svamp-cli 0.2.48 → 0.2.50

package/dist/{run-6umeTX-K.mjs → run-CIPCavEp.mjs}

@@ -15,7 +15,7 @@ import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
 import { ElicitRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import { z } from 'zod';
-import { mkdir, rm, chmod, access, mkdtemp, copyFile, writeFile, stat, readdir, readFile as readFile$1 } from 'node:fs/promises';
+import { mkdir, rm, chmod, access, mkdtemp, copyFile, writeFile, readdir, stat, readFile as readFile$1 } from 'node:fs/promises';
 import { promisify } from 'node:util';
 
 let connectToServerFn = null;
@@ -71,6 +71,14 @@ const ROLE_HIERARCHY = {
   interact: 1,
   admin: 2
 };
+function normalizeAllowedUser(input, addedBy) {
+  return {
+    email: input.email.trim(),
+    role: "admin",
+    addedAt: typeof input.addedAt === "number" ? input.addedAt : Date.now(),
+    addedBy: input.addedBy ?? addedBy
+  };
+}
 const ISOLATION_PREFERENCE = ["nono", "docker", "podman"];
 
 function resolveRoleLevel(sharing, userEmail) {
@@ -80,7 +88,7 @@ function resolveRoleLevel(sharing, userEmail) {
       (u) => u.email.toLowerCase() === userEmail.toLowerCase()
     );
     if (sharedUser) {
-      level = ROLE_HIERARCHY[sharedUser.role];
+      level = ROLE_HIERARCHY.admin;
     }
   }
   if (sharing.publicAccess) {
@@ -737,6 +745,14 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         if (newSharing.enabled && !newSharing.owner && context?.user?.email) {
           newSharing = { ...newSharing, owner: context.user.email };
         }
+        const ownerEmail = newSharing.owner || context?.user?.email || "";
+        newSharing = {
+          ...newSharing,
+          allowedUsers: (newSharing.allowedUsers || []).map(
+            (u) => normalizeAllowedUser(u, ownerEmail)
+          ),
+          publicAccess: null
+        };
         const oldSharing = currentMetadata.sharing;
         currentMetadata = { ...currentMetadata, sharing: newSharing };
         metadataVersion++;
@@ -1748,6 +1764,13 @@ function createSessionStore(server, sessionId, initialMetadata, initialAgentStat
       if (newSharing.enabled && !newSharing.owner && context?.user?.email) {
         newSharing = { ...newSharing, owner: context.user.email };
       }
+      const ownerEmail = newSharing.owner || context?.user?.email || "";
+      newSharing = {
+        ...newSharing,
+        allowedUsers: (newSharing.allowedUsers || []).map(
+          (u) => normalizeAllowedUser(u, ownerEmail)
+        )
+      };
       metadata = { ...metadata, sharing: newSharing };
       metadataVersion++;
       notifyListeners({
@@ -2576,7 +2599,8 @@ class SharingNotificationSync {
         userEmail: params.ownerEmail
       },
       title: `${typeLabel} shared with you`,
-      body: `${params.ownerEmail} shared "${params.label || "Untitled"}" with you as ${params.role}`,
+      // Per-user tiers were retired; explicit users always have full access.
