clay-server 2.24.4-beta.1 → 2.25.0-beta.1

package/lib/project.js

@@ -90,6 +90,18 @@ function safePath(base, requested) {
   }
 }
 
+// Resolve an absolute path without requiring it to be within cwd.
+// Used as fallback in OS user mode where ACL enforces access at the OS level.
+function safeAbsPath(requested) {
+  if (!requested) return null;
+  var resolved = path.resolve(requested);
+  try {
+    return fs.realpathSync(resolved);
+  } catch (e) {
+    return null;
+  }
+}
+
 /**
  * Create a project context — per-project state and handlers.
  * opts: { cwd, slug, title, pushModule, debug, dangerouslySkipPermissions, currentVersion }
@@ -1758,7 +1770,8 @@ function createProjectContext(opts) {
     }
 
     if (msg.type === "push_subscribe") {
-      if (pushModule && msg.subscription) pushModule.addSubscription(msg.subscription, msg.replaceEndpoint);
+      var _pushUserId = ws._clayUser ? ws._clayUser.id : null;
+      if (pushModule && msg.subscription) pushModule.addSubscription(msg.subscription, msg.replaceEndpoint, _pushUserId);
       return;
     }
 
@@ -2832,6 +2845,10 @@ function createProjectContext(opts) {
     }
     if (msg.type === "fs_list") {
       var fsDir = safePath(cwd, msg.path || ".");
+      // In OS user mode, fall back to absolute path resolution (ACL enforces access)
+      if (!fsDir && getOsUserInfoForWs(ws)) {
+        fsDir = safeAbsPath(msg.path);
+      }
       if (!fsDir) {
         sendTo(ws, { type: "fs_list_result", path: msg.path, entries: [], error: "Access denied" });
         return;
@@ -2874,6 +2891,9 @@ function createProjectContext(opts) {
 
     if (msg.type === "fs_read") {
       var fsFile = safePath(cwd, msg.path);
+      if (!fsFile && getOsUserInfoForWs(ws)) {
+        fsFile = safeAbsPath(msg.path);
+      }
       if (!fsFile) {
         sendTo(ws, { type: "fs_read_result", path: msg.path, error: "Access denied" });
         return;
@@ -2920,6 +2940,9 @@ function createProjectContext(opts) {
     // --- File write ---
     if (msg.type === "fs_write") {
       var fsWriteFile = safePath(cwd, msg.path);
+      if (!fsWriteFile && getOsUserInfoForWs(ws)) {
+        fsWriteFile = safeAbsPath(msg.path);
+      }
       if (!fsWriteFile) {
         sendTo(ws, { type: "fs_write_result", path: msg.path, ok: false, error: "Access denied" });
         return;
@@ -3749,6 +3772,11 @@ function createProjectContext(opts) {
     // Keep any pending scheduled message alive when user sends a regular message
 
     var userMsg = { type: "user_message", text: msg.text || "" };
+    // Attach sender info for multi-user attribution (backward-compatible: old clients ignore these)
+    if (ws._clayUser) {
+      userMsg.from = ws._clayUser.id;
+      userMsg.fromName = ws._clayUser.displayName || ws._clayUser.username || "";
+    }
     var savedImagePaths = [];
     if (msg.images && msg.images.length > 0) {
       userMsg.imageCount = msg.images.length;
@@ -5361,6 +5389,9 @@ function createProjectContext(opts) {
       var reqFilePath = params.get("path");
       if (!reqFilePath) { res.writeHead(400); res.end("Missing path"); return true; }
       var absFile = safePath(cwd, reqFilePath);
+      if (!absFile && getOsUserInfoForReq(req)) {
+        absFile = safeAbsPath(reqFilePath);
+      }
       if (!absFile) { res.writeHead(403); res.end("Access denied"); return true; }
       var fileExt = path.extname(absFile).toLowerCase();
       if (!IMAGE_EXTS.has(fileExt)) { res.writeHead(403); res.end("Only image files"); return true; }

package/lib/public/app.js

@@ -2865,10 +2865,11 @@ import { initDebate, handleDebatePreparing, handleDebateStarted, handleDebateRes
   // AskUserQuestion, PermissionRequest, Plan, Todo, Thinking, Tool items -> modules/tools.js
 
