@alook/cli 0.0.14 → 0.0.16

package/dist/index.js

@@ -297,14 +297,30 @@ function statusCommand() {
 // commands/daemon.ts
 import { Command as Command3 } from "commander";
 import { spawn as spawn3 } from "child_process";
-import { openSync as openSync2, closeSync as closeSync2, mkdirSync as mkdirSync4 } from "fs";
+import { openSync as openSync2, closeSync as closeSync2, mkdirSync as mkdirSync6 } from "fs";
 import { dirname as dirname4 } from "path";
 
 // ../shared/src/constants.ts
+var TaskStatus = {
+  QUEUED: "queued",
+  DISPATCHED: "dispatched",
+  RUNNING: "running",
+  COMPLETED: "completed",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
+  SUPERSEDED: "superseded"
+};
+var TERMINAL_TASK_STATUSES = [
+  TaskStatus.COMPLETED,
+  TaskStatus.FAILED,
+  TaskStatus.CANCELLED,
+  TaskStatus.SUPERSEDED
+];
 var TASK_TYPES = {
   USER_DM_MESSAGE: "user_dm_message",
   EMAIL_NOTIFICATION: "email_notification",
-  CALENDAR_EVENT: "calendar_event"
+  CALENDAR_EVENT: "calendar_event",
+  KILL_TASK: "kill_task"
 };
 var POLL_INTERVAL_MS = Number(process.env.POLL_INTERVAL_MS) || 3000;
 var OFFLINE_THRESHOLD_MS = Number(process.env.OFFLINE_THRESHOLD_MS) || 9000;
@@ -13851,7 +13867,8 @@ var TaskStatusSchema = exports_external.enum([
   "running",
   "completed",
   "failed",
-  "cancelled"
+  "cancelled",
+  "superseded"
 ]);
 var ClaimedTaskRowSchema = exports_external.object({
   id: exports_external.string(),
@@ -14032,8 +14049,9 @@ var UpdateAgentRequestSchema = exports_external.object({
   description: exports_external.string().optional(),
   instructions: exports_external.string().optional(),
   runtime_id: exports_external.string().min(1).optional(),
-  runtime_config: RuntimeConfigSchema
-}).refine((v) => v.name !== undefined || v.description !== undefined || v.instructions !== undefined || v.runtime_id !== undefined || v.runtime_config !== undefined, { message: "at least one field is required" });
+  runtime_config: RuntimeConfigSchema,
+  visibility: exports_external.enum(["public", "private"]).optional()
+}).refine((v) => v.name !== undefined || v.description !== undefined || v.instructions !== undefined || v.runtime_id !== undefined || v.runtime_config !== undefined || v.visibility !== undefined, { message: "at least one field is required" });
 var CreateConversationRequestSchema = exports_external.object({
   agent_id: exports_external.string().min(1, "agent_id is required")
 });
@@ -14125,6 +14143,16 @@ var CreateWorkspaceRequestSchema = exports_external.object({
   name: exports_external.string().min(1, "name is required"),
   slug: exports_external.string().min(1, "slug is required")
 });
+var UpdateWorkspaceRequestSchema = exports_external.object({
+  name: exports_external.string().min(1, "name is required").max(100).trim().optional(),
+  slug: exports_external.string().min(1, "slug is required").max(100).trim().toLowerCase().optional()
+});
+var DeleteWorkspaceRequestSchema = exports_external.object({
+  confirm_name: exports_external.string().min(1, "confirm_name is required")
+});
+var GrantAgentAccessRequestSchema = exports_external.object({
+  user_id: exports_external.string().min(1, "user_id is required")
+});
 // ../../node_modules/.pnpm/drizzle-orm@0.45.2_@cloudflare+workers-types@4.20260418.1_@opentelemetry+api@1.9.1_bun-types@1.3.12_kysely@0.28.16/node_modules/drizzle-orm/entity.js
 var entityKind = Symbol.for("drizzle:entityKind");
 var hasOwnEntityKind = Symbol.for("drizzle:hasOwnEntityKind");
@@ -15556,6 +15584,48 @@ var member = sqliteTable("member", {
   globalInstruction: text("global_instruction").notNull().default(""),
   createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
 }, (t) => [unique("member_workspace_user").on(t.workspaceId, t.userId)]);
+var workspaceInvite = sqliteTable("workspace_invite", {
+  id: text("id").primaryKey().$defaultFn(() => "inv_" + nanoid3()),
+  workspaceId: text("workspace_id").notNull().references(() => workspace.id, { onDelete: "cascade" }),
+  token: text("token").unique().notNull().$defaultFn(() => nanoid3(32)),
+  createdBy: text("created_by").notNull().references(() => user.id, { onDelete: "cascade" }),
+  usedBy: text("used_by").references(() => user.id, { onDelete: "set null" }),
+  usedAt: text("used_at"),
+  expiresAt: text("expires_at").notNull(),
+  createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
+}, (t) => [
+  index("idx_workspace_invite_token").on(t.token),
+  index("idx_workspace_invite_workspace").on(t.workspaceId)
+]);
+var agentAccess = sqliteTable("agent_access", {
+  id: text("id").primaryKey().$defaultFn(() => nanoid3()),
+  agentId: text("agent_id").notNull(),
+  workspaceId: text("workspace_id").notNull(),
+  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
+}, (t) => [
+  unique("agent_access_agent_ws_user").on(t.agentId, t.workspaceId, t.userId),
+  index("idx_agent_access_agent_ws").on(t.agentId, t.workspaceId),
+  index("idx_agent_access_user").on(t.userId),
+  foreignKey({
+    columns: [t.agentId, t.workspaceId],
+    foreignColumns: [agent.id, agent.workspaceId]
+  }).onDelete("cascade")
+]);
+var agentPin = sqliteTable("agent_pin", {
+  id: text("id").primaryKey().$defaultFn(() => nanoid3()),
+  agentId: text("agent_id").notNull(),
+  workspaceId: text("workspace_id").notNull(),
+  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
+}, (t) => [
+  unique("agent_pin_agent_ws_user").on(t.agentId, t.workspaceId, t.userId),
+  index("idx_agent_pin_ws_user").on(t.workspaceId, t.userId),
+  foreignKey({
+    columns: [t.agentId, t.workspaceId],
+    foreignColumns: [agent.id, agent.workspaceId]
+  }).onDelete("cascade")
+]);
 var machine = sqliteTable("machine", {
   daemonId: text("daemon_id").notNull(),
   workspaceId: text("workspace_id").notNull().references(() => workspace.id, { onDelete: "cascade" }),
@@ -15693,6 +15763,7 @@ var emails = sqliteTable("emails", {
   htmlBody: text("html_body").notNull().default(""),
   attachments: text("attachments").notNull().default("[]"),
   status: text("status").notNull().default("unread"),
+  direction: text("direction").notNull().default("inbound"),
   createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
 }, (t) => [
   foreignKey({
@@ -15826,16 +15897,33 @@ class DaemonClient {
       "Content-Type": "application/json",
       Authorization: `Bearer ${token}`
     };
-    const res = await fetch(this.baseURL + path, {
-      method,
-      headers,
-      body: body ? JSON.stringify(body) : undefined
-    });
-    if (!res.ok)
-      throw new Error(`HTTP ${res.status}: ${await res.text()}`);
-    if (res.status === 204)
-      return;
-    return res.json();
+    const MAX_RETRIES = 3;
+    const BASE_DELAY_MS = 500;
+    let lastError;
+    for (let attempt = 0;attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const res = await fetch(this.baseURL + path, {
+          method,
+          headers,
+          body: body ? JSON.stringify(body) : undefined
+        });
+        if (!res.ok)
+          throw new Error(`HTTP ${res.status}: ${await res.text()}`);
+        if (res.status === 204)
+          return;
+        return res.json();
+      } catch (e) {
+        if (e instanceof TypeError) {
+          lastError = e;
+          if (attempt < MAX_RETRIES) {
+            await new Promise((r) => setTimeout(r, BASE_DELAY_MS * 2 ** attempt));
+            continue;
+          }
+        }
+        throw e;
+      }
+    }
+    throw lastError;
   }
   async register(token, body) {
     const raw = await this.request("POST", "/api/daemon/register", token, body);
@@ -15866,15 +15954,35 @@ class DaemonClient {
       error: error48
     });
   }
+  supersedeTask(token, taskId) {
+    return this.request("POST", `/api/daemon/tasks/${taskId}/supersede`, token);
+  }
   async getArtifactMeta(token, artifactId, workspaceId) {
     return this.request("GET", `/api/artifacts/${artifactId}?workspace_id=${encodeURIComponent(workspaceId)}`, token);
   }
   async downloadArtifact(token, artifactId, workspaceId) {
-    const res = await fetch(`${this.baseURL}/api/artifacts/${artifactId}/content?workspace_id=${encodeURIComponent(workspaceId)}`, { headers: { Authorization: `Bearer ${token}` } });
-    if (!res.ok) {
-      throw new Error(`artifact download failed: HTTP ${res.status}`);
+    const MAX_RETRIES = 3;
+    const BASE_DELAY_MS = 500;
+    let lastError;
+    for (let attempt = 0;attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const res = await fetch(`${this.baseURL}/api/artifacts/${artifactId}/content?workspace_id=${encodeURIComponent(workspaceId)}`, { headers: { Authorization: `Bearer ${token}` } });
+        if (!res.ok) {
+          throw new Error(`artifact download failed: HTTP ${res.status}`);
+        }
+        return res.arrayBuffer();
+      } catch (e) {
+        if (e instanceof TypeError) {
+          lastError = e;
+          if (attempt < MAX_RETRIES) {
+            await new Promise((r) => setTimeout(r, BASE_DELAY_MS * 2 ** attempt));
+            continue;
+          }
+        }
+        throw e;
+      }
     }
-    return res.arrayBuffer();
+    throw lastError;
   }
   reportMessages(token, taskId, messages) {
     return this.request("POST", `/api/daemon/tasks/${taskId}/messages`, token, { messages });
@@ -16282,13 +16390,172 @@ async function handleCliUpdate(version3, onSuccess, profile) {
   }
 }
 
