sessionfs 0.3.0__tar.gz → 0.3.2__tar.gz

{sessionfs-0.3.0 → sessionfs-0.3.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sessionfs
-Version: 0.3.0
+Version: 0.3.2
 Summary: Capture, sync, and resume AI coding sessions across 8 tools — Claude Code, Codex, Gemini, Copilot, Cursor, Amp, Cline, and Roo Code.
 Project-URL: Homepage, https://sessionfs.dev
 Project-URL: Repository, https://github.com/sessionfs/sessionfs
@@ -36,6 +36,7 @@ Requires-Dist: alembic<2.0,>=1.13; extra == 'dev'
 Requires-Dist: asyncpg<1.0,>=0.29; extra == 'dev'
 Requires-Dist: boto3<2.0,>=1.34; extra == 'dev'
 Requires-Dist: build<2.0,>=1.0; extra == 'dev'
+Requires-Dist: cryptography<44.0,>=42.0; extra == 'dev'
 Requires-Dist: fastapi<1.0,>=0.110; extra == 'dev'
 Requires-Dist: google-cloud-storage<3.0,>=2.14; extra == 'dev'
 Requires-Dist: httpx<1.0,>=0.27; extra == 'dev'
@@ -52,6 +53,7 @@ Provides-Extra: server
 Requires-Dist: alembic<2.0,>=1.13; extra == 'server'
 Requires-Dist: asyncpg<1.0,>=0.29; extra == 'server'
 Requires-Dist: boto3<2.0,>=1.34; extra == 'server'
+Requires-Dist: cryptography<44.0,>=42.0; extra == 'server'
 Requires-Dist: fastapi<1.0,>=0.110; extra == 'server'
 Requires-Dist: google-cloud-storage<3.0,>=2.14; extra == 'server'
 Requires-Dist: pydantic-settings<3.0,>=2.0; extra == 'server'
@@ -61,6 +63,10 @@ Requires-Dist: sqlalchemy[asyncio]<3.0,>=2.0; extra == 'server'
 Requires-Dist: uvicorn[standard]<1.0,>=0.27; extra == 'server'
 Description-Content-Type: text/markdown
 
+<p align="center">
+  <img src="brand/logo-full.svg" alt="SessionFS" width="300">
+</p>
+
 # SessionFS
 
 **Stop re-prompting. Start resuming.**
@@ -217,21 +223,22 @@ All file paths are relative to workspace root. Sessions are append-only — conf
 
 ## Status
 
-**v0.3.0 — Public Beta.** 640 tests passing.
+**v0.3.2 — Public Beta.** 673 tests passing.
 
 What works today:
 - Eight-tool session capture (Claude Code, Codex, Gemini, Cursor, Copilot CLI, Amp, Cline, Roo Code)
 - Cross-tool resume between Claude Code, Codex, Gemini, and Copilot CLI
 - Full-text search across all sessions (CLI + dashboard + API)
 - MCP server — AI tools can search your past sessions for context
+- LLM-as-a-Judge — audit sessions for hallucinations (BYOK, multi-provider, OpenRouter)
+- Team handoff with email notification and smart workspace resolution
 - Browse, inspect, export, fork, and checkpoint sessions
 - Cloud sync with push/pull, email verification, and ETag conflict detection
 - Self-hosted API server with auth, PostgreSQL, S3/GCS storage
-- Web dashboard with session management and search
-- Team handoff with email notification
-- 12 security controls including secret detection, path traversal protection, and audit logging
+- Web dashboard with session management, search, handoffs, and audit
 
 On the roadmap:
+- Admin API and dashboard
 - Stripe billing integration
 - Session similarity and duplicate detection
 - Cost analytics dashboard

{sessionfs-0.3.0 → sessionfs-0.3.2}/README.md

@@ -1,3 +1,7 @@
+<p align="center">
+  <img src="brand/logo-full.svg" alt="SessionFS" width="300">
+</p>
+
 # SessionFS
 
 **Stop re-prompting. Start resuming.**
@@ -154,21 +158,22 @@ All file paths are relative to workspace root. Sessions are append-only — conf
 
 ## Status
 
-**v0.3.0 — Public Beta.** 640 tests passing.
+**v0.3.2 — Public Beta.** 673 tests passing.
 
