heyiam 0.3.7 → 0.3.10

package/dist/public/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>app</title>
-    <script type="module" crossorigin src="/assets/index-BDh4ne9u.js"></script>
+    <script type="module" crossorigin src="/assets/index-DU5On5Al.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-ByoBtx7P.css">
   </head>
   <body>

package/dist/render/build-render-data.js

@@ -105,5 +105,6 @@ export function buildProjectRenderData(opts) {
         allSessions: opts.allSessionCards,
         sessionBaseUrl: opts.sessionBaseUrl,
         sessionSuffix: opts.sessionSuffix,
+        ...(opts.hideSessionDates ? { hideSessionDates: true } : {}),
     };
 }

package/dist/render/liquid.js

@@ -110,7 +110,20 @@ export function renderProject(data, extras, templateName) {
         const slug = typeof existingSlug === 'string' && existingSlug !== ''
             ? existingSlug
             : (slugByToken.get(id) ?? '');
-        return { ...rest, slug, rawLog: [] };
+        const merged = { ...rest, slug, rawLog: [] };
+        // When dates are hidden, strip every timestamp from the session so
+        // nothing leaks through the page source. The chart and overlay treat
+        // a missing `date` as "ordinal mode" — no axis labels, no gap markers.
+        if (data.hideSessionDates) {
+            delete merged.date;
+            delete merged.endTime;
+            const children = merged.children;
+            if (Array.isArray(children)) {
+                for (const c of children)
+                    delete c.date;
+            }
+        }
+        return merged;
     });
     // Encode JSON safe for single-quoted HTML attributes
     const sessionsJson = JSON.stringify(chartSessions).replace(/'/g, ''');

package/dist/render/templates/bauhaus/project.liquid

@@ -218,7 +218,7 @@
           <tr>
             <th scope="col">#</th>
             <th scope="col">Session</th>
-            <th scope="col">Date</th>
+            {% unless hideSessionDates %}<th scope="col">Date</th>{% endunless %}
             <th scope="col">Duration</th>
             <th scope="col">LOC</th>
             <th scope="col">Source</th>
@@ -230,7 +230,7 @@
           <tr>
             <td><span class="session-num">{{ forloop.index }}</span></td>
             <td><a href="{{ sessionBaseUrl }}/{{ s.slug }}{{ sessionSuffix }}" class="session-title-link">{{ s.title }}</a></td>
-            <td>{{ s.recordedAt | formatDateShort }}</td>
+            {% unless hideSessionDates %}<td>{{ s.recordedAt | formatDateShort }}</td>{% endunless %}
             <td>{{ s.durationMinutes | formatDuration }}</td>
             <td>{{ s.locChanged | localeNumber }}</td>
             <td>{% if s.sourceTool %}<span class="session-source-badge badge-{{ s.sourceTool | downcase | replace: ' ', '-' }}">{{ s.sourceTool }}</span>{% endif %}</td>

package/dist/render/templates/editorial/project.liquid

@@ -90,7 +90,7 @@
   {% if sessionsJson %}
   <section class="ed-card-section" aria-label="Agent work timeline">
     <h2 class="ed-section-title">Work Timeline</h2>
-    <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+    <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
   </section>
   {% endif %}
 

