@controlflow-ai/daemon 0.1.0 → 0.1.2

package/src/db.ts

@@ -1,10 +1,13 @@
 import { Database, type SQLQueryBindings } from 'bun:sqlite';
 import { createHash, randomBytes } from 'node:crypto';
+import { isAbsolute } from 'node:path';
 import { ensureParentDir } from './config.js';
 import { runMigrations } from './migrations.js';
 import { artifactExpiry, generateArtifactToken, hashArtifactToken, validateArtifactContent } from './artifacts.js';
 import { palIdentityHandle } from './provider-identity.js';
-import type { AgentDefinition, AgentRun, AgentSession, AgentValidationResult, Artifact, ArtifactMetadata, ChannelAccount, ChannelConversation, ChannelMessageMapping, ChannelOutboxRecord, Chat, ChatKind, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, LarkGroupRoomMapping, LockProviderEvidence, LockTranscriptMessage, Message, MessageDelivery, MessageType, AgentRoomSubscription, AgentRoomSubscriptionMode, PendingInboundEvent, ProvisionedComputer, ProviderExternalType, ProviderIdentityBinding, PalIdentity, RoomChannel, RoomParticipant, RoomParticipantKind, RoomParticipantSource, RoomProvider, RunAction, RunStatus, TranscriptReadModel, WorkbenchArtifact } from './types.js';
+import type { AgentDefinition, AgentRun, AgentSession, AgentValidationResult, Artifact, ArtifactMetadata, ChannelAccount, ChannelConversation, ChannelMessageMapping, ChannelOutboxRecord, Chat, ChatKind, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, LarkAuthorizedUser, LarkGroupRoomMapping, LockProviderEvidence, LockTranscriptMessage, Message, MessageDelivery, MessageType, AgentRoomSubscription, AgentRoomSubscriptionMode, PendingInboundEvent, Project, ProvisionedComputer, ProviderExternalType, ProviderIdentityBinding, PalIdentity, RoomChannel, RoomParticipant, RoomParticipantKind, RoomParticipantSource, RoomProvider, RunAction, RunStatus, TranscriptReadModel, WorkbenchArtifact } from './types.js';
+
+export const ALL_AGENTS_MENTION = '__pal_all_agents__';
 
 export interface CreateMessageInput {
   chatId?: string;
@@ -83,6 +86,7 @@ export interface ConnectComputerResult {
   computer: Computer;
   connection: ComputerConnection;
   token: string;
+  localControlToken: string;
   daemon: DaemonInstance;
   agents: ComputerAgentAssignment[];
 }
@@ -354,6 +358,19 @@ function rowToComputerAgentAssignment(row: Record<string, unknown>): ComputerAge
   };
 }
 
+function rowToProject(row: Record<string, unknown>): Project {
+  return {
+    id: String(row.id),
+    name: String(row.name),
+    computer_id: String(row.computer_id),
+    computer_name: row.computer_name === null || row.computer_name === undefined ? null : String(row.computer_name),
+    root_path: String(row.root_path),
+    room_count: Number(row.room_count ?? 0),
+    created_at: String(row.created_at),
+    updated_at: String(row.updated_at),
+  };
+}
+
 function rowToMessage(row: Record<string, unknown>): Message {
   return {
     id: Number(row.id),
@@ -529,6 +546,16 @@ function rowToChannelAccount(row: Record<string, unknown>): ChannelAccount {
   };
 }
 
+function rowToLarkAuthorizedUser(row: Record<string, unknown>): LarkAuthorizedUser {
+  return {
+    id: String(row.id),
+    user_id: String(row.user_id),
+    display_name: row.display_name === null || row.display_name === undefined ? null : String(row.display_name),
+    created_at: String(row.created_at),
+    updated_at: String(row.updated_at),
+  };
+}
+
 function rowToPalIdentity(row: Record<string, unknown>): PalIdentity {
   return {
     id: String(row.id),
@@ -800,6 +827,68 @@ export class MessageStore {
     return this.getChatById(id)!;
   }
 
