codehost 0.15.0 → 0.17.0

package/src/cli/tunnel.ts

@@ -8,7 +8,6 @@ import {
   encodeFrame,
   encodeJson,
   payloadJson,
-  payloadText,
   wsMessageFrames,
 } from "../shared/protocol";
 
@@ -33,6 +32,19 @@ interface HttpStream {
   body: Uint8Array[];
 }
 
+/** A tunneled request offered to the daemon's local routes before proxying. */
+export interface LocalRequest {
+  method: string;
+  /** Raw tunneled path incl. query (no /vs/<peerId> stripping applied). */
+  path: string;
+  headers: Headers;
+  body?: Uint8Array;
+}
+
+/** Serve `/__codehost/*` requests in-daemon (provisioning, plugins). Return
+ *  null/undefined to fall through to the local-server proxy. */
+export type LocalHandler = (req: LocalRequest) => Promise<Response> | null | undefined;
+
 /**
  * Bridges one WebRTC data channel to a local `code serve-web` instance.
  * Multiplexes concurrent HTTP requests and WebSocket connections by streamId.
@@ -54,6 +66,9 @@ export class Tunnel {
      * doesn't know it, so we strip `/vs/<peerId>` before proxying.
      */
     private stripPrefix?: string,
+    /** Serves `/__codehost/*` requests locally (provisioning, plugins) instead
+     *  of forwarding to the local server. Wired only for `serve` (not `expose`). */
+    private onLocal?: LocalHandler,
   ) {
     this.origin = `http://127.0.0.1:${vscodePort}`;
     this.wsOrigin = `ws://127.0.0.1:${vscodePort}`;
@@ -134,12 +149,15 @@ export class Tunnel {
     const body = hasBody ? concat(stream.body) : undefined;
 
     try {
-      const res = await fetch(this.origin + this.localPath(path), {
-        method,
-        headers: reqHeaders,
-        body: body as BodyInit | undefined,
-        redirect: "manual",
-      });
+      const local = this.onLocal?.({ method, path, headers: reqHeaders, body });
+      const res = local
+        ? await local
+        : await fetch(this.origin + this.localPath(path), {
+            method,
+            headers: reqHeaders,
+            body: body as BodyInit | undefined,
+            redirect: "manual",
+          });
 
       const resHeaders: Record<string, string> = {};
       res.headers.forEach((v, k) => {

package/src/cli/vscode-install.ts

@@ -49,10 +49,17 @@ export async function resolveCodeBinary(opts: { force?: boolean } = {}): Promise
     return override;
   }
 
-  // Prefer a user-owned `code` on PATH — but only if it actually runs. A broken
-  // or stub `code` should fall through to a managed install/upgrade.
+  // Prefer a user-owned `code` on PATH — but only if it actually runs AND can
+  // `serve-web`. The desktop app's bin/code wrapper passes --version yet treats
+  // `serve-web` as a file path ("Ignoring option 'host': not supported") and
+  // exits 0 without ever listening — so probe the subcommand, not just the
+  // binary (observed on macOS VS Code 1.123: serve started, then "VS Code
+  // server exited (code 0) before becoming ready").
   const system = Bun.which("code");
-  if (system && runsOk(system)) return system;
+  if (system && runsOk(system)) {
+    if (supportsServeWeb(system)) return system;
+    console.warn(`[codehost] system code (${system}) can't serve-web — using a managed VS Code CLI instead`);
+  }
 
   return ensureManagedBinary(opts.force ?? false);
 }
@@ -119,6 +126,16 @@ function runsOk(bin: string): boolean {
   return r.status === 0;
 }
 
+/** True if `<bin> serve-web --help` is a real subcommand: clean exit, no
+ *  desktop-wrapper "Ignoring option" complaints, and help text that actually
+ *  mentions serve-web. (Run with --help so nothing starts listening.) */
+function supportsServeWeb(bin: string): boolean {
+  const r = spawnSync(bin, ["serve-web", "--help"], { encoding: "utf8", timeout: 10_000 });
+  if (r.status !== 0) return false;
+  const out = `${r.stdout ?? ""}${r.stderr ?? ""}`;
+  return !/ignoring option/i.test(out) && /serve-web/i.test(out);
+}
+
 function isMusl(): boolean {
   if (existsSync("/etc/alpine-release")) return true;
   // `ldd --version` mentions "musl" on musl systems; ignore failures.

