clay-server 2.27.0-beta.8 → 2.27.0

package/lib/sessions.js

@@ -19,6 +19,7 @@ function createSessionManager(opts) {
   var slashCommands = null;     // shared across sessions
   var skillNames = null;        // Claude-only skills to filter from slash menu
   var singleUserUnread = {};    // sessionLocalId -> unread count (single-user mode)
+  var permissionRequestIndex = {}; // requestId -> sessionLocalId (O(1) lookup)
 
   // --- Session persistence (centralized in ~/.clay/sessions/{encoded-cwd}/) ---
   var sessionsBase = path.join(config.CONFIG_DIR, "sessions");
@@ -521,11 +522,15 @@ function createSessionManager(opts) {
           if (ws.readyState === 1) ws.send(ioData);
         }
         // Track unread: increment on "done" for clients not viewing this session
+        // Only count if session has no owner (my session) or owner matches this client
         if (obj.type === "done" && ws._clayActiveSession !== session.localId) {
-          if (!ws._clayUnread) ws._clayUnread = {};
-          ws._clayUnread[session.localId] = (ws._clayUnread[session.localId] || 0) + 1;
-          if (ws.readyState === 1) {
-            ws.send(JSON.stringify({ type: "session_unread", id: session.localId, count: ws._clayUnread[session.localId] }));
+          var _isMySession = !session.ownerId || (ws._clayUser && ws._clayUser.id === session.ownerId);
+          if (_isMySession) {
+            if (!ws._clayUnread) ws._clayUnread = {};
+            ws._clayUnread[session.localId] = (ws._clayUnread[session.localId] || 0) + 1;
+            if (ws.readyState === 1) {
+              ws.send(JSON.stringify({ type: "session_unread", id: session.localId, count: ws._clayUnread[session.localId] }));
+            }
           }
         }
       });
@@ -664,6 +669,7 @@ function createSessionManager(opts) {
           historyIndex: i,
           snippet: snippet,
           role: entry.type === "user_message" ? "user" : "assistant",
+          ts: entry._ts || null,
         });
       }
     }
@@ -773,6 +779,7 @@ function createSessionManager(opts) {
       saveSessionFile(session);
       return { ok: true };
     },
+    permissionRequestIndex: permissionRequestIndex,
   };
 }
 