+  createProject(input: { name: string; computerId: string; rootPath: string }): Project {
+    const name = input.name.trim();
+    const computerId = input.computerId.trim();
+    const rootPath = input.rootPath.trim();
+    if (!name) throw new Error('project name is required');
+    if (!computerId) throw new Error('computer_id is required');
+    if (!rootPath) throw new Error('root_path is required');
+    if (!isAbsolute(rootPath)) throw new Error('root_path must be absolute');
+    const computer = this.getComputer(computerId);
+    if (!computer) throw new Error(`computer ${computerId} not found`);
+
+    const id = crypto.randomUUID();
+    this.db.query(`
+      INSERT INTO projects (id, name, computer_id, root_path, created_at, updated_at)
+      VALUES (?, ?, ?, ?, datetime('now'), datetime('now'))
+    `).run(id, name, computerId, rootPath);
+    return this.getProject(id)!;
+  }
+
+  getProject(id: string): Project | null {
+    const row = this.db.query(`
+      SELECT p.*, c.name AS computer_name, COUNT(ch.id) AS room_count
+      FROM projects p
+      LEFT JOIN computers c ON c.id = p.computer_id
+      LEFT JOIN chats ch ON ch.project_id = p.id
+      WHERE p.id = ?
+      GROUP BY p.id
+    `).get(id.trim()) as Record<string, unknown> | null;
+    return row ? rowToProject(row) : null;
+  }
+
+  listProjects(limit = 50): Project[] {
+    const rows = this.db.query(`
+      SELECT p.*, c.name AS computer_name, COUNT(ch.id) AS room_count
+      FROM projects p
+      LEFT JOIN computers c ON c.id = p.computer_id
+      LEFT JOIN chats ch ON ch.project_id = p.id
+      GROUP BY p.id
+      ORDER BY p.updated_at DESC, p.created_at DESC
+      LIMIT ?
+    `).all(limitValue(limit, 50)) as Record<string, unknown>[];
+    return rows.map(rowToProject);
+  }
+
+  createProjectRoom(input: { projectId: string; name: string; kind?: ChatKind }): Chat {
+    const project = this.getProject(input.projectId);
+    if (!project) throw new Error(`project ${input.projectId} was not found`);
+    const kind = input.kind ?? 'group';
+    if (kind !== 'group' && kind !== 'dm') throw new Error('kind must be group or dm');
+    const chatName = normalizeChatName(input.name);
+    if (!chatName) throw new Error('room name is required');
+    if (this.getChatByName(chatName)) throw new Error(`room ${chatName} already exists`);
+
+    const id = crypto.randomUUID();
+    this.db.query(`
+      INSERT INTO chats (id, name, kind, provider, capabilities_json, project_id)
+      VALUES (?, ?, ?, 'web', ?, ?)
+    `).run(id, chatName, kind, kind === 'dm' ? '{"topics":"unsupported"}' : '{"topics":"native"}', project.id);
+    this.db.query(`UPDATE projects SET updated_at = datetime('now') WHERE id = ?`).run(project.id);
+    return this.getChatById(id)!;
+  }
+
   updateRoomDisplayName(roomId: string, displayName: string | null): Chat {
     const room = this.getChatById(roomId);
     if (!room) throw new Error(`room ${roomId} was not found`);
@@ -852,6 +941,43 @@ export class MessageStore {
     return this.db.query('SELECT * FROM chat_stats ORDER BY COALESCE(last_message_at, created_at) DESC').all() as Chat[];
   }
 
