@controlflow-ai/daemon 0.1.0 → 0.1.2

package/README.md

@@ -103,32 +103,24 @@ bun run console -- agents list [--json]
 # Create or update an agent record
 bun run console -- agents create --key <agent-key> --name <display-name> [--runtime neeko|coco|codex] [--desc <description>]
 
-# Create/update an agent and optionally assign it to a computer
+# Create/update an agent, optionally assign it to a computer, and optionally set up Lark at the end
 bun run console -- agents onboard --key <agent-key> --name <display-name> [--runtime codex] [--desc <description>] [--computer-id <machine-id>]
+bun run console -- agents onboard --interactive
 
-# Update only the runtime
-bun run console -- agents update --key <agent-key> --runtime neeko|coco|codex
+# Update runtime and/or manage the Lark bot bound to the agent
+bun run console -- agents update --key <agent-key> [--runtime neeko|coco|codex]
+bun run console -- agents update --key <agent-key> --lark-app-id <app-id> --lark-app-secret <app-secret> [--lark-label <name>] [--rebind-lark]
+bun run console -- agents update --key <agent-key> --unbind-lark
+bun run console -- agents update --interactive
 ```
 
 `codex` is the validated runtime for the current demo environment. Do not use `neeko` or `coco` until their binaries and adapters are available on the runtime host.
 
+`agents onboard --interactive` asks at the end whether to set up a Lark bot. Lark setup can create a Feishu app by QR scan/open-link, or accept a pasted App ID/App Secret. `agents update --interactive` manages Lark binding, rebind, and unbind for existing agents.
+
 ### Lark Bots
 
 ```bash
-# Configure a bot, resolve its bot open_id, bind it to an agent, and ask the running server to reload Lark
-bun run console -- lark setup --app-id <app-id> --app-secret <app-secret> --label <name> --agent <agent-key>
-
-# Configure a bot and create/update the bound agent in one command
-bun run console -- lark setup \
-  --app-id <app-id> \
-  --app-secret <app-secret> \
-  --label <name> \
-  --agent codex \
-  --create-agent \
-  --agent-name "Codex" \
-  --runtime codex \
-  --computer-id <machine-id>
-
 # List configured bots; secrets are redacted
 bun run console -- lark list
 
@@ -139,7 +131,9 @@ bun run console -- lark events --limit 20
 bun run console -- lark send --app-id <app-id> --to <receive_id> [--to-type chat_id|open_id|union_id|email|user_id] "Hello"
 ```
 
-`lark setup` writes `~/.pal/lark.json` or `PAL_LARK_CONFIG` with mode `0600`. By default it calls `POST /api/lark/reload` on the running server after a successful write. Use `--no-reload` when you want to edit or validate the file first, then trigger reload manually:
+Lark bot binding is managed as part of agent settings. `agents update --lark-app-id ... --lark-app-secret ...` validates the credential, resolves `bot open_id`, writes `~/.pal/lark.json` or `PAL_LARK_CONFIG`, and asks the running server to reload Lark integration. An agent may only be bound to one Lark bot at a time; use `--rebind-lark` to move that agent from its previous bot to the new bot, or `--unbind-lark` to clear the binding while keeping the credential.
+
+The Lark config file is written with mode `0600`. Use `--no-reload` when you want to edit or validate the file first, then trigger reload manually:
 
 ```bash
 curl -s -X POST http://127.0.0.1:4127/api/lark/reload
@@ -267,9 +261,17 @@ The daemon creates one local API for CLI calls, connects the computer to the ser
 | `LOCK_DAEMON_URL` | `http://127.0.0.1:4137` | Local daemon API URL used by `bun run cli` |
 | `LOCK_DAEMON_TOKEN` | token file fallback | Local daemon API bearer token |
 | `PAL_LARK_CONFIG` | `$PAL_HOME/lark.json` | Lark bot credential file |
-| `PAL_OWNER_LARK_UNION_ID` | - | Optional Lark sender allowlist for business ingest |
 | `PAL_LARK_ACTION_REACTION_EMOJI` | `Typing` | Reaction added when Lark delivery is created |
 