 What works today:
 - Eight-tool session capture (Claude Code, Codex, Gemini, Cursor, Copilot CLI, Amp, Cline, Roo Code)
 - Cross-tool resume between Claude Code, Codex, Gemini, and Copilot CLI
 - Full-text search across all sessions (CLI + dashboard + API)
 - MCP server — AI tools can search your past sessions for context
+- LLM-as-a-Judge — audit sessions for hallucinations (BYOK, multi-provider, OpenRouter)
+- Team handoff with email notification and smart workspace resolution
 - Browse, inspect, export, fork, and checkpoint sessions
 - Cloud sync with push/pull, email verification, and ETag conflict detection
 - Self-hosted API server with auth, PostgreSQL, S3/GCS storage
-- Web dashboard with session management and search
-- Team handoff with email notification
-- 12 security controls including secret detection, path traversal protection, and audit logging
+- Web dashboard with session management, search, handoffs, and audit
 
 On the roadmap:
+- Admin API and dashboard
 - Stripe billing integration
 - Session similarity and duplicate detection
 - Cost analytics dashboard

{sessionfs-0.3.0 → sessionfs-0.3.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sessionfs"
-version = "0.3.0"
+version = "0.3.2"
 description = "Capture, sync, and resume AI coding sessions across 8 tools — Claude Code, Codex, Gemini, Copilot, Cursor, Amp, Cline, and Roo Code."
 readme = "README.md"
 requires-python = ">=3.10"
@@ -56,6 +56,7 @@ server = [
     "pydantic-settings>=2.0,<3.0",
     "PyJWT>=2.8,<3.0",
     "google-cloud-storage>=2.14,<3.0",
+    "cryptography>=42.0,<44.0",
 ]
 dev = [
     "sessionfs[server]",

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/__init__.py

@@ -5,4 +5,4 @@ from importlib.metadata import version, PackageNotFoundError
 try:
     __version__ = version("sessionfs")
 except PackageNotFoundError:
-    __version__ = "0.3.0"  # fallback for development
+    __version__ = "0.3.2"  # fallback for development

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/cli/cmd_audit.py

@@ -24,10 +24,11 @@ def audit(
     session_id: str = typer.Argument(..., help="Session ID or prefix"),
     model: str = typer.Option("claude-sonnet-4", "--model", help="Judge LLM model"),
     api_key: Optional[str] = typer.Option(None, "--api-key", help="LLM API key"),
-    provider: Optional[str] = typer.Option(None, "--provider", help="LLM provider (anthropic, openai, google)"),
+    provider: Optional[str] = typer.Option(None, "--provider", help="LLM provider (anthropic, openai, google, openrouter)"),
     consensus: bool = typer.Option(False, "--consensus", help="Run 3 passes, report only where 2+ agree"),
     report_only: bool = typer.Option(False, "--report", help="Show existing report only"),
     json_output: bool = typer.Option(False, "--json", help="Output as JSON"),
+    fmt: Optional[str] = typer.Option(None, "--format", help="Export format: json, markdown, csv (use with --report)"),
 ) -> None:
     """Audit a session for hallucinations using LLM-as-a-Judge."""
     store = open_store()
@@ -35,7 +36,7 @@ def audit(
     session_dir = get_session_dir_or_exit(store, session_id)
 
     if report_only:
-        _show_existing_report(session_dir, session_id, json_output)
+        _show_existing_report(session_dir, session_id, json_output, fmt)
         return
 
     resolved_key = _resolve_api_key(api_key, model)
@@ -58,7 +59,10 @@ def audit(
         err_console.print(f"[red]Audit failed: {exc}[/red]")
         raise typer.Exit(1)
 