+// daemon/execenv/timeline.ts
+import { appendFileSync, readFileSync as readFileSync5, writeFileSync as writeFileSync4, renameSync } from "fs";
+import { join as join4 } from "path";
+
+// daemon/execenv/filelock.ts
+import { mkdirSync as mkdirSync3, rmdirSync, statSync } from "fs";
+var DEFAULT_STALE_MS = 3600000;
+function acquireLock(lockPath, staleMs = DEFAULT_STALE_MS) {
+  try {
+    mkdirSync3(lockPath);
+    return true;
+  } catch {
+    try {
+      const stat = statSync(lockPath);
+      if (Date.now() - stat.mtimeMs > staleMs) {
+        rmdirSync(lockPath);
+        try {
+          mkdirSync3(lockPath);
+          return true;
+        } catch {
+          return false;
+        }
+      }
+    } catch {
+      try {
+        mkdirSync3(lockPath);
+        return true;
+      } catch {
+        return false;
+      }
+    }
+    return false;
+  }
+}
+function releaseLock(lockPath) {
+  try {
+    rmdirSync(lockPath);
+  } catch {}
+}
+
+// daemon/execenv/timeline.ts
+function readJsonl(filePath) {
+  let content;
+  try {
+    content = readFileSync5(filePath, "utf-8");
+  } catch {
+    return [];
+  }
+  const entries = [];
+  for (const line of content.trimEnd().split(`
+`)) {
+    if (!line)
+      continue;
+    try {
+      entries.push(JSON.parse(line));
+    } catch {}
+  }
+  return entries;
+}
+function filenameForDate(date5) {
+  const y = date5.getFullYear();
+  const m = String(date5.getMonth() + 1).padStart(2, "0");
+  const d = String(date5.getDate()).padStart(2, "0");
+  return `${y}-${m}-${d}.jsonl`;
+}
+function recentFilenames(maxDays) {
+  const filenames = [];
+  const now = new Date;
+  for (let i = 0;i < maxDays; i++) {
+    const d = new Date(now);
+    d.setDate(d.getDate() - i);
+    filenames.push(filenameForDate(d));
+  }
+  return filenames;
+}
+var DEFAULT_RESUME_MAX_AGE_MS = 3 * 60 * 60 * 1000;
+var EMAIL_RESUME_MAX_AGE_MS = 48 * 60 * 60 * 1000;
+function findRunningPidByTaskId(timelineDir, taskId) {
+  for (const filename of recentFilenames(7)) {
+    const entries = readJsonl(join4(timelineDir, filename));
+    for (const entry of entries) {
+      if (entry.task_id === taskId && entry.status === "running" && entry.pid != null) {
+        return entry.pid;
+      }
+    }
+  }
+  return null;
+}
+function findRunningEntryByContextKey(timelineDir, contextKey, provider) {
+  for (const filename of recentFilenames(7)) {
+    const dayEntries = readJsonl(join4(timelineDir, filename));
+    for (let i = dayEntries.length - 1;i >= 0; i--) {
+      const entry = dayEntries[i];
+      if (entry.status === "running" && entry.context_key === contextKey && entry.provider === provider) {
+        return entry;
+      }
+    }
+  }
+  return null;
+}
+
+// daemon/execenv/steering.ts
+import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync5, readFileSync as readFileSync6, unlinkSync as unlinkSync3, readdirSync, statSync as statSync2 } from "fs";
+import { join as join5 } from "path";
+var INTENT_DIR_NAME = ".kill_intents";
+var STEERING_LOCK_DIR = ".steering_locks";
+var INTENT_STALE_MS = 10 * 60 * 1000;
+function intentFilePath(baseDir, taskId) {
+  return join5(baseDir, INTENT_DIR_NAME, `${taskId}.json`);
+}
+function intentDirPath(baseDir) {
+  return join5(baseDir, INTENT_DIR_NAME);
+}
+function steeringLockPath(baseDir, contextKey) {
+  const safeKey = contextKey.replace(/[^a-zA-Z0-9_:-]/g, "_");
+  return join5(baseDir, STEERING_LOCK_DIR, safeKey);
+}
+function writeKillIntent(baseDir, intent) {
+  const dir = intentDirPath(baseDir);
+  try {
+    mkdirSync4(dir, { recursive: true });
+  } catch {}
+  const filePath = intentFilePath(baseDir, intent.targetTaskId);
+  writeFileSync5(filePath, JSON.stringify(intent));
+}
+function cleanupStaleIntents(baseDir) {
+  const dir = intentDirPath(baseDir);
+  let files;
+  try {
+    files = readdirSync(dir).filter((f) => f.endsWith(".json"));
+  } catch {
+    return;
+  }
+  const now = Date.now();
+  for (const file2 of files) {
+    const filePath = join5(dir, file2);
+    try {
+      const content = readFileSync6(filePath, "utf-8");
+      const intent = JSON.parse(content);
+      const stat = statSync2(filePath);
+      if (now - stat.mtimeMs > INTENT_STALE_MS) {
+        unlinkSync3(filePath);
+        log.debug(`Cleaned up stale kill intent for task ${intent.targetTaskId}`);
+      }
+    } catch {}
+  }
+}
+function acquireSteeringLock(baseDir, contextKey) {
+  const lockPath = steeringLockPath(baseDir, contextKey);
+  try {
+    mkdirSync4(join5(baseDir, STEERING_LOCK_DIR), { recursive: true });
+  } catch {}
+  return acquireLock(lockPath, 60000);
+}
+function releaseSteeringLock(baseDir, contextKey) {
+  const lockPath = steeringLockPath(baseDir, contextKey);
+  releaseLock(lockPath);
+}
+
 // daemon/daemon.ts
-import { existsSync, mkdirSync as mkdirSync3, openSync, closeSync, readdirSync, statSync, unlinkSync as unlinkSync3 } from "fs";
+import { existsSync, mkdirSync as mkdirSync5, openSync, closeSync, readdirSync as readdirSync2, statSync as statSync3, unlinkSync as unlinkSync4 } from "fs";
 import { execSync as execSync3, spawn as spawn2 } from "child_process";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { dirname as dirname3, join as join4 } from "path";
+import { dirname as dirname3, join as join6 } from "path";
 var _dir = dirname3(fileURLToPath2(import.meta.url));
-var sessionRunnerPath = existsSync(join4(_dir, "session-runner.js")) ? join4(_dir, "session-runner.js") : join4(_dir, "session-runner.ts");
+var sessionRunnerPath = existsSync(join6(_dir, "session-runner.js")) ? join6(_dir, "session-runner.js") : join6(_dir, "session-runner.ts");
 function isCommandAvailable2(cmd) {
   try {
     const check2 = process.platform === "win32" ? `where ${cmd}` : `which ${cmd}`;
@@ -16298,21 +16565,21 @@ function isCommandAvailable2(cmd) {
     return false;
   }
 }
-var MAX_SESSION_RUNNER_LOGS = 50;
+var MAX_SESSION_RUNNER_LOGS = 500;
 function pruneSessionRunnerLogs() {
   const logDir = sessionRunnerLogDir();
   let entries;
   try {
-    entries = readdirSync(logDir).filter((f) => f.endsWith(".log"));
+    entries = readdirSync2(logDir).filter((f) => f.endsWith(".log"));
   } catch {
     return;
   }
   if (entries.length <= MAX_SESSION_RUNNER_LOGS)
     return;
   const withMtime = entries.map((name) => {
-    const full = join4(logDir, name);
+    const full = join6(logDir, name);
     try {
-      return { name, mtime: statSync(full).mtimeMs };
+      return { name, mtime: statSync3(full).mtimeMs };
     } catch {
       return { name, mtime: 0 };
     }
@@ -16320,7 +16587,7 @@ function pruneSessionRunnerLogs() {
   withMtime.sort((a, b) => b.mtime - a.mtime);
   for (const entry of withMtime.slice(MAX_SESSION_RUNNER_LOGS)) {
     try {
-      unlinkSync3(join4(logDir, entry.name));
+      unlinkSync4(join6(logDir, entry.name));
     } catch {}
   }
 }
@@ -16399,12 +16666,7 @@ async function startDaemon(profile, serverUrl) {
       });
     } catch (e) {
       if (e instanceof Error && e.message.startsWith("HTTP 401")) {
-        log.warn(`Workspace ${ws.id} token invalid — removing from config`);
-        try {
-          const cfg = loadCLIConfigForProfile(profile);
-          cfg.watched_workspaces = (cfg.watched_workspaces || []).filter((w) => w.id !== ws.id);
-          saveCLIConfigForProfile(profile, cfg);
-        } catch {}
+        log.warn(`Workspace ${ws.id} token invalid — skipping (run '${cmdPrefix()} register --token <token>' to fix)`);
       } else {
         log.error(`Failed to register workspace ${ws.id}, skipping`, e);
       }
@@ -16463,7 +16725,7 @@ async function startDaemon(profile, serverUrl) {
       cfg.watched_workspaces = (cfg.watched_workspaces || []).filter((w) => w.id !== workspaceId);
       saveCLIConfigForProfile(profile, cfg);
     } catch {}
-    log.info(`Workspace ${workspaceId} evicted — runtimes removed server-side`);
+    log.info(`Workspace ${workspaceId} deleted server-side — removed from config`);
   }