+Lark sender authorization is stored in Pal's database. Manage authorized Lark
+users from the Web Settings Access tab or with:
+
+```bash
+bun run console -- lark-users list
+bun run console -- lark-users add --user-id <union-id> --name "Display Name"
+bun run console -- lark-users delete --user-id <union-id>
+```
+
 ## Runtime Semantics
 
 - Rooms are the primary conversation container; `chat` remains as a compatibility alias in several APIs.

package/package.json

@@ -1,22 +1,33 @@
 {
   "name": "@controlflow-ai/daemon",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "type": "module",
   "scripts": {
     "server": "bun run src/server.ts",
     "daemon": "bun run src/daemon.ts",
     "cli": "bun run src/cli.ts",
     "console": "bun run src/console.ts",
+    "web:dev": "vite --config web/app/vite.config.ts --host 127.0.0.1",
+    "web:build": "vite build --config web/app/vite.config.ts",
+    "web:preview": "vite preview --config web/app/vite.config.ts --host 127.0.0.1",
     "typecheck": "tsc --noEmit",
     "test": "bun test",
     "check": "bun run typecheck && bun test"
   },
   "devDependencies": {
     "@types/bun": "latest",
-    "typescript": "^5.9.3"
+    "@types/qrcode": "^1.5.6",
+    "@types/react": "^19.2.15",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^6.0.2",
+    "typescript": "^5.9.3",
+    "vite": "^8.0.14"
   },
   "dependencies": {
-    "@larksuiteoapi/node-sdk": "^1.59.0"
+    "@larksuiteoapi/node-sdk": "^1.59.0",
+    "qrcode": "^1.5.4",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6"
   },
   "bin": {
     "daemon": "bin/daemon.js",

package/src/agent-runtime.ts

@@ -9,6 +9,15 @@ export interface AgentRuntimeRunInput {
   cwd: string;
   agentHome?: string;
   projectCwd?: string;
+  projectContext?: {
+    id: string;
+    name: string;
+    rootPath: string;
+    computerId: string;
+    computerName?: string | null;
+    accessible: boolean;
+    currentComputerId?: string | null;
+  };
   extraArgs: string[];
   localDaemonUrl?: string;
   localDaemonToken?: string;
@@ -69,6 +78,11 @@ export function buildPalPrompt(input: AgentRuntimeRunInput): string {
   const chatName = sanitizeProviderIds(input.message.chat_name);
   const sender = sanitizeProviderIds(input.message.sender);
   const content = sanitizeProviderIds(input.message.content);
+  const projectContext = input.projectContext
+    ? input.projectContext.accessible
+      ? `\nProject context:\n- You are working in project: ${sanitizeProviderIds(input.projectContext.name)}\n- Project computer: ${sanitizeProviderIds(input.projectContext.computerName || input.projectContext.computerId)}\n- Project path: ${input.projectContext.rootPath}\n- This agent is running on the project computer and can use the project workspace path above.`
+      : `\nProject context:\n- This room belongs to project: ${sanitizeProviderIds(input.projectContext.name)}\n- Project computer: ${sanitizeProviderIds(input.projectContext.computerName || input.projectContext.computerId)}\n- Project path: ${input.projectContext.rootPath}\n- This agent is currently running on computer: ${sanitizeProviderIds(input.projectContext.currentComputerId || 'unknown')}\n- The computers differ, so the project path is temporarily not accessible from this agent run. Do not claim to inspect or change that path unless access is restored.`
+    : '';
 
   return `You are ${input.agent}, a long-running PAL coding agent connected to the pal chat server.
 