package/dist/render/templates/glacier/project.liquid

@@ -131,7 +131,7 @@
             {% assign labelY = barY | minus: 7 %}
             <rect x="{{ barX }}" y="{{ barY }}" width="{{ barWidth }}" height="{{ barH }}" class="chart-bar" aria-label="{{ s.title }}: {{ s.locChanged }} LOC"/>
             <text x="{{ labelX }}" y="{{ labelY }}" class="chart-value" text-anchor="middle">{{ s.locChanged }}</text>
-            <text x="{{ labelX }}" y="180" class="chart-label" text-anchor="middle">{{ s.recordedAt | formatDateShort }}</text>
+            <text x="{{ labelX }}" y="180" class="chart-label" text-anchor="middle">{% if hideSessionDates %}#{{ forloop.index }}{% else %}{{ s.recordedAt | formatDateShort }}{% endif %}</text>
           {% endfor %}
         </svg>
       </div>
@@ -223,7 +223,7 @@
             <tr>
               <th scope="col">#</th>
               <th scope="col">Title</th>
-              <th scope="col">Date</th>
+              {% unless hideSessionDates %}<th scope="col">Date</th>{% endunless %}
               <th scope="col">Duration</th>
               <th scope="col">LOC</th>
               <th scope="col">Source</th>
@@ -235,7 +235,7 @@
             <tr>
               <td>{{ forloop.index }}</td>
               <td><a href="{{ sessionBaseUrl }}/{{ s.slug }}{{ sessionSuffix }}" class="session-title-link">{{ s.title }}</a></td>
-              <td>{{ s.recordedAt | formatDateShort }}</td>
+              {% unless hideSessionDates %}<td>{{ s.recordedAt | formatDateShort }}</td>{% endunless %}
               <td>{{ s.durationMinutes | formatDuration }}</td>
               <td>{{ s.locChanged | localeNumber }}</td>
               <td>{% if s.sourceTool %}<span class="session-source-badge">{{ s.sourceTool }}</span>{% endif %}</td>

package/dist/render/templates/kinetic/project.liquid

@@ -107,7 +107,7 @@
     <div class="section-tag">Agent work</div>
     <h2 class="section-title">Work timeline</h2>
     <div class="timeline-container">
-      <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+      <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
     </div>
   </section>
   {% endif %}

package/dist/render/templates/minimal/project.liquid

@@ -55,7 +55,7 @@
     {% if sessionsJson %}
     <div class="mn-section">
       <h2 class="mn-section-heading">Work Timeline</h2>
-      <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+      <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
     </div>
     <hr class="mn-rule" />
     {% endif %}

package/dist/render/templates/paper/project.liquid

@@ -100,7 +100,7 @@
             <tr>
               <th scope="col">#</th>
               <th scope="col">Title</th>
-              <th scope="col">Date</th>
+              {% unless hideSessionDates %}<th scope="col">Date</th>{% endunless %}
               <th scope="col" class="text-right">Duration</th>
               <th scope="col" class="text-right">LOC</th>
               <th scope="col">Source</th>
@@ -114,7 +114,7 @@
             <tr>
               <td>{{ forloop.index }}</td>
               <td>{{ s.title }}</td>
-              <td>{{ s.recordedAt | formatDateShort }}</td>
+              {% unless hideSessionDates %}<td>{{ s.recordedAt | formatDateShort }}</td>{% endunless %}
               <td class="text-right">{{ s.durationMinutes | formatDuration }}</td>
               <td class="text-right">{{ s.locChanged | localeNumber }}</td>
               <td>{{ s.sourceTool }}</td>

package/dist/render/templates/partials/_work-timeline.liquid

@@ -3,5 +3,5 @@
     <h3 class="section-header__title">Work timeline</h3>
     <span class="section-header__meta">sessions over time</span>
   </div>
-  <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+  <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
 </div>

package/dist/render/templates/project.liquid

@@ -94,7 +94,7 @@
       <h3 class="section-header__title">Work timeline</h3>
       <span class="section-header__meta">sessions over time</span>
     </div>
-    <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+    <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
   </div>
 
   {%- comment -%} Growth Chart mount point {%- endcomment -%}

package/dist/render/templates/radar/project.liquid

@@ -103,7 +103,7 @@
   <section class="radar-section" aria-label="Work timeline">
     <div class="radar-label">Work Timeline</div>
     <div class="chart-card">
-      <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+      <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
     </div>
   </section>
   {% endif %}

package/dist/render/templates/showcase/project.liquid

@@ -90,7 +90,7 @@
             <h3>Work Timeline</h3>
             <span class="sc-section-label">sessions over time</span>
           </div>
-          <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+          <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
         </div>
       </section>
 

package/dist/render/templates/terminal/project.liquid

@@ -69,7 +69,7 @@
   {% if sessionsJson %}
   <div class="term-section">
     <div class="term-comment"># work timeline</div>
-    <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'></div>
+    <div data-work-timeline data-sessions='{{ sessionsJson | raw }}'{% if hideSessionDates %} data-hide-dates="1"{% endif %}></div>
   </div>
   {% endif %}
 

