loopat 0.1.3 → 0.1.5

package/README.md

@@ -2,6 +2,12 @@
 
 > **Self-hosted AI workspace built around context management — works solo, scales to teams**
 
+<p align="center">
+  <a href="https://www.npmjs.com/package/loopat"><img src="https://img.shields.io/npm/v/loopat?logo=npm&color=cb3837" alt="npm version"></a>
+  <a href="https://github.com/simpx/loopat/pkgs/container/loopat"><img src="https://img.shields.io/badge/ghcr.io-simpx%2Floopat-2496ED?logo=docker&logoColor=white" alt="GHCR image"></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache--2.0-green" alt="License"></a>
+</p>
+
 <p align="center">
   <img src="docs/screenshot.png" alt="loopat — Loop view with chat, workdir, terminal, and team DM" width="100%">
 </p>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loopat",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Self-hosted AI workspace built around context management — works solo, scales to teams",
   "license": "Apache-2.0",
   "homepage": "https://github.com/simpx/loopat",

package/server/src/config.ts

@@ -210,6 +210,11 @@ export type PersonalConfigDisk = {
   shell?: string
   /** Optional. Missing = "fresh" (user hasn't started or dismissed yet). */
   onboarding?: OnboardingState
+  /** Authoritative kn/notes remotes — the personal repo is self-describing.
+   *  host config.json's knowledge/notes are a display mirror; these are what a
+   *  loop actually connects to (with the user's vault key). */
+  knowledge?: RemoteSpec
+  notes?: RemoteSpec
 }
 
 export type PersonalConfig = {
@@ -224,6 +229,9 @@ export type PersonalConfig = {
   vaultEnvs: Record<string, string>
   shell?: string
   onboarding?: OnboardingState
+  /** Authoritative kn/notes remotes (self-describing personal repo). */
+  knowledge?: RemoteSpec
+  notes?: RemoteSpec
 }
 
 /**
@@ -443,6 +451,8 @@ export async function loadPersonalConfig(
     vaultEnvs,
     ...(disk.shell ? { shell: disk.shell } : {}),
     ...(disk.onboarding ? { onboarding: disk.onboarding } : {}),
+    ...(disk.knowledge ? { knowledge: disk.knowledge } : {}),
+    ...(disk.notes ? { notes: disk.notes } : {}),
   }
   personalCache.set(cacheKey, { cfg, configMtimeMs, envsDirMtimeMs })
   return cfg

package/server/src/index.ts

@@ -1416,23 +1416,23 @@ function syncDirFor(resource: string, name?: string): string | null {
   return null
 }
 
-app.get("/api/sync/knowledge/status", requireAuth, async (c) => c.json(await inspectRepoSync(workspaceKnowledgeDir())))
+app.get("/api/sync/knowledge/status", requireAuth, async (c) => c.json(await inspectRepoSync(workspaceKnowledgeDir(), c.get("userId") as string)))
 app.post("/api/sync/knowledge/pull", requireAuth, async (c) => {
-  const r = await pullRepoFromRemote(workspaceKnowledgeDir())
+  const r = await pullRepoFromRemote(workspaceKnowledgeDir(), c.get("userId") as string)
   return r.ok ? c.json(r) : c.json({ error: r.error }, 400)
 })
 app.post("/api/sync/knowledge/push", requireAuth, async (c) => {
-  const r = await pushRepoToRemote(workspaceKnowledgeDir())
+  const r = await pushRepoToRemote(workspaceKnowledgeDir(), c.get("userId") as string)
   return r.ok ? c.json(r) : c.json({ error: r.error }, 400)
 })
 
-app.get("/api/sync/notes/status", requireAuth, async (c) => c.json(await inspectRepoSync(workspaceNotesDir())))
+app.get("/api/sync/notes/status", requireAuth, async (c) => c.json(await inspectRepoSync(workspaceNotesDir(), c.get("userId") as string)))
 app.post("/api/sync/notes/pull", requireAuth, async (c) => {
-  const r = await pullRepoFromRemote(workspaceNotesDir())
+  const r = await pullRepoFromRemote(workspaceNotesDir(), c.get("userId") as string)
   return r.ok ? c.json(r) : c.json({ error: r.error }, 400)
 })
 app.post("/api/sync/notes/push", requireAuth, async (c) => {
-  const r = await pushRepoToRemote(workspaceNotesDir())
+  const r = await pushRepoToRemote(workspaceNotesDir(), c.get("userId") as string)
   return r.ok ? c.json(r) : c.json({ error: r.error }, 400)
 })
 
