hotsheet 0.7.0 → 0.8.0

package/dist/cli.js

@@ -519,10 +519,17 @@ async function isChannelAlive(dataDir2) {
 async function triggerChannel(dataDir2, serverPort, message) {
   const port2 = getChannelPort(dataDir2);
   if (!port2) return false;
+  let secretHeader = "";
+  try {
+    const { readFileSettings: readFileSettings2 } = await Promise.resolve().then(() => (init_file_settings(), file_settings_exports));
+    const settings = readFileSettings2(dataDir2);
+    if (settings.secret) secretHeader = ` -H "X-Hotsheet-Secret: ${settings.secret}"`;
+  } catch {
+  }
   const doneSignal = `
 
 When you are completely finished (or if there was nothing to do), signal completion by running:
-curl -s -X POST http://localhost:${serverPort}/api/channel/done`;
+curl -s -X POST http://localhost:${serverPort}/api/channel/done${secretHeader}`;
   const content = message ? message + doneSignal : "Process the Hot Sheet worklist. Run /hotsheet to work through the current Up Next items." + doneSignal;
   try {
     const res = await fetch(`http://127.0.0.1:${port2}/trigger`, {
@@ -3837,7 +3844,7 @@ pageRoutes.get("/", (c) => {
                 /* @__PURE__ */ jsx("div", { id: "detail-attachments", className: "detail-attachments" }),
                 /* @__PURE__ */ jsx("label", { className: "btn btn-sm upload-btn", children: [
                   "Attach File",
-                  /* @__PURE__ */ jsx("input", { type: "file", id: "detail-file-input", style: "display:none" })
+                  /* @__PURE__ */ jsx("input", { type: "file", id: "detail-file-input", style: "display:none", multiple: true })
                 ] })
               ] }),
               /* @__PURE__ */ jsx("div", { className: "detail-field detail-field-full", id: "detail-notes-section", children: [
@@ -3862,7 +3869,7 @@ pageRoutes.get("/", (c) => {
             /* @__PURE__ */ jsx("kbd", { children: "Enter" }),
             " new ticket"
           ] }),
-          /* @__PURE__ */ jsx("span", { children: [
+          /* @__PURE__ */ jsx("span", { "data-hint": "category", children: [
             /* @__PURE__ */ jsx("kbd", { children: [
               "\u2318",
               "I/B/F/R/K/G"
@@ -3958,7 +3965,10 @@ pageRoutes.get("/", (c) => {
         /* @__PURE__ */ jsx("div", { className: "settings-tab-panel active", "data-panel": "general", children: [
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
             /* @__PURE__ */ jsx("label", { children: "App name" }),
-            /* @__PURE__ */ jsx("input", { type: "text", id: "settings-app-name", placeholder: "Hot Sheet" }),
+            /* @__PURE__ */ jsx("div", { className: "settings-app-name-row", children: [
+              /* @__PURE__ */ jsx("button", { className: "app-icon-picker-btn", id: "app-icon-picker-btn", title: "Change app icon", children: /* @__PURE__ */ jsx("img", { id: "app-icon-preview", src: "/static/assets/icon-default.png", width: "28", height: "28" }) }),
+              /* @__PURE__ */ jsx("input", { type: "text", id: "settings-app-name", placeholder: "Hot Sheet" })
+            ] }),
             /* @__PURE__ */ jsx("span", { className: "settings-hint", id: "settings-app-name-hint", children: "Custom name shown in the title bar. Leave empty for default." })
           ] }),
           /* @__PURE__ */ jsx("div", { className: "settings-field", children: [
@@ -4098,15 +4108,32 @@ async function startServer(port2, dataDir2, options) {
     return new Response(content, { headers: { "Content-Type": mimeTypes[ext || ""] || "application/octet-stream", "Cache-Control": "max-age=86400" } });
   });
   app.use("/api/*", async (c, next) => {
+    const settings = readFileSettings(dataDir2);
+    const expectedSecret = settings.secret;
+    if (!expectedSecret) {
+      await next();
+      return;
+    }
     const headerSecret = c.req.header("X-Hotsheet-Secret");
+    const method = c.req.method;
+    const isMutation = method === "POST" || method === "PATCH" || method === "PUT" || method === "DELETE";
     if (headerSecret) {
-      const settings = readFileSettings(dataDir2);
-      if (settings.secret && headerSecret !== settings.secret) {
+      if (headerSecret !== expectedSecret) {
         return c.json({
           error: "Secret mismatch \u2014 you may be connecting to the wrong Hot Sheet instance.",
           recovery: "Re-read .hotsheet/settings.json to get the correct port and secret, and re-read your skill files (e.g. .claude/skills/hotsheet/SKILL.md) for updated instructions."
         }, 403);
       }
+    } else if (isMutation) {
+      const origin = c.req.header("Origin");
+      const referer = c.req.header("Referer");
+      const isBrowser = !!(origin || referer);
+      if (!isBrowser) {
+        return c.json({
+          error: "Missing X-Hotsheet-Secret header. Read .hotsheet/settings.json for the correct port and secret.",
+          recovery: "Re-read .hotsheet/settings.json to get the correct port and secret, and re-read your skill files for updated instructions."
+        }, 403);
+      }
     }
     await next();
   });