@controlflow-ai/daemon 0.1.0 → 0.1.1

package/README.md

@@ -267,9 +267,17 @@ The daemon creates one local API for CLI calls, connects the computer to the ser
 | `LOCK_DAEMON_URL` | `http://127.0.0.1:4137` | Local daemon API URL used by `bun run cli` |
 | `LOCK_DAEMON_TOKEN` | token file fallback | Local daemon API bearer token |
 | `PAL_LARK_CONFIG` | `$PAL_HOME/lark.json` | Lark bot credential file |
-| `PAL_OWNER_LARK_UNION_ID` | - | Optional Lark sender allowlist for business ingest |
 | `PAL_LARK_ACTION_REACTION_EMOJI` | `Typing` | Reaction added when Lark delivery is created |
 
+Lark sender authorization is stored in Pal's database. Manage authorized Lark
+users from the Web Settings Access tab or with:
+
+```bash
+bun run console -- lark-users list
+bun run console -- lark-users add --user-id <union-id> --name "Display Name"
+bun run console -- lark-users delete --user-id <union-id>
+```
+
 ## Runtime Semantics
 
 - Rooms are the primary conversation container; `chat` remains as a compatibility alias in several APIs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@controlflow-ai/daemon",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "type": "module",
   "scripts": {
     "server": "bun run src/server.ts",

package/src/app.ts

@@ -5,7 +5,9 @@ import { assertServerAuth } from './server-auth.js';
 import { dashboardHtml } from './web.js';
 import type { RunAction, RunStatus } from './types.js';
 import { createLarkApiClient, sendTextMessage } from './lark/ws-daemon.js';
-import { boundAgents, loadLarkCredentials, type LarkCredentialStore } from './lark/credentials.js';
+import { boundAgents, defaultLarkConfigPath, loadLarkCredentials, type LarkCredentialStore } from './lark/credentials.js';
+import { persistLarkCredential, resolveLarkBotInfo } from './lark/setup.js';
+import { tailscaleAddress } from './network.js';
 
 interface SendBody {
   chat?: string;
@@ -81,6 +83,19 @@ interface OnboardAgentBody {
   computer_id?: string;
 }
 
+interface LarkSetupBody {
+  app_id?: string;
+  app_secret?: string;
+  label?: string;
+  agent?: string;
+  config?: string;
+}
+
+interface LarkAuthorizedUserBody {
+  user_id?: string;
+  display_name?: string | null;
+}
+
 interface CreateDeliveryBody {
   message_id?: number;
   agent?: string;
@@ -192,6 +207,17 @@ export function route(store: MessageStore, request: Request): Promise<Response>
     return json({ status: 'ok' });
   }
 
+  if (request.method === 'GET' && pathname === '/api/server/access') {
+    const requestUrl = new URL(request.url);
+    const port = requestUrl.port || (requestUrl.protocol === 'https:' ? '443' : '80');
+    const tailscaleHost = tailscaleAddress();
+    return json({
+      localUrl: `${requestUrl.protocol}//127.0.0.1:${port}`,
+      tailscaleUrl: tailscaleHost ? `${requestUrl.protocol}//${tailscaleHost}:${port}` : null,
+      tailscaleHost,
+    });
+  }
+
   if (request.method === 'GET' && pathname === '/api/computers') {
     return json({ computers: store.listComputers(numberParam(url, 'limit', 50)) });
   }
@@ -417,6 +443,78 @@ export function route(store: MessageStore, request: Request): Promise<Response>
     return json({ sessions: store.listSessions(numberParam(url, 'limit', 50)) });
   }
 
+  if (request.method === 'GET' && pathname === '/api/lark/config') {
+    const path = stringParam(url, 'config') ?? defaultLarkConfigPath();
+    const credentials = loadLarkCredentials(path);
+    return json({
+      path,
+      bots: credentials.bots.map((bot) => ({
+        appId: bot.appId,
+        label: bot.label ?? null,
+        agent: bot.agent ?? null,
+        boundAgents: boundAgents(bot),
+        botOpenId: bot.botOpenId ?? null,
+        hasSecret: Boolean(bot.appSecret),
+      })),
+    });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/lark/authorized-users') {
+    return json({ users: store.listLarkAuthorizedUsers() });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/lark/authorized-users') {
+    return readJson<LarkAuthorizedUserBody>(request).then((body) => {
+      const userId = body.user_id?.trim();
+      if (!userId) throw new HttpError(400, 'MISSING_USER_ID', 'user_id is required');
+      const user = store.upsertLarkAuthorizedUser({ userId, displayName: body.display_name });
+      return json({ user }, 201);
+    });
+  }
+
+  const larkAuthorizedUserMatch = pathname.match(/^\/api\/lark\/authorized-users\/([^/]+)$/);
+  if (request.method === 'DELETE' && larkAuthorizedUserMatch) {
+    const userId = decodeURIComponent(larkAuthorizedUserMatch[1]!);
+    const deleted = store.deleteLarkAuthorizedUser(userId);
+    if (!deleted) throw new HttpError(404, 'LARK_USER_NOT_FOUND', 'authorized Lark user was not found');
+    return json({ deleted: true });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/lark/setup') {
+    return readJson<LarkSetupBody>(request).then(async (body) => {
+      const appId = body.app_id?.trim();
+      const appSecret = body.app_secret?.trim();
+      const agent = body.agent?.trim();
+      const label = body.label?.trim();
+      const configPath = body.config?.trim() || defaultLarkConfigPath();
+      if (!appId) throw new HttpError(400, 'MISSING_APP_ID', 'app_id is required');
+      if (!appSecret) throw new HttpError(400, 'MISSING_APP_SECRET', 'app_secret is required');
+      if (!agent) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+      if (!store.getAgent(agent)) throw new HttpError(404, 'AGENT_NOT_FOUND', `agent ${agent} not found`);
+
+      const botInfo = await resolveLarkBotInfo(appId, appSecret);
+      if (!botInfo.ok) {
+        throw new HttpError(400, 'LARK_CREDENTIALS_REJECTED', `could not resolve bot open_id (${botInfo.error}): ${botInfo.message}`);
+      }
+
+      const result = persistLarkCredential({
+        appId,
+        appSecret,
+        label,
+        agent,
+        botOpenId: botInfo.openId,
+        configPath,
+      });
+      const account = store.registerChannelAccount({
+        name: label || botInfo.appName || appId,
+        appId,
+        botOpenId: botInfo.openId,
+        agent,
+      });
+      return json({ ...result, appName: botInfo.appName ?? null, account }, 201);
+    });
+  }
+
   const sessionRunsMatch = pathname.match(/^\/api\/sessions\/([^/]+)\/runs$/);
   if (request.method === 'GET' && sessionRunsMatch) {
     return json({ runs: store.listRunsForSession(sessionRunsMatch[1]!, numberParam(url, 'limit', 50)) });

package/src/console.ts

@@ -4,7 +4,7 @@ import { boolFlag, parseArgs, flag, numberFlag } from './args.js';
 import { LockClient } from './client.js';
 import { defaultServerUrl } from './config.js';
 import { formatMessages } from './format.js';
-import type { Computer } from './types.js';
+import type { Computer, ProvisionedComputer } from './types.js';
 
 interface Prompt {
   askLine(label: string): Promise<string>;
@@ -21,10 +21,15 @@ Usage:
   bun run src/console.ts inbox --agent neeko [--after 0] [--limit 50] [--json]
   bun run src/console.ts runs [--json]
   bun run src/console.ts run-action <run-id> kill|restart
+  bun run src/console.ts computers list [--json]
+  bun run src/console.ts computer onboard [--interactive] [--name <display-name>] [--server-url <url>] [--package-name <npm-package>]
   bun run src/console.ts agents list [--json]
   bun run src/console.ts agents onboard [--interactive] [--key <agent-key>] [--name <display-name>] [--runtime codex] [--computer-id <machine>]
   bun run src/console.ts agents create --key <agent-key> --name <display-name> [--runtime neeko|coco|coco-stream-json|codex] [--desc <description>]
   bun run src/console.ts agents update --key <agent-key> --runtime neeko|coco|coco-stream-json|codex
+  bun run src/console.ts lark-users list [--json]
+  bun run src/console.ts lark-users add [--interactive] --user-id <union-id> [--name <display-name>]
+  bun run src/console.ts lark-users delete --user-id <union-id>
   bun run src/console.ts lark <setup|list|daemon|events|send> [flags]
 
