feat: unlock message, personal dashboard, fh watch, deployment diff tests, fh status sites

Unlock message — full stack
- sites.ts schema: unlockMessage field (already migrated via ALTER TABLE)
- access.ts: PATCH /sites/:id/visibility now accepts unlockMessage field
  Stored alongside passwordHash when saving visibility
- domainCache.ts: CachedSite interface gains unlockMessage: string | null
- hostRouter.ts: unlockMessage read from DB and cache, passed to renderPasswordGate()
  Cache reconstruction includes unlockMessage
- renderPasswordGate(): new optional message param injected as data-message attribute
- password-gate.html: JS reads data-message and shows it instead of default text
  Falls back to '{domain} is password protected.' if no custom message
- SiteSettings.tsx: new 'Custom message on password gate' input in visibility tab
  Inline Save button updates just the message without changing visibility/password

Personal dashboard section
- Dashboard.tsx: PersonalDashboard component appended below network stats
  Only rendered when isAuthenticated
  Fetches user's own sites (up to 5) with storageUsedMb and hitCount
  Each site card: name, domain, status badge, hits, storage, quick-action buttons
  Buttons: Deploy (→ /deploy/:id), Analytics, Builds, Settings
  Animated entry, links to /my-sites for full list

fh watch — live file watching with auto-deploy
- Watches a directory recursively for file changes
- Debounced (default 800ms, configurable --delay)
- Hash comparison prevents spurious deploys on unchanged files
- Uploads only changed files, deploys to staging environment
- Ctrl+C to stop
- Usage: fh watch ./dist --site 42

fh status — shows user's sites and deployment versions
- When authenticated (cfg.token set), fetches /sites?limit=5
- Shows each site: status dot, domain, storage
- Shows active deployment: version, environment badge (if staging/preview), file count, date

Deployment diff unit tests (tests/unit/deploymentDiff.test.ts)
- 8 tests covering: empty→empty, first deploy, identical, updated file, removed file,
  all change types together, null hash (legacy rows), net size calculation
- 8 tests for password gate unlock message injection including escaping, null/undefined

Author: The No Hands Company

artifacts/api-server/src/lib/domainCache.ts

@@ -18,11 +18,12 @@
  */
 
 export interface CachedSite {
-  siteId: number;
-  domain: string;
-  visibility: "public" | "private" | "password";
-  passwordHash: string | null;
-  cachedAt: number;
+  siteId:        number;
+  domain:        string;
+  visibility:    "public" | "private" | "password";
+  passwordHash:  string | null;
+  unlockMessage: string | null;
+  cachedAt:      number;
 }
 
 export interface CachedFile {

artifacts/api-server/src/middleware/hostRouter.ts

@@ -60,10 +60,10 @@ function verifyUnlockCookie(cookieValue: string | undefined, siteId: number): bo
   }
 }
 
-function renderPasswordGate(siteId: number, domain: string): string {
+function renderPasswordGate(siteId: number, domain: string, message?: string | null): string {
   return getPasswordGateHtml().replace(
     "<body>",
-    `<body data-site-id="${siteId}" data-domain="${domain.replace(/"/g, "&quot;")}">`
+    `<body data-site-id="${siteId}" data-domain="${domain.replace(/"/g, "&quot;")}"${message ? ` data-message="${message.replace(/"/g, "&quot;")}"` : ""}>`
   );
 }
 
@@ -192,7 +192,11 @@ export async function hostRouter(req: Request, res: Response, next: NextFunction
   const cached = getCachedSite(host);
   if (cached) {
     // Reconstruct minimal site object from cache
-    site = { id: cached.siteId, domain: cached.domain, visibility: cached.visibility, passwordHash: cached.passwordHash } as typeof sitesTable.$inferSelect;
+    site = {
+      id: cached.siteId, domain: cached.domain,
+      visibility: cached.visibility, passwordHash: cached.passwordHash,
+      unlockMessage: cached.unlockMessage,
+    } as typeof sitesTable.$inferSelect;
   } else {
     // Cache miss — query DB
     const [byPrimary] = await db.select().from(sitesTable).where(eq(sitesTable.domain, host));
@@ -216,6 +220,7 @@ export async function hostRouter(req: Request, res: Response, next: NextFunction
         domain: host,
         visibility: (site.visibility as "public" | "private" | "password") ?? "public",
         passwordHash: site.passwordHash ?? null,
+        unlockMessage: (site as any).unlockMessage ?? null,
       });
     }
   }
@@ -228,7 +233,7 @@ export async function hostRouter(req: Request, res: Response, next: NextFunction
   }
 
   if (site.visibility === "password" && !verifyUnlockCookie(req.cookies?.[`site_unlock_${site.id}`], site.id)) {
-    res.status(401).send(renderPasswordGate(site.id, host));
+    res.status(401).send(renderPasswordGate(site.id, host, (site as any).unlockMessage));
     return;
   }
 

artifacts/api-server/src/routes/access.ts

@@ -28,8 +28,9 @@ const AddMemberBody = z.object({
 });
 