-    _display_report(report, json_output)
+    if fmt:
+        _export_report(report, fmt, session_dir)
+    else:
+        _display_report(report, json_output)
 
 
 def _resolve_api_key(explicit_key: str | None, model: str) -> str | None:
@@ -137,7 +141,7 @@ async def _run_judge(
     )
 
 
-def _show_existing_report(session_dir, session_id: str, json_output: bool) -> None:
+def _show_existing_report(session_dir, session_id: str, json_output: bool, fmt: str | None = None) -> None:
     """Load and display an existing audit report."""
     from sessionfs.judge.report import load_report
 
@@ -149,7 +153,41 @@ def _show_existing_report(session_dir, session_id: str, json_output: bool) -> No
         )
         raise typer.Exit(1)
 
-    _display_report(report, json_output)
+    if fmt:
+        _export_report(report, fmt, session_dir)
+    else:
+        _display_report(report, json_output)
+
+
+def _export_report(report, fmt: str, session_dir=None) -> None:
+    """Export report in the specified format."""
+    from sessionfs.judge.export import export_csv, export_json, export_markdown
+
+    fmt = fmt.lower()
+
+    if fmt == "markdown":
+        # Try to read session metadata for richer markdown export
+        session_title = ""
+        session_tool = ""
+        message_count = 0
+        if session_dir:
+            manifest_path = session_dir / "manifest.json"
+            if manifest_path.exists():
+                try:
+                    manifest = json.loads(manifest_path.read_text())
+                    session_title = manifest.get("title", "")
+                    session_tool = manifest.get("source", {}).get("tool", "")
+                    message_count = manifest.get("stats", {}).get("message_count", 0)
+                except (json.JSONDecodeError, OSError):
+                    pass
+        console.print(export_markdown(report, session_title, session_tool, message_count))
+    elif fmt == "csv":
+        console.print(export_csv(report))
+    elif fmt == "json":
+        console.print(export_json(report))
+    else:
+        err_console.print(f"[red]Unknown format: {fmt}. Use json, markdown, or csv.[/red]")
+        raise typer.Exit(1)
 
 
 def _display_report(report, json_output: bool) -> None:

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/cli/cmd_cloud.py

@@ -194,13 +194,35 @@ def auth_signup(
 def auth_status() -> None:
     """Show current authentication status."""
     cfg = _load_sync_config()
-    if cfg["api_key"]:
-        console.print("[green]Authenticated[/green]")
-        console.print(f"  Server: {cfg['api_url']}")
-        console.print(f"  Sync enabled: {cfg['enabled']}")
-        console.print(f"  API key: {cfg['api_key'][:8]}...")
-    else:
+    if not cfg["api_key"]:
         console.print("[dim]Not authenticated. Run 'sfs auth login'.[/dim]")
+        return
+
+    console.print("[green]Authenticated[/green]")
+    console.print(f"  Server: {cfg['api_url']}")
+    console.print(f"  API key: {cfg['api_key'][:12]}...")
+
+    # Fetch user profile from server
+    try:
+        import httpx
+
+        resp = httpx.get(
+            f"{cfg['api_url']}/api/v1/auth/me",
+            headers={"Authorization": f"Bearer {cfg['api_key']}"},
+            timeout=10,
+        )
+        if resp.status_code == 200:
+            me = resp.json()
+            console.print(f"  Email: [cyan]{me.get('email', '?')}[/cyan]")
+            console.print(f"  Tier: {me.get('tier', 'free')}")
+            verified = me.get("email_verified", False)
+            console.print(f"  Verified: {'[green]yes[/green]' if verified else '[yellow]no — check your inbox[/yellow]'}")
+        else:
+            console.print(f"  [dim]Could not fetch profile (HTTP {resp.status_code})[/dim]")
+    except Exception:
+        console.print("  [dim]Could not reach server[/dim]")
+
+    console.print(f"  Sync enabled: {cfg['enabled']}")
 
