clay-server 2.33.1 → 2.34.0-beta.1

package/lib/os-users.js

@@ -3,14 +3,19 @@
 
 var fs = require("fs");
 var path = require("path");
-var { execSync } = require("child_process");
+var execFileSync = require("child_process").execFileSync;
+
+function isSafeLinuxUsername(username) {
+  return typeof username === "string" && /^[a-z_][a-z0-9_-]*[$]?$/.test(username);
+}
 
 /**
  * Resolve Linux user info from username via getent passwd.
  * Returns { uid, gid, home, user, shell } or throws on failure.
  */
 function resolveOsUserInfo(username) {
-  var output = execSync("getent passwd " + username, { encoding: "utf8", timeout: 5000 }).trim();
+  if (!isSafeLinuxUsername(username)) throw new Error("Invalid Linux username");
+  var output = execFileSync("getent", ["passwd", username], { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
   // getent passwd format: username:x:uid:gid:gecos:home:shell
   var parts = output.split(":");
   if (parts.length < 7) throw new Error("Unexpected getent output for user " + username);
@@ -74,7 +79,7 @@ function fsAsUser(op, args, osUserInfo) {
       "var buf = fs.readFileSync(f);",
       "process.stdout.write(buf.toString('base64'));",
     ].join(" ");
-    var binOutput = execSync(process.execPath + " -e " + JSON.stringify(script), {
+    var binOutput = execFileSync(process.execPath, ["-e", script], {
       encoding: "utf8",
       timeout: 10000,
       uid: osUserInfo.uid,
@@ -94,7 +99,7 @@ function fsAsUser(op, args, osUserInfo) {
     throw new Error("Unknown fsAsUser operation: " + op);
   }
 
-  var output = execSync(process.execPath + " -e " + JSON.stringify(script), {
+  var output = execFileSync(process.execPath, ["-e", script], {
     encoding: "utf8",
     timeout: 10000,
     uid: osUserInfo.uid,
@@ -151,7 +156,7 @@ function getAclInstallCommand() {
  */
 function checkAclSupport() {
   try {
-    execSync("which setfacl", { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+    execFileSync("which", ["setfacl"], { encoding: "utf8", timeout: 5000, stdio: "pipe" });
     return { available: true };
   } catch (e) {
     return { available: false, installCmd: getAclInstallCommand() };
@@ -182,16 +187,22 @@ function grantProjectAccess(projectPath, linuxUser) {
     console.log("[os-users] Skipping ACL for home directory: " + projectPath);
     return;
   }
+  if (!isSafeLinuxUsername(linuxUser)) {
+    console.error("[os-users] Invalid Linux username for ACL grant: " + linuxUser);
+    return;
+  }
   try {
     // Recursive ACL for existing files
-    execSync("setfacl -R -m u:" + linuxUser + ":rwX " + JSON.stringify(projectPath), {
+    execFileSync("setfacl", ["-R", "-m", "u:" + linuxUser + ":rwX", projectPath], {
       encoding: "utf8",
       timeout: 30000,
+      stdio: "pipe",
     });
     // Default ACL so new files also inherit access
-    execSync("setfacl -R -d -m u:" + linuxUser + ":rwX " + JSON.stringify(projectPath), {
+    execFileSync("setfacl", ["-R", "-d", "-m", "u:" + linuxUser + ":rwX", projectPath], {
       encoding: "utf8",
       timeout: 30000,
+      stdio: "pipe",
     });
     console.log("[os-users] Granted ACL access for " + linuxUser + " on " + projectPath);
   } catch (e) {
@@ -214,14 +225,20 @@ function revokeProjectAccess(projectPath, linuxUser) {
     console.log("[os-users] Skipping ACL revoke for home directory: " + projectPath);
     return;
   }
+  if (!isSafeLinuxUsername(linuxUser)) {
+    console.error("[os-users] Invalid Linux username for ACL revoke: " + linuxUser);
+    return;
+  }
   try {
-    execSync("setfacl -R -x u:" + linuxUser + " " + JSON.stringify(projectPath), {
+    execFileSync("setfacl", ["-R", "-x", "u:" + linuxUser, projectPath], {
       encoding: "utf8",
       timeout: 30000,
+      stdio: "pipe",
     });
-    execSync("setfacl -R -d -x u:" + linuxUser + " " + JSON.stringify(projectPath), {
+    execFileSync("setfacl", ["-R", "-d", "-x", "u:" + linuxUser, projectPath], {
       encoding: "utf8",
       timeout: 30000,
+      stdio: "pipe",
     });
     console.log("[os-users] Revoked ACL access for " + linuxUser + " on " + projectPath);
   } catch (e) {
@@ -260,10 +277,11 @@ function toLinuxUsername(clayUsername) {
  */
 function ensureLinger(username) {
   try {
-    var uid = execSync("id -u " + username, { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
+    if (!isSafeLinuxUsername(username)) throw new Error("Invalid Linux username");
+    var uid = execFileSync("id", ["-u", username], { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
     var lingerFile = "/var/lib/systemd/linger/" + username;
     if (fs.existsSync(lingerFile)) return;
-    execSync("loginctl enable-linger " + username, {
+    execFileSync("loginctl", ["enable-linger", username], {
       encoding: "utf8",
       timeout: 10000,
       stdio: "pipe",
@@ -279,7 +297,8 @@ function ensureLinger(username) {
  */
 function linuxUserExists(username) {
   try {
-    execSync("id " + username, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+    if (!isSafeLinuxUsername(username)) return false;
+    execFileSync("id", [username], { encoding: "utf8", timeout: 5000, stdio: "pipe" });
     return true;
   } catch (e) {
     return false;
@@ -288,7 +307,8 @@ function linuxUserExists(username) {
 
