@agenticmail/enterprise 0.2.1

package/dist/chunk-N2JVTNNJ.js

@@ -0,0 +1,2553 @@
+import {
+  __esm,
+  __export,
+  __toCommonJS
+} from "./chunk-PNKVD2UK.js";
+
+// src/engine/tool-catalog.ts
+var tool_catalog_exports = {};
+__export(tool_catalog_exports, {
+  AGENTICMAIL_TOOLS: () => AGENTICMAIL_TOOLS,
+  ALL_TOOLS: () => ALL_TOOLS,
+  OPENCLAW_CORE_TOOLS: () => OPENCLAW_CORE_TOOLS,
+  TOOL_INDEX: () => TOOL_INDEX,
+  generateOpenClawToolPolicy: () => generateOpenClawToolPolicy,
+  getToolsBySkill: () => getToolsBySkill
+});
+function getToolsBySkill() {
+  const map = /* @__PURE__ */ new Map();
+  for (const tool of ALL_TOOLS) {
+    const list = map.get(tool.skillId) || [];
+    list.push(tool.id);
+    map.set(tool.skillId, list);
+  }
+  return map;
+}
+function generateOpenClawToolPolicy(allowedToolIds, blockedToolIds) {
+  const config = {};
+  if (blockedToolIds.length > 0 && allowedToolIds.length === 0) {
+    config["tools.deny"] = blockedToolIds;
+  } else if (allowedToolIds.length > 0) {
+    config["tools.allow"] = allowedToolIds;
+  }
+  return config;
+}
+var OPENCLAW_CORE_TOOLS, AGENTICMAIL_TOOLS, ALL_TOOLS, TOOL_INDEX;
+var init_tool_catalog = __esm({
+  "src/engine/tool-catalog.ts"() {
+    "use strict";
+    OPENCLAW_CORE_TOOLS = [
+      // File system
+      { id: "read", name: "Read File", description: "Read file contents (text and images)", category: "read", risk: "low", skillId: "files", sideEffects: [] },
+      { id: "write", name: "Write File", description: "Create or overwrite files", category: "write", risk: "medium", skillId: "files", sideEffects: ["modifies-files"] },
+      { id: "edit", name: "Edit File", description: "Make precise edits to files", category: "write", risk: "medium", skillId: "files", sideEffects: ["modifies-files"] },
+      // Execution
+      { id: "exec", name: "Shell Command", description: "Execute shell commands", category: "execute", risk: "critical", skillId: "exec", sideEffects: ["runs-code", "modifies-files", "network-request"] },
+      { id: "process", name: "Process Manager", description: "Manage running exec sessions", category: "execute", risk: "high", skillId: "exec", sideEffects: ["runs-code"] },
+      // Web
+      { id: "web_search", name: "Web Search", description: "Search the web via Brave Search API", category: "read", risk: "low", skillId: "web-search", sideEffects: ["network-request"] },
+      { id: "web_fetch", name: "Web Fetch", description: "Fetch and extract content from URLs", category: "read", risk: "low", skillId: "web-fetch", sideEffects: ["network-request"] },
+      // Browser
+      { id: "browser", name: "Browser Control", description: "Automate web browsers", category: "execute", risk: "high", skillId: "browser", sideEffects: ["network-request", "runs-code"] },
+      // Canvas
+      { id: "canvas", name: "Canvas", description: "Present/eval/snapshot rendered UI", category: "read", risk: "low", skillId: "canvas", sideEffects: [] },
+      // Nodes
+      { id: "nodes", name: "Node Control", description: "Control paired devices", category: "execute", risk: "high", skillId: "nodes", sideEffects: ["controls-device"] },
+      // Cron
+      { id: "cron", name: "Cron Jobs", description: "Schedule tasks and reminders", category: "write", risk: "medium", skillId: "cron", sideEffects: [] },
+      // Messaging
+      { id: "message", name: "Send Message", description: "Send messages via channels", category: "communicate", risk: "high", skillId: "messaging", sideEffects: ["sends-message"] },
+      // Gateway
+      { id: "gateway", name: "Gateway Control", description: "Restart, configure, update OpenClaw", category: "execute", risk: "critical", skillId: "gateway", sideEffects: ["runs-code"] },
+      // Sessions / Sub-agents
+      { id: "agents_list", name: "List Agents", description: "List agent IDs for spawning", category: "read", risk: "low", skillId: "sessions", sideEffects: [] },
+      { id: "sessions_list", name: "List Sessions", description: "List active sessions", category: "read", risk: "low", skillId: "sessions", sideEffects: [] },
+      { id: "sessions_history", name: "Session History", description: "Fetch message history", category: "read", risk: "low", skillId: "sessions", sideEffects: [] },
+      { id: "sessions_send", name: "Send to Session", description: "Send message to another session", category: "communicate", risk: "medium", skillId: "sessions", sideEffects: ["sends-message"] },
+      { id: "sessions_spawn", name: "Spawn Sub-Agent", description: "Spawn a background sub-agent", category: "execute", risk: "medium", skillId: "sessions", sideEffects: [] },
+      { id: "subagents", name: "Sub-Agent Control", description: "List, steer, or kill sub-agents", category: "execute", risk: "medium", skillId: "sessions", sideEffects: [] },
+      { id: "session_status", name: "Session Status", description: "Show session usage and status", category: "read", risk: "low", skillId: "sessions", sideEffects: [] },
+      // Image
+      { id: "image", name: "Image Analysis", description: "Analyze images with vision model", category: "read", risk: "low", skillId: "media", sideEffects: [] },
+      // TTS
+      { id: "tts", name: "Text-to-Speech", description: "Convert text to speech audio", category: "write", risk: "low", skillId: "media", sideEffects: [] },
+      // Memory
+      { id: "memory_search", name: "Memory Search", description: "Search agent memory files", category: "read", risk: "low", skillId: "memory", sideEffects: [] },
+      { id: "memory_get", name: "Memory Get", description: "Read memory file snippets", category: "read", risk: "low", skillId: "memory", sideEffects: [] }
+    ];
+    AGENTICMAIL_TOOLS = [
+      // Core email
+      { id: "agenticmail_inbox", name: "Inbox", description: "List recent emails", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_read", name: "Read Email", description: "Read a specific email by UID", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_send", name: "Send Email", description: "Send an email", category: "communicate", risk: "high", skillId: "agenticmail", sideEffects: ["sends-email"] },
+      { id: "agenticmail_reply", name: "Reply to Email", description: "Reply to an email", category: "communicate", risk: "high", skillId: "agenticmail", sideEffects: ["sends-email"] },
+      { id: "agenticmail_forward", name: "Forward Email", description: "Forward an email", category: "communicate", risk: "high", skillId: "agenticmail", sideEffects: ["sends-email"] },
+      { id: "agenticmail_search", name: "Search Email", description: "Search emails", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_delete", name: "Delete Email", description: "Delete an email", category: "destroy", risk: "medium", skillId: "agenticmail", sideEffects: ["deletes-data"] },
+      { id: "agenticmail_move", name: "Move Email", description: "Move email to folder", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_mark_read", name: "Mark Read", description: "Mark email as read", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_mark_unread", name: "Mark Unread", description: "Mark email as unread", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_digest", name: "Inbox Digest", description: "Get compact inbox digest", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_list_folder", name: "List Folder", description: "List messages in a folder", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_folders", name: "List Folders", description: "List all mail folders", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_create_folder", name: "Create Folder", description: "Create a mail folder", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_import_relay", name: "Import Relay", description: "Import email from Gmail/Outlook", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      // Batch operations
+      { id: "agenticmail_batch_read", name: "Batch Read", description: "Read multiple emails", category: "read", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_batch_delete", name: "Batch Delete", description: "Delete multiple emails", category: "destroy", risk: "medium", skillId: "agenticmail", sideEffects: ["deletes-data"] },
+      { id: "agenticmail_batch_move", name: "Batch Move", description: "Move multiple emails", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_batch_mark_read", name: "Batch Mark Read", description: "Mark multiple as read", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_batch_mark_unread", name: "Batch Mark Unread", description: "Mark multiple as unread", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      // Agent coordination
+      { id: "agenticmail_call_agent", name: "Call Agent", description: "Call another agent with a task", category: "execute", risk: "medium", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_message_agent", name: "Message Agent", description: "Send message to another agent", category: "communicate", risk: "low", skillId: "agenticmail-coordination", sideEffects: ["sends-message"] },
+      { id: "agenticmail_list_agents", name: "List Agents", description: "List available agents", category: "read", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_check_messages", name: "Check Messages", description: "Check for unread messages", category: "read", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_check_tasks", name: "Check Tasks", description: "Check pending tasks", category: "read", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_claim_task", name: "Claim Task", description: "Claim a pending task", category: "write", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_complete_task", name: "Complete Task", description: "Complete a claimed task", category: "write", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_submit_result", name: "Submit Result", description: "Submit task result", category: "write", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      { id: "agenticmail_wait_for_email", name: "Wait for Email", description: "Wait for new email (SSE)", category: "read", risk: "low", skillId: "agenticmail-coordination", sideEffects: [] },
+      // Account management
+      { id: "agenticmail_create_account", name: "Create Account", description: "Create agent email account", category: "write", risk: "high", skillId: "agenticmail-admin", sideEffects: [] },
+      { id: "agenticmail_delete_agent", name: "Delete Agent", description: "Delete agent account", category: "destroy", risk: "critical", skillId: "agenticmail-admin", sideEffects: ["deletes-data"] },
+      { id: "agenticmail_cleanup", name: "Cleanup Agents", description: "Remove inactive agents", category: "destroy", risk: "high", skillId: "agenticmail-admin", sideEffects: ["deletes-data"] },
+      { id: "agenticmail_deletion_reports", name: "Deletion Reports", description: "List deletion reports", category: "read", risk: "low", skillId: "agenticmail-admin", sideEffects: [] },
+      { id: "agenticmail_whoami", name: "Who Am I", description: "Get agent account info", category: "read", risk: "low", skillId: "agenticmail-admin", sideEffects: [] },
+      { id: "agenticmail_update_metadata", name: "Update Metadata", description: "Update agent metadata", category: "write", risk: "low", skillId: "agenticmail-admin", sideEffects: [] },
+      { id: "agenticmail_status", name: "Server Status", description: "Check server health", category: "read", risk: "low", skillId: "agenticmail-admin", sideEffects: [] },
+      { id: "agenticmail_pending_emails", name: "Pending Emails", description: "Check blocked outbound emails", category: "read", risk: "low", skillId: "agenticmail-admin", sideEffects: [] },
+      // Organization
+      { id: "agenticmail_contacts", name: "Contacts", description: "Manage contacts", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_tags", name: "Tags", description: "Manage email tags/labels", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_signatures", name: "Signatures", description: "Manage email signatures", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_templates", name: "Templates", description: "Manage email templates", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_template_send", name: "Send Template", description: "Send email from template", category: "communicate", risk: "high", skillId: "agenticmail", sideEffects: ["sends-email"] },
+      { id: "agenticmail_rules", name: "Email Rules", description: "Manage auto-processing rules", category: "write", risk: "medium", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_spam", name: "Spam Management", description: "Manage spam folder", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_drafts", name: "Drafts", description: "Manage email drafts", category: "write", risk: "low", skillId: "agenticmail", sideEffects: [] },
+      { id: "agenticmail_schedule", name: "Schedule Email", description: "Schedule emails for later", category: "communicate", risk: "medium", skillId: "agenticmail", sideEffects: ["sends-email"] },
+      // Setup (admin only)
+      { id: "agenticmail_setup_relay", name: "Setup Relay", description: "Configure Gmail/Outlook relay", category: "write", risk: "critical", skillId: "agenticmail-setup", sideEffects: [] },
+      { id: "agenticmail_setup_domain", name: "Setup Domain", description: "Configure custom domain", category: "write", risk: "critical", skillId: "agenticmail-setup", sideEffects: [] },
+      { id: "agenticmail_setup_guide", name: "Setup Guide", description: "Email setup comparison", category: "read", risk: "low", skillId: "agenticmail-setup", sideEffects: [] },
+      { id: "agenticmail_setup_gmail_alias", name: "Gmail Alias", description: "Add Gmail send-as alias", category: "read", risk: "low", skillId: "agenticmail-setup", sideEffects: [] },
+      { id: "agenticmail_setup_payment", name: "Setup Payment", description: "Add Cloudflare payment", category: "read", risk: "low", skillId: "agenticmail-setup", sideEffects: [] },