+  listLarkAuthorizedUsers(): LarkAuthorizedUser[] {
+    const rows = this.db.query('SELECT * FROM lark_authorized_users ORDER BY COALESCE(display_name, user_id), user_id').all() as Record<string, unknown>[];
+    return rows.map(rowToLarkAuthorizedUser);
+  }
+
+  upsertLarkAuthorizedUser(input: { userId: string; displayName?: string | null }): LarkAuthorizedUser {
+    const userId = input.userId.trim();
+    if (!userId) throw new Error('lark user_id is required');
+    const id = crypto.randomUUID();
+    this.db.query(`
+      INSERT INTO lark_authorized_users (id, user_id, display_name, created_at, updated_at)
+      VALUES (?, ?, ?, datetime('now'), datetime('now'))
+      ON CONFLICT(user_id) DO UPDATE SET
+        display_name = excluded.display_name,
+        updated_at = datetime('now')
+    `).run(id, userId, input.displayName?.trim() || null);
+    return this.getLarkAuthorizedUser(userId)!;
+  }
+
+  getLarkAuthorizedUser(userId: string): LarkAuthorizedUser | null {
+    const normalized = userId.trim();
+    if (!normalized) return null;
+    const row = this.db.query('SELECT * FROM lark_authorized_users WHERE user_id = ?').get(normalized) as Record<string, unknown> | null;
+    return row ? rowToLarkAuthorizedUser(row) : null;
+  }
+
+  isLarkAuthorizedUser(userId: string | null | undefined): boolean {
+    if (!userId?.trim()) return false;
+    return this.getLarkAuthorizedUser(userId) !== null;
+  }
+
+  deleteLarkAuthorizedUser(userId: string): boolean {
+    const normalized = userId.trim();
+    if (!normalized) return false;
+    return this.db.query('DELETE FROM lark_authorized_users WHERE user_id = ?').run(normalized).changes > 0;
+  }
+
   listLarkGroupRoomMappings(): LarkGroupRoomMapping[] {
     const rows = this.db.query(`
       SELECT DISTINCT
@@ -2146,7 +2272,7 @@ export class MessageStore {
       VALUES (?, ?, ?, 'offline', NULL, NULL, datetime('now'))
     `).run(id, name, hashSecret(apiKey));
 
-    const packageName = input.packageName?.trim() || '@slock-ai/daemon@latest';
+    const packageName = input.packageName?.trim() || '@controlflow-ai/daemon@latest';
     const serverUrl = input.serverUrl?.trim() || 'http://127.0.0.1:4127';
     const command = `npx ${packageName} --server-url ${serverUrl} --api-key ${apiKey} # ${name}`;
     return { computer: this.getComputer(id)!, api_key: apiKey, command };
@@ -2167,6 +2293,7 @@ export class MessageStore {
 
     const connectionId = crypto.randomUUID();
     const token = generateConnectionToken();
+    const localControlToken = generateConnectionToken();
     const tokenHash = hashSecret(token);
     const revokedRows = this.db.query(`
       SELECT id FROM computer_connections
@@ -2221,9 +2348,9 @@ export class MessageStore {
         }
       }
       this.db.query(`
-        INSERT INTO computer_connections (id, computer_id, token_hash, epoch, status, connected_at, last_heartbeat_at)
-        VALUES (?, ?, ?, ?, 'active', datetime('now'), datetime('now'))
-      `).run(connectionId, computerId, tokenHash, epoch);
+        INSERT INTO computer_connections (id, computer_id, token_hash, local_control_token, epoch, status, connected_at, last_heartbeat_at)
+        VALUES (?, ?, ?, ?, ?, 'active', datetime('now'), datetime('now'))
+      `).run(connectionId, computerId, tokenHash, localControlToken, epoch);
       this.db.query(`
         INSERT INTO daemon_instances (id, name, host, local_url, server_url, status, last_seen_at)
         VALUES (?, ?, ?, ?, ?, 'online', datetime('now'))
@@ -2254,11 +2381,30 @@ export class MessageStore {
       computer: this.getComputer(computerId)!,
       connection: this.getComputerConnection(connectionId)!,
       token,
+      localControlToken,
       daemon: this.getDaemon(connectionId)!,
       agents: this.listComputerAgentAssignments(computerId),
     };
   }
 