   // --- DOM: Messages ---
-  function addUserMessage(text, images, pastes) {
+  function addUserMessage(text, images, pastes, fromUserId, fromUserName) {
     if (!text && (!images || images.length === 0) && (!pastes || pastes.length === 0)) return;
+    var isOtherUser = fromUserId && fromUserId !== myUserId;
     var div = document.createElement("div");
-    div.className = "msg-user";
+    div.className = "msg-user" + (isOtherUser ? " msg-user-other" : "");
     div.dataset.turn = ++turnCounter;
     var bubble = document.createElement("div");
     bubble.className = "bubble";
@@ -2926,14 +2927,27 @@ import { initDebate, handleDebatePreparing, handleDebateStarted, handleDebateRes
 
 
     // Always render avatar + header structure (CSS controls visibility)
-    var _myU = cachedAllUsers.find(function (u) { return u.id === myUserId; });
-    if (!_myU) {
-      try { _myU = JSON.parse(localStorage.getItem("clay_my_user") || "null"); } catch(e) {}
+    var _targetUser;
+    var _displayName;
+    if (isOtherUser) {
+      _targetUser = cachedAllUsers.find(function (u) { return u.id === fromUserId; });
+      _displayName = fromUserName || (_targetUser && (_targetUser.displayName || _targetUser.username)) || "User";
+    } else {
+      _targetUser = cachedAllUsers.find(function (u) { return u.id === myUserId; });
+      if (!_targetUser) {
+        try { _targetUser = JSON.parse(localStorage.getItem("clay_my_user") || "null"); } catch(e) {}
+      }
+      _displayName = document.body.dataset.myDisplayName || "";
+      if (!_displayName) {
+        _displayName = (_targetUser && (_targetUser.displayName || _targetUser.username)) || "Me";
+      }
     }
 
     var avi = document.createElement("img");
-    avi.className = "dm-bubble-avatar dm-bubble-avatar-me";
-    avi.src = document.body.dataset.myAvatarUrl || userAvatarUrl(_myU || { id: myUserId }, 36);
+    avi.className = "dm-bubble-avatar" + (isOtherUser ? " dm-bubble-avatar-other" : " dm-bubble-avatar-me");
+    avi.src = isOtherUser
+      ? userAvatarUrl(_targetUser || { id: fromUserId }, 36)
+      : (document.body.dataset.myAvatarUrl || userAvatarUrl(_targetUser || { id: myUserId }, 36));
     div.appendChild(avi);
 
     var contentWrap = document.createElement("div");
@@ -2941,13 +2955,9 @@ import { initDebate, handleDebatePreparing, handleDebateStarted, handleDebateRes
 
     var header = document.createElement("div");
     header.className = "dm-bubble-header";
-    var myDisplayName = document.body.dataset.myDisplayName || "";
-    if (!myDisplayName) {
-      myDisplayName = (_myU && (_myU.displayName || _myU.username)) || "Me";
-    }
     var nameSpan = document.createElement("span");
     nameSpan.className = "dm-bubble-name";
-    nameSpan.textContent = myDisplayName;
+    nameSpan.textContent = _displayName;
     header.appendChild(nameSpan);
     var timeSpan = document.createElement("span");
     timeSpan.className = "dm-bubble-time";
@@ -4408,9 +4418,9 @@ import { initDebate, handleDebatePreparing, handleDebateStarted, handleDebateRes
           if (msg.planContent) {
             setPlanContent(msg.planContent);
             renderPlanCard(msg.planContent);
-            addUserMessage("Execute the following plan. Do NOT re-enter plan mode — just implement it step by step.", msg.images || null, msg.pastes || null);
+            addUserMessage("Execute the following plan. Do NOT re-enter plan mode — just implement it step by step.", msg.images || null, msg.pastes || null, msg.from, msg.fromName);
           } else {
-            addUserMessage(msg.text, msg.images || null, msg.pastes || null);
+            addUserMessage(msg.text, msg.images || null, msg.pastes || null, msg.from, msg.fromName);
           }
           break;
 

