shared-things-server 1.0.5 → 2.0.0

package/README.md

@@ -59,7 +59,7 @@ shared-things init
 ### After Setup
 
 ```bash
-shared-things install   # Start daemon (auto-runs on login)
+shared-things start     # Start daemon (auto-runs on login)
 shared-things status    # Check sync status
 shared-things logs -f   # Follow sync logs
 ```
@@ -69,13 +69,16 @@ shared-things logs -f   # Follow sync logs
 | Command | Description |
 |---------|-------------|
 | `init` | Setup wizard |
-| `install` | Install launchd daemon (auto-starts on login) |
-| `uninstall` | Remove launchd daemon |
+| `start` | Start launchd daemon (auto-starts on login) |
+| `stop` | Stop launchd daemon |
 | `status` | Show sync status & last sync time |
 | `sync` | Force immediate sync |
 | `logs [-f]` | Show logs (`-f` to follow) |
-| `reset [--server]` | Reset local state (`--server` clears server too) |
-| `purge` | Remove all local config |
+| `conflicts [--all]` | Show conflict history |
+| `repair` | Diagnose state issues (no auto-fix) |
+| `reset --local` | Clear local state |
+| `reset --server` | Clear server data for this user |
+| `doctor` | Comprehensive health check |
 
 ## Server Setup
 
@@ -143,9 +146,8 @@ things.yourdomain.com {
 
 | Synced | Not Synced |
 |--------|------------|
-| Todo title, notes, due date, tags | Completed todos |
-| Headings | Checklist items |
-| | Areas |
+| Todo title, notes, due date, tags, status | Checklist items |
+|  | Headings, Areas |
 
 > **Note:** The project must exist in each user's Things app. Only items within that project sync.
 

package/dist/cli.js

@@ -1,17 +1,23 @@
 #!/usr/bin/env node
 
 // src/cli.ts
-import { Command } from "commander";
-import { input, confirm } from "@inquirer/prompts";
+import { spawn } from "child_process";
+import * as fs2 from "fs";
+import * as os2 from "os";
+import * as path2 from "path";
+import cors from "@fastify/cors";
+import { confirm, input } from "@inquirer/prompts";
 import chalk from "chalk";
+import { Command } from "commander";
+import Fastify from "fastify";
 import updateNotifier from "update-notifier";
 
 // src/db.ts
-import Database from "better-sqlite3";
-import * as path from "path";
-import * as os from "os";
-import * as fs from "fs";
 import * as crypto from "crypto";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import Database from "better-sqlite3";
 var DATA_DIR = process.env.DATA_DIR || path.join(os.homedir(), ".shared-things-server");
 var DB_PATH = path.join(DATA_DIR, "data.db");
 function initDatabase() {
@@ -20,8 +26,9 @@ function initDatabase() {
   }
   const db = new Database(DB_PATH);
   db.pragma("journal_mode = WAL");
+  db.pragma("foreign_keys = ON");
+  migrateDatabase(db);
   db.exec(`
-    -- Users table
     CREATE TABLE IF NOT EXISTS users (
       id TEXT PRIMARY KEY,
       name TEXT NOT NULL,
@@ -29,49 +36,111 @@ function initDatabase() {
       created_at TEXT NOT NULL DEFAULT (datetime('now'))
     );
 
-    -- Headings table
-    CREATE TABLE IF NOT EXISTS headings (
-      id TEXT PRIMARY KEY,
-      things_id TEXT NOT NULL UNIQUE,
-      title TEXT NOT NULL,
-      position INTEGER NOT NULL DEFAULT 0,
-      updated_at TEXT NOT NULL DEFAULT (datetime('now')),
-      updated_by TEXT NOT NULL REFERENCES users(id),
-      created_at TEXT NOT NULL DEFAULT (datetime('now'))
-    );
-
-    -- Todos table
     CREATE TABLE IF NOT EXISTS todos (
       id TEXT PRIMARY KEY,
-      things_id TEXT NOT NULL UNIQUE,
       title TEXT NOT NULL,
       notes TEXT NOT NULL DEFAULT '',
       due_date TEXT,
       tags TEXT NOT NULL DEFAULT '[]',
       status TEXT NOT NULL DEFAULT 'open' CHECK (status IN ('open', 'completed', 'canceled')),
-      heading_id TEXT REFERENCES headings(id) ON DELETE SET NULL,
       position INTEGER NOT NULL DEFAULT 0,
-      updated_at TEXT NOT NULL DEFAULT (datetime('now')),
-      updated_by TEXT NOT NULL REFERENCES users(id),
-      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+      edited_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      created_by TEXT NOT NULL REFERENCES users(id),
+      updated_by TEXT NOT NULL REFERENCES users(id)
     );
 
-    -- Deleted items tracking (for sync)
     CREATE TABLE IF NOT EXISTS deleted_items (
       id TEXT PRIMARY KEY,
-      things_id TEXT NOT NULL,
-      item_type TEXT NOT NULL CHECK (item_type IN ('todo', 'heading')),
-      deleted_at TEXT NOT NULL DEFAULT (datetime('now')),
+      server_id TEXT NOT NULL,
+      deleted_at TEXT NOT NULL,
+      recorded_at TEXT NOT NULL DEFAULT (datetime('now')),
       deleted_by TEXT NOT NULL REFERENCES users(id)
     );
 
