@botcord/daemon 0.2.29 → 0.2.30

package/dist/gateway/runtimes/claude-code.js

@@ -88,22 +88,13 @@ export class ClaudeCodeAdapter extends NdjsonStreamAdapter {
             args.push("--resume", opts.sessionId);
         }
         // Permission-mode policy:
-        //  - owner: bypassPermissions (owner fully trusts their own agent; daemon
-        //    has no authorization-relay UI yet, so any other mode causes Bash /
-        //    WebFetch / MCP tool calls to deadlock waiting for a prompt that
-        //    never reaches the user — see issue #332 for the planned MCP-bridge
-        //    relay that will let us tighten this back up).
-        //  - non-owner (trusted/public): default (let Claude Code prompt / reject
-        //    per its own rules — we must NOT auto-bypass for agents the operator
-        //    doesn't own).
-        // `extraArgs` still wins — operators who know what they're doing can override either.
+        // Daemon-driven Claude Code runs are non-interactive. Any mode that waits
+        // for a local permission prompt can deadlock tool use (Bash / WebFetch /
+        // MCP) because there is no prompt relay back to the user yet. Default to
+        // bypassPermissions for every trust tier; operators who need a stricter
+        // posture can still override with route/defaultRoute extraArgs.
         if (!opts.extraArgs?.some((a) => a.startsWith("--permission-mode"))) {
-            if (opts.trustLevel === "owner") {
-                args.push("--permission-mode", "bypassPermissions");
-            }
-            else {
-                args.push("--permission-mode", "default");
-            }
+            args.push("--permission-mode", "bypassPermissions");
         }
         // Claude Code's `--append-system-prompt` is applied per invocation and NOT
         // persisted in the resumed session transcript — ideal for memory / digest

package/dist/gateway/runtimes/codex.js

@@ -159,8 +159,12 @@ export class CodexAdapter extends NdjsonStreamAdapter {
         // Sandbox / approval policy. Expressed as `-c` overrides because
         // `codex exec resume` rejects `-s` / `--full-auto`. `-c` works on both
         // the fresh `exec` and `exec resume` paths.
-        //  - owner turn: bypass approvals + sandbox (owner trusts their agent)
-        //  - non-owner turn: `workspace-write` sandbox + on-request approvals
+        //
+        // Daemon-driven Codex runs are non-interactive. Any mode that waits for a
+        // local approval prompt can deadlock tool use because there is no prompt
+        // relay back to the user yet. Default to bypassing both approvals and the
+        // sandbox for every trust tier; operators who need a stricter posture can
+        // still override with route/defaultRoute extraArgs.
         const hasSandboxOverride = opts.extraArgs?.some((a) => a === "-s" ||
             a.startsWith("--sandbox") ||
             a === "--full-auto" ||
@@ -168,12 +172,7 @@ export class CodexAdapter extends NdjsonStreamAdapter {
             a.startsWith("-c sandbox_mode=") ||
             a.startsWith("-csandbox_mode=")) ?? false;
         if (!hasSandboxOverride) {
-            if (opts.trustLevel === "owner") {
-                tail.push("-c", 'sandbox_mode="danger-full-access"', "-c", 'approval_policy="never"');
-            }
-            else {
-                tail.push("-c", 'sandbox_mode="workspace-write"', "-c", 'approval_policy="on-request"');
-            }
+            tail.push("-c", 'sandbox_mode="danger-full-access"', "-c", 'approval_policy="never"');
         }
         tail.push("--skip-git-repo-check", "--json");
         if (opts.extraArgs?.length)

package/dist/provision.d.ts

@@ -115,6 +115,9 @@ export type WsEndpointProbeFn = (args: {
             name?: string;
             provider?: string;
         };
+        botcordBinding?: {
+            agentId: string;
+        };
     }>;
     error?: string;
 }>;