package/lib/public/css/mates.css

@@ -732,7 +732,7 @@ body.mate-dm-active #layout.sidebar-collapsed .mate-collapsed-info {
   right: 12px;
   margin-top: 4px;
   padding: 10px 14px;
-  background: var(--bg-primary, #fff);
+  background: var(--bg);
   border: 1px solid var(--border-subtle);
   border-radius: 8px;
   box-shadow: 0 4px 16px rgba(0,0,0,0.15);
@@ -823,7 +823,7 @@ body.mate-dm-active #layout.sidebar-collapsed .mate-collapsed-info {
   justify-content: center;
 }
 .mate-confirm-box {
-  background: var(--bg-primary, #fff);
+  background: var(--bg);
   border: 1px solid var(--border-subtle);
   border-radius: 12px;
   padding: 20px 24px;
@@ -846,7 +846,7 @@ body.mate-dm-active #layout.sidebar-collapsed .mate-collapsed-info {
   border: 1px solid var(--border-subtle);
   font-size: 13px;
   cursor: pointer;
-  background: var(--bg-primary);
+  background: var(--bg);
   color: var(--text);
 }
 .mate-confirm-delete {
@@ -873,7 +873,7 @@ body.mate-dm-active #layout.sidebar-collapsed .mate-collapsed-info {
   background: rgba(0,0,0,0.45);
 }
 .mate-onboarding-card {
-  background: var(--bg-primary, #fff);
+  background: var(--bg);
   border: 1px solid var(--border-subtle);
   border-radius: 16px;
   padding: 32px 36px;

package/lib/public/css/mention.css

@@ -206,10 +206,6 @@
   color: var(--danger, #e74c3c);
   border-color: var(--danger, #e74c3c);
 }
-.mention-stop-btn svg {
-  width: 12px;
-  height: 12px;
-}
 
 .mention-content {
   font-size: 15px;

package/lib/public/css/messages.css

@@ -150,6 +150,21 @@
   text-align: start;
 }
 
+/* Other user's message: left-aligned with flipped bubble */
+.msg-user-other {
+  align-items: flex-start;
+}
+.msg-user-other .bubble {
+  background: var(--bg-elevated, var(--bg-hover));
+  border-radius: 20px 20px 20px 4px;
+}
+.msg-user-other .dm-bubble-avatar-other {
+  display: block;
+}
+.msg-user-other .dm-bubble-header {
+  display: flex;
+}
+
 /* --- User message action bar --- */
 .msg-actions {
   display: flex;

package/lib/public/modules/mention.js

@@ -335,7 +335,7 @@ export function handleMentionStart(msg) {
     var stopBtn = document.createElement("button");
     stopBtn.className = "mention-stop-btn";
     stopBtn.title = "Stop";
-    stopBtn.innerHTML = iconHtml("square");
+    stopBtn.textContent = "Stop";
     stopBtn.addEventListener("click", function () {
       if (ctx.ws && ctx.connected) {
         ctx.ws.send(JSON.stringify({ type: "mention_stop", mateId: msg.mateId }));
@@ -383,7 +383,7 @@ export function handleMentionStart(msg) {
     var stopBtn = document.createElement("button");
     stopBtn.className = "mention-stop-btn";
     stopBtn.title = "Stop";
-    stopBtn.innerHTML = iconHtml("square");
+    stopBtn.textContent = "Stop";
     stopBtn.addEventListener("click", function () {
       if (ctx.ws && ctx.connected) {
         ctx.ws.send(JSON.stringify({ type: "mention_stop", mateId: msg.mateId }));

package/lib/public/sw.js

@@ -110,6 +110,8 @@ self.addEventListener("push", function (event) {
   } else if (data.type === "error") {
     options.requireInteraction = true;
     options.tag = "claude-error";
+  } else if (data.type === "dm") {
+    options.tag = data.tag || "dm";
   }
 
   event.waitUntil(

package/lib/push.js

@@ -80,12 +80,14 @@ function initPush() {
     })(startupEndpoints[si]);
   }
 
-  function addSubscription(sub, replaceEndpoint) {
+  function addSubscription(sub, replaceEndpoint, userId) {
     if (!sub || !sub.endpoint) return;
     // Remove previous subscription from the same client if endpoint changed
     if (replaceEndpoint && replaceEndpoint !== sub.endpoint) {
       subscriptions.delete(replaceEndpoint);
     }
+    // Attach userId for per-user targeting (backward-compatible: old subs without userId still work for broadcast)
+    if (userId) sub._userId = userId;
     // Store immediately, then validate async. Invalid subs get cleaned on first sendPush.
     subscriptions.set(sub.endpoint, sub);
     save();
@@ -119,11 +121,28 @@ function initPush() {
     });
   }
 
