codehost 0.17.0 → 0.18.1

package/CHANGELOG.md

@@ -1,3 +1,18 @@
+## [0.18.1](https://github.com/snomiao/codehost/compare/v0.18.0...v0.18.1) (2026-06-11)
+
+
+### Bug Fixes
+
+* **signaling:** abort connect attempts stuck in CONNECTING; guard tunnel stream enqueue ([b3ae0d1](https://github.com/snomiao/codehost/commit/b3ae0d11299a195b8d09e42355cd14a3b09b8d2f))
+
+# [0.18.0](https://github.com/snomiao/codehost/compare/v0.17.0...v0.18.0) (2026-06-11)
+
+
+### Features
+
+* **cli:** ~/ws as the default workspace root + loud y/N confirm for serving $HOME ([aee5a20](https://github.com/snomiao/codehost/commit/aee5a207a930058472f5b2042a56904051e079a7))
+* **provision:** batteries-included roots — setup auto-scaffolds .codehost/, scaffold detaches fresh clones ([625d958](https://github.com/snomiao/codehost/commit/625d9587d97b59da0bb595aa456a56d3bf920ac4))
+
 # [0.17.0](https://github.com/snomiao/codehost/compare/v0.16.0...v0.17.0) (2026-06-11)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codehost",
-  "version": "0.17.0",
+  "version": "0.18.1",
   "type": "module",
   "repository": {
     "type": "git",

package/src/cli/commands/serve.ts

@@ -1,10 +1,11 @@
-import { hostname } from "node:os";
+import { mkdirSync } from "node:fs";
+import { homedir, hostname } from "node:os";
 import { resolve } from "node:path";
 import type { CommandModule } from "yargs";
 import type { PeerMeta } from "../../shared/signaling";
 import { DEFAULT_LAYOUT, GITHUB_HOST, toPosixPath } from "../../shared/repo";
 import { TOKEN_REQUIREMENTS, validateToken } from "../../shared/token";
-import { ensureHostId } from "../config";
+import { defaultRoot, ensureHostId } from "../config";
 import { launchServeDaemon } from "../daemonize";
 import { announceConnect } from "../open-url";
 import { agentYesPlugin } from "../plugins/agent-yes";
@@ -23,8 +24,43 @@ import { enumerateWorkspaces } from "../workspaces";
 
 export const DEFAULT_SIGNAL_URL = "wss://signal.codehost.dev";
 
+/** Warn + interactively confirm a risky root (default No). Non-TTY contexts
+ *  (the oxmgr-daemonized child, CI) can't answer — there the human already
+ *  confirmed at launch time, so warn loudly and proceed. */
+export async function confirmRiskyRoot(dir: string): Promise<boolean> {
+  const warning = rootWarning(dir);
+  if (!warning) return true;
+  console.warn(`[codehost] warning: ${warning}`);
+  if (!process.stdin.isTTY || !process.stdout.isTTY) return true;
+  process.stdout.write("[codehost] serve it anyway? [y/N] ");
+  const line = await new Promise<string>((res) => {
+    process.stdin.resume();
+    process.stdin.once("data", (d) => {
+      process.stdin.pause();
+      res(String(d));
+    });
+  });
+  return /^y(es)?$/i.test(line.trim());
+}
+
+/** Warning for serving a risky workspace root, or null if fine. $HOME (and the
+ *  filesystem root) expose everything you own over the room, collide the
+ *  provisioning `.codehost/` with the machine-level `~/.codehost`, and make
+ *  workspace enumeration walk your whole home. Allowed if you insist — but
+ *  say so loudly and point at a dedicated dir like ~/ws. */
+export function rootWarning(dir: string): string | null {
+  const norm = resolve(dir);
+  if (norm === resolve(homedir())) {
+    return "serving your HOME directory as the workspace root — everything in it is reachable through this room. A dedicated dir is safer: codehost serve ~/ws";
+  }
+  if (norm === resolve("/")) {
+    return "serving the filesystem root — the entire machine is reachable through this room. A dedicated dir is safer, e.g. ~/ws";
+  }
+  return null;
+}
+
 interface ServeArgs {
-  dir: string;
+  dir?: string;
   token: string;
   name?: string;
   signal: string;
@@ -39,9 +75,8 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
   builder: (y) =>
     y
       .positional("dir", {
-        describe: "Directory to serve (defaults to cwd)",
+        describe: "Workspace root to serve (default: the remembered root, else ~/ws)",
         type: "string",
-        default: ".",
       })
       .option("token", {
         alias: "t",
@@ -77,7 +112,17 @@ export const serveCommand: CommandModule<{}, ServeArgs> = {
       process.exit(1);
     }
 
