hotsheet 0.6.4 → 0.7.0

package/dist/cli.js

@@ -129,12 +129,14 @@ var init_connection = __esm({
 // src/file-settings.ts
 var file_settings_exports = {};
 __export(file_settings_exports, {
+  ensureSecret: () => ensureSecret,
   getBackupDir: () => getBackupDir,
   readFileSettings: () => readFileSettings,
   writeFileSettings: () => writeFileSettings
 });
+import { createHash, randomBytes } from "crypto";
 import { existsSync, readFileSync, writeFileSync } from "fs";
-import { join as join2 } from "path";
+import { join as join2, resolve } from "path";
 function settingsPath(dataDir2) {
   return join2(dataDir2, "settings.json");
 }
@@ -157,6 +159,25 @@ function getBackupDir(dataDir2) {
   const settings = readFileSettings(dataDir2);
   return settings.backupDir || join2(dataDir2, "backups");
 }
+function hashPath(dataDir2) {
+  const absPath = resolve(settingsPath(dataDir2));
+  return createHash("sha256").update(absPath).digest("hex").slice(0, 16);
+}
+function ensureSecret(dataDir2, port2) {
+  const settings = readFileSettings(dataDir2);
+  const currentPathHash = hashPath(dataDir2);
+  if (settings.secret && settings.secretPathHash === currentPathHash) {
+    if (settings.port !== port2) {
+      writeFileSettings(dataDir2, { port: port2 });
+    }
+    return settings.secret;
+  }
+  const random = randomBytes(32).toString("hex");
+  const absPath = resolve(settingsPath(dataDir2));
+  const secret = createHash("sha256").update(absPath + random).digest("hex").slice(0, 32);
+  writeFileSettings(dataDir2, { secret, secretPathHash: currentPathHash, port: port2 });
+  return secret;
+}
 var init_file_settings = __esm({
   "src/file-settings.ts"() {
     "use strict";
@@ -430,15 +451,15 @@ __export(channel_config_exports, {
   unregisterChannel: () => unregisterChannel
 });
 import { existsSync as existsSync6, readFileSync as readFileSync6, writeFileSync as writeFileSync6 } from "fs";
-import { dirname, join as join8, resolve } from "path";
+import { dirname, join as join8, resolve as resolve2 } from "path";
 import { fileURLToPath } from "url";
 function getChannelServerPath() {
   const thisDir = dirname(fileURLToPath(import.meta.url));
-  const distPath = resolve(thisDir, "channel.js");
+  const distPath = resolve2(thisDir, "channel.js");
   if (existsSync6(distPath)) {
     return { command: "node", args: [distPath] };
   }
-  const srcPath = resolve(thisDir, "channel.ts");
+  const srcPath = resolve2(thisDir, "channel.ts");
   if (existsSync6(srcPath)) {
     return { command: "npx", args: ["tsx", srcPath] };
   }
@@ -524,7 +545,7 @@ var init_channel_config = __esm({
 // src/cli.ts
 import { mkdirSync as mkdirSync6 } from "fs";
 import { tmpdir } from "os";
-import { join as join12, resolve as resolve2 } from "path";
+import { join as join12, resolve as resolve3 } from "path";
 
 // src/backup.ts
 init_connection();
@@ -865,6 +886,10 @@ async function createTicket(title, defaults) {
     cols.push("details");
     vals.push(defaults.details);
   }
+  if (defaults?.tags !== void 0 && defaults.tags !== "" && defaults.tags !== "[]") {
+    cols.push("tags");
+    vals.push(defaults.tags);
+  }
   const placeholders = vals.map((_, i) => `$${i + 1}`).join(", ");
   const result = await db2.query(
     `INSERT INTO tickets (${cols.join(", ")}) VALUES (${placeholders}) RETURNING *`,
@@ -963,7 +988,7 @@ async function getTickets(filters = {}) {
     paramIdx++;
   }
   if (filters.search !== void 0 && filters.search !== "") {
-    conditions.push(`(title ILIKE $${paramIdx} OR details ILIKE $${paramIdx} OR ticket_number ILIKE $${paramIdx})`);