-    -- Indexes
     CREATE INDEX IF NOT EXISTS idx_todos_updated ON todos(updated_at);
-    CREATE INDEX IF NOT EXISTS idx_headings_updated ON headings(updated_at);
-    CREATE INDEX IF NOT EXISTS idx_deleted_at ON deleted_items(deleted_at);
+    CREATE INDEX IF NOT EXISTS idx_deleted_recorded ON deleted_items(recorded_at);
   `);
   return db;
 }
+function migrateDatabase(db) {
+  db.pragma("foreign_keys = OFF");
+  const hasTodos = db.prepare(
+    `SELECT name FROM sqlite_master WHERE type='table' AND name='todos'`
+  ).get();
+  if (hasTodos) {
+    const columns = db.prepare(`PRAGMA table_info(todos)`).all();
+    const hasThingsId = columns.some((col) => col.name === "things_id");
+    const hasEditedAt = columns.some((col) => col.name === "edited_at");
+    if (hasThingsId || !hasEditedAt) {
+      db.exec(`
+        CREATE TABLE IF NOT EXISTS todos_new (
+          id TEXT PRIMARY KEY,
+          title TEXT NOT NULL,
+          notes TEXT NOT NULL DEFAULT '',
+          due_date TEXT,
+          tags TEXT NOT NULL DEFAULT '[]',
+          status TEXT NOT NULL DEFAULT 'open' CHECK (status IN ('open', 'completed', 'canceled')),
+          position INTEGER NOT NULL DEFAULT 0,
+          edited_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL,
+          created_by TEXT NOT NULL,
+          updated_by TEXT NOT NULL
+        );
+      `);
+      db.exec(`
+        INSERT INTO todos_new (id, title, notes, due_date, tags, status, position, edited_at, updated_at, created_by, updated_by)
+        SELECT id, title, notes, due_date, tags, status, position, updated_at, updated_at, updated_by, updated_by
+        FROM todos;
+      `);
+      db.exec(`
+        DROP TABLE todos;
+        ALTER TABLE todos_new RENAME TO todos;
+      `);
+    }
+  }
+  const hasDeleted = db.prepare(
+    `SELECT name FROM sqlite_master WHERE type='table' AND name='deleted_items'`
+  ).get();
+  if (hasDeleted) {
+    const columns = db.prepare(`PRAGMA table_info(deleted_items)`).all();
+    const hasServerId = columns.some((col) => col.name === "server_id");
+    const hasRecordedAt = columns.some((col) => col.name === "recorded_at");
+    if (!hasServerId) {
+      db.exec(`
+        CREATE TABLE IF NOT EXISTS deleted_items_new (
+          id TEXT PRIMARY KEY,
+          server_id TEXT NOT NULL,
+          deleted_at TEXT NOT NULL,
+          recorded_at TEXT NOT NULL,
+          deleted_by TEXT NOT NULL
+        );
+      `);
+      db.exec(`
+        INSERT INTO deleted_items_new (id, server_id, deleted_at, recorded_at, deleted_by)
+        SELECT id, things_id, deleted_at, deleted_at, deleted_by
+        FROM deleted_items
+        WHERE item_type = 'todo';
+      `);
+      db.exec(`
+        DROP TABLE deleted_items;
+        ALTER TABLE deleted_items_new RENAME TO deleted_items;
+      `);
+    } else if (!hasRecordedAt) {
+      db.exec(`
+        ALTER TABLE deleted_items ADD COLUMN recorded_at TEXT;
+        UPDATE deleted_items SET recorded_at = deleted_at WHERE recorded_at IS NULL;
+      `);
+    }
+  }
+  const hasHeadings = db.prepare(
+    `SELECT name FROM sqlite_master WHERE type='table' AND name='headings'`
+  ).get();
+  if (hasHeadings) {
+    db.exec(`DROP TABLE headings;`);
+  }
+  db.pragma("foreign_keys = ON");
+}
 function userExists(db, name) {
   const row = db.prepare(`SELECT 1 FROM users WHERE name = ?`).get(name);
   return !!row;
@@ -91,201 +160,188 @@ function createUser(db, name) {
 }
 function getUserByApiKey(db, apiKey) {
   const apiKeyHash = crypto.createHash("sha256").update(apiKey).digest("hex");
-  const row = db.prepare(`
-    SELECT id, name FROM users WHERE api_key_hash = ?
-  `).get(apiKeyHash);
+  const row = db.prepare(`SELECT id, name FROM users WHERE api_key_hash = ?`).get(apiKeyHash);
   return row || null;
 }
 function listUsers(db) {
-  return db.prepare(`
-    SELECT id, name, created_at as createdAt FROM users
-  `).all();
-}
-function getAllHeadings(db) {
-  return db.prepare(`
-    SELECT
-      id, things_id as thingsId, title, position,
-      updated_at as updatedAt, updated_by as updatedBy, created_at as createdAt
-    FROM headings
-    ORDER BY position
-  `).all();
+  return db.prepare(`SELECT id, name, created_at as createdAt FROM users`).all();
 }
-function getHeadingsSince(db, since) {
-  return db.prepare(`
-    SELECT
-      id, things_id as thingsId, title, position,
-      updated_at as updatedAt, updated_by as updatedBy, created_at as createdAt
-    FROM headings
-    WHERE updated_at > ?