+  getComputerLocalControl(computerId: string): { computer: Computer; connection: ComputerConnection; daemon: DaemonInstance; token: string } | null {
+    const computer = this.getComputer(computerId);
+    if (!computer || computer.status !== 'online' || !computer.active_connection_id) return null;
+    const connection = this.getComputerConnection(computer.active_connection_id);
+    if (!connection || connection.status !== 'active') return null;
+    const row = this.db.query(`
+      SELECT local_control_token
+      FROM computer_connections
+      WHERE id = ? AND computer_id = ? AND status = 'active'
+      LIMIT 1
+    `).get(connection.id, computer.id) as { local_control_token: string | null } | null;
+    const token = row?.local_control_token?.trim();
+    if (!token) return null;
+    const daemon = this.getDaemon(connection.id);
+    if (!daemon || daemon.status !== 'online' || !daemon.local_url.trim()) return null;
+    return { computer, connection, daemon, token };
+  }
+
   closeStaleComputerConnections(timeoutMs: number, now = new Date()): number {
     if (!Number.isFinite(timeoutMs) || timeoutMs < 0) throw new Error('timeoutMs must be non-negative');
     const cutoff = new Date(now.getTime() - timeoutMs).toISOString();
@@ -2431,7 +2577,11 @@ export class MessageStore {
     if (!room) throw new Error(`room ${message.chat_id} was not found`);
     const candidates = new Set<string>();
     if (message.recipient && this.getAgent(message.recipient)) candidates.add(message.recipient);
+    if ((message.mentions ?? []).includes(ALL_AGENTS_MENTION)) {
+      for (const agent of this.listRoomAgents(room)) candidates.add(agent);
+    }
     for (const mention of message.mentions ?? []) {
+      if (mention === ALL_AGENTS_MENTION) continue;
       if (this.getAgent(mention)) candidates.add(mention);
     }
     if (room.kind === 'dm') {
@@ -2460,9 +2610,34 @@ export class MessageStore {
     return deliveries;
   }
 
+  private listRoomAgents(room: Chat): string[] {
+    if (room.provider === 'web') {
+      const rows = this.db.query(`
+        SELECT participant_id AS agent
+        FROM room_participants
+        WHERE room_id = ? AND kind = 'agent' AND status = 'active'
+      `).all(room.id) as Array<{ agent: string }>;
+      return rows.map((row) => row.agent).filter((agent) => Boolean(this.getAgent(agent)));
+    }
+
+    const rows = this.db.query(`
+      SELECT DISTINCT pa.agent AS agent
+      FROM provider_accounts pa
+      INNER JOIN provider_conversations pc ON pc.provider_account_id = pa.id
+      WHERE pa.provider = ? AND pa.status = 'active' AND pc.room_id = ?
+      UNION
+      SELECT DISTINCT ca.agent AS agent
+      FROM channel_accounts ca
+      INNER JOIN channel_conversations cc ON cc.channel_account_id = ca.id
+      WHERE ca.channel = ? AND ca.status = 'active' AND cc.lock_chat_id = ? AND ca.agent IS NOT NULL AND ca.agent != ''
+    `).all(room.provider, room.id, room.provider, room.id) as Array<{ agent: string }>;
+    return rows.map((row) => row.agent).filter((agent) => Boolean(this.getAgent(agent)));
+  }
+
   private shouldCreateDeliveryForAgent(message: Message, room: Chat, agent: string): boolean {
     if (!this.canAgentParticipateInRoom(agent, room)) return false;
-    const direct = message.recipient === agent || (message.mentions ?? []).includes(agent);
+    const allAgentsMentioned = (message.mentions ?? []).includes(ALL_AGENTS_MENTION);
+    const direct = allAgentsMentioned || message.recipient === agent || (message.mentions ?? []).includes(agent);
     if (room.kind === 'dm') return direct || message.recipient === null;
     const subscription = this.getAgentRoomSubscription(agent, room.id);
     const mode = subscription?.mode ?? 'mentions';