 function getLinuxUserHome(username) {
   try {
-    var line = execSync("getent passwd " + username, { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
+    if (!isSafeLinuxUsername(username)) return "/home/" + (username || "");
+    var line = execFileSync("getent", ["passwd", username], { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
     var parts = line.split(":");
     return parts[5] || "/home/" + username;
   } catch (e) {
@@ -298,7 +318,8 @@ function getLinuxUserHome(username) {
 
 function getLinuxUserUid(username) {
   try {
-    var uid = execSync("id -u " + username, { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
+    if (!isSafeLinuxUsername(username)) return null;
+    var uid = execFileSync("id", ["-u", username], { encoding: "utf8", timeout: 5000, stdio: "pipe" }).trim();
     return parseInt(uid, 10);
   } catch (e) {
     return null;
@@ -312,11 +333,13 @@ function getLinuxUserUid(username) {
  */
 function installClaudeCli(linuxName) {
   try {
+    if (!isSafeLinuxUsername(linuxName)) throw new Error("Invalid Linux username");
     // Download and run the Claude CLI install script as the target user
-    execSync(
-      "su - " + linuxName + " -c \"curl -fsSL https://claude.ai/install.sh | bash\"",
-      { encoding: "utf8", timeout: 60000, stdio: "pipe" }
-    );
+    execFileSync("su", ["-", linuxName, "-c", "curl -fsSL https://claude.ai/install.sh | bash"], {
+      encoding: "utf8",
+      timeout: 60000,
+      stdio: "pipe",
+    });
     console.log("[os-users] Claude CLI installed for " + linuxName);
   } catch (e) {
     var msg = (e.stderr || e.message || "").trim();
@@ -326,24 +349,19 @@ function installClaudeCli(linuxName) {
 