+      { id: "agenticmail_purchase_domain", name: "Purchase Domain", description: "Search available domains", category: "read", risk: "low", skillId: "agenticmail-setup", sideEffects: [] },
+      { id: "agenticmail_test_email", name: "Test Email", description: "Send test email", category: "communicate", risk: "low", skillId: "agenticmail-setup", sideEffects: ["sends-email"] },
+      { id: "agenticmail_gateway_status", name: "Gateway Status", description: "Check email gateway", category: "read", risk: "low", skillId: "agenticmail-setup", sideEffects: [] },
+      // SMS
+      { id: "agenticmail_sms_send", name: "Send SMS", description: "Send SMS via Google Voice", category: "communicate", risk: "high", skillId: "agenticmail-sms", sideEffects: ["sends-sms"] },
+      { id: "agenticmail_sms_messages", name: "SMS Messages", description: "List SMS messages", category: "read", risk: "low", skillId: "agenticmail-sms", sideEffects: [] },
+      { id: "agenticmail_sms_check_code", name: "Check SMS Code", description: "Check for verification codes", category: "read", risk: "low", skillId: "agenticmail-sms", sideEffects: [] },
+      { id: "agenticmail_sms_read_voice", name: "Read Voice SMS", description: "Read SMS from Google Voice", category: "read", risk: "low", skillId: "agenticmail-sms", sideEffects: [] },
+      { id: "agenticmail_sms_record", name: "Record SMS", description: "Save SMS to database", category: "write", risk: "low", skillId: "agenticmail-sms", sideEffects: [] },
+      { id: "agenticmail_sms_parse_email", name: "Parse SMS Email", description: "Parse SMS from forwarded email", category: "read", risk: "low", skillId: "agenticmail-sms", sideEffects: [] },
+      { id: "agenticmail_sms_setup", name: "SMS Setup", description: "Configure Google Voice SMS", category: "write", risk: "medium", skillId: "agenticmail-sms", sideEffects: [] },
+      { id: "agenticmail_sms_config", name: "SMS Config", description: "Get SMS configuration", category: "read", risk: "low", skillId: "agenticmail-sms", sideEffects: [] }
+    ];
+    ALL_TOOLS = [...OPENCLAW_CORE_TOOLS, ...AGENTICMAIL_TOOLS];
+    TOOL_INDEX = new Map(ALL_TOOLS.map((t) => [t.id, t]));
+  }
+});
+
+// src/engine/skills.ts
+var PRESET_PROFILES = [
+  {
+    name: "Research Assistant",
+    description: "Can search the web, read files, and summarize content. Cannot send messages, run code, or modify anything.",
+    skills: { mode: "allowlist", list: ["research", "summarize", "data-read"] },
+    tools: { blocked: ["exec", "write", "edit"], allowed: ["web_search", "web_fetch", "read", "memory_search", "memory_get"] },
+    maxRiskLevel: "low",
+    blockedSideEffects: ["sends-email", "sends-message", "sends-sms", "posts-social", "runs-code", "modifies-files", "deletes-data", "controls-device", "financial"],
+    requireApproval: { enabled: false, forRiskLevels: [], forSideEffects: [], approvers: [], timeoutMinutes: 30 },
+    rateLimits: { toolCallsPerMinute: 30, toolCallsPerHour: 500, toolCallsPerDay: 5e3, externalActionsPerHour: 0 },
+    constraints: { maxConcurrentTasks: 3, maxSessionDurationMinutes: 480, sandboxMode: false }
+  },
+  {
+    name: "Customer Support Agent",
+    description: "Can read/send emails, search knowledge base, and manage tickets. Cannot run code or access files.",
+    skills: { mode: "allowlist", list: ["communication", "research", "agenticmail"] },
+    tools: { blocked: ["exec", "browser", "write", "edit"], allowed: ["agenticmail_send", "agenticmail_reply", "agenticmail_inbox", "agenticmail_read", "agenticmail_search", "web_search", "web_fetch"] },
+    maxRiskLevel: "medium",
+    blockedSideEffects: ["runs-code", "modifies-files", "deletes-data", "controls-device", "financial", "posts-social"],
+    requireApproval: { enabled: true, forRiskLevels: ["high", "critical"], forSideEffects: ["sends-email"], approvers: [], timeoutMinutes: 60 },
+    rateLimits: { toolCallsPerMinute: 20, toolCallsPerHour: 300, toolCallsPerDay: 3e3, externalActionsPerHour: 50 },
+    constraints: { maxConcurrentTasks: 5, maxSessionDurationMinutes: 480, sandboxMode: false }
+  },
+  {
+    name: "Developer Assistant",
+    description: "Full development capabilities: code, git, GitHub, shell. Cannot send external messages or access smart home.",
+    skills: { mode: "allowlist", list: ["development", "github", "coding-agent", "research", "data"] },
+    tools: { blocked: ["agenticmail_send", "message", "tts", "nodes"], allowed: ["exec", "read", "write", "edit", "web_search", "web_fetch", "browser"] },
+    maxRiskLevel: "high",
+    blockedSideEffects: ["sends-email", "sends-message", "sends-sms", "posts-social", "controls-device", "financial"],
+    requireApproval: { enabled: true, forRiskLevels: ["critical"], forSideEffects: [], approvers: [], timeoutMinutes: 15 },
+    rateLimits: { toolCallsPerMinute: 60, toolCallsPerHour: 1e3, toolCallsPerDay: 1e4, externalActionsPerHour: 100 },
+    constraints: { maxConcurrentTasks: 3, maxSessionDurationMinutes: 720, sandboxMode: false }
+  },
+  {
+    name: "Full Access (Owner)",
+    description: "Unrestricted access to all skills and tools. Use with caution.",
+    skills: { mode: "blocklist", list: [] },
+    tools: { blocked: [], allowed: [] },
+    maxRiskLevel: "critical",
+    blockedSideEffects: [],
+    requireApproval: { enabled: false, forRiskLevels: [], forSideEffects: [], approvers: [], timeoutMinutes: 30 },
+    rateLimits: { toolCallsPerMinute: 120, toolCallsPerHour: 5e3, toolCallsPerDay: 5e4, externalActionsPerHour: 500 },
+    constraints: { maxConcurrentTasks: 10, maxSessionDurationMinutes: 1440, sandboxMode: false }
+  },
+  {
+    name: "Sandbox (Testing)",
+    description: "All tools available but in simulation mode. No real external actions are taken.",
+    skills: { mode: "blocklist", list: [] },
+    tools: { blocked: [], allowed: [] },
+    maxRiskLevel: "critical",
+    blockedSideEffects: [],
+    requireApproval: { enabled: false, forRiskLevels: [], forSideEffects: [], approvers: [], timeoutMinutes: 30 },
+    rateLimits: { toolCallsPerMinute: 60, toolCallsPerHour: 1e3, toolCallsPerDay: 1e4, externalActionsPerHour: 500 },
+    constraints: { maxConcurrentTasks: 5, maxSessionDurationMinutes: 480, sandboxMode: true }
+  }
+];
+var BUILTIN_SKILLS = [
+  // Communication
+  { id: "agenticmail", name: "AgenticMail", description: "Full email system \u2014 send, receive, organize, search, forward, reply. Agent-to-agent messaging and task delegation.", category: "communication", risk: "medium", icon: "\u{1F4E7}", source: "builtin" },
+  { id: "imsg", name: "iMessage", description: "Send and receive iMessages and SMS via macOS.", category: "communication", risk: "high", icon: "\u{1F4AC}", source: "builtin", requires: ["macos"] },
+  { id: "wacli", name: "WhatsApp", description: "Send WhatsApp messages and search chat history.", category: "communication", risk: "high", icon: "\u{1F4F1}", source: "builtin" },
+  // Development
+  { id: "github", name: "GitHub", description: "Manage issues, PRs, CI runs, and repositories via gh CLI.", category: "development", risk: "medium", icon: "\u{1F419}", source: "builtin" },
+  { id: "coding-agent", name: "Coding Agent", description: "Run Codex CLI, Claude Code, or other coding agents as background processes.", category: "development", risk: "high", icon: "\u{1F4BB}", source: "builtin" },
+  // Productivity
+  { id: "gog", name: "Google Workspace", description: "Gmail, Calendar, Drive, Contacts, Sheets, and Docs.", category: "productivity", risk: "medium", icon: "\u{1F4C5}", source: "builtin" },
+  { id: "apple-notes", name: "Apple Notes", description: "Create, search, edit, and manage Apple Notes.", category: "productivity", risk: "low", icon: "\u{1F4DD}", source: "builtin", requires: ["macos"] },
+  { id: "apple-reminders", name: "Apple Reminders", description: "Manage Apple Reminders lists and items.", category: "productivity", risk: "low", icon: "\u2705", source: "builtin", requires: ["macos"] },
+  { id: "bear-notes", name: "Bear Notes", description: "Create, search, and manage Bear notes.", category: "productivity", risk: "low", icon: "\u{1F43B}", source: "builtin", requires: ["macos"] },
+  { id: "obsidian", name: "Obsidian", description: "Work with Obsidian vaults and automate via CLI.", category: "productivity", risk: "low", icon: "\u{1F48E}", source: "builtin" },
+  { id: "things-mac", name: "Things 3", description: "Manage tasks and projects in Things 3.", category: "productivity", risk: "low", icon: "\u2611\uFE0F", source: "builtin", requires: ["macos"] },
+  // Research
+  { id: "web-search", name: "Web Search", description: "Search the web via Brave Search API.", category: "research", risk: "low", icon: "\u{1F50D}", source: "builtin" },
+  { id: "web-fetch", name: "Web Fetch", description: "Fetch and extract readable content from URLs.", category: "research", risk: "low", icon: "\u{1F310}", source: "builtin" },
+  { id: "summarize", name: "Summarize", description: "Summarize or transcribe URLs, podcasts, and files.", category: "research", risk: "low", icon: "\u{1F4C4}", source: "builtin" },
+  { id: "blogwatcher", name: "Blog Watcher", description: "Monitor blogs and RSS/Atom feeds for updates.", category: "research", risk: "low", icon: "\u{1F4E1}", source: "builtin" },
+  // Media
+  { id: "openai-image-gen", name: "Image Generation", description: "Generate images via OpenAI Images API.", category: "media", risk: "low", icon: "\u{1F3A8}", source: "builtin" },
+  { id: "nano-banana-pro", name: "Gemini Image", description: "Generate or edit images via Gemini 3 Pro.", category: "media", risk: "low", icon: "\u{1F5BC}\uFE0F", source: "builtin" },
+  { id: "tts", name: "Text-to-Speech", description: "Convert text to speech audio.", category: "media", risk: "low", icon: "\u{1F50A}", source: "builtin" },
+  { id: "openai-whisper", name: "Whisper Transcription", description: "Transcribe audio via OpenAI Whisper API.", category: "media", risk: "low", icon: "\u{1F399}\uFE0F", source: "builtin" },
+  { id: "video-frames", name: "Video Frames", description: "Extract frames or clips from videos.", category: "media", risk: "low", icon: "\u{1F3AC}", source: "builtin" },
+  { id: "gifgrep", name: "GIF Search", description: "Search and download GIFs.", category: "media", risk: "low", icon: "\u{1F3AD}", source: "builtin" },
+  // Automation
+  { id: "browser", name: "Browser Control", description: "Automate web browsers \u2014 navigate, click, type, screenshot.", category: "automation", risk: "high", icon: "\u{1F30D}", source: "builtin" },
+  { id: "exec", name: "Shell Commands", description: "Execute shell commands on the host machine.", category: "automation", risk: "critical", icon: "\u26A1", source: "builtin" },
+  { id: "peekaboo", name: "macOS UI Automation", description: "Capture and automate macOS UI with Peekaboo.", category: "automation", risk: "high", icon: "\u{1F441}\uFE0F", source: "builtin", requires: ["macos"] },
+  { id: "cron", name: "Scheduled Tasks", description: "Create and manage cron jobs and reminders.", category: "automation", risk: "medium", icon: "\u23F0", source: "builtin" },
+  // Smart Home
+  { id: "openhue", name: "Philips Hue", description: "Control Hue lights and scenes.", category: "smart-home", risk: "low", icon: "\u{1F4A1}", source: "builtin" },
+  { id: "sonoscli", name: "Sonos", description: "Control Sonos speakers.", category: "smart-home", risk: "low", icon: "\u{1F508}", source: "builtin" },
+  { id: "blucli", name: "BluOS", description: "Control BluOS speakers.", category: "smart-home", risk: "low", icon: "\u{1F3B5}", source: "builtin" },
+  { id: "eightctl", name: "Eight Sleep", description: "Control Eight Sleep pod temperature and alarms.", category: "smart-home", risk: "low", icon: "\u{1F6CF}\uFE0F", source: "builtin" },
+  { id: "camsnap", name: "IP Cameras", description: "Capture frames from RTSP/ONVIF cameras.", category: "smart-home", risk: "medium", icon: "\u{1F4F7}", source: "builtin" },
+  // Data
+  { id: "files", name: "File System", description: "Read, write, and edit files on the host.", category: "data", risk: "medium", icon: "\u{1F4C1}", source: "builtin" },
+  { id: "memory", name: "Agent Memory", description: "Persistent memory search and storage.", category: "data", risk: "low", icon: "\u{1F9E0}", source: "builtin" },
+  // Security
+  { id: "1password", name: "1Password", description: "Read and manage secrets via 1Password CLI.", category: "security", risk: "critical", icon: "\u{1F510}", source: "builtin" },
+  { id: "healthcheck", name: "Security Audit", description: "Host security hardening and risk checks.", category: "security", risk: "medium", icon: "\u{1F6E1}\uFE0F", source: "builtin" },
+  // Social
+  { id: "twitter", name: "Twitter/X", description: "Post tweets, read timeline, manage social presence.", category: "social", risk: "high", icon: "\u{1F426}", source: "builtin" },
+  // Platform
+  { id: "gateway", name: "OpenClaw Gateway", description: "Restart, configure, and update the OpenClaw gateway.", category: "platform", risk: "critical", icon: "\u2699\uFE0F", source: "builtin" },
+  { id: "sessions", name: "Session Management", description: "Spawn sub-agents, list sessions, send messages between sessions.", category: "platform", risk: "medium", icon: "\u{1F504}", source: "builtin" },
+  { id: "nodes", name: "Node Control", description: "Discover and control paired devices (camera, screen, location).", category: "platform", risk: "high", icon: "\u{1F4E1}", source: "builtin" }
+];
+var PermissionEngine = class {
+  skills = /* @__PURE__ */ new Map();
+  profiles = /* @__PURE__ */ new Map();
+  constructor(skills) {
+    if (skills) {
+      for (const s of skills) this.skills.set(s.id, s);
+    }
+  }
+  registerSkill(skill) {
+    this.skills.set(skill.id, skill);
+  }
+  setProfile(agentId, profile) {
+    this.profiles.set(agentId, profile);
+  }
+  getProfile(agentId) {
+    return this.profiles.get(agentId);
+  }
+  /**
+   * Core permission check: Can this agent use this tool right now?