package/src/lark/app-registration.ts

@@ -0,0 +1,141 @@
+export type LarkRegistrationTenantBrand = 'feishu' | 'lark';
+
+export interface LarkRegistrationBegin {
+  deviceCode: string;
+  url: string;
+  expiresIn: number;
+  interval: number;
+}
+
+export interface LarkRegistrationComplete {
+  appId: string;
+  appSecret: string;
+  tenantBrand: LarkRegistrationTenantBrand;
+  userOpenId?: string;
+}
+
+export type LarkRegistrationPollResult =
+  | { status: 'pending' }
+  | { status: 'slow_down'; interval: number }
+  | { status: 'complete'; registration: LarkRegistrationComplete }
+  | { status: 'denied' | 'expired' | 'error'; message: string };
+
+export type RegistrationFetchLike = (input: string | URL | Request, init?: RequestInit) => Promise<Response>;
+
+const FEISHU_ACCOUNTS_ORIGIN = 'https://accounts.feishu.cn';
+const LARK_ACCOUNTS_ORIGIN = 'https://accounts.larksuite.com';
+const REGISTRATION_PATH = '/oauth/v1/app/registration';
+
+interface RegistrationBeginBody {
+  device_code?: unknown;
+  verification_uri_complete?: unknown;
+  expires_in?: unknown;
+  interval?: unknown;
+  error?: unknown;
+  error_description?: unknown;
+}
+
+interface RegistrationPollBody {
+  client_id?: unknown;
+  client_secret?: unknown;
+  user_info?: { tenant_brand?: unknown; open_id?: unknown };
+  error?: unknown;
+  error_description?: unknown;
+}
+
+function sanitizeMessage(message: unknown): string {
+  return String(message ?? 'unknown').replace(/[A-Za-z0-9_-]{30,}/g, '***');
+}
+
+async function postRegistration(origin: string, params: Record<string, string>, fetchImpl: RegistrationFetchLike): Promise<unknown> {
+  const response = await fetchImpl(`${origin}${REGISTRATION_PATH}`, {
+    method: 'POST',
+    headers: { 'content-type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams(params).toString(),
+  });
+  const body = await response.json().catch(() => ({}));
+  if (!response.ok && !(body && typeof body === 'object' && 'error' in body)) {
+    throw new Error(`registration request failed: HTTP ${response.status}`);
+  }
+  return body;
+}
+
+export async function beginLarkAppRegistration(options: {
+  fetchImpl?: RegistrationFetchLike;
+  source?: string;
+} = {}): Promise<LarkRegistrationBegin> {
+  const fetchImpl = options.fetchImpl ?? fetch;
+  const body = await postRegistration(FEISHU_ACCOUNTS_ORIGIN, {
+    action: 'begin',
+    archetype: 'PersonalAgent',
+    auth_method: 'client_secret',
+    request_user_info: 'open_id',
+  }, fetchImpl) as RegistrationBeginBody;
+
+  if (typeof body.error === 'string') {
+    throw new Error(sanitizeMessage(body.error_description ?? body.error));
+  }
+  if (typeof body.device_code !== 'string' || typeof body.verification_uri_complete !== 'string') {
+    throw new Error('registration begin response did not include device_code and verification_uri_complete');
+  }
+
+  const url = new URL(body.verification_uri_complete);
+  url.searchParams.set('from', 'sdk');
+  url.searchParams.set('source', `node-sdk/${options.source ?? 'pal'}`);
+  url.searchParams.set('tp', 'sdk');
+
+  return {
+    deviceCode: body.device_code,
+    url: url.toString(),
+    expiresIn: typeof body.expires_in === 'number' ? body.expires_in : 600,
+    interval: typeof body.interval === 'number' ? body.interval : 5,
+  };
+}
+
+export async function pollLarkAppRegistration(options: {
+  deviceCode: string;
+  fetchImpl?: RegistrationFetchLike;
+  origin?: 'feishu' | 'lark';
+}): Promise<LarkRegistrationPollResult> {
+  const fetchImpl = options.fetchImpl ?? fetch;
+  const origin = options.origin === 'lark' ? LARK_ACCOUNTS_ORIGIN : FEISHU_ACCOUNTS_ORIGIN;
+  let body: RegistrationPollBody;
+  try {
+    body = await postRegistration(origin, {
+      action: 'poll',
+      device_code: options.deviceCode,
+    }, fetchImpl) as RegistrationPollBody;
+  } catch (error) {
+    return {
+      status: 'error',
+      message: error instanceof Error ? sanitizeMessage(error.message) : sanitizeMessage(error),
+    };
+  }
+
+  if (typeof body.client_id === 'string' && typeof body.client_secret === 'string') {
+    const tenantBrand: LarkRegistrationTenantBrand = body.user_info?.tenant_brand === 'lark' ? 'lark' : 'feishu';
+    const openId = typeof body.user_info?.open_id === 'string' && body.user_info.open_id.startsWith('ou_')
+      ? body.user_info.open_id
+      : undefined;
+    return {
+      status: 'complete',
+      registration: {
+        appId: body.client_id,
+        appSecret: body.client_secret,
+        tenantBrand,
+        userOpenId: openId,
+      },
+    };
+  }
+
+  if (body.user_info?.tenant_brand === 'lark' && options.origin !== 'lark') {
+    return pollLarkAppRegistration({ ...options, origin: 'lark' });
+  }
+
+  const error = typeof body.error === 'string' ? body.error : '';
+  if (error === 'authorization_pending' || !error) return { status: 'pending' };
+  if (error === 'slow_down') return { status: 'slow_down', interval: 10 };
+  if (error === 'access_denied') return { status: 'denied', message: 'user denied app registration' };
+  if (error === 'expired_token') return { status: 'expired', message: 'registration QR code expired' };
+  return { status: 'error', message: sanitizeMessage(body.error_description ?? error) };
+}

