clay-server 2.13.0-beta.3 → 2.13.0-beta.5

package/bin/cli.js

@@ -32,6 +32,7 @@ if (_isDev || process.argv.includes("--debug")) {
   console.clear = function() {};
 }
 
+var crypto = require("crypto");
 var { loadConfig, saveConfig, configPath, socketPath, logPath, ensureConfigDir, isDaemonAlive, isDaemonAliveAsync, generateSlug, clearStaleConfig, loadClayrc, saveClayrc, readCrashInfo } = require("../lib/config");
 var { sendIPCCommand } = require("../lib/ipc");
 var { generateAuthToken } = require("../lib/server");
@@ -2450,6 +2451,9 @@ function showSettingsMenu(config, ip) {
     } else {
       items.push({ label: "Enable multi-user mode", value: "multi_user" });
     }
+    if (muEnabled && hasAdmin()) {
+      items.push({ label: "Recover admin password", value: "recover_admin" });
+    }
     if (process.platform === "darwin") {
       items.push({ label: isAwake ? "Disable keep awake" : "Enable keep awake", value: "awake" });
     }
@@ -2744,6 +2748,48 @@ function showSettingsMenu(config, ip) {
         });
         break;
 
+      case "recover_admin": {
+        var recoveryUrlPath = crypto.randomBytes(16).toString("hex");
+        var recoveryPassword = crypto.randomBytes(8).toString("base64url");
+        sendIPCCommand(socketPath(), { cmd: "enable_recovery", urlPath: recoveryUrlPath, password: recoveryPassword }).then(function (res) {
+          if (!res.ok) {
+            log(sym.bar + "  " + a.red + "Failed to enable recovery mode." + a.reset);
+            log(sym.bar);
+            showSettingsMenu(config, ip);
+            return;
+          }
+          var protocol = config.tls ? "https" : "http";
+          var recoveryUrl = protocol + "://" + ip + ":" + config.port + "/recover/" + recoveryUrlPath;
+          log(sym.bar);
+          log(sym.bar + "  " + a.yellow + sym.warn + " Admin Password Recovery" + a.reset);
+          log(sym.bar);
+          log(sym.bar + "  " + a.dim + "Recovery URL:" + a.reset);
+          log(sym.bar + "  " + a.bold + recoveryUrl + a.reset);
+          log(sym.bar);
+          log(sym.bar + "  " + a.dim + "Recovery password:" + a.reset);
+          log(sym.bar + "  " + a.bold + recoveryPassword + a.reset);
+          log(sym.bar);
+          log(sym.bar + "  " + a.dim + "Open the URL in a browser and enter the password above." + a.reset);
+          log(sym.bar + "  " + a.dim + "This link is single-use and will expire when the PIN is reset." + a.reset);
+          log(sym.bar);
+          promptSelect("Done?", [
+            { label: "Disable recovery link", value: "disable" },
+            { label: "Back (keep link active)", value: "back" },
+          ], function (rc) {
+            if (rc === "disable") {
+              sendIPCCommand(socketPath(), { cmd: "disable_recovery" }).then(function () {
+                log(sym.done + "  " + a.dim + "Recovery link disabled." + a.reset);
+                log("");
+                showSettingsMenu(config, ip);
+              });
+            } else {
+              showSettingsMenu(config, ip);
+            }
+          });
+        });
+        break;
+      }
+
       case "back":
         showMainMenu(config, ip);
         break;

