kward 0.76.0 → 0.77.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (77) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/ci.yml +8 -1
  3. data/CHANGELOG.md +36 -0
  4. data/Gemfile.lock +2 -2
  5. data/README.md +12 -4
  6. data/doc/agent-tools.md +0 -3
  7. data/doc/api.md +4 -0
  8. data/doc/composer.md +219 -0
  9. data/doc/configuration.md +75 -27
  10. data/doc/editor.md +18 -2
  11. data/doc/files.md +1 -1
  12. data/doc/getting-started.md +4 -0
  13. data/doc/git.md +2 -2
  14. data/doc/lifecycle-hooks.md +2 -14
  15. data/doc/pan.md +167 -0
  16. data/doc/rpc.md +0 -22
  17. data/doc/security.md +180 -0
  18. data/doc/usage.md +15 -32
  19. data/lib/kward/ansi.rb +2 -2
  20. data/lib/kward/cancellation.rb +2 -2
  21. data/lib/kward/cli/commands.rb +1 -3
  22. data/lib/kward/cli/interactive_turn.rb +0 -17
  23. data/lib/kward/cli/plugins.rb +2 -7
  24. data/lib/kward/cli/prompt_interface.rb +1 -0
  25. data/lib/kward/cli/runtime_helpers.rb +0 -38
  26. data/lib/kward/cli/sessions.rb +14 -5
  27. data/lib/kward/cli/settings.rb +22 -0
  28. data/lib/kward/cli/slash_commands.rb +1 -561
  29. data/lib/kward/cli/tabs.rb +14 -2
  30. data/lib/kward/cli.rb +1 -17
  31. data/lib/kward/compactor.rb +3 -3
  32. data/lib/kward/config_files.rb +18 -0
  33. data/lib/kward/ekwsh.rb +0 -4
  34. data/lib/kward/hooks/catalog.rb +0 -5
  35. data/lib/kward/image_attachments.rb +1 -1
  36. data/lib/kward/pan/index.html.erb +459 -64
  37. data/lib/kward/pan/kward_logo.png +0 -0
  38. data/lib/kward/pan/server.rb +248 -23
  39. data/lib/kward/plugin_registry.rb +18 -0
  40. data/lib/kward/prompt_interface/editor/auto_indent.rb +31 -23
  41. data/lib/kward/prompt_interface/editor/modes/vibe.rb +72 -3
  42. data/lib/kward/prompt_interface/layout.rb +0 -4
  43. data/lib/kward/prompt_interface/project_browser.rb +40 -1
  44. data/lib/kward/prompt_interface/runtime_state.rb +4 -0
  45. data/lib/kward/prompt_interface/selection_prompt.rb +0 -1
  46. data/lib/kward/prompt_interface/transcript_renderer.rb +0 -12
  47. data/lib/kward/prompt_interface.rb +18 -1
  48. data/lib/kward/prompts/commands.rb +1 -3
  49. data/lib/kward/prompts.rb +20 -0
  50. data/lib/kward/rpc/server.rb +13 -41
  51. data/lib/kward/rpc/session_manager.rb +75 -25
  52. data/lib/kward/rpc/tool_event_normalizer.rb +2 -0
  53. data/lib/kward/rpc/tool_metadata.rb +23 -0
  54. data/lib/kward/rpc/transcript_normalizer.rb +4 -0
  55. data/lib/kward/session_store.rb +55 -16
  56. data/lib/kward/skills/registry.rb +21 -1
  57. data/lib/kward/tools/base.rb +14 -0
  58. data/lib/kward/tools/registry.rb +11 -16
  59. data/lib/kward/tools/search/code.rb +1 -1
  60. data/lib/kward/tools/search/web.rb +1 -1
  61. data/lib/kward/tools/tool_call.rb +0 -4
  62. data/lib/kward/transcript_export.rb +1 -1
  63. data/lib/kward/version.rb +1 -1
  64. data/templates/default/kward_navigation.rb +5 -1
  65. data/templates/default/layout/html/layout.erb +0 -2
  66. metadata +5 -12
  67. data/lib/kward/workers/git_guard.rb +0 -93
  68. data/lib/kward/workers/job.rb +0 -99
  69. data/lib/kward/workers/live_view.rb +0 -49
  70. data/lib/kward/workers/manager.rb +0 -328
  71. data/lib/kward/workers/queue_runner.rb +0 -166
  72. data/lib/kward/workers/queue_store.rb +0 -112
  73. data/lib/kward/workers/store.rb +0 -72
  74. data/lib/kward/workers/tool_policy.rb +0 -23
  75. data/lib/kward/workers/worker.rb +0 -82
  76. data/lib/kward/workers/write_lock.rb +0 -38
  77. data/lib/kward/workers.rb +0 -10
@@ -34,6 +34,8 @@ kward doctor
34
34
 
35
35
  This checks your config, auth, writable directories, and workspace. Run `kward help` to see all available commands and examples.
36
36
 
37
+ Interactive startup also performs a cached RubyGems version check by default. It does not contact RubyGems on every start; disable it with `KWARD_DISABLE_UPDATE_CHECK=1` or the `updates.check` configuration setting. See [Configuration](configuration.md#Update_checks).
38
+
37
39
  If you are working from a checkout instead:
38
40
 
