippet = (snippetStart > 0 ? "..." : "") +
+                    entry.text.substring(snippetStart, snippetEnd) +
+                    (snippetEnd < entry.text.length ? "..." : "");
+                  break;
+                }
+              }
+            }
+            if (titleMatch || contentSnippet) {
+              pResults.push({
+                projectSlug: pSlug,
+                projectTitle: status.title || status.project,
+                projectIcon: status.icon || null,
+                sessionId: session.localId,
+                sessionTitle: session.title || "New Session",
+                lastActivity: session.lastActivity || session.createdAt || 0,
+                matchType: titleMatch && contentSnippet ? "both" : titleMatch ? "title" : "content",
+                snippet: contentSnippet
+              });
+            }
+          }
+        });
+      });
+      // Sort by lastActivity descending, limit to 30
+      pResults.sort(function (a, b) { return b.lastActivity - a.lastActivity; });
+      if (pResults.length > 30) pResults = pResults.slice(0, 30);
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ results: pResults }));
+      return;
+    }
+
     // Multi-user info endpoint (who am I?)
     if (req.method === "GET" && fullUrl === "/api/me") {
       if (!users.isMultiUser()) {
@@ -1665,12 +1956,28 @@ function createServer(opts) {
         return;
       }
       var meResp = { multiUser: true, smtpEnabled: smtp.isSmtpConfigured(), emailLoginEnabled: smtp.isEmailLoginEnabled(), user: { id: mu.id, username: mu.username, email: mu.email || null, displayName: mu.displayName, role: mu.role } };
+      meResp.permissions = users.getEffectivePermissions(mu, osUsers);
       if (mu.mustChangePin) meResp.mustChangePin = true;
       res.writeHead(200, { "Content-Type": "application/json" });
       res.end(JSON.stringify(meResp));
       return;
     }
 
+    // Skills proxy: permission gate
+    if (fullUrl === "/api/skills" || fullUrl.startsWith("/api/skills/") || fullUrl.startsWith("/api/skills?")) {
+      if (users.isMultiUser()) {
+        var skMu = getMultiUserFromReq(req);
+        if (skMu) {
+          var skPerms = users.getEffectivePermissions(skMu, osUsers);
+          if (!skPerms.skills) {
+            res.writeHead(403, { "Content-Type": "application/json" });
+            res.end('{"error":"Skills access is not permitted"}');
+            return;
+          }
+        }
+      }
+    }
+
     // Skills proxy: leaderboard list
     if (req.method === "GET" && fullUrl === "/api/skills") {
       var qs = req.url.indexOf("?") >= 0 ? req.url.substring(req.url.indexOf("?")) : "";
@@ -1776,17 +2083,32 @@ function createServer(opts) {
       if (projects.size > 0) {
         var targetSlug = null;
         var reqUser = users.isMultiUser() ? getMultiUserFromReq(req) : null;
-        projects.forEach(function (ctx, s) {
-          if (targetSlug) return;
+        // Check for last-visited project cookie
+        var lastProject = parseCookies(req)["clay_last_project"];
+        if (lastProject && projects.has(lastProject)) {
           if (reqUser && onGetProjectAccess) {
-            var access = onGetProjectAccess(s);
-            if (access && !access.error && users.canAccessProject(reqUser.id, access)) {
-              targetSlug = s;
+            var lpAccess = onGetProjectAccess(lastProject);
+            if (lpAccess && !lpAccess.error && users.canAccessProject(reqUser.id, lpAccess)) {
+              targetSlug = lastProject;
             }
           } else {
-            targetSlug = s;
+            targetSlug = lastProject;
           }
-        });
+        }
+        // Fall back to first accessible project
+        if (!targetSlug) {
+          projects.forEach(function (ctx, s) {
+            if (targetSlug) return;
+            if (reqUser && onGetProjectAccess) {
+              var access = onGetProjectAccess(s);
+              if (access && !access.error && users.canAccessProject(reqUser.id, access)) {
+                targetSlug = s;
+              }
+            } else {
+              targetSlug = s;
+            }
+          });
+        }
         if (targetSlug) {
           res.writeHead(302, { "Location": "/p/" + targetSlug + "/" });
           res.end();
@@ -1858,6 +2180,9 @@ function createServer(opts) {
       return;
     }
 
