tandem-editor 0.2.6 → 0.2.8

package/CHANGELOG.md

@@ -0,0 +1,75 @@
+# Changelog
+
+All notable changes to Tandem will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.2.8] - 2026-04-05
+
+### Added
+
+- CHANGELOG.md opens as the active tab on first startup after an npm update
+- `checkVersionChange` helper tracks version transitions via `last-seen-version` file
+- CHANGELOG.md now ships in the npm package
+
+## [0.2.7] - 2026-04-05
+
+### Fixed
+
+- Force-reload (`tandem_open` with `force: true`) now clears Y.Doc in-place instead of destroying the Hocuspocus room — sidebar, observers, and connections survive
+- TOCTOU fix: session deletion moved after successful reload transaction
+- Observer ownership table corrected in architecture docs
+
+### Added
+
+- 4 new tests for force-reload (annotation clearing, awareness clearing, .txt reload, metadata)
+
+## [0.2.6] - 2026-04-05
+
+### Fixed
+
+- Demo script rewritten to be self-referential for recording
+- Observer ownership documentation added to architecture.md
+
+## [0.2.5] - 2026-04-05
+
+### Fixed
+
+- `tandem setup` Claude Code MCP config path updated
+
+## [0.2.4] - 2026-04-05
+
+### Fixed
+
+- Security audit findings (DNS rebinding, CORS, input validation)
+
+## [0.2.3] - 2026-04-05
+
+### Fixed
+
+- `tandem setup` now writes Claude Code MCP config to `~/.claude.json` instead of `~/.claude/mcp_settings.json`, which Claude Code no longer reads
+
+## [0.2.2] - 2025-04-05
+
+### Fixed
+
+- Silent failure review findings
+
+## [0.2.1] - 2025-04-05
+
+### Fixed
+
+- Full security audit — 25 findings across 7 categories (#172)
+
+## [0.2.0] - 2025-04-04
+
+### Added
+
+- Initial public release on npm as `tandem-editor`
+- 30 MCP tools for collaborative document editing
+- Multi-document tabs with CRDT-anchored annotations
+- Chat sidebar with real-time channel push
+- Support for .md, .docx, .txt, .html files
+- `tandem` CLI with `setup` and `start` commands
+- Claude Code skill auto-installation

package/dist/cli/index.js

@@ -337,7 +337,7 @@ var init_start = __esm({
 
 // src/cli/index.ts
 import updateNotifier from "update-notifier";
-var version = true ? "0.2.6" : "0.0.0-dev";
+var version = true ? "0.2.8" : "0.0.0-dev";
 updateNotifier({ pkg: { name: "tandem-editor", version } }).notify();
 var args = process.argv.slice(2);
 if (args.includes("--help") || args.includes("-h")) {

package/dist/server/index.js

@@ -60,9 +60,6 @@ function getOrCreateDocument(name) {
   }
   return doc;
 }
-function removeDocument(name) {
-  return documents.delete(name);
-}
 async function startHocuspocus(port) {
   hocuspocusInstance = new Hocuspocus({
     port,
@@ -119,9 +116,6 @@ async function startHocuspocus(port) {
   }
   return hocuspocusInstance;
 }
-function getHocuspocus() {
-  return hocuspocusInstance;
-}
 var hocuspocusInstance, documents, shouldKeepDocument, onDocSwapped, onDocUnloaded;
 var init_provider = __esm({
   "src/server/yjs/provider.ts"() {
@@ -220,12 +214,13 @@ function freePortUnix(port) {
     }
   }
 }
-var paths, SESSION_DIR;
+var paths, SESSION_DIR, LAST_SEEN_VERSION_FILE;
 var init_platform = __esm({
   "src/server/platform.ts"() {
     "use strict";
     paths = envPaths("tandem", { suffix: "" });
     SESSION_DIR = path.join(paths.data, "sessions");
+    LAST_SEEN_VERSION_FILE = path.join(paths.data, "last-seen-version");
   }
 });
 