+    conditions.push(`(title ILIKE $${paramIdx} OR details ILIKE $${paramIdx} OR ticket_number ILIKE $${paramIdx} OR tags ILIKE $${paramIdx})`);
     values.push(`%${filters.search}%`);
     paramIdx++;
   }
@@ -1098,7 +1123,7 @@ function ordinalValue(field, value) {
   if (field === "status") return STATUS_RANK[value] ?? null;
   return null;
 }
-async function queryTickets(logic, conditions, sortBy, sortDir) {
+async function queryTickets(logic, conditions, sortBy, sortDir, requiredTag) {
   const db2 = await getDb();
   const where = [];
   const values = [];
@@ -1145,6 +1170,11 @@ async function queryTickets(logic, conditions, sortBy, sortDir) {
         break;
     }
   }
+  if (requiredTag) {
+    where[0] += ` AND tags ILIKE $${paramIdx}`;
+    values.push(`%${requiredTag}%`);
+    paramIdx++;
+  }
   const joiner = logic === "any" ? " OR " : " AND ";
   const userConditions = where.slice(1);
   let whereClause = where[0];
@@ -1173,6 +1203,19 @@ async function queryTickets(logic, conditions, sortBy, sortDir) {
   );
   return result.rows;
 }
+function normalizeTag(input) {
+  return input.replace(/[^a-zA-Z0-9]+/g, " ").trim().toLowerCase();
+}
+function extractBracketTags(input) {
+  const tags = [];
+  const cleaned = input.replace(/\[([^\]]*)\]/g, (_match, content) => {
+    const tag = normalizeTag(content);
+    if (tag && !tags.includes(tag)) tags.push(tag);
+    return " ";
+  });
+  const title = cleaned.replace(/\s+/g, " ").trim();
+  return { title, tags };
+}
 async function getAllTags() {
   const db2 = await getDb();
   const result = await db2.query(`SELECT DISTINCT tags FROM tickets WHERE tags != '[]' AND status != 'deleted'`);
@@ -1182,7 +1225,10 @@ async function getAllTags() {
       const parsed = JSON.parse(row.tags);
       if (Array.isArray(parsed)) {
         for (const tag of parsed) {
-          if (typeof tag === "string" && tag.trim()) tagSet.add(tag.trim());
+          if (typeof tag === "string" && tag.trim()) {
+            const norm = normalizeTag(tag);
+            if (norm) tagSet.add(norm);
+          }
         }
       }
     } catch {
@@ -1301,6 +1347,7 @@ async function cleanupAttachments() {
 
 // src/cli.ts
 init_connection();
+init_file_settings();
 
 // src/lock.ts
 import { existsSync as existsSync3, readFileSync as readFileSync3, rmSync as rmSync4, writeFileSync as writeFileSync3 } from "fs";
@@ -1360,7 +1407,8 @@ var DEMO_SCENARIOS = [
   { id: 5, label: "Batch operations \u2014 multi-select toolbar" },
   { id: 6, label: "Detail panel \u2014 bottom orientation with tags and notes" },
   { id: 7, label: "Column view \u2014 kanban board by status" },
-  { id: 8, label: "Dashboard \u2014 stats and charts" }
+  { id: 8, label: "Dashboard \u2014 stats and charts" },
+  { id: 9, label: "Claude Channel \u2014 AI integration with custom commands" }
 ];
 function daysAgo(days) {
   const d = /* @__PURE__ */ new Date();
@@ -2144,6 +2192,104 @@ for (let i = 0; i < 30; i++) {
     verified_ago: verified
   });
 }
+var SCENARIO_9 = [
+  {
+    title: "Fix race condition in WebSocket message ordering",
+    details: "Messages arriving during reconnect can be delivered out of order. Need to add sequence numbers and a reorder buffer on the client side.\n\nReproduction: disconnect WiFi briefly during a burst of real-time updates, then reconnect \u2014 events appear in wrong order.",
+    category: "bug",
+    priority: "highest",
+    status: "started",
+    up_next: true,
+    tags: ["websocket", "real-time"],
+    notes: notesJson([
+      { text: "Investigating \u2014 the issue is in the reconnect handler. When the socket reconnects, buffered server-side messages are flushed immediately without checking the client sequence counter.", days_ago: 0.1 }