package/src/lark/cli.ts

@@ -1,5 +1,5 @@
 import { readFileSync } from 'node:fs';
-import { defaultDbPath, defaultServerUrl } from '../config.js';
+import { defaultDbPath } from '../config.js';
 import { MessageStore } from '../db.js';
 import {
   boundAgents,
@@ -11,12 +11,6 @@ import { countInboundEvents, listRecentInboundEvents } from './inbound-events.js
 import { extractMentionOpenIds, ingestLarkMessage, type LarkMessageEnvelope } from './event-router.js';
 import { ChatDispatcher, chatKeyOf, parseReceivePolicy, PeriodicQueue, shouldAcceptForAgent, type DispatchInput, type ReceivePolicy } from './dispatcher.js';
 import { parseRuntimeSpec } from './agent-runtime.js';
-import {
-  formatLarkSetupNextSteps,
-  persistLarkCredential,
-  resolveLarkBotInfo,
-  runInteractiveLarkSetup,
-} from './setup.js';
 import { createLarkApiClient, sendTextMessage, startLarkDaemon } from './ws-daemon.js';
 
 export interface LarkCliArgs {
@@ -44,69 +38,6 @@ function flagBool(flags: Record<string, unknown>, key: string): boolean {
   return flags[key] === true;
 }
 
-async function postJson(url: string, body: unknown): Promise<{ ok: boolean; status: number; text: string }> {
-  try {
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: { 'content-type': 'application/json' },
-      body: JSON.stringify(body),
-    });
-    return { ok: response.ok, status: response.status, text: await response.text() };
-  } catch (error) {
-    return { ok: false, status: 0, text: error instanceof Error ? error.message : String(error) };
-  }
-}
-
-async function listAgentsForSetup(serverUrl: string): Promise<Array<{ agent_key: string; display_name: string; runtime?: string | null }>> {
-  const response = await fetch(`${serverUrl.replace(/\/$/, '')}/api/agents`);
-  const payload = await response.json() as { ok?: boolean; data?: { agents?: Array<{ agent_key?: unknown; display_name?: unknown; runtime?: unknown }> }; message?: string };
-  if (!response.ok || payload.ok === false) {
-    throw new Error(payload.message ?? `agent list failed: ${response.status}`);
-  }
-  return (payload.data?.agents ?? [])
-    .filter((agent) => typeof agent.agent_key === 'string' && typeof agent.display_name === 'string')
-    .map((agent) => ({
-      agent_key: String(agent.agent_key),
-      display_name: String(agent.display_name),
-      runtime: agent.runtime === null || typeof agent.runtime === 'string' ? agent.runtime : undefined,
-    }));
-}
-
-async function onboardAgentForLark(flags: Record<string, unknown>, log: NonNullable<RunOptions['log']>, agent: string | undefined): Promise<boolean> {
-  if (!flagBool(flags, 'create-agent')) return true;
-  if (!agent) {
-    (log.error ?? console.error)('lark setup --create-agent requires --agent');
-    return false;
-  }
-  const serverUrl = flagString(flags, 'server') ?? defaultServerUrl();
-  const displayName = flagString(flags, 'agent-name') ?? agent;
-  const runtime = flagString(flags, 'runtime') ?? 'codex';
-  const computerId = flagString(flags, 'computer-id');
-  const result = await postJson(`${serverUrl.replace(/\/$/, '')}/api/agents/onboard`, {
-    agent_key: agent,
-    display_name: displayName,
-    runtime,
-    computer_id: computerId,
-  });
-  if (!result.ok) {
-    (log.error ?? console.error)(`agent onboard failed (${result.status || 'network'}): ${result.text}`);
-    return false;
-  }
-  (log.log ?? console.log)(`[lark setup] agent onboarded: ${agent}`);
-  return true;
-}
-
-async function reloadLarkIntegration(flags: Record<string, unknown>, log: NonNullable<RunOptions['log']>): Promise<void> {
-  if (flagBool(flags, 'no-reload')) return;
-  const serverUrl = flagString(flags, 'server') ?? defaultServerUrl();
-  const result = await postJson(`${serverUrl.replace(/\/$/, '')}/api/lark/reload`, {});
-  if (result.ok) {
-    (log.log ?? console.log)('[lark setup] server lark integration reloaded');
-  } else {
-    (log.warn ?? console.warn)(`[lark setup] saved config, but server reload failed (${result.status || 'network'}): ${result.text}`);
-  }
-}
-
 export async function runLarkCli(options: RunOptions): Promise<number> {
   const { argv } = options;
   const log = options.log ?? {};
@@ -118,58 +49,8 @@ export async function runLarkCli(options: RunOptions): Promise<number> {
   }
 