+   * Returns { allowed, reason, requiresApproval }
+   */
+  checkPermission(agentId, toolId, context) {
+    const profile = this.profiles.get(agentId);
+    if (!profile) {
+      return { allowed: false, reason: "No permission profile assigned", requiresApproval: false };
+    }
+    if (profile.constraints.sandboxMode) {
+      return { allowed: true, reason: "Sandbox mode \u2014 action will be simulated", requiresApproval: false, sandbox: true };
+    }
+    if (profile.constraints.allowedWorkingHours) {
+      const now = context?.timestamp || /* @__PURE__ */ new Date();
+      const { start, end, timezone } = profile.constraints.allowedWorkingHours;
+      const hour = parseInt(new Intl.DateTimeFormat("en-US", { hour: "numeric", hour12: false, timeZone: timezone }).format(now));
+      const startHour = parseInt(start.split(":")[0]);
+      const endHour = parseInt(end.split(":")[0]);
+      if (hour < startHour || hour >= endHour) {
+        return { allowed: false, reason: `Outside working hours (${start}-${end} ${timezone})`, requiresApproval: false };
+      }
+    }
+    if (profile.constraints.allowedIPs?.length && context?.ip) {
+      if (!profile.constraints.allowedIPs.includes(context.ip)) {
+        return { allowed: false, reason: `IP ${context.ip} not in allowlist`, requiresApproval: false };
+      }
+    }
+    if (profile.tools.blocked.includes(toolId)) {
+      return { allowed: false, reason: `Tool "${toolId}" is explicitly blocked`, requiresApproval: false };
+    }
+    if (profile.tools.allowed.includes(toolId)) {
+      return this._checkApproval(profile, toolId);
+    }
+    const tool = this._findTool(toolId);
+    if (!tool) {
+      return { allowed: false, reason: `Unknown tool "${toolId}"`, requiresApproval: false };
+    }
+    const skillAllowed = profile.skills.mode === "allowlist" ? profile.skills.list.includes(tool.skillId) : !profile.skills.list.includes(tool.skillId);
+    if (!skillAllowed) {
+      return { allowed: false, reason: `Skill "${tool.skillId}" is not permitted`, requiresApproval: false };
+    }
+    const riskOrder = ["low", "medium", "high", "critical"];
+    const toolRiskIdx = riskOrder.indexOf(tool.risk);
+    const maxRiskIdx = riskOrder.indexOf(profile.maxRiskLevel);
+    if (toolRiskIdx > maxRiskIdx) {
+      return { allowed: false, reason: `Tool risk "${tool.risk}" exceeds max allowed "${profile.maxRiskLevel}"`, requiresApproval: false };
+    }
+    for (const effect of tool.sideEffects) {
+      if (profile.blockedSideEffects.includes(effect)) {
+        return { allowed: false, reason: `Side effect "${effect}" is blocked`, requiresApproval: false };
+      }
+    }
+    return this._checkApproval(profile, toolId, tool);
+  }
+  _checkApproval(profile, toolId, tool) {
+    if (!profile.requireApproval.enabled) {
+      return { allowed: true, reason: "Permitted", requiresApproval: false };
+    }
+    if (tool) {
+      if (profile.requireApproval.forRiskLevels.includes(tool.risk)) {
+        return { allowed: true, reason: "Requires human approval (risk level)", requiresApproval: true };
+      }
+      for (const effect of tool.sideEffects) {
+        if (profile.requireApproval.forSideEffects.includes(effect)) {
+          return { allowed: true, reason: `Requires human approval (${effect})`, requiresApproval: true };
+        }
+      }
+    }
+    return { allowed: true, reason: "Permitted", requiresApproval: false };
+  }
+  _findTool(toolId) {
+    for (const skill of this.skills.values()) {
+      const tool = skill.tools.find((t) => t.id === toolId);
+      if (tool) return tool;
+    }
+    try {
+      const { TOOL_INDEX: TOOL_INDEX2 } = (init_tool_catalog(), __toCommonJS(tool_catalog_exports));
+      return TOOL_INDEX2.get(toolId);
+    } catch {
+      return void 0;
+    }
+  }
+  /**
+   * Get the full resolved tool list for an agent — what they can actually use
+   */
+  getAvailableTools(agentId) {
+    const result = [];
+    for (const skill of this.skills.values()) {
+      for (const tool of skill.tools) {
+        const perm = this.checkPermission(agentId, tool.id);
+        if (perm.allowed) {
+          result.push({
+            tool,
+            status: perm.sandbox ? "sandbox" : perm.requiresApproval ? "approval-required" : "allowed"
+          });
+        }
+      }
+    }
+    return result;
+  }
+  /**
+   * Generate the OpenClaw tool policy config for an agent based on their profile
+   */
+  generateToolPolicy(agentId) {
+    const profile = this.profiles.get(agentId);
+    if (!profile) return { allowedTools: [], blockedTools: [], approvalRequired: [], rateLimits: { toolCallsPerMinute: 10, toolCallsPerHour: 100, toolCallsPerDay: 1e3, externalActionsPerHour: 10 } };
+    const allowed = [];
+    const blocked = [];
+    const approval = [];
+    for (const skill of this.skills.values()) {
+      for (const tool of skill.tools) {
+        const perm = this.checkPermission(agentId, tool.id);
+        if (perm.allowed) {
+          allowed.push(tool.id);
+          if (perm.requiresApproval) approval.push(tool.id);
+        } else {
+          blocked.push(tool.id);
+        }
+      }
+    }
+    return { allowedTools: allowed, blockedTools: blocked, approvalRequired: approval, rateLimits: profile.rateLimits };
+  }
+  getAllSkills() {
+    return Array.from(this.skills.values());
+  }
+  getSkillsByCategory() {
+    const result = {};
+    for (const skill of this.skills.values()) {
+      if (!result[skill.category]) result[skill.category] = [];
+      result[skill.category].push(skill);
+    }
+    return result;
+  }
+};
+
+// src/engine/agent-config.ts
+var AgentConfigGenerator = class {
+  /**
+   * Generate the complete workspace files for an agent
+   */
+  generateWorkspace(config) {
+    return {
+      "SOUL.md": this.generateSoul(config),
+      "USER.md": this.generateUser(config),
+      "AGENTS.md": this.generateAgents(config),
+      "IDENTITY.md": this.generateIdentity(config),
+      "HEARTBEAT.md": this.generateHeartbeat(config),
+      "TOOLS.md": this.generateTools(config),
+      "MEMORY.md": `# MEMORY.md \u2014 ${config.displayName}'s Long-Term Memory
+
+_Created ${(/* @__PURE__ */ new Date()).toISOString()}_
+`
+    };
+  }
+  /**
+   * Generate the OpenClaw gateway config for this agent
+   */
+  generateGatewayConfig(config) {
+    const channels = {};
+    for (const ch of config.channels.enabled) {
+      if (!ch.enabled) continue;
+      channels[ch.type] = ch.config;
+    }
+    return {
+      model: `${config.model.provider}/${config.model.modelId}`,
+      thinking: config.model.thinkingLevel,
+      temperature: config.model.temperature,
+      maxTokens: config.model.maxTokens,
+      channels,
+      heartbeat: config.heartbeat.enabled ? {
+        intervalMinutes: config.heartbeat.intervalMinutes
+      } : void 0,
+      workspace: config.workspace.workingDirectory
+    };
+  }
+  /**
+   * Generate a docker-compose.yml for this agent
+   */
+  generateDockerCompose(config) {
+    const dc = config.deployment.config.docker;
+    if (!dc) throw new Error("No Docker config");
+    const env = { ...dc.env };
+    env["OPENCLAW_MODEL"] = `${config.model.provider}/${config.model.modelId}`;
+    env["OPENCLAW_THINKING"] = config.model.thinkingLevel;
+    if (config.email.enabled && config.email.address) {
+      env["AGENTICMAIL_EMAIL"] = config.email.address;
+    }
+    const envLines = Object.entries(env).map(([k, v]) => `      ${k}: "${v}"`).join("\n");
+    const volumes = dc.volumes.map((v) => `      - ${v}`).join("\n");
+    const ports = dc.ports.map((p) => `      - "${p}:${p}"`).join("\n");
+    return `version: "3.8"
+
+services:
+  ${config.name}:
+    image: ${dc.image}:${dc.tag}
+    container_name: agenticmail-${config.name}
+    restart: ${dc.restart}
+    ports:
+${ports}
+    volumes:
+${volumes}
+    environment:
+${envLines}
+    deploy:
+      resources:
+        limits:
+          cpus: "${dc.resources.cpuLimit}"
+          memory: ${dc.resources.memoryLimit}
+${dc.network ? `    networks:
+      - ${dc.network}
+
+networks:
+  ${dc.network}:
+    external: true` : ""}
+`;
+  }
+  /**
+   * Generate a systemd service file for VPS deployment
+   */
+  generateSystemdUnit(config) {
+    const vps = config.deployment.config.vps;
+    if (!vps) throw new Error("No VPS config");
+    return `[Unit]
+Description=AgenticMail Agent: ${config.displayName}
+After=network.target
+
+[Service]
+Type=simple
+User=${vps.user}
+WorkingDirectory=${vps.installPath}
+ExecStart=/usr/bin/env node ${vps.installPath}/node_modules/.bin/openclaw gateway start
+Restart=always
+RestartSec=10
+Environment=NODE_ENV=production
+Environment=OPENCLAW_MODEL=${config.model.provider}/${config.model.modelId}
+Environment=OPENCLAW_THINKING=${config.model.thinkingLevel}
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=${vps.installPath}
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+`;
+  }
+  /**
+   * Generate a deployment script for VPS
+   */
+  generateVPSDeployScript(config) {
+    const vps = config.deployment.config.vps;
+    if (!vps) throw new Error("No VPS config");
+    return `#!/bin/bash
+set -euo pipefail
+
+# AgenticMail Agent Deployment Script
+# Agent: ${config.displayName}
+# Target: ${vps.host}
+
+echo "\u{1F680} Deploying ${config.displayName} to ${vps.host}..."
+
+INSTALL_PATH="${vps.installPath}"
+${vps.sudo ? 'SUDO="sudo"' : 'SUDO=""'}
+
+# 1. Install Node.js if needed
+if ! command -v node &> /dev/null; then
+  echo "\u{1F4E6} Installing Node.js..."
+  curl -fsSL https://deb.nodesource.com/setup_22.x | $SUDO bash -
+  $SUDO apt-get install -y nodejs
+fi
+
+# 2. Create workspace
+mkdir -p "$INSTALL_PATH/workspace"
+cd "$INSTALL_PATH"
+
+# 3. Install OpenClaw + AgenticMail
+echo "\u{1F4E6} Installing packages..."
+npm init -y 2>/dev/null || true
+npm install openclaw agenticmail @agenticmail/core @agenticmail/openclaw
+
+# 4. Write workspace files
+echo "\u{1F4DD} Writing agent configuration..."
+${Object.entries(this.generateWorkspace(config)).map(
+      ([file, content]) => `cat > "$INSTALL_PATH/workspace/${file}" << 'WORKSPACE_EOF'
+${content}
+WORKSPACE_EOF`
+    ).join("\n\n")}
+
+# 5. Write gateway config
+cat > "$INSTALL_PATH/config.yaml" << 'CONFIG_EOF'
+${JSON.stringify(this.generateGatewayConfig(config), null, 2)}
+CONFIG_EOF
+
+# 6. Install systemd service
+echo "\u2699\uFE0F Installing systemd service..."
+$SUDO tee /etc/systemd/system/agenticmail-${config.name}.service > /dev/null << 'SERVICE_EOF'
+${this.generateSystemdUnit(config)}
+SERVICE_EOF
+
+$SUDO systemctl daemon-reload
+$SUDO systemctl enable agenticmail-${config.name}
+$SUDO systemctl start agenticmail-${config.name}
+
+echo "\u2705 ${config.displayName} deployed and running!"
+echo "   Status: systemctl status agenticmail-${config.name}"
+echo "   Logs:   journalctl -u agenticmail-${config.name} -f"
+`;
+  }
+  // ─── Private Generators ─────────────────────────────
+  generateSoul(config) {
+    if (config.identity.personality) return config.identity.personality;
+    const toneMap = {
+      formal: "Be professional and precise. Use proper grammar. Avoid slang or casual language.",
+      casual: "Be relaxed and conversational. Use contractions. Feel free to be informal.",
+      professional: "Be competent and clear. Direct communication without being stiff.",
+      friendly: "Be warm and approachable. Show genuine interest. Use a positive tone.",
+      custom: config.identity.customTone || ""
+    };
+    return `# SOUL.md \u2014 Who You Are
+
+## Role
+You are **${config.displayName}**, a ${config.identity.role}.
+
+## Communication Style
+${toneMap[config.identity.tone]}
+
+## Language
+Primary language: ${config.identity.language}
+
+## Core Principles
+- Be genuinely helpful, not performatively helpful
+- Be resourceful \u2014 try to figure things out before asking
+- Earn trust through competence
+- Keep private information private
+
+## Boundaries
+- Never share confidential company information
+- Ask before taking irreversible actions
+- Stay within your assigned role and permissions
+`;
+  }
+  generateUser(config) {
+    return config.context?.userInfo || `# USER.md \u2014 About Your Organization
+
+_Configure this from the admin dashboard._
+`;
+  }
+  generateAgents(config) {
+    const customInstructions = config.context?.customInstructions || "";
+    return `# AGENTS.md \u2014 Your Workspace
+
+## Every Session
+1. Read SOUL.md \u2014 this is who you are
+2. Read USER.md \u2014 this is who you're helping
+3. Check memory/ for recent context
+
+## Memory
+- Daily notes: memory/YYYY-MM-DD.md
+- Long-term: MEMORY.md
+
+## Safety
+- Don't exfiltrate private data
+- Don't run destructive commands without asking
+- When in doubt, ask
+
+${customInstructions}
+`;
+  }
+  generateIdentity(config) {
+    return `# IDENTITY.md
+
+- **Name:** ${config.displayName}
+- **Role:** ${config.identity.role}
+- **Tone:** ${config.identity.tone}
+`;
+  }
+  generateHeartbeat(config) {
+    if (!config.heartbeat.enabled) return "# HEARTBEAT.md\n# Heartbeat disabled\n";
+    const checks = config.heartbeat.checks.map((c) => `- Check ${c}`).join("\n");
+    return `# HEARTBEAT.md
+
+## Periodic Checks
+${checks}
+
+## Schedule
+Check every ${config.heartbeat.intervalMinutes} minutes during active hours.
