refactor: optimize capnweb integration to eliminate wasteful operations and improve security

Client (share-next.ts):
- Reuse a single capnweb RPC session instance instead of creating a new one on
  every sync tick and every create() call; the session is lazily initialized and
  then cached for the lifetime of the process.
- Cache the base URL after the first config read so Config.get() is not awaited
  on every operation.
- Fix queue deduplication: the previous key logic evaluated `"id" in item` on the
  SyncData wrapper (which never has a top-level id), so every event generated a
  fresh ulid key and updates for the same message/part accumulated rather than
  collapsing.  Keys are now type-scoped
  ("session", "message:<id>", "part:<id>", etc.) so repeated updates within the
  debounce window correctly overwrite each other.
- Pipeline create + initial full-sync into a single RPC call: gatherFullSnapshot
  is started concurrently with session creation; both results are passed together
  to createShare so no extra round-trip is needed for the initial sync.
- Parallelize gatherFullSnapshot: Session.get, Session.diff, and
  MessageV2.stream are now fetched with Promise.all instead of sequentially.
- Combine message + model into one sync call in the MessageV2.Updated handler to
  avoid a second setTimeout enqueue for the same session.
- Use RPC for remove() via the new deleteShare method (consistent with the rest
  of the RPC transport path).
- Extract syncHttp helper to deduplicate the HTTP fallback path.

RPC contract (both packages):
- createShare now accepts optional initialData so the initial full snapshot can
  be sent in the same request as the share creation (one round trip instead of
  two).
- Add deleteShare(shareID, secret) so the RPC transport can handle deletions
  without falling back to the HTTP API.

Server (rpc.ts):
- Move StorageAdapter instantiation to the constructor so adapters are created
  once per request instead of on every method call.
- Extract applyData() helper so createShare and syncShare share the same
  data-merge logic rather than duplicating it.
- createShare applies initialData when provided and stores the correct index
  counts immediately, eliminating the need for a follow-up syncShare call.
- Implement deleteShare with the same secret-validation pattern as syncShare.

Storage (storage.ts):
- exists() now uses bucket.head() instead of bucket.get() so only object
  metadata is fetched; the previous implementation downloaded the full body just
  to check existence.

Security (index.tsx):
- /api/sessions was completely unauthenticated, exposing an enumeration of all
  shared sessions.  It now requires the same x-opencode-share-key header as the
  RPC endpoint (SESSIONS_RPC_SHARED_KEY).  If the key is not configured the
  endpoint returns 401 rather than defaulting to open access.

https://claude.ai/code/session_01S5woDoxCnN62WNGjRhqWJ3

Author: claude

packages/cloudsession/src/index.tsx

@@ -34,6 +34,16 @@ function isAuthorizedRpcRequest(c: { req: { header: (name: string) => string | u
   return received === configured
 }
 
+function isAuthorizedAdminRequest(c: { req: { header: (name: string) => string | undefined }; env: Env }) {
+  // The admin key reuses the same SESSIONS_RPC_SHARED_KEY env var.
+  // If it is not configured the endpoint is inaccessible to prevent
+  // unauthenticated enumeration of all sessions.
+  const configured = c.env.SESSIONS_RPC_SHARED_KEY
+  if (!configured) return false
+  const received = c.req.header("x-opencode-share-key")
+  return received === configured
+}
+
 /**
  * Main Hono application
  */
@@ -318,10 +328,13 @@ app.get("/api/share/:id/metadata", async (c) => {
 })
 
 /**
- * List all sessions (admin endpoint - could be protected)
+ * List all sessions (admin endpoint — requires SESSIONS_RPC_SHARED_KEY)
  * GET /api/sessions
  */
 app.get("/api/sessions", async (c) => {
+  if (!isAuthorizedAdminRequest(c)) {
+    return c.json({ error: "Unauthorized" }, 401)
+  }
   const { index } = getStorageAdapter(c)
   const list = await index.list({ prefix: "index/" })
 

packages/cloudsession/src/rpc-contract.ts

@@ -39,8 +39,9 @@ export type ProbeValueOutput = {
 export type ProbeCallback = (msg: string) => string | Promise<string>
 
