@clawchatsai/connector 0.0.86 → 0.0.88

package/README.md

@@ -1,30 +1,84 @@
 # @clawchatsai/connector
 
-OpenClaw plugin for [ClawChats](https://clawchats.ai) — connects your local gateway to the ClawChats web app via WebRTC P2P.
+OpenClaw plugin that bridges the [ClawChats](https://clawchats.ai) web app to your local OpenClaw gateway.
 
-## Install
+## What it does
+
+When installed, this plugin runs as a background service alongside your OpenClaw gateway. It:
+
+- Connects to the OpenClaw gateway WebSocket and persists conversation history to a local SQLite database
+- Connects to the ClawChats signaling server (`wss://login.clawchats.ai`) to establish a P2P WebRTC session with your browser
+- Once the P2P connection is established, your browser communicates directly with this plugin — no data passes through any external server
+- Exposes a local HTTP/WebSocket API for threads, messages, workspaces, file management, and memory
+
+## How the connection works
+
+```
+app.clawchats.ai  ──── signaling server ────  connector plugin (your machine)
+  (browser UI)        (handshake only)          (OpenClaw gateway)
+        │                                               │
+        └──────── WebRTC DataChannel (P2P) ────────────┘
+                  encrypted, direct, no relay
+```
+
+1. You open [app.clawchats.ai](https://app.clawchats.ai) in your browser
+2. The browser authenticates with `login.clawchats.ai` and gets a session token
+3. The signaling server coordinates a WebRTC handshake between your browser and this plugin
+4. Your browser connects directly to your gateway via an encrypted P2P DataChannel
+5. All conversation data — messages, files, memory — travels over that direct connection
+
+The signaling server only facilitates the handshake. After step 4, it is out of the picture.
+
+## Installation
 
 ```bash
 openclaw plugins install @clawchatsai/connector
+openclaw gateway restart
 ```
 
-## Setup
+Then open [app.clawchats.ai](https://app.clawchats.ai) and follow the setup flow.
 
-After installing, run the setup command from your OpenClaw session:
+## Architecture
 
 ```
-/shellchat setup <token>
+server/                   # Local backend server (Node.js, plain ESM)
+  index.js                # createApp() factory — HTTP API + WebSocket relay to OpenClaw
+  gateway.js              # GatewayClient — maintains connection to local OpenClaw gateway
+  config.js               # Config discovery (env vars → openclaw.json → defaults)
+  debug.js                # Debug session logger
+  gateway-cleanup.js      # Session cleanup on thread/workspace delete
+  bootstrap/
+    native.js             # node:sqlite initialisation (built into Node ≥22.5, no compilation)
+    identity.js           # ed25519 device signing for OpenClaw ≥2.15
+  controllers/            # HTTP route handlers (threads, messages, workspaces, files, memory)
+  providers/              # Memory backends (Qdrant, Postgres)
+  util/                   # HTTP helpers, multipart parser, context builder, misc
+src/                      # OpenClaw plugin wrapper (TypeScript)
+  index.ts                # Plugin entry point — registers with OpenClaw, manages lifecycle
+  signaling-client.ts     # Connects to ClawChats signaling server for P2P handshake
+  webrtc-peer.ts          # WebRTC DataChannel peer — direct browser ↔ gateway connection
+  auth-handler.ts         # TOTP + Google session auth for DataChannel connections
 ```
 
-Get your token at [clawchats.ai](https://clawchats.ai)
+## Security & permissions
 
-## Update
+**Filesystem access:** The plugin reads/writes under `~/.openclaw/` (gateway data) and the user's home directory for workspace file browsing. File serving is restricted to an explicit allowlist (`HOME`, `/tmp`). Write access is limited to within `HOME`.
 
-```bash
-openclaw plugins update @clawchatsai/connector
-```
+**Session cleanup:** When a thread or workspace is deleted, the plugin removes the associated OpenClaw session files (`.jsonl`) to prevent stale context. These are files created by the gateway itself during that session.
+
+**Auth:** The DataChannel connection is authenticated with TOTP + Google session token before any data is processed. The HTTP API uses a local bearer token (set via `CLAWCHATS_AUTH_TOKEN` or `config.js`). No credentials are sent to external servers.
+
+**No shell execution:** The plugin contains no `exec`, `spawn`, or shell calls. SQLite is handled by Node's built-in `node:sqlite` module — no native binary compilation required.
+
+## Configuration
+
+Config is read in priority order:
+1. Environment variables (`CLAWCHATS_AUTH_TOKEN`, `GATEWAY_WS_URL`, `OPENCLAW_SESSIONS_DIR`)
+2. `~/.openclaw/openclaw.json` (OpenClaw gateway config)
+3. `config.js` in the plugin directory (local override, gitignored)
+
+## License
 
-## Links
+[AGPL-3.0-only](LICENSE) — source is open for audit and contribution.
 