+`;
+  }
+  generateTools(config) {
+    return `# TOOLS.md \u2014 Local Notes
+
+_Add environment-specific notes here (camera names, SSH hosts, etc.)_
+`;
+  }
+};
+
+// src/engine/deployer.ts
+var DeploymentEngine = class {
+  configGen = new AgentConfigGenerator();
+  deployments = /* @__PURE__ */ new Map();
+  liveStatus = /* @__PURE__ */ new Map();
+  /**
+   * Deploy an agent to its configured target
+   */
+  async deploy(config, onEvent) {
+    const events = [];
+    const emit = (phase, status, message, details) => {
+      const event = { timestamp: (/* @__PURE__ */ new Date()).toISOString(), phase, status, message, details };
+      events.push(event);
+      onEvent?.(event);
+    };
+    try {
+      emit("validate", "started", "Validating agent configuration...");
+      this.validateConfig(config);
+      emit("validate", "completed", "Configuration valid");
+      let result;
+      switch (config.deployment.target) {
+        case "docker":
+          result = await this.deployDocker(config, emit);
+          break;
+        case "vps":
+          result = await this.deployVPS(config, emit);
+          break;
+        case "fly":
+          result = await this.deployFly(config, emit);
+          break;
+        case "railway":
+          result = await this.deployRailway(config, emit);
+          break;
+        default:
+          throw new Error(`Unsupported deployment target: ${config.deployment.target}`);
+      }
+      result.events = events;
+      this.deployments.set(config.id, result);
+      return result;
+    } catch (error) {
+      emit("complete", "failed", `Deployment failed: ${error.message}`);
+      const result = { success: false, events, error: error.message };
+      this.deployments.set(config.id, result);
+      return result;
+    }
+  }
+  /**
+   * Stop a running agent
+   */
+  async stop(config) {
+    switch (config.deployment.target) {
+      case "docker":
+        return this.execCommand(`docker stop agenticmail-${config.name} && docker rm agenticmail-${config.name}`);
+      case "vps":
+        return this.execSSH(config, `sudo systemctl stop agenticmail-${config.name}`);
+      case "fly":
+        return this.execCommand(`fly apps destroy agenticmail-${config.name} --yes`);
+      default:
+        return { success: false, message: `Cannot stop: unsupported target ${config.deployment.target}` };
+    }
+  }
+  /**
+   * Restart a running agent
+   */
+  async restart(config) {
+    switch (config.deployment.target) {
+      case "docker":
+        return this.execCommand(`docker restart agenticmail-${config.name}`);
+      case "vps":
+        return this.execSSH(config, `sudo systemctl restart agenticmail-${config.name}`);
+      case "fly":
+        return this.execCommand(`fly apps restart agenticmail-${config.name}`);
+      default:
+        return { success: false, message: `Cannot restart: unsupported target ${config.deployment.target}` };
+    }
+  }
+  /**
+   * Get live status of a deployed agent
+   */
+  async getStatus(config) {
+    const base = {
+      agentId: config.id,
+      name: config.displayName,
+      status: "not-deployed",
+      healthStatus: "unknown"
+    };
+    try {
+      switch (config.deployment.target) {
+        case "docker":
+          return await this.getDockerStatus(config, base);
+        case "vps":
+          return await this.getVPSStatus(config, base);
+        case "fly":
+          return await this.getCloudStatus(config, base);
+        default:
+          return base;
+      }
+    } catch {
+      return { ...base, status: "error", healthStatus: "unhealthy" };
+    }
+  }
+  /**
+   * Stream logs from a deployed agent
+   */
+  async getLogs(config, lines = 100) {
+    switch (config.deployment.target) {
+      case "docker":
+        return (await this.execCommand(`docker logs --tail ${lines} agenticmail-${config.name}`)).message;
+      case "vps":
+        return (await this.execSSH(config, `journalctl -u agenticmail-${config.name} --no-pager -n ${lines}`)).message;
+      case "fly":
+        return (await this.execCommand(`fly logs -a agenticmail-${config.name} -n ${lines}`)).message;
+      default:
+        return "Log streaming not supported for this target";
+    }
+  }
+  /**
+   * Update a deployed agent's configuration without full redeployment
+   */
+  async updateConfig(config) {
+    const workspace = this.configGen.generateWorkspace(config);
+    const gatewayConfig = this.configGen.generateGatewayConfig(config);
+    switch (config.deployment.target) {
+      case "docker": {
+        for (const [file, content] of Object.entries(workspace)) {
+          const escaped = content.replace(/'/g, "'\\''");
+          await this.execCommand(`docker exec agenticmail-${config.name} sh -c 'echo "${Buffer.from(content).toString("base64")}" | base64 -d > /workspace/${file}'`);
+        }
+        await this.execCommand(`docker exec agenticmail-${config.name} openclaw gateway restart`);
+        return { success: true, message: "Configuration updated and gateway restarted" };
+      }
+      case "vps": {
+        const vps = config.deployment.config.vps;
+        for (const [file, content] of Object.entries(workspace)) {
+          await this.execSSH(config, `cat > ${vps.installPath}/workspace/${file} << 'EOF'
+${content}
+EOF`);
+        }
+        await this.execSSH(config, `sudo systemctl restart agenticmail-${config.name}`);
+        return { success: true, message: "Configuration updated and service restarted" };
+      }
+      default:
+        return { success: false, message: "Hot config update not supported for this target" };
+    }
+  }
+  // ─── Docker Deployment ────────────────────────────────
+  async deployDocker(config, emit) {
+    const dc = config.deployment.config.docker;
+    if (!dc) throw new Error("Docker config missing");
+    emit("provision", "started", "Generating Docker configuration...");
+    const compose = this.configGen.generateDockerCompose(config);
+    emit("provision", "completed", "Docker Compose generated");
+    emit("configure", "started", "Generating agent workspace...");
+    const workspace = this.configGen.generateWorkspace(config);
+    emit("configure", "completed", `Generated ${Object.keys(workspace).length} workspace files`);
+    emit("install", "started", `Pulling image ${dc.image}:${dc.tag}...`);
+    await this.execCommand(`docker pull ${dc.image}:${dc.tag}`);
+    emit("install", "completed", "Image pulled");
+    emit("start", "started", "Starting container...");
+    const envArgs = Object.entries(dc.env).map(([k, v]) => `-e ${k}="${v}"`).join(" ");
+    const volumeArgs = dc.volumes.map((v) => `-v ${v}`).join(" ");
+    const portArgs = dc.ports.map((p) => `-p ${p}:${p}`).join(" ");
+    const runCmd = `docker run -d --name agenticmail-${config.name} --restart ${dc.restart} ${portArgs} ${volumeArgs} ${envArgs} ${dc.resources ? `--cpus="${dc.resources.cpuLimit}" --memory="${dc.resources.memoryLimit}"` : ""} ${dc.image}:${dc.tag}`;
+    const runResult = await this.execCommand(runCmd);
+    if (!runResult.success) {
+      throw new Error(`Container failed to start: ${runResult.message}`);
+    }
+    const containerId = runResult.message.trim().substring(0, 12);
+    emit("start", "completed", `Container ${containerId} running`);
+    emit("upload", "started", "Writing workspace files...");
+    for (const [file, content] of Object.entries(workspace)) {
+      await this.execCommand(`docker exec agenticmail-${config.name} sh -c 'echo "${Buffer.from(content).toString("base64")}" | base64 -d > /workspace/${file}'`);
+    }
+    emit("upload", "completed", "Workspace configured");
+    emit("healthcheck", "started", "Checking agent health...");
+    let healthy = false;
+    for (let i = 0; i < 10; i++) {
+      await new Promise((r) => setTimeout(r, 3e3));
+      const check = await this.execCommand(`docker exec agenticmail-${config.name} openclaw status 2>/dev/null || echo "not ready"`);
+      if (check.success && !check.message.includes("not ready")) {
+        healthy = true;
+        break;
+      }
+    }
+    if (healthy) {
+      emit("healthcheck", "completed", "Agent is healthy");
+      emit("complete", "completed", `Agent "${config.displayName}" deployed successfully`);
+    } else {
+      emit("healthcheck", "failed", "Agent did not become healthy within 30s");
+    }
+    return {
+      success: healthy,
+      containerId,
+      url: `http://localhost:${dc.ports[0]}`,
+      events: []
+    };
+  }
+  // ─── VPS Deployment ───────────────────────────────────
+  async deployVPS(config, emit) {
+    const vps = config.deployment.config.vps;
+    if (!vps) throw new Error("VPS config missing");
+    emit("provision", "started", `Connecting to ${vps.host}...`);
+    const script = this.configGen.generateVPSDeployScript(config);
+    emit("provision", "completed", "Deploy script generated");
+    emit("configure", "started", "Testing SSH connection...");
+    const sshTest = await this.execSSH(config, 'echo "ok"');
+    if (!sshTest.success) {
+      throw new Error(`SSH connection failed: ${sshTest.message}`);
+    }
+    emit("configure", "completed", "SSH connection verified");
+    emit("upload", "started", "Uploading deployment script...");
+    const scriptB64 = Buffer.from(script).toString("base64");
+    await this.execSSH(config, `echo "${scriptB64}" | base64 -d > /tmp/deploy-agenticmail.sh && chmod +x /tmp/deploy-agenticmail.sh`);
+    emit("upload", "completed", "Script uploaded");
+    emit("install", "started", "Running deployment (this may take a few minutes)...");
+    const deployResult = await this.execSSH(config, "bash /tmp/deploy-agenticmail.sh");
+    if (!deployResult.success) {
+      throw new Error(`Deployment script failed: ${deployResult.message}`);
+    }
+    emit("install", "completed", "Installation complete");
+    emit("healthcheck", "started", "Verifying service status...");
+    await new Promise((r) => setTimeout(r, 5e3));
+    const statusCheck = await this.execSSH(config, `systemctl is-active agenticmail-${config.name}`);
+    const isActive = statusCheck.success && statusCheck.message.trim() === "active";
+    if (isActive) {
+      emit("healthcheck", "completed", "Service is active");
+      emit("complete", "completed", `Agent deployed to ${vps.host}`);
+    } else {
+      emit("healthcheck", "failed", "Service not active");
+    }
+    return {
+      success: isActive,
+      sshCommand: `ssh ${vps.user}@${vps.host}${vps.port !== 22 ? ` -p ${vps.port}` : ""}`,
+      events: []
+    };
+  }
+  // ─── Fly.io Deployment ────────────────────────────────
+  async deployFly(config, emit) {
+    const cloud = config.deployment.config.cloud;
+    if (!cloud || cloud.provider !== "fly") throw new Error("Fly.io config missing");
+    const appName = cloud.appName || `agenticmail-${config.name}`;
+    emit("provision", "started", `Creating Fly.io app ${appName}...`);
+    await this.execCommand(`fly apps create ${appName} --org personal`, { FLY_API_TOKEN: cloud.apiToken });
+    emit("provision", "completed", `App ${appName} created`);
+    emit("configure", "started", "Generating Dockerfile...");
+    const dockerfile = this.generateDockerfile(config);
+    const workspace = this.configGen.generateWorkspace(config);
+    const buildDir = `/tmp/agenticmail-build-${config.name}`;
+    await this.execCommand(`mkdir -p ${buildDir}/workspace`);
+    await this.writeFile(`${buildDir}/Dockerfile`, dockerfile);
+    for (const [file, content] of Object.entries(workspace)) {
+      await this.writeFile(`${buildDir}/workspace/${file}`, content);
+    }
+    const flyToml = `
+app = "${appName}"
+primary_region = "${cloud.region || "iad"}"
+
+[build]
+  dockerfile = "Dockerfile"
+
+[http_service]
+  internal_port = 3000
+  force_https = true
+  auto_stop_machines = true
+  auto_start_machines = true
+  min_machines_running = 1
+
+[[vm]]
+  size = "${cloud.size || "shared-cpu-1x"}"
+  memory = "512mb"
+`;
+    await this.writeFile(`${buildDir}/fly.toml`, flyToml);
+    emit("configure", "completed", "Build context ready");
+    emit("install", "started", "Deploying to Fly.io (building + pushing)...");
+    const deployResult = await this.execCommand(`cd ${buildDir} && fly deploy --now`, { FLY_API_TOKEN: cloud.apiToken });
+    emit("install", deployResult.success ? "completed" : "failed", deployResult.message);
+    await this.execCommand(`rm -rf ${buildDir}`);
+    const url = cloud.customDomain || `https://${appName}.fly.dev`;
+    if (deployResult.success) {
+      emit("complete", "completed", `Agent live at ${url}`);
+    }
+    return {
+      success: deployResult.success,
+      url,
+      appId: appName,
+      events: []
+    };
+  }
+  // ─── Railway Deployment ───────────────────────────────
+  async deployRailway(config, emit) {
+    const cloud = config.deployment.config.cloud;
+    if (!cloud || cloud.provider !== "railway") throw new Error("Railway config missing");
+    emit("provision", "started", "Creating Railway project...");
+    const appName = cloud.appName || `agenticmail-${config.name}`;
+    const result = await this.execCommand(`railway init --name ${appName}`, { RAILWAY_TOKEN: cloud.apiToken });
+    emit("provision", result.success ? "completed" : "failed", result.message);
+    return {
+      success: result.success,
+      url: `https://${appName}.up.railway.app`,
+      appId: appName,
+      events: []
+    };
+  }
+  // ─── Status Checkers ──────────────────────────────────
+  async getDockerStatus(config, base) {
+    const inspect = await this.execCommand(`docker inspect agenticmail-${config.name} --format '{{.State.Status}} {{.State.StartedAt}}'`);
+    if (!inspect.success) return { ...base, status: "not-deployed" };