@@ -79,6 +93,7 @@ Workspace contract:
 - Your cwd is for identity, memory, recovery state, scratch files, and durable local notes.
 - Your cwd is not the project repository.
 - The project workspace for source inspection, code changes, tests, and Git work is: ${projectCwd}
+${projectContext}
 
 Startup recovery:
 - Read MEMORY.md in your cwd first when it exists.

package/src/app.ts

@@ -1,11 +1,18 @@
 import { artifactHeaders, artifactViewerHtml } from './artifacts.js';
+import { existsSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { join } from 'node:path';
+import QRCode from 'qrcode';
 import { MessageStore } from './db.js';
 import { failure, HttpError, json, numberParam, readJson, stringParam } from './http.js';
 import { assertServerAuth } from './server-auth.js';
 import { dashboardHtml } from './web.js';
 import type { RunAction, RunStatus } from './types.js';
 import { createLarkApiClient, sendTextMessage } from './lark/ws-daemon.js';
-import { boundAgents, loadLarkCredentials, type LarkCredentialStore } from './lark/credentials.js';
+import { boundAgents, defaultLarkConfigPath, loadLarkCredentials, type LarkCredentialStore } from './lark/credentials.js';
+import { persistLarkCredential, resolveLarkBotInfo } from './lark/setup.js';
+import { beginLarkAppRegistration, pollLarkAppRegistration, type LarkRegistrationComplete } from './lark/app-registration.js';
+import { tailscaleAddress } from './network.js';
 
 interface SendBody {
   chat?: string;
@@ -27,6 +34,12 @@ interface CreateRoomBody {
   kind?: 'group' | 'dm';
 }
 
+interface CreateProjectBody {
+  name?: string;
+  computer_id?: string;
+  root_path?: string;
+}
+
 interface StartRunBody {
   message_id?: number;
   agent?: string;
@@ -69,6 +82,25 @@ interface ConnectComputerBody {
   agents?: Array<{ agent?: string; cwd?: string; capabilities?: Record<string, unknown> }>;
 }
 
+async function fetchDaemonJson<T>(input: { localUrl: string; token: string; path: string }): Promise<T> {
+  const base = input.localUrl.replace(/\/$/, '');
+  const response = await fetch(`${base}${input.path}`, {
+    headers: { authorization: `Bearer ${input.token}` },
+  });
+  const payload = await response.json().catch(() => ({})) as { ok?: boolean; data?: T; message?: string; code?: string };
+  if (!response.ok || payload.ok === false) {
+    throw new HttpError(response.status || 502, payload.code || 'DAEMON_REQUEST_FAILED', payload.message || 'daemon request failed');
+  }
+  return (payload.data ?? {}) as T;
+}
+
+async function validateRemoteProjectPath(store: MessageStore, computerId: string, rootPath: string): Promise<void> {
+  const control = store.getComputerLocalControl(computerId);
+  if (!control) throw new HttpError(409, 'COMPUTER_NOT_BROWSABLE', 'computer is not online or does not expose a local filesystem browser');
+  const params = new URLSearchParams({ path: rootPath, validate: 'directory', show_hidden: 'true' });
+  await fetchDaemonJson({ localUrl: control.daemon.local_url, token: control.token, path: `/local/files?${params}` });
+}
+
 interface AssignAgentBody {
   computer_id?: string;
 }
@@ -81,6 +113,20 @@ interface OnboardAgentBody {
   computer_id?: string;
 }
 
+interface LarkSetupBody {
+  app_id?: string;
+  app_secret?: string;
+  registration_id?: string;
+  label?: string;
+  agent?: string;
+  config?: string;
+}
+
+interface LarkAuthorizedUserBody {
+  user_id?: string;
+  display_name?: string | null;
+}
+
 interface CreateDeliveryBody {
   message_id?: number;
   agent?: string;
@@ -154,6 +200,89 @@ function html(body: string): Response {
   return new Response(body, { headers: { 'content-type': 'text/html; charset=utf-8' } });
 }
 