package/dist/routes/context.js

@@ -9,8 +9,8 @@ import { bridgeToAnalyzer, mergeActiveIntervals, sumIntervalMs } from '../bridge
 import { analyzeSession } from '../analyzer.js';
 import { loadEnhancedData, loadProjectEnhanceResult, getUploadedState, } from '../settings.js';
 import { getTemplateCss } from '../render/templates.js';
-import { archiveSessionFiles } from '../archive.js';
-import { getDatabase, openDatabase, getSessionStats as dbGetSessionStats, getSessionCount, getAllSessionMetas, getAllProjectStats, getSessionsByProject, getProjectUuid, } from '../db.js';
+import { archiveSessionFiles, findReadableSessionPath } from '../archive.js';
+import { getDatabase, openDatabase, getSessionStats as dbGetSessionStats, getSessionCount, getAllSessionMetas, getAllProjectStats, getSessionsByProject, getProjectUuid, getSessionRow, updateSessionPath, } from '../db.js';
 import { ensureSessionIndexed, displayNameFromDir } from '../sync.js';
 export { displayNameFromDir };
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -298,11 +298,34 @@ export function createRouteContext(sessionsBasePath, dbPath) {
         };
     }
     async function loadSession(sessionPath, projectName, sessionId) {
-        const parsed = await parseSession(sessionPath);
+        const readablePath = await resolveSessionReadPath(sessionPath, sessionId);
+        const parsed = await parseSession(readablePath);
         const analyzerInput = bridgeToAnalyzer(parsed, { sessionId, projectName });
         const session = analyzeSession(analyzerInput);
         return mergeEnhancedData(session);
     }
+    /**
+     * Returns a path to a readable session file. If the originally-indexed
+     * path still exists, returns it unchanged. Otherwise falls back to the
+     * archive copy and heals the DB cache so future reads skip the lookup.
+     *
+     * This compensates for source tools (notably Claude Code's 30-day
+     * cleanup) deleting session files after we've indexed them.
+     */
+    async function resolveSessionReadPath(originalPath, sessionId) {
+        const row = getSessionRow(db, sessionId);
+        const projectDir = row?.project_dir;
+        if (!projectDir)
+            return originalPath;
+        const readable = await findReadableSessionPath(originalPath, projectDir);
+        if (!readable)
+            return originalPath;
+        if (readable !== originalPath) {
+            updateSessionPath(db, sessionId, readable);
+            console.log(`[loadSession] Healed stale path for ${sessionId} → archive copy`);
+        }
+        return readable;
+    }
     // ── getSessionStats ──────────────────────────────────────
     async function getSessionStats(meta, projectName) {
         try {

package/dist/routes/delete.js

@@ -2,6 +2,7 @@ import { Router } from 'express';
 import { getAuthToken } from '../auth.js';
 import { API_URL, warnIfNonDefaultApiUrl } from '../config.js';
 import { getUploadedState, clearUploadedState, saveUploadedState, loadEnhancedData, saveEnhancedData, } from '../settings.js';
+import { toSlug } from '../format-utils.js';
 function sendError(res, status, error) {
     res.status(status).json({ error });
 }
@@ -139,7 +140,23 @@ export function createDeleteRouter(_ctx) {
             return;
         }
         try {
-            const phoenixRes = await fetch(`${API_URL}/api/sessions/${encodeURIComponent(sessionId)}`, {
+            // Phoenix DELETE /api/sessions/:id expects an integer share ID,
+            // which the CLI never has — POST /api/sessions returns a token,
+            // not the DB row id. So we send the Claude UUID in the path
+            // (Phoenix accepts it as an opaque marker) and the real lookup
+            // key — (project_id, slug) — in query params. The server resolves
+            // by (project_id, slug) when the path :id isn't a valid integer.
+            const uploadedState = getUploadedState(project);
+            const enhanced = loadEnhancedData(sessionId);
+            const slug = toSlug(enhanced?.title ?? sessionId, 80);
+            const serverProjectId = uploadedState?.projectId;
+            const query = new URLSearchParams();
+            if (serverProjectId !== undefined)
+                query.set('project_id', String(serverProjectId));
+            if (slug)
+                query.set('slug', slug);
+            const qs = query.toString();
+            const phoenixRes = await fetch(`${API_URL}/api/sessions/${encodeURIComponent(sessionId)}${qs ? `?${qs}` : ''}`, {
                 method: 'DELETE',
                 headers: { Authorization: `Bearer ${auth.token}` },
             });