@@ -1454,12 +1454,12 @@ app.get("/api/sync/repos", requireAuth, async (c) => {
 app.get("/api/sync/repos/:name/status", requireAuth, async (c) => {
   const dir = syncDirFor("repos", c.req.param("name"))
   if (!dir) return c.json({ error: "repo not found" }, 404)
-  return c.json(await inspectRepoSync(dir))
+  return c.json(await inspectRepoSync(dir, c.get("userId") as string))
 })
 app.post("/api/sync/repos/:name/pull", requireAuth, async (c) => {
   const dir = syncDirFor("repos", c.req.param("name"))
   if (!dir) return c.json({ error: "repo not found" }, 404)
-  const r = await pullRepoFromRemote(dir)
+  const r = await pullRepoFromRemote(dir, c.get("userId") as string)
   return r.ok ? c.json(r) : c.json({ error: r.error }, 400)
 })
 

package/server/src/loops.ts

@@ -24,6 +24,7 @@ import {
   workspaceOriginsDir,
   workspaceOriginPath,
   personalDir,
+  personalVaultDir,
   uiNotesDir,
   personalMemoryDir,
   workspaceMemoryDir,
@@ -35,7 +36,7 @@ import {
 } from "./paths"
 import type { RepoSpec } from "./config"
 import { existsSync as existsSyncBase } from "node:fs"
-import { loadConfig } from "./config"
+import { loadConfig, loadPersonalConfig } from "./config"
 import { ensurePersonalKeypair } from "./personal-keys"
 import { composeLoopClaudeConfig, writeLoopSettings } from "./compose"
 import { getProvider } from "./git-host"
@@ -316,6 +317,39 @@ async function ensureContextRepo(dir: string, name: string, url?: string): Promi
   }
 }
 
+/**
+ * The personal repo is self-describing: its `.loopat/config.json` declares the
+ * authoritative kn/notes remotes, and a loop connects to them with the user's
+ * OWN key from the selected vault (`vaults/<vault>/mounts/home/.ssh/id`), not
+ * the host's ssh. Called at loop creation, which has the user + vault in hand.
+ *
+ * The startup clone (driven by host config.json) stays as a display mirror;
+ * here the personal-declared url wins and becomes the context repo's origin.
+ *
+ * We only set the origin + fetch with the vault key — we deliberately do NOT
+ * persist a `core.sshCommand`: the same `.git` is mounted into the sandbox,
+ * where that host path is invalid. The sandbox's own git already authenticates
+ * with the vault key via `$HOME/.ssh` (the vault home-mount), so its promote
+ * pushes as the user without any per-repo config.
+ */
+export async function ensureUserContext(user: string, vault: string = "default"): Promise<void> {
+  const cfg = await loadPersonalConfig(user, vault)
+  const sshEnv = { ...process.env, GIT_SSH_COMMAND: sshCommandForUser(user, vault) }
+  const layers: Array<[string, string | undefined]> = [
+    [workspaceKnowledgeDir(), cfg.knowledge?.git],
+    [workspaceNotesDir(), cfg.notes?.git],
+  ]
+  for (const [dir, url] of layers) {
+    if (!url) continue // personal didn't declare one → keep the host/local origin
+    if (!existsSyncBase(join(dir, ".git"))) continue // not initialized yet (startup hasn't run)
+    const has = await execFileP("git", ["-C", dir, "remote", "get-url", "origin"]).then(() => true).catch(() => false)
+    await execFileP("git", ["-C", dir, "remote", has ? "set-url" : "add", "origin", url]).catch(() => {})
+    // validate connectivity + populate origin/* with the user's key (transient,
+    // server-side only).
+    await execFileP("git", ["-C", dir, "fetch", "--quiet", "origin"], { env: sshEnv, timeout: 20_000 }).catch(() => {})
+  }
+}
+
 /**
  * Repos are clone-on-demand — they can be large, so we don't pre-clone the
  * whole set. Instead write a manifest (REPOS.md) listing the full roster, and
@@ -340,7 +374,7 @@ async function writeReposManifest(specs: RepoSpec[]) {
  * Clone a single registered repo if it isn't present yet. Returns whether the
  * repo dir exists afterwards. Used by loop creation and any on-demand path.
  */
-async function ensureRepoCloned(name: string): Promise<boolean> {
+async function ensureRepoCloned(name: string, sshCommand?: string): Promise<boolean> {
   const dir = workspaceRepoDir(name)
   if (existsSyncBase(dir)) return true
   const cfg = await loadConfig()
@@ -348,7 +382,8 @@ async function ensureRepoCloned(name: string): Promise<boolean> {
   if (!spec?.git) return false
   try {
     await mkdir(workspaceReposDir(), { recursive: true })
-    await execFileP("git", ["clone", "--", spec.git, dir])
+    const env = sshCommand ? { ...process.env, GIT_SSH_COMMAND: sshCommand } : process.env
+    await execFileP("git", ["clone", "--", spec.git, dir], { env })
     console.log(`[loopat] cloned on demand ${spec.git} → ${dir}`)
     return true
   } catch (e: any) {
@@ -639,7 +674,9 @@ export async function importPersonalFromRepo(
   // Clone into a tmp dir. ssh uses the deploy key (StrictHostKeyChecking=
   // accept-new, no pre-populated known_hosts on first run); https auths via url.
   const tmp = await mkdtemp(join(tmpdir(), `loopat-import-${userId}-`))
-  const cloneEnv = isHttps ? { ...process.env } : { ...process.env, GIT_SSH_COMMAND: sshCommandForUser(userId) }
+  // Bootstrap: first clone of the personal repo uses the host deploy-key (no
+  // vault key exists yet). Every later op uses the user's vault key.
+  const cloneEnv = isHttps ? { ...process.env } : { ...process.env, GIT_SSH_COMMAND: bootstrapSshCommand(userId) }
   try {
     await execFileP("git", ["clone", "--", repoUrl, tmp], { env: cloneEnv })
   } catch (e: any) {
@@ -714,9 +751,25 @@ export async function importPersonalFromRepo(
   return { ok: true, autoInitialized: true, cryptKey: init.cryptKey }
 }
 