package/src/cli/workspaces.test.ts

@@ -0,0 +1,65 @@
+import { describe, expect, test } from "bun:test";
+import { mkdirSync, mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { DEFAULT_LAYOUT } from "../shared/repo";
+import { enumerateWorkspaces } from "./workspaces";
+
+function makeRoot(): string {
+  return mkdtempSync(join(tmpdir(), "codehost-ws-"));
+}
+
+/** Create a checkout dir; .git is a dir by default, a file when `worktree`. */
+function checkout(root: string, rel: string, worktree = false): void {
+  const dir = join(root, rel);
+  mkdirSync(dir, { recursive: true });
+  if (worktree) writeFileSync(join(dir, ".git"), "gitdir: elsewhere");
+  else mkdirSync(join(dir, ".git"));
+}
+
+describe("enumerateWorkspaces", () => {
+  test("walks the default layout and reports repo identity + branch", () => {
+    const root = makeRoot();
+    checkout(root, "snomiao/codehost/tree/main");
+    checkout(root, "symval/symval/tree/dev", true); // worktree-style .git file
+    mkdirSync(join(root, "snomiao/empty/tree/main"), { recursive: true }); // no .git
+
+    const found = enumerateWorkspaces(root, DEFAULT_LAYOUT);
+    expect(found).toHaveLength(2);
+    expect(found).toContainEqual({
+      path: join(root, "snomiao/codehost/tree/main"),
+      repo: "github.com/snomiao/codehost",
+      branch: "main",
+    });
+    expect(found).toContainEqual({
+      path: join(root, "symval/symval/tree/dev"),
+      repo: "github.com/symval/symval",
+      branch: "dev",
+    });
+  });
+
+  test("literal segments must exist; placeholders match one level", () => {
+    const root = makeRoot();
+    checkout(root, "ws/snomiao/codehost"); // layout ws/{owner}/{repo}
+    checkout(root, "other/snomiao/codehost"); // doesn't match the literal "ws"
+
+    const found = enumerateWorkspaces(root, "ws/{owner}/{repo}");
+    expect(found).toHaveLength(1);
+    expect(found[0].repo).toBe("github.com/snomiao/codehost");
+    expect(found[0].branch).toBeUndefined();
+  });
+
+  test("skips dot-directories and tolerates a missing root", () => {
+    const root = makeRoot();
+    checkout(root, ".hidden/codehost/tree/main");
+    expect(enumerateWorkspaces(root, DEFAULT_LAYOUT)).toHaveLength(0);
+    expect(enumerateWorkspaces(join(root, "nope"), DEFAULT_LAYOUT)).toHaveLength(0);
+  });
+
+  test("uses the given git host in repo identity", () => {
+    const root = makeRoot();
+    checkout(root, "group/proj/tree/main");
+    const found = enumerateWorkspaces(root, DEFAULT_LAYOUT, "gitlab.com");
+    expect(found[0].repo).toBe("gitlab.com/group/proj");
+  });
+});