+const webDistDir = fileURLToPath(new URL('../web/app/dist/', import.meta.url));
+
+interface PendingLarkRegistration {
+  id: string;
+  deviceCode: string;
+  url: string;
+  qrDataUrl: string;
+  expiresAt: number;
+  interval: number;
+  completed?: LarkRegistrationComplete;
+}
+
+const larkRegistrations = new Map<string, PendingLarkRegistration>();
+
+function pruneLarkRegistrations(): void {
+  const now = Date.now();
+  for (const [id, registration] of larkRegistrations) {
+    if (registration.expiresAt < now - 60_000) larkRegistrations.delete(id);
+  }
+}
+
+function larkRegistrationPublic(entry: PendingLarkRegistration, status: 'pending' | 'complete' = entry.completed ? 'complete' : 'pending') {
+  return {
+    id: entry.id,
+    status,
+    url: entry.url,
+    qrDataUrl: entry.qrDataUrl,
+    expiresAt: new Date(entry.expiresAt).toISOString(),
+    interval: entry.interval,
+    appId: entry.completed?.appId ?? null,
+    tenantBrand: entry.completed?.tenantBrand ?? null,
+    userOpenId: entry.completed?.userOpenId ?? null,
+  };
+}
+
+async function pollStoredLarkRegistration(id: string): Promise<PendingLarkRegistration> {
+  pruneLarkRegistrations();
+  const entry = larkRegistrations.get(id);
+  if (!entry) throw new HttpError(404, 'LARK_REGISTRATION_NOT_FOUND', 'registration was not found or has expired');
+  if (entry.completed) return entry;
+  if (Date.now() > entry.expiresAt) {
+    larkRegistrations.delete(id);
+    throw new HttpError(410, 'LARK_REGISTRATION_EXPIRED', 'registration link expired');
+  }
+  const result = await pollLarkAppRegistration({ deviceCode: entry.deviceCode });
+  if (result.status === 'pending') return entry;
+  if (result.status === 'slow_down') {
+    entry.interval = Math.max(entry.interval + 5, result.interval);
+    return entry;
+  }
+  if (result.status === 'complete') {
+    entry.completed = result.registration;
+    return entry;
+  }
+  throw new HttpError(400, 'LARK_REGISTRATION_FAILED', result.message);
+}
+
+function webAssetContentType(pathname: string): string {
+  if (pathname.endsWith('.js')) return 'text/javascript; charset=utf-8';
+  if (pathname.endsWith('.css')) return 'text/css; charset=utf-8';
+  if (pathname.endsWith('.svg')) return 'image/svg+xml';
+  if (pathname.endsWith('.png')) return 'image/png';
+  if (pathname.endsWith('.jpg') || pathname.endsWith('.jpeg')) return 'image/jpeg';
+  if (pathname.endsWith('.webp')) return 'image/webp';
+  if (pathname.endsWith('.ico')) return 'image/x-icon';
+  return 'application/octet-stream';
+}
+
+function builtWebIndex(): Response | null {
+  const indexPath = join(webDistDir, 'index.html');
+  if (!existsSync(indexPath)) return null;
+  return new Response(Bun.file(indexPath), { headers: { 'content-type': 'text/html; charset=utf-8' } });
+}
+
+function builtWebAsset(pathname: string): Response | null {
+  if (!pathname.startsWith('/assets/')) return null;
+  const relative = decodeURIComponent(pathname.slice('/assets/'.length));
+  if (!relative || relative.includes('..') || relative.includes('/') || relative.includes('\\')) return null;
+  const assetPath = join(webDistDir, 'assets', relative);
+  if (!existsSync(assetPath)) return null;
+  return new Response(Bun.file(assetPath), { headers: { 'content-type': webAssetContentType(assetPath) } });
+}
+
 function daemonAuthFromRequest(request: Request): { computerId: string; connectionId: string; token: string } | null {
   const computerId = request.headers.get('x-pal-computer-id')?.trim();
   const connectionId = request.headers.get('x-pal-connection-id')?.trim();
@@ -185,13 +314,29 @@ export function route(store: MessageStore, request: Request): Promise<Response>
   const { pathname } = url;
 
   if (request.method === 'GET' && pathname === '/') {
-    return html(dashboardHtml());
+    return builtWebIndex() ?? html(dashboardHtml());
+  }
+
+  if (request.method === 'GET') {
+    const asset = builtWebAsset(pathname);
+    if (asset) return asset;
   }
 
   if (request.method === 'GET' && pathname === '/health') {
     return json({ status: 'ok' });
   }
 
