@aitne/daemon 0.1.9 → 0.1.10

package/dist/safety/always-disallowed.js

@@ -186,6 +186,22 @@ export const ALWAYS_DISALLOWED_TOOLS = [
     "Read(~/.personal-agent/backups/**)",
     "Read(~/.personal-agent/whatsapp/auth/**)",
     "Read(~/.personal-agent/secrets/**)",
+    // ── Backend CLI credential files ──
+    // The agent's own Claude / Codex / Gemini OAuth tokens. The daemon
+    // reads these itself (claude-credentials-store.ts, codex-core.ts:377,
+    // gemini-cli-core.ts:488) to drive auth-health recovery, but the agent
+    // must never reach around to lift the long-lived refresh token for its
+    // own — or a sibling — backend and exfiltrate it through the sanctioned
+    // curl-to-localhost write path. On macOS the Claude token lives in the
+    // Keychain (covered by `~/Library/Keychains/**` above); these are the
+    // Linux/Windows plaintext fallback (Claude) and the all-platform
+    // plaintext stores (Codex `auth.json`, Gemini OAuth json).
+    "Read(~/.claude/.credentials.json)",
+    "Read(~/.claude.json)",
+    "Read(~/.codex/auth.json)",
+    "Read(~/.gemini/gemini-credentials.json)",
+    "Read(~/.gemini/oauth_creds.json)",
+    "Read(~/.config/anthropic/**)",
     // ── Secret-file writes ──
     // Kept symmetrical to the read list — an agent that can WRITE .env or
     // ~/.ssh/authorized_keys can leak via its own exfil channel even without
@@ -208,6 +224,15 @@ export const ALWAYS_DISALLOWED_TOOLS = [
     "Write(~/.personal-agent/backups/**)", "Edit(~/.personal-agent/backups/**)",
     "Write(~/.personal-agent/whatsapp/auth/**)", "Edit(~/.personal-agent/whatsapp/auth/**)",
     "Write(~/.personal-agent/secrets/**)", "Edit(~/.personal-agent/secrets/**)",
+    // Backend CLI credential files (symmetric twins of the read block above —
+    // an agent that can overwrite a token store can plant/replace credentials,
+    // which is strictly worse than reading them).
+    "Write(~/.claude/.credentials.json)", "Edit(~/.claude/.credentials.json)",
+    "Write(~/.claude.json)", "Edit(~/.claude.json)",
+    "Write(~/.codex/auth.json)", "Edit(~/.codex/auth.json)",
+    "Write(~/.gemini/gemini-credentials.json)", "Edit(~/.gemini/gemini-credentials.json)",
+    "Write(~/.gemini/oauth_creds.json)", "Edit(~/.gemini/oauth_creds.json)",
+    "Write(~/.config/anthropic/**)", "Edit(~/.config/anthropic/**)",
     // ── Browser-history profile directories (BROWSER_HISTORY_INTEGRATION_PLAN §11.4) ──
     // The browser-history integration's threat model assumes the agent
     // never reads raw browser profile files directly — all access goes
@@ -646,6 +671,13 @@ export function looksLikeBashSecretRead(cmd) {
         "/.personal-agent/backups/",
         "/.personal-agent/whatsapp/auth/",
         "/.personal-agent/secrets/",
+        // Backend CLI OAuth credential files (Claude / Codex / Gemini).
+        "/.claude/.credentials.json",
+        "/.claude.json",
+        "/.codex/auth.json",
+        "/.gemini/gemini-credentials.json",
+        "/.gemini/oauth_creds.json",
+        "/.config/anthropic/",
     ];
     if (fragments.some((f) => lc.includes(f)))
         return true;
@@ -831,6 +863,13 @@ export function looksLikeSecretPath(raw) {
         /Library\/Keychains(\/|$)/i,
         /\.local\/share\/keyrings(\/|$)/i,
         /\.personal-agent\/(backups|whatsapp\/auth|secrets)(\/|$)/i,
+        // Backend CLI OAuth credential files (Claude / Codex / Gemini) +
+        // the Anthropic config dir.
+        /(^|\/)\.claude\.json$/i,
+        /\.claude\/\.credentials\.json$/i,
+        /\.codex\/auth\.json$/i,
+        /\.gemini\/(gemini-credentials|oauth_creds)\.json$/i,
+        /\.config\/anthropic(\/|$)/i,
     ];
     return patterns.some((r) => r.test(p));
 }

package/dist/safety/risk-classifier.js

@@ -451,6 +451,12 @@ const API_RISK = {
     "PUT /api/observations/{*}/consume": RiskTier.Autonomous,
     "PATCH /api/observations/{*}/consume": RiskTier.Autonomous,
     "DELETE /api/observations/{*}/consume": RiskTier.Autonomous,
+    "POST /api/feedback": RiskTier.Autonomous,
+    "POST /api/feedback/consume": RiskTier.Autonomous,
+    // Read-only lesson-store overview for the dashboard Lessons settings page
+    // (FEEDBACK_LEARNING_LOOP_DESIGN.md §9 Phase 5). Summarises cap utilisation
+    // only — lesson prose was redaction-scrubbed at capture — so Autonomous.
+    "GET /api/feedback/lessons": RiskTier.Autonomous,
     // ── Notification ──
     "/api/notify": RiskTier.Autonomous,
     // ── External Service Proxy ──
@@ -797,13 +803,22 @@ const API_RISK = {
     "GET /api/skill-curation/signals": RiskTier.Autonomous,
     "GET /api/skill-curation/knowledge-map": RiskTier.Autonomous,
     "GET /api/skill-curation/proposals/": RiskTier.Autonomous,
-    // Mutation endpoints are Autonomous — the optimizer agent's runToken
-    // (HMAC, one-time, scoped to a single run) is the auth surface, enforced
-    // inside the route. Per design §2.1 the chokepoint applies every passing
-    // proposal atomically; there are no per-proposal approve/reject/revert
-    // routes. The only roll-back path is the system-driven auto-revert
-    // (`auto-revert.ts`), which never crosses the HTTP boundary.