+function getAllTodos(db) {
+  const rows = db.prepare(
+    `
+    SELECT id, title, notes, due_date, tags, status, position,
+           edited_at, updated_at, updated_by
+    FROM todos
     ORDER BY position
-  `).all(since);
-}
-function upsertHeading(db, thingsId, title, position, userId) {
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const existing = db.prepare(`SELECT id FROM headings WHERE things_id = ?`).get(thingsId);
-  if (existing) {
-    db.prepare(`
-      UPDATE headings
-      SET title = ?, position = ?, updated_at = ?, updated_by = ?
-      WHERE things_id = ?
-    `).run(title, position, now, userId, thingsId);
-    return existing.id;
-  } else {
-    const id = crypto.randomUUID();
-    db.prepare(`
-      INSERT INTO headings (id, things_id, title, position, updated_at, updated_by, created_at)
-      VALUES (?, ?, ?, ?, ?, ?, ?)
-    `).run(id, thingsId, title, position, now, userId, now);
-    return id;
-  }
-}
-function deleteHeading(db, thingsId, userId) {
-  const existing = db.prepare(`SELECT id FROM headings WHERE things_id = ?`).get(thingsId);
-  if (!existing) return false;
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const deleteId = crypto.randomUUID();
-  db.prepare(`
-    INSERT INTO deleted_items (id, things_id, item_type, deleted_at, deleted_by)
-    VALUES (?, ?, 'heading', ?, ?)
-  `).run(deleteId, thingsId, now, userId);
-  db.prepare(`DELETE FROM headings WHERE things_id = ?`).run(thingsId);
-  return true;
+  `
+  ).all();
+  return rows.map((row) => ({
+    id: row.id,
+    title: row.title,
+    notes: row.notes,
+    dueDate: row.due_date,
+    tags: JSON.parse(row.tags),
+    status: row.status,
+    position: row.position,
+    editedAt: row.edited_at,
+    updatedAt: row.updated_at
+  }));
 }
-function getAllTodos(db) {
-  const rows = db.prepare(`
-    SELECT
-      id, things_id as thingsId, title, notes, due_date as dueDate,
-      tags, status, heading_id as headingId, position,
-      updated_at as updatedAt, updated_by as updatedBy, created_at as createdAt
+function getAllTodosWithMeta(db) {
+  const rows = db.prepare(
+    `
+    SELECT id, title, notes, due_date, tags, status, position,
+           edited_at, updated_at, updated_by
     FROM todos
     ORDER BY position
-  `).all();
+  `
+  ).all();
   return rows.map((row) => ({
-    ...row,
-    tags: JSON.parse(row.tags)
+    id: row.id,
+    title: row.title,
+    notes: row.notes,
+    dueDate: row.due_date,
+    tags: JSON.parse(row.tags),
+    status: row.status,
+    position: row.position,
+    editedAt: row.edited_at,
+    updatedAt: row.updated_at,
+    updatedBy: row.updated_by
   }));
 }
 function getTodosSince(db, since) {
-  const rows = db.prepare(`
-    SELECT
-      id, things_id as thingsId, title, notes, due_date as dueDate,
-      tags, status, heading_id as headingId, position,
-      updated_at as updatedAt, updated_by as updatedBy, created_at as createdAt
+  const rows = db.prepare(
+    `
+    SELECT id, title, notes, due_date, tags, status, position,
+           edited_at, updated_at, updated_by
     FROM todos
     WHERE updated_at > ?
     ORDER BY position
-  `).all(since);
+  `
+  ).all(since);
   return rows.map((row) => ({
-    ...row,
-    tags: JSON.parse(row.tags)
+    id: row.id,
+    title: row.title,
+    notes: row.notes,
+    dueDate: row.due_date,
+    tags: JSON.parse(row.tags),
+    status: row.status,
+    position: row.position,
+    editedAt: row.edited_at,
+    updatedAt: row.updated_at
   }));
 }
-function upsertTodoByServerId(db, serverId, data, userId) {
+function getTodoByServerId(db, serverId) {
+  const row = db.prepare(
+    `
+    SELECT id, title, notes, due_date, tags, status, position,
+           edited_at, updated_at, updated_by
+    FROM todos
+    WHERE id = ?
+  `
+  ).get(serverId);
+  if (!row) return null;
+  return {
+    id: row.id,
+    title: row.title,
+    notes: row.notes,
+    dueDate: row.due_date,
+    tags: JSON.parse(row.tags),
+    status: row.status,
+    position: row.position,
+    editedAt: row.edited_at,
+    updatedAt: row.updated_at,
+    updatedBy: row.updated_by
+  };
+}
+function upsertTodo(db, serverId, data, userId) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const tagsJson = JSON.stringify(data.tags);
-  if (serverId) {
-    const existing = db.prepare(`SELECT id FROM todos WHERE id = ?`).get(serverId);
-    if (existing) {
-      db.prepare(`
-        UPDATE todos
-        SET title = ?, notes = ?, due_date = ?, tags = ?, status = ?,