-    const dir = resolve(process.cwd(), argv.dir);
+    // Explicit dir > remembered root (config.json) > ~/ws. Bare `codehost
+    // serve` should land somewhere sane, never accidentally on $HOME/cwd.
+    const dir = argv.dir ? resolve(process.cwd(), argv.dir) : defaultRoot();
+    if (!argv.dir) {
+      mkdirSync(dir, { recursive: true });
+      console.log(`[codehost] no dir given — serving workspace root ${dir}`);
+    }
+    if (!(await confirmRiskyRoot(dir))) {
+      console.error("[codehost] aborted");
+      process.exit(1);
+    }
     const host = hostname();
 
     // `-d`: re-launch this same `serve` (without -d) under oxmgr, then exit.

package/src/cli/commands/setup.ts

@@ -1,16 +1,19 @@
+import { mkdirSync } from "node:fs";
 import { hostname } from "node:os";
 import { resolve } from "node:path";
 import type { CommandModule } from "yargs";
 import { generateToken, validateToken, TOKEN_REQUIREMENTS } from "../../shared/token";
-import { readConfig, writeConfig } from "../config";
+import { defaultRoot, readConfig, writeConfig } from "../config";
 import { launchServeDaemon } from "../daemonize";
 import { isGitRepo } from "../git";
+import { scaffoldCodehost } from "../init";
+import { confirmRiskyRoot } from "./serve";
 import { resolveCodeBinary } from "../vscode-install";
 import { announceConnect } from "../open-url";
 import { DEFAULT_SIGNAL_URL } from "./serve";
 
 interface SetupArgs {
-  dir: string;
+  dir?: string;
   token?: string;
   newToken: boolean;
   name?: string;
@@ -23,7 +26,10 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
   describe: "One-shot: pick a token, ensure VS Code, and start a daemonized server",
   builder: (y) =>
     y
-      .positional("dir", { describe: "Directory to serve (defaults to cwd)", type: "string", default: "." })
+      .positional("dir", {
+        describe: "Directory to serve (default: a git cwd serves itself, else the remembered root / ~/ws)",
+        type: "string",
+      })
       .option("token", {
         alias: "t",
         describe: "Room token (generated + saved if omitted)",
@@ -38,7 +44,23 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
       .option("signal", { describe: "Signaling server URL", type: "string", default: DEFAULT_SIGNAL_URL })
       .option("port", { describe: "Fixed port for the local VS Code server", type: "number" }) as any,
   handler: async (argv) => {
-    const dir = resolve(process.cwd(), argv.dir);
+    // Explicit dir > a git cwd (serve THIS repo) > remembered root > ~/ws —
+    // so a bare `codehost setup` (e.g. from the installer) lands on a sane
+    // workspace root instead of whatever directory it happened to run in.
+    let dir: string;
+    if (argv.dir) {
+      dir = resolve(process.cwd(), argv.dir);
+    } else if (isGitRepo(process.cwd())) {
+      dir = process.cwd();
+    } else {
+      dir = defaultRoot();
+      mkdirSync(dir, { recursive: true });
+      console.log(`[codehost] no dir given — using workspace root ${dir}`);
+    }
+    if (!(await confirmRiskyRoot(dir))) {
+      console.error("[codehost] aborted");
+      process.exit(1);
+    }
     const host = hostname();
 
     // 1. Resolve the room token: validate an explicit one, otherwise reuse the
@@ -53,10 +75,24 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
     const codeBin = await resolveCodeBinary();
     console.log(`[codehost] using VS Code: ${codeBin}`);
 