package/lib/daemon.js

@@ -793,7 +793,7 @@ var relay = createServer({
     if (!config.osUsers || !linuxUser) return;
     deactivateLinuxUser(linuxUser);
   },
-  onCreateWorktree: function (parentSlug, branchName, baseBranch) {
+  onCreateWorktree: function (parentSlug, branchName, dirName, baseBranch) {
     // Find the parent project
     var parent = null;
     for (var j = 0; j < config.projects.length; j++) {
@@ -801,10 +801,10 @@ var relay = createServer({
     }
     if (!parent) return { ok: false, error: "Parent project not found" };
     if (isWorktree(parent.path)) return { ok: false, error: "Cannot create worktrees from a worktree project" };
-    var result = createWorktree(parent.path, branchName, baseBranch);
+    var result = createWorktree(parent.path, branchName, dirName, baseBranch);
     if (!result.ok) return result;
     // Register the new worktree as ephemeral project
-    var wtSlug = parentSlug + "--" + branchName;
+    var wtSlug = parentSlug + "--" + dirName;
     var wtMeta = { parentSlug: parentSlug, branch: branchName, accessible: true };
     relay.addProject(result.path, wtSlug, branchName, parent.icon, parent.ownerId, wtMeta);
     if (!worktreeRegistry[parentSlug]) worktreeRegistry[parentSlug] = [];
@@ -1124,6 +1124,19 @@ var ipc = createIPCServer(socketPath(), function (msg) {
       return { ok: true };
     }
 
+    case "enable_recovery": {
+      if (!msg.urlPath || !msg.password) return { ok: false, error: "missing urlPath or password" };
+      relay.setRecovery(msg.urlPath, msg.password);
+      console.log("[daemon] Admin recovery mode enabled");
+      return { ok: true };
+    }
+
+    case "disable_recovery": {
+      relay.clearRecovery();
+      console.log("[daemon] Admin recovery mode disabled");
+      return { ok: true };
+    }
+
     case "shutdown":
       console.log("[daemon] Shutdown requested via IPC");
       gracefulShutdown();

package/lib/notes.js

@@ -67,7 +67,7 @@ function createNotesManager(opts) {
   function update(id, changes) {
     for (var i = 0; i < notes.length; i++) {
       if (notes[i].id === id) {
-        var allowed = ["text", "x", "y", "w", "h", "color", "minimized", "hidden", "zIndex"];
+        var allowed = ["text", "x", "y", "w", "h", "color", "minimized", "hidden", "zIndex", "opacity"];
         for (var j = 0; j < allowed.length; j++) {
           var key = allowed[j];
           if (changes[key] !== undefined) {

package/lib/project.js

@@ -626,13 +626,12 @@ function createProjectContext(opts) {
         console.log("[loop-registry] Schedule triggered: " + record.name + " → linked task " + loopId);
       }
 
-      // Verify the loop directory and files exist
+      // Verify the loop directory and PROMPT.md exist
       var recDir = path.join(cwd, ".claude", "loops", loopId);
       try {
         fs.accessSync(path.join(recDir, "PROMPT.md"));
-        fs.accessSync(path.join(recDir, "JUDGE.md"));
       } catch (e) {
-        console.error("[loop-registry] Loop files missing for " + loopId);
+        console.error("[loop-registry] PROMPT.md missing for " + loopId);
         return;
       }
       // Set the loopId and start
@@ -675,8 +674,7 @@ function createProjectContext(opts) {
     try {
       judgeText = fs.readFileSync(judgePath, "utf8");
     } catch (e) {
-      send({ type: "loop_error", text: "Missing JUDGE.md in " + dir });
-      return;
+      judgeText = null;
     }
 
     var baseCommit;
@@ -700,7 +698,7 @@ function createProjectContext(opts) {
     loopState.promptText = promptText;
     loopState.judgeText = judgeText;
     loopState.iteration = 0;
-    loopState.maxIterations = loopConfig.maxIterations || loopOpts.maxIterations || 20;
+    loopState.maxIterations = judgeText ? (loopConfig.maxIterations || loopOpts.maxIterations || 20) : 1;
     loopState.baseCommit = baseCommit;
     loopState.currentSessionId = null;
     loopState.judgeSessionId = null;
@@ -747,7 +745,11 @@ function createProjectContext(opts) {
       sessionId: session.localId,
     });
 
+    var coderCompleted = false;
     session.onQueryComplete = function(completedSession) {
+      if (coderCompleted) return;
+      coderCompleted = true;
+      if (coderWatchdog) { clearTimeout(coderWatchdog); coderWatchdog = null; }
       console.log("[ralph-loop] Coder #" + loopState.iteration + " onQueryComplete fired, history length: " + completedSession.history.length);
       if (!loopState.active) { console.log("[ralph-loop] Coder: loopState.active is false, skipping"); return; }
       // Check if session ended with error
@@ -774,9 +776,33 @@ function createProjectContext(opts) {
         setTimeout(function() { runNextIteration(); }, 2000);
         return;
       }
-      runJudge();
+      if (loopState.judgeText) {
+        runJudge();
+      } else {
+        finishLoop("pass");
+      }
     };
 