package/dist/routes/enhance.js

@@ -5,7 +5,7 @@ import { enhanceProject, refineNarrative } from '../llm/project-enhance.js';
 import { getAnthropicApiKey, saveEnhancedData, loadEnhancedData, deleteEnhancedData, loadFreshProjectEnhanceResult, saveProjectEnhanceResult, loadProjectEnhanceResult, buildProjectFingerprint, getUploadedState, } from '../settings.js';
 import { requireProject } from './context.js';
 import { startSSE } from './sse.js';
-import { invalidatePortfolioPreviewCache } from './preview.js';
+import { invalidatePortfolioPreviewCache, invalidateProjectPreviewCache } from './preview.js';
 export function createEnhanceRouter(ctx) {
     const router = Router();
     // Triage endpoint -- AI selects which sessions are worth showcasing (SSE stream)
@@ -259,7 +259,11 @@ export function createEnhanceRouter(ctx) {
     // Save project enhance result explicitly
     router.post('/api/projects/:project/enhance-save', async (req, res) => {
         const project = String(req.params.project);
-        const { selectedSessionIds, result, title, repoUrl, projectUrl, screenshotBase64 } = req.body;
+        // FIXME(security): screenshotBase64 is accepted with no size cap and no
+        // `data:image/(png|jpeg|jpg|webp);base64,...` shape check. Local-only CLI
+        // so not a privilege issue today, but worth a regex + ~4 MB cap for
+        // defense-in-depth and to keep the cache JSON from ballooning.
+        const { selectedSessionIds, result, title, repoUrl, projectUrl, screenshotBase64, hideSessionDates } = req.body;
         if (!Array.isArray(selectedSessionIds) || !result?.narrative) {
             res.status(400).json({ error: { code: 'INVALID_INPUT', message: 'selectedSessionIds and result are required' } });
             return;
@@ -272,9 +276,12 @@ export function createEnhanceRouter(ctx) {
             const proj = await requireProject(ctx, project, res);
             if (!proj)
                 return;
-            saveProjectEnhanceResult(proj.dirName, selectedSessionIds, result, undefined, { title, repoUrl, projectUrl, screenshotBase64 });
+            saveProjectEnhanceResult(proj.dirName, selectedSessionIds, result, undefined, { title, repoUrl, projectUrl, screenshotBase64, hideSessionDates });
             // Project title/narrative/skills appear in portfolio listing — bust cache.
             invalidatePortfolioPreviewCache();
+            // Per-project render cache is keyed by the URL param the client passed.
+            invalidateProjectPreviewCache(project);
+            invalidateProjectPreviewCache(proj.dirName);
             res.json({ saved: true, enhancedAt: new Date().toISOString() });
         }
         catch (err) {

package/dist/routes/preview.js

@@ -54,6 +54,15 @@ function portfolioCacheKey(templateName) {
 export function invalidatePortfolioPreviewCache() {
     portfolioPreviewCache.clear();
 }
+/**
+ * Drop the per-project render-data cache for `projectParam`. Call after any
+ * mutation that affects the rendered project page (title, URLs, narrative,
+ * screenshot, skills, timeline). Without this, the 30s TTL on
+ * previewDataCache masks the change in the React UI.
+ */
+export function invalidateProjectPreviewCache(projectParam) {
+    previewDataCache.delete(projectParam);
+}
 /** Test helper: read current cache entry without mutating. */
 export function _getPortfolioPreviewCacheEntry(templateName = 'editorial') {
     return portfolioPreviewCache.get(portfolioCacheKey(templateName));
@@ -177,6 +186,12 @@ async function buildProjectPreviewData(ctx, projectParam, queryOverrides) {
         repoUrl: metaRepoUrl,
         projectUrl: metaProjectUrl,
         screenshotUrl: (() => {
+            // Manual uploads land only in the enhance-cache JSON (no disk write),
+            // so check the cache first — mirrors export.ts:resolveScreenshotDataUri.
+            const b64 = cachedAny?.screenshotBase64;
+            if (b64) {
+                return b64.startsWith('data:') ? b64 : `data:image/png;base64,${b64}`;
+            }
             return existsSync(path.join(SCREENSHOTS_DIR, `${slug}.png`))
                 ? `/screenshots/${slug}.png`
                 : undefined;
@@ -193,6 +208,7 @@ async function buildProjectPreviewData(ctx, projectParam, queryOverrides) {
         allSessionCards,
         sessionBaseUrl: `/preview/project/${encodeURIComponent(projectParam)}/session`,
         sessionSuffix: '.html',
+        hideSessionDates: cachedAny?.hideSessionDates,
     });
     const result = { renderData, enhanceResult, projName: projAny.name };
     // Cache the result (template-agnostic data, re-rendered cheaply per template)