@@ -2827,7 +2822,25 @@ async function openFileByPath(filePath, options) {
     };
   }
   if (forceReload) {
-    await forceCloseDocument(id, existing);
+    const doc2 = getDocument(id) ?? getOrCreateDocument(id);
+    const fileName2 = path5.basename(resolved);
+    await clearAndReload(id, doc2, resolved, format, existing);
+    addDoc(id, { id, filePath: resolved, format, readOnly, source: "file" });
+    setActiveDocId(id);
+    broadcastOpenDocs();
+    ensureAutoSave();
+    return {
+      ...buildResult(doc2, {
+        documentId: id,
+        filePath: resolved,
+        fileName: fileName2,
+        format,
+        readOnly,
+        source: "file",
+        restoredFromSession: false
+      }),
+      forceReloaded: true
+    };
   }
   const doc = getOrCreateDocument(id);
   const fileName = path5.basename(resolved);
@@ -2868,7 +2881,7 @@ async function openFileByPath(filePath, options) {
       source: "file",
       restoredFromSession
     }),
-    forceReloaded: forceReload === true
+    forceReloaded: false
   };
 }
 async function openFileFromContent(fileName, content) {
@@ -2908,57 +2921,64 @@ async function openFileFromContent(fileName, content) {
     restoredFromSession: false
   });
 }
-async function forceCloseDocument(id, existing) {
-  console.error(`[Tandem] forceCloseDocument: tearing down ${id}`);
-  let errors = 0;
-  try {
-    detachObservers(id);
-  } catch (err) {
-    errors++;
-    console.error(`[Tandem] forceCloseDocument: detachObservers failed for ${id}:`, err);
-  }
-  try {
-    removeDoc(id);
-    broadcastOpenDocs();
-  } catch (err) {
-    errors++;
-    console.error(`[Tandem] forceCloseDocument: removeDoc/broadcast failed for ${id}:`, err);
-  }
-  try {
-    const hp = getHocuspocus();
-    if (hp) {
-      hp.closeConnections(id);
-      const hpDoc = hp.documents.get(id);
-      if (hpDoc) {
-        hp.documents.delete(id);
-        hpDoc.destroy();
-      }
-      hp.loadingDocuments.delete(id);
-    }
-  } catch (err) {
-    errors++;
-    console.error(`[Tandem] forceCloseDocument: Hocuspocus cleanup failed for ${id}:`, err);
-  }
-  try {
-    const oldDoc = getDocument(id);
-    if (oldDoc) {
-      oldDoc.destroy();
-      removeDocument(id);
-    }
-  } catch (err) {
-    errors++;
-    console.error(`[Tandem] forceCloseDocument: Y.Doc removal failed for ${id}:`, err);
+async function clearAndReload(id, doc, filePath, format, existing) {
+  console.error(`[Tandem] clearAndReload: reloading ${id} from disk`);
+  const isDocx = format === "docx";
+  let preparedHtml;
+  let preparedComments;
+  let preparedContent;
+  if (isDocx) {
+    const buffer3 = await fs3.readFile(filePath);
+    [preparedHtml, preparedComments] = await Promise.all([
+      loadDocx(buffer3),
+      extractDocxComments(buffer3).catch((err) => {
+        console.error(
+          "[docx-comments] Comment extraction failed; document will reload without imported comments:",
+          err
+        );
+        return [];
+      })
+    ]);
+  } else {
+    preparedContent = await fs3.readFile(filePath, "utf-8");
   }
   try {
-    await deleteSession(existing.filePath);
+    doc.transact(() => {
+      const annotations = doc.getMap(Y_MAP_ANNOTATIONS);
+      annotations.forEach((_, k) => annotations.delete(k));
+      const awareness = doc.getMap(Y_MAP_AWARENESS);
+      awareness.forEach((_, k) => awareness.delete(k));
+      const userAwareness = doc.getMap(Y_MAP_USER_AWARENESS);
+      userAwareness.forEach((_, k) => userAwareness.delete(k));
+      if (isDocx && preparedHtml !== void 0) {
+        htmlToYDoc(doc, preparedHtml);
+        if (preparedComments && preparedComments.length > 0) {
+          injectCommentsAsAnnotations(doc, preparedComments);
+        }
+      } else if (format === "md" && preparedContent !== void 0) {
+        loadMarkdown(doc, preparedContent);
+      } else if (preparedContent !== void 0) {
+        populateYDoc(doc, preparedContent);
+      }
+      const meta = doc.getMap(Y_MAP_DOCUMENT_META);
+      meta.set("readOnly", isDocx);
+      meta.set("format", format);
+      meta.set("documentId", id);
+      meta.set("fileName", path5.basename(filePath));
+      meta.set(Y_MAP_SAVED_AT_VERSION, Date.now());
+    }, MCP_ORIGIN);
+    attachObservers(id, doc);
   } catch (err) {
-    errors++;
-    console.error(`[Tandem] forceCloseDocument: deleteSession failed for ${id}:`, err);
+    console.error(
+      `[Tandem] clearAndReload: failed for ${id} (format=${format}). Y.Doc may be in a partially cleared state:`,
+      err
+    );
+    throw err;
   }
-  await new Promise((resolve) => setTimeout(resolve, 100));
-  console.error(
-    `[Tandem] forceCloseDocument: teardown complete for ${id}${errors > 0 ? ` with ${errors} error(s)` : ""}`
-  );
+  await deleteSession(existing.filePath).catch((err) => {
+    console.error(`[Tandem] clearAndReload: deleteSession failed for ${id}:`, err);
+  });
+  console.error(`[Tandem] clearAndReload: complete for ${id}`);
 }
 function initSavedBaseline(doc) {
   const meta = doc.getMap(Y_MAP_DOCUMENT_META);
@@ -3010,6 +3030,10 @@ var init_file_opener = __esm({
     init_constants();
     init_queue();
     init_file_io();
+    init_markdown();
+    init_docx();
+    init_docx_html();
+    init_docx_comments();
     init_manager();
     init_document_model();
     init_document_service();
@@ -3554,7 +3578,7 @@ var init_launcher = __esm({
 });
 