+    // Watchdog: if onQueryComplete hasn't fired after 10 minutes, force error and retry
+    var coderWatchdog = setTimeout(function() {
+      if (!coderCompleted && loopState.active && !loopState.stopping) {
+        console.error("[ralph-loop] Coder #" + loopState.iteration + " watchdog triggered — onQueryComplete never fired");
+        coderCompleted = true;
+        loopState.results.push({
+          iteration: loopState.iteration,
+          verdict: "error",
+          summary: "Coder session timed out (no completion signal)",
+        });
+        send({
+          type: "loop_verdict",
+          iteration: loopState.iteration,
+          verdict: "error",
+          summary: "Coder session timed out, retrying...",
+        });
+        setTimeout(function() { runNextIteration(); }, 2000);
+      }
+    }, 10 * 60 * 1000);
+
     var userMsg = { type: "user_message", text: loopState.promptText };
     session.history.push(userMsg);
     sm.appendToSessionFile(session, userMsg);
@@ -835,7 +861,11 @@ function createProjectContext(opts) {
       sessionId: judgeSession.localId,
     });
 
+    var judgeCompleted = false;
     judgeSession.onQueryComplete = function(completedSession) {
+      if (judgeCompleted) return;
+      judgeCompleted = true;
+      if (judgeWatchdog) { clearTimeout(judgeWatchdog); judgeWatchdog = null; }
       console.log("[ralph-loop] Judge #" + loopState.iteration + " onQueryComplete fired, history length: " + completedSession.history.length);
       var verdict = parseJudgeVerdict(completedSession);
       console.log("[ralph-loop] Judge verdict: " + (verdict.pass ? "PASS" : "FAIL") + " - " + verdict.explanation);
@@ -860,6 +890,26 @@ function createProjectContext(opts) {
       }
     };
 
+    // Watchdog: judge should complete quickly (no tool use), 3 minutes is generous
+    var judgeWatchdog = setTimeout(function() {
+      if (!judgeCompleted && loopState.active && !loopState.stopping) {
+        console.error("[ralph-loop] Judge #" + loopState.iteration + " watchdog triggered — onQueryComplete never fired");
+        judgeCompleted = true;
+        loopState.results.push({
+          iteration: loopState.iteration,
+          verdict: "error",
+          summary: "Judge session timed out (no completion signal)",
+        });
+        send({
+          type: "loop_verdict",
+          iteration: loopState.iteration,
+          verdict: "error",
+          summary: "Judge session timed out, retrying...",
+        });
+        setTimeout(function() { runNextIteration(); }, 2000);
+      }
+    }, 3 * 60 * 1000);
+
     var userMsg = { type: "user_message", text: judgePrompt };
     judgeSession.history.push(userMsg);
     sm.appendToSessionFile(judgeSession, userMsg);
@@ -1461,6 +1511,13 @@ function createProjectContext(opts) {
     }
 
     if (msg.type === "delete_session") {
+      if (ws._clayUser) {
+        var sdPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!sdPerms.sessionDelete) {
+          sendTo(ws, { type: "error", text: "You do not have permission to delete sessions" });
+          return;
+        }
+      }
       if (msg.id && sm.sessions.has(msg.id)) {
         sm.deleteSession(msg.id, ws);
       }
@@ -1781,7 +1838,8 @@ function createProjectContext(opts) {
               session.messageUUIDs = session.messageUUIDs.slice(0, targetIdx);
             }
 
-            session.lastRewindUuid = msg.uuid;
+            var kept = session.messageUUIDs;
+            session.lastRewindUuid = kept.length > 0 ? kept[kept.length - 1].uuid : null;
           }
 
           if (session.abortController) {
@@ -1893,6 +1951,7 @@ function createProjectContext(opts) {
       var pending = session.pendingPermissions[requestId];
       if (!pending) return;
       delete session.pendingPermissions[requestId];
+      onProcessingChanged(); // update cross-project permission badge
 