-            heading_id = ?, position = ?, updated_at = ?, updated_by = ?
-        WHERE id = ?
-      `).run(
-        data.title,
-        data.notes,
-        data.dueDate,
-        tagsJson,
-        data.status,
-        data.headingId,
-        data.position,
-        now,
-        userId,
-        serverId
-      );
-      return serverId;
-    }
-  }
-  const existingByThingsId = db.prepare(`SELECT id FROM todos WHERE things_id = ?`).get(data.thingsId);
-  if (existingByThingsId) {
-    db.prepare(`
+  const existing = db.prepare(`SELECT id FROM todos WHERE id = ?`).get(serverId);
+  if (existing) {
+    db.prepare(
+      `
       UPDATE todos
       SET title = ?, notes = ?, due_date = ?, tags = ?, status = ?,
-          heading_id = ?, position = ?, updated_at = ?, updated_by = ?
-      WHERE things_id = ?
-    `).run(
+          position = ?, edited_at = ?, updated_at = ?, updated_by = ?
+      WHERE id = ?
+    `
+    ).run(
       data.title,
       data.notes,
       data.dueDate,
       tagsJson,
       data.status,
-      data.headingId,
       data.position,
+      data.editedAt,
       now,
       userId,
-      data.thingsId
+      serverId
     );
-    return existingByThingsId.id;
+    return;
   }
-  const id = serverId || crypto.randomUUID();
-  db.prepare(`
-    INSERT INTO todos (id, things_id, title, notes, due_date, tags, status, heading_id, position, updated_at, updated_by, created_at)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `).run(
-    id,
-    data.thingsId,
+  db.prepare(
+    `
+    INSERT INTO todos (id, title, notes, due_date, tags, status, position, edited_at, updated_at, created_by, updated_by)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `
+  ).run(
+    serverId,
     data.title,
     data.notes,
     data.dueDate,
     tagsJson,
     data.status,
-    data.headingId,
     data.position,
+    data.editedAt,
     now,
     userId,
-    now
+    userId
   );
-  return id;
 }
-function deleteTodoByServerId(db, serverId, userId) {
-  const existing = db.prepare(`SELECT id, things_id FROM todos WHERE id = ?`).get(serverId);
+function deleteTodoByServerId(db, serverId) {
+  const existing = db.prepare(`SELECT id FROM todos WHERE id = ?`).get(serverId);
   if (!existing) return false;
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const deleteId = crypto.randomUUID();
-  db.prepare(`
-    INSERT INTO deleted_items (id, things_id, item_type, deleted_at, deleted_by)
-    VALUES (?, ?, 'todo', ?, ?)
-  `).run(deleteId, serverId, now, userId);
   db.prepare(`DELETE FROM todos WHERE id = ?`).run(serverId);
   return true;
 }
+function getDeletedByServerId(db, serverId) {
+  const row = db.prepare(
+    `SELECT deleted_at as deletedAt, deleted_by as deletedBy FROM deleted_items WHERE server_id = ? ORDER BY deleted_at DESC LIMIT 1`
+  ).get(serverId);
+  return row || null;
+}
+function recordDeletion(db, serverId, deletedAt, userId) {
+  db.prepare(`DELETE FROM deleted_items WHERE server_id = ?`).run(serverId);
+  const deleteId = crypto.randomUUID();
+  const recordedAt = (/* @__PURE__ */ new Date()).toISOString();
+  db.prepare(
+    `
+    INSERT INTO deleted_items (id, server_id, deleted_at, recorded_at, deleted_by)
+    VALUES (?, ?, ?, ?, ?)
+  `
+  ).run(deleteId, serverId, deletedAt, recordedAt, userId);
+}
+function clearDeletion(db, serverId) {
+  db.prepare(`DELETE FROM deleted_items WHERE server_id = ?`).run(serverId);
+}
 function getDeletedSince(db, since) {
-  const rows = db.prepare(`
-    SELECT things_id, item_type FROM deleted_items WHERE deleted_at > ?
-  `).all(since);
-  return {
-    todos: rows.filter((r) => r.item_type === "todo").map((r) => r.things_id),
-    headings: rows.filter((r) => r.item_type === "heading").map((r) => r.things_id)
-  };
+  return db.prepare(
+    `
+    SELECT server_id as serverId, deleted_at as deletedAt
+    FROM deleted_items
+    WHERE recorded_at > ?
+  `
+  ).all(since);
 }
 function resetUserData(db, userId) {
-  const todoResult = db.prepare(`DELETE FROM todos WHERE updated_by = ?`).run(userId);
-  const headingResult = db.prepare(`DELETE FROM headings WHERE updated_by = ?`).run(userId);
+  const todoResult = db.prepare(`DELETE FROM todos WHERE updated_by = ? OR created_by = ?`).run(userId, userId);
   db.prepare(`DELETE FROM deleted_items WHERE deleted_by = ?`).run(userId);
   return {
-    deletedTodos: todoResult.changes,
-    deletedHeadings: headingResult.changes
+    deletedTodos: todoResult.changes
   };
 }
 