package/src/cli/workspaces.ts

@@ -0,0 +1,80 @@
+import { existsSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { GITHUB_HOST, toPosixPath } from "../shared/repo";
+import type { WorkspaceInfo } from "../shared/signaling";
+
+// Enumerate the checkouts that exist under a root daemon's home by walking the
+// workspace layout template (e.g. "{owner}/{repo}/tree/{branch}") one segment
+// at a time: a literal segment must exist, a placeholder segment matches one
+// directory level. A leaf only counts as a workspace when it holds a `.git`
+// (directory, or file for a worktree). Feeds PeerMeta.workspaces.
+
+/** Cap the advertised list (meta rides the signaling room broadcast). */
+const MAX_WORKSPACES = 200;
+/** Cap the intermediate walk so a huge home dir can't blow up enumeration. */
+const MAX_FRONTIER = 1000;
+
+export function enumerateWorkspaces(rootDir: string, layout: string, host = GITHUB_HOST): WorkspaceInfo[] {
+  let frontier = [{ dir: rootDir, vars: {} as Record<string, string> }];
+  for (const seg of layout.split("/").filter(Boolean)) {
+    const names = [...seg.matchAll(/\{(\w+)\}/g)].map((m) => m[1]);
+    const next: typeof frontier = [];
+    for (const f of frontier) {
+      if (next.length >= MAX_FRONTIER) break;
+      if (names.length === 0) {
+        const dir = join(f.dir, seg);
+        if (isDir(dir)) next.push({ dir, vars: f.vars });
+        continue;
+      }
+      const re = segmentPattern(seg);
+      for (const name of listDirs(f.dir)) {
+        if (next.length >= MAX_FRONTIER) break;
+        if (name.startsWith(".")) continue;
+        const m = re.exec(name);
+        if (!m) continue;
+        const vars = { ...f.vars };
+        names.forEach((n, i) => (vars[n] = m[i + 1]));
+        next.push({ dir: join(f.dir, name), vars });
+      }
+    }
+    frontier = next;
+    if (frontier.length === 0) return [];
+  }
+
+  const out: WorkspaceInfo[] = [];
+  for (const f of frontier) {
+    if (out.length >= MAX_WORKSPACES) break;
+    if (!existsSync(join(f.dir, ".git"))) continue;
+    const { owner, repo, branch } = f.vars;
+    out.push({
+      path: toPosixPath(f.dir),
+      ...(owner && repo ? { repo: `${host}/${owner}/${repo}` } : {}),
+      ...(branch ? { branch } : {}),
+    });
+  }
+  return out;
+}
+
+/** A layout segment as a matcher: literals exact, `{name}`s capture. */
+function segmentPattern(seg: string): RegExp {
+  const escaped = seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return new RegExp(`^${escaped.replace(/\\\{\w+\\\}/g, "([^/]+)")}$`);
+}
+
+function isDir(p: string): boolean {
+  try {
+    return statSync(p).isDirectory();
+  } catch {
+    return false;
+  }
+}
+
+function listDirs(p: string): string[] {
+  try {
+    return readdirSync(p, { withFileTypes: true })
+      .filter((e) => e.isDirectory() || e.isSymbolicLink())
+      .map((e) => e.name);
+  } catch {
+    return [];
+  }
+}