       // --- Plan approval: "allow_accept_edits" — approve + switch to acceptEdits mode ---
       if (decision === "allow_accept_edits") {
@@ -2103,6 +2162,15 @@ function createProjectContext(opts) {
     }
 
     // --- Create new empty project ---
+    if (msg.type === "create_project" || msg.type === "clone_project") {
+      if (ws._clayUser) {
+        var cpPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!cpPerms.createProject) {
+          sendTo(ws, { type: "add_project_result", ok: false, error: "You do not have permission to create projects" });
+          return;
+        }
+      }
+    }
     if (msg.type === "create_project") {
       var createName = (msg.name || "").trim();
       if (!createName || !/^[a-zA-Z0-9_-]+$/.test(createName)) {
@@ -2139,13 +2207,14 @@ function createProjectContext(opts) {
     // --- Create worktree from web UI ---
     if (msg.type === "create_worktree") {
       var wtBranch = (msg.branch || "").trim();
+      var wtDirName = (msg.dirName || "").trim() || wtBranch.replace(/\//g, "-");
       var wtBase = (msg.baseBranch || "").trim() || null;
       if (!wtBranch || !/^[a-zA-Z0-9_\/.@-]+$/.test(wtBranch)) {
         sendTo(ws, { type: "create_worktree_result", ok: false, error: "Invalid branch name" });
         return;
       }
       if (typeof onCreateWorktree === "function") {
-        var wtResult = onCreateWorktree(slug, wtBranch, wtBase);
+        var wtResult = onCreateWorktree(slug, wtBranch, wtDirName, wtBase);
         sendTo(ws, { type: "create_worktree_result", ok: wtResult.ok, slug: wtResult.slug, error: wtResult.error });
       } else {
         sendTo(ws, { type: "create_worktree_result", ok: false, error: "Not supported" });
@@ -2167,6 +2236,13 @@ function createProjectContext(opts) {
 
     // --- Remove project from web UI ---
     if (msg.type === "remove_project") {
+      if (ws._clayUser) {
+        var dpPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!dpPerms.deleteProject) {
+          sendTo(ws, { type: "remove_project_result", ok: false, error: "You do not have permission to delete projects" });
+          return;
+        }
+      }
       var removeSlug = msg.slug;
       if (!removeSlug) {
         sendTo(ws, { type: "remove_project_result", ok: false, error: "Missing slug" });
@@ -2310,6 +2386,15 @@ function createProjectContext(opts) {
     }
 
     // --- File browser ---
+    if (msg.type === "fs_list" || msg.type === "fs_read" || msg.type === "fs_write" || msg.type === "fs_delete" || msg.type === "fs_rename" || msg.type === "fs_mkdir" || msg.type === "fs_upload") {
+      if (ws._clayUser) {
+        var fbPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!fbPerms.fileBrowser) {
+          sendTo(ws, { type: msg.type + "_result", error: "File browser access is not permitted" });
+          return;
+        }
+      }
+    }
     if (msg.type === "fs_list") {
       var fsDir = safePath(cwd, msg.path || ".");
       if (!fsDir) {
@@ -2418,6 +2503,20 @@ function createProjectContext(opts) {
       return;
     }
 
+    // --- Project settings permission gate ---
+    if (msg.type === "get_project_env" || msg.type === "set_project_env" ||
+        msg.type === "read_global_claude_md" || msg.type === "write_global_claude_md" ||
+        msg.type === "get_shared_env" || msg.type === "set_shared_env" ||
+        msg.type === "transfer_project_owner") {
+      if (ws._clayUser) {
+        var psPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!psPerms.projectSettings) {
+          sendTo(ws, { type: "error", text: "Project settings access is not permitted" });
+          return;
+        }
+      }
+    }
+
     // --- Project environment variables ---
     if (msg.type === "get_project_env") {
       var envrc = "";
@@ -2735,6 +2834,13 @@ function createProjectContext(opts) {
 