-- [Website](https://clawchats.ai)
-- [npm](https://www.npmjs.com/package/@clawchatsai/connector)
+For commercial licensing, contact [clawchats.ai](https://clawchats.ai).

package/dist/index.js

@@ -11,10 +11,10 @@
  */
 import * as fs from 'node:fs';
 import * as http from 'node:http';
+import * as os from 'node:os';
 import * as path from 'node:path';
 import { SignalingClient } from './signaling-client.js';
 import { dispatchRpc } from './shim.js';
-import { checkForUpdates, performUpdate } from './updater.js';
 import { initAuth, handleAuthMessage, cleanupAuth } from './auth-handler.js';
 import { generateTotpSecret, verifyTotp, generateBackupCodes, buildOtpauthUri } from './totp.js';
 import { generateSessionSecret } from './session-token.js';
@@ -66,64 +66,58 @@ function saveConfig(config) {
 // ---------------------------------------------------------------------------
 // Service lifecycle
 // ---------------------------------------------------------------------------
+/**
+ * Detect musl libc (Alpine Linux) vs glibc.
+ * prebuildify/prebuild-install distinguishes linux vs linuxmusl.
+ */
+function detectLinuxLibc() {
+    try {
+        const ldd = fs.readFileSync('/usr/bin/ldd', 'utf8');
+        if (ldd.includes('musl'))
+            return 'musl';
+    }
+    catch { /* not found */ }
+    try {
+        if (fs.readdirSync('/lib').some((f) => f.startsWith('libc.musl')))
+            return 'musl';
+    }
+    catch { /* not found */ }
+    return 'glibc';
+}
+/**
+ * Returns the prebuild key for the current platform, matching the directory
+ * names we bundle under prebuilds/ (e.g. "linux-x64", "linuxmusl-arm64").
+ */
+function getPrebuildKey() {
+    const platform = process.platform;
+    const arch = process.arch;
+    if (platform === 'linux' && detectLinuxLibc() === 'musl')
+        return `linuxmusl-${arch}`;
+    return `${platform}-${arch}`;
+}
 async function ensureNativeModules(ctx) {
-    // OpenClaw installs plugins with --ignore-scripts, which skips native module compilation.
-    // Check if native modules are usable; if not, rebuild them automatically.
     const pluginDir = path.resolve(__dirname, '..');
-    const modules = [
-        { name: 'better-sqlite3', binding: 'build/Release/better_sqlite3.node', strategy: 'rebuild' },
-        { name: 'node-datachannel', binding: 'build/Release/node_datachannel.node', strategy: 'install-script' },
-    ];
-    const missing = modules.filter(m => !fs.existsSync(path.join(pluginDir, 'node_modules', m.name, m.binding)));
-    if (missing.length === 0)
-        return; // all built
-    ctx.logger.info(`Building native modules (first run): ${missing.map(m => m.name).join(', ')}...`);
-    const { execFileSync } = await import('node:child_process');
-    for (const mod of missing) {
-        try {
-            if (mod.strategy === 'install-script') {
-                // Packages using prebuild-install need their install script re-run (npm rebuild
-                // only triggers node-gyp, not prebuild-install). Run the install script directly
-                // from the package's directory.
-                const modDir = path.join(pluginDir, 'node_modules', mod.name);
-                const modPkg = JSON.parse(fs.readFileSync(path.join(modDir, 'package.json'), 'utf-8'));
-                const installCmd = modPkg.scripts?.install;
-                if (installCmd) {
-                    // Add local .bin dirs to PATH so prebuild-install and other local binaries resolve.
-                    // Check both the module's own node_modules/.bin (hoisted deps) and the plugin-level one.
-                    const localBin = [
-                        path.join(modDir, 'node_modules', '.bin'),
-                        path.join(pluginDir, 'node_modules', '.bin'),
-                    ].join(':');
-                    execFileSync('sh', ['-c', installCmd], {
-                        cwd: modDir,
-                        stdio: 'pipe',
-                        timeout: 120_000,
-                        env: { ...process.env, PATH: `${localBin}:${process.env.PATH ?? ''}`, npm_config_node_gyp: '' },
-                    });
-                }
-                else {
-                    // Fallback to rebuild if no install script found
-                    execFileSync('npm', ['rebuild', mod.name], {
-                        cwd: pluginDir,
-                        stdio: 'pipe',
-                        timeout: 120_000,
-                    });
-                }
-            }
-            else {
-                execFileSync('npm', ['rebuild', mod.name], {
-                    cwd: pluginDir,
-                    stdio: 'pipe',
-                    timeout: 120_000,
-                });
-            }
-            ctx.logger.info(`${mod.name} ready.`);
-        }
-        catch (e) {
-            ctx.logger.error(`Failed to build ${mod.name}: ${e.message}`);
-            ctx.logger.error(`Try manually: cd ~/.openclaw/extensions/connector && npm rebuild ${mod.name}`);
-        }
+    const targetPath = path.join(pluginDir, 'node_modules', 'node-datachannel', 'build', 'Release', 'node_datachannel.node');
+    // Already built — nothing to do.
+    if (fs.existsSync(targetPath))
+        return;
+    // Find the bundled prebuilt for this platform (shipped inside the npm package).