+      body: `${params.ownerEmail} shared "${params.label || "Untitled"}" with you (full access)`,
       level: "info",
       action: shareType === "session" ? {
         type: "add-session-bookmark",
@@ -4939,6 +4963,28 @@ function sanitizeEnvForSharing(env) {
   }
   return sanitized;
 }
+async function sweepOrphanedStagedHomes(activeSessionIds) {
+  const removed = [];
+  if (!existsSync(STAGED_HOMES_DIR)) return { removed };
+  const active = new Set(activeSessionIds);
+  let entries;
+  try {
+    entries = await readdir(STAGED_HOMES_DIR, { withFileTypes: true });
+  } catch {
+    return { removed };
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (active.has(entry.name)) continue;
+    const path = join$1(STAGED_HOMES_DIR, entry.name);
+    try {
+      await rm(path, { recursive: true, force: true });
+      removed.push(entry.name);
+    } catch {
+    }
+  }
+  return { removed };
+}
 async function copyDirRecursive(src, dest) {
   const srcStat = await stat(src);
   if (!srcStat.isDirectory()) return;
@@ -4958,7 +5004,8 @@ async function copyDirRecursive(src, dest) {
 var credentialStaging = /*#__PURE__*/Object.freeze({
     __proto__: null,
     sanitizeEnvForSharing: sanitizeEnvForSharing,
-    stageCredentialsForSharing: stageCredentialsForSharing
+    stageCredentialsForSharing: stageCredentialsForSharing,
+    sweepOrphanedStagedHomes: sweepOrphanedStagedHomes
 });
 
 function shouldIsolate(input) {
@@ -5125,6 +5172,287 @@ var claudeAuth = /*#__PURE__*/Object.freeze({
     updateEnvFile: updateEnvFile
 });
 
+const DEFAULT_WEB_BASE = "https://svamp.hypha.aicell.io";
+function getShareBaseUrl() {
+  const fromEnv = (process.env.SVAMP_WEB_URL || "").trim();
+  const base = fromEnv || DEFAULT_WEB_BASE;
+  return base.replace(/\/+$/, "");
+}
+function buildSessionShareUrl(input) {
+  const params = new URLSearchParams();
+  if (input.workspace) params.set("ws", input.workspace);
+  if (input.machineServiceId) params.set("svc", input.machineServiceId);
+  const query = params.toString();
+  return `${getShareBaseUrl()}/share/${input.sessionId}${query ? `?${query}` : ""}`;
+}
+function buildMachineShareUrl(input) {
+  const params = new URLSearchParams();
+  if (input.workspace) params.set("ws", input.workspace);
+  const query = params.toString();
+  return `${getShareBaseUrl()}/share/machine/${input.machineId}${query ? `?${query}` : ""}`;
+}
+const DAEMON_SHARE_EMAILS_ENV = "SVAMP_SHARE_EMAILS";
+function parseDaemonShareEmails(raw) {
+  if (!raw) return [];
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const part of raw.split(",")) {
+    const email = part.trim();
+    if (!email || !email.includes("@")) continue;
+    const k = email.toLowerCase();
+    if (seen.has(k)) continue;
+    seen.add(k);
+    out.push(email);
+  }
+  return out;
+}
+function applyDaemonShareSeed(sharing, seedEmails, ownerEmail) {
+  const base = sharing ? { ...sharing, allowedUsers: [...sharing.allowedUsers || []] } : { enabled: true, owner: ownerEmail || "", allowedUsers: [] };
+  base.enabled = true;
+  if (!base.owner && ownerEmail) base.owner = ownerEmail;
+  const existing = new Set(base.allowedUsers.map((u) => u.email.toLowerCase()));
+  const addedEmails = [];
+  for (const email of seedEmails) {
+    if (existing.has(email.toLowerCase())) continue;
+    base.allowedUsers.push(
+      normalizeAllowedUser({ email, addedBy: "daemon-share-flag" }, base.owner || "daemon-share-flag")
+    );
+    existing.add(email.toLowerCase());
+    addedEmails.push(email);
+  }
+  return { sharing: base, addedEmails };
+}
+
+const AUTH0_NAMESPACES = ["https://api.imjoy.io/", "https://amun.ai/"];
+const COOKIE_NAME = "svamp_serve_token";
+const DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
+const DEFAULT_CACHE_MAX_SIZE = 1e3;
+class TokenCache {
+  cache = /* @__PURE__ */ new Map();
+  ttlMs;
+  maxSize;
+  constructor(ttlMs = DEFAULT_CACHE_TTL_MS, maxSize = DEFAULT_CACHE_MAX_SIZE) {
+    this.ttlMs = ttlMs;
