@agenticmail/enterprise 0.5.167 → 0.5.169

package/dist/cli-serve-D5G3XNSI.js

@@ -0,0 +1,34 @@
+import "./chunk-KFQGP6VL.js";
+
+// src/cli-serve.ts
+async function runServe(_args) {
+  const DATABASE_URL = process.env.DATABASE_URL;
+  const JWT_SECRET = process.env.JWT_SECRET;
+  const PORT = parseInt(process.env.PORT || "8080", 10);
+  if (!DATABASE_URL) {
+    console.error("ERROR: DATABASE_URL environment variable is required");
+    process.exit(1);
+  }
+  if (!JWT_SECRET) {
+    console.error("ERROR: JWT_SECRET environment variable is required");
+    process.exit(1);
+  }
+  const { createAdapter } = await import("./factory-MBP7N2OQ.js");
+  const { createServer } = await import("./server-O45YMZQ3.js");
+  const db = await createAdapter({
+    type: DATABASE_URL.startsWith("postgres") ? "postgres" : "sqlite",
+    connectionString: DATABASE_URL
+  });
+  await db.migrate();
+  const server = createServer({
+    port: PORT,
+    db,
+    jwtSecret: JWT_SECRET,
+    corsOrigins: ["*"]
+  });
+  await server.start();
+  console.log(`AgenticMail Enterprise server running on :${PORT}`);
+}
+export {
+  runServe
+};

package/dist/cli.js

@@ -47,14 +47,14 @@ Skill Development:
 `);
     break;
   case "serve":
-    import("./cli-serve-ZNKBEF4M.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
+    import("./cli-serve-D5G3XNSI.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
     break;
   case "agent":
-    import("./cli-agent-MX4RTFC5.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
+    import("./cli-agent-SHOCSBKU.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
     break;
   case "setup":
   default:
-    import("./setup-4ZOKKRK3.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-NLVGTWZ3.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/dashboard/pages/agent-detail.js

@@ -6410,6 +6410,227 @@ function ToolSecuritySection(props) {
 // AGENT DETAIL PAGE  (Main Orchestrator)
 // ════════════════════════════════════════════════════════════
 