+  function sendPushToUser(userId, payload) {
+    if (!userId) return;
+    var json = JSON.stringify(payload);
+    subscriptions.forEach(function (sub, endpoint) {
+      if (sub._userId !== userId) return;
+      webpush.sendNotification(sub, json, { vapidDetails: vapidDetails })
+        .then(function () {})
+        .catch(function (err) {
+          if (err.statusCode === 410 || err.statusCode === 404 || err.statusCode === 403) {
+            subscriptions.delete(endpoint);
+            save();
+          }
+        });
+    });
+  }
+
   return {
     publicKey: keys.publicKey,
     addSubscription: addSubscription,
     removeSubscription: removeSubscription,
     sendPush: sendPush,
+    sendPushToUser: sendPushToUser,
   };
 }
 

package/lib/sdk-bridge.js

@@ -955,6 +955,7 @@ function createSDKBridge(opts) {
 
   function cleanupWorker(worker) {
     console.log("[sdk-bridge] cleanupWorker() called, pid=" + (worker.process ? worker.process.pid : "?") + " stack=" + new Error().stack.split("\n").slice(1, 4).join(" | "));
+    if (worker._abortTimeout) { clearTimeout(worker._abortTimeout); worker._abortTimeout = null; }
     if (worker.connection && !worker.connection.destroyed) {
       try { worker.connection.end(); } catch (e) {}
     }
@@ -1069,7 +1070,20 @@ function createSDKBridge(opts) {
     session.pendingElicitations = {};
     session.streamedText = false;
     session.responsePreview = "";
-    session.abortController = { abort: function() { console.log("[sdk-bridge] ABORT sent to worker pid=" + (worker.process ? worker.process.pid : "?")); worker._abortSent = true; worker.send({ type: "abort" }); } };
+    session.abortController = { abort: function() {
+      console.log("[sdk-bridge] ABORT sent to worker pid=" + (worker.process ? worker.process.pid : "?"));
+      worker._abortSent = true;
+      try { worker.send({ type: "abort" }); } catch (e) {}
+      // If the worker doesn't finish within 5s (e.g. subagent stuck), force-kill it.
+      // The worker exit handler will dispatch a fallback query_error and send done.
+      if (worker._abortTimeout) clearTimeout(worker._abortTimeout);
+      worker._abortTimeout = setTimeout(function() {
+        if (worker.process && !worker.process.killed && session.isProcessing) {
+          console.log("[sdk-bridge] Abort timeout: force-killing worker pid=" + (worker.process ? worker.process.pid : "?"));
+          try { worker.process.kill("SIGKILL"); } catch (e) {}
+        }
+      }, 5000);
+    } };
 
     // Build initial user message content
     var content = [];

package/lib/server.js

@@ -1072,7 +1072,8 @@ function createServer(opts) {
         try {
           var parsed = JSON.parse(body);
           var sub = parsed.subscription || parsed;
-          pushModule.addSubscription(sub, parsed.replaceEndpoint);
+          var _httpPushUser = getMultiUserFromReq(req);
+          pushModule.addSubscription(sub, parsed.replaceEndpoint, _httpPushUser ? _httpPushUser.id : null);
           res.writeHead(200, { "Content-Type": "application/json" });
           res.end('{"ok":true}');
         } catch (e) {
@@ -3161,6 +3162,18 @@ function createServer(opts) {
           otherWs.send(JSON.stringify({ type: "dm_message", dmKey: msg.dmKey, message: message }));
         });
       });
+      // Send push notification to target user
+      if (pushModule && pushModule.sendPushToUser) {
+        var senderName = ws._clayUser ? (ws._clayUser.displayName || ws._clayUser.username || "Someone") : "Someone";
+        var preview = (msg.text || "").substring(0, 140);
+        pushModule.sendPushToUser(targetId, {
+          type: "dm",
+          title: senderName,
+          body: preview,
+          tag: "dm-" + msg.dmKey,
+          dmKey: msg.dmKey,
+        });
+      }
       return;
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.24.4-beta.1",
+  "version": "2.25.0-beta.1",
   "description": "Self-hosted Claude Code in your browser. Multi-session, multi-user, push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",