-function sshCommandForUser(userId: string): string {
-  const priv = hostDeployKeyPath(userId)
-  return `ssh -i ${priv} -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null`
+/**
+ * The ssh command a server-side git op uses to act AS the user — its OWN key
+ * from the selected vault (`vaults/<vault>/mounts/home/.ssh/id`). If the key
+ * isn't there the op simply fails: we deliberately do NOT fall back to the host
+ * deploy-key, so a loop never borrows the host's access. Authorization tracks
+ * the personal repo, not the host (see behavior/02-personal-permissions.md).
+ */
+function sshCommandForUser(userId: string, vault: string = "default"): string {
+  const vaultKey = join(personalVaultDir(userId, vault), "mounts", "home", ".ssh", "id")
+  return `ssh -i ${vaultKey} -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null`
+}
+
+/**
+ * Bootstrap ONLY: the first clone/decrypt of the personal repo itself, before
+ * any vault key exists. Uses the host-managed deploy-key — the one credential
+ * the host legitimately holds to unlock a personal repo.
+ */
+function bootstrapSshCommand(userId: string): string {
+  return `ssh -i ${hostDeployKeyPath(userId)} -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null`
 }
 
 async function swapPersonalDir(
@@ -1273,13 +1326,16 @@ export async function syncUiNotes(user: string): Promise<PersonalPushResult> {
   const branch = await remoteDefaultBranch(dir)
   const c = await commitLocalChanges(dir, "loopat: edit notes")
   if (!c.ok) return { ok: false, error: c.error }
-  const reb = await rebaseOntoOrigin(dir, branch)
+  const userSsh = sshCommandForUser(user)
+  const reb = await rebaseOntoOrigin(dir, branch, userSsh)
   if (!reb.ok) {
     if ("conflict" in reb) return { ok: false, error: "conflict with remote", conflict: true, files: reb.files }
     return { ok: false, error: reb.error }
   }
   try {
-    await execFileP("git", ["-C", dir, "push", "origin", `HEAD:${branch}`])
+    await execFileP("git", ["-C", dir, "push", "origin", `HEAD:${branch}`], {
+      env: { ...process.env, GIT_SSH_COMMAND: userSsh },
+    })
   } catch (e: any) {
     const stderr = (e?.stderr ?? "").toString().trim()
     return { ok: false, error: `push failed: ${stderr || e?.message || e}`, needsPull: true }
@@ -1300,7 +1356,7 @@ export async function ffUpdateUiNotes(
   const branch = await remoteDefaultBranch(dir)
   try {
     await execFileP("git", ["-C", dir, "fetch", "origin"], {
-      env: { ...process.env, GIT_TERMINAL_PROMPT: "0" }, timeout: 30_000,
+      env: { ...process.env, GIT_TERMINAL_PROMPT: "0", GIT_SSH_COMMAND: sshCommandForUser(user) }, timeout: 30_000,
     })
   } catch (e: any) {
     return { ok: false, error: `fetch failed: ${e?.stderr ?? e?.message ?? e}` }
@@ -1332,7 +1388,7 @@ export async function notesBehind(user: string): Promise<number> {
   const branch = await remoteDefaultBranch(dir)