+    const prebuildKey = getPrebuildKey();
+    const prebuiltPath = path.join(pluginDir, 'prebuilds', prebuildKey, 'node_datachannel.node');
+    if (!fs.existsSync(prebuiltPath)) {
+        ctx.logger.error(`[clawchats] No prebuilt binary for ${prebuildKey}. ` +
+            `WebRTC will be unavailable. To fix manually: ` +
+            `cd ~/.openclaw/extensions/connector && npm rebuild node-datachannel`);
+        return;
+    }
+    ctx.logger.info(`[clawchats] Installing node-datachannel prebuilt for ${prebuildKey}...`);
+    try {
+        fs.mkdirSync(path.dirname(targetPath), { recursive: true });
+        fs.copyFileSync(prebuiltPath, targetPath);
+        ctx.logger.info('[clawchats] node-datachannel ready.');
+    }
+    catch (e) {
+        ctx.logger.error(`[clawchats] Failed to install prebuilt: ${e.message}`);
     }
 }
 const CLAWCHATS_MD_CONTENT = `# ClawChats — Inline File Delivery
@@ -172,23 +166,7 @@ async function startClawChats(ctx, api, mediaStash) {
             return;
         ctx.logger.info('Setup detected — connecting to ClawChats...');
     }
-    // 1. Check for updates
-    const update = await checkForUpdates();
-    if (update) {
-        ctx.logger.info(`Update available: ${update.current} → ${update.latest}`);
-        if (ctx._forceUpdate) {
-            try {
-                await performUpdate();
-                ctx.logger.info(`Updated to ${update.latest}. Requesting graceful restart...`);
-                api.runtime.requestRestart?.('clawchats update');
-                return; // will restart with new version
-            }
-            catch (e) {
-                ctx.logger.error(`Auto-update failed: ${e.message}`);
-            }
-        }
-    }
-    // 2. Resolve gateway token: runtime API → config file → error
+    // 1. Resolve gateway token: runtime API → config file → error
     const gwCfg = api.config;
     const gwAuth = gwCfg?.['gateway']?.['auth'];
     const gatewayToken = gwAuth?.['token'] || config.gatewayToken || '';
@@ -223,14 +201,38 @@ async function startClawChats(ctx, api, mediaStash) {
     const uploadsDir = path.join(ctx.stateDir, 'clawchats', 'uploads');
     _uploadsDir = uploadsDir;
     // Dynamic import of server.js (plain JS, no type declarations)
-    // @ts-expect-error — server.js is plain JS with no .d.ts
-    const serverModule = await import('../server.js');
+    // @ts-expect-error — server/index.js is plain JS with no .d.ts
+    const serverModule = await import('../server/index.js');
+    // Read env vars here (plugin host) so server/ bundle stays process.env-free.
+    const memoryEnv = {
+        provider: process.env.MEMORY_PROVIDER,
+        host: process.env.MEMORY_HOST || process.env.QDRANT_HOST,
+        port: process.env.MEMORY_PORT || process.env.QDRANT_PORT,
+        collection: process.env.MEMORY_COLLECTION || process.env.QDRANT_COLLECTION,
+        pgUrl: process.env.MEMORY_PG_URL,
+        qdrantUrl: process.env.QDRANT_URL,
+    };
+    // Filter out undefined values so discoverMemoryConfig only overrides what's set.
+    const memoryEnvFiltered = Object.fromEntries(Object.entries(memoryEnv).filter(([, v]) => v !== undefined && v !== ''));
     app = serverModule.createApp({
         dataDir,
         uploadsDir,
-        gatewayUrl: 'ws://localhost:18789',
-        authToken: '', // P2P: DataChannel is the auth boundary (signaling authenticates both sides)
+        port: parseInt(process.env.PORT || '3001', 10),
+        gatewayUrl: process.env.GATEWAY_WS_URL || 'ws://localhost:18789',
+        authToken: process.env.CLAWCHATS_AUTH_TOKEN || '', // P2P: DataChannel is the auth boundary
         gatewayToken, // For WS auth to local OpenClaw gateway
+        openaiApiKey: (() => {
+            // Resolve OpenAI API key: openclaw config → env var
+            try {
+                const oc = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.openclaw', 'openclaw.json'), 'utf8'));
+                const fromConfig = oc?.skills?.entries?.['openai-whisper-api']?.apiKey;
+                if (fromConfig)
+                    return fromConfig;
+            }
+            catch { /* ok */ }
+            return process.env.OPENAI_API_KEY || null;
+        })(),
+        memoryEnv: memoryEnvFiltered,
         mediaStash, // Shared Map populated by after_tool_call hook (captures MEDIA: paths from exec)
     });
     // 4. Connect createApp's gateway client (handles persistence + event relay)
@@ -264,17 +266,6 @@ async function startClawChats(ctx, api, mediaStash) {
         ctx.logger.error(`Signaling auth rejected: ${reason}`);
     });
     // version-rejected listener removed — version check is now client-side
-    signaling.on('force-update', async (targetVersion) => {
-        ctx.logger.info(`Force update to ${targetVersion} requested`);
-        try {
-            await performUpdate();
-            ctx.logger.info('Update complete, requesting restart');
-            api.runtime.requestRestart?.('forced update');
-        }
-        catch (e) {
-            ctx.logger.error(`Force update failed: ${e.message}`);
-        }
-    });
     signaling.on('account-suspended', (reason) => {
         ctx.logger.error(`Account suspended: ${reason}`);
         broadcastToClients({ type: 'account-suspended', reason });