   const pollCycle = async () => {
     let remaining = config2.maxConcurrentTasks - activeTasks.size;
@@ -16500,7 +16762,7 @@ async function startDaemon(profile, serverUrl) {
         }
       } catch (e) {
         if (e instanceof Error && e.message.startsWith("HTTP 401")) {
-          evictedIds.push(ws.workspaceId);
+          log.warn(`Workspace ${ws.workspaceId} poll returned 401 — will retry next cycle`);
         } else {
           log.debug("Poll error", e);
         }
@@ -16537,17 +16799,28 @@ async function startDaemon(profile, serverUrl) {
     releaseDaemonPid(profile);
     health.server.close(() => {
       if (restartRequested) {
-        const args = ["daemon", "start", "--foreground"];
+        const entry = process.argv[1];
+        const args = [entry, "daemon", "start", "--foreground"];
         if (profile)
           args.push("--profile", profile);
         if (serverUrl)
           args.push("--server", serverUrl);
-        const child = spawn2("alook", args, {
+        const logPath = daemonLogFilePath();
+        let logFd;
+        try {
+          mkdirSync5(dirname3(logPath), { recursive: true, mode: 448 });
+          logFd = openSync(logPath, "a", 384);
+        } catch (e) {
+          log.error(`Failed to open daemon log file ${logPath}`, e);
+        }
+        const child = spawn2(process.execPath, args, {
           detached: true,
-          stdio: ["ignore", "ignore", "ignore"]
+          stdio: logFd != null ? ["ignore", logFd, logFd] : ["ignore", "ignore", "ignore"]
         });
         child.unref();
-        log.info(`Spawned new daemon (pid=${child.pid})`);
+        if (logFd != null)
+          closeSync(logFd);
+        log.info(`Spawned new daemon (pid=${child.pid}), logs: ${logPath}`);
       }
       clearTimeout(timeout);
       process.exit(0);
@@ -16559,21 +16832,62 @@ async function startDaemon(profile, serverUrl) {
 }
 function spawnSessionRunner(input) {
   const logDir = sessionRunnerLogDir();
-  mkdirSync3(logDir, { recursive: true });
-  const logFilePath = join4(logDir, `${input.task.id}.log`);
+  mkdirSync5(logDir, { recursive: true });
+  const logFilePath = join6(logDir, `${input.task.id}.log`);
   input.logFilePath = logFilePath;
   const encoded = Buffer.from(JSON.stringify(input)).toString("base64");
-  const fd = openSync(logFilePath, "a");
+  let fd;
+  try {
+    fd = openSync(logFilePath, "a");
+  } catch (e) {
+    log.error(`Failed to open log file ${logFilePath}`, e);
+  }
   const child = spawn2(process.execPath, [sessionRunnerPath, encoded], {
     detached: true,
-    stdio: ["ignore", fd, fd]
+    stdio: fd != null ? ["ignore", fd, fd] : ["ignore", "ignore", "ignore"]
   });
   child.unref();
-  closeSync(fd);
+  if (fd != null)
+    closeSync(fd);
   return child;
 }
 async function handleTask(client, config2, runtimeIndex, task, token, activeTasks) {
   log.info(`Task ${task.id} claimed agent=${task.agentId}`);
+  if (task.type === TASK_TYPES.KILL_TASK) {
+    const targetTaskId = task.context?.target_task_id;
+    if (!targetTaskId) {
+      await client.failTask(token, task.id, "missing target_task_id in context");
+      activeTasks.delete(task.id);
+      return;
+    }
+    const agentBaseDir = join6(config2.workspacesRoot, task.workspaceId, task.agentId, "workdir");
+    const timelineDir = join6(agentBaseDir, ".context_timeline");
+    const pid = findRunningPidByTaskId(timelineDir, targetTaskId);
+    if (pid != null) {
+      writeKillIntent(agentBaseDir, {
+        reason: "cancelled",
+        targetTaskId,
+        expectedPid: pid
+      });
+      try {
+        process.kill(pid, "SIGTERM");
+        await client.failTask(token, task.id, "killed");
+        log.info(`Kill task ${task.id}: sent SIGTERM to pid=${pid} for target=${targetTaskId}`);
+      } catch (e) {
+        if (e?.code === "ESRCH") {
+          await client.failTask(token, task.id, "target process already exited");
+          log.info(`Kill task ${task.id}: target pid=${pid} already exited`);
+        } else {
+          await client.failTask(token, task.id, `kill failed: ${e}`);
+        }
+      }
+    } else {
+      await client.failTask(token, task.id, "target not found in timeline");
+      log.info(`Kill task ${task.id}: target ${targetTaskId} not found in timeline`);
+    }
+    activeTasks.delete(task.id);
+    return;
+  }
   try {
     await client.startTask(token, task.id);
   } catch (e) {
@@ -16588,6 +16902,60 @@ async function handleTask(client, config2, runtimeIndex, task, token, activeTask
     return;
   }
   const provider = runtimeData.provider;
+  if (task.contextKey) {
+    const agentBaseDir = join6(config2.workspacesRoot, task.workspaceId, task.agentId, "workdir");
+    cleanupStaleIntents(agentBaseDir);
+    const timelineDir = join6(agentBaseDir, ".context_timeline");
+    const lockAcquired = acquireSteeringLock(agentBaseDir, task.contextKey);
+    if (!lockAcquired) {
+      log.warn(`Steering lock contention for context_key=${task.contextKey}, proceeding without steering`);
+    } else {
+      try {
+        const predecessor = findRunningEntryByContextKey(timelineDir, task.contextKey, provider);
+        if (predecessor && predecessor.task_id !== task.id) {
+          log.info(`Steering: task ${task.id} supersedes predecessor ${predecessor.task_id} (context_key=${task.contextKey})`);
+          if (predecessor.pid != null) {
+            writeKillIntent(agentBaseDir, {
+              reason: "superseded",
+              targetTaskId: predecessor.task_id,
+              expectedPid: predecessor.pid,
+              successorTaskId: task.id
+            });
+            try {
+              process.kill(predecessor.pid, "SIGTERM");
+              log.info(`Steering: sent SIGTERM to predecessor pid=${predecessor.pid}`);
+            } catch (e) {
+              if (e?.code === "ESRCH") {
+                log.info(`Steering: predecessor pid=${predecessor.pid} already exited`);
+              } else {
+                log.warn(`Steering: kill failed for pid=${predecessor.pid}`, e);
+              }
+            }
+            const waitStart = Date.now();
+            const MAX_WAIT_MS = 15000;
+            const POLL_MS = 200;
+            while (Date.now() - waitStart < MAX_WAIT_MS) {
+              const stillRunning = findRunningPidByTaskId(timelineDir, predecessor.task_id);
+              if (stillRunning == null)
+                break;
+              await new Promise((r) => setTimeout(r, POLL_MS));
+            }
+            if (findRunningPidByTaskId(timelineDir, predecessor.task_id) != null) {
+              log.warn(`Steering: predecessor pid=${predecessor.pid} did not exit within ${MAX_WAIT_MS}ms, proceeding anyway`);
+            }
+          }
+          try {
+            await client.supersedeTask(token, predecessor.task_id);
+            log.info(`Steering: predecessor ${predecessor.task_id} marked superseded`);
+          } catch (e) {
+            log.warn(`Steering: failed to mark predecessor superseded server-side`, e);
+          }
+        }
+      } finally {
+        releaseSteeringLock(agentBaseDir, task.contextKey);
+      }
+    }
+  }
   const cliPath = provider === "claude" ? config2.claudePath : provider === "codex" ? config2.codexPath : config2.opencodePath;
   const configModel = provider === "claude" ? config2.claudeModel : provider === "codex" ? config2.codexModel : config2.opencodeModel;
   const agentModel = task.agent?.runtimeConfig?.model;
@@ -16642,7 +17010,7 @@ async function startInBackground(profile, serverUrl) {
     return;
   }
   const logPath = daemonLogFilePath();
-  mkdirSync4(dirname4(logPath), { recursive: true, mode: 448 });
+  mkdirSync6(dirname4(logPath), { recursive: true, mode: 448 });
   const logFd = openSync2(logPath, "a", 384);
   const child = spawn3(process.execPath, buildChildArgs(profile, serverUrl), {
     detached: true,
@@ -16733,6 +17101,14 @@ function daemonCommand() {
 import { Command as Command4 } from "commander";
 