 Environment:
@@ -32,6 +37,13 @@ Environment:
 `;
 }
 
+async function requestJson<T>(url: string, init?: RequestInit): Promise<T> {
+  const response = await fetch(url, init);
+  const payload = await response.json() as { data?: T; message?: string; code?: string };
+  if (!response.ok) throw new Error(payload.message ?? payload.code ?? `request failed: ${response.status}`);
+  return payload.data as T;
+}
+
 function printJson(value: unknown): void {
   console.log(JSON.stringify(value, null, 2));
 }
@@ -120,6 +132,50 @@ async function askComputerId(prompt: Prompt, computers: Computer[]): Promise<str
   }
 }
 
+async function collectComputerOnboardInput(serverClient: LockClient, flags: Record<string, string | boolean>): Promise<{ name: string; serverUrl: string; packageName: string }> {
+  const hasAnyProvisionFlag = Boolean(flag(flags, 'name') || flag(flags, 'server-url') || flag(flags, 'package-name'));
+  const interactive = boolFlag(flags, 'interactive') || (!hasAnyProvisionFlag && process.stdin.isTTY === true);
+  const defaultName = flag(flags, 'name') ?? 'Local computer';
+  const defaultServerUrl = flag(flags, 'server-url') ?? serverClient.baseUrl;
+  const defaultPackageName = flag(flags, 'package-name') ?? '@slock-ai/daemon@latest';
+
+  if (!interactive) {
+    return {
+      name: defaultName,
+      serverUrl: defaultServerUrl,
+      packageName: defaultPackageName,
+    };
+  }
+
+  const prompt = await createPrompt();
+  try {
+    console.log('Computer onboarding');
+    console.log('Provision a computer credential and daemon start command.');
+    const name = await askRequired(prompt, 'Computer display name', defaultName);
+    const serverUrl = await askRequired(prompt, 'Server URL', defaultServerUrl);
+    const packageName = await askRequired(prompt, 'Daemon package', defaultPackageName);
+    console.log('');
+    console.log('Summary:');
+    console.log(`  name: ${name}`);
+    console.log(`  server_url: ${serverUrl}`);
+    console.log(`  package_name: ${packageName}`);
+    if (!await askYesNo(prompt, 'Provision this computer?', true)) throw new Error('computer onboarding cancelled');
+    return { name, serverUrl, packageName };
+  } finally {
+    prompt.close();
+  }
+}
+
+function printProvisionedComputer(provisioned: ProvisionedComputer): void {
+  console.log('Computer onboarded');
+  console.log(`  id: ${provisioned.computer.id}`);
+  console.log(`  name: ${provisioned.computer.name}`);
+  console.log(`  status: ${provisioned.computer.status}`);
+  console.log('');
+  console.log('Daemon command:');
+  console.log(provisioned.command);
+}
+
 async function collectOnboardInput(serverClient: LockClient, flags: Record<string, string | boolean>): Promise<{ agentKey: string; displayName: string; runtime: string; desc: string | null; computerId: string | undefined }> {
   const hasRequiredFlags = Boolean(flag(flags, 'key') && flag(flags, 'name'));
   const interactive = boolFlag(flags, 'interactive') || (!hasRequiredFlags && process.stdin.isTTY === true);
@@ -166,6 +222,31 @@ async function collectOnboardInput(serverClient: LockClient, flags: Record<strin
   }
 }
 
+async function collectLarkUserInput(flags: Record<string, string | boolean>): Promise<{ userId: string; displayName: string | null }> {
+  const userIdFlag = flag(flags, 'user-id') ?? flag(flags, 'id');
+  const interactive = boolFlag(flags, 'interactive') || (!userIdFlag && process.stdin.isTTY === true);
+  if (!interactive) {
+    if (!userIdFlag) throw new Error('lark-users add requires --user-id when not running interactively');
+    return { userId: userIdFlag, displayName: flag(flags, 'name') ?? null };
+  }
+
+  const prompt = await createPrompt();
+  try {
+    console.log('Lark authorized user');
+    const userId = await askRequired(prompt, 'Lark user ID', userIdFlag ?? '');
+    const displayName = await ask(prompt, 'Display name (optional)', flag(flags, 'name') ?? '');
+    console.log('');
+    console.log('Summary:');
+    console.log(`  user_id: ${userId}`);
+    console.log(`  display_name: ${displayName || '-'}`);
+    if (!await askYesNo(prompt, 'Authorize this Lark user?', true)) throw new Error('lark user add cancelled');
+    return { userId, displayName: displayName || null };
+  } finally {
+    prompt.close();
+  }
+}
+
+
 async function main(): Promise<void> {
   const args = parseArgs();
   const serverClient = new LockClient(flag(args.flags, 'server'));
@@ -247,6 +328,40 @@ async function main(): Promise<void> {
     return;
   }
 
+  if (args.command === 'computer' || args.command === 'computers') {
+    const sub = args.values[0];
+
+    if (sub === 'list') {
+      const computers = await serverClient.listComputers();
+      if (args.flags.json) {
+        printJson(computers);
+      } else {
+        for (const computer of computers) {
+          const seen = computer.last_seen_at ? ` last_seen=${computer.last_seen_at}` : '';
+          console.log(`${computer.id} name="${computer.name}" status=${computer.status}${seen}`);
+        }
+      }
+      return;
+    }
+
+    if (sub === 'onboard') {
+      const input = await collectComputerOnboardInput(serverClient, args.flags);
+      const provisioned = await serverClient.provisionComputer({
+        name: input.name,
+        server_url: input.serverUrl,
+        package_name: input.packageName,
+      });
+      if (args.flags.json) {
+        printJson(provisioned);
+      } else {
+        printProvisionedComputer(provisioned);
+      }
+      return;
+    }
+
+    throw new Error(`unknown ${args.command} subcommand: ${sub ?? '(none)'}\n\n${usage()}`);
+  }
+
   if (args.command === 'agents') {
     const sub = args.values[0];
 
@@ -331,6 +446,46 @@ async function main(): Promise<void> {
     throw new Error(`unknown agents subcommand: ${sub ?? '(none)'}\n\n${usage()}`);
   }
 
+  if (args.command === 'lark-users') {
+    const sub = args.values[0];
+
+    if (sub === 'list') {
+      const data = await requestJson<{ users: Array<Record<string, unknown>> }>(`${serverClient.baseUrl}/api/lark/authorized-users`);
+      if (args.flags.json) {
+        printJson(data.users);
+      } else if (data.users.length === 0) {
+        console.log('No authorized Lark users.');
+      } else {
+        for (const user of data.users) {
+          console.log(`${user.user_id} name="${user.display_name ?? '-'}" added=${user.created_at}`);
+        }
+      }
+      return;
+    }
+
+    if (sub === 'add') {
+      const input = await collectLarkUserInput(args.flags);
+      const data = await requestJson<{ user: Record<string, unknown> }>(`${serverClient.baseUrl}/api/lark/authorized-users`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ user_id: input.userId, display_name: input.displayName }),
+      });
+      if (args.flags.json) printJson(data.user);
+      else console.log(`Authorized Lark user ${data.user.user_id}`);
+      return;
+    }
+
+    if (sub === 'delete' || sub === 'remove') {
+      const userId = flag(args.flags, 'user-id') ?? flag(args.flags, 'id') ?? args.values[1];
+      if (!userId) throw new Error('--user-id is required');
+      await requestJson<{ deleted: boolean }>(`${serverClient.baseUrl}/api/lark/authorized-users/${encodeURIComponent(userId)}`, { method: 'DELETE' });
+      console.log(`Deleted Lark user ${userId}`);
+      return;
+    }
+
+    throw new Error(`unknown lark-users subcommand: ${sub ?? '(none)'}\n\n${usage()}`);
+  }
+
   if (args.command === 'lark') {
     const { runLarkCli } = await import('./lark/cli.js');
     const code = await runLarkCli({