-    // 3. Start the WebRTC + VS Code server under oxmgr. A git repo is a single
+    // 3. Batteries included: a workspace root gets its `.codehost/` scaffold
+    //    (config.yaml + clone/worktree setup hook) so /gh/<owner>/<repo> links
+    //    provision on demand out of the box. Existing files are never touched;
+    //    no new trust — the room token already grants code execution.
+    const root = !isGitRepo(dir);
+    if (root) {
+      const written = scaffoldCodehost(dir);
+      if (written.length > 0) {
+        console.log(`[codehost] scaffolded ${dir}/.codehost (config.yaml + setup hook — edit freely)`);
+      }
+      // Remember an explicitly chosen root so future bare runs reuse it.
+      if (argv.dir) writeConfig({ ...readConfig(), root: dir });
+    }
+
+    // 4. Start the WebRTC + VS Code server under oxmgr. A git repo is a single
     //    workspace (`dev`); anything else is treated as a root (`serve`).
     const { ok, name } = await launchServeDaemon({
-      command: isGitRepo(dir) ? "dev" : "serve",
+      command: root ? "serve" : "dev",
       dir,
       token,
       signal: argv.signal,
@@ -66,7 +102,7 @@ export const setupCommand: CommandModule<{}, SetupArgs> = {
     });
     if (!ok) process.exit(1);
 
-    // 4. Tell the user how to connect, and open the browser straight at the
+    // 5. Tell the user how to connect, and open the browser straight at the
     //    token-carrying URL so VS Code loads without typing the token in.
     console.log("");
     console.log(`[codehost] ✓ server "${name}" is live, serving ${dir}`);

package/src/cli/config.ts

@@ -15,6 +15,9 @@ export interface CliConfig {
    *  this machine advertises it, so the web UI can group peers by host and
    *  history entries survive daemon restarts (peerIds are per-process). */
   hostId?: string;
+  /** Workspace root remembered from an explicit `codehost setup <dir>` —
+   *  reused when serve/setup run with no dir. Absent -> ~/ws. */
+  root?: string;
 }
 
 export function readConfig(file: string = CONFIG_FILE): CliConfig {
@@ -30,6 +33,12 @@ export function writeConfig(config: CliConfig, file: string = CONFIG_FILE): void
   writeFileSync(file, JSON.stringify(config, null, 2));
 }
 
+/** The workspace root to use when no dir was given: the remembered root from
+ *  config, else ~/ws (created on demand by the caller). Never $HOME itself. */
+export function defaultRoot(file: string = CONFIG_FILE): string {
+  return readConfig(file).root || join(homedir(), "ws");
+}
+
 /** This machine's persistent hostId, minting + saving it on first call. */
 export function ensureHostId(file: string = CONFIG_FILE): string {
   const config = readConfig(file);

package/src/cli/init.test.ts

@@ -23,11 +23,11 @@ describe("scaffoldCodehost", () => {
     expect(existsSync(join(home, ".codehost", "setup.ps1"))).toBe(true);
   });
 
-  test("config.yaml is valid YAML with a workspace template", () => {
+  test("config.yaml is valid YAML with a prefix-free workspace template", () => {
     const home = mkHome();
     scaffoldCodehost(home);
     const cfg = parseYaml(readFileSync(join(home, ".codehost", "config.yaml"), "utf8"));
-    expect(cfg.workspace).toBe("ws/{owner}/{repo}/tree/{branch}");
+    expect(cfg.workspace).toBe("{owner}/{repo}/tree/{branch}");
   });
 
   test("setup.sh keeps shell vars literal (no JS interpolation leaked)", () => {
@@ -37,6 +37,8 @@ describe("scaffoldCodehost", () => {
     expect(sh).toContain("$CODEHOST_WS");
     expect(sh).toContain("${ws%/tree/$CODEHOST_BRANCH}");
     expect(sh).toContain("git -C \"$repo\" worktree add");
+    // Fresh clones detach so the default branch is worktree-able too.
+    expect(sh).toContain('git -C "$repo" switch --detach');
   });
 
   test("idempotent: a second run writes nothing; --force overwrites", () => {

package/src/cli/init.ts

@@ -7,9 +7,9 @@ import { join } from "node:path";
 
 const CONFIG_YAML = `# codehost workspace config — see docs/provisioning.md
 
-# Where /gh/<owner>/<repo>/tree/<branch> lands, relative to this home dir.
-# Default (if omitted): {owner}/{repo}/tree/{branch}
-workspace: "ws/{owner}/{repo}/tree/{branch}"
+# Where /gh/<owner>/<repo>/tree/<branch> lands, relative to this served root
+# (serve a dedicated workspace dir like ~/ws — never \$HOME itself).
+workspace: "{owner}/{repo}/tree/{branch}"
 