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "connector",
   "name": "ClawChats",
-  "description": "Connects your OpenClaw gateway to ClawChats via WebRTC P2P",
+  "description": "Local chat backend and API bridge for OpenClaw.",
   "kind": "integration",
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,30 +1,28 @@
 {
   "name": "@clawchatsai/connector",
-  "version": "0.0.86",
+  "version": "0.0.88",
   "type": "module",
   "description": "ClawChats OpenClaw plugin — P2P tunnel + local API bridge",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [
     "dist",
-    "server.js",
-    "openclaw.plugin.json"
+    "server/",
+    "openclaw.plugin.json",
+    "prebuilds/"
   ],
   "publishConfig": {
     "access": "public"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=22.5.0"
   },
   "scripts": {
-    "prebuild": "node esbuild.config.mjs",
     "build": "tsc",
     "dev": "tsc --watch",
-    "prepublishOnly": "npm run build",
-    "postinstall": "npm rebuild better-sqlite3 2>/dev/null || true"
+    "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "better-sqlite3": ">=9.0.0",
     "jose": "^5.10.0",
     "node-datachannel": "^0.32.1",
     "ws": "^8.0.0"
@@ -38,5 +36,10 @@
     "@types/ws": "^8.0.0",
     "esbuild": "^0.27.4",
     "typescript": "^5.4.0"
+  },
+  "license": "AGPL-3.0-only",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/clawchatsai/connector"
   }
 }

