hotsheet 0.6.5 → 0.8.0

package/dist/cli.js

@@ -129,12 +129,14 @@ var init_connection = __esm({
 // src/file-settings.ts
 var file_settings_exports = {};
 __export(file_settings_exports, {
+  ensureSecret: () => ensureSecret,
   getBackupDir: () => getBackupDir,
   readFileSettings: () => readFileSettings,
   writeFileSettings: () => writeFileSettings
 });
+import { createHash, randomBytes } from "crypto";
 import { existsSync, readFileSync, writeFileSync } from "fs";
-import { join as join2 } from "path";
+import { join as join2, resolve } from "path";
 function settingsPath(dataDir2) {
   return join2(dataDir2, "settings.json");
 }
@@ -157,6 +159,25 @@ function getBackupDir(dataDir2) {
   const settings = readFileSettings(dataDir2);
   return settings.backupDir || join2(dataDir2, "backups");
 }
+function hashPath(dataDir2) {
+  const absPath = resolve(settingsPath(dataDir2));
+  return createHash("sha256").update(absPath).digest("hex").slice(0, 16);
+}
+function ensureSecret(dataDir2, port2) {
+  const settings = readFileSettings(dataDir2);
+  const currentPathHash = hashPath(dataDir2);
+  if (settings.secret && settings.secretPathHash === currentPathHash) {
+    if (settings.port !== port2) {
+      writeFileSettings(dataDir2, { port: port2 });
+    }
+    return settings.secret;
+  }
+  const random = randomBytes(32).toString("hex");
+  const absPath = resolve(settingsPath(dataDir2));
+  const secret = createHash("sha256").update(absPath + random).digest("hex").slice(0, 32);
+  writeFileSettings(dataDir2, { secret, secretPathHash: currentPathHash, port: port2 });
+  return secret;
+}
 var init_file_settings = __esm({
   "src/file-settings.ts"() {
     "use strict";
@@ -430,15 +451,15 @@ __export(channel_config_exports, {
   unregisterChannel: () => unregisterChannel
 });
 import { existsSync as existsSync6, readFileSync as readFileSync6, writeFileSync as writeFileSync6 } from "fs";
-import { dirname, join as join8, resolve } from "path";
+import { dirname, join as join8, resolve as resolve2 } from "path";
 import { fileURLToPath } from "url";
 function getChannelServerPath() {
   const thisDir = dirname(fileURLToPath(import.meta.url));
-  const distPath = resolve(thisDir, "channel.js");
+  const distPath = resolve2(thisDir, "channel.js");
   if (existsSync6(distPath)) {
     return { command: "node", args: [distPath] };
   }
-  const srcPath = resolve(thisDir, "channel.ts");
+  const srcPath = resolve2(thisDir, "channel.ts");
   if (existsSync6(srcPath)) {
     return { command: "npx", args: ["tsx", srcPath] };
   }
@@ -498,10 +519,17 @@ async function isChannelAlive(dataDir2) {
 async function triggerChannel(dataDir2, serverPort, message) {
   const port2 = getChannelPort(dataDir2);
   if (!port2) return false;
+  let secretHeader = "";
+  try {
+    const { readFileSettings: readFileSettings2 } = await Promise.resolve().then(() => (init_file_settings(), file_settings_exports));
+    const settings = readFileSettings2(dataDir2);
+    if (settings.secret) secretHeader = ` -H "X-Hotsheet-Secret: ${settings.secret}"`;
+  } catch {
+  }
   const doneSignal = `
 
 When you are completely finished (or if there was nothing to do), signal completion by running:
-curl -s -X POST http://localhost:${serverPort}/api/channel/done`;
+curl -s -X POST http://localhost:${serverPort}/api/channel/done${secretHeader}`;
   const content = message ? message + doneSignal : "Process the Hot Sheet worklist. Run /hotsheet to work through the current Up Next items." + doneSignal;
   try {
     const res = await fetch(`http://127.0.0.1:${port2}/trigger`, {