-    "POST /api/skill-curation/runs": RiskTier.Autonomous,
+    // Run minting (`POST /runs`, exact) is Approve. In production this surface
+    // is unused — the dispatcher's `materializeOptimizerWorkdir` mints the
+    // runId/runToken directly and never crosses the HTTP boundary (see the
+    // route handler comment). Leaving it Autonomous let any Bearer-less local
+    // caller (incl. a prompt-injected DM agent) mint a valid optimizer token
+    // once curation is opted in, then drive `/proposals` to self-author skill
+    // overlays — a least-privilege violation. Approve confines minting to the
+    // dashboard/operator; the legitimate optimizer reads its token from the
+    // workdir preamble, not this route.
+    "POST /api/skill-curation/runs": RiskTier.Approve,
+    // The proposal chokepoint and the per-run finalize stay Autonomous — both
+    // are gated by the optimizer's runToken (HMAC, scoped to a single run)
+    // enforced inside the route, and the legitimate optimizer agent reaches
+    // them via curl from its session workdir (no Bearer). Per design §2.1 the
+    // chokepoint applies every passing proposal atomically; the only roll-back
+    // path is the system-driven auto-revert (`auto-revert.ts`).
     "POST /api/skill-curation/proposals": RiskTier.Autonomous,
     "POST /api/skill-curation/runs/": RiskTier.Autonomous,
     // P22 §6.1 — settings + listing surfaces consumed by the dashboard.

package/dist/services/browser-history/automation/egress-denylist.js

@@ -229,6 +229,10 @@ export const IP_DENYLIST_CIDRS = Object.freeze([
     "100.64.0.0/10",
     "224.0.0.0/4",
     "0.0.0.0/8",
+    // IETF protocol assignments (RFC 6890) — includes the DNS64 well-known
+    // host 192.0.0.171/.170 used to discover the NAT64 prefix. Not globally
+    // routable; no legitimate browse target lives here.
+    "192.0.0.0/24",
     // IPv6 equivalents
     "::1/128",
     "::/128", // IPv6 unspecified — mirrors IPv4 0.0.0.0/8; routes to ::1 as a connect target on common stacks
@@ -374,8 +378,20 @@ export function matchesCidrDenylist(ip) {
         const bits = ipv6ToBigInt(ip);
         if (bits !== null) {
             const mask96 = ((1n << 96n) - 1n) << 32n; // high 96 bits
-            const v4MappedPrefix = 0xffffn << 32n; // ::ffff:0:0
-            if ((bits & mask96) === v4MappedPrefix) {
+            const v4MappedPrefix = 0xffffn << 32n; // ::ffff:0:0/96
+            // NAT64 well-known prefix `64:ff9b::/96` (RFC 6052) — on NAT64/DNS64
+            // networks the entire IPv4 internet is reachable through this prefix,
+            // so `64:ff9b::a9fe:a9fe` routes to 169.254.169.254 and
+            // `64:ff9b::a00:1` to 10.0.0.1. We must NOT block the whole /96
+            // (that would break all IPv4 browsing on such networks) — instead
+            // decode the embedded IPv4 (low 32 bits, same position as the
+            // v4-mapped form) and run it through the IPv4 deny ranges, so only
+            // metadata/private destinations are blocked. Network-specific NAT64
+            // prefixes (operator-chosen /32../64) are out of scope — they aren't
+            // a guessable SSRF target the way the well-known prefix is.
+            const nat64WellKnownPrefix = 0x0064ff9bn << 96n; // 64:ff9b::/96
+            const prefix96 = bits & mask96;
+            if (prefix96 === v4MappedPrefix || prefix96 === nat64WellKnownPrefix) {
                 const embedded = Number(bits & 0xffffffffn);
                 const dotted = [
                     (embedded >>> 24) & 255,

package/dist/services/browser-history/lifecycle/platform.js

@@ -2,7 +2,7 @@ import { accessSync, constants, existsSync, readdirSync } from "node:fs";
 import { readlink } from "node:fs/promises";
 import { createRequire } from "node:module";
 import { homedir, release } from "node:os";
-import { dirname, join } from "node:path";
+import { delimiter, dirname, join } from "node:path";
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
 const execFileAsync = promisify(execFile);
@@ -504,12 +504,54 @@ async function isUnixProcessRunning(binaryPath, userDataDir) {
         return false;
     }
 }
+/**
+ * Resolve the Windows PowerShell executable defensively.
+ *
+ * This is the same `powershell.exe → pwsh.exe` probe every other PS call
+ * site in the codebase performs (secret-client-factory.ts:findExecutableInPath,
+ * doctor.mjs, scripts/lib/read-api-token.mjs). On Windows desktop SKUs the
+ * in-box Windows PowerShell 5.1 (`powershell.exe`) is present, but on
+ * minimal / headless / Server-Core / Nano hosts — or future builds where
+ * 5.1 has been removed — only PowerShell 7+ (`pwsh.exe`) exists, and a
+ * hardcoded `powershell.exe` exec throws ENOENT (which the caller's catch
+ * swallows, silently reporting the managed Chromium as not-running).
+ *
+ * Prefer 5.1, fall back to 7+, else keep the default so the first exec
+ * surfaces a clear ENOENT rather than masking a misconfigured host.
