clay-server 2.34.0-beta.7 → 2.34.0-beta.9

package/lib/os-users.js

@@ -4,6 +4,11 @@
 var fs = require("fs");
 var path = require("path");
 var execFileSync = require("child_process").execFileSync;
+var _aclGrantCache = Object.create(null);
+
+function aclCacheKey(projectPath, linuxUser) {
+  return path.resolve(projectPath) + "::" + linuxUser;
+}
 
 function isSafeLinuxUsername(username) {
   return typeof username === "string" && /^[a-z_][a-z0-9_-]*[$]?$/.test(username);
@@ -191,6 +196,10 @@ function grantProjectAccess(projectPath, linuxUser) {
     console.error("[os-users] Invalid Linux username for ACL grant: " + linuxUser);
     return;
   }
+  var cacheKey = aclCacheKey(projectPath, linuxUser);
+  if (_aclGrantCache[cacheKey]) {
+    return;
+  }
   try {
     // Recursive ACL for existing files
     execFileSync("setfacl", ["-R", "-m", "u:" + linuxUser + ":rwX", projectPath], {
@@ -204,8 +213,10 @@ function grantProjectAccess(projectPath, linuxUser) {
       timeout: 30000,
       stdio: "pipe",
     });
+    _aclGrantCache[cacheKey] = true;
     console.log("[os-users] Granted ACL access for " + linuxUser + " on " + projectPath);
   } catch (e) {
+    delete _aclGrantCache[cacheKey];
     var errMsg = (e.stderr || e.message || "").toString();
     if (errMsg.indexOf("not found") !== -1 || errMsg.indexOf("ENOENT") !== -1) {
       var cmd = getAclInstallCommand();
@@ -229,6 +240,7 @@ function revokeProjectAccess(projectPath, linuxUser) {
     console.error("[os-users] Invalid Linux username for ACL revoke: " + linuxUser);
     return;
   }
+  var cacheKey = aclCacheKey(projectPath, linuxUser);
   try {
     execFileSync("setfacl", ["-R", "-x", "u:" + linuxUser, projectPath], {
       encoding: "utf8",
@@ -240,6 +252,7 @@ function revokeProjectAccess(projectPath, linuxUser) {
       timeout: 30000,
       stdio: "pipe",
     });
+    delete _aclGrantCache[cacheKey];
     console.log("[os-users] Revoked ACL access for " + linuxUser + " on " + projectPath);
   } catch (e) {
     var errMsg = (e.stderr || e.message || "").toString();

package/lib/project-connection.js

@@ -82,16 +82,7 @@ function attachConnection(ctx) {
       setTimeout(function() { _loop.resumeLoop(); }, 500);
     }
 
-    // Auto-assign owner if project has none and a user connects (e.g. IPC-added projects)
     var projectOwnerId = getProjectOwnerId();
-    if (!projectOwnerId && ws._clayUser && ws._clayUser.id && !isMate) {
-      setProjectOwnerId(ws._clayUser.id);
-      projectOwnerId = ws._clayUser.id;
-      if (opts.onProjectOwnerChanged) {
-        opts.onProjectOwnerChanged(slug, projectOwnerId);
-      }
-      console.log("[project] Auto-assigned owner for " + slug + ": " + projectOwnerId);
-    }
 
     // Send cached state
     var _userId = ws._clayUser ? ws._clayUser.id : null;