package/lib/users-auth.js

@@ -0,0 +1,146 @@
+var crypto = require("crypto");
+
+function attachAuth(deps) {
+  var loadUsers = deps.loadUsers;
+  var saveUsers = deps.saveUsers;
+  var findAdmin = deps.findAdmin;
+
+  // --- Multi-user mode ---
+
+  function isMultiUser() {
+    var data = loadUsers();
+    return !!data.multiUser;
+  }
+
+  function enableMultiUser() {
+    var data = loadUsers();
+    if (data.multiUser) {
+      // Already enabled -- check if admin exists
+      var admin = findAdmin(data);
+      if (admin) {
+        return { alreadyEnabled: true, hasAdmin: true, setupCode: null };
+      }
+      // Multi-user enabled but no admin -- regenerate setup code
+      var code = generateSetupCode();
+      data.setupCode = code;
+      saveUsers(data);
+      return { alreadyEnabled: true, hasAdmin: false, setupCode: code };
+    }
+    var code = generateSetupCode();
+    data.multiUser = true;
+    data.setupCode = code;
+    saveUsers(data);
+    return { alreadyEnabled: false, hasAdmin: false, setupCode: code };
+  }
+
+  function disableMultiUser() {
+    var data = loadUsers();
+    data.multiUser = false;
+    data.setupCode = null;
+    saveUsers(data);
+  }
+
+  // --- Setup code ---
+
+  function generateSetupCode() {
+    var chars = "abcdefghijkmnpqrstuvwxyz23456789"; // no ambiguous chars
+    var code = "";
+    var bytes = crypto.randomBytes(6);
+    for (var i = 0; i < 6; i++) {
+      code += chars[bytes[i] % chars.length];
+    }
+    return code;
+  }
+
+  function getSetupCode() {
+    var data = loadUsers();
+    if (data.setupCode) return data.setupCode;
+    // Defensive: if multi-user is on, no admin, and no code, auto-generate one
+    if (data.multiUser && !findAdmin(data)) {
+      var code = generateSetupCode();
+      data.setupCode = code;
+      saveUsers(data);
+      return code;
+    }
+    return null;
+  }
+
+  function clearSetupCode() {
+    var data = loadUsers();
+    data.setupCode = null;
+    saveUsers(data);
+  }
+
+  function validateSetupCode(code) {
+    var data = loadUsers();
+    if (!data.setupCode) return false;
+    return data.setupCode === code;
+  }
+
+  // --- Pin hashing ---
+
+  function hashPin(pin) {
+    return crypto.createHash("sha256").update("clay-user:" + pin).digest("hex");
+  }
+
+  // Generate a random 6-digit PIN
+  function generatePin() {
+    var digits = "";
+    var bytes = crypto.randomBytes(6);
+    for (var i = 0; i < 6; i++) {
+      digits += (bytes[i] % 10).toString();
+    }
+    return digits;
+  }
+
+  // --- Authentication ---
+
+  function authenticateUser(username, pin) {
+    var data = loadUsers();
+    var user = null;
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].username.toLowerCase() === username.toLowerCase()) {
+        user = data.users[i];
+        break;
+      }
+    }
+    if (!user) return null;
+    var pinH = hashPin(pin);
+    if (user.pinHash !== pinH) return null;
+    return user;
+  }
+
+  // --- Auth tokens ---
+
+  function generateUserAuthToken(userId) {
+    var token = crypto.randomBytes(32).toString("hex");
+    return userId + ":" + token;
+  }
+
+  function parseAuthCookie(cookieValue) {
+    if (!cookieValue) return null;
+    var idx = cookieValue.indexOf(":");
+    if (idx < 0) return null;
+    return {
+      userId: cookieValue.substring(0, idx),
+      token: cookieValue.substring(idx + 1),
+    };
+  }
+
+  return {
+    isMultiUser: isMultiUser,
+    enableMultiUser: enableMultiUser,
+    disableMultiUser: disableMultiUser,
+    generateSetupCode: generateSetupCode,
+    getSetupCode: getSetupCode,
+    clearSetupCode: clearSetupCode,
+    validateSetupCode: validateSetupCode,
+    hashPin: hashPin,
+    generatePin: generatePin,
+    authenticateUser: authenticateUser,
+    generateUserAuthToken: generateUserAuthToken,
+    parseAuthCookie: parseAuthCookie,
+  };
+}
+
+module.exports = { attachAuth: attachAuth };