+ */
+function resolveWindowsPowerShell() {
+    const pathValue = process.env.PATH ?? "";
+    const exts = process.env.PATHEXT?.split(";").filter(Boolean) ?? [".EXE"];
+    const probe = (name) => {
+        const hasExt = /\.[A-Za-z0-9]+$/.test(name);
+        for (const dir of pathValue.split(delimiter)) {
+            if (!dir)
+                continue;
+            const candidates = hasExt ? [name] : exts.map((e) => `${name}${e}`);
+            for (const c of candidates) {
+                try {
+                    accessSync(join(dir, c), constants.X_OK);
+                    return true;
+                }
+                catch {
+                    // keep scanning
+                }
+            }
+        }
+        return false;
+    };
+    return probe("powershell.exe")
+        ? "powershell.exe"
+        : probe("pwsh.exe")
+            ? "pwsh.exe"
+            : "powershell.exe";
+}
 async function isWindowsProcessRunning(binaryPath, userDataDir) {
     const escapedBinary = binaryPath.replace(/'/g, "''");
     const escapedDir = userDataDir.replace(/'/g, "''");
     const command = `Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -like '*${escapedBinary}*' -and $_.CommandLine -like '*--user-data-dir=${escapedDir}*' } | Select-Object -First 1`;
     try {
-        const { stdout } = await execFileAsync("powershell.exe", [
+        const { stdout } = await execFileAsync(resolveWindowsPowerShell(), [
             "-NoProfile",
             "-Command",
             command,

package/dist/services/mcp/probe.js

@@ -3,6 +3,7 @@ import { mkdir } from "node:fs/promises";
 import { join } from "node:path";
 import { randomUUID } from "node:crypto";
 import { toSafeErrorMessage } from "../../logging.js";
+import { resolveWin32Invocation } from "../../core/backends/cli-utils.js";
 const PROBE_TIMEOUT_MS = 10_000;
 /**
  * MCP protocol version we send in `initialize`. The three official clients
@@ -93,7 +94,32 @@ async function probeStdio(server, options, timeoutMs) {
     // required arrays, but the DB row can carry `args` as null, so only that
     // path is genuinely observable from tests.
     const env = buildStdioEnv(server.envKeys, options.secrets);
-    const child = spawn(server.command, server.args ?? [], {
+    // MCP stdio commands are overwhelmingly npx/uvx/pnpm launchers, which
+    // resolve to .cmd/.ps1 batch shims on Windows. The earlier stopgap used
+    // `shell: process.platform === "win32"`, which let cmd.exe re-parse
+    // metacharacters in the registered command/args (a corruption + injection
+    // surface for any DB-registered server whose command/args contain
+    // %VAR%/&/|/^). Instead route through the same injection-safe path
+    // runLineCommand uses: resolve the bare name via PATHEXT and launch a
+    // resolved `.cmd`/`.bat` through an explicit, hand-escaped `cmd.exe`
+    // wrapper with windowsVerbatimArguments. POSIX is byte-identical
+    // (resolveWin32Invocation is win32-only; the block below never runs, and
+    // windowsVerbatimArguments:false is inert there). The taskkill /T
+    // parent-pid walk in killTree still reaps the added cmd.exe wrapper.
+    let spawnCommand = server.command;
+    let spawnArgs = server.args ?? [];
+    let windowsVerbatim = false;
+    /* c8 ignore start — Windows-only .cmd/.bat shim resolution, untestable on POSIX CI. */
+    if (process.platform === "win32") {
+        const win = resolveWin32Invocation(server.command, server.args ?? []);
+        if (win) {
+            spawnCommand = win.command;
+            spawnArgs = win.args;
+            windowsVerbatim = win.windowsVerbatimArguments;
+        }
+    }
+    /* c8 ignore stop */
+    const child = spawn(spawnCommand, spawnArgs, {
         cwd: server.cwd ?? sandboxCwd,
         env,
         stdio: ["pipe", "pipe", "pipe"],
@@ -104,13 +130,9 @@ async function probeStdio(server, options, timeoutMs) {
         // hidden-window helps avoid a flashing console for child binaries.
         detached: process.platform !== "win32",
         windowsHide: true,
-        // MCP stdio commands are overwhelmingly npx/uvx/pnpm launchers, which
-        // resolve to .cmd/.ps1 batch shims on Windows; those need a shell to
-        // launch (shell:false spawn of a bare `npx` ENOENTs). POSIX keeps
-        // shell:false — bare npx/node resolve via PATH+exec-bit there. Same
-        // win32-gated pattern as scripts/run-node.mjs / bin/aitne.mjs spawns;
-        // the taskkill /T parent-pid walk above reaps the added cmd.exe wrapper.
-        shell: process.platform === "win32",
+        // The cmd.exe wrapper's args are pre-escaped for cmd.exe; tell Node not
+        // to re-quote them. Inert/false on POSIX and the direct-.exe path.
+        windowsVerbatimArguments: windowsVerbatim,
     });
     let settled = false;
     const stderrBuf = [];

package/dist/settings/runtime-settings.d.ts

@@ -13,7 +13,7 @@ import { z } from "zod";
  * contract — `chmod`, `chown`, destructive `git` flags. Allow mode skips
  * these per design, Safe mode keeps them.