+    const [status, startedAt] = inspect.message.trim().split(" ");
+    const running = status === "running";
+    const uptime = running ? Math.floor((Date.now() - new Date(startedAt).getTime()) / 1e3) : 0;
+    let metrics = void 0;
+    if (running) {
+      const stats = await this.execCommand(`docker stats agenticmail-${config.name} --no-stream --format '{{.CPUPerc}} {{.MemUsage}}'`);
+      if (stats.success) {
+        const parts = stats.message.trim().split(" ");
+        metrics = {
+          cpuPercent: parseFloat(parts[0]) || 0,
+          memoryMb: parseFloat(parts[1]) || 0,
+          toolCallsToday: 0,
+          activeSessionCount: 0,
+          errorRate: 0
+        };
+      }
+    }
+    return {
+      ...base,
+      status: running ? "running" : "stopped",
+      uptime,
+      healthStatus: running ? "healthy" : "unhealthy",
+      lastHealthCheck: (/* @__PURE__ */ new Date()).toISOString(),
+      metrics
+    };
+  }
+  async getVPSStatus(config, base) {
+    const result = await this.execSSH(config, `systemctl is-active agenticmail-${config.name}`);
+    const active = result.success && result.message.trim() === "active";
+    let uptime = 0;
+    if (active) {
+      const uptimeResult = await this.execSSH(config, `systemctl show agenticmail-${config.name} --property=ActiveEnterTimestamp --value`);
+      if (uptimeResult.success) {
+        uptime = Math.floor((Date.now() - new Date(uptimeResult.message.trim()).getTime()) / 1e3);
+      }
+    }
+    return {
+      ...base,
+      status: active ? "running" : "stopped",
+      uptime,
+      healthStatus: active ? "healthy" : "unhealthy",
+      lastHealthCheck: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  async getCloudStatus(config, base) {
+    const cloud = config.deployment.config.cloud;
+    if (!cloud) return base;
+    const appName = cloud.appName || `agenticmail-${config.name}`;
+    const result = await this.execCommand(`fly status -a ${appName} --json`, { FLY_API_TOKEN: cloud.apiToken });
+    if (!result.success) return { ...base, status: "error" };
+    try {
+      const status = JSON.parse(result.message);
+      return {
+        ...base,
+        status: status.Deployed ? "running" : "stopped",
+        healthStatus: status.Deployed ? "healthy" : "unhealthy",
+        endpoint: `https://${appName}.fly.dev`,
+        version: status.Version?.toString()
+      };
+    } catch {
+      return { ...base, status: "error" };
+    }
+  }
+  // ─── Helpers ──────────────────────────────────────────
+  validateConfig(config) {
+    if (!config.name) throw new Error("Agent name is required");
+    if (!config.identity.role) throw new Error("Agent role is required");
+    if (!config.model.modelId) throw new Error("Model ID is required");
+    if (!config.deployment.target) throw new Error("Deployment target is required");
+    switch (config.deployment.target) {
+      case "docker":
+        if (!config.deployment.config.docker) throw new Error("Docker configuration missing");
+        break;
+      case "vps":
+        if (!config.deployment.config.vps?.host) throw new Error("VPS host is required");
+        break;
+      case "fly":
+      case "railway":
+        if (!config.deployment.config.cloud?.apiToken) throw new Error("Cloud API token is required");
+        break;
+    }
+  }
+  generateDockerfile(config) {
+    return `FROM node:22-slim
+
+WORKDIR /app
+
+RUN npm install -g openclaw agenticmail @agenticmail/core @agenticmail/openclaw
+
+COPY workspace/ /workspace/
+
+ENV NODE_ENV=production
+ENV OPENCLAW_MODEL=${config.model.provider}/${config.model.modelId}
+ENV OPENCLAW_THINKING=${config.model.thinkingLevel}
+
+EXPOSE 3000
+
+CMD ["openclaw", "gateway", "start"]
+`;
+  }
+  async execCommand(cmd, env) {
+    const { exec } = await import("child_process");
+    const { promisify } = await import("util");
+    const execAsync = promisify(exec);
+    try {
+      const { stdout, stderr } = await execAsync(cmd, {
+        timeout: 3e5,
+        // 5 min max
+        env: { ...process.env, ...env }
+      });
+      return { success: true, message: stdout || stderr };
+    } catch (error) {
+      return { success: false, message: error.stderr || error.message };
+    }
+  }
+  async execSSH(config, command) {
+    const vps = config.deployment.config.vps;
+    if (!vps) return { success: false, message: "No VPS config" };
+    const sshArgs = [
+      "-o StrictHostKeyChecking=no",
+      `-p ${vps.port || 22}`,
+      vps.sshKeyPath ? `-i ${vps.sshKeyPath}` : "",
+      `${vps.user}@${vps.host}`,
+      `"${command.replace(/"/g, '\\"')}"`
+    ].filter(Boolean).join(" ");
+    return this.execCommand(`ssh ${sshArgs}`);
+  }
+  async writeFile(path, content) {
+    const { writeFile } = await import("fs/promises");
+    const { dirname } = await import("path");
+    const { mkdir } = await import("fs/promises");
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, content, "utf-8");
+  }
+};
+
+// src/engine/approvals.ts
+var ApprovalEngine = class {
+  requests = /* @__PURE__ */ new Map();
+  policies = [];
+  listeners = [];
+  addPolicy(policy) {
+    this.policies.push(policy);
+  }
+  removePolicy(id) {
+    this.policies = this.policies.filter((p) => p.id !== id);
+  }
+  getPolicies() {
+    return [...this.policies];
+  }
+  /**
+   * Check if a tool call needs approval and create a request if so
+   */
+  async requestApproval(opts) {
+    const policy = this.findMatchingPolicy(opts.toolId, opts.riskLevel, opts.sideEffects);
+    if (!policy) return null;
+    const request = {
+      id: crypto.randomUUID(),
+      agentId: opts.agentId,
+      agentName: opts.agentName,
+      toolId: opts.toolId,
+      toolName: opts.toolName,
+      reason: `Policy "${policy.name}" requires approval`,
+      riskLevel: opts.riskLevel,
+      sideEffects: opts.sideEffects,
+      parameters: this.sanitizeParams(opts.parameters),
+      context: opts.context,
+      status: "pending",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      expiresAt: new Date(Date.now() + policy.timeout.minutes * 6e4).toISOString()
+    };
+    this.requests.set(request.id, request);
+    await this.notifyApprovers(request, policy);
+    setTimeout(() => {
+      const req = this.requests.get(request.id);
+      if (req && req.status === "pending") {
+        req.status = "expired";
+        if (policy.timeout.defaultAction === "allow") {
+          req.status = "approved";
+          req.decision = {
+            by: "system",
+            action: "approve",
+            reason: "Auto-approved: approval timeout expired",
+            timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          };
+        }
+        this.notifyListeners(req);
+      }
+    }, policy.timeout.minutes * 6e4);
+    this.notifyListeners(request);
+    return request;
+  }
+  /**
+   * Approve or deny a pending request
+   */
+  decide(requestId, decision) {
+    const request = this.requests.get(requestId);
+    if (!request || request.status !== "pending") return null;
+    request.status = decision.action === "approve" ? "approved" : "denied";
+    request.decision = { ...decision, timestamp: (/* @__PURE__ */ new Date()).toISOString() };
+    this.notifyListeners(request);
+    return request;
+  }
+  /**
+   * Get all pending requests (for the dashboard)
+   */
+  getPendingRequests(agentId) {
+    const all = Array.from(this.requests.values()).filter((r) => r.status === "pending");
+    return agentId ? all.filter((r) => r.agentId === agentId) : all;
+  }
+  /**
+   * Get request by ID
+   */
+  getRequest(id) {
+    return this.requests.get(id);
+  }
+  /**
+   * Get history of all requests
+   */
+  getHistory(opts) {
+    let all = Array.from(this.requests.values()).sort(
+      (a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()
+    );
+    if (opts?.agentId) all = all.filter((r) => r.agentId === opts.agentId);
+    const total = all.length;
+    const offset = opts?.offset || 0;
+    const limit = opts?.limit || 25;
+    return { requests: all.slice(offset, offset + limit), total };
+  }
+  /**
+   * Wait for a specific request to be decided (for sync approval flows)
+   */
+  async waitForDecision(requestId, timeoutMs = 3e5) {
+    return new Promise((resolve, reject) => {
+      const check = setInterval(() => {
+        const req = this.requests.get(requestId);
+        if (req && req.status !== "pending") {
+          clearInterval(check);
+          clearTimeout(timeout);
+          resolve(req);
+        }
+      }, 1e3);
+      const timeout = setTimeout(() => {
+        clearInterval(check);
+        const req = this.requests.get(requestId);
+        if (req) {
+          req.status = "expired";
+          resolve(req);
+        } else {
+          reject(new Error("Request not found"));
+        }
+      }, timeoutMs);
+    });
+  }
+  /**
+   * Subscribe to approval request changes
+   */
+  onRequest(listener) {
+    this.listeners.push(listener);
+    return () => {
+      this.listeners = this.listeners.filter((l) => l !== listener);
+    };
+  }
+  // ─── Private ──────────────────────────────────────────
+  findMatchingPolicy(toolId, riskLevel, sideEffects) {
+    return this.policies.find((p) => {
+      if (!p.enabled) return false;
+      if (p.triggers.toolIds?.includes(toolId)) return true;
+      if (p.triggers.riskLevels?.includes(riskLevel)) return true;
+      if (p.triggers.sideEffects?.some((e) => sideEffects.includes(e))) return true;
+      if (p.triggers.allExternalActions && sideEffects.length > 0) return true;
+      return false;
+    });
+  }
+  sanitizeParams(params) {
+    if (!params) return void 0;
+    const sanitized = { ...params };
+    for (const key of ["password", "token", "secret", "key", "apiKey", "credential"]) {
+      if (key in sanitized) sanitized[key] = "***";
+    }
+    return sanitized;
+  }
+  async notifyApprovers(request, policy) {
+    for (const channel of policy.notify.channels) {
+      switch (channel) {
+        case "webhook":
+          if (policy.notify.webhookUrl) {
+            try {
+              await fetch(policy.notify.webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ type: "approval_request", request })
+              });
+            } catch {
+            }
+          }
+          break;
+      }
+    }
+  }
+  notifyListeners(request) {
+    for (const listener of this.listeners) {
+      try {
+        listener(request);
+      } catch {
+      }
+    }
+  }
+};
+
+// src/engine/lifecycle.ts
+var AgentLifecycleManager = class {
+  agents = /* @__PURE__ */ new Map();
+  healthCheckIntervals = /* @__PURE__ */ new Map();
+  deployer = new DeploymentEngine();
+  configGen = new AgentConfigGenerator();
+  permissions;
+  db;
+  eventListeners = [];
+  constructor(opts) {
+    this.db = opts?.db;
+    this.permissions = opts?.permissions || new PermissionEngine();
+  }
+  // ─── Agent CRUD ─────────────────────────────────────
+  /**
+   * Create a new managed agent (starts in 'draft' state)
+   */
+  async createAgent(orgId, config, createdBy) {
+    const agent = {
+      id: config.id || crypto.randomUUID(),
+      orgId,
+      config,
+      state: "draft",
+      stateHistory: [],
+      health: {
+        status: "unknown",
+        lastCheck: (/* @__PURE__ */ new Date()).toISOString(),
+        uptime: 0,
+        consecutiveFailures: 0,
+        checks: []
+      },
+      usage: this.emptyUsage(),
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      version: 1
+    };
+    this.agents.set(agent.id, agent);
+    await this.persistAgent(agent);
+    this.emitEvent(agent, "created", { createdBy });
+    return agent;
+  }
+  /**
+   * Update agent configuration (must be in draft, ready, stopped, or error state)
+   */
+  async updateConfig(agentId, updates, updatedBy) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    const mutableStates = ["draft", "ready", "stopped", "error"];
+    if (!mutableStates.includes(agent.state)) {
+      throw new Error(`Cannot update config in state "${agent.state}". Stop the agent first.`);
+    }
+    agent.config = { ...agent.config, ...updates, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+    agent.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    agent.version++;
+    if (agent.state === "draft" && this.isConfigComplete(agent.config)) {
+      this.transition(agent, "ready", "Configuration complete", updatedBy);
+    } else if (agent.state !== "draft") {
+      this.transition(agent, "ready", "Configuration updated", updatedBy);
+    }
+    await this.persistAgent(agent);
+    this.emitEvent(agent, "configured", { updatedBy, changes: Object.keys(updates) });
+    return agent;
+  }
+  /**
+   * Deploy an agent to its target environment
+   */
+  async deploy(agentId, deployedBy) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    if (!["ready", "stopped", "error"].includes(agent.state)) {
+      throw new Error(`Cannot deploy from state "${agent.state}"`);
+    }
+    if (!this.isConfigComplete(agent.config)) {
+      throw new Error("Agent configuration is incomplete");
+    }
+    this.transition(agent, "provisioning", "Deployment initiated", deployedBy);
+    await this.persistAgent(agent);
+    try {
+      this.transition(agent, "deploying", "Pushing configuration", "system");
+      const result = await this.deployer.deploy(agent.config, (event) => {
+        this.emitEvent(agent, "deployed", { phase: event.phase, status: event.status, message: event.message });
+      });
+      if (result.success) {
+        this.transition(agent, "starting", "Deployment successful, agent starting", "system");
+        agent.lastDeployedAt = (/* @__PURE__ */ new Date()).toISOString();
+        const healthy = await this.waitForHealthy(agent, 6e4);