package/src/shared/provision.test.ts

@@ -0,0 +1,79 @@
+import { describe, expect, test } from "bun:test";
+import { repoAllowed, resolveWorkspacePath, validateProvisionTarget } from "./provision";
+
+describe("validateProvisionTarget — the injection boundary", () => {
+  test("accepts normal identities", () => {
+    const r = validateProvisionTarget("snomiao", "codehost", "main");
+    expect(r.ok).toBe(true);
+    if (r.ok) expect(r.target).toEqual({ owner: "snomiao", repo: "codehost", branch: "main" });
+  });
+
+  test("accepts branch with slashes and hyphens", () => {
+    const r = validateProvisionTarget("snomiao", "codehost", "feat/some-thing");
+    expect(r.ok).toBe(true);
+  });
+
+  test("empty branch defaults to main", () => {
+    const r = validateProvisionTarget("snomiao", "codehost", "");
+    expect(r.ok && r.target.branch).toBe("main");
+  });
+
+  // The whole point: these must NOT pass.
+  test("rejects path traversal in owner/repo", () => {
+    expect(validateProvisionTarget("..", "codehost", "main").ok).toBe(false);
+    expect(validateProvisionTarget(".", "codehost", "main").ok).toBe(false);
+    expect(validateProvisionTarget("snomiao", "..", "main").ok).toBe(false);
+    expect(validateProvisionTarget("a/b", "codehost", "main").ok).toBe(false); // slash
+    expect(validateProvisionTarget(".ssh", "codehost", "main").ok).toBe(false); // leading dot
+  });
+
+  test("rejects traversal / leading-dash / junk in branch", () => {
+    expect(validateProvisionTarget("o", "r", "a/../../etc").ok).toBe(false);
+    expect(validateProvisionTarget("o", "r", "..").ok).toBe(false);
+    expect(validateProvisionTarget("o", "r", "-x").ok).toBe(false); // option injection
+    expect(validateProvisionTarget("o", "r", "feat/-x").ok).toBe(false);
+    expect(validateProvisionTarget("o", "r", "a b").ok).toBe(false); // whitespace
+    expect(validateProvisionTarget("o", "r", "a;rm -rf").ok).toBe(false); // shell meta
+    expect(validateProvisionTarget("o", "r", "a$(id)").ok).toBe(false);
+    expect(validateProvisionTarget("o", "r", "a`id`").ok).toBe(false);
+  });
+});
+
+describe("resolveWorkspacePath — daemon-authoritative, cannot escape home", () => {
+  test("fills the default layout under home", () => {
+    const t = { owner: "snomiao", repo: "codehost", branch: "main" };
+    expect(resolveWorkspacePath("/Users/sno/ws", "", t)).toBe("/Users/sno/ws/snomiao/codehost/tree/main");
+  });
+
+  test("honors a custom layout template (e.g. config.yaml ws/ home model)", () => {
+    const t = { owner: "snomiao", repo: "codehost", branch: "feat/x" };
+    expect(resolveWorkspacePath("/home/me", "ws/{owner}/{repo}/tree/{branch}", t)).toBe(
+      "/home/me/ws/snomiao/codehost/tree/feat/x",
+    );
+  });
+
+  test("a validated target can never produce a path above home", () => {
+    // Only validated targets reach here; confirm the segments are inert.
+    const v = validateProvisionTarget("snomiao", "codehost", "main");
+    expect(v.ok).toBe(true);
+    if (v.ok) {
+      const p = resolveWorkspacePath("/Users/sno/ws", "{owner}/{repo}/tree/{branch}", v.target);
+      expect(p.startsWith("/Users/sno/ws/")).toBe(true);
+      expect(p.includes("/../")).toBe(false);
+    }
+  });
+});
+
+describe("repoAllowed", () => {
+  test("empty/absent allowlist allows all", () => {
+    expect(repoAllowed("github.com/x/y", undefined)).toBe(true);
+    expect(repoAllowed("github.com/x/y", [])).toBe(true);
+  });
+
+  test("exact + owner wildcard", () => {
+    expect(repoAllowed("github.com/snomiao/codehost", ["github.com/snomiao/codehost"])).toBe(true);
+    expect(repoAllowed("github.com/snomiao/codehost", ["github.com/snomiao/*"])).toBe(true);
+    expect(repoAllowed("github.com/evil/repo", ["github.com/snomiao/*"])).toBe(false);
+    expect(repoAllowed("gitlab.com/snomiao/x", ["github.com/snomiao/*"])).toBe(false);
+  });
+});