   try {
     await execFileP("git", ["-C", dir, "fetch", "origin"], {
-      env: { ...process.env, GIT_TERMINAL_PROMPT: "0" }, timeout: 30_000,
+      env: { ...process.env, GIT_TERMINAL_PROMPT: "0", GIT_SSH_COMMAND: sshCommandForUser(user) }, timeout: 30_000,
     })
   } catch {
     return 0
@@ -1371,7 +1427,7 @@ export type RepoSyncResult =
  * failures are tolerated (offline / auth glitch) — status still reflects
  * last-known remote state.
  */
-export async function inspectRepoSync(dir: string): Promise<RepoSyncStatus> {
+export async function inspectRepoSync(dir: string, user?: string): Promise<RepoSyncStatus> {
   if (!existsSyncBase(dir) || !existsSyncBase(join(dir, ".git"))) {
     return { isGitRepo: false, hasRemote: false, branch: "", ahead: 0, behind: 0, uncommitted: 0 }
   }
@@ -1390,7 +1446,8 @@ export async function inspectRepoSync(dir: string): Promise<RepoSyncStatus> {
 
   if (hasRemote) {
     try {
-      await execFileP("git", ["-C", dir, "fetch", "--quiet", "origin"], { timeout: 15_000 })
+      const env = user ? { ...process.env, GIT_SSH_COMMAND: sshCommandForUser(user) } : process.env
+      await execFileP("git", ["-C", dir, "fetch", "--quiet", "origin"], { env, timeout: 15_000 })
     } catch {}
   }
 
@@ -1420,7 +1477,7 @@ export async function inspectRepoSync(dir: string): Promise<RepoSyncStatus> {
  * changes (we don't auto-stash workspace repos — caller decides) and on
  * any non-ff condition.
  */
-export async function pullRepoFromRemote(dir: string): Promise<RepoSyncResult> {
+export async function pullRepoFromRemote(dir: string, user?: string): Promise<RepoSyncResult> {
   if (!existsSyncBase(join(dir, ".git"))) {
     return { ok: false, error: "not a git repo" }
   }
@@ -1449,7 +1506,8 @@ export async function pullRepoFromRemote(dir: string): Promise<RepoSyncResult> {
   }
 
   try {
-    await execFileP("git", ["-C", dir, "fetch", "origin"], { timeout: 30_000 })
+    const env = user ? { ...process.env, GIT_SSH_COMMAND: sshCommandForUser(user) } : process.env
+    await execFileP("git", ["-C", dir, "fetch", "origin"], { env, timeout: 30_000 })
   } catch (e: any) {
     return { ok: false, error: `fetch failed: ${e?.stderr ?? e?.message ?? e}` }
   }
@@ -1469,7 +1527,7 @@ export async function pullRepoFromRemote(dir: string): Promise<RepoSyncResult> {
  * non-ff by default, which is exactly the abort-on-conflict behavior we
  * want. Caller pulls first if rejected.
  */
-export async function pushRepoToRemote(dir: string): Promise<RepoSyncResult> {
+export async function pushRepoToRemote(dir: string, user?: string): Promise<RepoSyncResult> {
   if (!existsSyncBase(join(dir, ".git"))) {
     return { ok: false, error: "not a git repo" }
   }
@@ -1489,7 +1547,8 @@ export async function pushRepoToRemote(dir: string): Promise<RepoSyncResult> {
   if (!branch) return { ok: false, error: "HEAD is detached" }
 