+        if (healthy) {
+          this.transition(agent, "running", "Agent is healthy and running", "system");
+          this.startHealthCheckLoop(agent);
+        } else {
+          this.transition(agent, "degraded", "Agent started but health check failed", "system");
+          this.startHealthCheckLoop(agent);
+        }
+      } else {
+        this.transition(agent, "error", `Deployment failed: ${result.error}`, "system");
+      }
+      await this.persistAgent(agent);
+      return agent;
+    } catch (error) {
+      this.transition(agent, "error", `Deployment error: ${error.message}`, "system");
+      await this.persistAgent(agent);
+      throw error;
+    }
+  }
+  /**
+   * Stop a running agent
+   */
+  async stop(agentId, stoppedBy, reason) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    if (!["running", "degraded", "starting", "error"].includes(agent.state)) {
+      throw new Error(`Cannot stop from state "${agent.state}"`);
+    }
+    this.stopHealthCheckLoop(agentId);
+    try {
+      await this.deployer.stop(agent.config);
+      this.transition(agent, "stopped", reason || "Stopped by user", stoppedBy);
+    } catch (error) {
+      this.transition(agent, "stopped", `Stopped with error: ${error.message}`, stoppedBy);
+    }
+    await this.persistAgent(agent);
+    this.emitEvent(agent, "stopped", { stoppedBy, reason });
+    return agent;
+  }
+  /**
+   * Restart a running agent
+   */
+  async restart(agentId, restartedBy) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    this.transition(agent, "updating", "Restarting", restartedBy);
+    try {
+      await this.deployer.restart(agent.config);
+      const healthy = await this.waitForHealthy(agent, 3e4);
+      this.transition(agent, healthy ? "running" : "degraded", "Restarted", "system");
+    } catch (error) {
+      this.transition(agent, "error", `Restart failed: ${error.message}`, "system");
+    }
+    await this.persistAgent(agent);
+    this.emitEvent(agent, "restarted", { restartedBy });
+    return agent;
+  }
+  /**
+   * Hot-update config on a running agent (no full redeploy)
+   */
+  async hotUpdate(agentId, updates, updatedBy) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    if (agent.state !== "running" && agent.state !== "degraded") {
+      throw new Error(`Hot update only works on running agents (current: "${agent.state}")`);
+    }
+    const prevState = agent.state;
+    this.transition(agent, "updating", "Hot config update", updatedBy);
+    agent.config = { ...agent.config, ...updates, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+    agent.version++;
+    try {
+      await this.deployer.updateConfig(agent.config);
+      this.transition(agent, prevState, "Config updated successfully", "system");
+    } catch (error) {
+      this.transition(agent, "degraded", `Config update failed: ${error.message}`, "system");
+    }
+    await this.persistAgent(agent);
+    this.emitEvent(agent, "updated", { updatedBy, hotUpdate: true });
+    return agent;
+  }
+  /**
+   * Destroy an agent completely (stop + delete all resources)
+   */
+  async destroy(agentId, destroyedBy) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    this.transition(agent, "destroying", "Agent being destroyed", destroyedBy);
+    this.stopHealthCheckLoop(agentId);
+    if (["running", "degraded", "starting"].includes(agent.state)) {
+      try {
+        await this.deployer.stop(agent.config);
+      } catch {
+      }
+    }
+    this.emitEvent(agent, "destroyed", { destroyedBy });
+    this.agents.delete(agentId);
+  }
+  // ─── Monitoring ─────────────────────────────────────
+  /**
+   * Record a tool call for usage tracking
+   */
+  recordToolCall(agentId, toolId, opts) {
+    const agent = this.agents.get(agentId);
+    if (!agent) return;
+    const usage = agent.usage;
+    usage.toolCallsToday++;
+    usage.toolCallsThisMonth++;
+    if (opts?.tokensUsed) {
+      usage.tokensToday += opts.tokensUsed;
+      usage.tokensThisMonth += opts.tokensUsed;
+    }
+    if (opts?.costUsd) {
+      usage.costToday += opts.costUsd;
+      usage.costThisMonth += opts.costUsd;
+    }
+    if (opts?.isExternalAction) {
+      usage.externalActionsToday++;
+      usage.externalActionsThisMonth++;
+    }
+    if (opts?.error) {
+      usage.errorsToday++;
+    }
+    usage.lastUpdated = (/* @__PURE__ */ new Date()).toISOString();
+    if (usage.tokenBudgetMonthly > 0 && usage.tokensThisMonth >= usage.tokenBudgetMonthly) {
+      this.emitEvent(agent, "budget_exceeded", { type: "tokens", used: usage.tokensThisMonth, budget: usage.tokenBudgetMonthly });
+      this.stop(agentId, "system", "Monthly token budget exceeded").catch(() => {
+      });
+    } else if (usage.tokenBudgetMonthly > 0 && usage.tokensThisMonth >= usage.tokenBudgetMonthly * 0.8) {
+      this.emitEvent(agent, "budget_warning", { type: "tokens", used: usage.tokensThisMonth, budget: usage.tokenBudgetMonthly, percent: 80 });
+    }
+    if (usage.costBudgetMonthly > 0 && usage.costThisMonth >= usage.costBudgetMonthly) {
+      this.emitEvent(agent, "budget_exceeded", { type: "cost", used: usage.costThisMonth, budget: usage.costBudgetMonthly });
+      this.stop(agentId, "system", "Monthly cost budget exceeded").catch(() => {
+      });
+    }
+    this.emitEvent(agent, "tool_call", { toolId, ...opts });
+  }
+  /**
+   * Get all agents for an org
+   */
+  getAgentsByOrg(orgId) {
+    return Array.from(this.agents.values()).filter((a) => a.orgId === orgId);
+  }
+  /**
+   * Get a single agent
+   */
+  getAgent(agentId) {
+    return this.agents.get(agentId);
+  }
+  /**
+   * Get org-wide usage summary
+   */
+  getOrgUsage(orgId) {
+    const agents = this.getAgentsByOrg(orgId);
+    return {
+      totalAgents: agents.length,
+      runningAgents: agents.filter((a) => a.state === "running").length,
+      totalTokensToday: agents.reduce((sum, a) => sum + a.usage.tokensToday, 0),
+      totalCostToday: agents.reduce((sum, a) => sum + a.usage.costToday, 0),
+      totalToolCallsToday: agents.reduce((sum, a) => sum + a.usage.toolCallsToday, 0),
+      totalErrorsToday: agents.reduce((sum, a) => sum + a.usage.errorsToday, 0),
+      agents: agents.map((a) => ({ id: a.id, name: a.config.displayName, state: a.state, usage: a.usage }))
+    };
+  }
+  /**
+   * Subscribe to lifecycle events (for dashboard real-time updates)
+   */
+  onEvent(listener) {
+    this.eventListeners.push(listener);
+    return () => {
+      this.eventListeners = this.eventListeners.filter((l) => l !== listener);
+    };
+  }
+  /**
+   * Reset daily counters (call at midnight via cron)
+   */
+  resetDailyCounters() {
+    for (const agent of this.agents.values()) {
+      agent.usage.tokensToday = 0;
+      agent.usage.toolCallsToday = 0;
+      agent.usage.externalActionsToday = 0;
+      agent.usage.costToday = 0;
+      agent.usage.errorsToday = 0;
+      agent.usage.totalSessionsToday = 0;
+    }
+  }
+  /**
+   * Reset monthly counters (call on 1st of month)
+   */
+  resetMonthlyCounters() {
+    for (const agent of this.agents.values()) {
+      agent.usage.tokensThisMonth = 0;
+      agent.usage.toolCallsThisMonth = 0;
+      agent.usage.externalActionsThisMonth = 0;
+      agent.usage.costThisMonth = 0;
+    }
+  }
+  // ─── Health Check Loop ────────────────────────────────
+  startHealthCheckLoop(agent) {
+    this.stopHealthCheckLoop(agent.id);
+    const interval = setInterval(async () => {
+      try {
+        const status = await this.deployer.getStatus(agent.config);
+        agent.lastHealthCheckAt = (/* @__PURE__ */ new Date()).toISOString();
+        const check = {
+          name: "deployment_status",
+          status: status.status === "running" ? "pass" : "fail",
+          message: `Status: ${status.status}, Health: ${status.healthStatus}`,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          durationMs: 0
+        };
+        agent.health.checks = [check, ...agent.health.checks].slice(0, 10);
+        if (status.status === "running" && status.healthStatus === "healthy") {
+          agent.health.status = "healthy";
+          agent.health.consecutiveFailures = 0;
+          if (status.uptime) agent.health.uptime = status.uptime;
+          if (status.metrics) {
+            agent.usage.activeSessionCount = status.metrics.activeSessionCount;
+          }
+          if (agent.state === "degraded") {
+            this.transition(agent, "running", "Health restored", "system");
+            this.emitEvent(agent, "auto_recovered", {});
+          }
+        } else {
+          agent.health.consecutiveFailures++;
+          agent.health.status = agent.health.consecutiveFailures >= 3 ? "unhealthy" : "degraded";
+          if (agent.state === "running" && agent.health.consecutiveFailures >= 2) {
+            this.transition(agent, "degraded", `Health degraded: ${agent.health.consecutiveFailures} consecutive failures`, "system");
+          }
+          if (agent.health.consecutiveFailures >= 5 && agent.state !== "error") {
+            this.emitEvent(agent, "auto_recovered", { action: "restart", failures: agent.health.consecutiveFailures });
+            agent.health.consecutiveFailures = 0;
+            try {
+              await this.deployer.restart(agent.config);
+              this.transition(agent, "starting", "Auto-restarted after health failures", "system");
+            } catch {
+              this.transition(agent, "error", "Auto-restart failed", "system");
+            }
+          }
+        }
+        agent.health.lastCheck = (/* @__PURE__ */ new Date()).toISOString();
+        await this.persistAgent(agent);
+      } catch (error) {
+        agent.health.consecutiveFailures++;
+        agent.health.status = "unhealthy";
+      }
+    }, 3e4);
+    this.healthCheckIntervals.set(agent.id, interval);
+  }
+  stopHealthCheckLoop(agentId) {
+    const interval = this.healthCheckIntervals.get(agentId);
+    if (interval) {
+      clearInterval(interval);
+      this.healthCheckIntervals.delete(agentId);
+    }
+  }
+  // ─── Private Helpers ──────────────────────────────────
+  transition(agent, to, reason, triggeredBy) {
+    const from = agent.state;
+    agent.stateHistory.push({
+      from,
+      to,
+      reason,
+      triggeredBy,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    if (agent.stateHistory.length > 50) agent.stateHistory = agent.stateHistory.slice(-50);
+    agent.state = to;
+    agent.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  }
+  isConfigComplete(config) {
+    return !!(config.name && config.displayName && config.identity?.role && config.model?.modelId && config.deployment?.target && config.permissionProfileId);
+  }
+  async waitForHealthy(agent, timeoutMs) {
+    const start = Date.now();
+    while (Date.now() - start < timeoutMs) {
+      try {
+        const status = await this.deployer.getStatus(agent.config);
+        if (status.status === "running") return true;
+      } catch {
+      }
+      await new Promise((r) => setTimeout(r, 3e3));
+    }
+    return false;
+  }
+  async persistAgent(agent) {
+    this.agents.set(agent.id, agent);
+  }
+  emitEvent(agent, type, data) {
+    const event = {
+      id: crypto.randomUUID(),
+      agentId: agent.id,
+      orgId: agent.orgId,
+      type,
+      data,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    for (const listener of this.eventListeners) {
+      try {
+        listener(event);
+      } catch {
+      }
+    }
+  }
+  emptyUsage() {
+    return {
+      tokensToday: 0,
+      tokensThisMonth: 0,
+      tokenBudgetMonthly: 0,
+      toolCallsToday: 0,
+      toolCallsThisMonth: 0,
+      externalActionsToday: 0,
+      externalActionsThisMonth: 0,
+      costToday: 0,
+      costThisMonth: 0,
+      costBudgetMonthly: 0,
+      activeSessionCount: 0,
+      totalSessionsToday: 0,
+      errorsToday: 0,
+      errorRate1h: 0,
+      lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Cleanup: stop all health check loops
+   */
+  shutdown() {
+    for (const [id] of this.healthCheckIntervals) {
+      this.stopHealthCheckLoop(id);
+    }
+  }
+};
+
+// src/engine/knowledge.ts
+var KnowledgeBaseEngine = class {
+  knowledgeBases = /* @__PURE__ */ new Map();
+  embeddings = /* @__PURE__ */ new Map();
+  // chunkId → embedding
+  /**
+   * Create a new knowledge base
+   */
+  createKnowledgeBase(orgId, opts) {
+    const kb = {
+      id: crypto.randomUUID(),
+      orgId,
+      name: opts.name,
+      description: opts.description,
+      agentIds: opts.agentIds || [],
+      documents: [],
+      stats: { totalDocuments: 0, totalChunks: 0, totalTokens: 0, lastUpdated: (/* @__PURE__ */ new Date()).toISOString() },
+      config: {
+        chunkSize: 512,
+        chunkOverlap: 50,
+        embeddingModel: "text-embedding-3-small",
+        embeddingProvider: "openai",
+        maxResultsPerQuery: 5,
+        minSimilarityScore: 0.7,
+        autoRefreshUrls: false,
+        refreshIntervalHours: 24,
+        ...opts.config
+      },
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.knowledgeBases.set(kb.id, kb);
+    return kb;
+  }
+  /**
+   * Ingest a document into a knowledge base
+   */
+  async ingestDocument(kbId, opts) {
+    const kb = this.knowledgeBases.get(kbId);
+    if (!kb) throw new Error(`Knowledge base ${kbId} not found`);
+    const doc = {
+      id: crypto.randomUUID(),
+      knowledgeBaseId: kbId,
+      name: opts.name,
+      sourceType: opts.sourceType,
+      sourceUrl: opts.sourceUrl,
+      mimeType: opts.mimeType || "text/plain",
+      size: Buffer.byteLength(opts.content, "utf-8"),
+      chunks: [],
+      metadata: opts.metadata || {},
+      status: "processing",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    try {
+      const text = this.extractText(opts.content, doc.mimeType);