 // lib/output.ts
+function printTable(headers, rows) {
+  const widths = headers.map((h, i) => Math.max(h.length, ...rows.map((r) => (r[i] || "").length)));
+  const header = headers.map((h, i) => h.padEnd(widths[i])).join("  ");
+  const separator = widths.map((w) => "-".repeat(w)).join("  ");
+  console.log(header);
+  console.log(separator);
+  rows.forEach((r) => console.log(r.map((c, i) => (c || "").padEnd(widths[i])).join("  ")));
+}
 function printJSON(data) {
   console.log(JSON.stringify(data, null, 2));
 }
@@ -16752,8 +17128,8 @@ function configCommand() {
 
 // commands/email.ts
 import { Command as Command5 } from "commander";
-import { writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, readFileSync as readFileSync5, statSync as statSync2 } from "fs";
-import { basename, join as join5 } from "path";
+import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync7, readFileSync as readFileSync7, statSync as statSync4 } from "fs";
+import { basename, join as join7 } from "path";
 import PostalMime from "postal-mime";
 var VALID_STATUSES = ["unread", "read", "archived"];
 var EMAIL_BASE = "/tmp/alook-emails";
@@ -16784,7 +17160,10 @@ function collectRepeated(value, previous) {
   return previous.concat([value]);
 }
 function resolveClientOpts(command, opts) {
-  const parentOpts = command.parent?.parent?.opts() || {};
+  let root = command;
+  while (root.parent)
+    root = root.parent;
+  const parentOpts = root.opts() || {};
   const profile = parentOpts.profile;
   const cfg = loadCLIConfigForProfile(profile);
   const serverUrl = parentOpts.server || cfg.server_url;
@@ -16813,7 +17192,7 @@ function emailCommand() {
       console.error(`Error: invalid status "${opts.status}", must be one of: ${VALID_STATUSES.join(", ")}`);
       process.exit(1);
     }
-    const emailDir_base = join5(EMAIL_BASE, workspaceId, opts.agent_id);
+    const emailDir_base = join7(EMAIL_BASE, workspaceId, opts.agent_id);
     try {
       let query = `/api/email?agentId=${opts.agent_id}`;
       if (opts.status)
@@ -16827,11 +17206,11 @@ function emailCommand() {
         printJSON(emails2);
         return;
       }
-      mkdirSync5(emailDir_base, { recursive: true });
+      mkdirSync7(emailDir_base, { recursive: true });
       const downloadedPaths = [];
       for (const email3 of emails2) {
-        const emailDir = join5(emailDir_base, email3.id);
-        mkdirSync5(emailDir, { recursive: true });
+        const emailDir = join7(emailDir_base, email3.id);
+        mkdirSync7(emailDir, { recursive: true });
         const metadata = {
           id: email3.id,
           from: email3.from_email,
@@ -16843,8 +17222,8 @@ function emailCommand() {
           in_reply_to: email3.in_reply_to || "",
           references: email3.references || ""
         };
-        const metadataPath = join5(emailDir, "metadata.json");
-        writeFileSync4(metadataPath, JSON.stringify(metadata, null, 2));
+        const metadataPath = join7(emailDir, "metadata.json");
+        writeFileSync6(metadataPath, JSON.stringify(metadata, null, 2));
         downloadedPaths.push(metadataPath);
         let rawMime;
         try {
@@ -16859,18 +17238,18 @@ function emailCommand() {
         }
         const parsed = await new PostalMime().parse(rawMime);
         if (parsed.text) {
-          const bodyPath = join5(emailDir, "body.txt");
-          writeFileSync4(bodyPath, parsed.text);
+          const bodyPath = join7(emailDir, "body.txt");
+          writeFileSync6(bodyPath, parsed.text);
           downloadedPaths.push(bodyPath);
         }
         if (parsed.html) {
-          const htmlPath = join5(emailDir, "body.html");
-          writeFileSync4(htmlPath, parsed.html);
+          const htmlPath = join7(emailDir, "body.html");
+          writeFileSync6(htmlPath, parsed.html);
           downloadedPaths.push(htmlPath);
         }
         if (parsed.attachments && parsed.attachments.length > 0) {
-          const attDir = join5(emailDir, "attachments");
-          mkdirSync5(attDir, { recursive: true });
+          const attDir = join7(emailDir, "attachments");
+          mkdirSync7(attDir, { recursive: true });
           const usedFilenames = new Set;
           for (let i = 0;i < parsed.attachments.length; i++) {
             const att = parsed.attachments[i];
@@ -16879,7 +17258,7 @@ function emailCommand() {
               filename = `${i}-${filename}`;
             }
             usedFilenames.add(filename);
-            const attPath = join5(attDir, filename);
+            const attPath = join7(attDir, filename);
             const content = att.content;
             let buf;
             if (typeof content === "string") {
@@ -16889,7 +17268,7 @@ function emailCommand() {
             } else {
               buf = Buffer.from(content);
             }
-            writeFileSync4(attPath, buf);
+            writeFileSync6(attPath, buf);
             downloadedPaths.push(attPath);
           }
         }
@@ -16928,7 +17307,7 @@ function emailCommand() {
     const client = new APIClient(serverUrl, token, workspaceId);
     let htmlBody;
     try {
-      htmlBody = readFileSync5(opts.bodyFile, "utf-8");
+      htmlBody = readFileSync7(opts.bodyFile, "utf-8");
     } catch (err) {
       console.error(`Error: cannot read body file "${opts.bodyFile}": ${err instanceof Error ? err.message : err}`);
       process.exit(1);
@@ -16944,8 +17323,8 @@ function emailCommand() {
         let bytes;
         let size;
         try {
-          bytes = readFileSync5(path);
-          size = statSync2(path).size;
+          bytes = readFileSync7(path);
+          size = statSync4(path).size;
         } catch (err) {
           console.error(`Error: cannot read attachment "${path}": ${err instanceof Error ? err.message : err}`);
           process.exit(1);
@@ -16990,6 +17369,73 @@ function emailCommand() {
       process.exit(1);
     }
   });
+  const whitelistCmd = new Command5("whitelist").description("Manage email whitelist (allowed senders)");
+  whitelistCmd.command("list").description("List all whitelisted emails for an agent").requiredOption("--agent_id <id>", "Agent ID").option("--workspace <id>", "Workspace ID").option("--json", "Output as JSON").action(async (opts, command) => {
+    const { serverUrl, token, workspaceId } = resolveClientOpts(command, {
+      workspace: opts.workspace,
+      agentId: opts.agent_id
+    });
+    const client = new APIClient(serverUrl, token, workspaceId);
+    try {
+      const entries = await client.getJSON(`/api/agents/${opts.agent_id}/whitelist`);
+      if (!entries.length) {
+        console.log("No whitelisted emails.");
+        return;
+      }
+      if (opts.json) {
+        printJSON(entries);
+        return;
+      }
+      printTable(["ID", "EMAIL", "CREATED AT"], entries.map((e) => [e.id, e.email, e.created_at]));
+    } catch (err) {
+      console.error(`Error: ${err instanceof Error ? err.message : err}`);
+      process.exit(1);
+    }
+  });
+  whitelistCmd.command("add").description("Add an email to the whitelist").requiredOption("--agent_id <id>", "Agent ID").option("--workspace <id>", "Workspace ID").argument("<email>", "Email address to whitelist").action(async (email3, opts, command) => {
+    const { serverUrl, token, workspaceId } = resolveClientOpts(command, {
+      workspace: opts.workspace,
+      agentId: opts.agent_id
+    });
+    const client = new APIClient(serverUrl, token, workspaceId);
+    try {
+      const entry = await client.postJSON(`/api/agents/${opts.agent_id}/whitelist`, { email: email3.toLowerCase() });
+      console.log(`Added ${entry.email} to whitelist (id: ${entry.id})`);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("409")) {
+        console.error(`Error: ${email3.toLowerCase()} is already whitelisted`);
+      } else {
+        console.error(`Error: ${msg}`);
+      }
+      process.exit(1);
+    }
+  });
+  whitelistCmd.command("delete").description("Remove an email from the whitelist").requiredOption("--agent_id <id>", "Agent ID").option("--workspace <id>", "Workspace ID").argument("<email>", "Email address to remove").action(async (email3, opts, command) => {
+    const { serverUrl, token, workspaceId } = resolveClientOpts(command, {
+      workspace: opts.workspace,
+      agentId: opts.agent_id
+    });
+    const client = new APIClient(serverUrl, token, workspaceId);
+    const normalizedEmail = email3.toLowerCase();
+    try {
+      const entries = await client.getJSON(`/api/agents/${opts.agent_id}/whitelist`);
+      const entry = entries.find((e) => e.email === normalizedEmail);
+      if (!entry) {
+        console.error(`Error: ${normalizedEmail} is not in the whitelist`);
+        process.exit(1);
+      }
+      await client.deleteJSON(`/api/agents/${opts.agent_id}/whitelist/${entry.id}`);
+      console.log(`Removed ${normalizedEmail} from whitelist`);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg === "__exit__")
+        throw err;
+      console.error(`Error: ${msg}`);
+      process.exit(1);
+    }
+  });
+  cmd.addCommand(whitelistCmd);
   return cmd;
 }
 