   try {
-    await execFileP("git", ["-C", dir, "push", "origin", `HEAD:${branch}`])
+    const env = user ? { ...process.env, GIT_SSH_COMMAND: sshCommandForUser(user) } : process.env
+    await execFileP("git", ["-C", dir, "push", "origin", `HEAD:${branch}`], { env })
   } catch (e: any) {
     const stderr = (e?.stderr ?? "").toString().trim()
     return { ok: false, error: `push failed: ${stderr || e?.message || e}` }
@@ -1691,14 +1750,15 @@ async function remoteDefaultBranch(dir: string): Promise<string> {
   return "main"
 }
 
-async function remoteStartPoint(repo: string): Promise<string | null> {
+async function remoteStartPoint(repo: string, sshCommand?: string): Promise<string | null> {
   try {
     await execFileP("git", ["-C", repo, "remote", "get-url", "origin"])
   } catch {
     return null
   }
   try {
-    await execFileP("git", ["-C", repo, "fetch", "--quiet", "origin"], { timeout: 15_000 })
+    const env = sshCommand ? { ...process.env, GIT_SSH_COMMAND: sshCommand } : process.env
+    await execFileP("git", ["-C", repo, "fetch", "--quiet", "origin"], { env, timeout: 15_000 })
   } catch {}
   const branch = await remoteDefaultBranch(repo)
   try {
@@ -1794,8 +1854,10 @@ export async function createLoop(opts: {
 
   // workdir = git worktree add (if repo selected) OR plain mkdir
   if (opts.repo) {
+    // clone + fetch as the user (their vault key), not the host's ssh.
+    const userSsh = sshCommandForUser(opts.createdBy, opts.vault ?? "default")
     // clone-on-demand: pull the repo down only now that a loop actually needs it
-    if (!(await ensureRepoCloned(opts.repo))) {
+    if (!(await ensureRepoCloned(opts.repo, userSsh))) {
       throw new Error(`repo "${opts.repo}" not found / clone failed`)
     }
     const repoPath = workspaceRepoDir(opts.repo)
@@ -1804,7 +1866,7 @@ export async function createLoop(opts: {
       // ① pull (docs/context-flow.md): base the workdir branch on origin/main
       // (best-effort fetch) so it starts from latest consensus; fall back to
       // local HEAD when there's no remote / no origin/main.
-      const start = await remoteStartPoint(repoPath)
+      const start = await remoteStartPoint(repoPath, userSsh)
       const wtArgs = ["-C", repoPath, "worktree", "add", "-b", branch, loopWorkdir(id)]
       if (start) wtArgs.push(start)
       await execFileP("git", wtArgs)
@@ -1819,6 +1881,11 @@ export async function createLoop(opts: {
     await mkdir(loopWorkdir(id), { recursive: true })
   }
 
+  // Point the context repos at the personal-declared kn/notes remotes and
+  // connect with the user's vault key (personal repo is self-describing).
+  await ensureUserContext(opts.createdBy, opts.vault ?? "default").catch(
+    (e: any) => console.warn(`[loopat] ensureUserContext(${opts.createdBy}): ${e?.message ?? e}`),
+  )
   await ensureContextMounts(id, effectiveDriver(meta))
   await writeFile(loopMetaPath(id), JSON.stringify(meta, null, 2))
   return meta

package/server/src/podman.ts

@@ -100,7 +100,12 @@ const LABEL_CONFIG_HASH = "loopat.config-hash"
 
 // Image used as the base for every loop container. Built locally from
 // server/templates/sandbox/Containerfile via ensureSandboxImage().
-export const SANDBOX_IMAGE = process.env.LOOPAT_SANDBOX_IMAGE || "loopat-sandbox:latest"
+// Per-workspace image name so multiple LOOPAT_HOMEs on one host don't share
+// (and can't accidentally delete) each other's images. `uninstall` finds them
+// by the loopat.workspace label, not this name — the name only prevents tag
+// collisions. Same-Containerfile builds still share overlay layers, so the
+// per-workspace tags don't multiply disk usage.
+export const SANDBOX_IMAGE = process.env.LOOPAT_SANDBOX_IMAGE || `loopat-sandbox-${WORKSPACE}:latest`
 