package/lib/project-sessions.js

@@ -39,7 +39,7 @@ function formatAskUserAnswerAsMessage(input, answers) {
  *   sm, sdk, tm, clients,
  *   send, sendTo, sendToAdmins, sendToSession, sendToSessionOthers,
  *   opts, usersModule, userPresence, matesModule, pushModule,
- *   getSessionForWs, getLinuxUserForSession, getOsUserInfoForWs,
+ *   getSessionForWs, getLinuxUserForSession, ensureProjectAccessForSession, getOsUserInfoForWs,
  *   hydrateImageRefs, onProcessingChanged, broadcastPresence,
  *   adapter, getProjectList, getProjectCount, getScheduleCount,
  *   moveScheduleToProject, moveAllSchedulesToProject, getHubSchedules,
@@ -70,6 +70,7 @@ function attachSessions(ctx) {
   var pushModule = ctx.pushModule;
   var getSessionForWs = ctx.getSessionForWs;
   var getLinuxUserForSession = ctx.getLinuxUserForSession;
+  var ensureProjectAccessForSession = ctx.ensureProjectAccessForSession;
   var getOsUserInfoForWs = ctx.getOsUserInfoForWs;
   var hydrateImageRefs = ctx.hydrateImageRefs;
   var onProcessingChanged = ctx.onProcessingChanged;
@@ -803,7 +804,7 @@ function attachSessions(ctx) {
           session.sentToolResults = {};
           sendToSession(session.localId, { type: "status", status: "processing" });
           if (!session.queryInstance && !session.worker) {
-            sdk.startQuery(session, answerText, undefined, getLinuxUserForSession(session));
+            sdk.startQuery(session, answerText, undefined, ensureProjectAccessForSession(session));
           } else {
             sdk.pushMessage(session, answerText);
           }
@@ -932,7 +933,7 @@ function attachSessions(ctx) {
             newSession.sentToolResults = {};
             sendToSession(newSession.localId, { type: "status", status: "processing" });
             newSession.acceptEditsAfterStart = true;
-            sdk.startQuery(newSession, planPrompt, undefined, getLinuxUserForSession(newSession));
+            sdk.startQuery(newSession, planPrompt, undefined, ensureProjectAccessForSession(newSession));
           } catch (e) {
             console.error("[project] Error starting plan execution:", e);
             sendTo(ws, { type: "error", text: "Failed to start plan execution: " + (e.message || e) });
@@ -963,7 +964,7 @@ function attachSessions(ctx) {
               session.sentToolResults = {};
               sendToSession(session.localId, { type: "status", status: "processing" });
               if (!session.queryInstance && !session.worker) {
-                sdk.startQuery(session, feedback, undefined, getLinuxUserForSession(session));
+                sdk.startQuery(session, feedback, undefined, ensureProjectAccessForSession(session));
               } else {
                 sdk.pushMessage(session, feedback);
               }

package/lib/project-user-message.js

@@ -13,7 +13,7 @@ var fs = require("fs");
  *   send, sendTo, sendToSession, sendToSessionOthers,
  *   clients, opts,
  *   usersModule, matesModule,
- *   getSessionForWs, getLinuxUserForSession, getOsUserInfoForWs,
+ *   getSessionForWs, getLinuxUserForSession, ensureProjectAccessForSession, getOsUserInfoForWs,
  *   hydrateImageRefs, saveImageFile, imagesDir,
  *   onProcessingChanged, onSessionDone,
  *   _loop              - { handleLoopMessage: fn(ws, msg) }
@@ -49,6 +49,7 @@ function attachUserMessage(ctx) {
 
   var getSessionForWs = ctx.getSessionForWs;
   var getLinuxUserForSession = ctx.getLinuxUserForSession;
+  var ensureProjectAccessForSession = ctx.ensureProjectAccessForSession;
   var getOsUserInfoForWs = ctx.getOsUserInfoForWs;
 
   var hydrateImageRefs = ctx.hydrateImageRefs;
@@ -281,7 +282,7 @@ function attachUserMessage(ctx) {
       nowSession.isProcessing = true;
       onProcessingChanged();
       sendToSession(nowSession.localId, { type: "status", status: "processing" });
-      sdk.startQuery(nowSession, schedText, null, getLinuxUserForSession(nowSession));
+      sdk.startQuery(nowSession, schedText, null, ensureProjectAccessForSession(nowSession));
       sm.broadcastSessionList();
       return true;
     }
@@ -484,7 +485,7 @@ function attachUserMessage(ctx) {
           // No active query (or worker idle between queries): start a new query
           session._queryStartTs = Date.now();
           console.log("[PERF] project.js: startQuery called, localId=" + session.localId + " t=0ms");
-          sdk.startQuery(session, finalText, msg.images, getLinuxUserForSession(session));
+          sdk.startQuery(session, finalText, msg.images, ensureProjectAccessForSession(session));
         } else {
           sdk.pushMessage(session, finalText, msg.images);
         }