   // Append PATH export to the user's shell config if not already present
   try {
-    var home = "/home/" + linuxName;
-    var rcFile;
-    if (fs.existsSync(home + "/.zshrc")) {
-      rcFile = "~/.zshrc";
+    var userInfo = resolveOsUserInfo(linuxName);
+    var home = userInfo.home || ("/home/" + linuxName);
+    var rcPath = fs.existsSync(path.join(home, ".zshrc")) ? path.join(home, ".zshrc") : path.join(home, ".bashrc");
+    var exportLine = 'export PATH="$HOME/.local/bin:$PATH"';
+    var existing = "";
+    try { existing = fs.readFileSync(rcPath, "utf8"); } catch (e2) {}
+    if (existing.indexOf(exportLine) === -1) {
+      var prefix = existing && !/\n$/.test(existing) ? "\n" : "";
+      fs.appendFileSync(rcPath, prefix + exportLine + "\n", "utf8");
+      try { fs.chownSync(rcPath, userInfo.uid, userInfo.gid); } catch (e3) {}
+      console.log("[os-users] PATH export appended to " + rcPath + " for " + linuxName);
     } else {
-      rcFile = "~/.bashrc";
-    }
-
-    // Check if PATH export is already present before appending
-    var checkCmd = "su - " + linuxName + " -c \"grep -qF '/.local/bin' " + rcFile + "\"";
-    try {
-      execSync(checkCmd, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
-      console.log("[os-users] PATH already configured in " + rcFile + " for " + linuxName);
-    } catch (grepErr) {
-      // grep returned non-zero, meaning the line is not present; append it
-      var appendCmd = "su - " + linuxName + " -c 'echo \"export PATH=\\\"\\$HOME/.local/bin:\\$PATH\\\"\" >> " + rcFile + "'";
-      execSync(appendCmd, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
-      console.log("[os-users] PATH export appended to " + rcFile + " for " + linuxName);
+      console.log("[os-users] PATH already configured in " + rcPath + " for " + linuxName);
     }
   } catch (e) {
     var rcMsg = (e.stderr || e.message || "").trim();
@@ -368,7 +386,7 @@ function provisionLinuxUser(clayUsername) {
   }
 
   try {
-    execSync("useradd -m -s /bin/bash " + linuxName, {
+    execFileSync("useradd", ["-m", "-s", "/bin/bash", linuxName], {
       encoding: "utf8",
       timeout: 15000,
       stdio: "pipe",
@@ -453,7 +471,8 @@ function grantAllUsersAccess(projectPath, usersModule) {
  */
 function deactivateLinuxUser(linuxUsername) {
   try {
-    execSync("usermod -L " + linuxUsername, { encoding: "utf8", timeout: 5000, stdio: "pipe" });
+    if (!isSafeLinuxUsername(linuxUsername)) throw new Error("Invalid Linux username");
+    execFileSync("usermod", ["-L", linuxUsername], { encoding: "utf8", timeout: 5000, stdio: "pipe" });
     console.log("[os-users] Deactivated Linux user: " + linuxUsername);
     return { ok: true };
   } catch (e) {
@@ -493,4 +512,5 @@ module.exports = {
   isHomeDirectory: isHomeDirectory,
   getLinuxUserHome: getLinuxUserHome,
   getLinuxUserUid: getLinuxUserUid,
+  isSafeLinuxUsername: isSafeLinuxUsername,
 };

package/lib/project-http.js

@@ -163,8 +163,8 @@ function attachHTTP(ctx) {
               var _osUM = require("./os-users");
               var _uid = _osUM.getLinuxUserUid(req._clayUser.linuxUser);
               if (_uid != null) {
-                require("child_process").execSync("chown " + _uid + " " + JSON.stringify(destPath));
-                require("child_process").execSync("chown " + _uid + " " + JSON.stringify(tmpDir));
+                execFileSync("chown", [String(_uid), destPath]);
+                execFileSync("chown", [String(_uid), tmpDir]);
               }
             } catch (e2) {}
           }
@@ -639,9 +639,8 @@ function attachHTTP(ctx) {
 
     // Git dirty check
     if (req.method === "GET" && urlPath === "/api/git-dirty") {
-      var execSync = require("child_process").execSync;
       try {
-        var out = execSync("git status --porcelain", { cwd: cwd, encoding: "utf8", timeout: 5000 });
+        var out = execFileSync("git", ["status", "--porcelain"], { cwd: cwd, encoding: "utf8", timeout: 5000 });
         var lines = out.trim().split("\n").filter(function (line) {
           return line.trim().length > 0 && !line.startsWith("??");
         });

package/lib/project-image.js

@@ -1,6 +1,7 @@
 var fs = require("fs");
 var path = require("path");
 var crypto = require("crypto");
+var execFileSync = require("child_process").execFileSync;
 
