add git diffs and permission support

CLAUDE.md

@@ -71,7 +71,13 @@ Claude Code/OpenCode CLI ↔ Spiceflow Server (Clojure) ↔ PWA Client (SvelteKi
 - **State**: Svelte stores in `src/lib/stores/` (sessions, runtime selection)
 - **API client**: `src/lib/api.ts` - HTTP and WebSocket clients
 - **Components**: `src/lib/components/` - UI components
+  - `MessageList.svelte` - Displays messages with collapsible long content
+  - `PermissionRequest.svelte` - Permission prompts with accept/deny/steer actions
+  - `FileDiff.svelte` - Expandable file diffs for Write/Edit operations
+  - `SessionSettings.svelte` - Session settings dropdown (auto-accept edits)
+  - `InputBar.svelte` - Message input with steer mode support
 - **PWA**: vite-plugin-pwa with Workbox service worker
+- **Responsive**: Landscape mobile mode collapses header to hamburger menu
 
 ### Key Protocols
 
@@ -98,6 +104,29 @@ Server configuration via `server/resources/config.edn` or environment variables:
 | `CLAUDE_SESSIONS_DIR` | ~/.claude/projects | Claude sessions directory |
 | `OPENCODE_CMD` | opencode | OpenCode command |
 
+## Features
+
+### Permission Handling
+When Claude Code requests permission for file operations (Write/Edit) or shell commands (Bash), Spiceflow intercepts these and presents them to the user:
+- **Accept**: Grant permission and continue
+- **Deny**: Reject the request
+- **Steer ("No, and...")**: Redirect Claude with alternative instructions
+
+File operations show expandable diffs displaying the exact changes being made.
+
+### Auto-Accept Edits
+Claude sessions can enable "Auto-accept edits" in session settings to automatically grant Write/Edit permissions, reducing interruptions during coding sessions.
+
+### Session Management
+- **Rename**: Click session title to rename
+- **Delete**: Remove sessions from the session list
+- **Condense**: Collapse long messages for easier scrolling
+
+### Mobile Optimization
+- Landscape mode collapses the header to a hamburger menu
+- Compact file diffs with minimal padding
+- Touch-friendly permission buttons
+
 ## Session Flow
 
 1. User opens PWA → sees list of tracked sessions
@@ -107,7 +136,22 @@ Server configuration via `server/resources/config.edn` or environment variables:
 5. Server pipes user message to stdin
 6. CLI streams response via stdout (JSONL format)
 7. Server broadcasts to client via WebSocket
-8. Process completes → response saved to database
+8. **If permission required** → WebSocket sends permission request → User accepts/denies/steers
+9. Process completes → response saved to database
+
+## API Endpoints
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/api/health` | GET | Health check |
+| `/api/sessions` | GET | List all sessions |
+| `/api/sessions` | POST | Create new session |
+| `/api/sessions/:id` | GET | Get session with messages |
+| `/api/sessions/:id` | PATCH | Update session (title, auto-accept-edits) |
+| `/api/sessions/:id` | DELETE | Delete session |
+| `/api/sessions/:id/send` | POST | Send message to session |
+| `/api/sessions/:id/permission` | POST | Respond to permission request |
+| `/ws` | WebSocket | Real-time message streaming |
 
 ## Tech Stack