package/lib/users-permissions.js

@@ -0,0 +1,118 @@
+// --- Per-user RBAC permissions (default values for regular users) ---
+var DEFAULT_PERMISSIONS = {
+  terminal: false,
+  fileBrowser: true,
+  createProject: true,
+  deleteProject: false,
+  skills: true,
+  sessionDelete: false,
+  scheduledTasks: false,
+  projectSettings: false,
+};
+
+var ALL_PERMISSIONS = {
+  terminal: true,
+  fileBrowser: true,
+  createProject: true,
+  deleteProject: true,
+  skills: true,
+  sessionDelete: true,
+  scheduledTasks: true,
+  projectSettings: true,
+};
+
+function attachPermissions(deps) {
+  var loadUsers = deps.loadUsers;
+  var saveUsers = deps.saveUsers;
+  var findUserById = deps.findUserById;
+
+  function getEffectivePermissions(user, osUsersMode) {
+    // OS-mode users with linuxUser are exempt from RBAC (OS handles isolation)
+    if (osUsersMode && user && user.linuxUser) return ALL_PERMISSIONS;
+    // Admin always has full permissions
+    if (user && user.role === "admin") return ALL_PERMISSIONS;
+    // Merge stored permissions with defaults (handles missing keys for forward-compat)
+    var stored = (user && user.permissions) || {};
+    var result = {};
+    var keys = Object.keys(DEFAULT_PERMISSIONS);
+    for (var i = 0; i < keys.length; i++) {
+      var k = keys[i];
+      result[k] = stored[k] !== undefined ? stored[k] : DEFAULT_PERMISSIONS[k];
+    }
+    return result;
+  }
+
+  function updateUserPermissions(userId, permissions) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        // Validate: only allow known permission keys with boolean values
+        var clean = {};
+        var keys = Object.keys(DEFAULT_PERMISSIONS);
+        for (var j = 0; j < keys.length; j++) {
+          var k = keys[j];
+          clean[k] = permissions[k] === true;
+        }
+        data.users[i].permissions = clean;
+        saveUsers(data);
+        return { ok: true, permissions: clean };
+      }
+    }
+    return { error: "User not found" };
+  }
+
+  // --- Project access helpers ---
+
+  function canAccessProject(userId, project) {
+    if (!project) return false;
+    // Public projects are accessible to all authenticated users
+    if (!project.visibility || project.visibility === "public") return true;
+    // Admin always has access
+    var user = findUserById(userId);
+    if (user && user.role === "admin") return true;
+    // Owner always has access to their own project
+    if (project.ownerId && project.ownerId === userId) return true;
+    // Private project -- check allowedUsers
+    var allowed = project.allowedUsers || [];
+    return allowed.indexOf(userId) >= 0;
+  }
+
+  function getAccessibleProjects(userId, projects) {
+    if (!projects) return [];
+    return projects.filter(function (p) {
+      return canAccessProject(userId, p);
+    });
+  }
+
+  // --- Session visibility helpers ---
+
+  function canAccessSession(userId, session, project) {
+    // Must have project access first
+    if (!canAccessProject(userId, project)) return false;
+    // Sessions without ownerId are legacy -- only admin can see them
+    if (!session.ownerId) {
+      var user = findUserById(userId);
+      return !!(user && user.role === "admin");
+    }
+    // Owner can always see their own sessions
+    if (session.ownerId === userId) return true;
+    // Shared sessions are visible to all project members (default)
+    if (!session.sessionVisibility || session.sessionVisibility === "shared") return true;
+    // Private sessions are only visible to the owner
+    return false;
+  }
+
+  return {
+    getEffectivePermissions: getEffectivePermissions,
+    updateUserPermissions: updateUserPermissions,
+    canAccessProject: canAccessProject,
+    getAccessibleProjects: getAccessibleProjects,
+    canAccessSession: canAccessSession,
+  };
+}
+
+module.exports = {
+  DEFAULT_PERMISSIONS: DEFAULT_PERMISSIONS,
+  ALL_PERMISSIONS: ALL_PERMISSIONS,
+  attachPermissions: attachPermissions,
+};