   if (sub === 'setup') {
-    const appId = flagString(argv.flags, 'app-id');
-    const appSecret = flagString(argv.flags, 'app-secret');
-    const label = flagString(argv.flags, 'label');
-    const agent = flagString(argv.flags, 'agent');
-    const path = flagString(argv.flags, 'config') ?? defaultLarkConfigPath();
-    if ('agents' in argv.flags) {
-      (log.error ?? console.error)('lark setup no longer supports --agents; bind one bot to one agent with --agent');
-      return 2;
-    }
-    if (!appId && !appSecret) {
-      const result = await runInteractiveLarkSetup({
-        configPath: path,
-        log: {
-          log: log.log ?? console.log,
-          warn: log.warn ?? console.warn,
-          error: log.error ?? console.error,
-        },
-        ask: options.setupAsk,
-        listAgents: () => listAgentsForSetup(flagString(argv.flags, 'server') ?? defaultServerUrl()),
-      });
-      if (result) await reloadLarkIntegration(argv.flags, log);
-      return result ? 0 : 2;
-    }
-    if (!appId || !appSecret) {
-      (log.error ?? console.error)('lark setup requires --app-id and --app-secret');
-      return 2;
-    }
-    if (!(await onboardAgentForLark(argv.flags, log, agent))) return 2;
-    const botInfo = await resolveLarkBotInfo(appId, appSecret);
-    if (!botInfo.ok) {
-      (log.error ?? console.error)(`lark setup could not resolve bot open_id (${botInfo.error}): ${botInfo.message}`);
-      return 2;
-    }
-    const result = persistLarkCredential({
-      appId,
-      appSecret,
-      label,
-      agent,
-      botOpenId: botInfo.openId,
-      configPath: path,
-    });
-    if (result.replaced) {
-      (log.warn ?? console.warn)(`[lark setup] overwrote existing credential for appId=${appId} in ${path}`);
-    }
-    if (flagBool(argv.flags, 'next-steps')) {
-      (log.log ?? console.log)(formatLarkSetupNextSteps(result));
-      await reloadLarkIntegration(argv.flags, log);
-      return 0;
-    }
-    printJson(result, { log: log.log });
-    await reloadLarkIntegration(argv.flags, log);
-    return 0;
+    (log.error ?? console.error)('lark setup has been removed. Bind or rebind bots with "bun run console -- agents update --key <agent> --lark-app-id <id> --lark-app-secret <secret> [--rebind-lark]".');
+    return 2;
   }
 
   if (sub === 'list') {
@@ -223,17 +104,6 @@ function printLarkUsage(log: NonNullable<RunOptions['log']>): void {
   (log.log ?? console.log)(`pal lark <subcommand> [flags]
 