39
41
  ```bash
@@ -128,5 +130,7 @@ Inside interactive Kward:
128
130
  ## Next steps
129
131
 
130
132
  - Read [Usage](usage.md) for day-to-day workflows.
133
+ - Read [Interactive composer](composer.md) for completion, history, file mentions, keyboard shortcuts, busy input, and images.
131
134
  - Read [Configuration](configuration.md) when you want to change providers, models, memory, or web search.
135
+ - Read [Security and trust](security.md) before using Kward with sensitive data, untrusted repositories, or third-party extensions.
132
136
  - Read [Extensibility](extensibility.md) when you want reusable prompts, skills, or project rules.
data/doc/git.md CHANGED
@@ -44,7 +44,7 @@ Use `Shift+Enter` to insert a newline if you need a multi-line commit message.
44
44
 
45
45
  Highlight a file in the `/git` overlay and press `Enter`.
46
46
 
47
- Kward opens a read-only diff viewer in the composer area. It shows classic Git diff output with added and removed lines colorized when terminal color is enabled.
47
+ Kward opens a read-only diff viewer in the composer area. Added and removed lines are colorized when terminal color is enabled. The viewer supports unified and side-by-side layouts; its default `auto` mode uses side-by-side output at 120 columns or wider and unified output in narrower terminals. Choose a fixed layout with `/settings` → Interface → Diff view. See [Configuration](configuration.md#Editor_settings) for the JSON setting.
48
48
 
49
49
  Useful keys in the diff viewer:
50
50
 
@@ -61,7 +61,7 @@ Useful keys in the diff viewer:
61
61
 
62
62
  After you close the viewer, Kward returns to the Git overlay with the file list refreshed.
63
63
 
64
- The diff viewer is read-only. It is meant for checking what changed, not editing. If you spot something you want to fix, close the viewer, return to chat, and ask Kward to make the change or open the file with the built-in editor using `$path/to/file` (see [Configuration](configuration.md) for editor modes and settings).
64
+ The diff viewer is read-only. It is meant for checking what changed, not editing. If you spot something you want to fix, close the viewer, return to chat, and ask Kward to make the change or open the file with the built-in editor using `$path/to/file`. See [Integrated Editor](editor.md) for editor workflows and keybindings.
65
65
 
66
66
  ## Example workflow
67
67
 
@@ -302,18 +302,6 @@ MCP events are emitted in addition to generic `tool_call_*` events for tools pro
302
302
  | `shell_command_before` | `command`, `timeout_seconds`, `cwd` | `command`, `timeout_seconds` |
303
303
  | `shell_command_after` | shell metadata plus `content` | none |
304
304
 
305
- ### Worker events
306
-
307
- | Event | Payload highlights | Supported modifications |
308
- | --- | --- | --- |
309
- | `worker_job_create` | `worker_id`, `role`, `title`, `status`, `session_path` | none |
310
- | `worker_job_start_before` | worker metadata | none |
311
- | `worker_job_start_after` | worker metadata | none |
312
- | `worker_job_ready_for_review` | worker metadata | none |
313
- | `worker_job_failed` | worker metadata plus `error` | none |
314
-
315
- Worker hooks are observe-and-warn hooks for background worker automation and audit trails. They do not control worker scheduling.
316
-
317
305
  ### Git events
318
306
 
319
307
  | Event | Payload highlights | Supported modifications |
@@ -337,9 +325,9 @@ Worker hooks are observe-and-warn hooks for background worker automation and aud
337
325
 
338
326
  `file_change_before` fires before `write_file` or `edit_file` mutates the workspace and can deny or ask for approval. `file_change_after` fires only after successful `write_file` or `edit_file` results.
339
327
 
340
- ### MCP events
328
+ ### Matching MCP tools
341
329
 
342
- MCP tools are surfaced through generic tool events with:
330
+ In addition to the dedicated MCP events above, MCP tools are surfaced through generic tool events with:
343
331
 
344
332
  - `source: "mcp"`
345
333
  - `server_name`
data/doc/pan.md ADDED
@@ -0,0 +1,167 @@
1
+ # Pan mode
2
+
3
+ Pan mode is Kward's browser interface for a workspace. It gives you a mobile-friendly transcript, prompt composer, live tool activity, and access to recent sessions while Kward continues running on your development machine.
4
+
5
+ Use it when you want to work from another browser or device on a trusted network without running the full terminal UI there.
6
+
7
+ ## Before you start
8
+
9
+ Pan is a small local HTTP server, not a hosted service. The machine running Kward performs model requests, reads and edits workspace files, runs tools, and stores sessions.
10
+
11
+ Pan requires HTTP Basic Auth. Add credentials to `~/.kward/config.json`:
12
+
13
+ ```json
14
+ {
15
+ "pan_mode": {
16
+ "host": "0.0.0.0",
17
+ "port": 8765,
18
+ "username": "kward",
19
+ "password": "choose-a-long-private-password"
20
+ }
21
+ }
22
+ ```
23
+
24
+ The defaults are:
25
+
26
+ - `host`: `0.0.0.0`, which listens on all network interfaces.
27
+ - `port`: `8765`.
28
+
29
+ Kward refuses to start Pan unless both `username` and `password` are configured. The password is stored as plaintext in your config file, so do not reuse an important password or share the file.
30
+
31
+ For access from the same machine only, bind to loopback instead:
32
+
33
+ ```json
34
+ {
35
+ "pan_mode": {
36
+ "host": "127.0.0.1",
37
+ "port": 8765,
38
+ "username": "kward",
39
+ "password": "choose-a-long-private-password"
40
+ }
41
+ }
42
+ ```
43
+
44
+ ## Start Pan
45
+
46
+ Run Pan from the project it should control:
47
+
48
+ ```bash
49
+ cd ~/code/my-project
50
+ kward pan
51
+ ```
52
+
53
+ Or select the workspace explicitly:
54
+
55
+ ```bash
56
+ kward --working-directory ~/code/my-project pan
57
+ ```
58
+
59
+ Kward prints the listening URL, workspace, and initial session path. With the default LAN binding, it detects and prints the machine's routed LAN address when available. Open port `8765` at that address, for example:
60
+
61
+ ```text
62
+ http://192.168.1.25:8765/
63
+ ```
64
+
65
+ Your browser asks for the configured Basic Auth username and password.
66
+
67
+ Press `Ctrl+C` in the server terminal to stop Pan. Closing a browser tab does not stop the server or an active turn.
68
+
69
+ ## A normal workflow
70
+
71
+ 1. Start Pan in the workspace you want to use.
72
+ 2. Open the printed address in a browser and sign in.
73
+ 3. Enter a concrete request in the composer:
74
+
75
+ ```text
76
+ Review the current changes, inspect the affected files, and run the focused tests.
77
+ ```
78
+
79
+ 4. Watch reasoning, tool calls, tool output, retries, and the answer stream into the transcript.
80