package/dist/provision.js

@@ -1457,7 +1457,7 @@ export async function collectRuntimeSnapshotAsync(opts = {}) {
                 entry.diagnostics = [{ code: "gateway_unreachable", message: res.error }];
             }
             if (res.agents)
-                entry.agents = res.agents;
+                entry.agents = annotateOpenclawAgentsWithBotcordBindings(g.name, res.agents);
             return entry;
         }
         catch (err) {
@@ -1476,6 +1476,27 @@ export async function collectRuntimeSnapshotAsync(opts = {}) {
     out.runtimes = base.runtimes.map((r) => r.id === "openclaw-acp" ? { ...r, endpoints } : r);
     return out;
 }
+function annotateOpenclawAgentsWithBotcordBindings(gateway, agents) {
+    const bindings = openclawBindingIndex();
+    return agents.map((agent) => {
+        const botcordAgentId = bindings.get(`${gateway}\0${agent.id}`);
+        if (!botcordAgentId)
+            return agent;
+        return { ...agent, botcordBinding: { agentId: botcordAgentId } };
+    });
+}
+function openclawBindingIndex() {
+    const out = new Map();
+    const discovered = discoverAgentCredentials({
+        credentialsDir: path.join(homedir(), ".botcord", "credentials"),
+    });
+    for (const agent of discovered.agents) {
+        if (!agent.openclawGateway || !agent.openclawAgent)
+            continue;
+        out.set(`${agent.openclawGateway}\0${agent.openclawAgent}`, agent.agentId);
+    }
+    return out;
+}
 /**
  * Reconcile every agent identity carried by the `hello.agents` snapshot
  * against the on-disk `identity.md`. Best-effort: a malformed entry or a

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/daemon",
-  "version": "0.2.29",
+  "version": "0.2.30",
   "description": "BotCord local daemon — bridges Hub inbox push to local Claude Code / Codex / Gemini CLIs",
   "type": "module",
   "bin": {

package/src/__tests__/runtime-discovery.test.ts

@@ -146,6 +146,54 @@ describe("collectRuntimeSnapshotAsync", () => {
     ]);
   });
 
+  it("marks OpenClaw agent profiles that already have a BotCord binding", async () => {
+    const tmp = mkdtempSync(path.join(tmpdir(), "daemon-runtime-binding-"));
+    const prevHome = process.env.HOME;
+    process.env.HOME = tmp;
+    try {
+      mkdirSync(path.join(tmp, ".botcord", "credentials"), { recursive: true });
+      writeFileSync(
+        path.join(tmp, ".botcord", "credentials", "ag_bound.json"),
+        JSON.stringify({
+          hubUrl: "https://api.preview.botcord.chat",
+          agentId: "ag_bound",
+          keyId: "kid_bound",
+          privateKey: Buffer.alloc(32, 1).toString("base64"),
+          runtime: "openclaw-acp",
+          openclawGateway: "local",
+          openclawAgent: "swe",
+        }),
+      );
+      setRuntimes([
+        {
+          id: "openclaw-acp",
+          displayName: "OpenClaw",
+          binary: "openclaw",
+          supportsRun: true,
+          result: { available: true },
+        },
+      ]);
+
+      const snap = await collectRuntimeSnapshotAsync({
+        cfg: { openclawGateways: [{ name: "local", url: "ws://127.0.0.1:18789" }] },
+        wsProbe: async () => ({
+          ok: true,
+          agents: [{ id: "default" }, { id: "swe", name: "SWE" }],
+        }),
+      });
+
+      const runtime = snap.runtimes.find((r) => r.id === "openclaw-acp");
+      expect(runtime?.endpoints?.[0]?.agents).toEqual([
+        { id: "default" },
+        { id: "swe", name: "SWE", botcordBinding: { agentId: "ag_bound" } },
+      ]);
+    } finally {
+      if (prevHome === undefined) delete process.env.HOME;
+      else process.env.HOME = prevHome;
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
   it("reports acp_disabled without probing the gateway", async () => {
     const tmp = mkdtempSync(path.join(tmpdir(), "daemon-runtime-openclaw-"));
     const prevHome = process.env.HOME;

package/src/gateway/__tests__/claude-code-adapter.test.ts

@@ -263,7 +263,7 @@ process.stdout.write(JSON.stringify({type:"result", subtype:"success", session_i
       expect(argv[modeIdx + 1]).toBe("bypassPermissions");
     });
 
-    it("public → --permission-mode default", async () => {
+    it("public → --permission-mode bypassPermissions", async () => {
       const adapter = new ClaudeCodeAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -277,10 +277,10 @@ process.stdout.write(JSON.stringify({type:"result", subtype:"success", session_i
       const argv = JSON.parse(res.text) as string[];
       const modeIdx = argv.indexOf("--permission-mode");
       expect(modeIdx).toBeGreaterThanOrEqual(0);
-      expect(argv[modeIdx + 1]).toBe("default");
+      expect(argv[modeIdx + 1]).toBe("bypassPermissions");
     });
 