+  if (request.method === 'GET' && pathname === '/api/server/access') {
+    const requestUrl = new URL(request.url);
+    const port = requestUrl.port || (requestUrl.protocol === 'https:' ? '443' : '80');
+    const tailscaleHost = tailscaleAddress();
+    return json({
+      localUrl: `${requestUrl.protocol}//127.0.0.1:${port}`,
+      tailscaleUrl: tailscaleHost ? `${requestUrl.protocol}//${tailscaleHost}:${port}` : null,
+      tailscaleHost,
+    });
+  }
+
   if (request.method === 'GET' && pathname === '/api/computers') {
     return json({ computers: store.listComputers(numberParam(url, 'limit', 50)) });
   }
@@ -225,7 +370,14 @@ export function route(store: MessageStore, request: Request): Promise<Response>
           capabilities: agent.capabilities,
         })),
       });
-      return json(result, 201);
+      return json({
+        computer: result.computer,
+        connection: result.connection,
+        token: result.token,
+        local_control_token: result.localControlToken,
+        daemon: result.daemon,
+        agents: result.agents,
+      }, 201);
     });
   }
 
@@ -303,6 +455,37 @@ export function route(store: MessageStore, request: Request): Promise<Response>
     return json({ rooms: store.listChats() });
   }
 
+  if (request.method === 'GET' && pathname === '/api/projects') {
+    return json({ projects: store.listProjects(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/projects') {
+    return readJson<CreateProjectBody>(request).then(async (body) => {
+      const name = body.name?.trim();
+      const computerId = body.computer_id?.trim();
+      const rootPath = body.root_path?.trim();
+      if (!name) throw new HttpError(400, 'MISSING_PROJECT_NAME', 'name is required');
+      if (!computerId) throw new HttpError(400, 'MISSING_COMPUTER_ID', 'computer_id is required');
+      if (!rootPath) throw new HttpError(400, 'MISSING_ROOT_PATH', 'root_path is required');
+      await validateRemoteProjectPath(store, computerId, rootPath);
+      const project = store.createProject({ name, computerId, rootPath });
+      return json({ project }, 201);
+    });
+  }
+
+  const computerFilesMatch = pathname.match(/^\/api\/computers\/([^/]+)\/files$/);
+  if (request.method === 'GET' && computerFilesMatch) {
+    const computerId = decodeURIComponent(computerFilesMatch[1]!);
+    const control = store.getComputerLocalControl(computerId);
+    if (!control) throw new HttpError(409, 'COMPUTER_NOT_BROWSABLE', 'computer is not online or does not expose a local filesystem browser');
+    const params = new URLSearchParams();
+    const browsePath = stringParam(url, 'path');
+    if (browsePath) params.set('path', browsePath);
+    if (url.searchParams.get('show_hidden') === 'true') params.set('show_hidden', 'true');
+    return fetchDaemonJson({ localUrl: control.daemon.local_url, token: control.token, path: `/local/files${params.size ? `?${params}` : ''}` })
+      .then((data) => json(data));
+  }
+
   if (request.method === 'POST' && pathname === '/api/rooms') {
     return readJson<CreateRoomBody>(request).then((body) => {
       if (!body.name?.trim()) throw new HttpError(400, 'MISSING_ROOM_NAME', 'name is required');
@@ -312,6 +495,20 @@ export function route(store: MessageStore, request: Request): Promise<Response>
     });
   }
 
