feat: relay session token caching, opt-in .vynignore, relay session TTL

.serena/.gitignore

@@ -0,0 +1,2 @@
+/cache
+/project.local.yml

.serena/project.yml

@@ -0,0 +1,127 @@
+# the name by which the project can be referenced within Serena
+project_name: "vyn"
+
+
+# list of languages for which language servers are started; choose from:
+#   al                  ansible             bash                clojure             cpp
+#   cpp_ccls            crystal             csharp              csharp_omnisharp    dart
+#   elixir              elm                 erlang              fortran             fsharp
+#   go                  groovy              haskell             haxe                hlsl
+#   java                json                julia               kotlin              lean4
+#   lua                 luau                markdown            matlab              msl
+#   nix                 ocaml               pascal              perl                php
+#   php_phpactor        powershell          python              python_jedi         python_ty
+#   r                   rego                ruby                ruby_solargraph     rust
+#   scala               solidity            swift               systemverilog       terraform
+#   toml                typescript          typescript_vts      vue                 yaml
+#   zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
+languages:
+- rust
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
+encoding: "utf-8"
+
+# line ending convention to use when writing source files.
+# Possible values: unset (use global setting), "lf", "crlf", or "native" (platform default)
+# This does not affect Serena's own files (e.g. memories and configuration files), which always use native line endings.
+line_ending:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# whether to use project's .gitignore files to ignore files
+ignore_all_files_in_gitignore: true
+
+# advanced configuration option allowing to configure language server-specific options.
+# Maps the language key to the options.
+# Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available.
+# No documentation on options means no options are available.
+ls_specific_settings: {}
+
+# list of additional paths to ignore in this project.
+# Same syntax as gitignore, so you can use * and **.
+# Note: global ignored_paths from serena_config.yml are also applied additively.
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+# list of tool names to exclude.
+# This extends the existing exclusions (e.g. from the global configuration)
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+excluded_tools: []
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default).
+# This extends the existing inclusions (e.g. from the global configuration).
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+included_optional_tools: []
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+fixed_tools: []
+
+# list of mode names to that are always to be included in the set of active modes
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this setting overrides the global configuration.
+# Set this to [] to disable base modes for this project.
+# Set this to a list of mode names to always include the respective modes for this project.
+base_modes:
+
+# list of mode names that are to be activated by default, overriding the setting in the global configuration.
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# If the setting is undefined/empty, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# Therefore, you can set this to [] if you do not want the default modes defined in the global config to apply
+# for this project.
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+default_modes:
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: ""
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []
+
+# list of regex patterns for memories to completely ignore.
+# Matching memories will not appear in list_memories or activate_project output
+# and cannot be accessed via read_memory or write_memory.
+# To access ignored memory files, use the read_file tool on the raw file path.
+# Extends the list from the global configuration, merging the two lists.
+# Example: ["_archive/.*", "_episodes/.*"]
+ignored_memory_patterns: []
+
+# list of mode names to be activated additionally for this project, e.g. ["query-projects"]
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+added_modes:

.vynignore

@@ -1,18 +1,6 @@
-# vyn ignore rules example, processed by `ignore` crate
+# vyn opt-in model: everything is ignored unless explicitly included.
+# Add '!pattern' lines below to track additional files.
 
-## Ignore local artifacts and build outputs
-.vyn/
-.git/
-target/
+# Ignore everything by default
+*
 
-## Common local env files you may not want to sync
-.env.local
-.env.*.local
-
-## Temporary files
-*.tmp
-*.swp
-
- ## Dir
- crates/
- proto/

Cargo.toml

@@ -9,7 +9,7 @@ resolver = "2"
 [workspace.package]
 edition = "2024"
 license = "MIT"
-version = "0.1.3"
+version = "0.1.4"
 repository = "https://github.com/arnonsang/vyn"
 
 [workspace.dependencies]

crates/vyn-cli/Cargo.toml

@@ -29,5 +29,5 @@ secrecy.workspace = true
 tokio.workspace = true
 toml.workspace = true
 uuid.workspace = true
-vyn-core = { path = "../vyn-core", version = "0.1.3" }
-vyn-relay = { path = "../vyn-relay", version = "0.1.3" }
+vyn-core = { path = "../vyn-core", version = "0.1.4" }
+vyn-relay = { path = "../vyn-relay", version = "0.1.4" }

crates/vyn-cli/src/commands/history.rs

@@ -45,7 +45,7 @@ pub fn run() -> Result<()> {
         }
     }
 
-    entries.sort_by(|a, b| b.timestamp_unix.cmp(&a.timestamp_unix));
+    entries.sort_by_key(|e| std::cmp::Reverse(e.timestamp_unix));
 
     if entries.is_empty() {
         output::print_warning("no history found");

crates/vyn-cli/src/commands/init.rs

@@ -231,13 +231,6 @@ fn write_vynignore_interactive(root: &Path, vynignore_path: &Path) -> Result<()>
         }
     }
 