 // src/server/index.ts
-import path9 from "path";
+import path10 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // src/server/mcp/server.ts
@@ -5655,6 +5679,26 @@ init_constants();
 init_manager();
 init_platform();
 
+// src/server/version-check.ts
+import fs6 from "fs/promises";
+import path9 from "path";
+async function checkVersionChange(currentVersion, versionFilePath) {
+  let storedVersion = null;
+  try {
+    storedVersion = (await fs6.readFile(versionFilePath, "utf-8")).trim();
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      console.error("[Tandem] Failed to read last-seen-version:", err);
+    }
+  }
+  const result = storedVersion === null ? "first-install" : storedVersion === currentVersion ? "current" : "upgraded";
+  if (result !== "current") {
+    await fs6.mkdir(path9.dirname(versionFilePath), { recursive: true });
+    await fs6.writeFile(versionFilePath, currentVersion, "utf-8");
+  }
+  return result;
+}
+
 // src/server/error-filter.ts
 function isKnownHocuspocusError(err) {
   if (!(err instanceof Error)) return false;
@@ -5871,9 +5915,22 @@ async function main() {
       })
     ]);
     httpServer = srv;
+    try {
+      const versionStatus = await checkVersionChange(APP_VERSION, LAST_SEEN_VERSION_FILE);
+      if (versionStatus === "upgraded") {
+        const changelogPath = path10.resolve(
+          path10.dirname(fileURLToPath2(import.meta.url)),
+          "../../CHANGELOG.md"
+        );
+        await openFileByPath(changelogPath);
+        console.error(`[Tandem] Opened CHANGELOG.md (upgraded to v${APP_VERSION})`);
+      }
+    } catch (err) {
+      console.error("[Tandem] Version check / changelog open failed (non-fatal):", err);
+    }
     if (getOpenDocs().size === 0 && !process.env.TANDEM_NO_SAMPLE) {
-      const samplePath = path9.resolve(
-        path9.dirname(fileURLToPath2(import.meta.url)),
+      const samplePath = path10.resolve(
+        path10.dirname(fileURLToPath2(import.meta.url)),
         "../../sample/welcome.md"
       );
       openFileByPath(samplePath).then(() => {