+      const chunks = this.chunkText(text, doc.id, kb.config);
+      doc.chunks = chunks;
+      if (kb.config.embeddingProvider !== "none") {
+        await this.generateEmbeddings(chunks, kb.config);
+      }
+      doc.status = "ready";
+      kb.documents.push(doc);
+      kb.stats.totalDocuments = kb.documents.length;
+      kb.stats.totalChunks = kb.documents.reduce((sum, d) => sum + d.chunks.length, 0);
+      kb.stats.totalTokens = kb.documents.reduce((sum, d) => sum + d.chunks.reduce((cs, c) => cs + c.tokenCount, 0), 0);
+      kb.stats.lastUpdated = (/* @__PURE__ */ new Date()).toISOString();
+      kb.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    } catch (error) {
+      doc.status = "error";
+      doc.error = error.message;
+    }
+    return doc;
+  }
+  /**
+   * Search across knowledge bases for an agent
+   */
+  async search(agentId, query, opts) {
+    const kbs = Array.from(this.knowledgeBases.values()).filter((kb) => {
+      if (opts?.kbIds?.length) return opts.kbIds.includes(kb.id);
+      return kb.agentIds.includes(agentId) || kb.agentIds.length === 0;
+    });
+    if (kbs.length === 0) return [];
+    const maxResults = opts?.maxResults || 5;
+    const minScore = opts?.minScore || 0.7;
+    const queryEmbedding = await this.getEmbedding(query, kbs[0].config);
+    const results = [];
+    for (const kb of kbs) {
+      for (const doc of kb.documents) {
+        if (doc.status !== "ready") continue;
+        for (const chunk of doc.chunks) {
+          let score;
+          if (queryEmbedding && chunk.embedding) {
+            score = this.cosineSimilarity(queryEmbedding, chunk.embedding);
+          } else {
+            score = this.keywordScore(query, chunk.content);
+          }
+          if (score >= minScore) {
+            results.push({
+              chunk,
+              document: doc,
+              score,
+              highlight: this.extractHighlight(query, chunk.content)
+            });
+          }
+        }
+      }
+    }
+    return results.sort((a, b) => b.score - a.score).slice(0, maxResults);
+  }
+  /**
+   * Generate context string for an agent's prompt (RAG injection)
+   */
+  async getContext(agentId, query, maxTokens = 2e3) {
+    const results = await this.search(agentId, query);
+    if (results.length === 0) return "";
+    let context = "## Relevant Knowledge Base Context\n\n";
+    let tokenCount = 0;
+    for (const result of results) {
+      const chunkTokens = result.chunk.tokenCount;
+      if (tokenCount + chunkTokens > maxTokens) break;
+      context += `### From: ${result.document.name}`;
+      if (result.chunk.metadata.section) context += ` > ${result.chunk.metadata.section}`;
+      context += `
+${result.chunk.content}
+
+`;
+      tokenCount += chunkTokens;
+    }
+    return context;
+  }
+  // ─── CRUD ───────────────────────────────────────────
+  getKnowledgeBase(id) {
+    return this.knowledgeBases.get(id);
+  }
+  getKnowledgeBasesByOrg(orgId) {
+    return Array.from(this.knowledgeBases.values()).filter((kb) => kb.orgId === orgId);
+  }
+  getKnowledgeBasesForAgent(agentId) {
+    return Array.from(this.knowledgeBases.values()).filter(
+      (kb) => kb.agentIds.includes(agentId) || kb.agentIds.length === 0
+    );
+  }
+  deleteDocument(kbId, docId) {
+    const kb = this.knowledgeBases.get(kbId);
+    if (!kb) return false;
+    const idx = kb.documents.findIndex((d) => d.id === docId);
+    if (idx < 0) return false;
+    for (const chunk of kb.documents[idx].chunks) {
+      this.embeddings.delete(chunk.id);
+    }
+    kb.documents.splice(idx, 1);
+    kb.stats.totalDocuments = kb.documents.length;
+    kb.stats.totalChunks = kb.documents.reduce((sum, d) => sum + d.chunks.length, 0);
+    kb.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    return true;
+  }
+  deleteKnowledgeBase(id) {
+    return this.knowledgeBases.delete(id);
+  }
+  // ─── Text Processing ─────────────────────────────────
+  extractText(content, mimeType) {
+    switch (mimeType) {
+      case "text/html":
+        return content.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim();
+      case "text/csv":
+        return content.split("\n").map((row) => row.replace(/,/g, " | ")).join("\n");
+      default:
+        return content;
+    }
+  }
+  chunkText(text, documentId, config) {
+    const chunks = [];
+    const sentences = this.splitIntoSentences(text);
+    let currentChunk = "";
+    let currentTokens = 0;
+    let position = 0;
+    let currentSection;
+    for (const sentence of sentences) {
+      const headingMatch = sentence.match(/^#+\s+(.+)$/);
+      if (headingMatch) {
+        currentSection = headingMatch[1];
+      }
+      const sentenceTokens = this.estimateTokens(sentence);
+      if (currentTokens + sentenceTokens > config.chunkSize && currentChunk.length > 0) {
+        chunks.push({
+          id: crypto.randomUUID(),
+          documentId,
+          content: currentChunk.trim(),
+          tokenCount: currentTokens,
+          position: position++,
+          metadata: { section: currentSection }
+        });
+        const overlapText = this.getOverlapText(currentChunk, config.chunkOverlap);
+        currentChunk = overlapText + " " + sentence;
+        currentTokens = this.estimateTokens(currentChunk);
+      } else {
+        currentChunk += " " + sentence;
+        currentTokens += sentenceTokens;
+      }
+    }
+    if (currentChunk.trim().length > 0) {
+      chunks.push({
+        id: crypto.randomUUID(),
+        documentId,
+        content: currentChunk.trim(),
+        tokenCount: currentTokens,
+        position,
+        metadata: { section: currentSection }
+      });
+    }
+    return chunks;
+  }
+  splitIntoSentences(text) {
+    return text.split(/(?<=[.!?])\s+|(?=^#+\s)/m).filter((s) => s.trim().length > 0);
+  }
+  estimateTokens(text) {
+    return Math.ceil(text.length / 4);
+  }
+  getOverlapText(text, overlapTokens) {
+    const words = text.split(/\s+/);
+    const overlapWords = Math.ceil(overlapTokens * 0.75);
+    return words.slice(-overlapWords).join(" ");
+  }
+  // ─── Embeddings ─────────────────────────────────────
+  async generateEmbeddings(chunks, config) {
+    if (config.embeddingProvider === "openai") {
+      const apiKey = process.env.OPENAI_API_KEY;
+      if (!apiKey) return;
+      const batchSize = 100;
+      for (let i = 0; i < chunks.length; i += batchSize) {
+        const batch = chunks.slice(i, i + batchSize);
+        try {
+          const response = await fetch("https://api.openai.com/v1/embeddings", {
+            method: "POST",
+            headers: { "Content-Type": "application/json", "Authorization": `Bearer ${apiKey}` },
+            body: JSON.stringify({
+              model: config.embeddingModel,
+              input: batch.map((c) => c.content)
+            })
+          });
+          if (response.ok) {
+            const data = await response.json();
+            for (let j = 0; j < data.data.length; j++) {
+              batch[j].embedding = data.data[j].embedding;
+              this.embeddings.set(batch[j].id, data.data[j].embedding);
+            }
+          }
+        } catch {
+        }
+      }
+    }
+  }
+  async getEmbedding(text, config) {
+    if (config.embeddingProvider !== "openai") return null;
+    const apiKey = process.env.OPENAI_API_KEY;
+    if (!apiKey) return null;
+    try {
+      const response = await fetch("https://api.openai.com/v1/embeddings", {
+        method: "POST",
+        headers: { "Content-Type": "application/json", "Authorization": `Bearer ${apiKey}` },
+        body: JSON.stringify({ model: config.embeddingModel, input: text })
+      });
+      if (response.ok) {
+        const data = await response.json();
+        return data.data[0].embedding;
+      }
+    } catch {
+    }
+    return null;
+  }
+  cosineSimilarity(a, b) {
+    if (a.length !== b.length) return 0;
+    let dotProduct = 0, normA = 0, normB = 0;
+    for (let i = 0; i < a.length; i++) {
+      dotProduct += a[i] * b[i];
+      normA += a[i] * a[i];
+      normB += b[i] * b[i];
+    }
+    const denominator = Math.sqrt(normA) * Math.sqrt(normB);
+    return denominator === 0 ? 0 : dotProduct / denominator;
+  }
+  keywordScore(query, content) {
+    const queryWords = query.toLowerCase().split(/\s+/).filter((w) => w.length > 2);
+    const contentLower = content.toLowerCase();
+    let matches = 0;
+    for (const word of queryWords) {
+      if (contentLower.includes(word)) matches++;
+    }
+    return queryWords.length > 0 ? matches / queryWords.length : 0;
+  }
+  extractHighlight(query, content, maxLength = 200) {
+    const queryWords = query.toLowerCase().split(/\s+/).filter((w) => w.length > 2);
+    const sentences = content.split(/[.!?]+/).filter((s) => s.trim().length > 0);
+    let bestSentence = sentences[0] || content.slice(0, maxLength);
+    let bestScore = 0;
+    for (const sentence of sentences) {
+      const lower = sentence.toLowerCase();
+      const score = queryWords.filter((w) => lower.includes(w)).length;
+      if (score > bestScore) {
+        bestScore = score;
+        bestSentence = sentence;
+      }
+    }
+    return bestSentence.trim().slice(0, maxLength) + (bestSentence.length > maxLength ? "..." : "");
+  }
+};
+
+// src/engine/tenant.ts
+var PLAN_LIMITS = {
+  free: {
+    maxAgents: 3,
+    maxUsers: 5,
+    maxKnowledgeBases: 1,
+    maxDocumentsPerKB: 10,
+    maxStorageMb: 100,
+    tokenBudgetMonthly: 1e6,
+    apiCallsPerMinute: 30,
+    deploymentTargets: ["docker", "local"],
+    features: ["knowledge-base"]
+  },
+  team: {
+    maxAgents: 25,
+    maxUsers: 50,
+    maxKnowledgeBases: 10,
+    maxDocumentsPerKB: 100,
+    maxStorageMb: 5e3,
+    tokenBudgetMonthly: 1e7,
+    apiCallsPerMinute: 120,
+    deploymentTargets: ["docker", "vps", "fly", "railway", "local"],
+    features: ["knowledge-base", "api-access", "webhooks", "approval-workflows", "sso", "audit-export", "custom-skills"]
+  },
+  enterprise: {
+    maxAgents: 999999,
+    maxUsers: 999999,
+    maxKnowledgeBases: 999,
+    maxDocumentsPerKB: 1e4,
+    maxStorageMb: 1e5,
+    tokenBudgetMonthly: 0,
+    // Unlimited
+    apiCallsPerMinute: 600,
+    deploymentTargets: ["docker", "vps", "fly", "railway", "aws", "gcp", "azure", "local"],
+    features: ["knowledge-base", "api-access", "webhooks", "approval-workflows", "sso", "audit-export", "custom-skills", "custom-domain", "priority-support", "sla", "data-residency", "ip-allowlist", "multi-deploy", "white-label"]
+  },
+  "self-hosted": {
+    maxAgents: 999999,
+    maxUsers: 999999,
+    maxKnowledgeBases: 999,
+    maxDocumentsPerKB: 1e4,
+    maxStorageMb: 999999,
+    tokenBudgetMonthly: 0,
+    apiCallsPerMinute: 999,
+    deploymentTargets: ["docker", "vps", "fly", "railway", "aws", "gcp", "azure", "local"],
+    features: ["knowledge-base", "api-access", "webhooks", "approval-workflows", "sso", "audit-export", "custom-skills", "custom-domain", "data-residency", "ip-allowlist", "multi-deploy", "white-label"]
+  }
+};
+var TenantManager = class {
+  orgs = /* @__PURE__ */ new Map();
+  /**
+   * Create a new organization
+   */
+  createOrg(opts) {
+    if (this.orgs.has(opts.slug)) {
+      throw new Error(`Organization slug "${opts.slug}" already exists`);
+    }
+    const limits = { ...PLAN_LIMITS[opts.plan] };
+    const org = {
+      id: crypto.randomUUID(),
+      name: opts.name,
+      slug: opts.slug,
+      plan: opts.plan,
+      limits,
+      usage: {
+        agents: 0,
+        users: 1,
+        tokensThisMonth: 0,
+        costThisMonth: 0,
+        storageMb: 0,
+        apiCallsToday: 0,
+        deploymentsThisMonth: 0,
+        lastUpdated: (/* @__PURE__ */ new Date()).toISOString()
+      },
+      allowedDomains: [],
+      settings: {
+        defaultModel: "anthropic/claude-sonnet-4-20250514",
+        defaultPermissionProfile: "Customer Support Agent",
+        requireApprovalForDeploy: true,
+        auditRetentionDays: opts.plan === "free" ? 30 : opts.plan === "team" ? 90 : 365,
+        dataRegion: "us-east-1",
+        ...opts.settings
+      },
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.orgs.set(org.id, org);
+    return org;
+  }
+  /**
+   * Check if an org can perform an action (within limits)
+   */
+  checkLimit(orgId, resource, currentCount) {
+    const org = this.orgs.get(orgId);
+    if (!org) throw new Error(`Organization ${orgId} not found`);
+    const limit = org.limits[resource];
+    if (typeof limit !== "number") return { allowed: true, limit: 0, current: 0, remaining: 0 };
+    let current = currentCount ?? 0;
+    if (!currentCount) {
+      switch (resource) {
+        case "maxAgents":
+          current = org.usage.agents;
+          break;
+        case "maxUsers":
+          current = org.usage.users;
+          break;
+        case "tokenBudgetMonthly":
+          current = org.usage.tokensThisMonth;
+          break;
+        case "maxStorageMb":
+          current = org.usage.storageMb;
+          break;
+      }
+    }
+    const remaining = Math.max(0, limit - current);
+    return {
+      allowed: limit === 0 || current < limit,
+      // 0 = unlimited
+      limit,
+      current,
+      remaining
+    };
+  }
+  /**
+   * Check if an org has a specific feature
+   */
+  hasFeature(orgId, feature) {
+    const org = this.orgs.get(orgId);
+    if (!org) return false;
+    return org.limits.features.includes(feature);
+  }
+  /**
+   * Check if a deployment target is allowed for this org's plan
+   */
+  canDeployTo(orgId, target) {
+    const org = this.orgs.get(orgId);
+    if (!org) return false;
+    return org.limits.deploymentTargets.includes(target);
+  }
+  /**
+   * Record usage (tokens, API calls, etc.)