-    // Artifact patterns are always excluded, no prompt needed.
-    let artifact_patterns: Vec<&str> = patterns
-        .iter()
-        .copied()
-        .filter(|p| is_artifact(p))
-        .collect();
-
     println!();
     println!(
         "  {} Scanning git-ignored files…",
@@ -308,19 +301,13 @@ fn write_vynignore_interactive(root: &Path, vynignore_path: &Path) -> Result<()>
     if secret_candidates.is_empty() && other_candidates.is_empty() {
         println!("  No git-ignored files detected on disk. Excluding all gitignore patterns.");
         println!();
-        let content = build_vynignore_content(&patterns, &[]);
+        let content = build_vynignore_content(&[]);
         fs::write(vynignore_path, content).context("failed to write .vynignore")?;
         return Ok(());
     }
 
-    // Patterns to exclude = all gitignore patterns minus what the user wants to track.
-    let excluded_patterns: Vec<&str> = patterns
-        .iter()
-        .copied()
-        .filter(|p| !tracked_patterns.iter().any(|t| t == p))
-        .collect();
-
-    let content = build_vynignore_content(&excluded_patterns, &artifact_patterns);
+    let tracked_refs: Vec<&str> = tracked_patterns.iter().map(|s| s.as_str()).collect();
+    let content = build_vynignore_content(&tracked_refs);
     fs::write(vynignore_path, &content).context("failed to write .vynignore")?;
 
     println!();
@@ -346,25 +333,22 @@ fn write_vynignore_interactive(root: &Path, vynignore_path: &Path) -> Result<()>
     Ok(())
 }
 
-/// Build the `.vynignore` file content from the list of patterns to exclude.
-/// Always prepends the mandatory hardcoded exclusions.
-fn build_vynignore_content(excluded: &[&str], _artifact_patterns: &[&str]) -> String {
+fn build_vynignore_content(tracked: &[&str]) -> String {
     let mut lines = vec![
         "# Generated by vyn init".to_string(),
-        "# Patterns listed here are excluded from vyn tracking.".to_string(),
-        "# Remove a pattern to start tracking those files.".to_string(),
+        "# vyn uses an opt-in model: everything is ignored unless explicitly included.".to_string(),
+        "# Add '!pattern' lines below to track additional files.".to_string(),
         String::new(),
-        "# vyn internals".to_string(),
-        ".vyn/".to_string(),
-        ".git/".to_string(),
-        String::new(),
-        "# Excluded patterns (from .gitignore)".to_string(),
+        "# Ignore everything by default".to_string(),
+        "*".to_string(),
     ];
-
-    for p in excluded {
-        lines.push(p.to_string());
+    if !tracked.is_empty() {
+        lines.push(String::new());
+        lines.push("# Tracked patterns (selected during vyn init)".to_string());
+        for p in tracked {
+            lines.push(format!("!{p}"));
+        }
     }
-
     lines.push(String::new());
     lines.join("\n")
 }

crates/vyn-cli/src/commands/link.rs

@@ -37,10 +37,9 @@ pub fn run(vault_id: String) -> Result<()> {
     let runtime = tokio::runtime::Runtime::new().context("failed to create tokio runtime")?;
     runtime.block_on(async {
         let provider = RelayStorageProvider::new(relay_url);
-        provider
-            .authenticate_with_identity(&vault_dir)
-            .await
-            .context("relay authentication failed (run `vyn auth` first)")?;
+        let spinner = output::new_spinner("authenticating with relay...");
+        provider.authenticate_with_identity(&vault_dir).await?;
+        output::finish_progress(&spinner, "authenticated");
 
         let spinner = output::new_spinner("fetching invite from relay…");
         let invites = provider
@@ -138,5 +137,5 @@ fn load_relay_url(root: &Path) -> Result<String> {
         .with_context(|| format!("missing or unreadable file: {}", config_path.display()))?;
     let cfg: VaultConfig = toml::from_str(&text).context("invalid .vyn/config.toml format")?;
     cfg.relay_url
-        .context("missing `relay_url` in .vyn/config.toml — run `vyn config` to set it")
+        .context("missing `relay_url` in .vyn/config.toml - run `vyn config` to set it")
 }