+ 5. Continue in the same session, or use the session sidebar to switch work.
81
+
82
+ Press Return to send. Use Shift+Return for a new line. The composer grows with multiline input up to its display limit.
83
+
84
+ Prompts are accepted while another turn is running. Pan puts them into a single queue and executes them sequentially. The status below the composer shows whether Kward is working and how many prompts remain queued.
85
+
86
+ ## Work with sessions
87
+
88
+ Pan saves conversations through the same workspace-scoped session store as the interactive CLI. The session sidebar shows up to 50 recent sessions with their title, modified time, and message count.
89
+
90
+ From the sidebar you can:
91
+
92
+ - select a session to resume it,
93
+ - create a new session,
94
+ - rename the active session,
95
+ - delete the active session.
96
+
97
+ On smaller screens, use the menu button to open the session drawer. Selecting a session closes the drawer and loads its transcript.
98
+
99
+ A few details matter:
100
+
101
+ - Pan starts with a new session when the server launches.
102
+ - Creating or resuming a session rebuilds the active conversation and agent around it.
103
+ - You cannot create, resume, rename, or delete sessions while a turn is active or prompts are queued. Wait for the queue to finish.
104
+ - Deleting the active session creates and activates a replacement session first.
105
+ - Pan asks for confirmation before deletion. The interface does not provide an undo action.
106
+ - Sessions remain available to the terminal CLI through `/session` because both frontends use the same session files.
107
+
108
+ See [Sessions](session-management.md) for storage, exports, forks, compaction, and other session operations that remain CLI-oriented.
109
+
110
+ ## Tools and live output
111
+
112
+ Pan creates the normal Kward agent tool registry for the selected workspace. Depending on configuration, the model can use file, shell, web, code-search, skill, and MCP tools just as it can in a normal agent turn.
113
+
114
+ The transcript displays:
115
+
116
+ - user prompts,
117
+ - streamed reasoning and assistant text,
118
+ - tool names and arguments,
119
+ - tool results,
120
+ - retries and errors,
121
+ - restored compaction summaries and prior session content.
122
+
123
+ Assistant and reasoning entries use a built-in, dependency-free Markdown renderer. It supports headings, paragraphs, fenced code blocks, blockquotes, ordered and unordered lists (including task lists), inline code, emphasis, strikethrough, and HTTP(S) or `mailto:` links. Message content remains text-based; unsupported Markdown stays readable as plain text.
124
+
125
+ Structured clarification questions are disabled in Pan because it does not have the interactive question picker. Ask the model to state uncertainties in the transcript when a task needs your decision.
126
+
127
+ Pan does not reproduce terminal-only interfaces such as `/git`, `/files`, `/shell`, the integrated editor, settings pickers, tabs, or clipboard commands. Use natural-language requests for agent work and return to the CLI for those local UI workflows.
128
+
129
+ ## Hooks and plugins
130
+
131
+ Pan runs configured command hooks and trusted plugin lifecycle hooks. Hook events and messages can appear in the browser's live event stream.
132
+
133
+ Pan does not provide a dedicated approval interface for hook `ask` decisions. An approval request without a bridge fails closed, so use deterministic `deny` or non-blocking `warn` policies for Pan-facing hooks.
134
+
135
+ Other plugin UI features, such as custom terminal commands, footers, or interactive canvas commands, are designed for the CLI or RPC clients and do not become controls in the Pan page.
136
+
137
+ See [Lifecycle hooks](lifecycle-hooks.md#Frontend_support) and [Plugins](plugins.md) for the supported extension surfaces.
138
+
139
+ ## Network and security
140
+
141
+ Pan exposes powerful agent tools through ordinary HTTP. Basic Auth protects every page and endpoint, but Pan does not provide TLS.
142
+
143
+ Use these precautions:
144
+
145
+ - Run it only on a network and machine you trust.
146
+ - Prefer `127.0.0.1` when remote access is unnecessary.
147
+ - Do not expose the port directly to the public internet.
148
+ - Do not put Pan behind a public tunnel unless you provide a properly secured TLS/authentication boundary and understand the risk.
149
+ - Use a unique password and protect `config.json`.
150
+ - Remember that anyone with the credentials can submit prompts that cause file reads, edits, shell commands, web requests, or MCP calls with your account's permissions.
151
+ - Stop the server when you are finished.
152
+
153
+ Multiple authenticated browser tabs connect to the same Pan process, active session, prompt queue, and workspace. They are not isolated users. A session change or prompt submitted in one connected browser is visible to the others.
154
+
155
+ Read [Security and trust](security.md) before using Pan with sensitive data or an unfamiliar repository.
156
+
157
+ ## Notes and limitations
158
+
159
+ - Pan serves one configured workspace per process.
160
+ - Turns run one at a time; queued prompts cannot be reordered or cancelled from the page.
161
+ - Session changes are blocked until all active and queued work finishes.
162
+ - There is no model or reasoning picker in the page; Pan uses the configured client defaults when it creates a conversation.
163
+ - There is no dedicated tool-approval UI or structured-question UI.
164
+ - The browser reconnects its event stream after a connection interruption, but events emitted while disconnected are not replayed through that stream. Reloading restores the persisted transcript.
165
+ - Request bodies are limited to 64 KB.
166
+ - Pan displays image entries from restored transcripts as text placeholders rather than rendering attached image data.
167
+ - The server is intentionally small and does not replace the richer CLI or the integration-oriented [RPC protocol](rpc.md).
data/doc/rpc.md CHANGED
@@ -67,7 +67,6 @@ Detailed capability fields include:
67
67
  - `composer`: composer-only UI features. Interactive session diff totals are explicitly unsupported over RPC (`composer.sessionDiff.supported: false`) because RPC clients already receive per-tool diff results and no live composer status payload is exposed. Clipboard copy is also unsupported over RPC (`composer.copy.supported: false`) because UI clients own clipboard access.
68
68
  - `security`: trusted-local behavior with optional per-turn tool approval. By default there is no workspace mutation guard or tool approval and shell/file mutation can run. File-tool workspace guardrails are reported under `capabilities.events.tools.workspaceGuardrails` and `runtime/state.workspaceGuardrailsEnabled`.