package/src/db.ts

@@ -4,7 +4,9 @@ import { ensureParentDir } from './config.js';
 import { runMigrations } from './migrations.js';
 import { artifactExpiry, generateArtifactToken, hashArtifactToken, validateArtifactContent } from './artifacts.js';
 import { palIdentityHandle } from './provider-identity.js';
-import type { AgentDefinition, AgentRun, AgentSession, AgentValidationResult, Artifact, ArtifactMetadata, ChannelAccount, ChannelConversation, ChannelMessageMapping, ChannelOutboxRecord, Chat, ChatKind, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, LarkGroupRoomMapping, LockProviderEvidence, LockTranscriptMessage, Message, MessageDelivery, MessageType, AgentRoomSubscription, AgentRoomSubscriptionMode, PendingInboundEvent, ProvisionedComputer, ProviderExternalType, ProviderIdentityBinding, PalIdentity, RoomChannel, RoomParticipant, RoomParticipantKind, RoomParticipantSource, RoomProvider, RunAction, RunStatus, TranscriptReadModel, WorkbenchArtifact } from './types.js';
+import type { AgentDefinition, AgentRun, AgentSession, AgentValidationResult, Artifact, ArtifactMetadata, ChannelAccount, ChannelConversation, ChannelMessageMapping, ChannelOutboxRecord, Chat, ChatKind, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, LarkAuthorizedUser, LarkGroupRoomMapping, LockProviderEvidence, LockTranscriptMessage, Message, MessageDelivery, MessageType, AgentRoomSubscription, AgentRoomSubscriptionMode, PendingInboundEvent, ProvisionedComputer, ProviderExternalType, ProviderIdentityBinding, PalIdentity, RoomChannel, RoomParticipant, RoomParticipantKind, RoomParticipantSource, RoomProvider, RunAction, RunStatus, TranscriptReadModel, WorkbenchArtifact } from './types.js';
+
+export const ALL_AGENTS_MENTION = '__pal_all_agents__';
 
 export interface CreateMessageInput {
   chatId?: string;
@@ -529,6 +531,16 @@ function rowToChannelAccount(row: Record<string, unknown>): ChannelAccount {
   };
 }
 
+function rowToLarkAuthorizedUser(row: Record<string, unknown>): LarkAuthorizedUser {
+  return {
+    id: String(row.id),
+    user_id: String(row.user_id),
+    display_name: row.display_name === null || row.display_name === undefined ? null : String(row.display_name),
+    created_at: String(row.created_at),
+    updated_at: String(row.updated_at),
+  };
+}
+
 function rowToPalIdentity(row: Record<string, unknown>): PalIdentity {
   return {
     id: String(row.id),
@@ -852,6 +864,43 @@ export class MessageStore {
     return this.db.query('SELECT * FROM chat_stats ORDER BY COALESCE(last_message_at, created_at) DESC').all() as Chat[];
   }
 
+  listLarkAuthorizedUsers(): LarkAuthorizedUser[] {
+    const rows = this.db.query('SELECT * FROM lark_authorized_users ORDER BY COALESCE(display_name, user_id), user_id').all() as Record<string, unknown>[];
+    return rows.map(rowToLarkAuthorizedUser);
+  }
+
+  upsertLarkAuthorizedUser(input: { userId: string; displayName?: string | null }): LarkAuthorizedUser {
+    const userId = input.userId.trim();
+    if (!userId) throw new Error('lark user_id is required');
+    const id = crypto.randomUUID();
+    this.db.query(`
+      INSERT INTO lark_authorized_users (id, user_id, display_name, created_at, updated_at)
+      VALUES (?, ?, ?, datetime('now'), datetime('now'))
+      ON CONFLICT(user_id) DO UPDATE SET
+        display_name = excluded.display_name,
+        updated_at = datetime('now')
+    `).run(id, userId, input.displayName?.trim() || null);
+    return this.getLarkAuthorizedUser(userId)!;
+  }
+
+  getLarkAuthorizedUser(userId: string): LarkAuthorizedUser | null {
+    const normalized = userId.trim();
+    if (!normalized) return null;
+    const row = this.db.query('SELECT * FROM lark_authorized_users WHERE user_id = ?').get(normalized) as Record<string, unknown> | null;
+    return row ? rowToLarkAuthorizedUser(row) : null;
+  }
+
+  isLarkAuthorizedUser(userId: string | null | undefined): boolean {
+    if (!userId?.trim()) return false;
+    return this.getLarkAuthorizedUser(userId) !== null;
+  }
+
+  deleteLarkAuthorizedUser(userId: string): boolean {
+    const normalized = userId.trim();
+    if (!normalized) return false;
+    return this.db.query('DELETE FROM lark_authorized_users WHERE user_id = ?').run(normalized).changes > 0;
+  }
+
   listLarkGroupRoomMappings(): LarkGroupRoomMapping[] {
     const rows = this.db.query(`
       SELECT DISTINCT
@@ -2146,7 +2195,7 @@ export class MessageStore {
       VALUES (?, ?, ?, 'offline', NULL, NULL, datetime('now'))
     `).run(id, name, hashSecret(apiKey));
 
-    const packageName = input.packageName?.trim() || '@slock-ai/daemon@latest';
+    const packageName = input.packageName?.trim() || '@controlflow-ai/daemon@latest';
     const serverUrl = input.serverUrl?.trim() || 'http://127.0.0.1:4127';
     const command = `npx ${packageName} --server-url ${serverUrl} --api-key ${apiKey} # ${name}`;
     return { computer: this.getComputer(id)!, api_key: apiKey, command };
@@ -2431,7 +2480,11 @@ export class MessageStore {
     if (!room) throw new Error(`room ${message.chat_id} was not found`);
     const candidates = new Set<string>();
     if (message.recipient && this.getAgent(message.recipient)) candidates.add(message.recipient);
+    if ((message.mentions ?? []).includes(ALL_AGENTS_MENTION)) {
+      for (const agent of this.listRoomAgents(room)) candidates.add(agent);
+    }
     for (const mention of message.mentions ?? []) {
+      if (mention === ALL_AGENTS_MENTION) continue;
       if (this.getAgent(mention)) candidates.add(mention);
     }
     if (room.kind === 'dm') {
@@ -2460,9 +2513,34 @@ export class MessageStore {
     return deliveries;
   }
 
+  private listRoomAgents(room: Chat): string[] {
+    if (room.provider === 'web') {
+      const rows = this.db.query(`
+        SELECT participant_id AS agent
+        FROM room_participants
+        WHERE room_id = ? AND kind = 'agent' AND status = 'active'
+      `).all(room.id) as Array<{ agent: string }>;
+      return rows.map((row) => row.agent).filter((agent) => Boolean(this.getAgent(agent)));
+    }
+
+    const rows = this.db.query(`
+      SELECT DISTINCT pa.agent AS agent
+      FROM provider_accounts pa
+      INNER JOIN provider_conversations pc ON pc.provider_account_id = pa.id
+      WHERE pa.provider = ? AND pa.status = 'active' AND pc.room_id = ?
+      UNION
+      SELECT DISTINCT ca.agent AS agent
+      FROM channel_accounts ca
+      INNER JOIN channel_conversations cc ON cc.channel_account_id = ca.id
+      WHERE ca.channel = ? AND ca.status = 'active' AND cc.lock_chat_id = ? AND ca.agent IS NOT NULL AND ca.agent != ''
+    `).all(room.provider, room.id, room.provider, room.id) as Array<{ agent: string }>;
+    return rows.map((row) => row.agent).filter((agent) => Boolean(this.getAgent(agent)));
+  }
+
   private shouldCreateDeliveryForAgent(message: Message, room: Chat, agent: string): boolean {
     if (!this.canAgentParticipateInRoom(agent, room)) return false;
-    const direct = message.recipient === agent || (message.mentions ?? []).includes(agent);
+    const allAgentsMentioned = (message.mentions ?? []).includes(ALL_AGENTS_MENTION);
+    const direct = allAgentsMentioned || message.recipient === agent || (message.mentions ?? []).includes(agent);
     if (room.kind === 'dm') return direct || message.recipient === null;
     const subscription = this.getAgentRoomSubscription(agent, room.id);
     const mode = subscription?.mode ?? 'mentions';

package/src/lark/event-router.ts

@@ -1,4 +1,5 @@
 import type { MessageStore, CreateMessageInput } from '../db.js';
+import { ALL_AGENTS_MENTION } from '../db.js';
 import type { Message } from '../types.js';
 import { palIdentityHandle } from '../provider-identity.js';
 