+    ]),
+    days_ago: 3,
+    updated_ago: 0.1
+  },
+  {
+    title: "Add rate limiting to public API endpoints",
+    details: "Implement token bucket rate limiting for all /api/v2/ endpoints. 100 requests per minute per API key, with burst allowance of 20.",
+    category: "feature",
+    priority: "high",
+    status: "not_started",
+    up_next: true,
+    tags: ["api", "security"],
+    notes: "",
+    days_ago: 2,
+    updated_ago: 2
+  },
+  {
+    title: "Migrate user preferences to new schema",
+    details: "The preferences table needs to be migrated from the old key-value format to the new typed JSON column. Write a migration script that preserves existing user settings.",
+    category: "task",
+    priority: "default",
+    status: "not_started",
+    up_next: true,
+    tags: ["database", "migration"],
+    notes: "",
+    days_ago: 4,
+    updated_ago: 4
+  },
+  {
+    title: "Investigate slow query on orders dashboard",
+    details: "The orders dashboard takes 8+ seconds to load for merchants with >10k orders. Need to profile the SQL and add appropriate indexes.",
+    category: "investigation",
+    priority: "high",
+    status: "completed",
+    up_next: false,
+    tags: ["performance", "database"],
+    notes: notesJson([
+      { text: "Root cause: missing composite index on (merchant_id, created_at). The query was doing a full table scan. Added index and query time dropped from 8.2s to 45ms.", days_ago: 1 }
+    ]),
+    days_ago: 5,
+    updated_ago: 1,
+    completed_ago: 1
+  },
+  {
+    title: "Update error handling middleware to use structured logging",
+    details: "Replace console.error calls with structured JSON logging using pino. Include request ID, user context, and stack traces.",
+    category: "task",
+    priority: "default",
+    status: "completed",
+    up_next: false,
+    tags: ["observability", "logging"],
+    notes: notesJson([
+      { text: "Replaced all console.error/warn calls with pino logger. Added request ID propagation via AsyncLocalStorage. Error responses now include a correlationId for support debugging.", days_ago: 2 }
+    ]),
+    days_ago: 7,
+    updated_ago: 2,
+    completed_ago: 2
+  },
+  {
+    title: "Fix CORS headers missing on preflight for webhook endpoints",
+    details: "Third-party integrations sending OPTIONS preflight requests to /webhooks/* get 405 Method Not Allowed.",
+    category: "bug",
+    priority: "default",
+    status: "verified",
+    up_next: false,
+    tags: ["api", "webhooks"],
+    notes: notesJson([
+      { text: "Added CORS preflight handler for webhook routes. Configured allowed origins from the integration settings table.", days_ago: 4 }
+    ]),
+    days_ago: 9,
+    updated_ago: 4,
+    completed_ago: 5,
+    verified_ago: 4
+  },
+  {
+    title: "Design new onboarding flow for team workspaces",
+    details: "The current onboarding drops users into an empty workspace. Design a guided setup that creates sample data and walks through key features.",
+    category: "feature",
+    priority: "low",
+    status: "not_started",
+    up_next: false,
+    tags: ["onboarding", "ux"],
+    notes: "",
+    days_ago: 10,
+    updated_ago: 10
+  }
+];
 var SCENARIO_DATA = {
   1: SCENARIO_1,
   2: SCENARIO_2,
@@ -2152,7 +2298,8 @@ var SCENARIO_DATA = {
   5: SCENARIO_5,
   6: SCENARIO_6,
   7: SCENARIO_7,
-  8: SCENARIO_8
+  8: SCENARIO_8,
+  9: SCENARIO_9
 };
 var SCENARIO_3_VIEWS = [
   {
@@ -2174,6 +2321,12 @@ var SCENARIO_3_VIEWS = [
     ]
   }
 ];
+var SCENARIO_9_COMMANDS = [