-// src/cli.ts
-import * as fs2 from "fs";
-import * as path2 from "path";
-import * as os2 from "os";
-import { spawn } from "child_process";
-import Fastify from "fastify";
-import cors from "@fastify/cors";
-
 // src/auth.ts
 function authMiddleware(db) {
   return (request, reply, done) => {
@@ -294,7 +350,10 @@ function authMiddleware(db) {
     }
     const authHeader = request.headers.authorization;
     if (!authHeader || !authHeader.startsWith("Bearer ")) {
-      reply.code(401).send({ error: "Missing or invalid authorization header", code: "UNAUTHORIZED" });
+      reply.code(401).send({
+        error: "Missing or invalid authorization header",
+        code: "UNAUTHORIZED"
+      });
       return;
     }
     const apiKey = authHeader.slice(7);
@@ -309,15 +368,14 @@ function authMiddleware(db) {
 }
 
 // src/routes.ts
+import * as crypto2 from "crypto";
 function registerRoutes(app, db) {
   app.get("/health", async () => {
     return { status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() };
   });
-  app.get("/state", async (request) => {
-    const headings = getAllHeadings(db);
+  app.get("/state", async (_request) => {
     const todos = getAllTodos(db);
     return {
-      headings,
       todos,
       syncedAt: (/* @__PURE__ */ new Date()).toISOString()
     };
@@ -327,89 +385,181 @@ function registerRoutes(app, db) {
     if (!since) {
       return { error: 'Missing "since" query parameter', code: "BAD_REQUEST" };
     }
-    const headings = getHeadingsSince(db, since);
     const todos = getTodosSince(db, since);
     const deleted = getDeletedSince(db, since);
     return {
-      headings: {
-        upserted: headings,
-        deleted: deleted.headings
-      },
       todos: {
         upserted: todos,
-        deleted: deleted.todos
+        deleted
       },
       syncedAt: (/* @__PURE__ */ new Date()).toISOString()
     };
   });
-  app.post("/push", async (request, reply) => {
-    const { headings, todos } = request.body;
-    const userId = request.user.id;
-    const conflicts = [];
-    try {
-      for (const thingsId of headings.deleted) {
-        deleteHeading(db, thingsId, userId);
-      }
-      for (const heading of headings.upserted) {
-        upsertHeading(db, heading.thingsId, heading.title, heading.position, userId);
-      }
-      for (const serverId of todos.deleted) {
-        deleteTodoByServerId(db, serverId, userId);
-      }
-      for (const todo of todos.upserted) {
-        let headingId = null;
-        if (todo.headingId) {
-          const headingRow = db.prepare(`SELECT id FROM headings WHERE things_id = ?`).get(todo.headingId);
-          headingId = headingRow?.id || null;
+  app.post(
+    "/push",
+    async (request, reply) => {
+      const { todos } = request.body;
+      const userId = request.user.id;
+      const conflicts = [];
+      const mappings = [];
+      try {
+        const transaction = db.transaction(() => {
+          for (const deletion of todos.deleted) {
+            const existing = getTodoByServerId(db, deletion.serverId);
+            if (!existing) {
+              const existingDeletion = getDeletedByServerId(
+                db,
+                deletion.serverId
+              );
+              if (!existingDeletion || compareIso(deletion.deletedAt, existingDeletion.deletedAt) > 0) {
+                recordDeletion(
+                  db,
+                  deletion.serverId,
+                  deletion.deletedAt,
+                  userId
+                );
+              }
+              continue;
+            }
+            const shouldDelete = shouldApplyChange(
+              deletion.deletedAt,
+              existing.editedAt,
+              userId,
+              existing.updatedBy
+            );
+            if (!shouldDelete) {
+              conflicts.push({
+                serverId: deletion.serverId,
+                reason: "Remote edit was newer",
+                serverTodo: toTodo(existing),
+                clientDeletedAt: deletion.deletedAt
+              });
+              continue;
+            }
+            deleteTodoByServerId(db, deletion.serverId);
+            recordDeletion(db, deletion.serverId, deletion.deletedAt, userId);
+          }
+          for (const todo of todos.upserted) {
+            const serverId = todo.serverId || crypto2.randomUUID();
+            const position = typeof todo.position === "number" && Number.isFinite(todo.position) ? todo.position : 0;
+            const existingDeletion = getDeletedByServerId(db, serverId);
+            if (existingDeletion) {
+              const editWins = shouldApplyChange(
+                todo.editedAt,
+                existingDeletion.deletedAt,
+                userId,
+                existingDeletion.deletedBy
+              );
+              if (!editWins) {
+                conflicts.push({
+                  serverId,
+                  reason: "Remote delete was newer",
+                  serverTodo: null,
+                  clientTodo: todo
+                });
+                continue;
+              }
+              clearDeletion(db, serverId);
+            }
+            const existing = getTodoByServerId(db, serverId);
+            if (existing) {
+              const shouldApply = shouldApplyChange(
+                todo.editedAt,
+                existing.editedAt,
+                userId,
+                existing.updatedBy
+              );
+              if (!shouldApply) {
+                conflicts.push({
+                  serverId,
+                  reason: "Remote edit was newer",
+                  serverTodo: toTodo(existing),
+                  clientTodo: todo
+                });
+                continue;
+              }
+            } else if (todo.serverId) {
+            }
+            upsertTodo(
+              db,
+              serverId,
+              {
+                title: todo.title,
+                notes: todo.notes,
+                dueDate: todo.dueDate,
+                tags: todo.tags,
+                status: todo.status,
+                position,
+                editedAt: todo.editedAt
+              },
+              userId
+            );
+            if (!todo.serverId && todo.clientId) {
+              mappings?.push({ serverId, clientId: todo.clientId });
+            }
+          }
+        });
+        transaction();
+      } catch (err) {
+        const error = err;
+        if (error.message?.includes("UNIQUE constraint failed")) {
+          reply.status(409);
+          return {
+            error: 'Sync conflict: Server has data that conflicts with your local state. Run "shared-things reset --server" to start fresh.',
+            code: "SYNC_CONFLICT"
+          };
         }
-        upsertTodoByServerId(db, todo.serverId, {
-          thingsId: todo.thingsId,
-          title: todo.title,
-          notes: todo.notes,
-          dueDate: todo.dueDate,
-          tags: todo.tags,
-          status: todo.status,
-          headingId,
-          position: todo.position
-        }, userId);
+        throw err;
       }
-    } catch (err) {
-      const error = err;
-      if (error.message?.includes("UNIQUE constraint failed")) {
-        reply.status(409);
-        return {
-          error: 'Sync conflict: Server has data that conflicts with your local state. Run "shared-things reset --server" to start fresh.',
-          code: "SYNC_CONFLICT"
-        };
-      }
-      throw err;
+      const currentTodos = getAllTodos(db);
+      return {
+        state: {
+          todos: currentTodos,
+          syncedAt: (/* @__PURE__ */ new Date()).toISOString()
+        },
+        conflicts,
+        mappings: mappings?.length ? mappings : void 0
+      };
     }
-    const currentHeadings = getAllHeadings(db);
-    const currentTodos = getAllTodos(db);
-    return {
-      state: {
-        headings: currentHeadings,
-        todos: currentTodos,
-        syncedAt: (/* @__PURE__ */ new Date()).toISOString()
-      },
-      conflicts
-    };
-  });
+  );
   app.delete("/reset", async (request) => {
     const userId = request.user.id;
     const result = resetUserData(db, userId);
     return {
       success: true,
       deleted: {
-        todos: result.deletedTodos,
-        headings: result.deletedHeadings
+        todos: result.deletedTodos
       }
     };
   });
 }
+function compareIso(a, b) {
+  return new Date(a).getTime() - new Date(b).getTime();
+}
+function shouldApplyChange(incomingEditedAt, storedEditedAt, incomingUserId, storedUserId) {
+  const diff = compareIso(incomingEditedAt, storedEditedAt);
+  if (diff > 0) return true;
+  if (diff < 0) return false;
+  return incomingUserId > storedUserId;
+}
+function toTodo(todo) {
+  return {
+    id: todo.id,
+    title: todo.title,
+    notes: todo.notes,
+    dueDate: todo.dueDate,
+    tags: todo.tags,
+    status: todo.status,
+    position: todo.position,
+    editedAt: todo.editedAt,
+    updatedAt: todo.updatedAt
+  };
+}
 