@@ -82,6 +83,22 @@ export function extractMentionOpenIds(envelope: LarkMessageEnvelope): string[] {
   return ids;
 }
 
+function isAllMention(mention: NonNullable<NonNullable<LarkMessageEnvelope['message']>['mentions']>[number]): boolean {
+  const key = mention.key?.trim().toLowerCase();
+  const name = mention.name?.trim().toLowerCase();
+  const openId = mention.id?.open_id?.trim().toLowerCase();
+  return key === '@all' || key === 'all' || name === 'all' || name === '所有人' || openId === 'all';
+}
+
+export function mentionsAllAgents(envelope: LarkMessageEnvelope): boolean {
+  const mentions = envelope.message?.mentions ?? [];
+  for (const mention of mentions) {
+    if (isAllMention(mention)) return true;
+  }
+  const raw = parseLarkTextContent(envelope.message?.content, envelope.message?.message_type).toLowerCase();
+  return /(^|\s)@(all|所有人)(\s|$)/u.test(raw);
+}
+
 function normalizeMappedMentions(values: Array<string | null>): string[] {
   const out: string[] = [];
   const seen = new Set<string>();
@@ -124,8 +141,11 @@ export function mapLarkMessageToCreateInput(input: MapLarkMessageInput): MapLark
   const text = parseLarkTextContent(msg.content, msg.message_type);
   if (!text.trim()) return { status: 'skipped', reason: 'empty_text' };
 
-  const firstMention = msg.mentions?.find((m) => m.id?.open_id)?.id?.open_id;
-  const mappedMentions = normalizeMappedMentions(msg.mentions?.map((m) => m.id?.open_id ? input.recipientByMentionOpenId?.get(m.id.open_id) ?? null : null) ?? []);
+  const firstMention = msg.mentions?.find((m) => m.id?.open_id && !isAllMention(m))?.id?.open_id;
+  const mappedMentions = normalizeMappedMentions([
+    ...(mentionsAllAgents(envelope) ? [ALL_AGENTS_MENTION] : []),
+    ...(msg.mentions?.map((m) => m.id?.open_id ? input.recipientByMentionOpenId?.get(m.id.open_id) ?? null : null) ?? []),
+  ]);
   const recipient = input.recipientOverride !== undefined
     ? input.recipientOverride
     : firstMention ? input.recipientByMentionOpenId?.get(firstMention) ?? firstMention : null;

package/src/lark/server-integration.ts

@@ -52,10 +52,6 @@ function mentionsBotLabel(envelope: LarkMessageEnvelope, bot: LarkCredential): b
 }
 
 
-function configuredOwnerUnionId(): string | null {
-  return process.env.PAL_OWNER_LARK_UNION_ID?.trim() || process.env.PAL_LARK_OWNER_UNION_ID?.trim() || null;
-}
-
 function senderUnionId(envelope: LarkMessageEnvelope): string | null {
   return envelope.sender?.sender_id?.union_id?.trim() || null;
 }
@@ -261,18 +257,15 @@ export function startLarkOnServer(options: LarkServerIntegrationOptions): LarkSe
       if (envelope === 'im.message.receive_v1') {
         try {
           const larkEnvelope = data as LarkMessageEnvelope;
-          const ownerUnionId = configuredOwnerUnionId();
-          if (ownerUnionId) {
-            const identity = await resolveSenderUnionId({ bot, envelope: larkEnvelope, store: msgStore });
-            if (identity.status === 'pending') {
-              msgStore.recordPendingInboundEvent({ rawEventId: storeResult.event_id, provider: 'lark', reason: 'missing_union_id', error: identity.reason });
-              log.warn(`[lark/${bot.appId}] sender union_id lookup pending: ${identity.reason}`);
-              return;
-            }
-            if (identity.status !== 'resolved' || identity.unionId !== ownerUnionId) {
-              log.log(`[lark/${bot.appId}] business ingest skipped sender_union=${identity.status === 'resolved' ? identity.unionId : '-'} owner_configured=true`);
-              return;
-            }
+          const identity = await resolveSenderUnionId({ bot, envelope: larkEnvelope, store: msgStore });
+          if (identity.status === 'pending') {
+            msgStore.recordPendingInboundEvent({ rawEventId: storeResult.event_id, provider: 'lark', reason: 'missing_lark_sender_user_id', error: identity.reason });
+            log.warn(`[lark/${bot.appId}] sender union_id lookup pending: ${identity.reason}`);
+            return;
+          }
+          if (identity.status !== 'resolved' || !msgStore.isLarkAuthorizedUser(identity.unionId)) {
+            log.log(`[lark/${bot.appId}] business ingest skipped sender_union=${identity.status === 'resolved' ? identity.unionId : '-'} authorized=false`);
+            return;
           }
           const agents = boundAgents(bot);
           const mentionOpenIds = extractMentionOpenIds(larkEnvelope);

package/src/migrations/022_lark_authorized_users.ts

@@ -0,0 +1,16 @@
+import type { Database } from 'bun:sqlite';
+
+export const version = 22;
+export const name = 'lark_authorized_users';
+
+export function up(db: Database): void {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS lark_authorized_users (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL UNIQUE,
+      display_name TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+  `);
+}

package/src/migrations.ts

@@ -20,6 +20,7 @@ import * as roomDisplayNames from './migrations/018_room_display_names.js';
 import * as computerConnections from './migrations/019_computer_connections.js';
 import * as computerAgentAssignments from './migrations/020_computer_agent_assignments.js';
 import * as providerIdentityBindings from './migrations/021_provider_identity_bindings.js';
+import * as larkAuthorizedUsers from './migrations/022_lark_authorized_users.js';
 
 interface Migration {
   version: number;
@@ -27,7 +28,7 @@ interface Migration {
   up(db: Database): void;
 }
 