 // Container name: prefix with workspace to avoid collisions between loopat
 // instances running on the same host with different LOOPAT_HOME. Loop UUIDs
@@ -369,7 +374,7 @@ export async function buildPodmanCreateArgs(opts: ContainerOptions): Promise<str
     "--device", "/dev/fuse",
     // Shared bridge network so the serve container can reach loop
     // containers by name (aardvark-dns). Outbound API calls via NAT.
-    "--network", "loopat",
+    "--network", LOOPAT_NETWORK,
     "--hostname", `loop-${opts.loopId.slice(0, 8)}`,
     // Container cwd at creation; per-exec we override with -w.
     "--workdir", V_LOOP_WORKDIR(opts.loopId),
@@ -554,7 +559,7 @@ export async function ensureSandboxImage(opts?: { onProgress?: (msg: string) =>
 
     // Hash the Containerfile so the base image auto-rebuilds when it changes.
     const hash = await baseContainerfileHash()
-    const hashTag = `loopat-sandbox-${hash}:latest`
+    const hashTag = `loopat-sandbox-${WORKSPACE}-${hash}:latest`
 
     const present = await runPodman(["image", "exists", hashTag], { allowFail: true })
     if (present.code === 0) {
@@ -571,7 +576,7 @@ export async function ensureSandboxImage(opts?: { onProgress?: (msg: string) =>
     const buildDir = join(LOOPAT_INSTALL_DIR, "server", "templates", "sandbox")
     let lastStep = ""
     const r = await runPodman(
-      ["build", "-t", SANDBOX_IMAGE, "-t", hashTag, "-f", containerfile, buildDir],
+      ["build", "-t", SANDBOX_IMAGE, "-t", hashTag, "--label", `${LABEL_WORKSPACE}=${WORKSPACE}`, "-f", containerfile, buildDir],
       {
         onLine: (line) => {
           const m = line.match(/^STEP\s+(\d+)\/(\d+):\s+(.+)/)
@@ -660,7 +665,7 @@ export async function ensureLoopImage(loopId: string, opts?: { onProgress?: (msg
   // after the nested-podman base change shipped).
   const baseHash = await baseContainerfileHash()
   const hash = createHash("sha256").update(`base:${baseHash}\n`).update(content).digest("hex").slice(0, 16)
-  const tag = `loopat-sandbox-${hash}:latest`
+  const tag = `loopat-sandbox-${WORKSPACE}-${hash}:latest`
 
   const existing = _loopImageInFlight.get(tag)
   if (existing) return existing
@@ -717,7 +722,7 @@ export async function ensureLoopImage(loopId: string, opts?: { onProgress?: (msg
       await writeFile(join(buildDir, "Containerfile"), childContainerfile)
 
       const r = await runPodman(
-        ["build", "-t", tag, "-f", join(buildDir, "Containerfile"), buildDir],
+        ["build", "-t", tag, "--label", `${LABEL_WORKSPACE}=${WORKSPACE}`, "-f", join(buildDir, "Containerfile"), buildDir],
         {
           allowFail: true,
           onLine: (line) => {
@@ -823,7 +828,9 @@ export async function getEphemeralHostPort(
   return Number.isFinite(port) && port > 0 ? port : null
 }
 
-const LOOPAT_NETWORK = "loopat"
+// Per-workspace network (+ loopat.workspace label) so parallel LOOPAT_HOMEs
+// stay isolated and `uninstall` removes only its own.
+const LOOPAT_NETWORK = `loopat-${WORKSPACE}`
 const SERVE_CONTAINER = `loopat-${WORKSPACE}-serve`
 
 let _networkReady = false
@@ -835,7 +842,7 @@ export async function ensureLoopatNetwork(): Promise<void> {
   const r = await runPodman(["network", "exists", LOOPAT_NETWORK], { allowFail: true })
   if (r.code !== 0) {
     console.log(`[podman] creating network ${LOOPAT_NETWORK}`)
-    const create = await runPodman(["network", "create", LOOPAT_NETWORK])
+    const create = await runPodman(["network", "create", "--label", `${LABEL_WORKSPACE}=${WORKSPACE}`, LOOPAT_NETWORK])
     if (create.code !== 0) {
       throw new Error(`Failed to create podman network ${LOOPAT_NETWORK}: ${create.stderr}`)
     }