-    it("trusted → --permission-mode default", async () => {
+    it("trusted → --permission-mode bypassPermissions", async () => {
       const adapter = new ClaudeCodeAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -294,7 +294,7 @@ process.stdout.write(JSON.stringify({type:"result", subtype:"success", session_i
       const argv = JSON.parse(res.text) as string[];
       const modeIdx = argv.indexOf("--permission-mode");
       expect(modeIdx).toBeGreaterThanOrEqual(0);
-      expect(argv[modeIdx + 1]).toBe("default");
+      expect(argv[modeIdx + 1]).toBe("bypassPermissions");
     });
 
     it("systemContext → --append-system-prompt <text>", async () => {

package/src/gateway/__tests__/codex-adapter.test.ts

@@ -338,7 +338,7 @@ process.stdout.write(JSON.stringify({type:"item.completed", item:{id:"i0", type:
       expect(argv).not.toContain("-s");
     });
 
-    it("public → sandbox_mode=\"workspace-write\" + approval_policy=\"on-request\"", async () => {
+    it("public → sandbox_mode=\"danger-full-access\" + approval_policy=\"never\"", async () => {
       const adapter = new CodexAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -350,12 +350,12 @@ process.stdout.write(JSON.stringify({type:"item.completed", item:{id:"i0", type:
         trustLevel: "public",
       });
       const argv = JSON.parse(res.text) as string[];
-      expect(argv).toContain('sandbox_mode="workspace-write"');
-      expect(argv).toContain('approval_policy="on-request"');
+      expect(argv).toContain('sandbox_mode="danger-full-access"');
+      expect(argv).toContain('approval_policy="never"');
       expect(argv).not.toContain("--dangerously-bypass-approvals-and-sandbox");
     });
 
-    it("trusted → sandbox_mode=\"workspace-write\" + approval_policy=\"on-request\"", async () => {
+    it("trusted → sandbox_mode=\"danger-full-access\" + approval_policy=\"never\"", async () => {
       const adapter = new CodexAdapter({ binary: echoScript() });
       const ctrl = new AbortController();
       const res = await adapter.run({
@@ -367,8 +367,8 @@ process.stdout.write(JSON.stringify({type:"item.completed", item:{id:"i0", type:
         trustLevel: "trusted",
       });
       const argv = JSON.parse(res.text) as string[];
-      expect(argv).toContain('sandbox_mode="workspace-write"');
-      expect(argv).toContain('approval_policy="on-request"');
+      expect(argv).toContain('sandbox_mode="danger-full-access"');
+      expect(argv).toContain('approval_policy="never"');
     });
 
     it("extraArgs `-s read-only` suppresses the default sandbox `-c`s", async () => {

package/src/gateway/runtimes/claude-code.ts

@@ -107,21 +107,13 @@ export class ClaudeCodeAdapter extends NdjsonStreamAdapter {
       args.push("--resume", opts.sessionId);
     }
     // Permission-mode policy:
-    //  - owner: bypassPermissions (owner fully trusts their own agent; daemon
-    //    has no authorization-relay UI yet, so any other mode causes Bash /
-    //    WebFetch / MCP tool calls to deadlock waiting for a prompt that
-    //    never reaches the user — see issue #332 for the planned MCP-bridge
-    //    relay that will let us tighten this back up).
-    //  - non-owner (trusted/public): default (let Claude Code prompt / reject
-    //    per its own rules — we must NOT auto-bypass for agents the operator
-    //    doesn't own).
-    // `extraArgs` still wins — operators who know what they're doing can override either.
+    // Daemon-driven Claude Code runs are non-interactive. Any mode that waits
+    // for a local permission prompt can deadlock tool use (Bash / WebFetch /
+    // MCP) because there is no prompt relay back to the user yet. Default to
+    // bypassPermissions for every trust tier; operators who need a stricter
+    // posture can still override with route/defaultRoute extraArgs.
     if (!opts.extraArgs?.some((a) => a.startsWith("--permission-mode"))) {
-      if (opts.trustLevel === "owner") {
-        args.push("--permission-mode", "bypassPermissions");
-      } else {
-        args.push("--permission-mode", "default");
-      }
+      args.push("--permission-mode", "bypassPermissions");
     }
     // Claude Code's `--append-system-prompt` is applied per invocation and NOT
     // persisted in the resumed session transcript — ideal for memory / digest