-const migrations: Migration[] = [initial, daemonDeliveries, sessionsRuns, messageIdempotency, artifacts, larkChannelFoundation, agentsA0, b0ChatHistory, b0TranscriptIngestSeq, b0TranscriptShadowExternalIds, b0ChannelConversationAuditOnly, b0CrossConversationInvariant, b10EngInboundRawEvents, agentsRuntime, agentRuntimeSessions, roomParticipants, unifiedRoomDelivery, roomDisplayNames, computerConnections, computerAgentAssignments, providerIdentityBindings].sort((a, b) => a.version - b.version);
+const migrations: Migration[] = [initial, daemonDeliveries, sessionsRuns, messageIdempotency, artifacts, larkChannelFoundation, agentsA0, b0ChatHistory, b0TranscriptIngestSeq, b0TranscriptShadowExternalIds, b0ChannelConversationAuditOnly, b0CrossConversationInvariant, b10EngInboundRawEvents, agentsRuntime, agentRuntimeSessions, roomParticipants, unifiedRoomDelivery, roomDisplayNames, computerConnections, computerAgentAssignments, providerIdentityBindings, larkAuthorizedUsers].sort((a, b) => a.version - b.version);
 
 function assertContiguousMigrations(): void {
   for (let index = 0; index < migrations.length; index += 1) {

package/src/network.ts

@@ -0,0 +1,24 @@
+import { networkInterfaces } from 'node:os';
+
+export function tailscaleAddress(): string | null {
+  const interfaces = networkInterfaces();
+  for (const [name, entries] of Object.entries(interfaces)) {
+    for (const entry of entries ?? []) {
+      if (entry.family !== 'IPv4' || entry.internal) continue;
+      if (name.toLowerCase().startsWith('tailscale') || isTailscaleIPv4(entry.address)) {
+        return entry.address;
+      }
+    }
+  }
+  return null;
+}
+
+function isTailscaleIPv4(address: string): boolean {
+  const parts = address.split('.').map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return false;
+  return parts[0] === 100 && parts[1]! >= 64 && parts[1]! <= 127;
+}
+
+export function isLoopbackHost(host: string): boolean {
+  return host === '127.0.0.1' || host === 'localhost' || host === '::1';
+}

package/src/server.ts

@@ -3,25 +3,37 @@ import { DEFAULT_HOST, DEFAULT_PORT, defaultDbPath } from './config.js';
 import { MessageStore } from './db.js';
 import { handleRequest } from './app.js';
 import { startLarkOnServer } from './lark/server-integration.js';
+import { isLoopbackHost, tailscaleAddress } from './network.js';
 
 const dbPath = defaultDbPath();
 const store = new MessageStore(dbPath);
 const port = Number(process.env.PAL_PORT ?? DEFAULT_PORT);
 const host = process.env.PAL_HOST ?? DEFAULT_HOST;
+const tailscaleHost = process.env.PAL_TAILSCALE_HOST ?? tailscaleAddress();
+
+function fetch(request: Request): Promise<Response> | Response {
+  const url = new URL(request.url);
+  if (request.method === 'POST' && url.pathname === '/api/lark/reload') {
+    return reloadLarkIntegration();
+  }
+  return handleRequest(store, request);
+}
 
 const server = Bun.serve({
   hostname: host,
   port,
-  async fetch(request) {
-    const url = new URL(request.url);
-    if (request.method === 'POST' && url.pathname === '/api/lark/reload') {
-      return reloadLarkIntegration();
-    }
-    return handleRequest(store, request);
-  },
+  fetch,
 });
+const tailscaleServer = tailscaleHost && isLoopbackHost(host)
+  ? Bun.serve({ hostname: tailscaleHost, port, fetch })
+  : null;
 
 console.log(`pal server listening on http://${server.hostname}:${server.port}`);
+if (tailscaleServer) {
+  console.log(`pal server also listening on Tailscale http://${tailscaleServer.hostname}:${tailscaleServer.port}`);
+} else if (tailscaleHost) {
+  console.log(`pal server Tailscale address: http://${tailscaleHost}:${server.port}`);
+}
 console.log(`database: ${dbPath}`);
 
 function startLarkIntegration() {
@@ -50,11 +62,13 @@ if (larkIntegration.handles.length > 0) {
 
 process.on('SIGINT', () => {
   larkIntegration.stop();
+  tailscaleServer?.stop();
   server.stop();
   process.exit(0);
 });
 process.on('SIGTERM', () => {
   larkIntegration.stop();
+  tailscaleServer?.stop();
   server.stop();
   process.exit(0);
 });

package/src/types.ts

@@ -228,6 +228,14 @@ export interface ChannelAccount {
   updated_at: string;
 }
 
+export interface LarkAuthorizedUser {
+  id: string;
+  user_id: string;
+  display_name: string | null;
+  created_at: string;
+  updated_at: string;
+}
+
 export interface PalIdentity {
   id: string;
   kind: PalIdentityKind;