 export interface ShareRpc extends RpcTarget {
-  createShare: (sessionID: string) => Promise<SyncInfo>
+  createShare: (sessionID: string, initialData?: SyncData[]) => Promise<SyncInfo>
   syncShare: (shareID: string, secret: string, data: SyncData[]) => Promise<{ success: boolean; syncCount: number }>
+  deleteShare: (shareID: string, secret: string) => Promise<{ success: boolean }>
   probeValue: (input: ProbeValueInput) => ProbeValueOutput
   probeCallback: (cb: ProbeCallback) => Promise<string>
 }

packages/cloudsession/src/rpc.ts

@@ -13,12 +13,16 @@ type Env = {
 }
 
 export class ShareRpcImpl extends RpcTarget {
+  private readonly sessions: StorageAdapter<AgentSession>
+  private readonly index: StorageAdapter<SessionIndex>
+
   constructor(private env: Env) {
     super()
+    this.sessions = createStorageAdapter<AgentSession>(env.SESSIONS_STORE)
+    this.index = createStorageAdapter<SessionIndex>(env.SESSIONS_STORE)
   }
 
-  async createShare(sessionID: string): Promise<SyncInfo> {
-    const { sessions, index } = this.storage()
+  async createShare(sessionID: string, initialData?: SyncData[]): Promise<SyncInfo> {
     const shareID = sessionID.slice(-8)
     const secret = uuidv5(sessionID, this.env.SESSIONS_SHARED_SECRET)
     const now = Date.now()
@@ -54,27 +58,35 @@ export class ShareRpcImpl extends RpcTarget {
       },
     }
 
+    // Apply any initial data provided (pipeline create+sync into one round trip)
+    if (initialData && initialData.length > 0) {
+      applyData(initial, initialData)
+      initial.metadata.syncCount = 1
+    }
+
     const initialIndex: SessionIndex = {
       id: shareID,
       sessionID,
-      title: "",
-      directory: "",
-      messageCount: 0,
-      partCount: 0,
-      diffCount: 0,
-      modelCount: 0,
+      title: initial.session.title,
+      directory: initial.session.directory,
+      messageCount: initial.messages.length,
+      partCount: initial.parts.length,
+      diffCount: initial.diffs.length,
+      modelCount: initial.models.length,
       lastUpdated: now,
-      syncCount: 0,
+      syncCount: initial.metadata.syncCount,
       createdAt: now,
     }
 
-    await Promise.all([sessions.put(`share/${shareID}`, initial), index.put(`index/${shareID}`, initialIndex)])
+    await Promise.all([
+      this.sessions.put(`share/${shareID}`, initial),
+      this.index.put(`index/${shareID}`, initialIndex),
+    ])
     return info
   }
 
   async syncShare(shareID: string, secret: string, data: SyncData[]) {
-    const { sessions, index } = this.storage()
-    const agentSession = await sessions.get(`share/${shareID}`)
+    const agentSession = await this.sessions.get(`share/${shareID}`)
     if (!agentSession) {
       throw new Error("Share not found")
     }
@@ -93,48 +105,7 @@ export class ShareRpcImpl extends RpcTarget {
       },
     }
 
-    for (const item of data) {
-      if (item.type === "session") {
-        next.session = item.data
-        continue
-      }
-
-      if (item.type === "message") {
-        const idx = next.messages.findIndex((message) => message.id === item.data.id)
-        if (idx === -1) {
-          next.messages.push(item.data)
-          continue
-        }
-        next.messages[idx] = item.data
-        continue
-      }
-
-      if (item.type === "part") {
-        const idx = next.parts.findIndex((part) => part.id === item.data.id)
-        if (idx === -1) {
-          next.parts.push(item.data)
-          continue
-        }
-        next.parts[idx] = item.data
-        continue
-      }
-
-      if (item.type === "session_diff") {
-        next.diffs = [...next.diffs, ...item.data]
-        continue
-      }
-
-      if (item.type === "model") {
-        for (const model of item.data) {
-          const idx = next.models.findIndex((entry) => entry.id === model.id)
-          if (idx === -1) {
-            next.models.push(model)
-            continue
-          }
-          next.models[idx] = model
-        }
-      }
-    }
+    applyData(next, data)
 
     const updatedIndex: SessionIndex = {
       id: shareID,
@@ -150,7 +121,7 @@ export class ShareRpcImpl extends RpcTarget {
       createdAt: next.metadata.createdAt,
     }
 