+    this.maxSize = maxSize;
+  }
+  get(token) {
+    const info = this.cache.get(token);
+    if (!info) return null;
+    if (Date.now() > info.expiresAt) {
+      this.cache.delete(token);
+      return null;
+    }
+    return info;
+  }
+  set(token, email) {
+    if (this.cache.size >= this.maxSize) {
+      const oldest = this.cache.keys().next().value;
+      if (oldest) this.cache.delete(oldest);
+    }
+    this.cache.set(token, {
+      email,
+      expiresAt: Date.now() + this.ttlMs
+    });
+  }
+  clear() {
+    this.cache.clear();
+  }
+}
+function hasCookieToken(req) {
+  return !!parseCookies(req.headers.cookie || "")[COOKIE_NAME];
+}
+function extractToken(req) {
+  const cookies = parseCookies(req.headers.cookie || "");
+  if (cookies[COOKIE_NAME]) return cookies[COOKIE_NAME];
+  const auth = req.headers.authorization;
+  if (auth?.startsWith("Bearer ") || auth?.startsWith("bearer ")) {
+    return auth.slice(7).trim();
+  }
+  const url = new URL(req.url || "/", "http://localhost");
+  const qToken = url.searchParams.get("token");
+  if (qToken) return qToken;
+  return null;
+}
+function parseCookies(header) {
+  const cookies = {};
+  for (const pair of header.split(";")) {
+    const eq = pair.indexOf("=");
+    if (eq > 0) {
+      const key = pair.slice(0, eq).trim();
+      const value = pair.slice(eq + 1).trim();
+      cookies[key] = value;
+    }
+  }
+  return cookies;
+}
+function parseJwtEmail(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    if (payload.exp && payload.exp * 1e3 < Date.now()) return null;
+    for (const ns of AUTH0_NAMESPACES) {
+      const email = payload[ns + "email"];
+      if (typeof email === "string" && email) return email.toLowerCase();
+    }
+    if (typeof payload.email === "string" && payload.email) return payload.email.toLowerCase();
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function verifyTokenViaHypha(token, hyphaServerUrl) {
+  try {
+    const baseUrl = hyphaServerUrl.replace(/\/$/, "");
+    const url = `${baseUrl}/public/services/ws/get_user_info`;
+    const resp = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`
+      },
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json();
+    const email = data?.email;
+    if (typeof email === "string" && email) return email.toLowerCase();
+    return null;
+  } catch {
+    return null;
+  }
+}
+class ServeAuth {
+  cache;
+  hyphaServerUrl;
+  constructor(options) {
+    this.hyphaServerUrl = options.hyphaServerUrl.replace(/\/$/, "");
+    this.cache = new TokenCache(
+      options.cacheTtlMs || DEFAULT_CACHE_TTL_MS,
+      options.cacheMaxSize || DEFAULT_CACHE_MAX_SIZE
+    );
+  }
+  /**
+   * Authenticate a request and return the user's email, or null if not authenticated.
+   */
+  async authenticate(req) {
+    const token = extractToken(req);
+    if (!token) return null;
+    const cached = this.cache.get(token);
+    if (cached) return cached.email;
+    const localEmail = parseJwtEmail(token);
+    if (localEmail) {
+      this.cache.set(token, localEmail);
+      return localEmail;
+    }
+    const serverEmail = await verifyTokenViaHypha(token, this.hyphaServerUrl);
+    if (serverEmail) {
+      this.cache.set(token, serverEmail);
+      return serverEmail;
+    }
+    return null;
+  }
+  /**
+   * Check if a user email is authorized for a mount's access level.
+   */
+  isAuthorized(email, access, ownerEmail) {
+    if (access === "public") return true;
+    if (!email) return false;
+    if (access === "owner") {
+      return !!ownerEmail && email.toLowerCase() === ownerEmail.toLowerCase();
+    }
+    return access.some((e) => e.toLowerCase() === email.toLowerCase());
+  }
+  /**
+   * Generate the login page HTML. Loads the `hypha-rpc` JS SDK from CDN and
+   * calls `hyphaWebsocketClient.login({ server_url, login_callback })`, which
+   * handles opening the login URL, polling, and token retrieval internally.
+   * Matches the pattern used by bioimage.io — proven to work.