package/src/web.ts

@@ -63,8 +63,9 @@ export function dashboardHtml(): string {
       grid-template-columns: 300px minmax(360px, 1fr) 330px;
       gap: 14px;
       width: min(1540px, calc(100vw - 28px));
-      min-height: calc(100vh - 28px);
+      height: calc(100vh - 28px);
       margin: 14px auto;
+      overflow: hidden;
     }
     .panel {
       min-width: 0;
@@ -115,7 +116,7 @@ export function dashboardHtml(): string {
     }
     .pill.good { color: var(--active); border-color: #a7d7c4; background: var(--active-soft); }
     .pill.blue { color: var(--blue); border-color: #b7c8f6; background: var(--blue-soft); }
-    .chat { display: grid; grid-template-rows: auto 1fr auto; overflow: hidden; }
+    .chat { display: grid; grid-template-rows: auto minmax(0, 1fr) auto; overflow: hidden; min-height: 0; }
     .panel-head { display: flex; align-items: center; justify-content: space-between; gap: 14px; min-height: 74px; min-width: 0; background: var(--panel); }
     .panel-head > div { min-width: 0; }
     .panel-head h2 { margin: 0; font-size: 22px; letter-spacing: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
@@ -138,6 +139,94 @@ export function dashboardHtml(): string {
     .split { display: grid; grid-template-columns: minmax(0, 1fr) 120px; gap: 8px; }
     .toolbox { display: grid; gap: 8px; background: var(--panel-2); }
     .section-title { margin: 0; color: var(--muted); font-size: 12px; font-weight: 900; letter-spacing: .12em; text-transform: uppercase; }
+    .field { display: grid; gap: 5px; }
+    .field span { color: var(--muted); font-size: 11px; font-weight: 900; text-transform: uppercase; letter-spacing: .08em; }
+    .settings-trigger { white-space: nowrap; }
+    .settings-backdrop {
+      position: fixed;
+      inset: 0;
+      z-index: 40;
+      display: none;
+      padding: 18px;
+      background: rgba(24, 23, 20, .28);
+    }
+    .settings-backdrop.open { display: grid; place-items: center; }
+    .settings-dialog {
+      display: grid;
+      grid-template-rows: auto 1fr;
+      width: min(1120px, 100%);
+      max-height: min(860px, calc(100vh - 36px));
+      border: 1px solid var(--ink);
+      background: var(--panel);
+      box-shadow: var(--shadow);
+      overflow: hidden;
+    }
+    .settings-head {
+      display: flex;
+      justify-content: space-between;
+      gap: 14px;
+      padding: 16px;
+      border-bottom: 1px solid var(--line);
+      background: #fffdf8;
+    }
+    .settings-head h2 { margin: 0; font-size: 24px; letter-spacing: 0; }
+    .settings-body {
+      display: grid;
+      grid-template-columns: 210px minmax(0, 1fr);
+      min-height: 0;
+      overflow: hidden;
+    }
+    .settings-nav {
+      display: grid;
+      align-content: start;
+      gap: 8px;
+      padding: 14px;
+      border-right: 1px solid var(--line);
+      background: var(--panel-2);
+      overflow: auto;
+    }
+    .settings-tab {
+      width: 100%;
+      background: transparent;
+      color: var(--ink);
+      border-color: var(--line);
+      text-align: left;
+    }
+    .settings-tab.active { background: var(--ink); color: #fffaf1; border-color: var(--ink); }
+    .settings-content { overflow: auto; padding: 16px; }
+    .settings-pane { display: none; gap: 12px; }
+    .settings-pane.active { display: grid; }
+    .settings-section-head {
+      display: flex;
+      align-items: start;
+      justify-content: space-between;
+      gap: 12px;
+      padding-bottom: 10px;
+      border-bottom: 1px solid var(--line);
+    }
+    .settings-section-head h3 { margin: 0; font-size: 18px; letter-spacing: 0; }
+    .settings-section-head .meta { max-width: 620px; }
+    .setup-grid { display: grid; grid-template-columns: minmax(0, 1fr); gap: 12px; }
+    .setup-panel { display: grid; gap: 8px; padding: 12px; border: 1px solid var(--line); background: #fffdf8; }
+    .setup-panel.collapsed { display: none; }
+    .setup-panel .section-title { color: var(--ink); }
+    .setup-actions { display: grid; grid-template-columns: 1fr auto; gap: 8px; }
+    .summary-panel { display: grid; gap: 8px; padding: 12px; border: 1px solid var(--line); background: var(--active-soft); }
+    .settings-list { display: grid; gap: 8px; }
+    .settings-row {
+      display: grid;
+      grid-template-columns: minmax(0, 1fr) auto;
+      gap: 10px;
+      align-items: start;
+      padding: 11px;
+      border: 1px solid var(--line);
+      background: #fffdf8;
+    }
+    .settings-row strong { display: block; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+    .settings-row .meta { overflow-wrap: anywhere; word-break: break-word; }
+    .command-wrap { display: grid; gap: 7px; }
+    .command-wrap textarea { font-family: var(--mono); font-size: 11px; min-height: 104px; }
+    .secret-note { color: var(--faint); font-size: 11px; line-height: 1.4; }
     .empty, .error, .readonly-note { border: 1px dashed var(--line); padding: 18px; text-align: center; background: rgba(255, 253, 248, .65); }
     .error { display: none; color: var(--danger); border-color: rgba(163, 58, 43, .35); background: #fff1ee; }
     .readonly-note { color: var(--muted); line-height: 1.5; }
@@ -188,12 +277,14 @@ export function dashboardHtml(): string {
       .app { grid-template-columns: 280px minmax(0, 1fr); }
       .inspector { grid-column: 1 / -1; grid-template-rows: auto auto; }
       .inspector .agents { max-height: 320px; }
+      .settings-body, .setup-grid, .settings-row { grid-template-columns: 1fr; }
+      .settings-nav { grid-template-columns: repeat(2, minmax(0, 1fr)); border-right: 0; border-bottom: 1px solid var(--line); }
     }
     @media (max-width: 760px) {
-      .app { width: 100%; min-height: 100vh; margin: 0; grid-template-columns: 1fr; }
+      .app { width: 100%; height: 100vh; margin: 0; grid-template-columns: 1fr; overflow: auto; }
       .sidebar, .inspector { max-height: none; }
-      .chat { min-height: 68vh; }
-      .composer-controls, .split, .form-row { grid-template-columns: 1fr; }
+      .chat { height: 100vh; min-height: 0; }
+      .composer-controls, .split, .form-row, .setup-actions { grid-template-columns: 1fr; }
       .message { max-width: 100%; }
     }
   </style>
@@ -246,6 +337,7 @@ export function dashboardHtml(): string {
           <h2>Agents</h2>
           <div class="meta">Use runtime=codex for executable demo agents.</div>
         </div>
+        <button id="open-settings" class="secondary settings-trigger" type="button">Settings</button>
       </header>
       <div class="toolbox">
         <form id="invite-form" class="split">
@@ -259,29 +351,135 @@ export function dashboardHtml(): string {
           </select>
           <button>Invite</button>
         </form>
-        <form id="agent-form" class="create-agent">
-          <p class="section-title">Create or Update Agent</p>
-          <input id="agent-key" placeholder="codex" autocomplete="off" required>
-          <input id="agent-name" placeholder="Codex" autocomplete="off" required>
-          <input id="agent-runtime" placeholder="codex" autocomplete="off">
-          <input id="agent-computer" placeholder="machine id" autocomplete="off">
-          <button>Create agent</button>
-        </form>
-        <form id="computer-form" class="create-agent">
-          <p class="section-title">Provision Computer</p>
-          <input id="computer-name" placeholder="Bill's Team" autocomplete="off">
-          <button>Generate command</button>
-          <textarea id="computer-command" readonly rows="4" placeholder="Daemon command"></textarea>
-        </form>
         <div id="members" class="members"></div>
       </div>
       <div id="agents" class="agents"></div>
     </aside>
   </main>
+  <section id="settings-backdrop" class="settings-backdrop" aria-hidden="true">
+    <div class="settings-dialog" role="dialog" aria-modal="true" aria-labelledby="settings-title">
+      <header class="settings-head">
+        <div>
+          <h2 id="settings-title">Settings</h2>
+          <div class="meta">Configure access, agents, computers, and Feishu/Lark from one place.</div>
+        </div>
+        <button id="close-settings" class="secondary icon" type="button" aria-label="Close settings">×</button>
+      </header>
+      <div class="settings-body">
+        <nav class="settings-nav" aria-label="Settings sections">
+          <button class="settings-tab active" type="button" data-settings-tab="access">Access</button>
+          <button class="settings-tab" type="button" data-settings-tab="agents">Agents</button>
+          <button class="settings-tab" type="button" data-settings-tab="computers">Computers</button>
+          <button class="settings-tab" type="button" data-settings-tab="lark">Lark</button>
+        </nav>
+        <div class="settings-content">
+          <section id="settings-access" class="settings-pane active">
+            <div class="summary-panel">
+              <p class="section-title">Server Access</p>
+              <div id="server-access" class="meta">Listening locally. Tailscale address is detected on load.</div>
+            </div>
+            <div class="settings-section-head">
+              <div>
+                <h3>Lark Users</h3>
+                <div class="meta">Only listed Lark user IDs may trigger inbound bot handling.</div>
+              </div>
+              <button class="secondary" type="button" data-add-panel="lark-user-form">Add User</button>
+            </div>
+            <div class="setup-grid">
+              <div id="settings-lark-user-list" class="settings-list"></div>
+              <form id="lark-user-form" class="setup-panel collapsed">
+                <p class="section-title">Authorized Lark User</p>