69
69
  - `export`: supported transcript export formats. Currently `markdown` and `html`; default is `markdown`.
70
- - `workers`: experimental agent worker pipeline. Reports `supported: false` by default; set to `supported: true` with `methods: ["workers/list", "workers/show"]` when Kward is launched with `--experimental-workers`.
71
70
  - `starterPack`: explicitly unsupported (`supported: false`, reason `cliOnlyInstallCommand`). Use `kward init` from the shell.
72
71
  - `shell`: explicitly unsupported (`supported: false`, reason `interactiveTuiOnly`) because `/shell` is the local embedded TUI shell.
73
72
  - `logging`: local redacted telemetry logging support, the log directory, enabled categories, `methods: ["logging/stats", "logging/tokenCsv"]`, `usageCsv` sub-capability with bucket support, JSONL format, rotation (10 MB, manual retention), config key `logging`, env prefix `KWARD_LOGGING`, and redacted-metadata-only content.
@@ -784,27 +783,6 @@ Completes the login using the submitted code.
784
783
 
785
784
  Returns login status for a login ID.
786
785
 
787
- ## Worker methods (experimental)
788
-
789
- Worker methods are available only when Kward is launched with `--experimental-workers`. The `workers` capability reports `supported: false` by default and `supported: true` with `methods: ["workers/list", "workers/show"]` when the flag is active.
790
-
791
- ### `workers/list`
792
-
793
- Params:
794
-
795
- - `sessionId`: active RPC session ID.
796
-
797
- Returns the list of agent workers for the session.
798
-
799
- ### `workers/show`
800
-
801
- Params:
802
-
803
- - `sessionId`: active RPC session ID.
804
- - `workerId`: worker ID.
805
-
806
- Returns details for a specific worker.
807
-
808
786
  ## Security and privacy notes
809
787
 
810
788
  - RPC is intended for a trusted local UI and can read/write files, run shell commands, update secrets, and use OAuth.
data/doc/security.md ADDED
@@ -0,0 +1,180 @@
1
+ # Security and trust
2
+
3
+ Kward can read code, edit files, run commands, call model and search providers, and load local extensions. That makes it useful, but it also means you should treat it like a developer tool running with your account—not like a sandbox.
4
+
5
+ This guide explains the trust boundaries and gives you a safe way to start work in an unfamiliar repository.
6
+
7
+ ## The short version
8
+
9
+ - Kward and anything it launches run with your operating-system permissions.
10
+ - File tools stay inside the active workspace by default, but shell commands are not sandboxed.
11
+ - Existing files must be read before Kward's file tools can edit or overwrite them.
12
+ - Plugins, MCP servers, command hooks, and HTTP hooks should be configured only from sources and endpoints you trust.
13
+ - Project skills and workspace hooks are disabled until you opt in or trust them.
14
+ - Prompts, selected file contents, tool results, and conversation history may be sent to the active model provider as needed to answer a request.
15
+ - Web searches, fetched URLs, MCP calls, and HTTP hooks can send additional data to their respective services.
16
+
17
+ If a task involves secrets, production credentials, customer data, or an untrusted repository, narrow the workspace and tools before asking Kward to act.
18
+
19
+ ## A safe first run in an unfamiliar repository
20
+
21
+ Start with project-provided extensions disabled, which is the default:
22
+
23
+ ```bash
24
+ cd ~/code/unfamiliar-project
25
+ kward doctor
26
+ kward
27
+ ```
28
+
29
+ Then use a read-first workflow:
30
+
31
+ ```text
32
+ Inspect the project structure and its AGENTS.md. Do not edit files or run project scripts yet. Tell me what instructions, hooks, skills, plugins, generated files, and risky setup commands I should review first.
33
+ ```
34
+
35
+ Before enabling or running anything:
36
+
37
+ 1. Read the workspace `AGENTS.md` and any referenced instructions.
38
+ 2. Inspect `.kward/hooks.json`, `.kward/skills/`, and `.agents/skills/` yourself.
39
+ 3. Review setup scripts, package hooks, build files, and shell commands before allowing them to run.
40
+ 4. Keep project skills disabled unless you trust their instructions.
41
+ 5. Trust workspace hooks only after reviewing the full file with `kward hooks doctor` and `kward hooks trust`.
42
+ 6. Do not add repository-provided Ruby files to `~/.kward/plugins` unless you are willing to run them as your user.
43
+ 7. Ask Kward to explain proposed edits and commands before applying them when the impact is unclear.
44
+
45
+ For especially sensitive work, use a disposable checkout, container, virtual machine, or restricted operating-system account. Kward's own guardrails do not replace operating-system isolation.
46
+
47
+ ## Workspace access is a guardrail, not a sandbox
48
+
49
+ Kward's built-in file tools normally resolve paths inside the active workspace. They reject paths outside that boundary, and existing files must be read in the current conversation before `write_file` or `edit_file` can change them.
50
+
51
+ These protections reduce accidental edits. They do not contain the whole process:
52
+
53
+ - `run_shell_command`, `!command`, `/shell`, and `/pty` run with your user permissions.
54
+ - A shell command can access files, environment variables, processes, and networks available to your account.
55
+ - Plugins, command hooks, and MCP servers are local processes with the same general operating-system access.
56
+ - Read-before-edit applies to Kward's file tools, not to arbitrary shell commands or extension code.
57
+
58
+ You can disable the file boundary with `tools.workspace_guardrails: false`, but doing so broadens file-tool access and is rarely needed. See [Workspace tools](workspace-tools.md) for exact limits and [Configuration](configuration.md#Tool_workspace_guardrails) for the setting.
59
+
60
+ ## Tool approvals and policy hooks
61
+
62
+ The interactive CLI does not ask for blanket approval before every tool call. Built-in guardrails and configured lifecycle hooks still apply, but ordinary file and shell tools can run during a turn.
63
+
64
+ RPC clients can request per-turn approval with `approvalMode: "ask"`. Kward then emits `tool/approvalRequested` before each tool executes and waits for the client to answer. The default RPC approval mode is `none`.
65
+
66
+ Lifecycle hooks can add deterministic policy around tools, shell commands, files, Git actions, model requests, and other events. A hook can allow, deny, modify supported data, warn, or ask for approval. An `ask` decision fails closed when the frontend has no approval bridge.