+// ─── Autonomy Settings Section ──────────────────────────
+
+function AutonomySection(props) {
+  var agentId = props.agentId;
+  var engineAgent = props.engineAgent;
+  var reload = props.reload;
+  var app = useApp();
+  var toast = app.toast;
+
+  var defaults = {
+    enabled: true,
+    clockEnabled: true,
+    dailyCatchupEnabled: true, dailyCatchupHour: 9, dailyCatchupMinute: 0,
+    weeklyCatchupEnabled: true, weeklyCatchupDay: 1, weeklyCatchupHour: 9, weeklyCatchupMinute: 0,
+    goalCheckEnabled: true, goalCheckHours: [14, 17],
+    knowledgeContribEnabled: true, knowledgeContribDay: 5, knowledgeContribHour: 15,
+    escalationEnabled: true, guardrailEnforcementEnabled: true, driveAccessRequestEnabled: true,
+  };
+
+  var existing = (engineAgent?.config?.autonomy) || {};
+  var _form = useState(Object.assign({}, defaults, existing));
+  var form = _form[0]; var setForm = _form[1];
+  var _saving = useState(false);
+  var saving = _saving[0]; var setSaving = _saving[1];
+  var _dirty = useState(false);
+  var dirty = _dirty[0]; var setDirty = _dirty[1];
+
+  var set = function(key, val) {
+    var u = Object.assign({}, form);
+    u[key] = val;
+    setForm(u);
+    setDirty(true);
+  };
+
+  var save = function() {
+    setSaving(true);
+    var ea = engineAgent || {};
+    var isRunning = ea.state === 'running' || ea.state === 'active' || ea.state === 'degraded';
+    var endpoint = isRunning ? '/agents/' + agentId + '/hot-update' : '/agents/' + agentId + '/config';
+    var method = isRunning ? 'POST' : 'PATCH';
+    engineCall(endpoint, {
+      method: method,
+      body: JSON.stringify({ updates: { autonomy: form }, updatedBy: 'dashboard' })
+    }).then(function() {
+      toast('Autonomy settings saved' + (isRunning ? ' (agent will reload within 10 min)' : ''), 'success');
+      setDirty(false);
+      setSaving(false);
+      if (reload) reload();
+    }).catch(function(err) {
+      toast(err.message, 'error');
+      setSaving(false);
+    });
+  };
+
+  var DAYS = ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'];
+
+  var toggleStyle = function(on) {
+    return {
+      width: 40, height: 22, borderRadius: 11,
+      background: on ? 'var(--success)' : 'var(--border)',
+      cursor: 'pointer', position: 'relative', flexShrink: 0,
+      transition: 'background 0.2s', display: 'inline-block',
+    };
+  };
+  var knobStyle = function(on) {
+    return {
+      width: 18, height: 18, borderRadius: '50%', background: '#fff',
+      position: 'absolute', top: 2, left: on ? 20 : 2,
+      transition: 'left 0.2s', boxShadow: '0 1px 3px rgba(0,0,0,0.2)',
+    };
+  };
+
+  var Toggle = function(p) {
+    return h('div', { style: { display: 'flex', alignItems: 'center', gap: 10 } },
+      h('div', { style: toggleStyle(p.value), onClick: function() { set(p.field, !p.value); } },
+        h('div', { style: knobStyle(p.value) })
+      ),
+      h('span', { style: { fontSize: 13, fontWeight: 500 } }, p.label),
+      p.desc && h('span', { style: { fontSize: 11, color: 'var(--text-muted)' } }, p.desc)
+    );
+  };
+
+  var TimeSelect = function(p) {
+    return h('div', { style: { display: 'flex', gap: 8, alignItems: 'center' } },
+      h('select', { className: 'input', style: { width: 80 }, value: p.hour, onChange: function(e) { set(p.hourField, parseInt(e.target.value)); } },
+        Array.from({length: 24}, function(_, i) {
+          var label = i === 0 ? '12 AM' : i < 12 ? i + ' AM' : i === 12 ? '12 PM' : (i - 12) + ' PM';
+          return h('option', { key: i, value: i }, label);
+        })
+      ),
+      h('span', null, ':'),
+      h('select', { className: 'input', style: { width: 65 }, value: p.minute, onChange: function(e) { set(p.minuteField, parseInt(e.target.value)); } },
+        [0, 15, 30, 45].map(function(m) { return h('option', { key: m, value: m }, String(m).padStart(2, '0')); })
+      )
+    );
+  };
+
+  var DaySelect = function(p) {
+    return h('select', { className: 'input', style: { width: 130 }, value: p.value, onChange: function(e) { set(p.field, parseInt(e.target.value)); } },
+      DAYS.map(function(d, i) { return h('option', { key: i, value: i }, d); })
+    );
+  };
+
+  var cardStyle = { marginBottom: 12 };
+  var rowStyle = { display: 'flex', justifyContent: 'space-between', alignItems: 'center', padding: '10px 16px', borderBottom: '1px solid var(--border)' };
+  var configRow = { display: 'flex', gap: 12, alignItems: 'center', padding: '8px 16px 8px 48px', borderBottom: '1px solid var(--border)', fontSize: 13 };
+
+  return h(Fragment, null,
+    // Header
+    h('div', { style: { display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginBottom: 16 } },
+      h('div', null,
+        h('div', { style: { fontSize: 15, fontWeight: 600 } }, 'Agent Autonomy Settings'),
+        h('div', { style: { fontSize: 12, color: 'var(--text-muted)' } }, 'Configure automated behaviors — all times use agent timezone')
+      ),
+      h('div', { style: { display: 'flex', gap: 8 } },
+        dirty && h('span', { style: { fontSize: 11, color: 'var(--warning)', alignSelf: 'center' } }, 'Unsaved changes'),