@@ -524,7 +552,7 @@ var init_channel_config = __esm({
 // src/cli.ts
 import { mkdirSync as mkdirSync6 } from "fs";
 import { tmpdir } from "os";
-import { join as join12, resolve as resolve2 } from "path";
+import { join as join12, resolve as resolve3 } from "path";
 
 // src/backup.ts
 init_connection();
@@ -967,7 +995,7 @@ async function getTickets(filters = {}) {
     paramIdx++;
   }
   if (filters.search !== void 0 && filters.search !== "") {
-    conditions.push(`(title ILIKE $${paramIdx} OR details ILIKE $${paramIdx} OR ticket_number ILIKE $${paramIdx})`);
+    conditions.push(`(title ILIKE $${paramIdx} OR details ILIKE $${paramIdx} OR ticket_number ILIKE $${paramIdx} OR tags ILIKE $${paramIdx})`);
     values.push(`%${filters.search}%`);
     paramIdx++;
   }
@@ -1185,6 +1213,16 @@ async function queryTickets(logic, conditions, sortBy, sortDir, requiredTag) {
 function normalizeTag(input) {
   return input.replace(/[^a-zA-Z0-9]+/g, " ").trim().toLowerCase();
 }
+function extractBracketTags(input) {
+  const tags = [];
+  const cleaned = input.replace(/\[([^\]]*)\]/g, (_match, content) => {
+    const tag = normalizeTag(content);
+    if (tag && !tags.includes(tag)) tags.push(tag);
+    return " ";
+  });
+  const title = cleaned.replace(/\s+/g, " ").trim();
+  return { title, tags };
+}
 async function getAllTags() {
   const db2 = await getDb();
   const result = await db2.query(`SELECT DISTINCT tags FROM tickets WHERE tags != '[]' AND status != 'deleted'`);
@@ -1316,6 +1354,7 @@ async function cleanupAttachments() {
 
 // src/cli.ts
 init_connection();
+init_file_settings();
 
 // src/lock.ts
 import { existsSync as existsSync3, readFileSync as readFileSync3, rmSync as rmSync4, writeFileSync as writeFileSync3 } from "fs";
@@ -2344,6 +2383,7 @@ async function seedDemoData(scenario) {
 init_gitignore();
 
 // src/server.ts
+init_file_settings();
 import { serve } from "@hono/node-server";
 import { exec } from "child_process";
 import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
@@ -2357,9 +2397,10 @@ import { Hono } from "hono";
 import { basename, extname, join as join9, relative as relative2 } from "path";
 
 // src/skills.ts
+init_file_settings();
 import { existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
 import { join as join6, relative } from "path";
-var SKILL_VERSION = 3;
+var SKILL_VERSION = 4;
 var skillPort;
 var skillDataDir;
 var skillCategories = DEFAULT_CATEGORIES;
@@ -2398,7 +2439,10 @@ function updateFile(path, content) {
   return true;
 }
 function ticketSkillBody(skill) {
-  return [
+  const settings = readFileSettings(skillDataDir);
+  const secret = settings.secret || "";
+  const secretLine = secret ? `  -H "X-Hotsheet-Secret: ${secret}" \\` : "";
+  const lines = [
     `Create a new Hot Sheet **${skill.label}** ticket. ${skill.description}.`,
     "",
     "**Parsing the input:**",
@@ -2408,16 +2452,25 @@ function ticketSkillBody(skill) {
     "**Create the ticket** by running:",
     "```bash",
     `curl -s -X POST http://localhost:${skillPort}/api/tickets \\`,
-    '  -H "Content-Type: application/json" \\',
+    '  -H "Content-Type: application/json" \\'
+  ];
+  if (secretLine) lines.push(secretLine);
+  lines.push(
     `  -d '{"title": "<TITLE>", "defaults": {"category": "${skill.category}", "up_next": <true|false>}}'`,
     "```",
     "",
+    `If the request fails (connection refused or 403), re-read \`.hotsheet/settings.json\` for the current \`port\` and \`secret\` values \u2014 you may be connecting to the wrong Hot Sheet instance.`,
+    "",
     "Report the created ticket number and title to the user."