package/dist/routes/project-session-upload.js

@@ -4,7 +4,7 @@
  */
 import { readFileSync } from 'node:fs';
 import { API_URL } from '../config.js';
-import { loadEnhancedData, saveEnhancedData, getDefaultTemplate, isTranscriptIncluded, } from '../settings.js';
+import { loadEnhancedData, saveEnhancedData, getDefaultTemplate, isTranscriptIncluded, getUploadedState, } from '../settings.js';
 import { redactSession, redactText, scanTextSync, formatFindings, stripHomePathsInText } from '../redact.js';
 import { renderSessionHtml } from '../render/index.js';
 import { buildSessionRenderData, buildSessionCard } from '../render/build-render-data.js';
@@ -222,3 +222,65 @@ export async function uploadSelectedSessions(ctx, auth, options) {
     }
     return { uploadedCount, failedSessions, uploadedSessionCards };
 }
+/**
+ * Delete previously-uploaded sessions that are no longer in the user's
+ * selected set. Called before re-uploading so the published portfolio
+ * reflects deselections made through the Manage Sessions modal.
+ *
+ * Identifies each session on the server by (project_id, slug) — the same
+ * fallback contract used by the single-session trash button. Failures
+ * are logged but non-fatal: the upload continues so partial cleanup
+ * doesn't block the user's primary action.
+ */
+export async function demoteRemovedSessions(auth, options) {
+    const { projectDirName, selectedSessionIds, send } = options;
+    const notify = send ?? (() => { });
+    const uploaded = getUploadedState(projectDirName);
+    if (!uploaded || !uploaded.projectId) {
+        return { demotedCount: 0, failed: [] };
+    }
+    const selected = new Set(selectedSessionIds);
+    const removed = (uploaded.uploadedSessions ?? []).filter((id) => !selected.has(id));
+    if (removed.length === 0) {
+        return { demotedCount: 0, failed: [] };
+    }
+    let demotedCount = 0;
+    const failed = [];
+    for (const sessionId of removed) {
+        const enhanced = loadEnhancedData(sessionId);
+        const slug = toSlug(enhanced?.title ?? sessionId, 80);
+        notify({ type: 'session', sessionId, status: 'demoting' });
+        try {
+            const query = new URLSearchParams({
+                project_id: String(uploaded.projectId),
+                slug,
+            });
+            const res = await fetch(`${API_URL}/api/sessions/${encodeURIComponent(sessionId)}?${query.toString()}`, {
+                method: 'DELETE',
+                headers: { Authorization: `Bearer ${auth.token}` },
+            });
+            if (res.status === 204 || res.status === 404) {
+                // 404 = already gone server-side; either way, the local state
+                // should reflect "not uploaded" so the next re-publish doesn't
+                // try to demote it again.
+                if (enhanced?.uploaded) {
+                    saveEnhancedData(sessionId, { ...enhanced, uploaded: false });
+                }
+                demotedCount++;
+                notify({ type: 'session', sessionId, status: 'demoted' });
+            }
+            else {
+                const body = await res.text().catch(() => '');
+                const error = `HTTP ${res.status}: ${body.slice(0, 200)}`;
+                failed.push({ sessionId, error });
+                notify({ type: 'session', sessionId, status: 'demote_failed', error });
+            }
+        }
+        catch (err) {
+            const error = err.message;
+            failed.push({ sessionId, error });
+            notify({ type: 'session', sessionId, status: 'demote_failed', error });
+        }
+    }
+    return { demotedCount, failed };
+}