+                <label class="field"><span>User ID</span><input id="lark-user-id" placeholder="on_xxx union id" autocomplete="off" required></label>
+                <label class="field"><span>Display name</span><input id="lark-user-name" placeholder="Optional" autocomplete="off"></label>
+                <div class="setup-actions">
+                  <button>Save user</button>
+                  <button class="secondary" type="button" data-cancel-panel="lark-user-form">Cancel</button>
+                </div>
+              </form>
+            </div>
+          </section>
+          <section id="settings-agents" class="settings-pane">
+            <div class="settings-section-head">
+              <div>
+                <h3>Agents</h3>
+                <div class="meta">Manage logical agents and assign them to an available computer.</div>
+              </div>
+              <button class="secondary" type="button" data-add-panel="agent-form">Add Agent</button>
+            </div>
+            <div class="setup-grid">
+              <div id="settings-agent-list" class="settings-list"></div>
+              <form id="agent-form" class="setup-panel collapsed">
+                <p class="section-title">Agent Onboard</p>
+                <label class="field"><span>Key</span><input id="agent-key" placeholder="codex" autocomplete="off" required></label>
+                <label class="field"><span>Name</span><input id="agent-name" placeholder="Codex" autocomplete="off" required></label>
+                <label class="field"><span>Runtime</span><select id="agent-runtime"><option value="codex">codex</option><option value="neeko">neeko</option><option value="coco">coco</option><option value="coco-stream-json">coco-stream-json</option></select></label>
+                <label class="field"><span>Computer</span><select id="agent-computer"><option value="">No assignment</option></select></label>
+                <label class="field"><span>Description</span><input id="agent-desc" placeholder="Optional" autocomplete="off"></label>
+                <div class="setup-actions">
+                  <button>Onboard agent</button>
+                  <button class="secondary" type="button" data-cancel-panel="agent-form">Cancel</button>
+                </div>
+              </form>
+            </div>
+          </section>
+          <section id="settings-computers" class="settings-pane">
+            <div class="settings-section-head">
+              <div>
+                <h3>Computers</h3>
+                <div class="meta">Provision daemon credentials and see connected machines.</div>
+              </div>
+              <button class="secondary" type="button" data-add-panel="computer-form">Add Computer</button>
+            </div>
+            <div class="setup-grid">
+              <div id="settings-computer-list" class="settings-list"></div>
+              <form id="computer-form" class="setup-panel collapsed">
+                <p class="section-title">Computer Onboard</p>
+                <label class="field"><span>Name</span><input id="computer-name" placeholder="Local computer" autocomplete="off"></label>
+                <label class="field"><span>Server URL</span><input id="computer-server" autocomplete="off"></label>
+                <label class="field"><span>Daemon package</span><input id="computer-package" value="@controlflow-ai/daemon@latest" autocomplete="off"></label>
+                <div class="setup-actions">
+                  <button>Generate command</button>
+                  <button id="copy-command" class="secondary" type="button">Copy</button>
+                </div>
+                <button class="secondary" type="button" data-cancel-panel="computer-form">Cancel</button>
+                <div class="command-wrap">
+                  <textarea id="computer-command" readonly rows="4" placeholder="Daemon command"></textarea>
+                </div>
+              </form>
+            </div>
+          </section>
+          <section id="settings-lark" class="settings-pane">
+            <div class="settings-section-head">
+              <div>
+                <h3>Lark</h3>
+                <div class="meta">Bind Feishu/Lark bot credentials to a Pal agent. Secrets stay in the local runtime profile.</div>
+              </div>
+              <button class="secondary" type="button" data-add-panel="lark-form">Add Lark Bot</button>
+            </div>
+            <div class="setup-grid">
+              <div id="settings-lark-list" class="settings-list"></div>
+              <form id="lark-form" class="setup-panel collapsed">
+                <p class="section-title">Lark Setup</p>
+                <label class="field"><span>Bind agent</span><select id="lark-agent"></select></label>
+                <label class="field"><span>Label</span><input id="lark-label" placeholder="Team bot" autocomplete="off"></label>
+                <label class="field"><span>App ID</span><input id="lark-app-id" placeholder="cli_xxx" autocomplete="off" required></label>
+                <label class="field"><span>App Secret</span><input id="lark-app-secret" type="password" autocomplete="off" required></label>
+                <div class="secret-note">Secret is sent only to this local Pal server, validated with Feishu, and stored in the local Lark config file.</div>
+                <div class="setup-actions">
+                  <button>Save Lark bot</button>
+                  <button class="secondary" type="button" data-cancel-panel="lark-form">Cancel</button>
+                </div>
+              </form>
+            </div>
+          </section>
+        </div>
+      </div>
+    </div>
+  </section>
   <div id="error" class="error" role="alert"></div>
   <div id="toast" class="toast" role="status"></div>
 <script>
-  const state = { rooms: [], agents: [], members: [], mentionables: [], messages: [], selectedRoomId: null, mentionIndex: 0 };
+  const state = { rooms: [], agents: [], computers: [], lark: null, larkUsers: [], serverAccess: null, members: [], mentionables: [], messages: [], selectedRoomId: null, mentionIndex: 0 };
   const root = (id) => document.getElementById(id);
   const escapeHtml = (value) => String(value ?? '').replace(/[&<>'"]/g, (char) => ({ '&':'&amp;', '<':'&lt;', '>':'&gt;', "'":'&#39;', '"':'&quot;' }[char]));
   async function api(path, options) {
@@ -358,11 +556,58 @@ export function dashboardHtml(): string {
   }
   function renderAgents() {
     root('invite-agent').innerHTML = state.agents.length ? state.agents.map((agent) => '<option value="' + escapeHtml(agent.agent_key) + '">' + escapeHtml(agent.display_name) + ' · ' + escapeHtml(agent.agent_key) + '</option>').join('') : '<option value="">No agents</option>';
+    root('lark-agent').innerHTML = state.agents.length ? state.agents.map((agent) => '<option value="' + escapeHtml(agent.agent_key) + '">' + escapeHtml(agent.display_name) + ' · ' + escapeHtml(agent.agent_key) + '</option>').join('') : '<option value="">Onboard an agent first</option>';
     root('agents').innerHTML = state.agents.length ? state.agents.map((agent) => (
       '<article class="agent"><div class="agent-title"><span>' + escapeHtml(agent.display_name) + '</span>' + pill(agent.runtime || 'no runtime', agent.runtime === 'codex' ? 'good' : '') + '</div>' +
       '<div class="pills">' + pill(agent.agent_key) + pill(agent.id) + '</div>' +
       '<div class="meta">' + escapeHtml(agent.description || 'No description') + '</div></article>'
     )).join('') : empty('No agents yet. Create codex to start.');
+    root('settings-agent-list').innerHTML = state.agents.length
+      ? state.agents.map((agent) => '<article class="settings-row"><div><strong>' + escapeHtml(agent.display_name) + '</strong><div class="meta">' + escapeHtml(agent.description || 'No description') + '</div><div class="pills">' + pill(agent.agent_key, 'blue') + pill(agent.runtime || 'no runtime', agent.runtime === 'codex' ? 'good' : '') + '</div></div></article>').join('')
+      : empty('No agents yet.');
+  }
+  function renderComputers() {
+    root('agent-computer').innerHTML = '<option value="">No assignment</option>' + state.computers.map((computer) => '<option value="' + escapeHtml(computer.id) + '">' + escapeHtml(computer.name) + ' · ' + escapeHtml(computer.id) + '</option>').join('');
+    root('settings-computer-list').innerHTML = state.computers.length
+      ? state.computers.map((computer) => '<article class="settings-row"><div><strong>' + escapeHtml(computer.name) + '</strong><div class="meta">' + escapeHtml(computer.id) + '</div><div class="pills">' + pill(computer.status, computer.status === 'online' ? 'good' : '') + (computer.last_seen_at ? pill('last seen ' + computer.last_seen_at) : '') + '</div></div></article>').join('')
+      : empty('No computers yet.');
+  }
+  function renderLarkConfig() {
+    const el = root('settings-lark-list');
+    if (!el) return;
+    const bots = state.lark?.bots || [];
+    el.innerHTML = bots.length
+      ? bots.map((bot) => '<article class="settings-row"><div><strong>' + escapeHtml(bot.label || bot.appId) + '</strong><div class="meta">' + escapeHtml(bot.appId) + '</div><div class="pills">' + pill('@' + (bot.agent || '-'), 'blue') + pill(bot.botOpenId ? 'open_id resolved' : 'open_id missing', bot.botOpenId ? 'good' : '') + pill(bot.hasSecret ? 'secret stored' : 'secret missing') + '</div></div></article>').join('') + '<div class="meta">Config: ' + escapeHtml(state.lark.path || '') + '</div>'
+      : empty('No Lark bots configured yet.');
+  }
+  function renderLarkUsers() {
+    const el = root('settings-lark-user-list');
+    if (!el) return;
+    el.innerHTML = state.larkUsers.length