package/server/bootstrap/identity.js

@@ -0,0 +1,47 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import path from 'node:path';
+
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+
+function derivePublicKeyRaw(publicKeyPem) {
+  const spki = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
+  if (spki.length === ED25519_SPKI_PREFIX.length + 32 &&
+      spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)) {
+    return spki.subarray(ED25519_SPKI_PREFIX.length);
+  }
+  return spki;
+}
+
+function fingerprintPublicKey(publicKeyPem) {
+  return crypto.createHash('sha256').update(derivePublicKeyRaw(publicKeyPem)).digest('hex');
+}
+
+function base64UrlEncode(buf) {
+  return buf.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
+}
+
+export function loadOrCreateDeviceIdentity(identityPath) {
+  try {
+    if (fs.existsSync(identityPath)) {
+      const parsed = JSON.parse(fs.readFileSync(identityPath, 'utf8'));
+      if (parsed?.version === 1 && parsed.deviceId && parsed.publicKeyPem && parsed.privateKeyPem) return parsed;
+    }
+  } catch { /* regenerate */ }
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }).toString();
+  const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+  const identity = { version: 1, deviceId: fingerprintPublicKey(publicKeyPem), publicKeyPem, privateKeyPem, createdAtMs: Date.now() };
+  fs.mkdirSync(path.dirname(identityPath), { recursive: true });
+  fs.writeFileSync(identityPath, JSON.stringify(identity, null, 2) + '\n', { mode: 0o600 });
+  return identity;
+}
+
+export function buildDeviceAuth(identity, { clientId, clientMode, role, scopes, token, nonce }) {
+  const signedAt = Date.now();
+  const payload = ['v2', identity.deviceId, clientId, clientMode, role, scopes.join(','), String(signedAt), token || '', nonce].join('|');
+  const privateKey = crypto.createPrivateKey(identity.privateKeyPem);
+  const signature = base64UrlEncode(crypto.sign(null, Buffer.from(payload, 'utf8'), privateKey));
+  const publicKeyB64Url = base64UrlEncode(derivePublicKeyRaw(identity.publicKeyPem));
+  return { id: identity.deviceId, publicKey: publicKeyB64Url, signature, signedAt, nonce };
+}

package/server/bootstrap/native.js

@@ -0,0 +1,9 @@
+import { DatabaseSync as Database } from 'node:sqlite';
+import { AsyncLocalStorage } from 'node:async_hooks';
+
+// Per-request workspace DB — isolates concurrent clients on different workspaces.
+export const requestDbStore = new AsyncLocalStorage();
+
+// node:sqlite is a built-in Node.js module (available since Node 22.5).
+// No native compilation required — SQLite is bundled directly into Node.
+export { Database };

package/server/config.js

@@ -0,0 +1,63 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { fileURLToPath } from 'node:url';
+
+export const HOME = os.homedir();
+export const MAX_PREAMBLE_CHARS = 50000;
+
+// Resolve __dirname for ESM (esbuild inlines this correctly)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+export function parseConfigField(field) {
+  // Try both plugin root and parent of server/ — handles bundled and standalone modes
+  const candidates = [path.join(__dirname, 'config.js'), path.join(__dirname, '..', 'config.js')];
+  for (const configPath of candidates) {
+    try {
+      const configText = fs.readFileSync(configPath, 'utf8');
+      const match = configText.match(new RegExp(`${field}:\\s*['"]([^'"]+)['"]`));
+      if (match) return match[1];
+    } catch { /* try next */ }
+  }
+  return null;
+}
+
+// Auth token: config.js → empty (open/unauthenticated mode)
+// Note: CLAWCHATS_AUTH_TOKEN env var is read by the plugin host (src/index.ts) and passed via createApp().
+export const AUTH_TOKEN = parseConfigField('authToken') || '';
+
+// Gateway WebSocket URL — uses the internal/local gateway address, NOT config.js gatewayUrl
+// (that's the browser's external-facing URL and would cause a routing loop through Caddy)
+// Note: GATEWAY_WS_URL env var is read by the plugin host (src/index.ts) and passed via createApp().
+export function discoverGatewayWsUrl() {
+  for (const cfgPath of [path.join(HOME, '.openclaw', 'openclaw.json'), '/etc/openclaw/openclaw.json']) {
+    try {
+      const raw = JSON.parse(fs.readFileSync(cfgPath, 'utf8'));
+      const port = raw.gateway?.port || raw.port;
+      const host = raw.gateway?.host || raw.host || 'localhost';
+      if (port) return `ws://${host}:${port}`;
+    } catch { /* try next */ }
+  }
+  return 'ws://localhost:18789';
+}
+export const GATEWAY_WS_URL = discoverGatewayWsUrl();
+
+// Sessions directory — where OpenClaw stores session .jsonl files
+// Note: OPENCLAW_SESSIONS_DIR env var is read by the plugin host (src/index.ts) and passed via createApp().
+export const OPENCLAW_SESSIONS_DIR =
+  parseConfigField('sessionsDir') ||
+  path.join(HOME, '.openclaw', 'agents', 'main', 'sessions');
+
+export function getSessionsDirForAgent(agentId) {
+  if (!agentId || agentId === 'main') return OPENCLAW_SESSIONS_DIR;
+  return path.join(HOME, '.openclaw', 'agents', agentId, 'sessions');
+}
+
+export function validateAgent(agentId) {
+  if (!agentId) return 'main';
+  if (!/^[a-zA-Z0-9_-]+$/.test(agentId)) throw new Error('Invalid agent ID');
+  const agentDir = path.join(HOME, '.openclaw', 'agents', agentId);
+  if (!fs.existsSync(agentDir)) throw new Error(`Agent not found: ${agentId}`);
+  return agentId;
+}