  */
-export declare const DEFAULT_DISALLOWED_TOOLS: readonly ["Bash(rm -rf *)", "Bash(rm -rf /*)", "Bash(rm -rf ~*)", "Bash(rm -rf .*)", "Bash(rm -r *)", "Bash(rm -rf*)", "Bash(rm -rv*)", "Bash(rm -ri*)", "Bash(rm -rd*)", "Bash(rm -rI*)", "Bash(rm -fr*)", "Bash(rm -vr*)", "Bash(rm -ir*)", "Bash(rm -dr*)", "Bash(rm -Ir*)", "Bash(rm -R*)", "Bash(rm -fR*)", "Bash(rm -vR*)", "Bash(rm -iR*)", "Bash(rm -dR*)", "Bash(rm -IR*)", "Bash(rm --recursive*)", "Bash(rm --force --recursive*)", "Bash(rm --recursive --force*)", "Bash(sudo *)", "Bash(doas *)", "Bash(su *)", "Bash(curl * | sh*)", "Bash(curl * | bash*)", "Bash(wget * | sh*)", "Bash(wget * | bash*)", "Bash(bash <(*)*)", "Bash(sh <(*)*)", "Bash(bash<*)", "Bash(sh<*)", "Bash(eval *)", "Bash(source *)", "Bash(security *)", "Bash(secret-tool *)", "Bash(cmdkey *)", "Bash(certutil *)", "Bash(rundll32.exe *)", "Read(.env)", "Read(.env.*)", "Read(**/.env)", "Read(**/.env.*)", "Read(id_rsa*)", "Read(id_ed25519*)", "Read(~/.ssh/**)", "Read(~/.gnupg/**)", "Read(~/.aws/**)", "Read(~/.config/gcloud/**)", "Read(~/.config/gh/hosts.yml)", "Read(~/.netrc)", "Read(~/Library/Keychains/**)", "Read(~/.local/share/keyrings/**)", "Read(~/.personal-agent/backups/**)", "Read(~/.personal-agent/whatsapp/auth/**)", "Read(~/.personal-agent/secrets/**)", "Write(.env)", "Edit(.env)", "Write(.env.*)", "Edit(.env.*)", "Write(**/.env)", "Edit(**/.env)", "Write(**/.env.*)", "Edit(**/.env.*)", "Write(id_rsa*)", "Edit(id_rsa*)", "Write(id_ed25519*)", "Edit(id_ed25519*)", "Write(~/.ssh/**)", "Edit(~/.ssh/**)", "Write(~/.gnupg/**)", "Edit(~/.gnupg/**)", "Write(~/.aws/**)", "Edit(~/.aws/**)", "Write(~/.config/gcloud/**)", "Edit(~/.config/gcloud/**)", "Write(~/.config/gh/hosts.yml)", "Edit(~/.config/gh/hosts.yml)", "Write(~/.netrc)", "Edit(~/.netrc)", "Write(~/Library/Keychains/**)", "Edit(~/Library/Keychains/**)", "Write(~/.local/share/keyrings/**)", "Edit(~/.local/share/keyrings/**)", "Write(~/.personal-agent/backups/**)", "Edit(~/.personal-agent/backups/**)", "Write(~/.personal-agent/whatsapp/auth/**)", "Edit(~/.personal-agent/whatsapp/auth/**)", "Write(~/.personal-agent/secrets/**)", "Edit(~/.personal-agent/secrets/**)", "Bash(sqlite3 *)", "Bash(cp ~/Library/Application Support/Google/Chrome/*)", "Bash(cp ~/Library/Application Support/Chromium/*)", "Bash(cp ~/Library/Application Support/Microsoft Edge/*)", "Bash(cp ~/Library/Application Support/BraveSoftware/*)", "Bash(cp ~/Library/Application Support/Comet/*)", "Bash(cp ~/Library/Application Support/Perplexity Comet/*)", "Bash(cp ~/Library/Application Support/com.openai.atlas/*)", "Bash(cp ~/.config/google-chrome/*)", "Bash(cp ~/.config/chromium/*)", "Bash(cp ~/.config/microsoft-edge/*)", "Bash(cp ~/.config/BraveSoftware/*)", "Bash(cp ~/.config/Comet/*)", "Bash(cp ~/.var/app/com.google.Chrome/*)", "Bash(cp /mnt/c/Users/*)", "Bash(curl file://*)", "Read(~/Library/Application Support/Google/Chrome/**)", "Read(~/Library/Application Support/Chromium/**)", "Read(~/Library/Application Support/Microsoft Edge/**)", "Read(~/Library/Application Support/BraveSoftware/**)", "Read(~/Library/Application Support/Comet/**)", "Read(~/Library/Application Support/Perplexity Comet/**)", "Read(~/Library/Application Support/com.openai.atlas/**)", "Read(~/.config/google-chrome/**)", "Read(~/.config/chromium/**)", "Read(~/.config/microsoft-edge/**)", "Read(~/.config/BraveSoftware/**)", "Read(~/.config/Comet/**)", "Read(~/.var/app/com.google.Chrome/**)", "Read(/mnt/c/Users/**)", "Write(~/Library/Application Support/Google/Chrome/**)", "Edit(~/Library/Application Support/Google/Chrome/**)", "Write(~/Library/Application Support/Chromium/**)", "Edit(~/Library/Application Support/Chromium/**)", "Write(~/Library/Application Support/Microsoft Edge/**)", "Edit(~/Library/Application Support/Microsoft Edge/**)", "Write(~/Library/Application Support/BraveSoftware/**)", "Edit(~/Library/Application Support/BraveSoftware/**)", "Write(~/Library/Application Support/Comet/**)", "Edit(~/Library/Application Support/Comet/**)", "Write(~/Library/Application Support/Perplexity Comet/**)", "Edit(~/Library/Application Support/Perplexity Comet/**)", "Write(~/Library/Application Support/com.openai.atlas/**)", "Edit(~/Library/Application Support/com.openai.atlas/**)", "Write(~/.config/google-chrome/**)", "Edit(~/.config/google-chrome/**)", "Write(~/.config/chromium/**)", "Edit(~/.config/chromium/**)", "Write(~/.config/microsoft-edge/**)", "Edit(~/.config/microsoft-edge/**)", "Write(~/.config/BraveSoftware/**)", "Edit(~/.config/BraveSoftware/**)", "Write(~/.config/Comet/**)", "Edit(~/.config/Comet/**)", "Write(~/.var/app/com.google.Chrome/**)", "Edit(~/.var/app/com.google.Chrome/**)", "Write(/mnt/c/Users/**)", "Edit(/mnt/c/Users/**)", "Bash(cp ~/.personal-agent/chromium-*)", "Bash(mv ~/.personal-agent/chromium-*)", "Bash(tar ~/.personal-agent/chromium-*)", "Bash(zip ~/.personal-agent/chromium-*)", "Bash(rsync ~/.personal-agent/chromium-*)", "Bash(cp $HOME/.personal-agent/chromium-*)", "Bash(mv $HOME/.personal-agent/chromium-*)", "Bash(tar $HOME/.personal-agent/chromium-*)", "Bash(zip $HOME/.personal-agent/chromium-*)", "Bash(rsync $HOME/.personal-agent/chromium-*)", "Read(~/.personal-agent/chromium-sync/**)", "Read(~/.personal-agent/chromium-automation/**)", "Read(~/.personal-agent/chromium-automation-anon/**)", "Read(~/.personal-agent/chromium-automation-auth/**)", "Read(~/.personal-agent/chromium-automation-purchase/**)", "Write(~/.personal-agent/chromium-sync/**)", "Edit(~/.personal-agent/chromium-sync/**)", "Write(~/.personal-agent/chromium-automation/**)", "Edit(~/.personal-agent/chromium-automation/**)", "Write(~/.personal-agent/chromium-automation-anon/**)", "Edit(~/.personal-agent/chromium-automation-anon/**)", "Write(~/.personal-agent/chromium-automation-auth/**)", "Edit(~/.personal-agent/chromium-automation-auth/**)", "Write(~/.personal-agent/chromium-automation-purchase/**)", "Edit(~/.personal-agent/chromium-automation-purchase/**)", "CronCreate", "CronList", "CronDelete", "RemoteTrigger", "PushNotification", "Bash(chmod *)", "Bash(chown *)", "Bash(git push --force *)", "Bash(git push -f *)", "Bash(git reset --hard *)", "Bash(git clean *)"];
+export declare const DEFAULT_DISALLOWED_TOOLS: readonly ["Bash(rm -rf *)", "Bash(rm -rf /*)", "Bash(rm -rf ~*)", "Bash(rm -rf .*)", "Bash(rm -r *)", "Bash(rm -rf*)", "Bash(rm -rv*)", "Bash(rm -ri*)", "Bash(rm -rd*)", "Bash(rm -rI*)", "Bash(rm -fr*)", "Bash(rm -vr*)", "Bash(rm -ir*)", "Bash(rm -dr*)", "Bash(rm -Ir*)", "Bash(rm -R*)", "Bash(rm -fR*)", "Bash(rm -vR*)", "Bash(rm -iR*)", "Bash(rm -dR*)", "Bash(rm -IR*)", "Bash(rm --recursive*)", "Bash(rm --force --recursive*)", "Bash(rm --recursive --force*)", "Bash(sudo *)", "Bash(doas *)", "Bash(su *)", "Bash(curl * | sh*)", "Bash(curl * | bash*)", "Bash(wget * | sh*)", "Bash(wget * | bash*)", "Bash(bash <(*)*)", "Bash(sh <(*)*)", "Bash(bash<*)", "Bash(sh<*)", "Bash(eval *)", "Bash(source *)", "Bash(security *)", "Bash(secret-tool *)", "Bash(cmdkey *)", "Bash(certutil *)", "Bash(rundll32.exe *)", "Read(.env)", "Read(.env.*)", "Read(**/.env)", "Read(**/.env.*)", "Read(id_rsa*)", "Read(id_ed25519*)", "Read(~/.ssh/**)", "Read(~/.gnupg/**)", "Read(~/.aws/**)", "Read(~/.config/gcloud/**)", "Read(~/.config/gh/hosts.yml)", "Read(~/.netrc)", "Read(~/Library/Keychains/**)", "Read(~/.local/share/keyrings/**)", "Read(~/.personal-agent/backups/**)", "Read(~/.personal-agent/whatsapp/auth/**)", "Read(~/.personal-agent/secrets/**)", "Read(~/.claude/.credentials.json)", "Read(~/.claude.json)", "Read(~/.codex/auth.json)", "Read(~/.gemini/gemini-credentials.json)", "Read(~/.gemini/oauth_creds.json)", "Read(~/.config/anthropic/**)", "Write(.env)", "Edit(.env)", "Write(.env.*)", "Edit(.env.*)", "Write(**/.env)", "Edit(**/.env)", "Write(**/.env.*)", "Edit(**/.env.*)", "Write(id_rsa*)", "Edit(id_rsa*)", "Write(id_ed25519*)", "Edit(id_ed25519*)", "Write(~/.ssh/**)", "Edit(~/.ssh/**)", "Write(~/.gnupg/**)", "Edit(~/.gnupg/**)", "Write(~/.aws/**)", "Edit(~/.aws/**)", "Write(~/.config/gcloud/**)", "Edit(~/.config/gcloud/**)", "Write(~/.config/gh/hosts.yml)", "Edit(~/.config/gh/hosts.yml)", "Write(~/.netrc)", "Edit(~/.netrc)", "Write(~/Library/Keychains/**)", "Edit(~/Library/Keychains/**)", "Write(~/.local/share/keyrings/**)", "Edit(~/.local/share/keyrings/**)", "Write(~/.personal-agent/backups/**)", "Edit(~/.personal-agent/backups/**)", "Write(~/.personal-agent/whatsapp/auth/**)", "Edit(~/.personal-agent/whatsapp/auth/**)", "Write(~/.personal-agent/secrets/**)", "Edit(~/.personal-agent/secrets/**)", "Write(~/.claude/.credentials.json)", "Edit(~/.claude/.credentials.json)", "Write(~/.claude.json)", "Edit(~/.claude.json)", "Write(~/.codex/auth.json)", "Edit(~/.codex/auth.json)", "Write(~/.gemini/gemini-credentials.json)", "Edit(~/.gemini/gemini-credentials.json)", "Write(~/.gemini/oauth_creds.json)", "Edit(~/.gemini/oauth_creds.json)", "Write(~/.config/anthropic/**)", "Edit(~/.config/anthropic/**)", "Bash(sqlite3 *)", "Bash(cp ~/Library/Application Support/Google/Chrome/*)", "Bash(cp ~/Library/Application Support/Chromium/*)", "Bash(cp ~/Library/Application Support/Microsoft Edge/*)", "Bash(cp ~/Library/Application Support/BraveSoftware/*)", "Bash(cp ~/Library/Application Support/Comet/*)", "Bash(cp ~/Library/Application Support/Perplexity Comet/*)", "Bash(cp ~/Library/Application Support/com.openai.atlas/*)", "Bash(cp ~/.config/google-chrome/*)", "Bash(cp ~/.config/chromium/*)", "Bash(cp ~/.config/microsoft-edge/*)", "Bash(cp ~/.config/BraveSoftware/*)", "Bash(cp ~/.config/Comet/*)", "Bash(cp ~/.var/app/com.google.Chrome/*)", "Bash(cp /mnt/c/Users/*)", "Bash(curl