 /**
  * Attach image handling to a project context.
@@ -65,12 +66,12 @@ function attachImage(ctx) {
             var osUsersMod = require("./os-users");
             var uid = osUsersMod.getLinuxUserUid(ownerLinuxUser);
             if (uid != null) {
-              require("child_process").execSync("chown " + uid + " " + JSON.stringify(filePath));
+              execFileSync("chown", [String(uid), filePath]);
               // Also fix parent dirs if root-owned
               try {
                 var dirStat = fs.statSync(imagesDir);
                 if (dirStat.uid !== uid) {
-                  require("child_process").execSync("chown " + uid + " " + JSON.stringify(imagesDir));
+                  execFileSync("chown", [String(uid), imagesDir]);
                 }
               } catch (e2) {}
             }

package/lib/project-mate-datastore.js

@@ -0,0 +1,218 @@
+var z = require("zod");
+var datastore = require("./mate-datastore");
+
+function attachMateDatastore(ctx) {
+  var cwd = ctx.cwd;
+  var isMate = ctx.isMate;
+  var send = ctx.send;
+  var sendTo = ctx.sendTo;
+
+  function ensureProjectDatastore() {
+    if (!isMate) {
+      return { ok: false, code: "MATE_DATASTORE_NOT_ALLOWED", message: "Mate datastore is only available in Mate sessions." };
+    }
+    try {
+      return datastore.ensureMateDatastore({ mateDir: cwd });
+    } catch (e) {
+      return { ok: false, code: "MATE_DATASTORE_UNAVAILABLE", message: e.message || "Mate datastore is unavailable." };
+    }
+  }
+
+  function getDatastoreWarning(handle) {
+    if (!handle || !handle.warning) return null;
+    return handle.warning;
+  }
+
+  function normalizeParams(input) {
+    if (!input) return [];
+    if (Array.isArray(input.params)) return input.params;
+    return [];
+  }
+
+  function normalizeToolResult(result, requestId) {
+    var payload = result || { ok: false, code: "MATE_DATASTORE_UNAVAILABLE", message: "Mate datastore is unavailable." };
+    if (typeof requestId !== "undefined") payload.requestId = requestId;
+    return payload;
+  }
+
+  function callToolInternal(toolName, input) {
+    var handle = ensureProjectDatastore();
+    if (!handle || handle.ok === false) {
+      return normalizeToolResult(handle, input && input.requestId);
+    }
+
+    var warning = getDatastoreWarning(handle);
+    var params = normalizeParams(input);
+
+    if (toolName === "clay_db_query") {
+      var queryResult = datastore.runQuery(handle, input.sql, params, { maxRows: 200, maxBytes: 1024 * 1024, includeSizeInfo: true });
+      if (warning && queryResult.ok && !queryResult.warning) queryResult.warning = warning;
+      return normalizeToolResult(queryResult, input && input.requestId);
+    }
+
+    if (toolName === "clay_db_exec") {
+      var execResult = datastore.runExec(handle, input.sql, params, { maxBytes: 1024 * 1024, includeSizeInfo: true });
+      if (warning && execResult.ok && !execResult.warning) execResult.warning = warning;
+      if (execResult.ok) {
+        broadcastDbChange({ tool: toolName, sql: input.sql, changes: execResult.changes || 0 });
+      }
+      return normalizeToolResult(execResult, input && input.requestId);
+    }
+
+    if (toolName === "clay_db_tables") {
+      var tablesResult = datastore.listSchemaObjects(handle);
+      if (warning && tablesResult.ok && !tablesResult.warning) tablesResult.warning = warning;
+      return normalizeToolResult(tablesResult, input && input.requestId);
+    }
+
+    if (toolName === "clay_db_describe") {
+      var describeResult = datastore.describeTable(handle, input.table);
+      if (warning && describeResult.ok && !describeResult.warning) describeResult.warning = warning;
+      return normalizeToolResult(describeResult, input && input.requestId);
+    }
+
+    return normalizeToolResult({ ok: false, code: "MATE_DATASTORE_NOT_ALLOWED", message: "Unknown datastore tool: " + toolName }, input && input.requestId);
+  }
+
+  function broadcastDbChange(details) {
+    var payload = {
+      type: "mate_db_change",
+      details: details || {},
+    };
+    send(payload);
+  }
+