-  ].join("\n");
+  );
+  return lines.join("\n");
 }
 function mainSkillBody() {
   const worklistRel = relative(process.cwd(), join6(skillDataDir, "worklist.md"));
+  const settingsRel = relative(process.cwd(), join6(skillDataDir, "settings.json"));
   return [
+    `Base directory for this skill: ${join6(process.cwd(), ".claude", "skills", "hotsheet")}`,
+    "",
     `Read \`${worklistRel}\` and work through the tickets in priority order.`,
     "",
     "For each ticket:",
@@ -2425,7 +2478,9 @@ function mainSkillBody() {
     "2. Implement the work described",
     "3. When complete, mark it done via the Hot Sheet UI",
     "",
-    "Work through them in order of priority, where reasonable."
+    "Work through them in order of priority, where reasonable.",
+    "",
+    `If API calls fail (connection refused or 403), re-read \`${settingsRel}\` for the current \`port\` and \`secret\` values \u2014 you may be connecting to the wrong Hot Sheet instance.`
   ].join("\n");
 }
 var HOTSHEET_ALLOW_PATTERNS = [
@@ -2606,6 +2661,7 @@ function consumeSkillsCreatedFlag() {
 // src/sync/markdown.ts
 import { writeFileSync as writeFileSync5 } from "fs";
 import { join as join7 } from "path";
+init_file_settings();
 var dataDir;
 var port;
 var worklistTimeout = null;
@@ -2642,7 +2698,7 @@ function parseTicketNotes(raw) {
   if (raw.trim()) return [{ text: raw, created_at: "" }];
   return [];
 }
-async function formatTicket(ticket) {
+async function formatTicket(ticket, autoContext) {
   const attachments = await getAttachments(ticket.id);
   const lines = [];
   lines.push(`TICKET ${ticket.ticket_number}:`);
@@ -2651,16 +2707,24 @@ async function formatTicket(ticket) {
   lines.push(`- Priority: ${ticket.priority}`);
   lines.push(`- Status: ${ticket.status.replace("_", " ")}`);
   lines.push(`- Title: ${ticket.title}`);
+  let ticketTags = [];
   try {
     const tags = JSON.parse(ticket.tags);
     if (Array.isArray(tags) && tags.length > 0) {
+      ticketTags = tags;
       const display = tags.map((t) => t.replace(/\b\w/g, (c) => c.toUpperCase()));
       lines.push(`- Tags: ${display.join(", ")}`);
     }
   } catch {
   }
-  if (ticket.details.trim()) {
-    const detailLines = ticket.details.split("\n");
+  const contextParts = [];
+  const catContext = autoContext.find((ac) => ac.type === "category" && ac.key === ticket.category);
+  if (catContext) contextParts.push(catContext.text);
+  const tagContexts = autoContext.filter((ac) => ac.type === "tag" && ticketTags.some((t) => t.toLowerCase() === ac.key.toLowerCase())).sort((a, b) => a.key.localeCompare(b.key));
+  for (const tc of tagContexts) contextParts.push(tc.text);
+  const fullDetails = contextParts.length > 0 ? contextParts.join("\n\n") + (ticket.details.trim() ? "\n\n" + ticket.details : "") : ticket.details;
+  if (fullDetails.trim()) {
+    const detailLines = fullDetails.split("\n");
     lines.push(`- Details: ${detailLines[0]}`);
     for (let i = 1; i < detailLines.length; i++) {
       lines.push(`  ${detailLines[i]}`);
@@ -2682,6 +2746,17 @@ async function formatTicket(ticket) {
   }
   return lines.join("\n");
 }
+async function loadAutoContext() {
+  try {
+    const settings = await getSettings();
+    if (settings.auto_context) {
+      const parsed = JSON.parse(settings.auto_context);
+      if (Array.isArray(parsed)) return parsed;
+    }
+  } catch {
+  }
+  return [];
+}
 async function formatCategoryDescriptions(usedCategories) {
   const allCategories = await getCategories();
   const descMap = Object.fromEntries(allCategories.map((c) => [c.id, c.description]));
@@ -2702,18 +2777,21 @@ async function syncWorklist() {
     sections.push("");
     sections.push("## Workflow");
     sections.push("");
+    const settings = readFileSettings(dataDir);
+    const secret = settings.secret || "";
+    const secretHeader = secret ? ` -H "X-Hotsheet-Secret: ${secret}"` : "";
     sections.push(`The Hot Sheet API is available at http://localhost:${port}/api. **You MUST update ticket status** as you work \u2014 this is required, not optional.`);
     sections.push("");