file://*)", "Read(~/Library/Application Support/Google/Chrome/**)", "Read(~/Library/Application Support/Chromium/**)", "Read(~/Library/Application Support/Microsoft Edge/**)", "Read(~/Library/Application Support/BraveSoftware/**)", "Read(~/Library/Application Support/Comet/**)", "Read(~/Library/Application Support/Perplexity Comet/**)", "Read(~/Library/Application Support/com.openai.atlas/**)", "Read(~/.config/google-chrome/**)", "Read(~/.config/chromium/**)", "Read(~/.config/microsoft-edge/**)", "Read(~/.config/BraveSoftware/**)", "Read(~/.config/Comet/**)", "Read(~/.var/app/com.google.Chrome/**)", "Read(/mnt/c/Users/**)", "Write(~/Library/Application Support/Google/Chrome/**)", "Edit(~/Library/Application Support/Google/Chrome/**)", "Write(~/Library/Application Support/Chromium/**)", "Edit(~/Library/Application Support/Chromium/**)", "Write(~/Library/Application Support/Microsoft Edge/**)", "Edit(~/Library/Application Support/Microsoft Edge/**)", "Write(~/Library/Application Support/BraveSoftware/**)", "Edit(~/Library/Application Support/BraveSoftware/**)", "Write(~/Library/Application Support/Comet/**)", "Edit(~/Library/Application Support/Comet/**)", "Write(~/Library/Application Support/Perplexity Comet/**)", "Edit(~/Library/Application Support/Perplexity Comet/**)", "Write(~/Library/Application Support/com.openai.atlas/**)", "Edit(~/Library/Application Support/com.openai.atlas/**)", "Write(~/.config/google-chrome/**)", "Edit(~/.config/google-chrome/**)", "Write(~/.config/chromium/**)", "Edit(~/.config/chromium/**)", "Write(~/.config/microsoft-edge/**)", "Edit(~/.config/microsoft-edge/**)", "Write(~/.config/BraveSoftware/**)", "Edit(~/.config/BraveSoftware/**)", "Write(~/.config/Comet/**)", "Edit(~/.config/Comet/**)", "Write(~/.var/app/com.google.Chrome/**)", "Edit(~/.var/app/com.google.Chrome/**)", "Write(/mnt/c/Users/**)", "Edit(/mnt/c/Users/**)", "Bash(cp ~/.personal-agent/chromium-*)", "Bash(mv ~/.personal-agent/chromium-*)", "Bash(tar ~/.personal-agent/chromium-*)", "Bash(zip ~/.personal-agent/chromium-*)", "Bash(rsync ~/.personal-agent/chromium-*)", "Bash(cp $HOME/.personal-agent/chromium-*)", "Bash(mv $HOME/.personal-agent/chromium-*)", "Bash(tar $HOME/.personal-agent/chromium-*)", "Bash(zip $HOME/.personal-agent/chromium-*)", "Bash(rsync $HOME/.personal-agent/chromium-*)", "Read(~/.personal-agent/chromium-sync/**)", "Read(~/.personal-agent/chromium-automation/**)", "Read(~/.personal-agent/chromium-automation-anon/**)", "Read(~/.personal-agent/chromium-automation-auth/**)", "Read(~/.personal-agent/chromium-automation-purchase/**)", "Write(~/.personal-agent/chromium-sync/**)", "Edit(~/.personal-agent/chromium-sync/**)", "Write(~/.personal-agent/chromium-automation/**)", "Edit(~/.personal-agent/chromium-automation/**)", "Write(~/.personal-agent/chromium-automation-anon/**)", "Edit(~/.personal-agent/chromium-automation-anon/**)", "Write(~/.personal-agent/chromium-automation-auth/**)", "Edit(~/.personal-agent/chromium-automation-auth/**)", "Write(~/.personal-agent/chromium-automation-purchase/**)", "Edit(~/.personal-agent/chromium-automation-purchase/**)", "CronCreate", "CronList", "CronDelete", "RemoteTrigger", "PushNotification", "Bash(chmod *)", "Bash(chown *)", "Bash(git push --force *)", "Bash(git push -f *)", "Bash(git reset --hard *)", "Bash(git clean *)"];
 /**
  * Shape of a "watched git repository" — projected from the unified
  * `repositories` table by `selectGitWatchedRepos` for legacy consumers
@@ -137,6 +137,12 @@ export declare const runtimeSettingsSchema: z.ZodObject<{
     dmStalenessStrict: z.ZodDefault<z.ZodBoolean>;
     proactiveForwardChannelTimelineEnabled: z.ZodDefault<z.ZodBoolean>;
     proactiveForwardForceFreshSession: z.ZodDefault<z.ZodBoolean>;
+    feedbackLearningEnabled: z.ZodDefault<z.ZodBoolean>;
+    feedbackPromotionThreshold: z.ZodDefault<z.ZodNumber>;
+    feedbackLessonMaxBytesGlobal: z.ZodDefault<z.ZodNumber>;
+    feedbackLessonMaxBytesPerAgent: z.ZodDefault<z.ZodNumber>;
+    feedbackLessonStaleDays: z.ZodDefault<z.ZodNumber>;
+    feedbackSignalRetentionDays: z.ZodDefault<z.ZodNumber>;
     agentDisplayName: z.ZodDefault<z.ZodString>;
     character: z.ZodDefault<z.ZodString>;
     timezone: z.ZodDefault<z.ZodString>;
@@ -281,7 +287,7 @@ export declare const runtimeSettingsSchema: z.ZodObject<{
     voiceTranscriptionPrimaryLanguage: z.ZodDefault<z.ZodNullable<z.ZodString>>;
 }, z.core.$strip>;
 export type RuntimeSettings = z.infer<typeof runtimeSettingsSchema>;