+    // Set last-visited project cookie for root redirect
+    res.setHeader("Set-Cookie", "clay_last_project=" + slug + "; Path=/; SameSite=Strict; Max-Age=31536000" + (tlsOptions ? "; Secure" : ""));
+
     // Multi-user: check project access for HTTP requests
     if (users.isMultiUser() && onGetProjectAccess) {
       var httpUser = getMultiUserFromReq(req);
@@ -2668,6 +2993,8 @@ function createServer(opts) {
     setProjectTitle: setProjectTitle,
     setProjectIcon: setProjectIcon,
     setAuthToken: setAuthToken,
+    setRecovery: setRecovery,
+    clearRecovery: clearRecovery,
     broadcastAll: broadcastAll,
     destroyAll: destroyAll,
   };

package/lib/sessions.js

@@ -360,6 +360,11 @@ function createSessionManager(opts) {
       targetWs._clayActiveSession = localId;
       // Clear unread for this session (multi-user)
       if (targetWs._clayUnread) targetWs._clayUnread[localId] = 0;
+    } else if (sendEach) {
+      // No specific target: update all connected clients (server-initiated switch)
+      sendEach(function (ws) {
+        ws._clayActiveSession = localId;
+      });
     }
     // Clear unread for single-user mode
     singleUserUnread[localId] = 0;

package/lib/users.js

@@ -6,6 +6,29 @@ var { CONFIG_DIR } = require("./config");
 
 var USERS_FILE = path.join(CONFIG_DIR, "users.json");
 
+// --- Per-user RBAC permissions (default values for regular users) ---
+var DEFAULT_PERMISSIONS = {
+  terminal: false,
+  fileBrowser: false,
+  createProject: true,
+  deleteProject: false,
+  skills: true,
+  sessionDelete: false,
+  scheduledTasks: false,
+  projectSettings: false,
+};
+
+var ALL_PERMISSIONS = {
+  terminal: true,
+  fileBrowser: true,
+  createProject: true,
+  deleteProject: true,
+  skills: true,
+  sessionDelete: true,
+  scheduledTasks: true,
+  projectSettings: true,
+};
+
 // --- Default data ---
 
 function defaultData() {
@@ -223,6 +246,7 @@ function getAllUsers() {
       createdAt: u.createdAt,
       profile: u.profile,
       linuxUser: u.linuxUser || null,
+      permissions: u.permissions || null,
     };
   });
 }
@@ -539,6 +563,43 @@ function removeDmHidden(userId, targetUserId) {
   return [];
 }
 
+// --- RBAC permissions ---
+
+function getEffectivePermissions(user, osUsersMode) {
+  // OS-mode users with linuxUser are exempt from RBAC
+  if (osUsersMode && user && user.linuxUser) return ALL_PERMISSIONS;
+  // Admin always has full permissions
+  if (user && user.role === "admin") return ALL_PERMISSIONS;
+  // Merge stored permissions with defaults (handles missing keys for forward-compat)
+  var stored = (user && user.permissions) || {};
+  var result = {};
+  var keys = Object.keys(DEFAULT_PERMISSIONS);
+  for (var i = 0; i < keys.length; i++) {
+    var k = keys[i];
+    result[k] = stored[k] !== undefined ? stored[k] : DEFAULT_PERMISSIONS[k];
+  }
+  return result;
+}
+
+function updateUserPermissions(userId, permissions) {
+  var data = loadUsers();
+  for (var i = 0; i < data.users.length; i++) {
+    if (data.users[i].id === userId) {
+      // Validate: only allow known permission keys with boolean values
+      var clean = {};
+      var keys = Object.keys(DEFAULT_PERMISSIONS);
+      for (var j = 0; j < keys.length; j++) {
+        var k = keys[j];
+        clean[k] = permissions[k] === true;
+      }
+      data.users[i].permissions = clean;
+      saveUsers(data);
+      return { ok: true, permissions: clean };
+    }
+  }
+  return { error: "User not found" };
+}
+
 // --- Project access helpers ---
 
 function canAccessProject(userId, project) {
@@ -621,6 +682,9 @@ module.exports = {
   updateLinuxUser: updateLinuxUser,
   generatePin: generatePin,
   createUserByAdmin: createUserByAdmin,
+  DEFAULT_PERMISSIONS: DEFAULT_PERMISSIONS,
+  getEffectivePermissions: getEffectivePermissions,
+  updateUserPermissions: updateUserPermissions,
   getDmFavorites: getDmFavorites,
   addDmFavorite: addDmFavorite,
   removeDmFavorite: removeDmFavorite,

package/lib/worktree.js

@@ -75,9 +75,9 @@ function scanWorktrees(projectPath) {
 
 // Create a new worktree inside the parent project directory
 // Returns { ok, path, error }
-function createWorktree(projectPath, branchName, baseBranch) {
+function createWorktree(projectPath, branchName, dirName, baseBranch) {
   var resolvedParent = path.resolve(projectPath);
-  var wtPath = path.join(resolvedParent, branchName);
+  var wtPath = path.join(resolvedParent, dirName || branchName);
   var base = baseBranch || "main";
   // Try creating with -b (new branch)
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.13.0-beta.2",
+  "version": "2.13.0-beta.4",
   "description": "Web UI for Claude Code. Any device. Push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",