     sections.push('- **BEFORE starting work on a ticket**, set its status to "started":');
-    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json" -d '{"status": "started"}'\``);
+    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json"${secretHeader} -d '{"status": "started"}'\``);
     sections.push("");
     sections.push('- **AFTER completing work on a ticket**, set its status to "completed" and **include notes** describing what was done:');
-    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json" -d '{"status": "completed", "notes": "Describe the specific changes made"}'\``);
+    sections.push(`  \`curl -s -X PATCH http://localhost:${port}/api/tickets/{id} -H "Content-Type: application/json"${secretHeader} -d '{"status": "completed", "notes": "Describe the specific changes made"}'\``);
     sections.push("");
     sections.push("**IMPORTANT:**");
     sections.push('- Update status for EVERY ticket \u2014 "started" when you begin, "completed" when you finish.');
     sections.push('- The "notes" field is REQUIRED when completing a ticket. Describe the specific work done.');
-    sections.push("- If an API call fails (e.g. connection refused, error response), log a visible warning to the user and continue your work. Do NOT silently skip status updates.");
+    sections.push("- If an API call fails (e.g. connection refused, 403 secret mismatch, or error response), **re-read `.hotsheet/settings.json`** to get the correct `port` and `secret` values \u2014 you may be connecting to the wrong Hot Sheet instance. Log a visible warning to the user and continue your work. Do NOT silently skip status updates.");
     sections.push('- Do NOT set tickets to "verified" \u2014 that status is reserved for human review.');
     sections.push("");
     sections.push("## Creating Tickets");
@@ -2727,7 +2805,7 @@ async function syncWorklist() {
     sections.push("To create a ticket:");
     const allCats = await getCategories();
     const catIds = allCats.map((c) => c.id).join("|");
-    sections.push(`  \`curl -s -X POST http://localhost:${port}/api/tickets -H "Content-Type: application/json" -d '{"title": "Title", "defaults": {"category": "${catIds}", "up_next": false}}'\``);
+    sections.push(`  \`curl -s -X POST http://localhost:${port}/api/tickets -H "Content-Type: application/json"${secretHeader} -d '{"title": "Title", "defaults": {"category": "${catIds}", "up_next": false}}'\``);
     sections.push("");
     sections.push('You can also include `"details"` in the defaults object for longer descriptions.');
     sections.push("Set `up_next: true` only for items that should be prioritized immediately.");
@@ -2735,11 +2813,12 @@ async function syncWorklist() {
     if (tickets.length === 0) {
       sections.push("No items in the Up Next list.");
     } else {
+      const autoContext = await loadAutoContext();
       for (const ticket of tickets) {
         categories.add(ticket.category);
         sections.push("---");
         sections.push("");
-        const formatted = await formatTicket(ticket);
+        const formatted = await formatTicket(ticket, autoContext);
         sections.push(formatted);
         sections.push("");
       }
@@ -2764,12 +2843,13 @@ async function syncOpenTickets() {
     sections.push("");
     const started = tickets.filter((t) => t.status === "started");
     const notStarted = tickets.filter((t) => t.status === "not_started");
+    const autoContext = await loadAutoContext();
     if (started.length > 0) {
       sections.push(`## Started (${started.length})`);
       sections.push("");
       for (const ticket of started) {
         categories.add(ticket.category);
-        const formatted = await formatTicket(ticket);
+        const formatted = await formatTicket(ticket, autoContext);
         sections.push(formatted);
         sections.push("");
       }
@@ -2779,7 +2859,7 @@ async function syncOpenTickets() {
       sections.push("");
       for (const ticket of notStarted) {
         categories.add(ticket.category);
-        const formatted = await formatTicket(ticket);