package/src/shared/provision.ts

@@ -0,0 +1,67 @@
+// Pure provisioning helpers: the security boundary for "open a repo link runs a
+// host setup script". The room token already grants code execution (the editor
+// is a terminal), so script execution is not new trust — the only new surface is
+// a crafted/shared link auto-triggering setup.sh with attacker-chosen
+// owner/repo/branch. That surface is bounded entirely here: validate the
+// identity so it can't traverse out of the home root or inject options, and
+// compute the workspace path **daemon-authoritatively** (never from script
+// output). Kept pure + unit-tested precisely because it's the injection gate.
+
+import { DEFAULT_BRANCH, DEFAULT_LAYOUT } from "./repo";
+
+export interface ProvisionTarget {
+  owner: string;
+  repo: string;
+  branch: string;
+}
+
+export type ValidateResult = { ok: true; target: ProvisionTarget } | { ok: false; reason: string };
+
+// First char must be alphanumeric: rejects "..", ".", leading-dot tricks, and a
+// leading "-" in one stroke (a bare `[A-Za-z0-9._-]+` would match "..").
+const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
+// Positive allowlist for a branch ref as a whole: safe path chars only. Excludes
+// whitespace, control chars, and shell metacharacters by construction.
+const BRANCH_CHARS = /^[A-Za-z0-9._/-]+$/;
+
+/** Validate the (owner, repo, branch) identity carried by a repo deep link before
+ *  it is used to build a filesystem path or passed to a setup script. Branch may
+ *  contain "/" (worktree refs) but no empty/`.`/`..` segment and no segment
+ *  starting with "-" (else `git checkout "$BRANCH"` eats it as an option flag —
+ *  option injection survives env-passing because the script interpolates it). An
+ *  empty branch defaults to DEFAULT_BRANCH. */
+export function validateProvisionTarget(owner: string, repo: string, branch: string): ValidateResult {
+  if (!SEGMENT.test(owner)) return { ok: false, reason: `invalid owner: ${owner}` };
+  if (!SEGMENT.test(repo)) return { ok: false, reason: `invalid repo: ${repo}` };
+  const b = (branch || DEFAULT_BRANCH).trim();
+  if (!BRANCH_CHARS.test(b)) return { ok: false, reason: `invalid branch: ${b}` };
+  const segs = b.split("/");
+  if (segs.some((s) => s === "" || s === "." || s === ".." || s.startsWith("-"))) {
+    return { ok: false, reason: `invalid branch: ${b}` };
+  }
+  return { ok: true, target: { owner, repo, branch: b } };
+}
+
+/** Fill a workspace layout template from a *validated* target. POSIX-space (the
+ *  served cwd is already `toPosixPath`'d), so the result is the `?folder=` form.
+ *  Safe against traversal only because `target` passed validateProvisionTarget. */
+export function resolveWorkspacePath(homePosix: string, layout: string, target: ProvisionTarget): string {
+  const rel = (layout || DEFAULT_LAYOUT)
+    .replace(/\{owner\}/g, target.owner)
+    .replace(/\{repo\}/g, target.repo)
+    .replace(/\{branch\}/g, target.branch);
+  return `${homePosix.replace(/\/+$/, "")}/${rel.replace(/^\/+/, "")}`;
+}
+
+/** Whether a repo may be auto-provisioned. An empty/absent allowlist allows all
+ *  (provisioning is already opt-in by the presence of setup.sh); otherwise the
+ *  repo key `<host>/<owner>/<repo>` must match an entry, where a trailing `/*`
+ *  is an owner/prefix wildcard (e.g. `github.com/snomiao/*`). */
+export function repoAllowed(repoKey: string, allowlist: string[] | undefined): boolean {
+  if (!allowlist || allowlist.length === 0) return true;
+  return allowlist.some((rule) => {
+    const r = rule.trim();
+    if (r.endsWith("/*")) return repoKey.startsWith(r.slice(0, -1));
+    return repoKey === r;
+  });
+}

package/src/shared/repo.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, test } from "bun:test";
 import { gitUrlToPath, parseDeepLink, pickRoomMatch, repoKey, resolveDevTarget, resolveRepoTarget, shareableDeepLink, toPosixPath } from "./repo";
-import type { PeerInfo } from "./signaling";
+import type { PeerInfo, WorkspaceInfo } from "./signaling";
 import { parseGitRemote } from "../cli/git";
 
 describe("toPosixPath", () => {
@@ -217,6 +217,115 @@ describe("resolveRepoTarget root selection", () => {
   });
 });
 