+        h('button', { className: 'btn btn-primary btn-sm', disabled: !dirty || saving, onClick: save }, saving ? 'Saving...' : 'Save')
+      )
+    ),
+
+    // Master switch
+    h('div', { className: 'card', style: cardStyle },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'enabled', value: form.enabled, label: 'Enable Autonomy System', desc: 'Master switch for all automated agent behaviors' })
+      )
+    ),
+
+    // Clock In/Out
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'clockEnabled', value: form.clockEnabled, label: 'Auto Clock-In/Out', desc: 'Clock in/out based on work schedule' })
+      ),
+      form.clockEnabled && h('div', { style: configRow },
+        h('span', { style: { color: 'var(--text-muted)' } }, 'Uses times from the Workforce tab schedule')
+      )
+    ),
+
+    // Daily Catchup
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'dailyCatchupEnabled', value: form.dailyCatchupEnabled, label: 'Daily Manager Catchup', desc: 'Email summary to manager each workday' })
+      ),
+      form.dailyCatchupEnabled && h('div', { style: configRow },
+        h('span', null, 'Send at'),
+        h(TimeSelect, { hour: form.dailyCatchupHour, minute: form.dailyCatchupMinute, hourField: 'dailyCatchupHour', minuteField: 'dailyCatchupMinute' })
+      )
+    ),
+
+    // Weekly Catchup
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'weeklyCatchupEnabled', value: form.weeklyCatchupEnabled, label: 'Weekly Manager Catchup', desc: 'Broader summary + goals, replaces daily on chosen day' })
+      ),
+      form.weeklyCatchupEnabled && h('div', { style: configRow },
+        h('span', null, 'Send on'),
+        h(DaySelect, { value: form.weeklyCatchupDay, field: 'weeklyCatchupDay' }),
+        h('span', null, 'at'),
+        h(TimeSelect, { hour: form.weeklyCatchupHour, minute: form.weeklyCatchupMinute, hourField: 'weeklyCatchupHour', minuteField: 'weeklyCatchupMinute' })
+      )
+    ),
+
+    // Goal Check
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'goalCheckEnabled', value: form.goalCheckEnabled, label: 'Goal Progress Checks', desc: 'Reviews Google Tasks at set hours (last = end-of-day review)' })
+      ),
+      form.goalCheckEnabled && h('div', { style: configRow },
+        h('span', null, 'Check at hours:'),
+        h('input', { className: 'input', style: { width: 150 },
+          value: (form.goalCheckHours || [14, 17]).join(', '),
+          placeholder: '14, 17',
+          onChange: function(e) {
+            var hrs = e.target.value.split(',').map(function(s) { return parseInt(s.trim()); }).filter(function(n) { return !isNaN(n) && n >= 0 && n <= 23; });
+            set('goalCheckHours', hrs.length > 0 ? hrs : [14, 17]);
+          }
+        }),
+        h('span', { style: { fontSize: 11, color: 'var(--text-muted)' } }, '(24h format, comma-separated)')
+      )
+    ),
+
+    // Knowledge Contribution
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'knowledgeContribEnabled', value: form.knowledgeContribEnabled, label: 'Weekly Knowledge Contribution', desc: 'Agent reviews learnings and contributes to role-based knowledge base' })
+      ),
+      form.knowledgeContribEnabled && h('div', { style: configRow },
+        h('span', null, 'Contribute on'),
+        h(DaySelect, { value: form.knowledgeContribDay, field: 'knowledgeContribDay' }),
+        h('span', null, 'at'),
+        h('select', { className: 'input', style: { width: 80 }, value: form.knowledgeContribHour, onChange: function(e) { set('knowledgeContribHour', parseInt(e.target.value)); } },
+          Array.from({length: 24}, function(_, i) {
+            var label = i === 0 ? '12 AM' : i < 12 ? i + ' AM' : i === 12 ? '12 PM' : (i - 12) + ' PM';
+            return h('option', { key: i, value: i }, label);
+          })
+        )
+      )
+    ),
+
+    // Smart Escalation
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'escalationEnabled', value: form.escalationEnabled, label: 'Smart Answer Escalation', desc: 'Search memory → Drive → escalate to manager when unsure' })
+      )
+    ),
+
+    // Guardrail Enforcement
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'guardrailEnforcementEnabled', value: form.guardrailEnforcementEnabled, label: 'Runtime Guardrail Enforcement', desc: 'Evaluate guardrail rules on inbound emails and tool calls' })
+      )
+    ),
+
+    // Drive Access Requests
+    h('div', { className: 'card', style: Object.assign({}, cardStyle, { opacity: form.enabled ? 1 : 0.5 }) },
+      h('div', { style: rowStyle },
+        h(Toggle, { field: 'driveAccessRequestEnabled', value: form.driveAccessRequestEnabled, label: 'Drive Access Requests', desc: 'When agent cannot access a file, it requests access from manager instead of failing silently' })
+      )
+    )
+  );
+}
+
 function AgentDetailPage(props) {
   var agentId = props.agentId;
   var onBack = props.onBack;
@@ -6430,8 +6651,8 @@ function AgentDetailPage(props) {
   var _agents = useState([]);
   var agents = _agents[0]; var setAgents = _agents[1];
 