@@ -17249,7 +17695,7 @@ ${result.output}`);
 
 // commands/sync.ts
 import { Command as Command9 } from "commander";
-import { readFileSync as readFileSync6, statSync as statSync3 } from "fs";
+import { readFileSync as readFileSync8, statSync as statSync5 } from "fs";
 import { basename as basename2 } from "path";
 var MIME_BY_EXT2 = {
   ".pdf": "application/pdf",
@@ -17298,9 +17744,9 @@ function syncCommand() {
     let bytes;
     let size;
     try {
-      const stat = statSync3(opts.file);
+      const stat = statSync5(opts.file);
       size = stat.size;
-      bytes = readFileSync6(opts.file);
+      bytes = readFileSync8(opts.file);
     } catch (err) {
       console.error(`Error: cannot read file "${opts.file}": ${err.message}`);
       process.exit(1);

package/dist/session-runner.js

@@ -18,10 +18,26 @@ import { mkdir, writeFile, rm } from "fs/promises";
 import path from "path";
 
 // ../shared/src/constants.ts
+var TaskStatus = {
+  QUEUED: "queued",
+  DISPATCHED: "dispatched",
+  RUNNING: "running",
+  COMPLETED: "completed",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
+  SUPERSEDED: "superseded"
+};
+var TERMINAL_TASK_STATUSES = [
+  TaskStatus.COMPLETED,
+  TaskStatus.FAILED,
+  TaskStatus.CANCELLED,
+  TaskStatus.SUPERSEDED
+];
 var TASK_TYPES = {
   USER_DM_MESSAGE: "user_dm_message",
   EMAIL_NOTIFICATION: "email_notification",
-  CALENDAR_EVENT: "calendar_event"
+  CALENDAR_EVENT: "calendar_event",
+  KILL_TASK: "kill_task"
 };
 var POLL_INTERVAL_MS = Number(process.env.POLL_INTERVAL_MS) || 3000;
 var OFFLINE_THRESHOLD_MS = Number(process.env.OFFLINE_THRESHOLD_MS) || 9000;
@@ -13568,7 +13584,8 @@ var TaskStatusSchema = exports_external.enum([
   "running",
   "completed",
   "failed",
-  "cancelled"
+  "cancelled",
+  "superseded"
 ]);
 var ClaimedTaskRowSchema = exports_external.object({
   id: exports_external.string(),
@@ -13749,8 +13766,9 @@ var UpdateAgentRequestSchema = exports_external.object({
   description: exports_external.string().optional(),
   instructions: exports_external.string().optional(),
   runtime_id: exports_external.string().min(1).optional(),
-  runtime_config: RuntimeConfigSchema
-}).refine((v) => v.name !== undefined || v.description !== undefined || v.instructions !== undefined || v.runtime_id !== undefined || v.runtime_config !== undefined, { message: "at least one field is required" });
+  runtime_config: RuntimeConfigSchema,
+  visibility: exports_external.enum(["public", "private"]).optional()
+}).refine((v) => v.name !== undefined || v.description !== undefined || v.instructions !== undefined || v.runtime_id !== undefined || v.runtime_config !== undefined || v.visibility !== undefined, { message: "at least one field is required" });
 var CreateConversationRequestSchema = exports_external.object({
   agent_id: exports_external.string().min(1, "agent_id is required")
 });
@@ -13842,6 +13860,16 @@ var CreateWorkspaceRequestSchema = exports_external.object({
   name: exports_external.string().min(1, "name is required"),
   slug: exports_external.string().min(1, "slug is required")
 });
+var UpdateWorkspaceRequestSchema = exports_external.object({
+  name: exports_external.string().min(1, "name is required").max(100).trim().optional(),
+  slug: exports_external.string().min(1, "slug is required").max(100).trim().toLowerCase().optional()
+});
+var DeleteWorkspaceRequestSchema = exports_external.object({
+  confirm_name: exports_external.string().min(1, "confirm_name is required")
+});
+var GrantAgentAccessRequestSchema = exports_external.object({
+  user_id: exports_external.string().min(1, "user_id is required")
+});
 // ../../node_modules/.pnpm/drizzle-orm@0.45.2_@cloudflare+workers-types@4.20260418.1_@opentelemetry+api@1.9.1_bun-types@1.3.12_kysely@0.28.16/node_modules/drizzle-orm/entity.js
 var entityKind = Symbol.for("drizzle:entityKind");
 var hasOwnEntityKind = Symbol.for("drizzle:hasOwnEntityKind");
@@ -15273,6 +15301,48 @@ var member = sqliteTable("member", {
   globalInstruction: text("global_instruction").notNull().default(""),
   createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
 }, (t) => [unique("member_workspace_user").on(t.workspaceId, t.userId)]);
+var workspaceInvite = sqliteTable("workspace_invite", {
+  id: text("id").primaryKey().$defaultFn(() => "inv_" + nanoid3()),
+  workspaceId: text("workspace_id").notNull().references(() => workspace.id, { onDelete: "cascade" }),
+  token: text("token").unique().notNull().$defaultFn(() => nanoid3(32)),
+  createdBy: text("created_by").notNull().references(() => user.id, { onDelete: "cascade" }),
+  usedBy: text("used_by").references(() => user.id, { onDelete: "set null" }),
+  usedAt: text("used_at"),
+  expiresAt: text("expires_at").notNull(),
+  createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
+}, (t) => [
+  index("idx_workspace_invite_token").on(t.token),
+  index("idx_workspace_invite_workspace").on(t.workspaceId)
+]);
+var agentAccess = sqliteTable("agent_access", {
+  id: text("id").primaryKey().$defaultFn(() => nanoid3()),
+  agentId: text("agent_id").notNull(),
+  workspaceId: text("workspace_id").notNull(),
+  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
+}, (t) => [
+  unique("agent_access_agent_ws_user").on(t.agentId, t.workspaceId, t.userId),
+  index("idx_agent_access_agent_ws").on(t.agentId, t.workspaceId),