package/server/src/uninstall.ts

@@ -1,17 +1,15 @@
 /**
- * `loopat uninstall` — clean removal of everything loopat itself created.
+ * `loopat uninstall` — clean removal of everything THIS workspace created.
  *
- * Boundary (deliberate): we remove ONLY loopat's own resources — the per-loop
- * sandbox containers, the sandbox images, the `loopat` podman network, and the
- * workspace data dir (LOOPAT_HOME). We do NOT touch shared infrastructure the
- * host may use for other things — the podman machine (a Linux VM on macOS) and
- * the npx/bun cache are only PRINTED as hints. Deleting a shared VM out from
- * under the user would be the opposite of a clean uninstall.
+ * Every loopat resource is workspace-scoped: containers, images, and the
+ * network all carry a `loopat.workspace=<ws>` label, and the data dir IS this
+ * workspace's LOOPAT_HOME. So uninstall removes only its own — even when other
+ * LOOPAT_HOMEs exist on the same host, there's no cross-workspace collateral.
  *
- * Containers are found by the `loopat.workspace` label (set at create time in
- * podman.ts), not by guessing name prefixes. Shared images/network are removed
- * only once no loopat container remains anywhere, so a second workspace on the
- * same host isn't collateral.
+ * Shared host infrastructure loopat merely uses — the podman machine (a Linux
+ * VM on macOS) and the npx/bun cache — is only PRINTED as a hint, never
+ * touched. Deleting a shared VM out from under the user would be the opposite
+ * of a clean uninstall.
  *
  * Run via the launcher: `npx loopat uninstall [--yes]`.
  */
@@ -25,12 +23,11 @@ import { LOOPAT_HOME, WORKSPACE } from "./paths"
 
 const execFileP = promisify(execFile)
 
-// Stable external contract values — kept in sync with podman.ts. (These are the
-// network name, container label key, and image repo prefix; they essentially
-// never change, so a local copy avoids pulling the whole podman module in.)
+// The label every loopat container/image/network carries (set at create/build
+// time in podman.ts). Deleting by label is exact — no name-prefix ambiguity
+// (e.g. workspace "foo" vs "foobar").
 const LABEL_WORKSPACE = "loopat.workspace"
-const LOOPAT_NETWORK = "loopat"
-const IMAGE_REF = "loopat-sandbox" // base `loopat-sandbox:latest` + child `loopat-sandbox-<hash>:latest`
+const labelFilter = `label=${LABEL_WORKSPACE}=${WORKSPACE}`
 
 type Run = { code: number; out: string; err: string }
 async function podman(args: string[]): Promise<Run> {
@@ -48,22 +45,18 @@ async function podmanAvailable(): Promise<boolean> {
   return (await podman(["--version"])).code === 0
 }
 
-/** Containers belonging to THIS workspace. */
 async function workspaceContainers(): Promise<string[]> {
-  const r = await podman(["ps", "-aq", "--filter", `label=${LABEL_WORKSPACE}=${WORKSPACE}`])
+  const r = await podman(["ps", "-aq", "--filter", labelFilter])
   return r.code === 0 ? lines(r.out) : []
 }
-
-/** Any loopat container (any workspace) — used to decide if shared resources are still in use. */
-async function anyLoopatContainers(): Promise<string[]> {
-  const r = await podman(["ps", "-aq", "--filter", `label=${LABEL_WORKSPACE}`])
-  return r.code === 0 ? lines(r.out) : []
-}
-
-async function loopatImageIds(): Promise<string[]> {
-  const r = await podman(["images", "--filter", `reference=${IMAGE_REF}*`, "--format", "{{.ID}}"])
+async function workspaceImageIds(): Promise<string[]> {
+  const r = await podman(["images", "--filter", labelFilter, "--format", "{{.ID}}"])
   return r.code === 0 ? [...new Set(lines(r.out))] : []
 }
+async function workspaceNetworks(): Promise<string[]> {
+  const r = await podman(["network", "ls", "--filter", labelFilter, "--format", "{{.Name}}"])
+  return r.code === 0 ? lines(r.out) : []
+}
 