-export declare const RUNTIME_SETTING_KEYS: readonly ["slackOwnerUserId", "telegramOwnerChatId", "discordOwnerUserId", "whatsappEnabled", "whatsappOwnerPhone", "whatsappAuthDir", "googleCalendarId", "notionDatabaseIds", "primaryVaultPath", "primaryVaultName", "externalObsidianVaultPath", "externalObsidianVaultName", "externalObsidianWatch", "gitAccounts", "advisorEnabled", "advisorModel", "enforceReadToken", "maxConcurrentSessions", "maxReactiveSessions", "delegatedProxyMaxConcurrent", "delegatedTaskModeEnabled", "delegatedTaskMaxPerDay", "delegatedTaskDefaultMaxToolCalls", "delegatedTaskDefaultMaxBudgetUsd", "delegatedTaskDefaultTimeoutMs", "delegatedTaskHeavyEnabled", "delegatedTaskStructuredOutputEnabled", "delegatedTaskSubprocessPoolEnabled", "delegatedTaskSubprocessPoolTtlSeconds", "delegatedTaskCacheEnabled", "delegatedTaskCacheTtlSeconds", "delegatedTaskCacheMaxEntries", "executeTimeoutMinutes", "sessionTimeoutDmMinutes", "sessionTimeoutChannelMinutes", "sessionTimeoutDashboardMinutes", "historyInjectionMaxMessages", "historyInjectionMaxTokens", "historyOtherSurfaceWindowMinutes", "dmStalenessStrict", "proactiveForwardChannelTimelineEnabled", "proactiveForwardForceFreshSession", "agentDisplayName", "character", "timezone", "dayBoundaryHour", "monthlyReviewEnabled", "browserTaskMaxConcurrent", "browserTaskPendingQueueTimeoutMinutes", "browserTaskRespectQuietHours", "browserTaskHostnameDenylist", "hourlyCheckEnabled", "hourlyCheckIntervalMinutes", "hourlyCheckActiveStartHour", "hourlyCheckActiveEndHour", "hourlyCheckMinObservations", "hourlyCheckStage2Enabled", "hourlyCheckHeartbeatHours", "hourlyCheckLowSignalPendingCeiling", "hourlyCheckPrePassFreshnessMinutes", "authProbeDisabled", "authPreflightFreshnessMs", "schedulePollIntervalSeconds", "maxBriefingDelayMinutes", "maxNotificationsPerHour", "maxNotificationsPerDay", "quietHoursStart", "quietHoursEnd", "batchIntervalMinutes", "primaryPlatform", "defaultNotificationPlatforms", "disallowedTools", "allowedToolsOverride", "claudeExecutionPermissionMode", "codexExecutionPermissionMode", "geminiExecutionPermissionMode", "opencodeExecutionPermissionMode", "opencodeBaseUrl", "opencodeServerUsername", "obsidianDebounceSeconds", "gitPollIntervalSeconds", "gitPushOverdueMinutes", "gitProjectUpdateDebounceMinutes", "notionPollIntervalSeconds", "calendarPollIntervalSeconds", "gmailPollIntervalSeconds", "githubPollIntervalSeconds", "browserHistoryConsentAccepted", "browserHistoryBrowserOverrides", "browserHistoryCategories", "browserHistoryRetentionDays", "browserHistorySearchQueryRetentionDays", "browserHistoryLifecycle", "browserHistoryResearchDomainAllowlist", "browserHistoryResearchDomainDenylist", "mcpAutoProbeIntervalMinutes", "delegatedProbeIntervalMinutes", "enabledMailProviders", "mailPollIntervalSeconds", "mailIdleEnabled", "mailIdleInstabilityThreshold", "mailIdleFallbackRecoveryMinutes", "mailMaxMessagesPerPoll", "mailAuthFailureRetryHours", "hourlyObservationCharBudget", "prePassMaxAttemptsPerIntegration", "prePassBackoffMs", "prePassRetryEscalationTier", "prePassFanOutConcurrency", "prePassMaxBudgetUsdPerIntegration", "prePassMaxBudgetUsdPerRoutine", "prePassRetryOnPartial", "observationSummarizerEnabled", "observationSummarizerConcurrency", "observationSummarizerMaxCallsPerMinute", "observationSummarizerQueueLimit", "observationSummarizerTimeoutMs", "vipMailSenders", "outlookDeltaPageSize", "outlookGraphConcurrency", "imapReconnectBaseMs", "imapReconnectMaxMs", "autonomousDailyCostCapUsd", "autonomousMonthlyCostCapUsd", "primaryLanguage", "vaultMode", "useReviewDossiers", "useContextIndex", "voiceTranscriptionEnabled", "voiceTranscriptionPrimaryLanguage"];
+export declare const RUNTIME_SETTING_KEYS: readonly ["slackOwnerUserId", "telegramOwnerChatId", "discordOwnerUserId", "whatsappEnabled", "whatsappOwnerPhone", "whatsappAuthDir", "googleCalendarId", "notionDatabaseIds", "primaryVaultPath", "primaryVaultName", "externalObsidianVaultPath", "externalObsidianVaultName", "externalObsidianWatch", "gitAccounts", "advisorEnabled", "advisorModel", "enforceReadToken", "maxConcurrentSessions", "maxReactiveSessions", "delegatedProxyMaxConcurrent", "delegatedTaskModeEnabled", "delegatedTaskMaxPerDay", "delegatedTaskDefaultMaxToolCalls", "delegatedTaskDefaultMaxBudgetUsd", "delegatedTaskDefaultTimeoutMs", "delegatedTaskHeavyEnabled", "delegatedTaskStructuredOutputEnabled", "delegatedTaskSubprocessPoolEnabled", "delegatedTaskSubprocessPoolTtlSeconds", "delegatedTaskCacheEnabled", "delegatedTaskCacheTtlSeconds", "delegatedTaskCacheMaxEntries", "executeTimeoutMinutes", "sessionTimeoutDmMinutes", "sessionTimeoutChannelMinutes", "sessionTimeoutDashboardMinutes", "historyInjectionMaxMessages", "historyInjectionMaxTokens", "historyOtherSurfaceWindowMinutes", "dmStalenessStrict", "proactiveForwardChannelTimelineEnabled", "proactiveForwardForceFreshSession", "feedbackLearningEnabled", "feedbackPromotionThreshold", "feedbackLessonMaxBytesGlobal", "feedbackLessonMaxBytesPerAgent", "feedbackLessonStaleDays", "feedbackSignalRetentionDays", "agentDisplayName", "character", "timezone", "dayBoundaryHour", "monthlyReviewEnabled", "browserTaskMaxConcurrent", "browserTaskPendingQueueTimeoutMinutes", "browserTaskRespectQuietHours", "browserTaskHostnameDenylist", "hourlyCheckEnabled", "hourlyCheckIntervalMinutes", "hourlyCheckActiveStartHour", "hourlyCheckActiveEndHour", "hourlyCheckMinObservations", "hourlyCheckStage2Enabled", "hourlyCheckHeartbeatHours", "hourlyCheckLowSignalPendingCeiling", "hourlyCheckPrePassFreshnessMinutes", "authProbeDisabled", "authPreflightFreshnessMs", "schedulePollIntervalSeconds", "maxBriefingDelayMinutes", "maxNotificationsPerHour", "maxNotificationsPerDay", "quietHoursStart", "quietHoursEnd", "batchIntervalMinutes", "primaryPlatform", "defaultNotificationPlatforms", "disallowedTools", "allowedToolsOverride", "claudeExecutionPermissionMode", "codexExecutionPermissionMode", "geminiExecutionPermissionMode", "opencodeExecutionPermissionMode", "opencodeBaseUrl", "opencodeServerUsername", "obsidianDebounceSeconds", "gitPollIntervalSeconds", "gitPushOverdueMinutes", "gitProjectUpdateDebounceMinutes", "notionPollIntervalSeconds", "calendarPollIntervalSeconds", "gmailPollIntervalSeconds", "githubPollIntervalSeconds", "browserHistoryConsentAccepted", "browserHistoryBrowserOverrides", "browserHistoryCategories", "browserHistoryRetentionDays", "browserHistorySearchQueryRetentionDays", "browserHistoryLifecycle", "browserHistoryResearchDomainAllowlist", "browserHistoryResearchDomainDenylist", "mcpAutoProbeIntervalMinutes", "delegatedProbeIntervalMinutes", "enabledMailProviders", "mailPollIntervalSeconds", "mailIdleEnabled", "mailIdleInstabilityThreshold", "mailIdleFallbackRecoveryMinutes", "mailMaxMessagesPerPoll", "mailAuthFailureRetryHours", "hourlyObservationCharBudget", "prePassMaxAttemptsPerIntegration", "prePassBackoffMs", "prePassRetryEscalationTier", "prePassFanOutConcurrency", "prePassMaxBudgetUsdPerIntegration", "prePassMaxBudgetUsdPerRoutine", "prePassRetryOnPartial", "observationSummarizerEnabled", "observationSummarizerConcurrency", "observationSummarizerMaxCallsPerMinute", "observationSummarizerQueueLimit", "observationSummarizerTimeoutMs", "vipMailSenders", "outlookDeltaPageSize", "outlookGraphConcurrency", "imapReconnectBaseMs", "imapReconnectMaxMs", "autonomousDailyCostCapUsd", "autonomousMonthlyCostCapUsd", "primaryLanguage", "vaultMode", "useReviewDossiers", "useContextIndex", "voiceTranscriptionEnabled", "voiceTranscriptionPrimaryLanguage"];
 export type RuntimeSettingKey = (typeof RUNTIME_SETTING_KEYS)[number];
 export declare const INTERNAL_RUNTIME_SETTING_KEYS: readonly ["enforceReadToken", "useReviewDossiers", "useContextIndex"];
 export type InternalRuntimeSettingKey = (typeof INTERNAL_RUNTIME_SETTING_KEYS)[number];

package/dist/settings/runtime-settings.js

@@ -268,6 +268,12 @@ export const runtimeSettingsSchema = z.object({
     dmStalenessStrict: z.boolean().default(false),
     proactiveForwardChannelTimelineEnabled: z.boolean().default(true),
     proactiveForwardForceFreshSession: z.boolean().default(false),
+    feedbackLearningEnabled: z.boolean().default(true),
+    feedbackPromotionThreshold: z.number().int().min(1).max(10).default(2),
+    feedbackLessonMaxBytesGlobal: z.number().int().min(1024).max(32768).default(8192),
+    feedbackLessonMaxBytesPerAgent: z.number().int().min(512).max(16384).default(4096),
+    feedbackLessonStaleDays: z.number().int().min(7).max(365).default(60),
+    feedbackSignalRetentionDays: z.number().int().min(30).max(365).default(180),
     agentDisplayName: z.string().default(DEFAULT_AGENT_DISPLAY_NAME).refine((value) => validateAgentDisplayName(value) === null, { message: "PA_AGENT_DISPLAY_NAME must be a single line, 40 characters or fewer" }),
     /**
      * User-defined communication style / persona. See docs/design/15-character.md.
@@ -900,6 +906,12 @@ export const RUNTIME_SETTING_KEYS = [
     "dmStalenessStrict",
     "proactiveForwardChannelTimelineEnabled",
     "proactiveForwardForceFreshSession",
+    "feedbackLearningEnabled",
+    "feedbackPromotionThreshold",
+    "feedbackLessonMaxBytesGlobal",
+    "feedbackLessonMaxBytesPerAgent",
+    "feedbackLessonStaleDays",
+    "feedbackSignalRetentionDays",
     "agentDisplayName",
     "character",
     "timezone",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aitne/daemon",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Aitne daemon — long-running TypeScript service that hosts the event bus, scheduler, observers, safety layer, and HTTP API. Consumed by the `aitne` CLI; not intended for standalone use.",
   "homepage": "https://github.com/Aitne-sh/Aitne#readme",
   "bugs": {
@@ -66,7 +66,7 @@
     "telegraf": "^4.16.3",
     "tsdav": "^2.1.8",
     "zod": "^4.3.6",
-    "@aitne/shared": "0.1.9"
+    "@aitne/shared": "0.1.10"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",