+  index("idx_agent_access_user").on(t.userId),
+  foreignKey({
+    columns: [t.agentId, t.workspaceId],
+    foreignColumns: [agent.id, agent.workspaceId]
+  }).onDelete("cascade")
+]);
+var agentPin = sqliteTable("agent_pin", {
+  id: text("id").primaryKey().$defaultFn(() => nanoid3()),
+  agentId: text("agent_id").notNull(),
+  workspaceId: text("workspace_id").notNull(),
+  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
+}, (t) => [
+  unique("agent_pin_agent_ws_user").on(t.agentId, t.workspaceId, t.userId),
+  index("idx_agent_pin_ws_user").on(t.workspaceId, t.userId),
+  foreignKey({
+    columns: [t.agentId, t.workspaceId],
+    foreignColumns: [agent.id, agent.workspaceId]
+  }).onDelete("cascade")
+]);
 var machine = sqliteTable("machine", {
   daemonId: text("daemon_id").notNull(),
   workspaceId: text("workspace_id").notNull().references(() => workspace.id, { onDelete: "cascade" }),
@@ -15410,6 +15480,7 @@ var emails = sqliteTable("emails", {
   htmlBody: text("html_body").notNull().default(""),
   attachments: text("attachments").notNull().default("[]"),
   status: text("status").notNull().default("unread"),
+  direction: text("direction").notNull().default("inbound"),
   createdAt: text("created_at").notNull().$defaultFn(() => new Date().toISOString())
 }, (t) => [
   foreignKey({
@@ -15532,16 +15603,33 @@ class DaemonClient {
       "Content-Type": "application/json",
       Authorization: `Bearer ${token}`
     };
-    const res = await fetch(this.baseURL + path, {
-      method,
-      headers,
-      body: body ? JSON.stringify(body) : undefined
-    });
-    if (!res.ok)
-      throw new Error(`HTTP ${res.status}: ${await res.text()}`);
-    if (res.status === 204)
-      return;
-    return res.json();
+    const MAX_RETRIES = 3;
+    const BASE_DELAY_MS = 500;
+    let lastError;
+    for (let attempt = 0;attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const res = await fetch(this.baseURL + path, {
+          method,
+          headers,
+          body: body ? JSON.stringify(body) : undefined
+        });
+        if (!res.ok)
+          throw new Error(`HTTP ${res.status}: ${await res.text()}`);
+        if (res.status === 204)
+          return;
+        return res.json();
+      } catch (e) {
+        if (e instanceof TypeError) {
+          lastError = e;
+          if (attempt < MAX_RETRIES) {
+            await new Promise((r) => setTimeout(r, BASE_DELAY_MS * 2 ** attempt));
+            continue;
+          }
+        }
+        throw e;
+      }
+    }
+    throw lastError;
   }
   async register(token, body) {
     const raw = await this.request("POST", "/api/daemon/register", token, body);
@@ -15572,15 +15660,35 @@ class DaemonClient {
       error: error48
     });
   }
+  supersedeTask(token, taskId) {
+    return this.request("POST", `/api/daemon/tasks/${taskId}/supersede`, token);
+  }
   async getArtifactMeta(token, artifactId, workspaceId) {
     return this.request("GET", `/api/artifacts/${artifactId}?workspace_id=${encodeURIComponent(workspaceId)}`, token);
   }
   async downloadArtifact(token, artifactId, workspaceId) {
-    const res = await fetch(`${this.baseURL}/api/artifacts/${artifactId}/content?workspace_id=${encodeURIComponent(workspaceId)}`, { headers: { Authorization: `Bearer ${token}` } });
-    if (!res.ok) {
-      throw new Error(`artifact download failed: HTTP ${res.status}`);
+    const MAX_RETRIES = 3;
+    const BASE_DELAY_MS = 500;
+    let lastError;
+    for (let attempt = 0;attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const res = await fetch(`${this.baseURL}/api/artifacts/${artifactId}/content?workspace_id=${encodeURIComponent(workspaceId)}`, { headers: { Authorization: `Bearer ${token}` } });
+        if (!res.ok) {
+          throw new Error(`artifact download failed: HTTP ${res.status}`);
+        }
+        return res.arrayBuffer();
+      } catch (e) {
+        if (e instanceof TypeError) {
+          lastError = e;
+          if (attempt < MAX_RETRIES) {
+            await new Promise((r) => setTimeout(r, BASE_DELAY_MS * 2 ** attempt));
+            continue;
+          }
+        }
+        throw e;
+      }
     }
-    return res.arrayBuffer();
+    throw lastError;
   }
   reportMessages(token, taskId, messages) {
     return this.request("POST", `/api/daemon/tasks/${taskId}/messages`, token, { messages });
@@ -16547,6 +16655,7 @@ Your current context is only a fraction of the full timeline of what's your have
 The full context timeline is inside './.context_timeline/YYYY-MM-DD.jsonl'.
 Each line of a timeline JSONL is a JSON object with these fields:
 - "task_id" — unique task identifier
+- "context_key" — thread identifier, the same context key meaning those tasks are in the same thread.
 - "session_id" — agent session identifier (null until completion)
 - "pid" — daemon process ID (present while running, null when done)
 - "status" — "running", "completed", or "failed"
@@ -16555,18 +16664,21 @@ Each line of a timeline JSONL is a JSON object with these fields:
 - "prompt" — what the user asked
 - "agent_responses" — assistant text outputs during execution
 - "errmsg" — error message (null unless status is "failed")
+- "detailed_log" — the running log for this task, including the actually task agent messages with tool-calls and failed logs.
 those json are sorted by datetime in asc order.
 