-  var TABS = ['overview', 'personal', 'email', 'configuration', 'manager', 'tools', 'skills', 'permissions', 'activity', 'communication', 'workforce', 'memory', 'guardrails', 'budget', 'tool-security', 'deployment'];
-  var TAB_LABELS = { 'tool-security': 'Tool Security', 'manager': 'Manager & Catch-Up', 'email': 'Email', 'tools': 'Tools' };
+  var TABS = ['overview', 'personal', 'email', 'configuration', 'manager', 'tools', 'skills', 'permissions', 'activity', 'communication', 'workforce', 'memory', 'guardrails', 'autonomy', 'budget', 'tool-security', 'deployment'];
+  var TAB_LABELS = { 'tool-security': 'Tool Security', 'manager': 'Manager & Catch-Up', 'email': 'Email', 'tools': 'Tools', 'autonomy': 'Autonomy' };
 
   var load = function() {
     setLoading(true);
@@ -6563,6 +6784,7 @@ function AgentDetailPage(props) {
     tab === 'workforce' && h(WorkforceSection, { agentId: agentId }),
     tab === 'memory' && h(MemorySection, { agentId: agentId }),
     tab === 'guardrails' && h(GuardrailsSection, { agentId: agentId, agents: agents }),
+    tab === 'autonomy' && h(AutonomySection, { agentId: agentId, engineAgent: engineAgent, reload: load }),
     tab === 'budget' && h(BudgetSection, { agentId: agentId }),
     tab === 'tool-security' && h(ToolSecuritySection, { agentId: agentId }),
     tab === 'deployment' && h(DeploymentSection, { agentId: agentId, engineAgent: engineAgent, agent: agent, reload: load, onBack: onBack })

package/dist/index.js

@@ -7,7 +7,7 @@ import {
 import {
   provision,
   runSetupWizard
-} from "./chunk-Y3SVP4G3.js";
+} from "./chunk-RNHBMPPK.js";
 import {
   ActionJournal,
   ActivityTracker,
@@ -54,7 +54,7 @@ import {
   executeTool,
   runAgentLoop,
   toolsToDefinitions
-} from "./chunk-4FHY5GLO.js";
+} from "./chunk-OZ7OBEUD.js";
 import "./chunk-AQH4DFYV.js";
 import {
   ValidationError,
@@ -69,7 +69,7 @@ import {
   requireRole,
   securityHeaders,
   validate
-} from "./chunk-SJRF5OLB.js";
+} from "./chunk-2ALM5WEM.js";
 import "./chunk-3SMTCIR4.js";
 import {
   CircuitBreaker,

package/dist/runtime-RNR3Y7HR.js

@@ -0,0 +1,49 @@
+import {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  runAgentLoop,
+  toolsToDefinitions
+} from "./chunk-OZ7OBEUD.js";
+import "./chunk-AQH4DFYV.js";
+import "./chunk-JLSQOQ5L.js";
+import {
+  PROVIDER_REGISTRY,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider
+} from "./chunk-67KZYSLU.js";
+import "./chunk-NRF3YRF7.js";
+import "./chunk-TYW5XTOW.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  PROVIDER_REGISTRY,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider,
+  runAgentLoop,
+  toolsToDefinitions
+};