+  const projectRoomsMatch = pathname.match(/^\/api\/projects\/([^/]+)\/rooms$/);
+  if (request.method === 'POST' && projectRoomsMatch) {
+    return readJson<CreateRoomBody>(request).then((body) => {
+      if (!body.name?.trim()) throw new HttpError(400, 'MISSING_ROOM_NAME', 'name is required');
+      if (body.kind && body.kind !== 'group' && body.kind !== 'dm') throw new HttpError(400, 'BAD_ROOM_KIND', 'kind must be group or dm');
+      const room = store.createProjectRoom({
+        projectId: decodeURIComponent(projectRoomsMatch[1]!),
+        name: body.name,
+        kind: body.kind ?? 'group',
+      });
+      return json({ room }, 201);
+    });
+  }
+
   const roomMembersMatch = pathname.match(/^\/api\/rooms\/([^/]+)\/members$/);
   if (request.method === 'GET' && roomMembersMatch) {
     const room = store.resolveRoom(decodeURIComponent(roomMembersMatch[1]!));
@@ -417,6 +614,120 @@ export function route(store: MessageStore, request: Request): Promise<Response>
     return json({ sessions: store.listSessions(numberParam(url, 'limit', 50)) });
   }
 
+  if (request.method === 'GET' && pathname === '/api/lark/config') {
+    const path = stringParam(url, 'config') ?? defaultLarkConfigPath();
+    const credentials = loadLarkCredentials(path);
+    return json({
+      path,
+      bots: credentials.bots.map((bot) => ({
+        appId: bot.appId,
+        label: bot.label ?? null,
+        agent: bot.agent ?? null,
+        boundAgents: boundAgents(bot),
+        botOpenId: bot.botOpenId ?? null,
+        hasSecret: Boolean(bot.appSecret),
+      })),
+    });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/lark/registration') {
+    return (async () => {
+      pruneLarkRegistrations();
+      const begin = await beginLarkAppRegistration({ source: 'pal-web' });
+      const id = crypto.randomUUID();
+      const qrDataUrl = await QRCode.toDataURL(begin.url, {
+        margin: 1,
+        width: 220,
+        color: { dark: '#181714', light: '#ffffff' },
+      });
+      const entry: PendingLarkRegistration = {
+        id,
+        deviceCode: begin.deviceCode,
+        url: begin.url,
+        qrDataUrl,
+        expiresAt: Date.now() + begin.expiresIn * 1000,
+        interval: begin.interval,
+      };
+      larkRegistrations.set(id, entry);
+      return json(larkRegistrationPublic(entry), 201);
+    })();
+  }
+
+  const larkRegistrationMatch = pathname.match(/^\/api\/lark\/registration\/([^/]+)$/);
+  if (request.method === 'GET' && larkRegistrationMatch) {
+    return (async () => {
+      const entry = await pollStoredLarkRegistration(decodeURIComponent(larkRegistrationMatch[1]!));
+      return json(larkRegistrationPublic(entry));
+    })();
+  }
+
+  if (request.method === 'GET' && pathname === '/api/lark/authorized-users') {
+    return json({ users: store.listLarkAuthorizedUsers() });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/lark/authorized-users') {
+    return readJson<LarkAuthorizedUserBody>(request).then((body) => {
+      const userId = body.user_id?.trim();
+      if (!userId) throw new HttpError(400, 'MISSING_USER_ID', 'user_id is required');
+      const user = store.upsertLarkAuthorizedUser({ userId, displayName: body.display_name });
+      return json({ user }, 201);
+    });
+  }
+
+  const larkAuthorizedUserMatch = pathname.match(/^\/api\/lark\/authorized-users\/([^/]+)$/);
+  if (request.method === 'DELETE' && larkAuthorizedUserMatch) {
+    const userId = decodeURIComponent(larkAuthorizedUserMatch[1]!);
+    const deleted = store.deleteLarkAuthorizedUser(userId);
+    if (!deleted) throw new HttpError(404, 'LARK_USER_NOT_FOUND', 'authorized Lark user was not found');
+    return json({ deleted: true });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/lark/setup') {
+    return readJson<LarkSetupBody>(request).then(async (body) => {
+      const registrationId = body.registration_id?.trim();
+      let appId = body.app_id?.trim();
+      let appSecret = body.app_secret?.trim();
+      const agent = body.agent?.trim();
+      const label = body.label?.trim();
+      const configPath = body.config?.trim() || defaultLarkConfigPath();
+      if (registrationId) {
+        const registration = await pollStoredLarkRegistration(registrationId);
+        if (!registration.completed) throw new HttpError(409, 'LARK_REGISTRATION_PENDING', 'registration has not completed yet');
+        if (registration.completed.tenantBrand === 'lark') {
+          throw new HttpError(400, 'LARK_TENANT_UNSUPPORTED', 'Lark international tenants are not supported yet; use a Feishu tenant');
+        }
+        appId = registration.completed.appId;
+        appSecret = registration.completed.appSecret;
+      }
+      if (!appId) throw new HttpError(400, 'MISSING_APP_ID', 'app_id is required');
+      if (!appSecret) throw new HttpError(400, 'MISSING_APP_SECRET', 'app_secret is required');
+      if (!agent) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+      if (!store.getAgent(agent)) throw new HttpError(404, 'AGENT_NOT_FOUND', `agent ${agent} not found`);
+
+      const botInfo = await resolveLarkBotInfo(appId, appSecret);
+      if (!botInfo.ok) {
+        throw new HttpError(400, 'LARK_CREDENTIALS_REJECTED', `could not resolve bot open_id (${botInfo.error}): ${botInfo.message}`);
+      }
+
+      const result = persistLarkCredential({
+        appId,
+        appSecret,
+        label,
+        agent,
+        botOpenId: botInfo.openId,
+        configPath,
+      });
+      const account = store.registerChannelAccount({
+        name: label || botInfo.appName || appId,
+        appId,
+        botOpenId: botInfo.openId,
+        agent,
+      });
+      if (registrationId) larkRegistrations.delete(registrationId);
+      return json({ ...result, appName: botInfo.appName ?? null, account }, 201);
+    });
+  }
+
   const sessionRunsMatch = pathname.match(/^\/api\/sessions\/([^/]+)\/runs$/);
   if (request.method === 'GET' && sessionRunsMatch) {
     return json({ runs: store.listRunsForSession(sessionRunsMatch[1]!, numberParam(url, 'limit', 50)) });