+  { name: "Commit Changes", prompt: "Make a commit for the recently completed tickets.", icon: "git-commit-horizontal", color: "#6b7280" },
+  { name: "Run Tests", prompt: "Run the test suite and report any failures.", icon: "test-tubes", color: "#3b82f6" },
+  { name: "Code Review", prompt: "Review the recent changes for code quality and potential issues.", icon: "search-code", color: "#8b5cf6" },
+  { name: "Deploy Staging", prompt: "Deploy the current branch to the staging environment.", icon: "rocket", color: "#f97316" }
+];
 async function seedDemoData(scenario) {
   const db2 = await getDb();
   const tickets = SCENARIO_DATA[scenario];
@@ -2210,12 +2363,20 @@ async function seedDemoData(scenario) {
     await backfillSnapshots2();
     await recordDailySnapshot2();
   }
+  if (scenario === 9) {
+    await db2.query(`INSERT INTO settings (key, value) VALUES ('channel_enabled', 'true') ON CONFLICT (key) DO UPDATE SET value = 'true'`);
+    await db2.query(
+      `INSERT INTO settings (key, value) VALUES ('custom_commands', $1) ON CONFLICT (key) DO UPDATE SET value = $1`,
+      [JSON.stringify(SCENARIO_9_COMMANDS)]
+    );
+  }
 }
 
 // src/cli.ts
 init_gitignore();
 
 // src/server.ts
+init_file_settings();
 import { serve } from "@hono/node-server";
 import { exec } from "child_process";
 import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
@@ -2229,9 +2390,10 @@ import { Hono } from "hono";
 import { basename, extname, join as join9, relative as relative2 } from "path";
 
 // src/skills.ts
+init_file_settings();
 import { existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
 import { join as join6, relative } from "path";
-var SKILL_VERSION = 3;
+var SKILL_VERSION = 4;
 var skillPort;
 var skillDataDir;
 var skillCategories = DEFAULT_CATEGORIES;
@@ -2270,7 +2432,10 @@ function updateFile(path, content) {
   return true;
 }
 function ticketSkillBody(skill) {
-  return [
+  const settings = readFileSettings(skillDataDir);
+  const secret = settings.secret || "";
+  const secretLine = secret ? `  -H "X-Hotsheet-Secret: ${secret}" \\` : "";
+  const lines = [
     `Create a new Hot Sheet **${skill.label}** ticket. ${skill.description}.`,
     "",
     "**Parsing the input:**",
@@ -2280,16 +2445,25 @@ function ticketSkillBody(skill) {
     "**Create the ticket** by running:",
     "```bash",
     `curl -s -X POST http://localhost:${skillPort}/api/tickets \\`,
-    '  -H "Content-Type: application/json" \\',
+    '  -H "Content-Type: application/json" \\'
+  ];
+  if (secretLine) lines.push(secretLine);
+  lines.push(
     `  -d '{"title": "<TITLE>", "defaults": {"category": "${skill.category}", "up_next": <true|false>}}'`,
     "```",
     "",
+    `If the request fails (connection refused or 403), re-read \`.hotsheet/settings.json\` for the current \`port\` and \`secret\` values \u2014 you may be connecting to the wrong Hot Sheet instance.`,
+    "",
     "Report the created ticket number and title to the user."
-  ].join("\n");
+  );
+  return lines.join("\n");
 }
 function mainSkillBody() {
   const worklistRel = relative(process.cwd(), join6(skillDataDir, "worklist.md"));
+  const settingsRel = relative(process.cwd(), join6(skillDataDir, "settings.json"));
   return [
+    `Base directory for this skill: ${join6(process.cwd(), ".claude", "skills", "hotsheet")}`,
+    "",
     `Read \`${worklistRel}\` and work through the tickets in priority order.`,
     "",
     "For each ticket:",
@@ -2297,7 +2471,9 @@ function mainSkillBody() {
     "2. Implement the work described",
     "3. When complete, mark it done via the Hot Sheet UI",
     "",
-    "Work through them in order of priority, where reasonable."