package/dist/routes/projects.js

@@ -217,7 +217,14 @@ export function createProjectsRouter(ctx) {
                 res.status(400).json({ error: { code: 'NO_CACHE', message: 'Project must be enhanced before managing sessions' } });
                 return;
             }
-            saveProjectEnhanceResult(proj.dirName, selectedSessionIds, cache.result, undefined, { title: cache.title, repoUrl: cache.repoUrl, projectUrl: cache.projectUrl, screenshotBase64: cache.screenshotBase64 });
+            saveProjectEnhanceResult(proj.dirName, selectedSessionIds, cache.result, undefined, {
+                title: cache.title,
+                repoUrl: cache.repoUrl,
+                projectUrl: cache.projectUrl,
+                screenshotBase64: cache.screenshotBase64,
+                template: cache.template,
+                hideSessionDates: cache.hideSessionDates,
+            });
             invalidatePortfolioPreviewCache();
             res.json({ ok: true, selectedSessionIds });
         }

package/dist/routes/publish.js

@@ -12,7 +12,7 @@ import { buildProjectDetail } from './context.js';
 import { captureScreenshot } from '../screenshot.js';
 import { renderProjectHtml } from '../render/index.js';
 import { buildProjectRenderData } from '../render/build-render-data.js';
-import { uploadSelectedSessions } from './project-session-upload.js';
+import { uploadSelectedSessions, demoteRemovedSessions } from './project-session-upload.js';
 import { invalidatePortfolioPreviewCache } from './preview.js';
 import { startSSE } from './sse.js';
 import { displayNameFromDir } from '../sync.js';
@@ -55,7 +55,7 @@ export function createPublishRouter(ctx) {
     // Render project preview HTML
     router.post('/api/projects/:project/render-preview', async (req, res) => {
         try {
-            const { username, slug, title, narrative, repoUrl, projectUrl, screenshotUrl, timeline, skills, totalSessions, totalLoc, totalDurationMinutes, totalAgentDurationMinutes, totalFilesChanged, totalTokens, sessionCards, } = req.body;
+            const { username, slug, title, narrative, repoUrl, projectUrl, screenshotUrl, timeline, skills, totalSessions, totalLoc, totalDurationMinutes, totalAgentDurationMinutes, totalFilesChanged, totalTokens, sessionCards, hideSessionDates, } = req.body;
             const renderData = buildProjectRenderData({
                 username: username || 'preview',
                 slug, title, narrative,
@@ -69,6 +69,7 @@ export function createPublishRouter(ctx) {
                 totalFilesChanged: totalFilesChanged || 0,
                 totalTokens,
                 sessionCards: sessionCards || [],
+                hideSessionDates,
             });
             const templateName = getDefaultTemplate() || 'editorial';
             const html = renderProjectHtml(renderData, undefined, templateName);
@@ -104,7 +105,7 @@ export function createPublishRouter(ctx) {
     });
     // Publish project -- SSE stream with per-session progress
     router.post('/api/projects/:project/upload', async (req, res) => {
-        const { project } = req.params;
+        const project = String(req.params.project);
         const auth = getAuthToken();
         warnIfNonDefaultApiUrl();
         if (!auth) {
@@ -113,11 +114,11 @@ export function createPublishRouter(ctx) {
         }
         const { title: rawTitle, slug: rawSlug, narrative, repoUrl, projectUrl, timeline, skills, totalSessions, totalLoc, totalDurationMinutes, totalAgentDurationMinutes, totalFilesChanged, skippedSessions, selectedSessionIds, screenshotBase64, } = req.body;
         // Ensure slug is the short project name, not the full encoded directory path
-        const shortName = displayNameFromDir(String(project));
+        const shortName = displayNameFromDir(project);