+   */
+  recordUsage(orgId, update) {
+    const org = this.orgs.get(orgId);
+    if (!org) return;
+    if (update.tokensThisMonth) org.usage.tokensThisMonth += update.tokensThisMonth;
+    if (update.costThisMonth) org.usage.costThisMonth += update.costThisMonth;
+    if (update.apiCallsToday) org.usage.apiCallsToday += update.apiCallsToday;
+    if (update.storageMb) org.usage.storageMb = update.storageMb;
+    if (update.deploymentsThisMonth) org.usage.deploymentsThisMonth += update.deploymentsThisMonth;
+    org.usage.lastUpdated = (/* @__PURE__ */ new Date()).toISOString();
+  }
+  /**
+   * Upgrade/downgrade org plan
+   */
+  changePlan(orgId, newPlan) {
+    const org = this.orgs.get(orgId);
+    if (!org) throw new Error(`Organization ${orgId} not found`);
+    org.plan = newPlan;
+    org.limits = { ...PLAN_LIMITS[newPlan] };
+    org.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    org.settings.auditRetentionDays = newPlan === "free" ? 30 : newPlan === "team" ? 90 : 365;
+    return org;
+  }
+  getOrg(id) {
+    return this.orgs.get(id);
+  }
+  getOrgBySlug(slug) {
+    return Array.from(this.orgs.values()).find((o) => o.slug === slug);
+  }
+  listOrgs() {
+    return Array.from(this.orgs.values());
+  }
+  /**
+   * Single-tenant mode: create default org with unlimited (self-hosted) plan.
+   * For open-source / self-hosted deployments that don't need multi-tenancy.
+   */
+  createDefaultOrg(name = "Default") {
+    const existing = this.getOrgBySlug("default");
+    if (existing) return existing;
+    return this.createOrg({
+      name,
+      slug: "default",
+      plan: "self-hosted",
+      adminEmail: "admin@localhost",
+      settings: { requireApprovalForDeploy: false }
+    });
+  }
+  /**
+   * Is this a single-tenant deployment?
+   */
+  isSingleTenant() {
+    const orgs = this.listOrgs();
+    return orgs.length === 1 && orgs[0].slug === "default";
+  }
+  /**
+   * Reset daily counters for all orgs
+   */
+  resetDailyCounters() {
+    for (const org of this.orgs.values()) {
+      org.usage.apiCallsToday = 0;
+    }
+  }
+  /**
+   * Reset monthly counters for all orgs
+   */
+  resetMonthlyCounters() {
+    for (const org of this.orgs.values()) {
+      org.usage.tokensThisMonth = 0;
+      org.usage.costThisMonth = 0;
+      org.usage.deploymentsThisMonth = 0;
+    }
+  }
+};
+
+// src/engine/activity.ts
+var ActivityTracker = class {
+  events = [];
+  toolCalls = /* @__PURE__ */ new Map();
+  conversations = [];
+  listeners = [];
+  sseClients = /* @__PURE__ */ new Set();
+  // Buffer settings
+  maxEvents = 1e4;
+  // Keep last N events in memory
+  maxToolCalls = 5e3;
+  maxConversations = 5e3;
+  // ─── Record Events ───────────────────────────────────
+  /**
+   * Record a generic activity event
+   */
+  record(event) {
+    const full = {
+      ...event,
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.events.push(full);
+    if (this.events.length > this.maxEvents) {
+      this.events = this.events.slice(-this.maxEvents);
+    }
+    for (const listener of this.listeners) {
+      try {
+        listener(full);
+      } catch {
+      }
+    }
+    for (const client of this.sseClients) {
+      try {
+        client(full);
+      } catch {
+        this.sseClients.delete(client);
+      }
+    }
+    return full;
+  }
+  /**
+   * Record a tool call starting
+   */
+  startToolCall(opts) {
+    const record = {
+      id: crypto.randomUUID(),
+      agentId: opts.agentId,
+      orgId: opts.orgId,
+      sessionId: opts.sessionId,
+      toolId: opts.toolId,
+      toolName: opts.toolName,
+      parameters: this.sanitizeParams(opts.parameters),
+      timing: { startedAt: (/* @__PURE__ */ new Date()).toISOString() },
+      permission: opts.permission
+    };
+    this.toolCalls.set(record.id, record);
+    if (this.toolCalls.size > this.maxToolCalls) {
+      const keys = Array.from(this.toolCalls.keys());
+      for (let i = 0; i < 1e3; i++) this.toolCalls.delete(keys[i]);
+    }
+    this.record({
+      agentId: opts.agentId,
+      orgId: opts.orgId,
+      sessionId: opts.sessionId,
+      type: opts.permission.allowed ? "tool_call_start" : "tool_blocked",
+      data: { toolCallId: record.id, toolId: opts.toolId, toolName: opts.toolName }
+    });
+    return record;
+  }
+  /**
+   * Record a tool call completing
+   */
+  endToolCall(toolCallId, result) {
+    const record = this.toolCalls.get(toolCallId);
+    if (!record) return;
+    record.timing.completedAt = (/* @__PURE__ */ new Date()).toISOString();
+    record.timing.durationMs = new Date(record.timing.completedAt).getTime() - new Date(record.timing.startedAt).getTime();
+    record.result = {
+      success: result.success,
+      truncatedOutput: result.output?.slice(0, 500),
+      error: result.error
+    };
+    if (result.inputTokens || result.outputTokens || result.costUsd) {
+      record.cost = {
+        inputTokens: result.inputTokens || 0,
+        outputTokens: result.outputTokens || 0,
+        estimatedCostUsd: result.costUsd || 0
+      };
+    }
+    this.record({
+      agentId: record.agentId,
+      orgId: record.orgId,
+      sessionId: record.sessionId,
+      type: result.success ? "tool_call_end" : "tool_call_error",
+      data: {
+        toolCallId,
+        toolId: record.toolId,
+        durationMs: record.timing.durationMs,
+        success: result.success,
+        error: result.error
+      }
+    });
+  }
+  /**
+   * Record a conversation message
+   */
+  recordMessage(entry) {
+    const full = {
+      ...entry,
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      content: entry.content.slice(0, 2e3)
+      // Truncate
+    };
+    this.conversations.push(full);
+    if (this.conversations.length > this.maxConversations) {
+      this.conversations = this.conversations.slice(-this.maxConversations);
+    }
+    this.record({
+      agentId: entry.agentId,
+      orgId: "",
+      sessionId: entry.sessionId,
+      type: entry.role === "user" ? "message_received" : "message_sent",
+      data: { messageId: full.id, role: entry.role, channel: entry.channel, tokenCount: entry.tokenCount }
+    });
+    return full;
+  }
+  // ─── Query ──────────────────────────────────────────
+  /**
+   * Get recent events for an agent
+   */
+  getEvents(opts) {
+    let events = [...this.events];
+    if (opts.agentId) events = events.filter((e) => e.agentId === opts.agentId);
+    if (opts.orgId) events = events.filter((e) => e.orgId === opts.orgId);
+    if (opts.types?.length) events = events.filter((e) => opts.types.includes(e.type));
+    if (opts.since) {
+      const sinceTs = new Date(opts.since).getTime();
+      events = events.filter((e) => new Date(e.timestamp).getTime() >= sinceTs);
+    }
+    events.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    return events.slice(0, opts.limit || 50);
+  }
+  /**
+   * Get tool call history for an agent
+   */
+  getToolCalls(opts) {
+    let calls = Array.from(this.toolCalls.values());
+    if (opts.agentId) calls = calls.filter((c) => c.agentId === opts.agentId);
+    if (opts.orgId) calls = calls.filter((c) => c.orgId === opts.orgId);
+    if (opts.toolId) calls = calls.filter((c) => c.toolId === opts.toolId);
+    calls.sort((a, b) => new Date(b.timing.startedAt).getTime() - new Date(a.timing.startedAt).getTime());
+    return calls.slice(0, opts.limit || 50);
+  }
+  /**
+   * Get conversation history for a session
+   */
+  getConversation(sessionId, limit = 50) {
+    return this.conversations.filter((c) => c.sessionId === sessionId).sort((a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()).slice(-limit);
+  }
+  /**
+   * Generate a daily timeline for an agent
+   */
+  getTimeline(agentId, date) {
+    const dayStart = /* @__PURE__ */ new Date(date + "T00:00:00Z");
+    const dayEnd = /* @__PURE__ */ new Date(date + "T23:59:59Z");
+    const dayEvents = this.events.filter((e) => {
+      if (e.agentId !== agentId) return false;
+      const ts = new Date(e.timestamp).getTime();
+      return ts >= dayStart.getTime() && ts <= dayEnd.getTime();
+    });
+    const dayToolCalls = Array.from(this.toolCalls.values()).filter((tc) => {
+      if (tc.agentId !== agentId) return false;
+      const ts = new Date(tc.timing.startedAt).getTime();
+      return ts >= dayStart.getTime() && ts <= dayEnd.getTime();
+    });
+    const toolCounts = /* @__PURE__ */ new Map();
+    let totalTokens = 0, totalCost = 0, totalErrors = 0;
+    const activeHours = /* @__PURE__ */ new Set();
+    for (const tc of dayToolCalls) {
+      toolCounts.set(tc.toolId, (toolCounts.get(tc.toolId) || 0) + 1);
+      if (tc.cost) {
+        totalTokens += tc.cost.inputTokens + tc.cost.outputTokens;
+        totalCost += tc.cost.estimatedCostUsd;
+      }
+      if (tc.result && !tc.result.success) totalErrors++;
+      activeHours.add(new Date(tc.timing.startedAt).getUTCHours());
+    }
+    const topTools = Array.from(toolCounts.entries()).map(([toolId, count]) => ({ toolId, count })).sort((a, b) => b.count - a.count).slice(0, 10);
+    const totalMessages = dayEvents.filter(
+      (e) => e.type === "message_received" || e.type === "message_sent"
+    ).length;
+    const totalSessions = new Set(dayEvents.filter((e) => e.sessionId).map((e) => e.sessionId)).size;
+    return {
+      agentId,
+      date,
+      events: dayEvents.map((e) => ({
+        timestamp: e.timestamp,
+        type: e.type,
+        summary: this.summarizeEvent(e),
+        details: e.data
+      })),
+      summary: {
+        totalSessions,
+        totalMessages,
+        totalToolCalls: dayToolCalls.length,
+        totalErrors,
+        totalTokens,
+        totalCostUsd: totalCost,
+        topTools,
+        activeHours: Array.from(activeHours).sort((a, b) => a - b)
+      }
+    };
+  }
+  // ─── Real-time Streaming (SSE) ────────────────────────
+  /**
+   * Subscribe to real-time events (for SSE endpoint)
+   */
+  subscribe(callback) {
+    this.sseClients.add(callback);
+    return () => this.sseClients.delete(callback);
+  }
+  /**
+   * Subscribe to events (general listener)
+   */
+  onEvent(listener) {
+    this.listeners.push(listener);
+    return () => {
+      this.listeners = this.listeners.filter((l) => l !== listener);
+    };
+  }
+  // ─── Stats ──────────────────────────────────────────
+  /**
+   * Get real-time stats for dashboard
+   */
+  getStats(orgId) {
+    const fiveMinAgo = new Date(Date.now() - 5 * 6e4).toISOString();
+    let recent = this.events.filter((e) => e.timestamp >= fiveMinAgo);
+    if (orgId) recent = recent.filter((e) => e.orgId === orgId);
+    const toolCalls = recent.filter((e) => e.type === "tool_call_start" || e.type === "tool_call_end");
+    const errors = recent.filter((e) => e.type === "tool_call_error" || e.type === "error");
+    const activeAgents = [...new Set(recent.map((e) => e.agentId))];
+    const activeSessions = new Set(recent.filter((e) => e.sessionId).map((e) => e.sessionId)).size;
+    return {
+      eventsLast5min: recent.length,
+      toolCallsLast5min: toolCalls.length,
+      errorsLast5min: errors.length,
+      activeAgents,
+      activeSessions
+    };
+  }
+  // ─── Private ──────────────────────────────────────────
+  sanitizeParams(params) {
+    const sanitized = { ...params };
+    const sensitiveKeys = ["password", "token", "secret", "key", "apiKey", "credential", "authorization"];
+    for (const key of Object.keys(sanitized)) {
+      if (sensitiveKeys.some((sk) => key.toLowerCase().includes(sk))) {
+        sanitized[key] = "***";
+      }
+      if (typeof sanitized[key] === "string" && sanitized[key].length > 200) {
+        sanitized[key] = sanitized[key].slice(0, 200) + "...";
+      }
+    }
+    return sanitized;
+  }
+  summarizeEvent(event) {
+    switch (event.type) {
+      case "session_start":
+        return "Session started";
+      case "session_end":
+        return "Session ended";
+      case "message_received":
+        return `Received message via ${event.data.channel || "unknown"}`;
+      case "message_sent":
+        return `Sent reply via ${event.data.channel || "unknown"}`;
+      case "tool_call_start":
+        return `Called ${event.data.toolName || event.data.toolId}`;
+      case "tool_call_end":
+        return `${event.data.toolName || event.data.toolId} completed (${event.data.durationMs}ms)`;
+      case "tool_call_error":
+        return `${event.data.toolName || event.data.toolId} failed: ${event.data.error}`;
+      case "tool_blocked":
+        return `Blocked: ${event.data.toolName || event.data.toolId}`;
+      case "email_received":
+        return "Received email";
+      case "email_sent":
+        return "Sent email";
+      case "error":
+        return `Error: ${event.data.message || "Unknown"}`;
+      case "heartbeat":
+        return "Heartbeat check";
+      default:
+        return event.type;
+    }
+  }
+};
+
+export {
+  OPENCLAW_CORE_TOOLS,
+  AGENTICMAIL_TOOLS,
+  ALL_TOOLS,
+  TOOL_INDEX,
+  getToolsBySkill,
+  generateOpenClawToolPolicy,
+  init_tool_catalog,
+  PRESET_PROFILES,
+  BUILTIN_SKILLS,
+  PermissionEngine,
+  AgentConfigGenerator,
+  DeploymentEngine,
+  ApprovalEngine,
+  AgentLifecycleManager,
+  KnowledgeBaseEngine,
+  PLAN_LIMITS,
+  TenantManager,
+  ActivityTracker
+};