     // --- Web terminal ---
     if (msg.type === "term_create") {
+      if (ws._clayUser) {
+        var termPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!termPerms.terminal) {
+          sendTo(ws, { type: "term_error", error: "Terminal access is not permitted" });
+          return;
+        }
+      }
       var t = tm.create(msg.cols || 80, msg.rows || 24, getOsUserInfoForWs(ws));
       if (!t) {
         sendTo(ws, { type: "term_error", error: "Cannot create terminal (node-pty not available or limit reached)" });
@@ -2784,6 +2890,20 @@ function createProjectContext(opts) {
       return;
     }
 
+    // --- Scheduled tasks permission gate ---
+    if (msg.type === "loop_start" || msg.type === "loop_stop" || msg.type === "loop_registry_files" ||
+        msg.type === "loop_registry_list" || msg.type === "loop_registry_update" || msg.type === "loop_registry_rename" ||
+        msg.type === "loop_registry_remove" || msg.type === "loop_registry_convert" || msg.type === "loop_registry_toggle" ||
+        msg.type === "loop_registry_rerun" || msg.type === "schedule_create" || msg.type === "schedule_move") {
+      if (ws._clayUser) {
+        var schPerms = usersModule.getEffectivePermissions(ws._clayUser, osUsers);
+        if (!schPerms.scheduledTasks) {
+          sendTo(ws, { type: "error", text: "Scheduled tasks access is not permitted" });
+          return;
+        }
+      }
+    }
+
     if (msg.type === "loop_start") {
       // If this loop has a cron schedule, don't run immediately — just confirm registration
       if (loopState.wizardData && loopState.wizardData.cron) {
@@ -2840,7 +2960,39 @@ function createProjectContext(opts) {
       fs.writeFileSync(tmpLoopJson, JSON.stringify({ maxIterations: maxIter }, null, 2));
       fs.renameSync(tmpLoopJson, loopJsonPath);
 
-      // Assemble prompt for clay-ralph skill (include loop dir path so skill knows where to write)
+      var craftName = (loopState.wizardData && loopState.wizardData.name) || "";
+      var isRalphCraft = recordSource === "ralph";
+
+      // User provided their own PROMPT.md (and optionally JUDGE.md)
+      if (wData.mode === "own" && wData.promptText) {
+        // Write PROMPT.md
+        var promptPath = path.join(lDir, "PROMPT.md");
+        var tmpPrompt = promptPath + ".tmp";
+        fs.writeFileSync(tmpPrompt, wData.promptText);
+        fs.renameSync(tmpPrompt, promptPath);
+
+        if (wData.judgeText) {
+          // Both provided: write JUDGE.md too
+          var judgePath = path.join(lDir, "JUDGE.md");
+          var tmpJudge = judgePath + ".tmp";
+          fs.writeFileSync(tmpJudge, wData.judgeText);
+          fs.renameSync(tmpJudge, judgePath);
+        } else {
+          // No judge: force single iteration
+          var singleJson = loopJsonPath + ".tmp2";
+          fs.writeFileSync(singleJson, JSON.stringify({ maxIterations: 1 }, null, 2));
+          fs.renameSync(singleJson, loopJsonPath);
+        }
+
+        // Go straight to approval (no crafting needed)
+        loopState.phase = "approval";
+        saveLoopState();
+        send({ type: "ralph_phase", phase: "approval", wizardData: loopState.wizardData });
+        send({ type: "ralph_files_status", promptReady: true, judgeReady: !!wData.judgeText, bothReady: !!wData.judgeText });
+        return;
+      }
+
+      // Default: "draft" mode — Clay crafts both PROMPT.md and JUDGE.md
       var craftingPrompt = "Use the /clay-ralph skill to design a Ralph Loop for the following task. " +
         "You MUST invoke the clay-ralph skill — do NOT execute the task yourself. " +
         "Your job is to interview me, then create PROMPT.md and JUDGE.md files " +
@@ -2850,11 +3002,9 @@ function createProjectContext(opts) {
 