package/dist/server-O45YMZQ3.js

@@ -0,0 +1,12 @@
+import {
+  createServer
+} from "./chunk-2ALM5WEM.js";
+import "./chunk-3SMTCIR4.js";
+import "./chunk-JLSQOQ5L.js";
+import "./chunk-RO537U6H.js";
+import "./chunk-DRXMYYKN.js";
+import "./chunk-67KZYSLU.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createServer
+};

package/dist/setup-NLVGTWZ3.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-RNHBMPPK.js";
+import "./chunk-MHIFVS5L.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/enterprise",
-  "version": "0.5.167",
+  "version": "0.5.169",
   "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
   "type": "module",
   "bin": {

package/src/agent-tools/tools/google/drive.ts

@@ -11,6 +11,17 @@ import type { GoogleToolsConfig } from './index.js';
 const BASE = 'https://www.googleapis.com/drive/v3';
 const UPLOAD_BASE = 'https://www.googleapis.com/upload/drive/v3';
 
+class DriveAccessError extends Error {
+  status: number;
+  fileId?: string;
+  constructor(message: string, status: number, fileId?: string) {
+    super(message);
+    this.name = 'DriveAccessError';
+    this.status = status;
+    this.fileId = fileId;
+  }
+}
+
 async function gapi(token: string, path: string, opts?: { method?: string; body?: any; query?: Record<string, string>; base?: string; rawBody?: BodyInit; headers?: Record<string, string> }): Promise<any> {
   const method = opts?.method || 'GET';
   const base = opts?.base || BASE;
@@ -22,7 +33,15 @@ async function gapi(token: string, path: string, opts?: { method?: string; body?
     method, headers,
     body: opts?.rawBody || (opts?.body ? JSON.stringify(opts.body) : undefined),
   });
-  if (!res.ok) { const err = await res.text(); throw new Error(`Google Drive API ${res.status}: ${err}`); }
+  if (!res.ok) {
+    const err = await res.text();
+    if (res.status === 403 || res.status === 404) {
+      // Extract fileId from path if available
+      const fileIdMatch = path.match(/\/files\/([^/]+)/);
+      throw new DriveAccessError(`Google Drive API ${res.status}: ${err}`, res.status, fileIdMatch?.[1]);
+    }
+    throw new Error(`Google Drive API ${res.status}: ${err}`);
+  }
   if (res.status === 204) return {};
   return res.json();
 }
@@ -84,7 +103,7 @@ export function createGoogleDriveTools(config: GoogleToolsConfig, _options?: Too
     },
     {
       name: 'google_drive_get',
-      description: 'Get metadata and content of a file. For Google Docs/Sheets/Slides, exports as text. For other files, returns metadata only.',
+      description: 'Get metadata and content of a file. For Google Docs/Sheets/Slides, exports as text. For other files, returns metadata only. If you get ACCESS_DENIED, use google_drive_request_access to ask the file owner for access.',
       category: 'utility' as const,
       parameters: {
         type: 'object' as const,
@@ -129,6 +148,57 @@ export function createGoogleDriveTools(config: GoogleToolsConfig, _options?: Too
             }
           }
           return jsonResult(result);
+        } catch (e: any) {
+          if (e instanceof DriveAccessError && (e.status === 403 || e.status === 404)) {
+            return jsonResult({
+              error: 'ACCESS_DENIED',
+              fileId: params.fileId,
+              message: `You do not have access to this file (${e.status}). Use google_drive_request_access to request access from the file owner or your manager.`,
+              suggestion: `Call google_drive_request_access with fileId="${params.fileId}" and a reason for needing access.`,
+            });
+          }
+          return errorResult(e.message);
+        }
+      },
+    },
+    {
+      name: 'google_drive_request_access',
+      description: 'Request access to a file you cannot read. Sends an email to your manager (or file owner) asking for access. Use this when google_drive_get returns ACCESS_DENIED.',
+      category: 'utility' as const,
+      parameters: {
+        type: 'object' as const,
+        properties: {
+          fileId: { type: 'string', description: 'File ID to request access to (required)' },
+          reason: { type: 'string', description: 'Why you need access to this file (required)' },
+          requesterContext: { type: 'string', description: 'Who asked you to look at this file / what question you are trying to answer' },
+        },
+        required: ['fileId', 'reason'],
+      },
+      async execute(_id: string, params: any) {
+        try {
+          const token = await tp.getAccessToken();
+          // Try to get basic file metadata (may fail for 404 but works for some 403)
+          let fileName = params.fileId;
+          let fileOwner = '';
+          let fileLink = `https://drive.google.com/file/d/${params.fileId}/view`;
+          try {
+            const meta = await gapi(token, `/files/${params.fileId}`, { query: { fields: 'id,name,owners,webViewLink', supportsAllDrives: 'true' } });
+            if (meta.name) fileName = meta.name;
+            if (meta.owners?.[0]?.emailAddress) fileOwner = meta.owners[0].emailAddress;
+            if (meta.webViewLink) fileLink = meta.webViewLink;
+          } catch { /* may not have metadata access either */ }
+
+          // Store the access request in memory for tracking
+          return jsonResult({
+            accessRequested: true,
+            fileId: params.fileId,
+            fileName,
+            fileOwner: fileOwner || 'unknown',
+            fileLink,
+            reason: params.reason,
+            requesterContext: params.requesterContext || '',
+            instruction: `Access request recorded. Email your manager to request access to "${fileName}" (${fileLink}). Include why you need it: ${params.reason}. Wait for the manager to grant access before trying to read the file again. Store this in memory so you can follow up.`,
+          });
         } catch (e: any) { return errorResult(e.message); }
       },
     },