+   */
+  getLoginPageHtml(redirectUrl) {
+    return `<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Sign in \u2014 Svamp File Server</title>
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#f6f8fa;color:#24292f;padding:16px}
+.card{background:#fff;border:1px solid #d0d7de;border-radius:12px;padding:32px;max-width:420px;width:100%;text-align:center;box-shadow:0 4px 12px rgba(31,35,40,0.06)}
+h1{font-size:1.25rem;margin-bottom:8px}
+.subtitle{color:#656d76;font-size:0.9rem;margin-bottom:24px}
+button{background:#0969da;color:#fff;border:none;border-radius:8px;padding:12px 24px;font-size:1rem;cursor:pointer;font-weight:500;width:100%}
+button:hover{background:#0860c4}
+button:disabled{background:#94d3a2;cursor:wait}
+.status{margin-top:16px;color:#656d76;font-size:0.85rem;min-height:20px;word-break:break-word}
+.error{color:#cf222e}
+.ok{color:#1a7f37}
+a{color:#0969da;text-decoration:none}
+a:hover{text-decoration:underline}
+</style>
+<script src="https://cdn.jsdelivr.net/npm/hypha-rpc@0.21.28/dist/hypha-rpc-websocket.min.js"><\/script>
+</head><body>
+<div class="card">
+  <h1>Sign in required</h1>
+  <p class="subtitle">This resource is private. Sign in with your Hypha account to continue.</p>
+  <button id="login-btn">Sign in with Hypha</button>
+  <div class="status" id="status"></div>
+</div>
+<script>
+const hyphaServer = ${JSON.stringify(this.hyphaServerUrl)};
+const redirectUrl = ${JSON.stringify(redirectUrl)};
+const cookieName = ${JSON.stringify(COOKIE_NAME)};
+
+const btn = document.getElementById('login-btn');
+const statusEl = document.getElementById('status');
+
+function setError(msg) {
+    statusEl.innerHTML = '<span class="error">' + msg + '</span>';
+    btn.disabled = false;
+}
+
+btn.addEventListener('click', async () => {
+    if (typeof hyphaWebsocketClient === 'undefined' || !hyphaWebsocketClient.login) {
+        setError('Hypha SDK failed to load. Check your network connection and retry.');
+        return;
+    }
+
+    btn.disabled = true;
+    statusEl.textContent = 'Opening Hypha sign-in\u2026';
+
+    try {
+        const token = await hyphaWebsocketClient.login({
+            server_url: hyphaServer,
+            login_callback: (context) => {
+                statusEl.textContent = 'Waiting for you to sign in\u2026';
+                // Open the login URL in a new tab. Called synchronously from
+                // inside the SDK's login() after the user's button click, so
+                // popup blockers generally allow it.
+                window.open(context.login_url, '_blank');
+            },
+        });
+
+        if (!token) throw new Error('No token returned from login');
+
+        // Set the cookie so subsequent requests to this origin are authenticated.
+        const secure = location.protocol === 'https:' ? '; Secure' : '';
+        document.cookie = cookieName + '=' + token + '; path=/; SameSite=Lax' + secure;
+
+        statusEl.innerHTML = '<span class="ok">Signed in. Redirecting\u2026</span>';
+        setTimeout(() => { window.location.replace(redirectUrl); }, 300);
+    } catch (err) {
+        setError('Login failed: ' + (err && err.message ? err.message : err));
+    }
+});
+<\/script>
+</body></html>`;
+  }
+  destroy() {
+    this.cache.clear();
+  }
+}
+
 const DEFAULT_PROBE_INTERVAL_S = 10;
 const DEFAULT_PROBE_TIMEOUT_S = 5;
 const DEFAULT_PROBE_FAILURE_THRESHOLD = 3;
@@ -5975,6 +6303,28 @@ function checkTruncation(format, tail, fileSize, head) {
 const __filename$1 = fileURLToPath(import.meta.url);
 const __dirname$1 = dirname(__filename$1);
 const CLAUDE_SKILLS_DIR = join(os$1.homedir(), ".claude", "skills");
+function readSkillVersion(skillDir) {
+  try {
+    const md = readFileSync$1(join(skillDir, "SKILL.md"), "utf-8");