 // src/cli.ts
-var pkg = JSON.parse(fs2.readFileSync(new URL("../package.json", import.meta.url), "utf-8"));
+var pkg = JSON.parse(
+  fs2.readFileSync(new URL("../package.json", import.meta.url), "utf-8")
+);
 var updateCheckInterval = 1e3 * 60 * 60;
 var notifier = updateNotifier({ pkg, updateCheckInterval });
 if (notifier.update) {
@@ -439,8 +589,10 @@ if (notifier.update && notifier.update.current !== notifier.update.latest) {
 process.on("exit", () => {
   if (notifier.update && notifier.update.current !== notifier.update.latest) {
     console.error(
-      chalk.yellow(`
-  Update available: ${notifier.update.current} \u2192 ${notifier.update.latest}`) + chalk.dim(`
+      chalk.yellow(
+        `
+  Update available: ${notifier.update.current} \u2192 ${notifier.update.latest}`
+      ) + chalk.dim(`
   Run: npm i -g ${pkg.name}
 `)
     );
@@ -476,9 +628,13 @@ program.command("start").description("Start the sync server").option("-p, --port
   if (!isChildProcess) {
     const status = isServerRunning();
     if (status.running) {
-      console.log(chalk.yellow(`
-\u26A0\uFE0F  Server already running (PID: ${status.pid})`));
-      console.log(chalk.dim('Use "shared-things-server stop" to stop it first.\n'));
+      console.log(
+        chalk.yellow(`
+\u26A0\uFE0F  Server already running (PID: ${status.pid})`)
+      );
+      console.log(
+        chalk.dim('Use "shared-things-server stop" to stop it first.\n')
+      );
       return;
     }
   }
@@ -486,11 +642,15 @@ program.command("start").description("Start the sync server").option("-p, --port
     ensureDataDir();
     const logFd = fs2.openSync(LOG_FILE, "a");
     const scriptPath = process.argv[1];
-    const child = spawn(process.execPath, [scriptPath, "start", "--port", String(PORT), "--host", HOST], {
-      detached: true,
-      stdio: ["ignore", logFd, logFd],
-      env: { ...process.env, SHARED_THINGS_DETACHED: "1" }
-    });
+    const child = spawn(
+      process.execPath,
+      [scriptPath, "start", "--port", String(PORT), "--host", HOST],
+      {
+        detached: true,
+        stdio: ["ignore", logFd, logFd],
+        env: { ...process.env, SHARED_THINGS_DETACHED: "1" }
+      }
+    );
     fs2.writeFileSync(PID_FILE, String(child.pid));
     child.unref();
     fs2.closeSync(logFd);
@@ -499,13 +659,17 @@ program.command("start").description("Start the sync server").option("-p, --port
     console.log(`  ${chalk.dim("PID:")}  ${child.pid}`);
     console.log(`  ${chalk.dim("URL:")}  http://${HOST}:${PORT}`);
     console.log(`  ${chalk.dim("Logs:")} ${LOG_FILE}`);
-    console.log(chalk.dim('\nUse "shared-things-server logs -f" to follow logs'));
-    console.log(chalk.dim('Use "shared-things-server stop" to stop the server\n'));
+    console.log(
+      chalk.dim('\nUse "shared-things-server logs -f" to follow logs')
+    );
+    console.log(
+      chalk.dim('Use "shared-things-server stop" to stop the server\n')
+    );
     return;
   }
   const db = initDatabase();
   const app = Fastify({
-    logger: isChildProcess ? true : true
+    logger: true
   });
   await app.register(cors, {
     origin: true
@@ -525,9 +689,11 @@ program.command("start").description("Start the sync server").option("-p, --port
   try {
     await app.listen({ port: PORT, host: HOST });
     if (!process.env.SHARED_THINGS_DETACHED) {
-      console.log(chalk.green(`
+      console.log(
+        chalk.green(`
 \u2705 Server running at http://${HOST}:${PORT}
-`));
+`)
+      );
     }
   } catch (err) {
     app.log.error(err);
@@ -599,7 +765,9 @@ program.command("logs").description("Show server logs").option("-f, --follow", "
       process.exit(0);
     });
   } else {
-    const tail = spawn("tail", ["-n", options.lines, LOG_FILE], { stdio: "inherit" });
+    const tail = spawn("tail", ["-n", options.lines, LOG_FILE], {
+      stdio: "inherit"
+    });
     tail.on("close", () => process.exit(0));
   }
 });
@@ -612,7 +780,8 @@ program.command("create-user").description("Create a new user and generate API k
       message: "Username",
       validate: (value) => {
         if (!value.trim()) return "Username is required";
-        if (userExists(db, value.trim())) return `User "${value.trim()}" already exists`;
+        if (userExists(db, value.trim()))
+          return `User "${value.trim()}" already exists`;
         return true;
       }
     });
@@ -628,14 +797,18 @@ program.command("create-user").description("Create a new user and generate API k
   console.log(`  ${chalk.dim("ID:")}       ${id}`);
   console.log(`  ${chalk.dim("Name:")}     ${name}`);
   console.log(`  ${chalk.dim("API Key:")}  ${chalk.cyan(apiKey)}`);
-  console.log(chalk.yellow("\n\u26A0\uFE0F  Save this API key - it cannot be retrieved later!\n"));
+  console.log(
+    chalk.yellow("\n\u26A0\uFE0F  Save this API key - it cannot be retrieved later!\n")
+  );
 });
 program.command("list-users").description("List all users").action(async () => {
   const db = initDatabase();
   const users = listUsers(db);
   if (users.length === 0) {
     console.log(chalk.yellow("\nNo users found.\n"));
-    console.log(chalk.dim("Create a user with: shared-things-server create-user\n"));
+    console.log(
+      chalk.dim("Create a user with: shared-things-server create-user\n")