 const UpdateVisibilityBody = z.object({
-  visibility: z.enum(["public", "private", "password"]),
-  password: z.string().min(6).max(128).optional(),
+  visibility:    z.enum(["public", "private", "password"]),
+  password:      z.string().min(6).max(128).optional(),
+  unlockMessage: z.string().max(200).optional(), // custom message shown on password gate
 });
 
 async function requireSiteOwner(req: Request, siteId: number) {
@@ -161,7 +162,7 @@ router.patch("/sites/:id/visibility", writeLimiter, asyncHandler(async (req: Req
 
   const [updated] = await db
     .update(sitesTable)
-    .set({ visibility, passwordHash })
+    .set({ visibility, passwordHash, unlockMessage: parsed.data.unlockMessage ?? null })
     .where(eq(sitesTable.id, siteId))
     .returning({ id: sitesTable.id, visibility: sitesTable.visibility });
 

artifacts/api-server/tests/unit/deploymentDiff.test.ts

@@ -0,0 +1,180 @@
+import { describe, it, expect } from "vitest";
+
+// ── Deployment diff logic ──────────────────────────────────────────────────────
+
+interface FileEntry {
+  filePath: string;
+  contentHash: string | null;
+  sizeBytes: number;
+}
+
+function computeDiff(targetFiles: FileEntry[], baseFiles: FileEntry[]) {
+  const targetMap = new Map(targetFiles.map(f => [f.filePath, f]));
+  const baseMap   = new Map(baseFiles.map(f => [f.filePath, f]));
+
+  const added:     FileEntry[] = [];
+  const changed:   FileEntry[] = [];
+  const unchanged: FileEntry[] = [];
+  const removed:   FileEntry[] = [];
+
+  for (const [path, file] of targetMap) {
+    const base = baseMap.get(path);
+    if (!base) {
+      added.push(file);
+    } else if (file.contentHash && base.contentHash && file.contentHash !== base.contentHash) {
+      changed.push(file);
+    } else {
+      unchanged.push(file);
+    }
+  }
+
+  for (const [path, file] of baseMap) {
+    if (!targetMap.has(path)) removed.push(file);
+  }
+
+  return { added, changed, removed, unchanged };
+}
+
+const f = (path: string, hash: string, size = 1024): FileEntry =>
+  ({ filePath: path, contentHash: hash, sizeBytes: size });
+
+describe("Deployment diff logic", () => {
+  it("empty → empty produces no changes", () => {
+    const d = computeDiff([], []);
+    expect(d.added).toHaveLength(0);
+    expect(d.removed).toHaveLength(0);
+    expect(d.changed).toHaveLength(0);
+    expect(d.unchanged).toHaveLength(0);
+  });
+
+  it("first deploy: all files are additions", () => {
+    const target = [f("index.html", "hash1"), f("style.css", "hash2")];
+    const d = computeDiff(target, []);
+    expect(d.added).toHaveLength(2);
+    expect(d.removed).toHaveLength(0);
+    expect(d.changed).toHaveLength(0);
+  });
+
+  it("identical deployments: all files are unchanged", () => {
+    const files = [f("index.html", "hash1"), f("app.js", "hash2")];
+    const d = computeDiff(files, files);
+    expect(d.unchanged).toHaveLength(2);
+    expect(d.added).toHaveLength(0);
+    expect(d.removed).toHaveLength(0);
+    expect(d.changed).toHaveLength(0);
+  });
+
+  it("updated file detected via hash change", () => {
+    const base   = [f("index.html", "old-hash"), f("app.js", "hash2")];
+    const target = [f("index.html", "new-hash"), f("app.js", "hash2")];
+    const d = computeDiff(target, base);
+    expect(d.changed).toHaveLength(1);
+    expect(d.changed[0]!.filePath).toBe("index.html");
+    expect(d.unchanged).toHaveLength(1);
+  });
+
+  it("removed file detected", () => {
+    const base   = [f("index.html", "hash1"), f("old-page.html", "hash2")];
+    const target = [f("index.html", "hash1")];
+    const d = computeDiff(target, base);
+    expect(d.removed).toHaveLength(1);
+    expect(d.removed[0]!.filePath).toBe("old-page.html");
+    expect(d.unchanged).toHaveLength(1);
+  });
+
+  it("all change types in one diff", () => {
+    const base = [
+      f("index.html",   "hash-a"),
+      f("old.html",     "hash-b"),
+      f("style.css",    "hash-c"),
+    ];
+    const target = [
+      f("index.html",   "hash-a"),  // unchanged
+      f("style.css",    "hash-c2"), // changed
+      f("new-page.html","hash-d"),  // added
+      // old.html is removed
+    ];
+    const d = computeDiff(target, base);
+    expect(d.unchanged).toHaveLength(1);
+    expect(d.unchanged[0]!.filePath).toBe("index.html");
+    expect(d.changed).toHaveLength(1);
+    expect(d.changed[0]!.filePath).toBe("style.css");
+    expect(d.added).toHaveLength(1);
+    expect(d.added[0]!.filePath).toBe("new-page.html");
+    expect(d.removed).toHaveLength(1);
+    expect(d.removed[0]!.filePath).toBe("old.html");
+  });
+
+  it("null contentHash treats file as unchanged (legacy rows without hash)", () => {
+    const base   = [f("index.html", "hash1"), { filePath: "legacy.html", contentHash: null, sizeBytes: 500 }];
+    const target = [f("index.html", "hash1"), { filePath: "legacy.html", contentHash: null, sizeBytes: 500 }];
+    const d = computeDiff(target, base);
+    expect(d.changed).toHaveLength(0);
+    expect(d.unchanged).toHaveLength(2);
+  });
+
+  it("summary net size bytes is correct", () => {
+    const base   = [f("old.html", "h1", 2000)];
+    const target = [f("new.html", "h2", 3000)];
+    const d = computeDiff(target, base);
+    const netSize = d.added.reduce((a, f) => a + f.sizeBytes, 0)
+                  - d.removed.reduce((a, f) => a + f.sizeBytes, 0);
+    expect(netSize).toBe(1000); // +3000 added, -2000 removed
+  });
+});
+
+// ── Unlock message injection ────────────────────────────────────────────────────
+
+function renderPasswordGate(html: string, siteId: number, domain: string, message?: string | null): string {
+  return html.replace(
+    "<body>",
+    `<body data-site-id="${siteId}" data-domain="${domain.replace(/"/g, "&quot;")}"${
+      message ? ` data-message="${message.replace(/"/g, "&quot;")}"` : ""
+    }>`
+  );
+}
+
+const GATE_HTML = '<html><body><p id="domain-label"></p></body></html>';
+
+describe("Password gate unlock message injection", () => {
+  it("injects data-site-id attribute", () => {
+    const html = renderPasswordGate(GATE_HTML, 42, "example.com");
+    expect(html).toContain('data-site-id="42"');
+  });
+
+  it("injects data-domain attribute", () => {
+    const html = renderPasswordGate(GATE_HTML, 1, "mysite.example.com");
+    expect(html).toContain('data-domain="mysite.example.com"');
+  });
+
+  it("injects data-message when provided", () => {
+    const html = renderPasswordGate(GATE_HTML, 1, "example.com", "Members only — please log in");
+    expect(html).toContain('data-message="Members only — please log in"');
+  });
+
+  it("does not add data-message when message is null", () => {
+    const html = renderPasswordGate(GATE_HTML, 1, "example.com", null);
+    expect(html).not.toContain("data-message");
+  });
+
+  it("does not add data-message when message is undefined", () => {
+    const html = renderPasswordGate(GATE_HTML, 1, "example.com");
+    expect(html).not.toContain("data-message");
+  });
+
+  it("escapes double quotes in domain", () => {
+    const html = renderPasswordGate(GATE_HTML, 1, 'site"with"quotes.com');
+    expect(html).toContain('data-domain="site&quot;with&quot;quotes.com"');
+    expect(html).not.toContain('data-domain="site"with"');
+  });
+
+  it("escapes double quotes in message", () => {
+    const html = renderPasswordGate(GATE_HTML, 1, "example.com", 'Say "hello" to enter');
+    expect(html).toContain('data-message="Say &quot;hello&quot; to enter"');
+  });
+
+  it("all attributes appear on body tag", () => {
+    const html = renderPasswordGate(GATE_HTML, 99, "test.com", "Custom message");
+    expect(html).toContain('<body data-site-id="99" data-domain="test.com" data-message="Custom message">');
+  });
+});