package/lib/users-preferences.js

@@ -0,0 +1,210 @@
+function attachPreferences(deps) {
+  var loadUsers = deps.loadUsers;
+  var saveUsers = deps.saveUsers;
+
+  // --- DM Favorites ---
+
+  function getDmFavorites(userId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        return data.users[i].dmFavorites || [];
+      }
+    }
+    return [];
+  }
+
+  function addDmFavorite(userId, targetUserId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        if (!data.users[i].dmFavorites) data.users[i].dmFavorites = [];
+        if (data.users[i].dmFavorites.indexOf(targetUserId) === -1) {
+          data.users[i].dmFavorites.push(targetUserId);
+          saveUsers(data);
+        }
+        return data.users[i].dmFavorites;
+      }
+    }
+    return [];
+  }
+
+  function removeDmFavorite(userId, targetUserId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        if (!data.users[i].dmFavorites) data.users[i].dmFavorites = [];
+        data.users[i].dmFavorites = data.users[i].dmFavorites.filter(function (id) {
+          return id !== targetUserId;
+        });
+        saveUsers(data);
+        return data.users[i].dmFavorites;
+      }
+    }
+    return [];
+  }
+
+  // --- DM Hidden (dismissed from strip) ---
+
+  function getDmHidden(userId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        return data.users[i].dmHidden || [];
+      }
+    }
+    return [];
+  }
+
+  function addDmHidden(userId, targetUserId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        if (!data.users[i].dmHidden) data.users[i].dmHidden = [];
+        if (data.users[i].dmHidden.indexOf(targetUserId) === -1) {
+          data.users[i].dmHidden.push(targetUserId);
+          saveUsers(data);
+        }
+        return data.users[i].dmHidden;
+      }
+    }
+    return [];
+  }
+
+  function removeDmHidden(userId, targetUserId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        if (!data.users[i].dmHidden) data.users[i].dmHidden = [];
+        data.users[i].dmHidden = data.users[i].dmHidden.filter(function (id) {
+          return id !== targetUserId;
+        });
+        saveUsers(data);
+        return data.users[i].dmHidden;
+      }
+    }
+    return [];
+  }
+
+  // --- Deleted built-in mate keys tracking ---
+
+  function getDeletedBuiltinKeys(userId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        return data.users[i].deletedBuiltinKeys || [];
+      }
+    }
+    return [];
+  }
+
+  function addDeletedBuiltinKey(userId, key) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        if (!data.users[i].deletedBuiltinKeys) data.users[i].deletedBuiltinKeys = [];
+        if (data.users[i].deletedBuiltinKeys.indexOf(key) === -1) {
+          data.users[i].deletedBuiltinKeys.push(key);
+          saveUsers(data);
+        }
+        return;
+      }
+    }
+  }
+
+  function removeDeletedBuiltinKey(userId, key) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        if (!data.users[i].deletedBuiltinKeys) return;
+        data.users[i].deletedBuiltinKeys = data.users[i].deletedBuiltinKeys.filter(function (k) {
+          return k !== key;
+        });
+        saveUsers(data);
+        return;
+      }
+    }
+  }
+
+  // --- Per-user chat layout setting ---
+
+  function getChatLayout(userId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        return data.users[i].chatLayout || "channel";
+      }
+    }
+    return "channel";
+  }
+
+  function setChatLayout(userId, layout) {
+    var val = (layout === "bubble") ? "bubble" : "channel";
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        data.users[i].chatLayout = val;
+        saveUsers(data);
+        return { ok: true, chatLayout: val };
+      }
+    }
+    return { error: "User not found" };
+  }
+
+  // --- Per-user auto-continue setting ---
+
+  function getAutoContinue(userId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        return !!data.users[i].autoContinueOnRateLimit;
+      }
+    }
+    return false;
+  }
+
+  function setAutoContinue(userId, enabled) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        data.users[i].autoContinueOnRateLimit = !!enabled;
+        saveUsers(data);
+        return { ok: true, autoContinueOnRateLimit: !!enabled };
+      }
+    }
+    return { error: "User not found" };
+  }
+
+  // --- Mate onboarding ---
+
+  function setMateOnboarded(userId) {
+    var data = loadUsers();
+    for (var i = 0; i < data.users.length; i++) {
+      if (data.users[i].id === userId) {
+        data.users[i].mateOnboardingShown = true;
+        saveUsers(data);
+        return { ok: true };
+      }
+    }
+    return { error: "User not found" };
+  }
+
+  return {
+    getDmFavorites: getDmFavorites,
+    addDmFavorite: addDmFavorite,
+    removeDmFavorite: removeDmFavorite,
+    getDmHidden: getDmHidden,
+    addDmHidden: addDmHidden,
+    removeDmHidden: removeDmHidden,
+    getDeletedBuiltinKeys: getDeletedBuiltinKeys,
+    addDeletedBuiltinKey: addDeletedBuiltinKey,
+    removeDeletedBuiltinKey: removeDeletedBuiltinKey,
+    getChatLayout: getChatLayout,
+    setChatLayout: setChatLayout,
+    getAutoContinue: getAutoContinue,
+    setAutoContinue: setAutoContinue,
+    setMateOnboarded: setMateOnboarded,
+  };
+}
+
+module.exports = { attachPreferences: attachPreferences };