package/src/client.ts

@@ -1,6 +1,6 @@
 import { defaultServerToken, defaultServerUrl } from './config.js';
 import { serverAuthHeaders } from './server-auth.js';
-import type { AgentRoomSubscriptionMode, AgentRun, AgentSession, ApiResponse, Chat, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, Message, MessageDelivery, ProvisionedComputer, RoomChannel, RoomParticipant, RunAction } from './types.js';
+import type { AgentRoomSubscriptionMode, AgentRun, AgentSession, ApiResponse, Chat, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, Message, MessageDelivery, ProvisionedComputer, RemoteFileList, RoomChannel, RoomParticipant, RunAction } from './types.js';
 
 export interface SendRequest {
   chat?: string;
@@ -182,8 +182,16 @@ export class LockClient {
     return data.computers;
   }
 
-  async connectComputer(input: ConnectComputerRequest): Promise<{ computer: Computer; connection: ComputerConnection; token: string; daemon: DaemonInstance; agents: ComputerAgentAssignment[] }> {
-    const data = await this.post<{ computer: Computer; connection: ComputerConnection; token: string; daemon: DaemonInstance; agents: ComputerAgentAssignment[] }>('/api/computers/connect', input);
+  async connectComputer(input: ConnectComputerRequest): Promise<{ computer: Computer; connection: ComputerConnection; token: string; local_control_token?: string; daemon: DaemonInstance; agents: ComputerAgentAssignment[] }> {
+    const data = await this.post<{ computer: Computer; connection: ComputerConnection; token: string; local_control_token?: string; daemon: DaemonInstance; agents: ComputerAgentAssignment[] }>('/api/computers/connect', input);
+    return data;
+  }
+
+  async listComputerFiles(computerId: string, input: { path?: string; show_hidden?: boolean } = {}): Promise<RemoteFileList> {
+    const params = new URLSearchParams();
+    if (input.path) params.set('path', input.path);
+    if (input.show_hidden) params.set('show_hidden', 'true');
+    const data = await this.get<RemoteFileList>(`/api/computers/${encodeURIComponent(computerId)}/files${params.size ? `?${params}` : ''}`);
     return data;
   }