+    );
   } else {
     console.log(chalk.bold(`
 \u{1F465} Users (${users.length})
@@ -666,7 +839,8 @@ program.command("delete-user").description("Delete a user").option("-n, --name <
       message: "Username to delete",
       validate: (value) => {
         if (!value.trim()) return "Username is required";
-        if (!users.find((u) => u.name === value.trim())) return "User not found";
+        if (!users.find((u) => u.name === value.trim()))
+          return "User not found";
         return true;
       }
     });
@@ -687,7 +861,6 @@ program.command("delete-user").description("Delete a user").option("-n, --name <
     return;
   }
   db.prepare("DELETE FROM todos WHERE updated_by = ?").run(user.id);
-  db.prepare("DELETE FROM headings WHERE updated_by = ?").run(user.id);
   db.prepare("DELETE FROM deleted_items WHERE deleted_by = ?").run(user.id);
   db.prepare("DELETE FROM users WHERE id = ?").run(user.id);
   console.log(chalk.green(`
@@ -696,7 +869,7 @@ program.command("delete-user").description("Delete a user").option("-n, --name <
 });
 program.command("list-todos").description("List all todos").option("-u, --user <name>", "Filter by username").action(async (options) => {
   const db = initDatabase();
-  const todos = getAllTodos(db);
+  const todos = getAllTodosWithMeta(db);
   const users = listUsers(db);
   const userMap = new Map(users.map((u) => [u.id, u.name]));
   let filteredTodos = todos;
@@ -724,7 +897,7 @@ ${title}
     const statusColor = todo.status === "completed" ? chalk.green : todo.status === "canceled" ? chalk.red : chalk.white;
     console.log(`  ${statusColor(statusIcon)} ${chalk.white(todo.title)}`);
     if (todo.notes) {
-      const shortNotes = todo.notes.length > 50 ? todo.notes.substring(0, 50) + "..." : todo.notes;
+      const shortNotes = todo.notes.length > 50 ? `${todo.notes.substring(0, 50)}...` : todo.notes;
       console.log(`    ${chalk.dim("Notes:")} ${shortNotes}`);
     }
     if (todo.dueDate) {
@@ -733,24 +906,24 @@ ${title}
     if (todo.tags && todo.tags.length > 0) {
       console.log(`    ${chalk.dim("Tags:")} ${todo.tags.join(", ")}`);
     }
-    console.log(`    ${chalk.dim("Status:")} ${todo.status} ${chalk.dim("|")} ${chalk.dim("By:")} ${userName} ${chalk.dim("|")} ${todo.updatedAt}`);
+    console.log(
+      `    ${chalk.dim("Status:")} ${todo.status} ${chalk.dim("|")} ${chalk.dim("By:")} ${userName} ${chalk.dim("|")} ${todo.updatedAt}`
+    );
     console.log();
   }
 });
-program.command("reset").description("Delete all todos and headings (keeps users)").action(async () => {
+program.command("reset").description("Delete all todos (keeps users)").action(async () => {
   const db = initDatabase();
   const todos = getAllTodos(db);
-  const headings = getAllHeadings(db);
-  if (todos.length === 0 && headings.length === 0) {
+  if (todos.length === 0) {
     console.log(chalk.yellow("\nNo data to reset.\n"));
     return;
   }
   console.log(chalk.bold("\n\u{1F504} Reset Server Data\n"));
   console.log(`  ${chalk.dim("Todos:")} ${todos.length}`);
-  console.log(`  ${chalk.dim("Headings:")} ${headings.length}`);
   console.log();
   const confirmed = await confirm({
-    message: "Delete all todos and headings? Users will be kept.",
+    message: "Delete all todos? Users will be kept.",
     default: false
   });
   if (!confirmed) {
@@ -758,9 +931,8 @@ program.command("reset").description("Delete all todos and headings (keeps users
     return;
   }
   db.prepare("DELETE FROM todos").run();
-  db.prepare("DELETE FROM headings").run();
   db.prepare("DELETE FROM deleted_items").run();
-  console.log(chalk.green("\n\u2705 All todos and headings deleted. Users preserved.\n"));
+  console.log(chalk.green("\n\u2705 All todos deleted. Users preserved.\n"));
 });
 program.command("purge").description("Delete entire database (all data including users)").action(async () => {
   const dataDir = process.env.DATA_DIR || path2.join(os2.homedir(), ".shared-things-server");
@@ -781,8 +953,12 @@ program.command("purge").description("Delete entire database (all data including
     return;
   }
   fs2.unlinkSync(dbPath);
-  if (fs2.existsSync(dbPath + "-wal")) fs2.unlinkSync(dbPath + "-wal");
-  if (fs2.existsSync(dbPath + "-shm")) fs2.unlinkSync(dbPath + "-shm");
-  console.log(chalk.green('\n\u2705 Database deleted. Run "shared-things-server create-user" to start fresh.\n'));
+  if (fs2.existsSync(`${dbPath}-wal`)) fs2.unlinkSync(`${dbPath}-wal`);
+  if (fs2.existsSync(`${dbPath}-shm`)) fs2.unlinkSync(`${dbPath}-shm`);
+  console.log(
+    chalk.green(
+      '\n\u2705 Database deleted. Run "shared-things-server create-user" to start fresh.\n'
+    )
+  );
 });
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shared-things-server",
-  "version": "1.0.5",
+  "version": "2.0.0",
   "description": "Sync server for Things 3 projects",
   "type": "module",
   "main": "./dist/index.js",
@@ -9,6 +9,7 @@
   },
   "files": [
     "dist",
+    "scripts",
     "README.md"
   ],
   "keywords": [
@@ -55,6 +56,10 @@
   },
   "scripts": {
     "build": "tsup",
-    "dev": "tsx watch src/cli.ts start"
+    "dev": "tsx watch src/cli.ts start",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "postinstall": "node scripts/postinstall.js || true"
   }
 }