+        const formatted = await formatTicket(ticket, autoContext);
         sections.push(formatted);
         sections.push("");
       }
@@ -2806,8 +2886,8 @@ function notifyChange() {
   changeVersion++;
   const waiters = pollWaiters;
   pollWaiters = [];
-  for (const resolve3 of waiters) {
-    resolve3(changeVersion);
+  for (const resolve4 of waiters) {
+    resolve4(changeVersion);
   }
 }
 apiRoutes.get("/poll", async (c) => {
@@ -2816,11 +2896,11 @@ apiRoutes.get("/poll", async (c) => {
     return c.json({ version: changeVersion });
   }
   const version = await Promise.race([
-    new Promise((resolve3) => {
-      pollWaiters.push(resolve3);
+    new Promise((resolve4) => {
+      pollWaiters.push(resolve4);
     }),
-    new Promise((resolve3) => {
-      setTimeout(() => resolve3(changeVersion), 3e4);
+    new Promise((resolve4) => {
+      setTimeout(() => resolve4(changeVersion), 3e4);
     })
   ]);
   return c.json({ version });
@@ -2846,7 +2926,24 @@ apiRoutes.get("/tickets", async (c) => {
 });
 apiRoutes.post("/tickets", async (c) => {
   const body = await c.req.json();
-  const ticket = await createTicket(body.title || "", body.defaults);
+  let title = body.title || "";
+  const defaults = body.defaults || {};
+  const { title: cleanTitle, tags: bracketTags } = extractBracketTags(title);
+  if (bracketTags.length > 0) {
+    title = cleanTitle || title;
+    let existingTags = [];
+    if (defaults.tags) {
+      try {
+        existingTags = JSON.parse(defaults.tags);
+      } catch {
+      }
+    }
+    for (const tag of bracketTags) {
+      if (!existingTags.some((t) => t.toLowerCase() === tag.toLowerCase())) existingTags.push(tag);
+    }
+    defaults.tags = JSON.stringify(existingTags);
+  }
+  const ticket = await createTicket(title, defaults);
   scheduleAllSync();
   notifyChange();
   return c.json(ticket, 201);
@@ -3747,7 +3844,7 @@ pageRoutes.get("/", (c) => {
                 /* @__PURE__ */ jsx("div", { id: "detail-attachments", className: "detail-attachments" }),
                 /* @__PURE__ */ jsx("label", { className: "btn btn-sm upload-btn", children: [
                   "Attach File",
-                  /* @__PURE__ */ jsx("input", { type: "file", id: "detail-file-input", style: "display:none" })
+                  /* @__PURE__ */ jsx("input", { type: "file", id: "detail-file-input", style: "display:none", multiple: true })
                 ] })
               ] }),
               /* @__PURE__ */ jsx("div", { className: "detail-field detail-field-full", id: "detail-notes-section", children: [
@@ -3772,7 +3869,7 @@ pageRoutes.get("/", (c) => {
             /* @__PURE__ */ jsx("kbd", { children: "Enter" }),
             " new ticket"
           ] }),
-          /* @__PURE__ */ jsx("span", { children: [
+          /* @__PURE__ */ jsx("span", { "data-hint": "category", children: [
             /* @__PURE__ */ jsx("kbd", { children: [
               "\u2318",
               "I/B/F/R/K/G"
@@ -3837,6 +3934,16 @@ pageRoutes.get("/", (c) => {
           ] }),
           /* @__PURE__ */ jsx("span", { children: "Backups" })
         ] }),
+        /* @__PURE__ */ jsx("button", { className: "settings-tab", "data-tab": "context", children: [
+          /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", width: "20", height: "20", viewBox: "0 0 24 24", fill: "none", stroke: "currentColor", strokeWidth: "2", strokeLinecap: "round", strokeLinejoin: "round", children: [
+            /* @__PURE__ */ jsx("path", { d: "M14.5 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V7.5L14.5 2z" }),
+            /* @__PURE__ */ jsx("polyline", { points: "14 2 14 8 20 8" }),
+            /* @__PURE__ */ jsx("line", { x1: "16", x2: "8", y1: "13", y2: "13" }),
+            /* @__PURE__ */ jsx("line", { x1: "16", x2: "8", y1: "17", y2: "17" }),
+            /* @__PURE__ */ jsx("line", { x1: "10", x2: "8", y1: "9", y2: "9" })
+          ] }),
+          /* @__PURE__ */ jsx("span", { children: "Context" })
+        ] }),
         /* @__PURE__ */ jsx("button", { className: "settings-tab", "data-tab": "experimental", id: "settings-tab-experimental", style: "display:none", children: [