+  function handleMateDatastoreMessage(ws, msg) {
+    if (msg.type !== "mate_db_tables" && msg.type !== "mate_db_describe" && msg.type !== "mate_db_query" && msg.type !== "mate_db_exec") {
+      return false;
+    }
+
+    if (!isMate) {
+      sendTo(ws, {
+        type: "mate_db_error",
+        requestId: msg.requestId || null,
+        code: "MATE_DATASTORE_NOT_ALLOWED",
+        message: "Mate datastore is only available in Mate sessions.",
+      });
+      return true;
+    }
+
+    if (msg.type === "mate_db_tables") {
+      sendResult(ws, "mate_db_tables_result", callToolInternal("clay_db_tables", msg));
+      return true;
+    }
+
+    if (msg.type === "mate_db_describe") {
+      sendResult(ws, "mate_db_describe_result", callToolInternal("clay_db_describe", msg));
+      return true;
+    }
+
+    if (msg.type === "mate_db_query") {
+      sendResult(ws, "mate_db_query_result", callToolInternal("clay_db_query", msg));
+      return true;
+    }
+
+    if (msg.type === "mate_db_exec") {
+      sendResult(ws, "mate_db_exec_result", callToolInternal("clay_db_exec", msg));
+      return true;
+    }
+
+    return true;
+  }
+
+  function sendResult(ws, type, result) {
+    var payload = result || { ok: false, code: "MATE_DATASTORE_UNAVAILABLE", message: "Mate datastore is unavailable." };
+    payload.type = type;
+    sendTo(ws, payload);
+  }
+
+  function getToolDefinitions() {
+    if (!isMate) return [];
+    return [
+      {
+        name: "clay_db_query",
+        description: "Execute read-only SQL against the current Mate datastore.",
+        inputSchema: {
+          sql: z.string().min(1).describe("SQL query"),
+          params: z.array(z.any()).optional().describe("Positional parameters"),
+        },
+        handler: function (input) {
+          return callToolInternal("clay_db_query", input || {});
+        },
+      },
+      {
+        name: "clay_db_exec",
+        description: "Execute schema or write SQL against the current Mate datastore.",
+        inputSchema: {
+          sql: z.string().min(1).describe("SQL statement"),
+          params: z.array(z.any()).optional().describe("Positional parameters"),
+        },
+        handler: function (input) {
+          return callToolInternal("clay_db_exec", input || {});
+        },
+      },
+      {
+        name: "clay_db_tables",
+        description: "List schema objects in the current Mate datastore.",
+        inputSchema: undefined,
+        handler: function (input) {
+          return callToolInternal("clay_db_tables", input || {});
+        },
+      },
+      {
+        name: "clay_db_describe",
+        description: "Describe a table or view in the current Mate datastore.",
+        inputSchema: {
+          table: z.string().min(1).describe("Table name"),
+        },
+        handler: function (input) {
+          return callToolInternal("clay_db_describe", input || {});
+        },
+      },
+    ];
+  }
+
+  function createMcpServer() {
+    var defs = getToolDefinitions();
+    var registered = {};
+    for (var i = 0; i < defs.length; i++) {
+      registered[defs[i].name] = {
+        description: defs[i].description,
+        inputSchema: defs[i].inputSchema,
+        handler: defs[i].handler,
+      };
+    }
+    return {
+      name: "clay-datastore",
+      version: "1.0.0",
+      instance: {
+        _registeredTools: registered,
+      },
+    };
+  }
+
+  function getSessionToolDefinitions() {
+    if (!isMate) return null;
+    return getToolDefinitions();
+  }
+
+  function callMateTool(session, toolName, input) {
+    return callToolInternal(toolName, input || {});
+  }
+
+  function closeAllDatastores() {
+    datastore.closeAllMateDatastores();
+  }
+
+  return {
+    handleMateDatastoreMessage: handleMateDatastoreMessage,
+    getToolDefinitions: getToolDefinitions,
+    createMcpServer: createMcpServer,
+    getSessionToolDefinitions: getSessionToolDefinitions,
+    callMateTool: callMateTool,
+    ensureProjectDatastore: ensureProjectDatastore,
+    closeAllDatastores: closeAllDatastores,
+  };
+}
+
+module.exports = { attachMateDatastore: attachMateDatastore };