+    "Work through them in order of priority, where reasonable.",
+    "",
+    `If API calls fail (connection refused or 403), re-read \`${settingsRel}\` for the current \`port\` and \`secret\` values \u2014 you may be connecting to the wrong Hot Sheet instance.`
   ].join("\n");
 }
 var HOTSHEET_ALLOW_PATTERNS = [
@@ -2478,6 +2654,7 @@ function consumeSkillsCreatedFlag() {
 // src/sync/markdown.ts
 import { writeFileSync as writeFileSync5 } from "fs";
 import { join as join7 } from "path";
+init_file_settings();
 var dataDir;
 var port;
 var worklistTimeout = null;
@@ -2514,7 +2691,7 @@ function parseTicketNotes(raw) {
   if (raw.trim()) return [{ text: raw, created_at: "" }];
   return [];
 }
-async function formatTicket(ticket) {
+async function formatTicket(ticket, autoContext) {
   const attachments = await getAttachments(ticket.id);
   const lines = [];
   lines.push(`TICKET ${ticket.ticket_number}:`);
@@ -2523,15 +2700,24 @@ async function formatTicket(ticket) {
   lines.push(`- Priority: ${ticket.priority}`);
   lines.push(`- Status: ${ticket.status.replace("_", " ")}`);
   lines.push(`- Title: ${ticket.title}`);
+  let ticketTags = [];
   try {
     const tags = JSON.parse(ticket.tags);
     if (Array.isArray(tags) && tags.length > 0) {
-      lines.push(`- Tags: ${tags.join(", ")}`);
+      ticketTags = tags;
+      const display = tags.map((t) => t.replace(/\b\w/g, (c) => c.toUpperCase()));
+      lines.push(`- Tags: ${display.join(", ")}`);
     }
   } catch {
   }
-  if (ticket.details.trim()) {
-    const detailLines = ticket.details.split("\n");
+  const contextParts = [];
+  const catContext = autoContext.find((ac) => ac.type === "category" && ac.key === ticket.category);
+  if (catContext) contextParts.push(catContext.text);
+  const tagContexts = autoContext.filter((ac) => ac.type === "tag" && ticketTags.some((t) => t.toLowerCase() === ac.key.toLowerCase())).sort((a, b) => a.key.localeCompare(b.key));
+  for (const tc of tagContexts) contextParts.push(tc.text);
+  const fullDetails = contextParts.length > 0 ? contextParts.join("\n\n") + (ticket.details.trim() ? "\n\n" + ticket.details : "") : ticket.details;
+  if (fullDetails.trim()) {
+    const detailLines = fullDetails.split("\n");
     lines.push(`- Details: ${detailLines[0]}`);
     for (let i = 1; i < detailLines.length; i++) {
       lines.push(`  ${detailLines[i]}`);
@@ -2553,6 +2739,17 @@ async function formatTicket(ticket) {
   }
   return lines.join("\n");
 }
+async function loadAutoContext() {
+  try {
+    const settings = await getSettings();
+    if (settings.auto_context) {
+      const parsed = JSON.parse(settings.auto_context);
+      if (Array.isArray(parsed)) return parsed;
+    }
+  } catch {
+  }
+  return [];
+}
 async function formatCategoryDescriptions(usedCategories) {
   const allCategories = await getCategories();
   const descMap = Object.fromEntries(allCategories.map((c) => [c.id, c.description]));
@@ -2573,18 +2770,21 @@ async function syncWorklist() {
     sections.push("");
     sections.push("## Workflow");
     sections.push("");
+    const settings = readFileSettings(dataDir);
+    const secret = settings.secret || "";
+    const secretHeader = secret ? ` -H "X-Hotsheet-Secret: ${secret}"` : "";
     sections.push(`The Hot Sheet API is available at http://localhost:${port}/api. **You MUST update ticket status** as you work \u2014 this is required, not optional.`);
     sections.push("");
     sections.push('- **BEFORE starting work on a ticket**, set its status to "started":');
-    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json" -d '{"status": "started"}'\``);
+    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json"${secretHeader} -d '{"status": "started"}'\``);
     sections.push("");
     sections.push('- **AFTER completing work on a ticket**, set its status to "completed" and **include notes** describing what was done:');
-    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json" -d '{"status": "completed", "notes": "Describe the specific changes made"}'\``);
+    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json"${secretHeader} -d '{"status": "completed", "notes": "Describe the specific changes made"}'\``);
     sections.push("");
     sections.push("**IMPORTANT:**");