67
+
68
+ Pan mode does not provide a dedicated hook-approval UI. Use `deny` or `warn` for Pan-facing policies instead of depending on interactive approval.
69
+
70
+ See [Lifecycle hooks](lifecycle-hooks.md) for policy examples and [RPC protocol](rpc.md#Tool_approval_bridge) for the approval contract.
71
+
72
+ ## Know what you are trusting
73
+
74
+ ### Workspace instructions
75
+
76
+ A repository-level `AGENTS.md` is guidance for the model, not executable code. Kward tells the model to read it for repository tasks. Instructions can still influence what the model proposes or which tools it calls, so review unfamiliar guidance just as you would review a contributor script.
77
+
78
+ ### Project skills
79
+
80
+ Project skills under `.kward/skills/` and `.agents/skills/` are skipped by default. Enable them only after reviewing their `SKILL.md` instructions and supporting files:
81
+
82
+ ```text
83
+ /settings → Tools & Search → Trust project skills
84
+ ```
85
+
86
+ This setting trusts project skills generally; it is not a per-repository digest. A skill's `allowed-tools` metadata does not grant permissions or constrain tools in Kward.
87
+
88
+ ### Workspace hooks
89
+
90
+ Project hooks in `.kward/hooks.json` run only after `/hooks trust`. Trust is tied to the file digest, so a change invalidates it and requires another review. Command hooks execute local commands; HTTP hooks send event data to their configured endpoint.
91
+
92
+ ### Plugins
93
+
94
+ Ruby plugins in `~/.kward/plugins/*.rb` run inside the Kward process with your permissions. They can read files and environment variables, write files, run commands, and make network requests. Kward intentionally does not load plugins from a workspace directory.
95
+
96
+ ### MCP servers
97
+
98
+ Configured MCP servers are local child processes. Their tools can expose application state such as browser pages, console messages, network traffic, or screenshots. Kward currently supports local stdio servers, but local transport does not make an untrusted server safe.
99
+
100
+ Only add commands you trust to `mcpServers`, and review any environment variables supplied to them. See [MCP servers](mcp.md).
101
+
102
+ ## What leaves your machine
103
+
104
+ ### Model providers
105
+
106
+ To answer a turn, Kward sends the assembled conversation context to the active model provider. Depending on the task, that context can include:
107
+
108
+ - your prompts and prior conversation,
109
+ - system instructions, personas, skills, memory, and plugin context,
110
+ - file content read into the conversation,
111
+ - shell and tool results,
112
+ - images you attach,
113
+ - summaries produced during compaction.
114
+
115
+ Provider retention and training policies are controlled by the provider and your account or organization. Do not give Kward content you are not permitted to send to that provider.
116
+
117
+ ### Web tools
118
+
119
+ Search queries go to the selected search provider. `fetch_content` and `fetch_raw` request the URL you provide or the model selects. Disable web tools when external lookup is inappropriate:
120
+
121
+ ```json
122
+ {
123
+ "web_search": {
124
+ "enabled": false
125
+ }
126
+ }
127
+ ```
128
+
129
+ See [Web search](web-search.md#Network_behavior) for provider order and request behavior.
130
+
131
+ ### Hooks and MCP
132
+
133
+ HTTP hook payloads can include prompts, commands, file paths, tool arguments, and selected event results. Avoid forwarding raw events to third parties. Git and file after-events may include command output or changed content.
134
+
135
+ MCP tool arguments and results pass between Kward and the configured server. What the MCP server stores or forwards is determined by that server.
136
+
137
+ ## Local data and permissions
138
+
139
+ Kward keeps user data under `~/.kward` by default, or mostly beside `KWARD_CONFIG_PATH` when that override is set.
140
+
141
+ | Data | Typical location | Notes |
142
+ | --- | --- | --- |
143
+ | Main config and OpenRouter key | `~/.kward/config.json` | Do not commit or share it. |
144
+ | OAuth credentials | `~/.kward/auth.json`, `anthropic_auth.json`, `github_auth.json` | Written with mode `0600` when possible. |
145
+ | Sessions and tool results | `~/.kward/sessions/` | Conversation, file/tool output, and compaction history; files use mode `0600`. |
146
+ | Prompt history | `~/.kward/history/` | Workspace-scoped submitted prompts; files use mode `0600`. |
147
+ | Memory | `~/.kward/memory/` | Off by default; directory `0700` and files `0600`. |
148
+ | Telemetry logs | `~/.kward/logs/` | Off by default; redacted metadata, not intentional prompt or file-content logging. |
149
+ | Plugins | `~/.kward/plugins/` | Trusted Ruby code, not private data storage. |
150
+ | Hook audit log and trust records | `~/.kward/logs/`, `~/.kward/trusted_workspace_hooks.json` | Audit records use redacted metadata rather than raw event values. |
151
+
152
+ Private file modes help on normal Unix-like systems but do not protect data from your own account, privileged users, backups, malware, or a compromised machine. Session exports are written to the path you choose and should be protected separately.
153
+
154
+ Use these commands to inspect or remove stored credentials and context:
155
+
156
+ ```bash
157
+ kward auth status
158
+ kward auth logout
159
+ ```
160
+
161
+ ```text
162
+ /session
163
+ /memory list
164
+ /memory forget <id>
165
+ ```
166
+
167
+ See [Authentication](authentication.md), [Sessions](session-management.md), [Memory](memory.md), and [Configuration](configuration.md#Logging_and_stats) for retention and management details.
168
+
169
+ ## Practical habits
170
+
171
+ - Keep secrets out of prompts, screenshots, shell output, plugin context, and hook messages.
172
+ - Prefer temporary environment variables to storing short-lived API keys in config.
173
+ - Disable web search for private work that should not trigger external requests.
174
+ - Keep memory off unless cross-session recall is useful and appropriate.
175
+ - Review diffs and `git status` before committing agent changes.
176
+ - Treat generated commands as suggestions you are responsible for running.
177
+ - Use `kward sysprompt` to inspect instructions assembled for a new conversation.
178
+ - Run `kward doctor` and `kward hooks doctor` when configuration or trust behavior is unclear.
179
+
180
+ Security here is layered: Kward supplies guardrails and explicit trust controls, while real isolation and least privilege come from the environment in which you run it.
data/doc/usage.md CHANGED
@@ -78,7 +78,7 @@ For several commands, enter the embedded Kward shell:
78
78
  /shell
79
79
  ```
80
80
 