 # Optional: only these repos may auto-provision (a trailing /* is an owner
 # wildcard). Empty/absent = allow all. The room token already grants access, so
@@ -41,6 +41,10 @@ if [ ! -e "$repo/.git" ]; then
   echo "[setup] cloning $url"
   mkdir -p "$(dirname "$repo")"
   git clone "$url" "$repo"
+  # Detach the fresh primary clone so EVERY branch (incl. the default one it
+  # just checked out) can be worktree-added under tree/<branch>. Skipped for
+  # pre-existing clones — they may be someone's live working copy.
+  git -C "$repo" switch --detach
 fi
 
 echo "[setup] adding worktree $ws @ $CODEHOST_BRANCH"
@@ -67,6 +71,8 @@ if (-not (Test-Path (Join-Path $repo ".git"))) {
   Write-Host "[setup] cloning $url"
   New-Item -ItemType Directory -Force -Path (Split-Path $repo) | Out-Null
   git clone $url $repo
+  # Detach so every branch (incl. the default) can be worktree-added.
+  git -C $repo switch --detach
 }
 Write-Host "[setup] adding worktree $ws @ $($env:CODEHOST_BRANCH)"
 New-Item -ItemType Directory -Force -Path (Split-Path $ws) | Out-Null

package/src/shared/signaling-client.ts

@@ -37,6 +37,12 @@ export interface CloseInfo {
  *  open/close cycle becomes a sub-second reconnect storm. */
 const STABLE_MS = 10_000;
 
+/** Abort a connect attempt that hasn't opened by this deadline. Observed in the
+ *  field (Chrome, page-load burst): a socket can sit in CONNECTING for minutes
+ *  and never fire close — so without this, no retry ever runs, even though a
+ *  freshly-created socket to the same room opens instantly. */
+const CONNECT_TIMEOUT_MS = 10_000;
+
 /**
  * Thin WebSocket client for the signaling room. Runs unchanged in the browser
  * and in Bun (both expose a global `WebSocket`). Auto-reconnects with backoff
@@ -71,7 +77,21 @@ export class SignalingClient {
     const ws = new WebSocket(this.roomUrl());
     this.ws = ws;
 
+    // A stuck CONNECTING socket never fires close on its own — abort it so the
+    // normal onclose -> backoff -> retry path takes over.
+    const connectTimer = setTimeout(() => {
+      if (ws.readyState === 0 /* CONNECTING */) {
+        try {
+          ws.close();
+        } catch {
+          // closing an unopened socket may throw in some runtimes — the
+          // onerror/onclose path still runs
+        }
+      }
+    }, CONNECT_TIMEOUT_MS);
+
     ws.onopen = () => {
+      clearTimeout(connectTimer);
       this.openedAt = Date.now();
       // Don't reset the backoff yet — only once the socket proves stable (see
       // STABLE_MS). A handshake-then-drop network never reaches this timer, so
@@ -103,6 +123,7 @@ export class SignalingClient {
     };
 
     ws.onclose = (ev) => {
+      clearTimeout(connectTimer);
       this.clearStableTimer();
       this.stopHeartbeat();
       const ms = this.openedAt ? Date.now() - this.openedAt : 0;

package/src/web/tunnel-client.ts

@@ -129,7 +129,13 @@ export class TunnelClient {
             }),
           );
         },
-        onBody: (b) => controller?.enqueue(b),
+        onBody: (b) => {
+          try {
+            controller?.enqueue(b);
+          } catch {
+            // stream already closed/cancelled (consumer went away mid-body)
+          }
+        },
         onEnd: () => {
           try {
             controller?.close();