package/lib/project.js

@@ -9,7 +9,7 @@ var { createNotesManager } = require("./notes");
 var { fetchLatestVersion, fetchVersion, isNewer } = require("./updater");
 var { execFileSync, spawn } = require("child_process");
 var usersModule = require("./users");
-var { resolveOsUserInfo, fsAsUser } = require("./os-users");
+var { resolveOsUserInfo, fsAsUser, grantProjectAccess } = require("./os-users");
 var crisisSafety = require("./crisis-safety");
 var matesModule = require("./mates");
 var sessionSearch = require("./session-search");
@@ -160,6 +160,7 @@ function createProjectContext(opts) {
   var serverTls = opts.tls || false;
   var serverAuthToken = opts.authToken || null;
   var latestVersion = null;
+  var sessionTitleMigrationScheduled = false;
 
   // --- YOKE adapters (multi-vendor, lazy init) ---
   var _yokeState = yoke.createAdapters({ cwd: cwd, slug: slug });
@@ -187,6 +188,14 @@ function createProjectContext(opts) {
     return user.linuxUser;
   }
 
+  function ensureProjectAccessForSession(session) {
+    var linuxUser = getLinuxUserForSession(session);
+    if (linuxUser) {
+      grantProjectAccess(cwd, linuxUser);
+    }
+    return linuxUser;
+  }
+
   function getLinuxUserForWs(ws) {
     if (!osUsers) return null;
     if (!ws._clayUser || !ws._clayUser.linuxUser) return null;
@@ -799,7 +808,7 @@ function createProjectContext(opts) {
         session.isProcessing = true;
         onProcessingChanged();
         sendToSession(session.localId, { type: "status", status: "processing" });
-        sdk.startQuery(session, text, null, getLinuxUserForSession(session));
+        sdk.startQuery(session, text, null, ensureProjectAccessForSession(session));
         sm.broadcastSessionList();
       }, schedDelay),
     };
@@ -1133,6 +1142,7 @@ function createProjectContext(opts) {
     pushModule: pushModule,
     getSessionForWs: getSessionForWs,
     getLinuxUserForSession: getLinuxUserForSession,
+    ensureProjectAccessForSession: ensureProjectAccessForSession,
     getOsUserInfoForWs: getOsUserInfoForWs,
     hydrateImageRefs: hydrateImageRefs,
     onProcessingChanged: onProcessingChanged,
@@ -1181,6 +1191,7 @@ function createProjectContext(opts) {
     matesModule: matesModule,
     getSessionForWs: getSessionForWs,
     getLinuxUserForSession: getLinuxUserForSession,
+    ensureProjectAccessForSession: ensureProjectAccessForSession,
     getOsUserInfoForWs: getOsUserInfoForWs,
     hydrateImageRefs: hydrateImageRefs,
     saveImageFile: saveImageFile,
@@ -1380,7 +1391,16 @@ function createProjectContext(opts) {
     warmup: function () {
       sdk.warmup();
       sdk.startIdleReaper();
-      sm.migrateSessionTitles(adapter, cwd);
+      if (!osUsers && !sessionTitleMigrationScheduled) {
+        sessionTitleMigrationScheduled = true;
+        setTimeout(function () {
+          try {
+            sm.migrateSessionTitles(adapter, cwd);
+          } catch (e) {
+            console.error("[project] Session title migration failed for " + slug + ":", e && e.message ? e.message : e);
+          }
+        }, 5000);
+      }
     },
   });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.34.0-beta.7",
+  "version": "2.34.0-beta.9",
   "description": "Self-hosted Claude Code in your browser. Multi-session, multi-user, push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",