         const baseSlug = toSlug(shortName);
         const title = rawTitle === rawSlug ? shortName : rawTitle;
         // Get stable project UUID from CLI database
-        const clientProjectId = getProjectUuid(ctx.db, String(project));
+        const clientProjectId = getProjectUuid(ctx.db, project);
         const send = startSSE(res);
         try {
             // Step 1: Upsert project on Phoenix (with slug conflict retry)
@@ -181,6 +182,11 @@ export function createPublishRouter(ctx) {
                         send({ type: 'screenshot', status: 'capturing' });
                         const raw = screenshotBase64.includes(',') ? screenshotBase64.split(',')[1] : screenshotBase64;
                         imageBuffer = Buffer.from(raw, 'base64');
+                        // FIXME(security): ext detection only handles png/jpg, so an SVG
+                        // (allowed by the file picker's `accept="image/*"`) gets uploaded
+                        // to S3 with `Content-Type: image/png` while the bytes are SVG.
+                        // CSP on heyi.am mitigates script execution, but reject SVG here
+                        // (or convert it) instead of relying on downstream defenses.
                         ext = screenshotBase64.startsWith('data:image/jpeg') || screenshotBase64.startsWith('data:image/jpg') ? 'jpg' : 'png';
                     }
                     else if (projectUrl) {
@@ -242,6 +248,17 @@ export function createPublishRouter(ctx) {
             const failedSessions = [];
             let uploadedSessionCards = [];
             if (proj) {
+                // Honor Manage Sessions deselections: remove server-side sessions
+                // that were previously uploaded but are no longer in the
+                // selection. Failures are non-fatal — proceed with the upload.
+                const demoteResult = await demoteRemovedSessions(auth, {
+                    projectDirName: project,
+                    selectedSessionIds,
+                    send,
+                });
+                if (demoteResult.failed.length > 0) {
+                    console.warn(`[upload] ${demoteResult.failed.length} session(s) could not be removed from heyi.am`);
+                }
                 const sessionResult = await uploadSelectedSessions(ctx, auth, {
                     proj,
                     projectData,
@@ -524,6 +541,18 @@ export function createPublishRouter(ctx) {
                         slugMap.set(baseSlug, projectData.slug);
                     }
                     send({ type: 'project', project: title, index: projectIndex, total: filteredProjects.length, status: 'created' });
+                    // Honor Manage Sessions deselections before re-uploading: remove
+                    // server-side sessions that were previously uploaded but aren't
+                    // in the current `selectedSessionIds`. Without this step, the
+                    // bulk-status PATCH below silently re-lists everything.
+                    const demoteResult = await demoteRemovedSessions(auth, {
+                        projectDirName: rawProj.dirName,
+                        selectedSessionIds,
+                        send: (evt) => send({ ...evt, project: title }),
+                    });
+                    if (demoteResult.failed.length > 0) {
+                        console.warn(`[portfolio-upload] ${title}: ${demoteResult.failed.length} session(s) could not be removed from heyi.am`);
+                    }
                     send({ type: 'progress', message: `Uploading ${selectedSessionIds.length} session${selectedSessionIds.length === 1 ? '' : 's'} for ${title}…` });
                     const { uploadedSessionCards } = await uploadSelectedSessions(ctx, auth, {
                         proj: projInfo,