artifacts/cli/src/commands/status.ts

@@ -129,4 +129,32 @@ export const statusCommand = new Command("status")
       console.log(`  ${chalk.dim("Uptime:")}      ${capacity.uptimePercent.toFixed(1)}%`);
       console.log();
     }
+
+    // Show authenticated user's sites if logged in
+    if (cfg.token) {
+      try {
+        const sites = await apiFetch<{ data: Array<{ id: number; name: string; domain: string; status: string; storageUsedMb: number }> }>(
+          "/sites?limit=5"
+        );
+        if (sites.data?.length) {
+          console.log(chalk.bold("  Your Sites"));
+          for (const s of sites.data) {
+            const icon = s.status === "active" ? chalk.green("●") : chalk.dim("○");
+            console.log(`  ${icon} ${chalk.white(s.domain.padEnd(35))} ${chalk.dim(`${s.storageUsedMb.toFixed(1)} MB`)}`);
+
+            try {
+              const deps = await apiFetch<{ data: Array<{ version: number; environment: string; deployedAt: string; fileCount: number }> }>(
+                `/sites/${s.id}/deployments?limit=1`
+              );
+              const d = deps.data?.[0];
+              if (d) {
+                const envLabel = d.environment && d.environment !== "production" ? chalk.yellow(` [${d.environment}]`) : "";
+                console.log(`    ${chalk.dim(`v${d.version}${envLabel} · ${d.fileCount} files · ${new Date(d.deployedAt).toLocaleDateString()}`)}`);
+              }
+            } catch { /* skip */ }
+          }
+          console.log();
+        }
+      } catch { /* skip if not authenticated */ }
+    }
   });