+      ? state.larkUsers.map((user) => '<article class="settings-row"><div><strong>' + escapeHtml(user.display_name || user.user_id) + '</strong><div class="meta">' + escapeHtml(user.user_id) + '</div><div class="pills">' + pill('authorized', 'good') + '</div></div><button class="secondary" type="button" data-delete-lark-user="' + escapeHtml(user.user_id) + '">Delete</button></article>').join('')
+      : empty('No authorized Lark users. Inbound bot messages will be ignored.');
+    [...el.querySelectorAll('[data-delete-lark-user]')].forEach((button) => {
+      button.addEventListener('click', async () => {
+        const userId = button.dataset.deleteLarkUser;
+        if (!userId) return;
+        const deleted = await api('/api/lark/authorized-users/' + encodeURIComponent(userId), { method: 'DELETE' }).catch((error) => { showError(error); return null; });
+        if (!deleted) return;
+        await loadLarkUsers();
+        showToast('Lark user removed');
+      });
+    });
+  }
+  function renderServerAccess() {
+    const access = state.serverAccess;
+    const el = root('server-access');
+    if (!el) return;
+    if (!access) {
+      el.textContent = 'Listening locally. Tailscale address is detected on load.';
+      return;
+    }
+    el.textContent = access.tailscaleUrl
+      ? 'Listening on local ' + access.localUrl + ' and Tailscale ' + access.tailscaleUrl
+      : 'Listening on local ' + access.localUrl + '. No Tailscale interface detected.';
   }
   function renderMembers() {
     root('members').innerHTML = state.members.length ? state.members.map((member) => (
@@ -370,6 +615,25 @@ export function dashboardHtml(): string {
       '<div class="pills">' + pill(member.source) + pill(member.status) + '</div></article>'
     )).join('') : empty('No known members in this room.');
   }
+  function openSettings(tab) {
+    root('settings-backdrop').classList.add('open');
+    root('settings-backdrop').setAttribute('aria-hidden', 'false');
+    selectSettingsTab(tab || 'access');
+  }
+  function closeSettings() {
+    root('settings-backdrop').classList.remove('open');
+    root('settings-backdrop').setAttribute('aria-hidden', 'true');
+  }
+  function selectSettingsTab(tab) {
+    document.querySelectorAll('.settings-tab').forEach((button) => button.classList.toggle('active', button.dataset.settingsTab === tab));
+    document.querySelectorAll('.settings-pane').forEach((pane) => pane.classList.toggle('active', pane.id === 'settings-' + tab));
+  }
+  function showPanel(id) {
+    root(id)?.classList.remove('collapsed');
+  }
+  function hidePanel(id) {
+    root(id)?.classList.add('collapsed');
+  }
   function currentMentionQuery() {
     const input = root('message-content');
     if (!input) return null;
@@ -461,6 +725,26 @@ export function dashboardHtml(): string {
     state.agents = data.agents || [];
     renderAgents();
   }
+  async function loadComputers() {
+    const data = await api('/api/computers');
+    state.computers = data.computers || [];
+    renderComputers();
+  }
+  async function loadLarkConfig() {
+    const data = await api('/api/lark/config');
+    state.lark = data;
+    renderLarkConfig();
+  }
+  async function loadLarkUsers() {
+    const data = await api('/api/lark/authorized-users');
+    state.larkUsers = data.users || [];
+    renderLarkUsers();
+  }
+  async function loadServerAccess() {
+    const data = await api('/api/server/access');
+    state.serverAccess = data;
+    renderServerAccess();
+  }
   async function loadMessages() {
     const room = activeRoom();
     if (!room) {
@@ -483,7 +767,7 @@ export function dashboardHtml(): string {
     renderMembers();
   }
   async function refresh() {
-    await Promise.all([loadRooms(), loadAgents()]);
+    await Promise.all([loadRooms(), loadAgents(), loadComputers(), loadLarkConfig(), loadLarkUsers(), loadServerAccess()]);
     await loadMessages();
   }
   window.selectRoom = async (id) => {
@@ -492,6 +776,23 @@ export function dashboardHtml(): string {
     await loadMessages().catch(showError);
   };
   root('refresh').addEventListener('click', () => refresh().catch(showError));
+  root('open-settings').addEventListener('click', () => openSettings('access'));
+  root('close-settings').addEventListener('click', closeSettings);
+  root('settings-backdrop').addEventListener('mousedown', (event) => {
+    if (event.target === root('settings-backdrop')) closeSettings();
+  });
+  document.addEventListener('keydown', (event) => {
+    if (event.key === 'Escape' && root('settings-backdrop').classList.contains('open')) closeSettings();
+  });
+  document.querySelectorAll('.settings-tab').forEach((button) => {
+    button.addEventListener('click', () => selectSettingsTab(button.dataset.settingsTab));
+  });
+  document.querySelectorAll('[data-add-panel]').forEach((button) => {
+    button.addEventListener('click', () => showPanel(button.dataset.addPanel));
+  });
+  document.querySelectorAll('[data-cancel-panel]').forEach((button) => {
+    button.addEventListener('click', () => hidePanel(button.dataset.cancelPanel));
+  });
   root('room-form').addEventListener('submit', async (event) => {
     event.preventDefault();
     const name = root('room-name').value.trim();
@@ -507,29 +808,67 @@ export function dashboardHtml(): string {
     event.preventDefault();
     const agent_key = root('agent-key').value.trim();
     const display_name = root('agent-name').value.trim();
-    const runtime = root('agent-runtime').value.trim() || null;
-    const computer_id = root('agent-computer').value.trim();
+    const runtime = root('agent-runtime').value.trim() || 'codex';
+    const computer_id = root('agent-computer').value.trim() || undefined;
+    const description = root('agent-desc').value.trim() || null;
     if (!agent_key || !display_name) return;
-    const saved = await api('/api/agents', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ agent_key, display_name, runtime }) }).catch((error) => { showError(error); return null; });
+    const saved = await api('/api/agents/onboard', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ agent_key, display_name, runtime, description, computer_id }) }).catch((error) => { showError(error); return null; });
     if (!saved) return;
-    if (computer_id) {
-      await api('/api/agents/' + encodeURIComponent(agent_key) + '/assignment', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ computer_id }) }).catch((error) => { showError(error); return null; });
-    }
     root('agent-key').value = '';
     root('agent-name').value = '';
-    root('agent-runtime').value = '';
+    root('agent-runtime').value = 'codex';
     root('agent-computer').value = '';
+    root('agent-desc').value = '';
     await loadAgents();
+    hidePanel('agent-form');
     showToast('Agent saved: @' + agent_key);
   });
   root('computer-form').addEventListener('submit', async (event) => {
     event.preventDefault();
     const name = root('computer-name').value.trim();
-    const data = await api('/api/computers/provision', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ name: name || undefined, server_url: location.origin }) }).catch((error) => { showError(error); return null; });
+    const server_url = root('computer-server').value.trim() || location.origin;
+    const package_name = root('computer-package').value.trim() || undefined;
+    const data = await api('/api/computers/provision', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ name: name || undefined, server_url, package_name }) }).catch((error) => { showError(error); return null; });
     if (!data) return;
     root('computer-command').value = data.command;
+    await loadComputers();
     showToast('Computer provisioned: ' + data.computer.id);
   });
+  root('copy-command').addEventListener('click', async () => {
+    const command = root('computer-command').value;
+    if (!command) return;
+    await navigator.clipboard?.writeText(command).catch(() => null);
+    showToast('Daemon command copied');
+  });
+  root('computer-server').value = location.origin;
+  root('lark-user-form').addEventListener('submit', async (event) => {
+    event.preventDefault();
+    const user_id = root('lark-user-id').value.trim();
+    const display_name = root('lark-user-name').value.trim() || null;
+    if (!user_id) return;
+    const saved = await api('/api/lark/authorized-users', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ user_id, display_name }) }).catch((error) => { showError(error); return null; });
+    if (!saved) return;
+    root('lark-user-id').value = '';
+    root('lark-user-name').value = '';
+    await loadLarkUsers();
+    hidePanel('lark-user-form');
+    showToast('Lark user authorized');
+  });
+  root('lark-form').addEventListener('submit', async (event) => {
+    event.preventDefault();
+    const agent = root('lark-agent').value;
+    const app_id = root('lark-app-id').value.trim();
+    const app_secret = root('lark-app-secret').value.trim();
+    const label = root('lark-label').value.trim() || undefined;
+    if (!agent || !app_id || !app_secret) return;
+    const data = await api('/api/lark/setup', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ agent, app_id, app_secret, label }) }).catch((error) => { showError(error); return null; });
+    if (!data) return;
+    root('lark-app-secret').value = '';
+    await loadLarkConfig();
+    const reload = await api('/api/lark/reload', { method: 'POST', headers: { 'content-type': 'application/json' }, body: '{}' }).catch((error) => ({ reloadError: error.message }));
+    if (!reload.reloadError) hidePanel('lark-form');
+    showToast(reload.reloadError ? 'Lark saved, reload failed: ' + reload.reloadError : 'Lark bot saved and reloaded: ' + data.appId);
+  });
   root('invite-form').addEventListener('submit', async (event) => {
     event.preventDefault();
     const room = activeRoom();