package/dist/routes/sessions.js

@@ -2,23 +2,48 @@ import { Router } from 'express';
 import { listSessions, parseSession } from '../parsers/index.js';
 import { bridgeToAnalyzer } from '../bridge.js';
 import { analyzeSession } from '../analyzer.js';
-import { getSessionRow } from '../db.js';
+import { getSessionRow, getAllSessionMetas } from '../db.js';
 import { ensureSessionIndexed } from '../sync.js';
 import { exportSessionContext } from '../context-export.js';
 import { buildTranscriptResponse } from '../transcript.js';
 import { loadEnhancedData } from '../settings.js';
+import { toSlug } from '../format-utils.js';
 import { displayNameFromDir } from './context.js';
 /**
- * Find a session's file path and project name, checking the DB first,
- * then falling back to live discovery (triggers indexing as a side effect).
+ * Resolve an :id param to a real session. Accepts either:
+ *   - A canonical UUID (the path used by SPA links built from session.id)
+ *   - A title-derived slug, optionally with a ".html" suffix (the path
+ *     baked into rendered Liquid HTML — used when a user lands on a
+ *     session URL directly via refresh, bookmark, or modifier-click that
+ *     slipped past the SPA's click interceptor)
+ *
+ * Falls back to live discovery on a UUID miss, mirroring the original
+ * behavior. Slug resolution is DB-only because the slug source-of-truth
+ * is the enhanced title, which lives in the local-state store.
  */
-async function resolveSession(ctx, id) {
-    // Try DB first
+async function resolveSession(ctx, rawId) {
+    const id = rawId.replace(/\.html$/, '');
+    // 1. Try DB by UUID
     const row = getSessionRow(ctx.db, id);
     if (row?.file_path) {
-        return { filePath: row.file_path, projectName: displayNameFromDir(row.project_dir) };
+        return { filePath: row.file_path, projectName: displayNameFromDir(row.project_dir), sessionId: id };
     }
-    // Fallback: discover live sessions and index the match
+    // 2. Try DB by title-derived slug
+    const slugTarget = toSlug(id, 80);
+    if (slugTarget) {
+        const metas = getAllSessionMetas(ctx.db);
+        for (const meta of metas) {
+            if (meta.isSubagent)
+                continue;
+            const enhanced = loadEnhancedData(meta.sessionId);
+            const titleRow = getSessionRow(ctx.db, meta.sessionId);
+            const title = enhanced?.title ?? titleRow?.title ?? meta.sessionId;
+            if (toSlug(title, 80) === slugTarget) {
+                return { filePath: meta.path, projectName: displayNameFromDir(meta.projectDir), sessionId: meta.sessionId };
+            }
+        }
+    }
+    // 3. Fallback: discover live sessions and index the match (UUID only)
     const allSessions = await listSessions(ctx.sessionsBasePath);
     const meta = allSessions.find((s) => s.sessionId === id);
     if (!meta)
@@ -28,7 +53,7 @@ async function resolveSession(ctx, id) {
         await ensureSessionIndexed(ctx.db, meta, projectName);
     }
     catch { /* best effort */ }
-    return { filePath: meta.path, projectName };
+    return { filePath: meta.path, projectName, sessionId: id };
 }
 export function createSessionsRouter(ctx) {
     const router = Router();
@@ -41,7 +66,7 @@ export function createSessionsRouter(ctx) {
                 res.status(404).json({ error: { code: 'SESSION_NOT_FOUND', message: 'Session not found' } });
                 return;
             }
-            const session = await ctx.loadSession(resolved.filePath, resolved.projectName, id);
+            const session = await ctx.loadSession(resolved.filePath, resolved.projectName, resolved.sessionId);
             res.json({ session });
         }
         catch (err) {
@@ -59,12 +84,12 @@ export function createSessionsRouter(ctx) {
                 return;
             }
             const parsed = await parseSession(resolved.filePath);
-            const analyzerInput = bridgeToAnalyzer(parsed, { sessionId: id, projectName: resolved.projectName });
+            const analyzerInput = bridgeToAnalyzer(parsed, { sessionId: resolved.sessionId, projectName: resolved.projectName });
             let session = analyzeSession(analyzerInput);
             const turns = analyzerInput.turns;
             // Merge enhanced data (LLM-generated title, context, developer take,
             // execution steps, Q&A) when available — hybrid output
-            const enhanced = loadEnhancedData(id);
+            const enhanced = loadEnhancedData(resolved.sessionId);
             if (enhanced) {
                 session = {
                     ...session,

package/dist/settings.js

@@ -163,6 +163,8 @@ export function saveProjectEnhanceResult(projectDirName, selectedSessionIds, res
         ...(extras?.repoUrl ? { repoUrl: extras.repoUrl } : {}),
         ...(extras?.projectUrl ? { projectUrl: extras.projectUrl } : {}),
         ...(extras?.screenshotBase64 ? { screenshotBase64: extras.screenshotBase64 } : {}),
+        ...(extras?.template ? { template: extras.template } : {}),
+        ...(extras?.hideSessionDates ? { hideSessionDates: true } : {}),
         result,
     };
     writeFileSync(projectEnhancePath(projectDirName, configDir), JSON.stringify(cache, null, 2), { mode: 0o600 });