 
 def push(
@@ -519,7 +541,7 @@ def handoff(
             console.print(f"\n[green]Handoff created: {handoff_id}[/green]")
             console.print(f"  Recipient: {to}")
             console.print(f"  Expires: {data['expires_at']}")
-            console.print(f"\nRecipient can pull with:")
+            console.print("\nRecipient can pull with:")
             console.print(f"  sfs pull --handoff {handoff_id}")
         else:
             err_console.print(f"[red]Handoff failed: {resp.text}[/red]")
@@ -641,7 +663,7 @@ def pull_handoff(
             f"\n[green]Pulled handoff session {session_id}[/green]\n"
             f"  Size: {len(pull_result.data):,} bytes"
         )
-        console.print(f"\nResume with:")
+        console.print("\nResume with:")
         console.print(f"  sfs resume {session_id} --in {tool}")
 
     finally:

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/cli/cmd_sessions.py

@@ -168,6 +168,7 @@ def list_sessions(
         table.add_column("Msgs", justify="right", no_wrap=True, max_width=5)
         table.add_column("Tokens", justify="right", no_wrap=True, max_width=6)
         table.add_column("Age", no_wrap=True, max_width=8)
+        table.add_column("Audit", no_wrap=True, max_width=5)
         table.add_column("Title", ratio=1)
 
         for s in sessions:
@@ -178,6 +179,24 @@ def list_sessions(
                 from sessionfs.cli.titles import _truncate_at_word
                 title = _truncate_at_word(title, 60)
 
+            # Load audit report if it exists
+            audit_display = ""
+            session_dir = store.get_session_dir(s["session_id"])
+            if session_dir:
+                audit_path = session_dir / "audit_report.json"
+                if audit_path.exists():
+                    try:
+                        audit_data = json.loads(audit_path.read_text())
+                        trust = audit_data.get("summary", {}).get("trust_score", 0)
+                        if trust >= 0.8:
+                            audit_display = f"[green]{trust:.0%}[/green]"
+                        elif trust >= 0.5:
+                            audit_display = f"[yellow]{trust:.0%}[/yellow]"
+                        else:
+                            audit_display = f"[red]{trust:.0%}[/red]"
+                    except (json.JSONDecodeError, OSError):
+                        pass
+
             table.add_row(
                 s["session_id"][:8],
                 abbreviate_tool(s.get("source_tool")),
@@ -185,6 +204,7 @@ def list_sessions(
                 str(s.get("message_count", 0)),
                 format_token_count(total_tokens),
                 format_relative_time(s.get("updated_at") or s.get("created_at")),
+                audit_display,
                 title,
             )
 

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/daemon/main.py

@@ -370,18 +370,21 @@ class Daemon:
 
         try:
             while self._running:
-                # Handle config reload
-                if self._reload_requested:
-                    self._reload_requested = False
-                    self._reload_config()
+                try:
+                    # Handle config reload
+                    if self._reload_requested:
+                        self._reload_requested = False
+                        self._reload_config()
 
-                for watcher in self.watchers:
-                    watcher.process_events()
+                    for watcher in self.watchers:
+                        watcher.process_events()
 
-                # Sync any pending sessions
-                self._syncer.maybe_sync()
+                    # Sync any pending sessions
+                    self._syncer.maybe_sync()
 
-                self._update_status()
+                    self._update_status()
+                except Exception as exc:
+                    logger.error("Error in daemon loop (continuing): %s", exc)
                 time.sleep(1.0)
         finally:
             logger.info("sfsd shutting down...")