+describe("resolveDevTarget advertised workspaces", () => {
+  const root: PeerInfo = {
+    peerId: "root1",
+    role: "server",
+    meta: {
+      name: "mac",
+      host: "mbp",
+      cwd: "/Users/sno",
+      kind: "root",
+      workspaces: [{ path: "/Users/sno/scratch/tool" }],
+    },
+  };
+
+  test("a /host/<host>/<path> link matches a registered workspace on a root daemon", () => {
+    const res = resolveDevTarget([root], { host: "mbp", path: "/Users/sno/scratch/tool" });
+    expect(res?.peerId).toBe("root1");
+    expect(res?.folder).toBe("/Users/sno/scratch/tool");
+    expect(res?.exact).toBe(true);
+  });
+
+  test("host scoping still applies to workspace matches", () => {
+    expect(resolveDevTarget([root], { host: "other", path: "/Users/sno/scratch/tool" })).toBeNull();
+  });
+
+  test("an exact cwd mount still wins (no folder synthesized)", () => {
+    const res = resolveDevTarget([root], { host: "mbp", path: "/Users/sno" });
+    expect(res).toEqual({ peerId: "root1" });
+  });
+});
+
+describe("resolveRepoTarget enumerated workspaces (exact)", () => {
+  const target = { host: "github.com", owner: "snomiao", name: "codehost" };
+  const root = (peerId: string, cwd: string, workspaces?: WorkspaceInfo[]): PeerInfo => ({
+    peerId,
+    role: "server",
+    meta: { name: peerId, host: "Mac", cwd, kind: "root", workspaces },
+  });
+
+  test("an enumerated checkout beats a deeper root's synthesized fallback", () => {
+    const servers = [
+      root("deep", "/Users/sno/ws"),
+      root("listed", "/Users/sno", [
+        { path: "/Users/sno/snomiao/codehost/tree/main", repo: "github.com/snomiao/codehost", branch: "main" },
+      ]),
+    ];
+    const res = resolveRepoTarget(servers, target);
+    expect(res?.peerId).toBe("listed");
+    expect(res?.folder).toBe("/Users/sno/snomiao/codehost/tree/main");
+    expect(res?.exact).toBe(true);
+  });
+
+  test("branch mismatch falls back to the synthesized path", () => {
+    const servers = [
+      root("listed", "/Users/sno/ws", [
+        { path: "/Users/sno/ws/snomiao/codehost/tree/main", repo: "github.com/snomiao/codehost", branch: "main" },
+      ]),
+    ];
+    const res = resolveRepoTarget(servers, { ...target, branch: "dev" });
+    expect(res?.exact).toBeUndefined();
+    expect(res?.folder).toBe("/Users/sno/ws/snomiao/codehost/tree/dev");
+  });
+
+  test("pickRoomMatch ranks an exact enumerated match like a repo daemon", () => {
+    const fallback = { token: "room-a", resolution: { peerId: "x", folder: "/a/b" } };
+    const exact = { token: "room-b", resolution: { peerId: "y", folder: "/c/d", exact: true } };
+    expect(pickRoomMatch([fallback, exact])?.token).toBe("room-b");
+  });
+});
+
+describe("resolveRepoTarget machine preference (history)", () => {
+  const target = { host: "github.com", owner: "snomiao", name: "codehost" };
+  const repoDaemon = (peerId: string, hostId?: string, host = "Mac"): PeerInfo => ({
+    peerId,
+    role: "server",
+    meta: { name: peerId, host, hostId, cwd: "/x", repo: "github.com/snomiao/codehost" },
+  });
+  const root = (peerId: string, cwd: string, hostId?: string, host = "Mac"): PeerInfo => ({
+    peerId,
+    role: "server",
+    meta: { name: peerId, host, hostId, cwd, kind: "root" },
+  });
+
+  test("among equal repo daemons, prefers the history hostId", () => {
+    const servers = [repoDaemon("a", "id-a"), repoDaemon("b", "id-b")];
+    expect(resolveRepoTarget(servers, target, { hostId: "id-b" })?.peerId).toBe("b");
+    expect(resolveRepoTarget(servers, target, { hostId: "id-a" })?.peerId).toBe("a");
+  });
+
+  test("hostname fallback matches entries/daemons without a hostId", () => {
+    const servers = [repoDaemon("a", undefined, "mbp"), repoDaemon("b", undefined, "win")];
+    expect(resolveRepoTarget(servers, target, { host: "win" })?.peerId).toBe("b");
+  });
+
+  test("preferred root beats a deeper root on another machine", () => {
+    const servers = [root("deep", "/Users/sno/ws/x", "id-other"), root("mine", "/Users/sno", "id-mine")];
+    expect(resolveRepoTarget(servers, target, { hostId: "id-mine" })?.peerId).toBe("mine");
+  });
+
+  test("no preference keeps the existing order (deepest root, first repo daemon)", () => {
+    const servers = [root("shallow", "/Users/sno", "id-1"), root("deep", "/Users/sno/ws", "id-2")];
+    expect(resolveRepoTarget(servers, target)?.peerId).toBe("deep");
+  });
+
+  test("a stale preference (machine offline) falls back gracefully", () => {
+    const servers = [repoDaemon("a", "id-a")];
+    expect(resolveRepoTarget(servers, target, { hostId: "gone" })?.peerId).toBe("a");
+  });
+});
+
 describe("gitUrlToPath", () => {
   test("github URLs -> /gh, preserving branch (incl. slashes)", () => {
     expect(gitUrlToPath("https://github.com/snomiao/codehost")).toBe("/gh/snomiao/codehost");