package/lib/project.js

@@ -27,6 +27,7 @@ var { attachSessions } = require("./project-sessions");
 var { attachUserMessage } = require("./project-user-message");
 var { attachConnection } = require("./project-connection");
 var { attachMcp } = require("./project-mcp");
+var { attachMateDatastore } = require("./project-mate-datastore");
 var { createLocalMcp } = require("./mcp-local");
 var { attachEmail: attachEmailModule } = require("./project-email");
 // project-notifications is attached globally in server.js, passed via opts.notificationsModule
@@ -457,6 +458,19 @@ function createProjectContext(opts) {
     },
   });
 
+  // --- Mate datastore (Mate projects only) ---
+  var _mateDatastore = attachMateDatastore({
+    cwd: cwd,
+    slug: slug,
+    isMate: isMate,
+    send: send,
+    sendTo: sendTo,
+    clients: clients,
+    getSessionForWs: getSessionForWs,
+    usersModule: usersModule,
+    getProjectOwnerId: function () { return projectOwnerId; },
+  });
+
   // --- MCP tool servers (created via YOKE adapter) ---
   var mcpServers = (function () {
     var servers = {};
@@ -537,6 +551,15 @@ function createProjectContext(opts) {
       console.error("[project] Failed to create email MCP server:", e.message);
     }
 
+    if (isMate) {
+      try {
+        var datastoreMcp = _mateDatastore.createMcpServer();
+        if (datastoreMcp) servers[datastoreMcp.name || "clay-datastore"] = datastoreMcp;
+      } catch (e) {
+        console.error("[project] Failed to create datastore MCP server:", e.message);
+      }
+    }
+
     return Object.keys(servers).length > 0 ? servers : undefined;
   })();
 
@@ -878,6 +901,9 @@ function createProjectContext(opts) {
     // --- MCP bridge (remote MCP servers via extension) ---
     if (_mcp.handleMcpMessage(ws, msg)) return;
 
+    // --- Mate datastore ---
+    if (_mateDatastore.handleMateDatastoreMessage(ws, msg)) return;
+
     // --- Knowledge file management (delegated to project-knowledge.js) ---
     if (_knowledge.handleKnowledgeMessage(ws, msg)) return;
 
@@ -1298,6 +1324,9 @@ function createProjectContext(opts) {
   function destroy() {
     _loop.stopTimer();
     _email.destroy();
+    if (_mateDatastore && typeof _mateDatastore.closeAllDatastores === "function") {
+      try { _mateDatastore.closeAllDatastores(); } catch (e) {}
+    }
     stopFileWatch();
     stopAllDirWatches();
     // Abort all active sessions and clean up mention sessions

package/lib/public/app.js

@@ -18,6 +18,7 @@ import {
   openMobileSheet, setMobileSheetMateData, refreshMobileChatSheet
 } from './modules/sidebar-mobile.js';
 import { initMateSidebar, showMateSidebar, hideMateSidebar, renderMateSessionList, updateMateSidebarProfile, handleMateSearchResults } from './modules/mate-sidebar.js';
+import { initMateDatastoreUI } from './modules/mate-datastore-ui.js';
 import { initMateKnowledge, requestKnowledgeList, renderKnowledgeList, handleKnowledgeContent, hideKnowledge } from './modules/mate-knowledge.js';
 import { initMateMemory, renderMemoryList, hideMemory } from './modules/mate-memory.js';
 import { initRewind, setRewindMode, showRewindModal, clearPendingRewindUuid, addRewindButton, onRewindComplete, onRewindError } from './modules/rewind.js';
@@ -405,6 +406,7 @@ import { initDebate, handleDebatePreparing, handleDebateStarted, handleDebateRes
   initSidebar(sidebarCtx);
   var wsGetter = function () { return _getWsRef(); };
   initMateSidebar(wsGetter);
+  initMateDatastoreUI(wsGetter);
   initMateKnowledge(wsGetter);
   initMateMemory(wsGetter, { onShow: function () { hideKnowledge(); hideNotes(); } });
   initMateWizard(