crates/vyn-cli/src/commands/pull.rs

@@ -173,10 +173,24 @@ async fn provider_for_config(config: &VaultConfig, vault_dir: &Path) -> Result<P
                 .clone()
                 .context("missing `relay_url` for storage_provider = \"relay\"")?;
             let provider = RelayStorageProvider::new(relay_url);
-            provider
-                .authenticate_with_identity(vault_dir)
-                .await
-                .context("relay authentication failed (run `vyn auth` first)")?;
+            let spinner = crate::output::new_spinner("authenticating with relay...");
+            if let Err(e) = provider.authenticate_with_identity(vault_dir).await {
+                let msg = e.to_string();
+                if msg.contains("invalid or expired token") || msg.contains("session expired") {
+                    RelayStorageProvider::clear_cached_token(vault_dir);
+                    crate::output::fail_progress(
+                        &spinner,
+                        "relay session expired - run `vyn auth` to re-authenticate",
+                    );
+                    return Err(anyhow::anyhow!(
+                        "relay session expired - run `vyn auth` to re-authenticate"
+                    ));
+                }
+                crate::output::fail_progress(&spinner, "relay authentication failed");
+                return Err(anyhow::anyhow!(e)
+                    .context("relay authentication failed (run `vyn auth` first)"));
+            }
+            crate::output::finish_progress(&spinner, "authenticated");
             Ok(Provider::Relay(provider))
         }
         "unconfigured" => anyhow::bail!(

crates/vyn-cli/src/commands/push.rs

@@ -155,10 +155,24 @@ async fn provider_for_config(config: &VaultConfig, vault_dir: &Path) -> Result<P
                 .clone()
                 .context("missing `relay_url` for storage_provider = \"relay\"")?;
             let provider = RelayStorageProvider::new(relay_url);
-            provider
-                .authenticate_with_identity(vault_dir)
-                .await
-                .context("relay authentication failed (run `vyn auth` first)")?;
+            let spinner = crate::output::new_spinner("authenticating with relay...");
+            if let Err(e) = provider.authenticate_with_identity(vault_dir).await {
+                let msg = e.to_string();
+                if msg.contains("invalid or expired token") || msg.contains("session expired") {
+                    RelayStorageProvider::clear_cached_token(vault_dir);
+                    crate::output::fail_progress(
+                        &spinner,
+                        "relay session expired - run `vyn auth` to re-authenticate",
+                    );
+                    return Err(anyhow::anyhow!(
+                        "relay session expired - run `vyn auth` to re-authenticate"
+                    ));
+                }
+                crate::output::fail_progress(&spinner, "relay authentication failed");
+                return Err(anyhow::anyhow!(e)
+                    .context("relay authentication failed (run `vyn auth` first)"));
+            }
+            crate::output::finish_progress(&spinner, "authenticated");
             Ok(Provider::Relay(provider))
         }
         "unconfigured" => anyhow::bail!(

crates/vyn-cli/src/commands/rotate.rs

@@ -222,10 +222,24 @@ async fn provider_for_config(config: &VaultConfig, vault_dir: &Path) -> Result<P
                 .clone()
                 .context("missing `relay_url` for storage_provider = \"relay\"")?;
             let provider = RelayStorageProvider::new(relay_url);
-            provider
-                .authenticate_with_identity(vault_dir)
-                .await
-                .context("relay authentication failed (run `vyn auth` first)")?;
+            let spinner = crate::output::new_spinner("authenticating with relay...");
+            if let Err(e) = provider.authenticate_with_identity(vault_dir).await {
+                let msg = e.to_string();
+                if msg.contains("invalid or expired token") || msg.contains("session expired") {
+                    RelayStorageProvider::clear_cached_token(vault_dir);
+                    crate::output::fail_progress(
+                        &spinner,
+                        "relay session expired - run `vyn auth` to re-authenticate",
+                    );
+                    return Err(anyhow::anyhow!(
+                        "relay session expired - run `vyn auth` to re-authenticate"
+                    ));
+                }
+                crate::output::fail_progress(&spinner, "relay authentication failed");
+                return Err(anyhow::anyhow!(e)
+                    .context("relay authentication failed (run `vyn auth` first)"));
+            }
+            crate::output::finish_progress(&spinner, "authenticated");
             Ok(Provider::Relay(provider))
         }
         "unconfigured" => anyhow::bail!(