package/src/cli-agent.ts

@@ -498,6 +498,72 @@ Available tools: gmail_send (to, subject, body) or agenticmail_send (to, subject
 
     // 14. Start calendar polling loop (checks for upcoming meetings to auto-join)
     startCalendarPolling(AGENT_ID, config, runtime, engineDb, memoryManager);
+
+    // 15. Start agent autonomy system (clock-in/out, catchup emails, goals, knowledge)
+    try {
+      const { AgentAutonomyManager } = await import('./engine/agent-autonomy.js');
+      const orgRows2 = await engineDb.query<any>(`SELECT org_id FROM managed_agents WHERE id = $1`, [AGENT_ID]);
+      const autoOrgId = orgRows2?.[0]?.org_id || orgId;
+      const managerEmail2 = (config as any).managerEmail || ((config as any).manager?.type === 'external' ? (config as any).manager.email : null);
+
+      // Parse schedule from work_schedules table
+      let schedule: { start: string; end: string; days: number[] } | undefined;
+      try {
+        const schedRows = await engineDb.query<any>(
+          `SELECT config FROM work_schedules WHERE agent_id = $1 ORDER BY created_at DESC LIMIT 1`,
+          [AGENT_ID]
+        );
+        if (schedRows && schedRows.length > 0) {
+          const schedConfig = typeof schedRows[0].config === 'string' ? JSON.parse(schedRows[0].config) : schedRows[0].config;
+          if (schedConfig?.standardHours) {
+            schedule = {
+              start: schedConfig.standardHours.start,
+              end: schedConfig.standardHours.end,
+              days: schedConfig.workDays || [0, 1, 2, 3, 4, 5, 6],
+            };
+          }
+        }
+      } catch {}
+
+      const autonomy = new AgentAutonomyManager({
+        agentId: AGENT_ID,
+        orgId: autoOrgId,
+        agentName: config.displayName || config.name,
+        role: config.identity?.role || 'AI Agent',
+        managerEmail: managerEmail2,
+        timezone: config.timezone || 'America/New_York',
+        schedule,
+        runtime,
+        engineDb,
+        memoryManager,
+        lifecycle,
+        settings: (config as any).autonomy || {},
+      });
+      await autonomy.start();
+      console.log('[autonomy] ✅ Agent autonomy system started');
+
+      // Store autonomy ref for shutdown
+      const origShutdown = process.listeners('SIGTERM');
+      process.on('SIGTERM', () => autonomy.stop());
+      process.on('SIGINT', () => autonomy.stop());
+    } catch (autoErr: any) {
+      console.warn(`[autonomy] Failed to start: ${autoErr.message}`);
+    }
+
+    // 16. Start guardrail enforcement (if enabled in autonomy settings)
+    const autoSettings = (config as any).autonomy || {};
+    if (autoSettings.guardrailEnforcementEnabled !== false) {
+      try {
+        const { GuardrailEnforcer } = await import('./engine/agent-autonomy.js');
+        const enforcer = new GuardrailEnforcer(engineDb);
+        (global as any).__guardrailEnforcer = enforcer;
+        console.log('[guardrails] ✅ Runtime guardrail enforcer active');
+      } catch (gErr: any) {
+        console.warn(`[guardrails] Failed to start enforcer: ${gErr.message}`);
+      }
+    } else {
+      console.log('[guardrails] Disabled via autonomy settings');
+    }
   }, 3000);
 }
 