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/daemon/status.py

@@ -47,10 +47,14 @@ class DaemonStatus(BaseModel):
 
 def write_status(status: DaemonStatus, status_path: Path) -> None:
     """Write daemon status atomically (write to temp, rename)."""
-    status.last_updated_at = datetime.now(timezone.utc).isoformat()
-    tmp_path = status_path.with_suffix(".tmp")
-    tmp_path.write_text(json.dumps(status.model_dump(), indent=2))
-    tmp_path.rename(status_path)
+    try:
+        status.last_updated_at = datetime.now(timezone.utc).isoformat()
+        status_path.parent.mkdir(parents=True, exist_ok=True)
+        tmp_path = status_path.with_suffix(".tmp")
+        tmp_path.write_text(json.dumps(status.model_dump(), indent=2))
+        tmp_path.rename(status_path)
+    except OSError:
+        pass  # Non-fatal — status is informational, don't crash the daemon
 
 
 def read_status(status_path: Path) -> DaemonStatus | None:

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/judge/evidence.py

@@ -163,7 +163,6 @@ def gather_evidence(messages: list[dict]) -> list[Evidence]:
         if tool_id in tool_uses:
             use_idx, tool_name, inp = tool_uses[tool_id]
         else:
-            use_idx = idx
             tool_name = msg.get("name", "unknown")
             inp = {}
 

sessionfs-0.3.2/src/sessionfs/judge/export.py

@@ -0,0 +1,85 @@
+"""Export judge reports in multiple formats."""
+
+from __future__ import annotations
+
+import csv
+import io
+import json
+from dataclasses import asdict
+
+from sessionfs.judge.report import JudgeReport
+
+
+def export_markdown(
+    report: JudgeReport,
+    session_title: str = "",
+    session_tool: str = "",
+    message_count: int = 0,
+) -> str:
+    """Export audit report as markdown."""
+    s = report.summary
+    lines: list[str] = []
+
+    lines.append(f"# Audit Report: {report.session_id}")
+    lines.append("")
+
+    if session_title:
+        lines.append(f"**Title:** {session_title}")
+    if session_tool:
+        lines.append(f"**Tool:** {session_tool}")
+    if message_count:
+        lines.append(f"**Messages:** {message_count}")
+    lines.append(f"**Model:** {report.model}")
+    lines.append(f"**Timestamp:** {report.timestamp}")
+    lines.append("")
+
+    # Summary
+    lines.append("## Summary")
+    lines.append("")
+    lines.append("| Metric | Value |")
+    lines.append("|--------|-------|")
+    lines.append(f"| Trust Score | {s.trust_score:.0%} |")
+    lines.append(f"| Total Claims | {s.total_claims} |")
+    lines.append(f"| Verified | {s.verified} |")
+    lines.append(f"| Unverified | {s.unverified} |")
+    lines.append(f"| Hallucinations | {s.hallucinations} |")
+    lines.append(f"| Major | {s.major_findings} |")
+    lines.append(f"| Moderate | {s.moderate_findings} |")
+    lines.append(f"| Minor | {s.minor_findings} |")
+    lines.append("")
+
+    # Findings
+    if report.findings:
+        lines.append("## Findings")
+        lines.append("")
+        lines.append("| Msg | Verdict | Severity | Claim | Evidence | Explanation |")
+        lines.append("|-----|---------|----------|-------|----------|-------------|")
+        for f in report.findings:
+            claim = f.claim.replace("|", "\\|")
+            evidence = f.evidence.replace("|", "\\|")
+            explanation = f.explanation.replace("|", "\\|")
+            lines.append(
+                f"| {f.message_index} | {f.verdict} | {f.severity} "
+                f"| {claim} | {evidence} | {explanation} |"
+            )
+        lines.append("")
+    else:
+        lines.append("No verifiable claims found in this session.")
+        lines.append("")
+
+    return "\n".join(lines)
+
+
+def export_csv(report: JudgeReport) -> str:
+    """Export as CSV: message_index,verdict,severity,claim,evidence,explanation"""
+    output = io.StringIO()
+    writer = csv.writer(output)
+    writer.writerow(["message_index", "verdict", "severity", "claim", "evidence", "explanation"])
+    for f in report.findings:
+        writer.writerow([f.message_index, f.verdict, f.severity, f.claim, f.evidence, f.explanation])
+    return output.getvalue()
+
+
+def export_json(report: JudgeReport) -> str:
+    """Export as indented JSON."""
+    return json.dumps(asdict(report), indent=2)