+    const m = md.match(/^---\s*\n([\s\S]*?)\n---/);
+    if (!m) return null;
+    const versionLine = m[1].split("\n").find((l) => /^\s*version\s*:/.test(l));
+    if (!versionLine) return null;
+    return versionLine.split(":").slice(1).join(":").trim().replace(/^["']|["']$/g, "");
+  } catch {
+    return null;
+  }
+}
+function compareVersions(a, b) {
+  const pa = a.split(".").map((p) => parseInt(p, 10) || 0);
+  const pb = b.split(".").map((p) => parseInt(p, 10) || 0);
+  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+    const ai = pa[i] ?? 0;
+    const bi = pb[i] ?? 0;
+    if (ai !== bi) return ai < bi ? -1 : 1;
+  }
+  return 0;
+}
 async function installSkillFromEndpoint(name, baseUrl) {
   const resp = await fetch(baseUrl, { signal: AbortSignal.timeout(15e3) });
   if (!resp.ok) throw new Error(`HTTP ${resp.status} from ${baseUrl}`);
@@ -6076,25 +6426,56 @@ function preventMachineSleep(logger) {
     return;
   }
 }
+async function fetchMarketplaceSkillVersion(name) {
+  try {
+    const url = `https://hypha.aicell.io/hypha-cloud/artifacts/${name}/files/SKILL.md`;
+    const resp = await fetch(url, { signal: AbortSignal.timeout(1e4) });
+    if (!resp.ok) return null;
+    const md = await resp.text();
+    const m = md.match(/^---\s*\n([\s\S]*?)\n---/);
+    if (!m) return null;
+    const versionLine = m[1].split("\n").find((l) => /^\s*version\s*:/.test(l));
+    if (!versionLine) return null;
+    return versionLine.split(":").slice(1).join(":").trim().replace(/^["']|["']$/g, "");
+  } catch {
+    return null;
+  }
+}
 async function ensureAutoInstalledSkills(logger) {
   const tasks = [
     {
       name: "svamp",
-      install: () => installSkillFromMarketplace("svamp")
+      install: () => installSkillFromMarketplace("svamp"),
+      marketplaceVersion: () => fetchMarketplaceSkillVersion("svamp")
     },
     {
       name: "hypha",
       install: () => installSkillFromEndpoint("hypha", "https://hypha.aicell.io/ws/agent-skills/")
+      // hypha skill ships from a different endpoint without a version probe yet.
     }
   ];
   for (const task of tasks) {
     const targetDir = join(CLAUDE_SKILLS_DIR, task.name);
-    if (existsSync$1(targetDir)) continue;
+    const installed = existsSync$1(targetDir);
+    if (!installed) {
+      try {
+        await task.install();
+        logger.log(`[skills] Auto-installed: ${task.name}`);
+      } catch (err) {
+        logger.log(`[skills] Auto-install of "${task.name}" failed (non-fatal): ${err.message}`);
+      }
+      continue;
+    }
+    if (!task.marketplaceVersion) continue;
     try {
-      await task.install();
-      logger.log(`[skills] Auto-installed: ${task.name}`);
+      const remote = await task.marketplaceVersion();
+      const local = readSkillVersion(targetDir);
+      if (remote && local && compareVersions(remote, local) > 0) {
+        logger.log(`[skills] Refreshing "${task.name}" ${local} \u2192 ${remote}...`);
+        await task.install();
+        logger.log(`[skills] Refreshed: ${task.name} \u2192 ${remote}`);
+      }
     } catch (err) {
-      logger.log(`[skills] Auto-install of "${task.name}" failed (non-fatal): ${err.message}`);
     }
   }
 }
@@ -6913,7 +7294,7 @@ async function startDaemon(options) {
   const supervisor = new ProcessSupervisor(join(SVAMP_HOME, "processes"));
   await supervisor.init();
   const tunnels = /* @__PURE__ */ new Map();
-  const { ServeManager } = await import('./serveManager-RvRL-weX.mjs');
+  const { ServeManager } = await import('./serveManager-rHhOPkW4.mjs');
   const serveManager = new ServeManager(SVAMP_HOME, (msg) => logger.log(`[SERVE] ${msg}`), hyphaServerUrl);
   ensureAutoInstalledSkills(logger).catch(() => {
   });
@@ -9164,6 +9545,29 @@ The automated loop has finished. Review the progress above and let me know if yo