     sections.push('- Update status for EVERY ticket \u2014 "started" when you begin, "completed" when you finish.');
     sections.push('- The "notes" field is REQUIRED when completing a ticket. Describe the specific work done.');
-    sections.push("- If an API call fails (e.g. connection refused, error response), log a visible warning to the user and continue your work. Do NOT silently skip status updates.");
+    sections.push("- If an API call fails (e.g. connection refused, 403 secret mismatch, or error response), **re-read `.hotsheet/settings.json`** to get the correct `port` and `secret` values \u2014 you may be connecting to the wrong Hot Sheet instance. Log a visible warning to the user and continue your work. Do NOT silently skip status updates.");
     sections.push('- Do NOT set tickets to "verified" \u2014 that status is reserved for human review.');
     sections.push("");
     sections.push("## Creating Tickets");
@@ -2598,7 +2798,7 @@ async function syncWorklist() {
     sections.push("To create a ticket:");
     const allCats = await getCategories();
     const catIds = allCats.map((c) => c.id).join("|");
-    sections.push(`  \`curl -s -X POST http://localhost:${port}/api/tickets -H "Content-Type: application/json" -d '{"title": "Title", "defaults": {"category": "${catIds}", "up_next": false}}'\``);
+    sections.push(`  \`curl -s -X POST http://localhost:${port}/api/tickets -H "Content-Type: application/json"${secretHeader} -d '{"title": "Title", "defaults": {"category": "${catIds}", "up_next": false}}'\``);
     sections.push("");
     sections.push('You can also include `"details"` in the defaults object for longer descriptions.');
     sections.push("Set `up_next: true` only for items that should be prioritized immediately.");
@@ -2606,11 +2806,12 @@ async function syncWorklist() {
     if (tickets.length === 0) {
       sections.push("No items in the Up Next list.");
     } else {
+      const autoContext = await loadAutoContext();
       for (const ticket of tickets) {
         categories.add(ticket.category);
         sections.push("---");
         sections.push("");
-        const formatted = await formatTicket(ticket);
+        const formatted = await formatTicket(ticket, autoContext);
         sections.push(formatted);
         sections.push("");
       }
@@ -2635,12 +2836,13 @@ async function syncOpenTickets() {
     sections.push("");
     const started = tickets.filter((t) => t.status === "started");
     const notStarted = tickets.filter((t) => t.status === "not_started");
+    const autoContext = await loadAutoContext();
     if (started.length > 0) {
       sections.push(`## Started (${started.length})`);
       sections.push("");
       for (const ticket of started) {
         categories.add(ticket.category);
-        const formatted = await formatTicket(ticket);
+        const formatted = await formatTicket(ticket, autoContext);
         sections.push(formatted);
         sections.push("");
       }
@@ -2650,7 +2852,7 @@ async function syncOpenTickets() {
       sections.push("");
       for (const ticket of notStarted) {
         categories.add(ticket.category);
-        const formatted = await formatTicket(ticket);
+        const formatted = await formatTicket(ticket, autoContext);
         sections.push(formatted);
         sections.push("");
       }
@@ -2677,8 +2879,8 @@ function notifyChange() {
   changeVersion++;
   const waiters = pollWaiters;
   pollWaiters = [];
-  for (const resolve3 of waiters) {
-    resolve3(changeVersion);
+  for (const resolve4 of waiters) {
+    resolve4(changeVersion);
   }
 }
 apiRoutes.get("/poll", async (c) => {
@@ -2687,11 +2889,11 @@ apiRoutes.get("/poll", async (c) => {
     return c.json({ version: changeVersion });
   }
   const version = await Promise.race([
-    new Promise((resolve3) => {
-      pollWaiters.push(resolve3);
+    new Promise((resolve4) => {
+      pollWaiters.push(resolve4);
     }),
-    new Promise((resolve3) => {
-      setTimeout(() => resolve3(changeVersion), 3e4);
+    new Promise((resolve4) => {
+      setTimeout(() => resolve4(changeVersion), 3e4);
     })
   ]);
   return c.json({ version });
@@ -2717,7 +2919,24 @@ apiRoutes.get("/tickets", async (c) => {
 });
 apiRoutes.post("/tickets", async (c) => {
   const body = await c.req.json();