package/server/controllers/agents.js

@@ -0,0 +1,20 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { send } from '../util/http.js';
+
+/**
+ * List available OpenClaw agents.
+ * Keeps fs.readdirSync out of the HTTP router (server/index.js).
+ */
+export function handleAgents(req, res) {
+  try {
+    const agentsDir = path.join(os.homedir(), '.openclaw', 'agents');
+    const agents = fs.readdirSync(agentsDir, { withFileTypes: true })
+      .filter(e => e.isDirectory())
+      .map(e => e.name);
+    send(res, 200, { agents });
+  } catch {
+    send(res, 200, { agents: ['main'] });
+  }
+}

package/server/controllers/files.js

@@ -0,0 +1,64 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { send, sendError, parseBody, uuid } from '../util/http.js';
+import { parseMultipart } from '../util/multipart.js';
+
+export class FileController {
+  constructor({ getActiveDb, getWorkspaces, uploadsDir, intelligenceDir }) {
+    this.getActiveDb = getActiveDb;
+    this.getWorkspaces = getWorkspaces;
+    this.uploadsDir = uploadsDir;
+    this.intelligenceDir = intelligenceDir;
+  }
+
+  async upload(req, res, params) {
+    if (!this.getActiveDb().prepare('SELECT id FROM threads WHERE id = ?').get(params.id)) return sendError(res, 404, 'Thread not found');
+    const files = await parseMultipart(req);
+    const dir = path.join(this.uploadsDir, params.id);
+    fs.mkdirSync(dir, { recursive: true });
+    const savedFiles = [];
+    for (const file of files) {
+      const fileId = uuid();
+      const ext = path.extname(file.filename) || '';
+      fs.writeFileSync(path.join(dir, fileId + ext), file.data);
+      savedFiles.push({ id: fileId, filename: file.filename, path: `/api/uploads/${params.id}/${fileId}${ext}`, mimeType: file.mimeType, size: file.data.length });
+    }
+    send(res, 200, { files: savedFiles });
+  }
+
+  serveUpload(req, res, params) {
+    const base = path.join(this.uploadsDir, params.threadId, params.fileId);
+    let resolved = base;
+    if (!fs.existsSync(resolved)) {
+      try {
+        const match = fs.readdirSync(path.join(this.uploadsDir, params.threadId)).find(e => e.startsWith(params.fileId.replace(/\.[^.]+$/, '')));
+        if (match) resolved = path.join(this.uploadsDir, params.threadId, match);
+      } catch { /* ok */ }
+    }
+    if (!fs.existsSync(resolved)) return sendError(res, 404, 'File not found');
+    const MIME = { '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg', '.gif': 'image/gif', '.webp': 'image/webp', '.pdf': 'application/pdf', '.txt': 'text/plain', '.json': 'application/json' };
+    const stat = fs.statSync(resolved);
+    res.writeHead(200, { 'Content-Type': MIME[path.extname(resolved).toLowerCase()] || 'application/octet-stream', 'Content-Length': stat.size, 'Cache-Control': 'public, max-age=86400', 'Access-Control-Allow-Origin': '*' });
+    fs.createReadStream(resolved).pipe(res);
+  }
+
+  _intelligencePath(threadId) {
+    return path.join(this.intelligenceDir, this.getWorkspaces().active, `${threadId}.json`);
+  }
+
+  getIntelligence(req, res, params) {
+    const filePath = this._intelligencePath(params.id);
+    if (!fs.existsSync(filePath)) return send(res, 200, { versions: [], currentVersion: -1 });
+    try { return send(res, 200, JSON.parse(fs.readFileSync(filePath, 'utf8'))); }
+    catch { return send(res, 200, { versions: [], currentVersion: -1 }); }
+  }
+
+  async saveIntelligence(req, res, params) {
+    const body = await parseBody(req);
+    const filePath = this._intelligencePath(params.id);
+    fs.mkdirSync(path.dirname(filePath), { recursive: true });
+    const data = { versions: body.versions || [], currentVersion: body.currentVersion ?? -1, updatedAt: Date.now() };
+    fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+    send(res, 200, data);
+  }
+}