     if (persistedMachineMeta) {
       logger.log(`Restored machine metadata (sharing=${!!persistedMachineMeta.sharing}, securityContextConfig=${!!persistedMachineMeta.securityContextConfig}, injectPlatformGuidance=${persistedMachineMeta.injectPlatformGuidance})`);
     }
+    let seededSharing = persistedMachineMeta?.sharing;
+    const seedEmails = parseDaemonShareEmails(process.env[DAEMON_SHARE_EMAILS_ENV]);
+    if (seedEmails.length > 0) {
+      const ownerEmail = parseJwtEmail(process.env.HYPHA_TOKEN || "") || void 0;
+      const result = applyDaemonShareSeed(seededSharing, seedEmails, ownerEmail);
+      seededSharing = result.sharing;
+      if (result.addedEmails.length > 0) {
+        logger.log(`Seeded machine sharing with ${result.addedEmails.length} user(s): ${result.addedEmails.join(", ")}`);
+      } else {
+        logger.log(`Daemon --share seed: no new users (all already in allowedUsers).`);
+      }
+      savePersistedMachineMetadata(SVAMP_HOME, {
+        sharing: seededSharing,
+        securityContextConfig: persistedMachineMeta?.securityContextConfig,
+        injectPlatformGuidance: persistedMachineMeta?.injectPlatformGuidance
+      });
+      try {
+        updateEnvFile({ [DAEMON_SHARE_EMAILS_ENV]: void 0 });
+        process.env[DAEMON_SHARE_EMAILS_ENV] = "";
+      } catch (err) {
+        logger.log(`[share-seed] Failed to clear ${DAEMON_SHARE_EMAILS_ENV} from .env: ${err.message}`);
+      }
+    }
     const machineMetadata = {
       host: os$1.hostname(),
       platform: os$1.platform(),
@@ -9173,8 +9577,9 @@ The automated loop has finished. Review the progress above and let me know if yo
       svampLibDir: join(__dirname$1, ".."),
       displayName: process.env.SVAMP_DISPLAY_NAME || void 0,
       isolationCapabilities,
-      // Restore persisted sharing, security context config, and platform guidance flag
-      ...persistedMachineMeta?.sharing && { sharing: persistedMachineMeta.sharing },
+      // Restore persisted sharing (possibly augmented with --share seed above),
+      // security context config, and platform guidance flag.
+      ...seededSharing && { sharing: seededSharing },
       ...persistedMachineMeta?.securityContextConfig && { securityContextConfig: persistedMachineMeta.securityContextConfig },
       ...persistedMachineMeta?.injectPlatformGuidance !== void 0 && { injectPlatformGuidance: persistedMachineMeta.injectPlatformGuidance }
     };
@@ -9223,6 +9628,15 @@ The automated loop has finished. Review the progress above and let me know if yo
       }
     );
     logger.log(`Machine service registered: svamp-machine-${machineId}`);
+    if (seededSharing?.enabled) {
+      const shareUrl = buildMachineShareUrl({
+        machineId,
+        workspace: server.config?.workspace
+      });
+      logger.log(`Machine share URL: ${shareUrl}`);
+      const userList = (seededSharing.allowedUsers || []).map((u) => u.email).join(", ");
+      if (userList) logger.log(`  Shared with: ${userList}`);
+    }
     machineServiceRef = machineService;
     const artifactSync = new SessionArtifactSync(server, logger.log);
     const debugService = await registerDebugService(server, machineId, {
@@ -9243,6 +9657,15 @@ The automated loop has finished. Review the progress above and let me know if yo
     logger.log(`Debug service registered: svamp-debug-${machineId}`);
     await serveManager.restore();
     const persistedSessions = loadPersistedSessions();
+    try {
+      const knownIds = new Set(persistedSessions.map((s) => s.sessionId).concat(Object.keys(loadSessionIndex())));
+      const { removed } = await sweepOrphanedStagedHomes(knownIds);
+      if (removed.length > 0) {
+        logger.log(`Cleaned up ${removed.length} orphaned staged home(s) from prior runs.`);