81
- `/shell` opens `ekwsh`, a Kward-native command mode. Kward keeps the tab bar, composer editing, and transcript rendering while each command runs through your configured shell. Built-ins such as `cd`, `pwd`, `export`, `unset`, `alias`, `clear`, `pty`, and `exit` maintain shell-mode state between commands. Plain Tab completes built-in command names, configured aliases, executables from `$PATH`, and file paths from the shell's current directory; `cd` completion suggests directories only. `ekwsh` preserves safe ANSI SGR color/style output while stripping terminal-control sequences that could corrupt the TUI, and sets conservative color-friendly environment defaults such as `CLICOLOR=1`, `COLORTERM=truecolor`, and `TERM=xterm-256color` when needed. Use `pty git log` or `/pty git log` when you intentionally want to hand the terminal to an interactive tool such as `less` or `vim`. You can set global shell env vars and aliases in `~/.kward/ekwsh.yml`; see [Configuration](configuration.md).
81
+ `/shell` opens `ekwsh`, a Kward-native command mode that keeps the tab bar and transcript visible. It preserves state such as the current directory, environment variables, and aliases between commands. Use `pty git log` or `/pty git log` when you intentionally want to hand the terminal to an interactive tool such as `less` or `vim`. See [Embedded shell](shell.md) for built-ins, completion, configuration, ANSI handling, PTY passthrough, and limitations.
82
82
 