-    await Promise.all([sessions.put(`share/${shareID}`, next), index.put(`index/${shareID}`, updatedIndex)])
+    await Promise.all([this.sessions.put(`share/${shareID}`, next), this.index.put(`index/${shareID}`, updatedIndex)])
 
     const doID = this.env.SESSIONS_BROADCAST.idFromName(shareID)
     const stub = this.env.SESSIONS_BROADCAST.get(doID)
@@ -159,6 +130,21 @@ export class ShareRpcImpl extends RpcTarget {
     return { success: true, syncCount: next.metadata.syncCount }
   }
 
+  async deleteShare(shareID: string, secret: string): Promise<{ success: boolean }> {
+    const agentSession = await this.sessions.get(`share/${shareID}`)
+    if (!agentSession) {
+      throw new Error("Share not found")
+    }
+
+    if (agentSession.metadata.secret !== secret) {
+      throw new Error("Invalid secret")
+    }
+
+    await Promise.all([this.sessions.delete(`share/${shareID}`), this.index.delete(`index/${shareID}`)])
+
+    return { success: true }
+  }
+
   probeValue(input: ProbeValueInput): ProbeValueOutput {
     return {
       when: input.when.toISOString(),
@@ -171,11 +157,53 @@ export class ShareRpcImpl extends RpcTarget {
   async probeCallback(cb: ProbeCallback): Promise<string> {
     return await cb("server-called")
   }
+}
 
-  private storage(): { sessions: StorageAdapter<AgentSession>; index: StorageAdapter<SessionIndex> } {
-    return {
-      sessions: createStorageAdapter<AgentSession>(this.env.SESSIONS_STORE),
-      index: createStorageAdapter<SessionIndex>(this.env.SESSIONS_STORE),
+/**
+ * Apply a batch of sync data items to an AgentSession in place.
+ * Extracted so createShare and syncShare share the same merge logic.
+ */
+function applyData(session: AgentSession, data: SyncData[]): void {
+  for (const item of data) {
+    if (item.type === "session") {
+      session.session = item.data
+      continue
+    }
+
+    if (item.type === "message") {
+      const idx = session.messages.findIndex((m) => m.id === item.data.id)
+      if (idx === -1) {
+        session.messages.push(item.data)
+      } else {
+        session.messages[idx] = item.data
+      }
+      continue
+    }
+
+    if (item.type === "part") {
+      const idx = session.parts.findIndex((p) => p.id === item.data.id)
+      if (idx === -1) {
+        session.parts.push(item.data)
+      } else {
+        session.parts[idx] = item.data
+      }
+      continue
+    }
+
+    if (item.type === "session_diff") {
+      session.diffs = [...session.diffs, ...item.data]
+      continue
+    }
+
+    if (item.type === "model") {
+      for (const model of item.data) {
+        const idx = session.models.findIndex((m) => m.id === model.id)
+        if (idx === -1) {
+          session.models.push(model)
+        } else {
+          session.models[idx] = model
+        }
+      }
     }
   }
 }

packages/cloudsession/src/storage.ts

@@ -75,7 +75,8 @@ export class R2StorageAdapter<T> implements StorageAdapter<T> {
   }
 
   async exists(key: string): Promise<boolean> {
-    const obj = await this.bucket.get(key)
+    // head() fetches only object metadata — no body download
+    const obj = await this.bucket.head(key)
     return !!obj
   }
 

packages/opencode/src/share/rpc-contract.ts

@@ -39,8 +39,9 @@ export type ProbeValueOutput = {
 export type ProbeCallback = (msg: string) => string | Promise<string>
 
 export interface ShareRpc extends RpcTarget {
-  createShare: (sessionID: string) => Promise<SyncInfo>
+  createShare: (sessionID: string, initialData?: SyncData[]) => Promise<SyncInfo>
   syncShare: (shareID: string, secret: string, data: SyncData[]) => Promise<{ success: boolean; syncCount: number }>
+  deleteShare: (shareID: string, secret: string) => Promise<{ success: boolean }>
   probeValue: (input: ProbeValueInput) => ProbeValueOutput
   probeCallback: (cb: ProbeCallback) => Promise<string>
 }