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/judge/judge.py

@@ -160,7 +160,7 @@ def _parse_judge_response(response: str, claims: list[Claim]) -> list[Finding]:
     if text.startswith("```"):
         lines = text.split("\n")
         # Remove first and last fence lines
-        lines = [l for l in lines if not l.strip().startswith("```")]
+        lines = [ln for ln in lines if not ln.strip().startswith("```")]
         text = "\n".join(lines)
 
     try:

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/judge/providers.py

@@ -17,6 +17,7 @@ _PROVIDER_DETECT = [
     ("gpt-", "openai"),
     ("o1", "openai"),
     ("o3", "openai"),
+    ("o4", "openai"),
     ("gemini-", "google"),
 ]
 
@@ -25,18 +26,25 @@ _OPENAI_URL = "https://api.openai.com/v1/chat/completions"
 _GOOGLE_URL_TEMPLATE = (
     "https://generativelanguage.googleapis.com/v1beta/models/{model}:generateContent"
 )
+_OPENROUTER_URL = "https://openrouter.ai/api/v1/chat/completions"
 
 
 def _detect_provider(model: str) -> str:
-    """Auto-detect provider from model name."""
+    """Auto-detect provider from model name.
+
+    Models containing "/" are routed to OpenRouter.
+    Unknown models fall back to OpenRouter.
+    """
+    if "/" in model:
+        return "openrouter"
+
     model_lower = model.lower()
     for prefix, provider in _PROVIDER_DETECT:
         if model_lower.startswith(prefix):
             return provider
-    raise ValueError(
-        f"Cannot auto-detect provider for model '{model}'. "
-        "Pass --provider explicitly (anthropic, openai, google)."
-    )
+
+    # Unknown model — fall back to OpenRouter
+    return "openrouter"
 
 
 async def _call_anthropic(model: str, system: str, prompt: str, api_key: str, temperature: float = 0) -> str:
@@ -108,6 +116,31 @@ async def _call_google(model: str, system: str, prompt: str, api_key: str, tempe
     return ""
 
 
+async def _call_openrouter(model: str, system: str, prompt: str, api_key: str, temperature: float = 0) -> str:
+    """Call the OpenRouter Chat Completions API."""
+    headers = {
+        "Authorization": f"Bearer {api_key}",
+        "Content-Type": "application/json",
+        "HTTP-Referer": "https://sessionfs.dev",
+        "X-Title": "SessionFS",
+    }
+    body = {
+        "model": model,
+        "messages": [
+            {"role": "system", "content": system},
+            {"role": "user", "content": prompt},
+        ],
+        "max_tokens": 4096,
+        "temperature": temperature,
+        "response_format": {"type": "json_object"},
+    }
+    async with httpx.AsyncClient(timeout=120) as client:
+        resp = await client.post(_OPENROUTER_URL, json=body, headers=headers)
+    resp.raise_for_status()
+    data = resp.json()
+    return data["choices"][0]["message"]["content"]
+
+
 async def call_llm(
     model: str,
     system: str,
@@ -122,6 +155,8 @@ async def call_llm(
     - claude-* -> anthropic
     - gpt-*, o1*, o3* -> openai
     - gemini-* -> google
+    - models containing "/" -> openrouter
+    - unknown models -> openrouter (fallback)
 