83
83
  ## Shell commands
84
84
 
@@ -113,7 +113,7 @@ kward --skip-config edit ~/.kward/config.json
113
113
 
114
114
  ## Interactive slash commands
115
115
 
116
- Slash commands run local actions in the current session. Most do not send a prompt to the model; exceptions like `/git` and `/workers` orchestrate local flows that may then trigger model work.
116
+ Slash commands run local actions in the current session. Most do not send a prompt to the model; exceptions like `/git` orchestrate local flows that may then trigger model work.
117
117
 
118
118
  | Command | Use it when you want to... |
119
119
  | --- | --- |
@@ -125,7 +125,7 @@ Slash commands run local actions in the current session. Most do not send a prom
125
125
  | `/files` | browse project files in a nested tree and open them in the editor. |
126
126
  | `/shell` | run workspace commands in the embedded Kward shell. |
127
127
  | `/pty <command>` | hand the terminal to an interactive command such as `git log`/`less` or `vim`. |
128
- | `/settings` | configure prompt overlays. |
128
+ | `/settings` | configure models, accounts, memory, interface, tools, context, personalization, and logging. |
129
129
  | `/status` | see session, model, and context status. |
130
130
  | `/new` | start a fresh session in the current tab. |
131
131
  | `/tab 2` | switch to tab 2. |
@@ -140,6 +140,7 @@ Slash commands run local actions in the current session. Most do not send a prom
140
140
  | `/session name <name>` | name or clear the current session. |
141
141
  | `/rename <name>` | rename the current session. |
142
142
  | `/clone` | copy the current session into a new branch. |
143
+ | `/fork` | fork from an earlier prompt into a new session. |
143
144
  | `/rewind` | revisit an earlier prompt and try a different direction. |
144
145
  | `/tree` | inspect and navigate the full technical session tree. |
145
146
  | `/copy last` | copy the latest assistant answer. |
@@ -147,39 +148,21 @@ Slash commands run local actions in the current session. Most do not send a prom
147
148
  | `/export notes.md` | write the transcript to a Markdown file. |
148
149
  | `/compact [instructions]` | summarize older context so a long chat can continue. |
149
150
  | `/memory ...` | manage opt-in memory. |
151
+ | `/skill <name>` | activate a configured skill explicitly for the current session. |
152
+ | `/stats [range]` | summarize enabled local telemetry. |
153
+ | `/hooks ...` | inspect, diagnose, trust, or untrust lifecycle hooks. |
154
+ | `/scratchpad [text|markdown|ruby]` | open an unsaved editor buffer. |
150
155
  | `/redraw` | fix terminal drawing after resize or glitches. |
151
156
  | `/reload` | reload installed plugins. |
152
- | `/workers` | open the experimental worker pipeline (`new`, `do <task>`, or `list`). |
153
- | `/queue` | manage the experimental tab-backed worker queue (`add`, `list`, `open <id>`, `run`, `suspend <id>`, or `resume <id>`). |
154
157
  | `/exit` | leave Kward. |
158
+ | `/quit` | alias for `/exit`. |
155
159
 
156
- Prompt templates and plugins can add more slash commands.
157
-
158
- ### Experimental tab-backed worker queue
159
-
160
- Start Kward with `--experimental-workers` to try the tab-backed worker queue. The queue is an MVP for turning an existing tab/session into implementation work that can be reviewed later.
161
-
162
- Typical flow:
163
-
164
- ```text
165
- /plan Add retry handling to webhook delivery
166
- /queue add
167
- /queue run
168
- /queue open <id>
169
- ```
170
-
171
- `/queue add` stores the current tab session as a queued worker job. `/queue run` drains queued jobs one at a time. Each job continues its saved session as an implementation worker, starts only from a clean git workspace, commits any resulting changes, and then becomes `ready_for_review`. Use `/queue open <id>` to inspect the worker session, test the feature yourself, and continue the same session if a follow-up fix is needed.
172
-
173
- Current MVP limitations:
174
-
175
- - The queue is manual: run it with `/queue run` when you want it to work.
176
- - Jobs run sequentially and stop when one becomes `blocked` or `failed`.
177
- - A job will not start if the workspace is dirty; clean, commit, or stash your changes first.
178
- - `/queue suspend <id>` and `/queue resume <id>` provide explicit stash-based parking primitives, but automatic foreground-tool-triggered yielding is not wired yet.
179
- - The queue is experimental and stores metadata locally in Kward's config directory.
160
+ Prompt templates, configured skills, and plugins can add more slash commands. Their commands appear in the interactive slash-command picker alongside built-ins.
180
161
 
181
162
  ## Prompt history
182
163
 
164
+ The [Interactive composer](composer.md) guide covers multiline editing, slash and file completion, reasoning shortcuts, busy input, cancellation, attachments, and terminal compatibility.
165
+
183
166
  In interactive mode, Kward keeps prompt history per workspace under `~/.kward/history/`. Press Up/Down to recall previous prompts across restarts.
184
167
 
185
168
  Press `Ctrl-R` to search history. Type a fuzzy query in the composer, use Up/Down to choose a result from the overlay, then press Enter to place it back in the composer for editing or resubmission. Press Esc or Ctrl-C to cancel the search and restore the draft.
@@ -260,7 +243,7 @@ Important guardrails:
260
243
 