package/src/gateway/runtimes/codex.ts

@@ -171,8 +171,12 @@ export class CodexAdapter extends NdjsonStreamAdapter {
     // Sandbox / approval policy. Expressed as `-c` overrides because
     // `codex exec resume` rejects `-s` / `--full-auto`. `-c` works on both
     // the fresh `exec` and `exec resume` paths.
-    //  - owner turn: bypass approvals + sandbox (owner trusts their agent)
-    //  - non-owner turn: `workspace-write` sandbox + on-request approvals
+    //
+    // Daemon-driven Codex runs are non-interactive. Any mode that waits for a
+    // local approval prompt can deadlock tool use because there is no prompt
+    // relay back to the user yet. Default to bypassing both approvals and the
+    // sandbox for every trust tier; operators who need a stricter posture can
+    // still override with route/defaultRoute extraArgs.
     const hasSandboxOverride =
       opts.extraArgs?.some(
         (a) =>
@@ -184,21 +188,12 @@ export class CodexAdapter extends NdjsonStreamAdapter {
           a.startsWith("-csandbox_mode="),
       ) ?? false;
     if (!hasSandboxOverride) {
-      if (opts.trustLevel === "owner") {
-        tail.push(
-          "-c",
-          'sandbox_mode="danger-full-access"',
-          "-c",
-          'approval_policy="never"',
-        );
-      } else {
-        tail.push(
-          "-c",
-          'sandbox_mode="workspace-write"',
-          "-c",
-          'approval_policy="on-request"',
-        );
-      }
+      tail.push(
+        "-c",
+        'sandbox_mode="danger-full-access"',
+        "-c",
+        'approval_policy="never"',
+      );
     }
     tail.push("--skip-git-repo-check", "--json");
     if (opts.extraArgs?.length) tail.push(...opts.extraArgs);

package/src/provision.ts

@@ -1326,6 +1326,7 @@ export type WsEndpointProbeFn = (args: {
     name?: string;
     workspace?: string;
     model?: { name?: string; provider?: string };
+    botcordBinding?: { agentId: string };
   }>;
   error?: string;
 }>;
@@ -1381,6 +1382,7 @@ async function defaultWsProbe(args: {
     name?: string;
     workspace?: string;
     model?: { name?: string; provider?: string };
+    botcordBinding?: { agentId: string };
   }>;
   error?: string;
 }> {
@@ -1715,7 +1717,7 @@ export async function collectRuntimeSnapshotAsync(opts: {
           entry.error = res.error;
           entry.diagnostics = [{ code: "gateway_unreachable", message: res.error }];
         }
-        if (res.agents) entry.agents = res.agents;
+        if (res.agents) entry.agents = annotateOpenclawAgentsWithBotcordBindings(g.name, res.agents);
         return entry;
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
@@ -1737,6 +1739,41 @@ export async function collectRuntimeSnapshotAsync(opts: {
   return out;
 }
 
+function annotateOpenclawAgentsWithBotcordBindings(
+  gateway: string,
+  agents: Array<{
+    id: string;
+    name?: string;
+    workspace?: string;
+    model?: { name?: string; provider?: string };
+  }>,
+): Array<{
+  id: string;
+  name?: string;
+  workspace?: string;
+  model?: { name?: string; provider?: string };
+  botcordBinding?: { agentId: string };
+}> {
+  const bindings = openclawBindingIndex();
+  return agents.map((agent) => {
+    const botcordAgentId = bindings.get(`${gateway}\0${agent.id}`);
+    if (!botcordAgentId) return agent;
+    return { ...agent, botcordBinding: { agentId: botcordAgentId } };
+  });
+}
+
+function openclawBindingIndex(): Map<string, string> {
+  const out = new Map<string, string>();
+  const discovered = discoverAgentCredentials({
+    credentialsDir: path.join(homedir(), ".botcord", "credentials"),
+  });
+  for (const agent of discovered.agents) {
+    if (!agent.openclawGateway || !agent.openclawAgent) continue;
+    out.set(`${agent.openclawGateway}\0${agent.openclawAgent}`, agent.agentId);
+  }
+  return out;
+}
+
 // ---------------------------------------------------------------------------
 // hello agents snapshot (lightweight identity sync)
 // ---------------------------------------------------------------------------