@@ -858,10 +924,55 @@ For meetings you organize or are invited to:
 
 When you receive an email containing a meeting link (meet.google.com, zoom.us, teams.microsoft.com):
 - Extract the link and attempt to join immediately if the meeting is now
-- If the meeting is in the future, store it in memory and note the time`;
+- If the meeting is in the future, store it in memory and note the time
+
+== SMART ANSWER WORKFLOW (MANDATORY) ==
+When you receive a question or request you're not 100% confident about, follow this escalation chain:
+
+STEP 1: Search your own memory
+- memory(action: "search", query: "relevant keywords")
+- Check for similar past questions, corrections, and learned patterns
+
+STEP 2: Search organization Drive (shared knowledge)
+- google_drive_list with query parameter to search shared docs (e.g. "fullText contains 'search terms'")
+- Read relevant documents with google_drive_get to find the answer
+- Check Google Sheets for data tables, Google Docs for procedures
+
+STEP 3: If still unsure — ESCALATE to manager
+${managerEmail ? `- Send an email to ${managerEmail} with:` : '- Email your manager with:'}
+  Subject: "Need Guidance: [Brief topic]"
+  Body must include:
+  a) The original question/request (who asked, what they need)
+  b) What you found in your search (memory + Drive results)
+  c) Your proposed answer (what you THINK the answer should be)
+  d) What specifically you're unsure about
+  e) Ask for approval or correction before responding
+
+NEVER guess or fabricate an answer when unsure. It's better to escalate than to be wrong.
+After receiving manager feedback, store the correct answer in memory as a "correction" or "org_knowledge" entry.`;
 
 
 
+          // Guardrail check: scan inbound email for security rules
+          const enforcer = (global as any).__guardrailEnforcer;
+          if (enforcer) {
+            try {
+              const orgRows3 = await engineDb.query<any>(`SELECT org_id FROM managed_agents WHERE id = $1`, [agentId]);
+              const gOrgId = orgRows3?.[0]?.org_id || '';
+              const check = await enforcer.evaluate({
+                agentId, orgId: gOrgId, type: 'email_send' as const,
+                content: emailText, metadata: { from: senderEmail, subject: fullMsg.subject },
+              });
+              if (!check.allowed) {
+                console.warn(`[email-poll] ⚠️ Guardrail blocked email from ${senderEmail}: ${check.reason} (action: ${check.action})`);
+                continue; // Skip this email
+              }
+            } catch (gErr: any) {
+              console.warn(`[email-poll] Guardrail check error: ${gErr.message}`);
+              // Continue anyway — don't block on guardrail failures
+            }
+          }
+
           const session = await runtime.spawnSession({
             agentId,
             message: emailText,