 Subcommands:
-  setup [--app-id <id> --app-secret <secret>] [--label <name>] [--agent <agent-key>] [--config <path>] [--next-steps]
-        [--create-agent --agent-name <name> --runtime codex --computer-id <machine>] [--server <url>] [--no-reload]
-      Persist a (appId, appSecret) credential pair to ~/.pal/lark.json (0600).
-      With no app-id/app-secret flags, starts an interactive setup wizard that
-      validates credentials before writing the config.
-      Overwrites if appId already present and logs a warning.
-      Setup resolves the bot open_id through Feishu's bot info API before
-      writing config. --agent binds this bot to a logical agent key. --create-agent creates or
-      updates that agent through the Pal server before writing lark.json.
-      By default setup asks the running server to reload Lark integration.
-
   list [--config <path>]
       List configured bots (secrets redacted).
 
@@ -281,7 +151,7 @@ async function runDaemon(argv: LarkCliArgs, log: NonNullable<RunOptions['log']>)
   }
   const store = loadLarkCredentials(configPath);
   if (store.bots.length === 0) {
-    (log.error ?? console.error)(`No bots configured in ${configPath}. Run pal lark setup first.`);
+    (log.error ?? console.error)(`No bots configured in ${configPath}. Bind a bot with "bun run console -- agents update --key <agent> --lark-app-id <id> --lark-app-secret <secret>" first.`);
     return 2;
   }
   let targets = store.bots;

package/src/lark/credentials.ts

@@ -40,18 +40,51 @@ export function saveLarkCredentials(store: LarkCredentialStore, path: string = d
 export interface AddCredentialResult {
   store: LarkCredentialStore;
   replaced: boolean;
+  unbound: LarkCredential[];
 }
 
-export function upsertCredential(store: LarkCredentialStore, credential: LarkCredential): AddCredentialResult {
+export function findCredentialByAgent(store: LarkCredentialStore, agent: string): LarkCredential | undefined {
+  const key = agent.trim();
+  if (!key) return undefined;
+  return store.bots.find((bot) => bot.agent?.trim() === key);
+}
+
+export function unbindCredentialAgent(store: LarkCredentialStore, agent: string): { store: LarkCredentialStore; changed: boolean; unbound?: LarkCredential } {
+  const key = agent.trim();
+  if (!key) throw new Error('agent is required');
+  const index = store.bots.findIndex((bot) => bot.agent?.trim() === key);
+  if (index === -1) return { store: { bots: [...store.bots] }, changed: false };
+  const next: LarkCredentialStore = { bots: [...store.bots] };
+  const existing = next.bots[index]!;
+  const { agent: _agent, ...withoutAgent } = existing;
+  next.bots[index] = withoutAgent;
+  return { store: next, changed: true, unbound: existing };
+}
+
+export function upsertCredential(store: LarkCredentialStore, credential: LarkCredential, options: { rebind?: boolean } = {}): AddCredentialResult {
   validateCredential(credential);
   const existingIndex = store.bots.findIndex((bot) => bot.appId === credential.appId);
   const next: LarkCredentialStore = { bots: [...store.bots] };
+  const unbound: LarkCredential[] = [];
+  const agent = credential.agent?.trim();
+  if (agent) {
+    const existingAgentIndex = next.bots.findIndex((bot, index) => index !== existingIndex && bot.agent?.trim() === agent);
+    if (existingAgentIndex !== -1) {
+      const existing = next.bots[existingAgentIndex]!;
+      if (!options.rebind) {
+        throw new Error(`agent ${agent} is already bound to Lark app ${existing.appId}; pass --rebind-lark to move the binding`);
+      }
+      const { agent: _agent, ...withoutAgent } = existing;
+      next.bots[existingAgentIndex] = withoutAgent;
+      unbound.push(existing);
+    }
+  }
   if (existingIndex === -1) {
     next.bots.push(credential);
-    return { store: next, replaced: false };
+    return { store: next, replaced: false, unbound };
   }
   next.bots[existingIndex] = credential;
-  return { store: next, replaced: true };
+  return { store: next, replaced: true, unbound };
 }
 
 export function findCredential(store: LarkCredentialStore, appId: string): LarkCredential | undefined {