package/src/shared/repo.ts

@@ -100,6 +100,16 @@ export function toPosixPath(p: string): string {
   return p.replace(/\\/g, "/");
 }
 
+/** Inverse of `toPosixPath` for the host OS: the VS Code `?folder=` form back to
+ *  a real filesystem path. `/C:/ws` -> `C:\ws` (Windows); a POSIX path is
+ *  returned unchanged (only Windows cwds carry the `/<drive>:/` shape). */
+export function fromPosixPath(p: string): string {
+  const drive = /^\/([A-Za-z]):(\/.*)?$/.exec(p);
+  if (!drive) return p;
+  const rest = (drive[2] ?? "").replace(/\//g, "\\");
+  return `${drive[1]}:${rest || "\\"}`;
+}
+
 /** Fill a layout template from a repo target (default branch -> DEFAULT_BRANCH). */
 export function fillLayout(layout: string, t: RepoTarget): string {
   return layout
@@ -163,26 +173,66 @@ export interface Resolution {
   peerId: string;
   /** Folder to open via ?folder= (root kind); undefined opens the repo as-is. */
   folder?: string;
+  /** The folder is a checkout the daemon *enumerated* (it exists on disk), not
+   *  an optimistic layout-synthesized path — rank it like an exact match. */
+  exact?: boolean;
+}
+
+/** Machine preference (from history) used to break ties between matches. */
+export interface ResolvePrefs {
+  /** Stable machine id — prefer servers advertising it. */
+  hostId?: string;
+  /** Hostname fallback for pre-hostId daemons/entries. */
+  host?: string;
+}
+
+function prefers(meta: PeerMeta | null | undefined, prefer?: ResolvePrefs): boolean {
+  if (!prefer || !meta) return false;
+  if (prefer.hostId && meta.hostId) return meta.hostId === prefer.hostId;
+  return !!prefer.host && meta.host === prefer.host;
 }
 
 /**
  * Pick the best live server for a repo deep link. Prefers an exact `repo`
  * daemon; otherwise falls back to a `root` daemon that can open the subfolder.
- * Among several roots, prefers the **deepest** (longest cwd) — with a nested
- * setup like /Users/sno and /Users/sno/ws both serving, the layout subfolder
- * exists under the deeper one (observed: /gh/snomiao/codehost belongs to
- * /Users/sno/ws/..., not /Users/sno/...). Returns null if nothing matches.
+ * Ties (several repo daemons, or several roots) break toward the machine in
+ * `prefer` — the one history says served this repo last. Among several roots,
+ * then prefers the **deepest** (longest cwd) — with a nested setup like
+ * /Users/sno and /Users/sno/ws both serving, the layout subfolder exists under
+ * the deeper one (observed: /gh/snomiao/codehost belongs to /Users/sno/ws/...,
+ * not /Users/sno/...). Returns null if nothing matches.
  */
-export function resolveRepoTarget(servers: PeerInfo[], target: RepoTarget): Resolution | null {
+export function resolveRepoTarget(
+  servers: PeerInfo[],
+  target: RepoTarget,
+  prefer?: ResolvePrefs,
+): Resolution | null {
   const key = repoKey(target);
-  const repoMatch = servers.find(
+  const repoMatches = servers.filter(
     (s) => s.meta?.kind !== "root" && s.meta?.repo === key && branchOk(s.meta, target),
   );
+  const repoMatch = repoMatches.find((s) => prefers(s.meta, prefer)) ?? repoMatches[0];
   if (repoMatch) return { peerId: repoMatch.peerId };
 