       // Create a new session for crafting
       var craftingSession = sm.createSession();
-      var craftName = (loopState.wizardData && loopState.wizardData.name) || "";
-      var isRalphCraft = recordSource === "ralph";
       craftingSession.title = (isRalphCraft ? "Ralph" : "Task") + (craftName ? " " + craftName : "") + " Crafting";
       craftingSession.ralphCraftingMode = true;
-      craftingSession.loop = { active: true, iteration: 0, role: "crafting", loopId: newLoopId, name: craftName, source: recordSource };
+      craftingSession.loop = { active: true, iteration: 0, role: "crafting", loopId: newLoopId, name: craftName, source: recordSource, startedAt: loopState.startedAt };
       sm.saveSessionFile(craftingSession);
       sm.switchSession(craftingSession.localId);
       loopState.craftingSessionId = craftingSession.localId;
@@ -3047,9 +3197,8 @@ function createProjectContext(opts) {
       var rerunDir = path.join(cwd, ".claude", "loops", rerunRec.id);
       try {
         fs.accessSync(path.join(rerunDir, "PROMPT.md"));
-        fs.accessSync(path.join(rerunDir, "JUDGE.md"));
       } catch (e) {
-        sendTo(ws, { type: "loop_registry_error", text: "Loop files missing for " + rerunRec.id });
+        sendTo(ws, { type: "loop_registry_error", text: "PROMPT.md missing for " + rerunRec.id });
         return;
       }
       loopState.loopId = rerunRec.id;
@@ -3304,6 +3453,18 @@ function createProjectContext(opts) {
       return true;
     }
 
+    // Skills permission gate
+    if (urlPath === "/api/install-skill" || urlPath === "/api/uninstall-skill" || urlPath === "/api/installed-skills") {
+      if (req._clayUser) {
+        var skPerms = usersModule.getEffectivePermissions(req._clayUser, osUsers);
+        if (!skPerms.skills) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end('{"error":"Skills access is not permitted"}');
+          return true;
+        }
+      }
+    }
+
     // Install a skill (background spawn)
     if (req.method === "POST" && urlPath === "/api/install-skill") {
       parseJsonBody(req).then(function (body) {
@@ -3453,20 +3614,24 @@ function createProjectContext(opts) {
             var mdContent = fs.readFileSync(mdPath, "utf8");
             var desc = "";
             // Parse YAML frontmatter for description
+            var version = "";
             if (mdContent.startsWith("---")) {
               var endIdx = mdContent.indexOf("---", 3);
               if (endIdx !== -1) {
                 var frontmatter = mdContent.substring(3, endIdx);
                 var descMatch = frontmatter.match(/^description:\s*(.+)/m);
                 if (descMatch) desc = descMatch[1].trim();
+                var verMatch = frontmatter.match(/version:\s*"?([^"\n]+)"?/m);
+                if (verMatch) version = verMatch[1].trim();
               }
             }
             if (!installed[ent.name]) {
-              installed[ent.name] = { scope: scanDirs[sd].scope, description: desc, path: path.join(scanDirs[sd].dir, ent.name) };
+              installed[ent.name] = { scope: scanDirs[sd].scope, description: desc, version: version, path: path.join(scanDirs[sd].dir, ent.name) };
             } else {
               // project-level adds to existing global entry
               installed[ent.name].scope = "both";
               if (desc && !installed[ent.name].description) installed[ent.name].description = desc;
+              if (version && !installed[ent.name].version) installed[ent.name].version = version;
             }
           } catch (e) {}
         }
@@ -3476,6 +3641,110 @@ function createProjectContext(opts) {
       return true;
     }
 