 ## BE HUMAN
 - When you recall the timelines, don't say "I find ... in my timeline jsonl". Just say "I can recall..."
 - User don't know about the context timeline jsonl, this is your secret weapon.
 - Act and response like you're human and actually have memory, not a file reading machine.
+- Don't report your agent id and workspace id when not asked, it will break the image that you're a human colleague.
 
 ## RULES
 - Read @memory.md(if exists) before your action.
 - When you start a new task, read the last ~10 lines of today's timeline to understand what has been asked and done recently.
   - if you don't know the current datetime, obtain the current datetime first.
 - When user ask you something you don't have in your current context, try to read the timeline jsonl files for answer (today or previous days).
+  - Use grep tool to search in the context timeline jsonls if you have clean and focus keywords to recall.
 - When access other local projects, make sure you read the CLAUDE.md/AGENTS.md file under the project root dir to understand the requirements.
 `;
 function buildInstructionContent(task) {
@@ -16600,7 +16712,7 @@ ${task.agent?.userEmail ? `Your owner's email address is '${task.agent.userEmail
 
 ### Emails
 ---
-Run 'npx @alook/cli email pull --agent_id ${task.agentId} --workspace ${task.workspaceId} --status unread' to download unread emails to '/tmp/alook-emails/${task.workspaceId}/${task.agentId}/'.
+Run 'npx @alook/cli email pull --agent_id ${task.agentId} --status unread' to download unread emails to '/tmp/alook-emails/${task.workspaceId}/${task.agentId}/'.
 Each email is saved to '/tmp/alook-emails/${task.workspaceId}/${task.agentId}/<emailId>/' with:
 - 'metadata.json' — sender, recipient, subject, date, status, message_id, in_reply_to, references
 - 'body.txt' — plain text body
@@ -16608,22 +16720,31 @@ Each email is saved to '/tmp/alook-emails/${task.workspaceId}/${task.agentId}/<e
 - 'attachments/' — extracted attachment files (if any)
 ---
 Before starting to process an email, mark it as read:
-- Run 'npx @alook/cli email set --agent_id ${task.agentId} --workspace ${task.workspaceId} --email_id <EMAIL_ID> --status read'
+- Run 'npx @alook/cli email set --agent_id ${task.agentId} --email_id <EMAIL_ID> --status read'
 ---
 