           /* @__PURE__ */ jsx("svg", { xmlns: "http://www.w3.org/2000/svg", width: "20", height: "20", viewBox: "0 0 24 24", fill: "none", stroke: "currentColor", strokeWidth: "2", strokeLinecap: "round", strokeLinejoin: "round", children: [
             /* @__PURE__ */ jsx("path", { d: "M10 2v7.527a2 2 0 0 1-.211.896L4.72 20.55a1 1 0 0 0 .9 1.45h12.76a1 1 0 0 0 .9-1.45l-5.069-10.127A2 2 0 0 1 14 9.527V2" }),
@@ -3858,7 +3965,10 @@ pageRoutes.get("/", (c) => {
         /* @__PURE__ */ jsx("div", { className: "settings-tab-panel active", "data-panel": "general", children: [
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
             /* @__PURE__ */ jsx("label", { children: "App name" }),
-            /* @__PURE__ */ jsx("input", { type: "text", id: "settings-app-name", placeholder: "Hot Sheet" }),
+            /* @__PURE__ */ jsx("div", { className: "settings-app-name-row", children: [
+              /* @__PURE__ */ jsx("button", { className: "app-icon-picker-btn", id: "app-icon-picker-btn", title: "Change app icon", children: /* @__PURE__ */ jsx("img", { id: "app-icon-preview", src: "/static/assets/icon-default.png", width: "28", height: "28" }) }),
+              /* @__PURE__ */ jsx("input", { type: "text", id: "settings-app-name", placeholder: "Hot Sheet" })
+            ] }),
             /* @__PURE__ */ jsx("span", { className: "settings-hint", id: "settings-app-name-hint", children: "Custom name shown in the title bar. Leave empty for default." })
           ] }),
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
@@ -3868,6 +3978,22 @@ pageRoutes.get("/", (c) => {
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
             /* @__PURE__ */ jsx("label", { children: "Auto-clear verified after (days)" }),
             /* @__PURE__ */ jsx("input", { type: "number", id: "settings-verified-days", min: "1", value: "30" })
+          ] }),
+          /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
+            /* @__PURE__ */ jsx("label", { children: "When Claude needs permission" }),
+            /* @__PURE__ */ jsx("select", { id: "settings-notify-permission", children: [
+              /* @__PURE__ */ jsx("option", { value: "none", children: "Don't notify" }),
+              /* @__PURE__ */ jsx("option", { value: "once", children: "Notify once" }),
+              /* @__PURE__ */ jsx("option", { value: "persistent", selected: true, children: "Notify until focused" })
+            ] })
+          ] }),
+          /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
+            /* @__PURE__ */ jsx("label", { children: "When Claude finishes work" }),
+            /* @__PURE__ */ jsx("select", { id: "settings-notify-completed", children: [
+              /* @__PURE__ */ jsx("option", { value: "none", children: "Don't notify" }),
+              /* @__PURE__ */ jsx("option", { value: "once", selected: true, children: "Notify once" }),
+              /* @__PURE__ */ jsx("option", { value: "persistent", children: "Notify until focused" })
+            ] })
           ] })
         ] }),
         /* @__PURE__ */ jsx("div", { className: "settings-tab-panel", "data-panel": "categories", children: [
@@ -3890,6 +4016,14 @@ pageRoutes.get("/", (c) => {
           ] }),
           /* @__PURE__ */ jsx("div", { id: "backup-list", className: "backup-list", children: "Loading backups..." })
         ] }),
+        /* @__PURE__ */ jsx("div", { className: "settings-tab-panel", "data-panel": "context", children: [
+          /* @__PURE__ */ jsx("div", { className: "settings-section-header", children: [
+            /* @__PURE__ */ jsx("h3", { children: "Auto-Context" }),
+            /* @__PURE__ */ jsx("button", { className: "btn btn-sm", id: "auto-context-add-btn", children: "+ Add" })
+          ] }),
+          /* @__PURE__ */ jsx("span", { className: "settings-hint", style: "margin-bottom:12px;display:block", children: "Automatically prepend instructions to ticket details in the worklist, based on category or tag. Category context appears first, then tag context in alphabetical order." }),