 /** TTY confirm. Non-interactive (piped) without --yes → treated as "no". */
 function confirm(question: string): boolean {
@@ -75,62 +68,56 @@ export async function runUninstall(argv: string[]): Promise<void> {
   const yes = argv.includes("--yes") || argv.includes("-y")
   const hasPodman = await podmanAvailable()
   const containers = hasPodman ? await workspaceContainers() : []
+  const images = hasPodman ? await workspaceImageIds() : []
+  const networks = hasPodman ? await workspaceNetworks() : []
   const dataExists = existsSync(LOOPAT_HOME)
 
-  // ── Plan (so the user sees the exact boundary before anything happens) ──
+  // ── Plan (the user sees the exact boundary before anything happens) ──
   console.log(`loopat uninstall — workspace "${WORKSPACE}"`)
   console.log("")
-  console.log("Will remove:")
+  console.log("Will remove (this workspace only):")
   console.log(`  • ${containers.length} sandbox container(s)`)
-  console.log(`  • sandbox images + the "${LOOPAT_NETWORK}" network (if no loopat container remains)`)
+  console.log(`  • ${images.length} sandbox image(s)`)
+  console.log(`  • ${networks.length} network(s)${networks.length ? ` (${networks.join(", ")})` : ""}`)
   console.log(`  • data dir: ${LOOPAT_HOME}${dataExists ? "" : "  (absent)"}`)
   if (!hasPodman) console.log("  • note: podman not found — skipping container/image/network cleanup")
   console.log("")
 
-  if (!yes && !confirm("Proceed? This permanently deletes your workspace data. [y/N] ")) {
+  if (!yes && !confirm("Proceed? This permanently deletes this workspace's data. [y/N] ")) {
     console.log("Aborted — nothing removed.")
     return
   }
 
-  // 1. Our containers (label-scoped).
+  // Every resource below is label-scoped to THIS workspace — no shared-resource
+  // guessing, so other workspaces on the host are never touched.
   if (hasPodman && containers.length) {
     process.stdout.write(`Removing ${containers.length} container(s)… `)
     await podman(["rm", "-f", ...containers])
     console.log("done")
   }
-
-  // 2. Shared images + network — only when no loopat container is left anywhere.
-  if (hasPodman) {
-    const remaining = await anyLoopatContainers()
-    if (remaining.length === 0) {
-      const imgs = await loopatImageIds()
-      if (imgs.length) {
-        process.stdout.write(`Removing ${imgs.length} image(s)… `)
-        await podman(["rmi", "-f", ...imgs])
-        console.log("done")
-      }
-      if ((await podman(["network", "exists", LOOPAT_NETWORK])).code === 0) {
-        process.stdout.write(`Removing network "${LOOPAT_NETWORK}"… `)
-        await podman(["network", "rm", LOOPAT_NETWORK])
-        console.log("done")
-      }
-    } else {
-      console.log(`Keeping shared images/network — ${remaining.length} loopat container(s) from other workspaces still present.`)
-    }
+  if (hasPodman && images.length) {
+    // rmi by image ID removes this workspace's tags; shared overlay layers
+    // stay alive (refcounted) for any other workspace still using them.
+    process.stdout.write(`Removing ${images.length} image(s)… `)
+    await podman(["rmi", "-f", ...images])
+    console.log("done")
+  }
+  for (const net of networks) {
+    process.stdout.write(`Removing network "${net}"… `)
+    await podman(["network", "rm", net])
+    console.log("done")
   }
-
-  // 3. Workspace data.
   if (dataExists) {
     process.stdout.write(`Removing data dir ${LOOPAT_HOME}… `)
     await rm(LOOPAT_HOME, { recursive: true, force: true })
     console.log("done")
   }
 
-  // 4. Second-layer hints — shared infra we deliberately do NOT touch.
+  // Second-layer hints — shared infra we deliberately do NOT touch.
   console.log("")
-  console.log("Done. loopat's own resources are gone.")
+  console.log("Done. This workspace's resources are gone.")
   console.log("")
-  console.log("Left untouched (remove yourself only if loopat was their only user):")
+  console.log("Left untouched (shared host infra — remove yourself only if loopat was their only user):")
   if (process.platform === "darwin") {
     console.log("  • podman machine (Linux VM):  podman machine stop && podman machine rm")
   }