 #### Sending a new email
 Write the HTML body to a file first, then send it. The body is forwarded as-is (HTML).
-- Run 'npx @alook/cli email send --agent_id ${task.agentId} --workspace ${task.workspaceId} --to <ADDRESS> --subject "<SUBJECT>" --body-file <PATH_TO_HTML>'
+- Run 'npx @alook/cli email send --agent_id ${task.agentId} --to <ADDRESS> --subject "<SUBJECT>" --body-file <PATH_TO_HTML>'
 - To send from a specific mailbox, add '--from <YOUR_EMAIL_ADDRESS>'. Without '--from', the default Alook address is used.
 - Attach files with '--attachment <PATH>' — repeat the flag for multiple attachments. Each file is uploaded before sending.
-- Example: 'npx @alook/cli email send --agent_id ${task.agentId} --workspace ${task.workspaceId} --to foo@bar.com --subject "Weekly report" --body-file /tmp/body.html --from alice@company.com --attachment /tmp/report.pdf'
+- Example: 'npx @alook/cli email send --agent_id ${task.agentId} --to foo@bar.com --subject "Weekly report" --body-file /tmp/body.html --from alice@company.com --attachment /tmp/report.pdf'
 
 #### Replying to an email
 To reply to an email, add '--in-reply-to <EMAIL_ID>' to the send command. This sets the correct email threading headers so the recipient's email client groups the reply into the same conversation thread.
 - Use 'Re: <original subject>' as the subject.
 - Quote the original email body in your reply (wrap it in a blockquote).
 - The <EMAIL_ID> is the Alook email id from metadata.json (not the message_id header).
-- Example: 'npx @alook/cli email send --agent_id ${task.agentId} --workspace ${task.workspaceId} --to sender@example.com --subject "Re: Bug report" --body-file /tmp/reply.html --in-reply-to <EMAIL_ID>'
+- Example: 'npx @alook/cli email send --agent_id ${task.agentId} --to sender@example.com --subject "Re: Bug report" --body-file /tmp/reply.html --in-reply-to <EMAIL_ID>'
+Tips:
+- If you think the task will take a while, consider sending a short "I'm on it" style email reply first to reassure the sender.
+---
+
+#### Email Whitelist (Allowed Senders)
+Manage which email addresses are allowed to send you emails.
+- List: 'npx @alook/cli email whitelist list --agent_id ${task.agentId}' (add '--json' for machine-readable output)
+- Add: 'npx @alook/cli email whitelist add --agent_id ${task.agentId} <EMAIL_ADDRESS>'
+- Remove: 'npx @alook/cli email whitelist delete --agent_id ${task.agentId} <EMAIL_ADDRESS>'
 ---
 `;
   }
@@ -16633,6 +16754,8 @@ Upload files for your owner to review in the app.
 - Your current conversation id is available via env var: $ALOOK_CONVERSATION_ID
 - Run 'npx @alook/cli sync upload-artifact --agent_id ${task.agentId} --conversation_id $ALOOK_CONVERSATION_ID --file <PATH>'
 - Use this after generating plans, reports, or any file the owner should review.
+- You response will be rendered in remote server, so don't output link format with local path in your response (cause user can click it and jump to nowheres)
+- If you think user may need to know any file detail, use upload-artifact tool to send the file to user.
 ---
 
 ### Attachments
@@ -17024,7 +17147,7 @@ function findResumableSessionByContextKey(timelineDir, contextKey, provider) {
   }
   entries.sort((a, b) => new Date(b.datetime).getTime() - new Date(a.datetime).getTime());
   for (const entry of entries) {
-    if (entry.status === "completed" && entry.context_key === contextKey && entry.provider === provider && entry.session_id && new Date(entry.datetime) >= cutoff) {
+    if (entry.status !== "running" && entry.context_key === contextKey && entry.provider === provider && entry.session_id && new Date(entry.datetime) >= cutoff) {
       return entry.session_id;
     }
   }
@@ -17048,9 +17171,37 @@ function prepare(config2, task) {
   return { workDir, timelineDir, env };
 }
 
+// daemon/execenv/steering.ts
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync3, readFileSync as readFileSync3, unlinkSync as unlinkSync2, readdirSync, statSync as statSync2 } from "fs";
+import { join as join4 } from "path";
+var INTENT_DIR_NAME = ".kill_intents";
+var INTENT_STALE_MS = 10 * 60 * 1000;
+function intentFilePath(baseDir, taskId) {
+  return join4(baseDir, INTENT_DIR_NAME, `${taskId}.json`);
+}
+function readKillIntent(baseDir, taskId) {
+  const filePath = intentFilePath(baseDir, taskId);
+  try {
+    const content = readFileSync3(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+function clearKillIntent(baseDir, taskId) {
+  const filePath = intentFilePath(baseDir, taskId);
+  try {
+    unlinkSync2(filePath);
+  } catch {}
+}
+
 // daemon/prompt.ts
+var EMAIL_NOTICE = "This task was triggered automatically by an incoming email. There is no human in this session." + " If you need to communicate with a human, you MUST send an email using the email sending tool." + " If you need more information or confirmation from the human, send them an email asking for it and then exit." + " Do not wait — when the human replies, a new task will be triggered automatically and you will be woken up with their response.";
 function buildPrompt(task, attachments) {
   const obj = { type: task.type, instruction: task.prompt };
+  if (task.type === "email_notification") {
+    obj.notice = EMAIL_NOTICE;
+  }
   if (attachments && attachments.length > 0) {
     obj.attachments = attachments.map((a) => ({
       path: a.path,
@@ -17144,6 +17295,7 @@ async function runSession(input) {
   };
   const flushTimer = setInterval(flushMessages, FLUSH_INTERVAL_MS);
   let killed = false;
+  const agentBaseDir = path.dirname(timelineDir);
   const onKill = async () => {
     if (killed)
       return;
@@ -17159,14 +17311,37 @@ async function runSession(input) {
       await flushMessages();
     } catch {}
     await cleanupAttachments(task.id);
-    updateEntry(timelineDir, task.id, (entry) => {
-      entry.pid = null;
-      entry.status = "killed";
-      entry.errmsg = "killed by signal";
-    });
-    try {
-      await client.failTask(token, task.id, "killed by signal");
-    } catch {}
+    const intent = readKillIntent(agentBaseDir, task.id);
+    clearKillIntent(agentBaseDir, task.id);
+    if (intent?.reason === "superseded") {
+      updateEntry(timelineDir, task.id, (entry) => {
+        entry.pid = null;
+        entry.status = "superseded";
+        entry.successor_task_id = intent.successorTaskId ?? null;
+        entry.supersede_reason = "superseded by newer task";
+      });
+      try {
+        await client.supersedeTask(token, task.id);
+      } catch {}
+    } else if (intent?.reason === "cancelled") {
+      updateEntry(timelineDir, task.id, (entry) => {
+        entry.pid = null;
+        entry.status = "cancelled";
+        entry.errmsg = "cancelled by user";
+      });
+      try {
+        await client.failTask(token, task.id, "cancelled by user");
+      } catch {}
+    } else {
+      updateEntry(timelineDir, task.id, (entry) => {
+        entry.pid = null;
+        entry.status = "killed";
+        entry.errmsg = "killed by signal";
+      });
+      try {
+        await client.failTask(token, task.id, "killed by signal");
+      } catch {}
+    }
     process.exit(1);
   };
   process.on("SIGTERM", onKill);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alook/cli",
-  "version": "0.0.14",
+  "version": "0.0.16",
   "description": "Alook CLI — register and run always-on AI coding agents.",
   "license": "Apache-2.0",
   "homepage": "https://github.com/alookai/alook#readme",