+      }
+    } catch (err) {
+      logger.log(`[staged-homes] sweep failed: ${err.message}`);
+    }
     const sessionsToAutoContinue = [];
     const sessionsToRalphResume = [];
     if (persistedSessions.length > 0) {
@@ -9922,4 +10345,4 @@ var run = /*#__PURE__*/Object.freeze({
     stopDaemon: stopDaemon
 });
 
-export { DefaultTransport$1 as D, GeminiTransport$1 as G, registerSessionService as a, stopDaemon as b, connectToHypha as c, daemonStatus as d, resolveSecurityContext as e, buildSecurityContextFromFlags as f, getHyphaServerUrl as g, generateHookSettings as h, acpBackend as i, acpAgentConfig as j, codexMcpBackend as k, loadSecurityContextConfig as l, mergeSecurityContexts as m, claudeAuth as n, run as o, registerMachineService as r, startDaemon as s };
+export { DefaultTransport$1 as D, GeminiTransport$1 as G, ServeAuth as S, registerSessionService as a, stopDaemon as b, connectToHypha as c, daemonStatus as d, resolveSecurityContext as e, buildSecurityContextFromFlags as f, getHyphaServerUrl as g, hasCookieToken as h, buildSessionShareUrl as i, buildMachineShareUrl as j, generateHookSettings as k, loadSecurityContextConfig as l, mergeSecurityContexts as m, normalizeAllowedUser as n, acpBackend as o, acpAgentConfig as p, codexMcpBackend as q, registerMachineService as r, startDaemon as s, claudeAuth as t, run as u };

package/dist/{run-DR7E3IZL.mjs → run-CPV6r3M6.mjs}

@@ -2,7 +2,7 @@ import{createRequire as _pkgrollCR}from"node:module";const require=_pkgrollCR(im
 import os from 'node:os';
 import { resolve, join } from 'node:path';
 import { existsSync, readFileSync, watch } from 'node:fs';
-import { c as connectToHypha, a as registerSessionService, h as generateHookSettings } from './run-6umeTX-K.mjs';
+import { c as connectToHypha, a as registerSessionService, k as generateHookSettings } from './run-CIPCavEp.mjs';
 import { createServer } from 'node:http';
 import { spawn } from 'node:child_process';
 import { createInterface } from 'node:readline';

package/dist/{serveCommands-FUE8m232.mjs → serveCommands-Bzmgmhxk.mjs}

@@ -54,7 +54,7 @@ async function handleServeCommand() {
   }
 }
 async function serveAdd(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-JWrmpGcs.mjs');
+  const { connectAndGetMachine } = await import('./commands-CvWyrVnY.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -86,7 +86,7 @@ async function serveAdd(args, machineId) {
   }
 }
 async function serveApply(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-JWrmpGcs.mjs');
+  const { connectAndGetMachine } = await import('./commands-CvWyrVnY.mjs');
   const fs = await import('fs');
   const yaml = await import('yaml');
   const file = positionalArgs(args)[0];
@@ -171,7 +171,7 @@ async function serveApply(args, machineId) {
   }
 }
 async function serveRemove(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-JWrmpGcs.mjs');
+  const { connectAndGetMachine } = await import('./commands-CvWyrVnY.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -191,7 +191,7 @@ async function serveRemove(args, machineId) {
   }
 }
 async function serveList(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-JWrmpGcs.mjs');
+  const { connectAndGetMachine } = await import('./commands-CvWyrVnY.mjs');
   const all = hasFlag(args, "--all", "-a");
   const json = hasFlag(args, "--json");
   const sessionId = getFlag(args, "--session");
@@ -224,7 +224,7 @@ async function serveList(args, machineId) {
   }
 }
 async function serveInfo(machineId) {
-  const { connectAndGetMachine } = await import('./commands-JWrmpGcs.mjs');
+  const { connectAndGetMachine } = await import('./commands-CvWyrVnY.mjs');
   const { machine, server } = await connectAndGetMachine(machineId);
   try {
     const info = await machine.serveInfo();