+    // Check skill updates (compare installed vs remote versions)
+    if (req.method === "POST" && urlPath === "/api/check-skill-updates") {
+      parseJsonBody(req).then(function (body) {
+        var skills = body.skills; // [{ name, url, scope }]
+        if (!Array.isArray(skills) || skills.length === 0) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end('{"error":"missing skills array"}');
+          return;
+        }
+        // Read installed versions
+        var globalSkillsDir = path.join(os.homedir(), ".claude", "skills");
+        var projectSkillsDir = path.join(cwd, ".claude", "skills");
+        var results = [];
+        var pending = skills.length;
+
+        function parseVersionFromSkillMd(content) {
+          if (!content || !content.startsWith("---")) return "";
+          var endIdx = content.indexOf("---", 3);
+          if (endIdx === -1) return "";
+          var fm = content.substring(3, endIdx);
+          var m = fm.match(/version:\s*"?([^"\n]+)"?/m);
+          return m ? m[1].trim() : "";
+        }
+
+        function getInstalledVersion(name) {
+          var dirs = [path.join(globalSkillsDir, name, "SKILL.md"), path.join(projectSkillsDir, name, "SKILL.md")];
+          for (var d = 0; d < dirs.length; d++) {
+            try {
+              var c = fs.readFileSync(dirs[d], "utf8");
+              var v = parseVersionFromSkillMd(c);
+              if (v) return v;
+            } catch (e) {}
+          }
+          return "";
+        }
+
+        function compareVersions(a, b) {
+          // returns -1 if a < b, 0 if equal, 1 if a > b
+          if (!a && !b) return 0;
+          if (!a) return -1;
+          if (!b) return 1;
+          var pa = a.split(".").map(Number);
+          var pb = b.split(".").map(Number);
+          for (var i = 0; i < Math.max(pa.length, pb.length); i++) {
+            var va = pa[i] || 0;
+            var vb = pb[i] || 0;
+            if (va < vb) return -1;
+            if (va > vb) return 1;
+          }
+          return 0;
+        }
+
+        function finishOne() {
+          pending--;
+          if (pending === 0) {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ results: results }));
+          }
+        }
+
+        for (var si = 0; si < skills.length; si++) {
+          (function (skill) {
+            var installedVer = getInstalledVersion(skill.name);
+            var installed = !!installedVer;
+            // Convert GitHub repo URL to raw SKILL.md URL
+            var rawUrl = "";
+            var ghMatch = skill.url.match(/github\.com\/([^/]+)\/([^/]+)/);
+            if (ghMatch) {
+              rawUrl = "https://raw.githubusercontent.com/" + ghMatch[1] + "/" + ghMatch[2] + "/main/SKILL.md";
+            }
+            if (!rawUrl) {
+              results.push({ name: skill.name, installed: installed, installedVersion: installedVer, remoteVersion: "", status: installed ? "ok" : "missing" });
+              finishOne();
+              return;
+            }
+            // Fetch remote SKILL.md
+            var https = require("https");
+            https.get(rawUrl, function (resp) {
+              var data = "";
+              resp.on("data", function (chunk) { data += chunk; });
+              resp.on("end", function () {
+                var remoteVer = parseVersionFromSkillMd(data);
+                var status = "ok";
+                if (!installed) {
+                  status = "missing";
+                } else if (remoteVer && compareVersions(installedVer, remoteVer) < 0) {
+                  status = "outdated";
+                }
+                results.push({ name: skill.name, installed: installed, installedVersion: installedVer, remoteVersion: remoteVer, status: status });
+                finishOne();
+              });
+            }).on("error", function () {
+              results.push({ name: skill.name, installed: installed, installedVersion: installedVer, remoteVersion: "", status: installed ? "ok" : "missing" });
+              finishOne();
+            });
+          })(skills[si]);
+        }
+      }).catch(function () {
+        res.writeHead(400);
+        res.end("Bad request");
+      });
+      return true;
+    }
+
     // Git dirty check
     if (req.method === "GET" && urlPath === "/api/git-dirty") {
       var execSync = require("child_process").execSync;
@@ -3560,8 +3829,12 @@ function createProjectContext(opts) {
   function getStatus() {
     var sessionCount = sm.sessions.size;
     var hasProcessing = false;
+    var pendingPermCount = 0;
     sm.sessions.forEach(function (s) {
       if (s.isProcessing) hasProcessing = true;
+      if (s.pendingPermissions) {
+        pendingPermCount += Object.keys(s.pendingPermissions).length;
+      }
     });
     var status = {
       slug: slug,
@@ -3572,6 +3845,7 @@ function createProjectContext(opts) {
       clients: clients.size,
       sessions: sessionCount,
       isProcessing: hasProcessing,
+      pendingPermissions: pendingPermCount,
       projectOwnerId: projectOwnerId,
     };
     if (isMate) {