261
244
  ## Images
262
245
 
263
- If the active model supports images, Kward can attach image paths, Markdown image links, `file://` URLs, or image data URLs pasted into the composer. Supported formats are GIF, JPEG, PNG, and WebP, up to 20 MB per image.
246
+ If the active model supports images, Kward can attach image paths, Markdown image links, `file://` URLs, or image data URLs pasted into the composer. Supported formats are GIF, JPEG, PNG, and WebP, up to 20 MB per image. See [Interactive composer](composer.md#Attach_images) for attachment badges, removal, and terminal previews.
264
247
 
265
248
  Use this for tasks such as:
266
249
 
@@ -270,13 +253,13 @@ This screenshot shows the broken layout. Find the likely CSS issue.
270
253
 
271
254
  ## Pan mode
272
255
 
273
- Pan mode starts a simple LAN web UI:
256
+ Pan mode starts a mobile-friendly LAN web UI:
274
257
 
275
258
  ```bash
276
259
  kward --working-directory ~/code/project pan
277
260
  ```
278
261
 
279
- Use it only on trusted networks. It exposes the same file, shell, and web tools through a browser UI and requires credentials configured in `config.json`. See [Configuration](configuration.md).
262
+ Use it only on trusted networks. It exposes file, shell, web, and configured extension tools through a browser UI and requires credentials configured in `config.json`. Pan saves conversations to the normal workspace session store; its session drawer can create, resume, rename, and delete sessions. Session changes are disabled while turns are active or queued. See [Pan mode](pan.md) for setup, browser workflows, security, and limitations.
280
263
 
281
264
  ## RPC backend
282
265
 
data/lib/kward/ansi.rb CHANGED
@@ -262,8 +262,8 @@ module Kward
262
262
  end
263
263
 
264
264
  def inline_links(text, enabled: enabled?)
265
- text.split(/(\[[^\]\n]+\]\([^)\s\n]+\))/).map do |part|
266
- if (match = part.match(/\A\[([^\]\n]+)\]\(([^)\s\n]+)\)\z/))
265
+ text.split(/(\[[^\n\]]+\]\([^)\s]+\))/).map do |part|
266
+ if (match = part.match(/\A\[([^\n\]]+)\]\(([^)\s]+)\)\z/))
267
267
  "#{colorize(match[1], :cyan, enabled: enabled)} (#{colorize(match[2], :dim, enabled: enabled)})"
268
268
  else
269
269
  inline_emphasis(part, enabled: enabled)
@@ -2,9 +2,9 @@ require "thread"
2
2
 
3
3
  # Namespace for the Kward CLI agent runtime.
4
4
  module Kward
5
- # Cooperative cancellation token shared by model calls, tools, and workers.
5
+ # Cooperative cancellation token shared by model calls, tools, and background operations.
6
6
  class Cancellation
7
- # Cooperative cancellation token shared by model calls, tools, and workers.
7
+ # Cooperative cancellation token shared by model calls, tools, and background operations.
8
8
  class CancelledError < StandardError; end
9
9
 
10
10
  def initialize
@@ -156,7 +156,7 @@ module Kward
156
156
  },
157
157
  "pan" => {
158
158
  usage: "kward pan",
159
- description: "Start Pan mode, a minimal LAN web UI with a prompt textarea and transcript.",
159
+ description: "Start Pan mode, a mobile-friendly LAN web UI with persistent sessions.",
160
160
  examples: ["kward pan", "kward --working-directory ~/code/project pan"]
161
161
  },
162
162
  "rpc" => {
@@ -220,8 +220,6 @@ module Kward
220
220
  @prompt_delimited = true
221
221
  remaining.concat(arguments[(index + 1)..] || [])
222
222
  break
223
- when "--experimental-workers"
224
- @experimental_workers = true
225
223
  when "--skip-config"
226
224
  @skip_config = true
227
225
  when "--filter"
@@ -7,7 +7,6 @@ module Kward
7
7
  private
8
8
 
9
9
  def run_interactive_turn(agent, input, display_input: nil)
10
- stop_live_worker_view if respond_to?(:stop_live_worker_view, true)
11
10
  prepare_memory_context(agent.conversation, input) if agent.respond_to?(:conversation)
12
11
  print_user_transcript(input, display_input: display_input) if prompt_interface?
13
12
  return run_blocking_interactive_turn(agent, input, display_input: display_input) unless prompt_interface?
@@ -235,22 +234,6 @@ module Kward
235
234
  ["/exit", "/quit", "/new"].include?(input.to_s.strip)
236
235
  end
237
236
 
238
- def handle_busy_worker_input(input, agent, queued_inputs)
239
- return false unless agent
240
-
241
- command = input.to_s.strip
242
- return false unless command == "/workers" || command.start_with?("/workers ")
243
-
244
- _handled, replacement_agent = handle_local_slash_command(command, agent, @session_store)
245
- @busy_replacement_agent = replacement_agent if replacement_agent?(replacement_agent)
246
- restore_busy_input_prompt
247
- true
248
- rescue StandardError => e
249
- runtime_output("Error: #{e.message}")
250
- restore_busy_input_prompt
251
- true
252
- end
253
-
254
237
  def replacement_agent?(object)
255
238
  object.respond_to?(:conversation) && object.respond_to?(:ask)
256
239
  end