-  const root = servers
+  const roots = servers
     .filter((s) => s.meta?.kind === "root")
-    .sort((a, b) => (b.meta?.cwd.length ?? 0) - (a.meta?.cwd.length ?? 0))[0];
+    .sort(
+      (a, b) =>
+        Number(prefers(b.meta, prefer)) - Number(prefers(a.meta, prefer)) ||
+        (b.meta?.cwd.length ?? 0) - (a.meta?.cwd.length ?? 0),
+    );
+
+  // A root that *enumerated* a matching checkout knows it exists on disk —
+  // rank it exact, ahead of any synthesized fallback.
+  const wantBranch = target.branch || DEFAULT_BRANCH;
+  for (const s of roots) {
+    const ws = s.meta?.workspaces?.find(
+      (w) => w.repo === key && (!w.branch || w.branch === wantBranch),
+    );
+    if (ws) return { peerId: s.peerId, folder: ws.path, exact: true };
+  }
+
+  const root = roots[0];
   if (root && root.meta) {
     const folder = `${trimSlash(root.meta.cwd)}/${fillLayout(root.meta.layout || DEFAULT_LAYOUT, target)}`;
     return { peerId: root.peerId, folder };
@@ -194,13 +244,20 @@ export function resolveRepoTarget(servers: PeerInfo[], target: RepoTarget): Reso
  *  to `target.host` when the link carries one (a bare path is ambiguous across
  *  machines). Compares with leading + trailing slashes stripped: `parseDeepLink`
  *  forces a leading "/" on the path, but a served cwd may lack one (e.g. an
- *  `expose` server's `localhost:<port>`), so a trailing-only trim never matches. */
+ *  `expose` server's `localhost:<port>`), so a trailing-only trim never matches.
+ *  A root daemon whose *advertised workspaces* include the path matches too —
+ *  that's how directories registered with the host daemon resolve. */
 export function resolveDevTarget(servers: PeerInfo[], target: DevTarget): Resolution | null {
   const want = stripEnds(target.path);
-  const hit = servers.find(
-    (s) => s.meta && stripEnds(s.meta.cwd) === want && (!target.host || s.meta.host === target.host),
-  );
-  return hit ? { peerId: hit.peerId } : null;
+  const hostOk = (meta: PeerMeta) => !target.host || meta.host === target.host;
+  const hit = servers.find((s) => s.meta && stripEnds(s.meta.cwd) === want && hostOk(s.meta));
+  if (hit) return { peerId: hit.peerId };
+  for (const s of servers) {
+    if (!s.meta || !hostOk(s.meta)) continue;
+    const ws = s.meta.workspaces?.find((w) => stripEnds(w.path) === want);
+    if (ws) return { peerId: s.peerId, folder: ws.path, exact: true };
+  }
+  return null;
 }
 
 /** A candidate room (its token) plus how the deep link resolved within it. */
@@ -211,14 +268,15 @@ export interface RoomMatch {
 
 /**
  * Rank matches found while searching multiple rooms for a token-less deep link.
- * An *exact* match (a server that genuinely serves this repo/folder — no
- * synthesized `folder`) beats a *root fallback* (a root daemon that would open
- * the repo as a subfolder, which `resolveRepoTarget` returns for ANY repo link).
- * Without this preference, first-responder-wins could pick an unrelated room
- * that merely has a root server. Returns null when there are no matches.
+ * An *exact* match (a server that genuinely serves this repo/folder — a repo
+ * daemon, or a root whose enumerated checkout matched) beats a *root fallback*
+ * (a root daemon that would open the repo as a synthesized subfolder, which
+ * `resolveRepoTarget` returns for ANY repo link). Without this preference,
+ * first-responder-wins could pick an unrelated room that merely has a root
+ * server. Returns null when there are no matches.
  */
 export function pickRoomMatch(matches: RoomMatch[]): RoomMatch | null {
-  return matches.find((m) => !m.resolution.folder) ?? matches[0] ?? null;
+  return matches.find((m) => !m.resolution.folder || m.resolution.exact) ?? matches[0] ?? null;
 }
 
 function branchOk(meta: PeerMeta, target: RepoTarget): boolean {