     Uses httpx directly — no SDK dependencies. The API key is used for
     this single request only and is never persisted. Temperature defaults
@@ -139,5 +174,7 @@ async def call_llm(
         return await _call_openai(model, system, prompt, api_key, temperature)
     elif provider == "google":
         return await _call_google(model, system, prompt, api_key, temperature)
+    elif provider == "openrouter":
+        return await _call_openrouter(model, system, prompt, api_key, temperature)
     else:
         raise ValueError(f"Unsupported provider: {provider}")

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/server/app.py

@@ -12,7 +12,7 @@ from sessionfs import __version__
 from sessionfs.server.config import ServerConfig
 from sessionfs.server.db.engine import close_engine, init_engine
 from sessionfs.server.errors import register_exception_handlers
-from sessionfs.server.routes import audit, auth, handoffs, health, sessions
+from sessionfs.server.routes import admin, audit, auth, handoffs, health, sessions, settings
 from sessionfs.server.storage.local import LocalBlobStore
 
 
@@ -81,6 +81,8 @@ def create_app(config: ServerConfig | None = None) -> FastAPI:
     app.include_router(sessions.router)
     app.include_router(handoffs.router)
     app.include_router(audit.router)
+    app.include_router(settings.router)
+    app.include_router(admin.router)
 
     # Serve dashboard static files if the dist directory exists.
     # The dashboard is a React SPA — all non-API routes serve index.html.

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/server/auth/dependencies.py

@@ -70,6 +70,15 @@ async def get_current_user(
     return user
 
 
+async def require_admin(
+    user: User = Depends(get_current_user),
+) -> User:
+    """Require that the authenticated user has admin tier."""
+    if user.tier != "admin":
+        raise HTTPException(status_code=403, detail="Admin access required")
+    return user
+
+
 async def require_verified_user(
     user: User = Depends(get_current_user),
 ) -> User:

{sessionfs-0.3.0 → sessionfs-0.3.2}/src/sessionfs/server/config.py

@@ -22,7 +22,8 @@ class ServerConfig(BaseSettings):
 
     resend_api_key: str = ""
     verification_secret: str = ""
-    max_sync_bytes: int = 10_485_760  # 10 MB
+    max_sync_bytes_free: int = 52_428_800  # 50 MB — free tier
+    max_sync_bytes_paid: int = 314_572_800  # 300 MB — pro/team/enterprise/admin
     retention_days_free: int = 14
 
     host: str = "0.0.0.0"

sessionfs-0.3.2/src/sessionfs/server/db/migrations/versions/006_judge_settings.py

@@ -0,0 +1,25 @@
+"""Add user_judge_settings table for stored LLM API keys.
+
+Revision ID: 006
+Revises: 005
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = "006"
+down_revision = "005"
+
+
+def upgrade():
+    op.create_table(
+        "user_judge_settings",
+        sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), primary_key=True),
+        sa.Column("provider", sa.String(50), nullable=False),
+        sa.Column("model", sa.String(100), nullable=False),
+        sa.Column("encrypted_api_key", sa.Text(), nullable=False),
+        sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now()),
+    )
+
+
+def downgrade():
+    op.drop_table("user_judge_settings")

sessionfs-0.3.2/src/sessionfs/server/db/migrations/versions/007_admin_audit_log.py

@@ -0,0 +1,27 @@
+"""Add admin_actions table for audit logging.
+
+Revision ID: 007
+Revises: 006
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = "007"
+down_revision = "006"
+
+
+def upgrade():
+    op.create_table(
+        "admin_actions",
+        sa.Column("id", sa.String(36), primary_key=True),
+        sa.Column("admin_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
+        sa.Column("action", sa.String(50), nullable=False),
+        sa.Column("target_type", sa.String(20), nullable=False),
+        sa.Column("target_id", sa.String(64), nullable=False),
+        sa.Column("details", sa.Text(), nullable=True),
+        sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now()),
+    )
+
+
+def downgrade():
+    op.drop_table("admin_actions")