-  const ticket = await createTicket(body.title || "", body.defaults);
+  let title = body.title || "";
+  const defaults = body.defaults || {};
+  const { title: cleanTitle, tags: bracketTags } = extractBracketTags(title);
+  if (bracketTags.length > 0) {
+    title = cleanTitle || title;
+    let existingTags = [];
+    if (defaults.tags) {
+      try {
+        existingTags = JSON.parse(defaults.tags);
+      } catch {
+      }
+    }
+    for (const tag of bracketTags) {
+      if (!existingTags.some((t) => t.toLowerCase() === tag.toLowerCase())) existingTags.push(tag);
+    }
+    defaults.tags = JSON.stringify(existingTags);
+  }
+  const ticket = await createTicket(title, defaults);
   scheduleAllSync();
   notifyChange();
   return c.json(ticket, 201);
@@ -2939,7 +3158,7 @@ apiRoutes.get("/attachments/file/*", async (c) => {
 });
 apiRoutes.post("/tickets/query", async (c) => {
   const body = await c.req.json();
-  const tickets = await queryTickets(body.logic, body.conditions, body.sort_by, body.sort_dir);
+  const tickets = await queryTickets(body.logic, body.conditions, body.sort_by, body.sort_dir, body.required_tag);
   return c.json(tickets);
 });
 apiRoutes.get("/tags", async (c) => {
@@ -3708,6 +3927,16 @@ pageRoutes.get("/", (c) => {
           ] }),
           /* @__PURE__ */ jsx("span", { children: "Backups" })
         ] }),
+        /* @__PURE__ */ jsx("button", { className: "settings-tab", "data-tab": "context", children: [
+          /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", width: "20", height: "20", viewBox: "0 0 24 24", fill: "none", stroke: "currentColor", strokeWidth: "2", strokeLinecap: "round", strokeLinejoin: "round", children: [
+            /* @__PURE__ */ jsx("path", { d: "M14.5 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V7.5L14.5 2z" }),
+            /* @__PURE__ */ jsx("polyline", { points: "14 2 14 8 20 8" }),
+            /* @__PURE__ */ jsx("line", { x1: "16", x2: "8", y1: "13", y2: "13" }),
+            /* @__PURE__ */ jsx("line", { x1: "16", x2: "8", y1: "17", y2: "17" }),
+            /* @__PURE__ */ jsx("line", { x1: "10", x2: "8", y1: "9", y2: "9" })
+          ] }),
+          /* @__PURE__ */ jsx("span", { children: "Context" })
+        ] }),
         /* @__PURE__ */ jsx("button", { className: "settings-tab", "data-tab": "experimental", id: "settings-tab-experimental", style: "display:none", children: [
           /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", width: "20", height: "20", viewBox: "0 0 24 24", fill: "none", stroke: "currentColor", strokeWidth: "2", strokeLinecap: "round", strokeLinejoin: "round", children: [
             /* @__PURE__ */ jsx("path", { d: "M10 2v7.527a2 2 0 0 1-.211.896L4.72 20.55a1 1 0 0 0 .9 1.45h12.76a1 1 0 0 0 .9-1.45l-5.069-10.127A2 2 0 0 1 14 9.527V2" }),
@@ -3739,6 +3968,22 @@ pageRoutes.get("/", (c) => {
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
             /* @__PURE__ */ jsx("label", { children: "Auto-clear verified after (days)" }),
             /* @__PURE__ */ jsx("input", { type: "number", id: "settings-verified-days", min: "1", value: "30" })
+          ] }),
+          /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
+            /* @__PURE__ */ jsx("label", { children: "When Claude needs permission" }),
+            /* @__PURE__ */ jsx("select", { id: "settings-notify-permission", children: [
+              /* @__PURE__ */ jsx("option", { value: "none", children: "Don't notify" }),
+              /* @__PURE__ */ jsx("option", { value: "once", children: "Notify once" }),
+              /* @__PURE__ */ jsx("option", { value: "persistent", selected: true, children: "Notify until focused" })
+            ] })
+          ] }),
+          /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
+            /* @__PURE__ */ jsx("label", { children: "When Claude finishes work" }),
+            /* @__PURE__ */ jsx("select", { id: "settings-notify-completed", children: [
+              /* @__PURE__ */ jsx("option", { value: "none", children: "Don't notify" }),
+              /* @__PURE__ */ jsx("option", { value: "once", selected: true, children: "Notify once" }),
+              /* @__PURE__ */ jsx("option", { value: "persistent", children: "Notify until focused" })
+            ] })
           ] })
         ] }),