+          /* @__PURE__ */ jsx("div", { id: "auto-context-list" })
+        ] }),
         /* @__PURE__ */ jsx("div", { className: "settings-tab-panel", "data-panel": "experimental", id: "settings-experimental-panel", style: "display:none", children: [
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
             /* @__PURE__ */ jsx("label", { className: "settings-checkbox-label", children: [
@@ -3938,10 +4072,10 @@ pageRoutes.get("/", (c) => {
 
 // src/server.ts
 function tryServe(fetch2, port2) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const server = serve({ fetch: fetch2, port: port2 });
     server.on("listening", () => {
-      resolve3(port2);
+      resolve4(port2);
     });
     server.on("error", (err) => {
       reject(err);
@@ -3973,6 +4107,36 @@ async function startServer(port2, dataDir2, options) {
     const mimeTypes = { png: "image/png", jpg: "image/jpeg", svg: "image/svg+xml" };
     return new Response(content, { headers: { "Content-Type": mimeTypes[ext || ""] || "application/octet-stream", "Cache-Control": "max-age=86400" } });
   });
+  app.use("/api/*", async (c, next) => {
+    const settings = readFileSettings(dataDir2);
+    const expectedSecret = settings.secret;
+    if (!expectedSecret) {
+      await next();
+      return;
+    }
+    const headerSecret = c.req.header("X-Hotsheet-Secret");
+    const method = c.req.method;
+    const isMutation = method === "POST" || method === "PATCH" || method === "PUT" || method === "DELETE";
+    if (headerSecret) {
+      if (headerSecret !== expectedSecret) {
+        return c.json({
+          error: "Secret mismatch \u2014 you may be connecting to the wrong Hot Sheet instance.",
+          recovery: "Re-read .hotsheet/settings.json to get the correct port and secret, and re-read your skill files (e.g. .claude/skills/hotsheet/SKILL.md) for updated instructions."
+        }, 403);
+      }
+    } else if (isMutation) {
+      const origin = c.req.header("Origin");
+      const referer = c.req.header("Referer");
+      const isBrowser = !!(origin || referer);
+      if (!isBrowser) {
+        return c.json({
+          error: "Missing X-Hotsheet-Secret header. Read .hotsheet/settings.json for the correct port and secret.",
+          recovery: "Re-read .hotsheet/settings.json to get the correct port and secret, and re-read your skill files for updated instructions."
+        }, 403);
+      }
+    }
+    await next();
+  });
   app.route("/api", apiRoutes);
   app.route("/api/backups", backupRoutes);
   app.route("/", pageRoutes);
@@ -4049,10 +4213,10 @@ function isFirstUseToday() {
   return last !== today;
 }
 function fetchLatestVersion() {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const req = get(`https://registry.npmjs.org/${PACKAGE_NAME}/latest`, { timeout: 5e3 }, (res) => {
       if (res.statusCode !== 200) {
-        resolve3(null);
+        resolve4(null);
         return;
       }
       let data = "";
@@ -4061,18 +4225,18 @@ function fetchLatestVersion() {
       });
       res.on("end", () => {
         try {
-          resolve3(JSON.parse(data).version);
+          resolve4(JSON.parse(data).version);
         } catch {
-          resolve3(null);
+          resolve4(null);
         }
       });
     });
     req.on("error", () => {
-      resolve3(null);
+      resolve4(null);
     });
     req.on("timeout", () => {
       req.destroy();
-      resolve3(null);
+      resolve4(null);
     });
   });
 }
@@ -4174,7 +4338,7 @@ function parseArgs(argv) {
         }
         break;
       case "--data-dir":
-        dataDir2 = resolve2(args[++i]);
+        dataDir2 = resolve3(args[++i]);
         break;
       case "--check-for-updates":
         forceUpdateCheck = true;
@@ -4232,6 +4396,7 @@ async function main() {
   }
   console.log(`  Data directory: ${dataDir2}`);
   const actualPort = await startServer(port2, dataDir2, { noOpen, strictPort });
+  ensureSecret(dataDir2, actualPort);
   initMarkdownSync(dataDir2, actualPort);
   scheduleAllSync();
   initSkills(actualPort, dataDir2);