package/scripts/postinstall.js

@@ -0,0 +1,124 @@
+#!/usr/bin/env node
+
+/**
+ * Postinstall script: Automatically restart the server if it's running.
+ * This ensures users get the new version after `npm update -g shared-things-server`.
+ *
+ * Safe behaviors:
+ * - Silent success if server is not running
+ * - Never fails npm install (catches all errors)
+ * - Works on any platform (Linux, macOS)
+ */
+
+import { execSync } from "node:child_process";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+
+const DATA_DIR =
+	process.env.DATA_DIR || path.join(os.homedir(), ".shared-things-server");
+const PID_FILE = path.join(DATA_DIR, "server.pid");
+
+function isServerRunning() {
+	if (!fs.existsSync(PID_FILE)) {
+		return { running: false };
+	}
+
+	const pid = parseInt(fs.readFileSync(PID_FILE, "utf-8").trim(), 10);
+
+	try {
+		// Check if process exists (signal 0 doesn't kill, just checks)
+		process.kill(pid, 0);
+		return { running: true, pid };
+	} catch {
+		// Process doesn't exist, clean up stale PID file
+		try {
+			fs.unlinkSync(PID_FILE);
+		} catch {
+			// Ignore cleanup errors
+		}
+		return { running: false };
+	}
+}
+
+function stopServer(pid) {
+	try {
+		process.kill(pid, "SIGTERM");
+		// Wait for graceful shutdown
+		let attempts = 0;
+		while (attempts < 10) {
+			try {
+				process.kill(pid, 0);
+				// Still running, wait
+				execSync("sleep 0.2", { stdio: "pipe" });
+				attempts++;
+			} catch {
+				// Process stopped
+				break;
+			}
+		}
+		// Clean up PID file if still exists
+		if (fs.existsSync(PID_FILE)) {
+			fs.unlinkSync(PID_FILE);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+}
+
+function startServer() {
+	// Verify the command exists
+	try {
+		execSync("which shared-things-server", { stdio: "pipe" });
+	} catch {
+		// Command not in PATH, can't start
+		return false;
+	}
+
+	// Use the CLI's built-in detach mode (-d flag)
+	// This properly handles daemonization and PID file management
+	try {
+		execSync("shared-things-server start -d", {
+			stdio: "pipe",
+			timeout: 10000,
+		});
+		return true;
+	} catch {
+		return false;
+	}
+}
+
+function main() {
+	const status = isServerRunning();
+
+	if (!status.running) {
+		// Server not running, nothing to restart
+		return;
+	}
+
+	// Stop the old server
+	const stopped = stopServer(status.pid);
+	if (!stopped) {
+		console.log(
+			'  ℹ️  Could not auto-restart server. Run "shared-things-server stop && shared-things-server start -d" manually.',
+		);
+		return;
+	}
+
+	// Start with new version
+	const started = startServer();
+	if (started) {
+		console.log("  ✅ Server restarted with new version");
+	} else {
+		console.log(
+			'  ℹ️  Server stopped. Run "shared-things-server start -d" to start it again.',
+		);
+	}
+}
+
+try {
+	main();
+} catch {
+	// Never fail npm install
+}