         /* @__PURE__ */ jsx("div", { className: "settings-tab-panel", "data-panel": "categories", children: [
@@ -3761,6 +4006,14 @@ pageRoutes.get("/", (c) => {
           ] }),
           /* @__PURE__ */ jsx("div", { id: "backup-list", className: "backup-list", children: "Loading backups..." })
         ] }),
+        /* @__PURE__ */ jsx("div", { className: "settings-tab-panel", "data-panel": "context", children: [
+          /* @__PURE__ */ jsx("div", { className: "settings-section-header", children: [
+            /* @__PURE__ */ jsx("h3", { children: "Auto-Context" }),
+            /* @__PURE__ */ jsx("button", { className: "btn btn-sm", id: "auto-context-add-btn", children: "+ Add" })
+          ] }),
+          /* @__PURE__ */ jsx("span", { className: "settings-hint", style: "margin-bottom:12px;display:block", children: "Automatically prepend instructions to ticket details in the worklist, based on category or tag. Category context appears first, then tag context in alphabetical order." }),
+          /* @__PURE__ */ jsx("div", { id: "auto-context-list" })
+        ] }),
         /* @__PURE__ */ jsx("div", { className: "settings-tab-panel", "data-panel": "experimental", id: "settings-experimental-panel", style: "display:none", children: [
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
             /* @__PURE__ */ jsx("label", { className: "settings-checkbox-label", children: [
@@ -3809,10 +4062,10 @@ pageRoutes.get("/", (c) => {
 
 // src/server.ts
 function tryServe(fetch2, port2) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const server = serve({ fetch: fetch2, port: port2 });
     server.on("listening", () => {
-      resolve3(port2);
+      resolve4(port2);
     });
     server.on("error", (err) => {
       reject(err);
@@ -3844,6 +4097,19 @@ async function startServer(port2, dataDir2, options) {
     const mimeTypes = { png: "image/png", jpg: "image/jpeg", svg: "image/svg+xml" };
     return new Response(content, { headers: { "Content-Type": mimeTypes[ext || ""] || "application/octet-stream", "Cache-Control": "max-age=86400" } });
   });
+  app.use("/api/*", async (c, next) => {
+    const headerSecret = c.req.header("X-Hotsheet-Secret");
+    if (headerSecret) {
+      const settings = readFileSettings(dataDir2);
+      if (settings.secret && headerSecret !== settings.secret) {
+        return c.json({
+          error: "Secret mismatch \u2014 you may be connecting to the wrong Hot Sheet instance.",
+          recovery: "Re-read .hotsheet/settings.json to get the correct port and secret, and re-read your skill files (e.g. .claude/skills/hotsheet/SKILL.md) for updated instructions."
+        }, 403);
+      }
+    }
+    await next();
+  });
   app.route("/api", apiRoutes);
   app.route("/api/backups", backupRoutes);
   app.route("/", pageRoutes);
@@ -3920,10 +4186,10 @@ function isFirstUseToday() {
   return last !== today;
 }
 function fetchLatestVersion() {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const req = get(`https://registry.npmjs.org/${PACKAGE_NAME}/latest`, { timeout: 5e3 }, (res) => {
       if (res.statusCode !== 200) {
-        resolve3(null);
+        resolve4(null);
         return;
       }
       let data = "";
@@ -3932,18 +4198,18 @@ function fetchLatestVersion() {
       });
       res.on("end", () => {
         try {
-          resolve3(JSON.parse(data).version);
+          resolve4(JSON.parse(data).version);
         } catch {
-          resolve3(null);
+          resolve4(null);
         }
       });
     });
     req.on("error", () => {
-      resolve3(null);
+      resolve4(null);
     });
     req.on("timeout", () => {
       req.destroy();
-      resolve3(null);
+      resolve4(null);
     });
   });
 }
@@ -4045,7 +4311,7 @@ function parseArgs(argv) {
         }
         break;
       case "--data-dir":
-        dataDir2 = resolve2(args[++i]);
+        dataDir2 = resolve3(args[++i]);
         break;
       case "--check-for-updates":
         forceUpdateCheck = true;
@@ -4103,6 +4369,7 @@ async function main() {
   }
   console.log(`  Data directory: ${dataDir2}`);
   const actualPort = await startServer(port2, dataDir2, { noOpen, strictPort });
+  ensureSecret(dataDir2, actualPort);
   initMarkdownSync(dataDir2, actualPort);
   scheduleAllSync();
   initSkills(actualPort, dataDir2);