@controlflow-ai/daemon 0.1.0

package/src/app.ts

@@ -0,0 +1,745 @@
+import { artifactHeaders, artifactViewerHtml } from './artifacts.js';
+import { MessageStore } from './db.js';
+import { failure, HttpError, json, numberParam, readJson, stringParam } from './http.js';
+import { assertServerAuth } from './server-auth.js';
+import { dashboardHtml } from './web.js';
+import type { RunAction, RunStatus } from './types.js';
+import { createLarkApiClient, sendTextMessage } from './lark/ws-daemon.js';
+import { boundAgents, loadLarkCredentials, type LarkCredentialStore } from './lark/credentials.js';
+
+interface SendBody {
+  chat?: string;
+  room?: string;
+  chat_id?: string;
+  room_id?: string;
+  parent_id?: number;
+  channel_id?: string | null;
+  sender?: string;
+  recipient?: string | null;
+  content?: string;
+  type?: 'message' | 'system';
+  idempotency_key?: string | null;
+  mentions?: string[];
+}
+
+interface CreateRoomBody {
+  name?: string;
+  kind?: 'group' | 'dm';
+}
+
+interface StartRunBody {
+  message_id?: number;
+  agent?: string;
+  cwd?: string;
+  attempt?: number;
+  pid?: number | null;
+  session_id?: string | null;
+  trigger_message_id?: number | null;
+  daemon_id?: string | null;
+  connection_id?: string | null;
+  computer_id?: string | null;
+  runtime_provider?: string | null;
+  runtime_invocation_id?: string | null;
+  delivery_id?: string | null;
+}
+
+interface RegisterDaemonBody {
+  id?: string;
+  name?: string;
+  host?: string;
+  local_url?: string;
+  server_url?: string;
+  agents?: Array<{ agent?: string; cwd?: string; capabilities?: Record<string, unknown> }>;
+}
+
+interface ProvisionComputerBody {
+  name?: string;
+  server_url?: string;
+  package_name?: string;
+}
+
+interface ConnectComputerBody {
+  computer_id?: string;
+  secret?: string;
+  api_key?: string;
+  name?: string;
+  host?: string;
+  local_url?: string;
+  server_url?: string;
+  agents?: Array<{ agent?: string; cwd?: string; capabilities?: Record<string, unknown> }>;
+}
+
+interface AssignAgentBody {
+  computer_id?: string;
+}
+
+interface OnboardAgentBody {
+  agent_key?: string;
+  display_name?: string;
+  runtime?: string | null;
+  description?: string | null;
+  computer_id?: string;
+}
+
+interface CreateDeliveryBody {
+  message_id?: number;
+  agent?: string;
+}
+
+interface ClaimDeliveryBody {
+  daemon_id?: string;
+  connection_id?: string | null;
+  computer_id?: string | null;
+  lease_ms?: number;
+}
+
+interface SessionBody {
+  chat_id?: string;
+  agent?: string;
+  daemon_id?: string;
+  connection_id?: string | null;
+  computer_id?: string | null;
+  runtime_provider?: string | null;
+  cwd?: string;
+  last_message_id?: number | null;
+}
+
+interface RuntimeSessionBody {
+  runtime_session_id?: string;
+}
+
+interface FinishDeliveryBody {
+  daemon_id?: string;
+  connection_id?: string | null;
+  claim_token?: string;
+  run_id?: string;
+  error?: string;
+}
+
+interface ArtifactBody {
+  content_base64?: string;
+  mime_type?: string;
+  title?: string;
+  filename?: string;
+  ttl_seconds?: number;
+  source_path?: string;
+  path?: string;
+}
+
+interface RunPidBody {
+  pid?: number | null;
+}
+
+interface FinishRunBody {
+  status?: RunStatus;
+  exit_code?: number | null;
+  output?: string;
+}
+
+export function resolveLarkOutboundRoute(store: MessageStore, credentials: LarkCredentialStore, sender: string, chatId: string) {
+  for (const bot of credentials.bots) {
+    if (!boundAgents(bot).includes(sender)) continue;
+    const larkChannel = store.findLarkChannelForChat(chatId, bot.appId);
+    if (!larkChannel) continue;
+    return { ...larkChannel, bot };
+  }
+  return null;
+}
+
+function routeNotFound(): Response {
+  return Response.json({ ok: false, code: 'NOT_FOUND', message: 'not found' }, { status: 404 });
+}
+
+function html(body: string): Response {
+  return new Response(body, { headers: { 'content-type': 'text/html; charset=utf-8' } });
+}
+
+function daemonAuthFromRequest(request: Request): { computerId: string; connectionId: string; token: string } | null {
+  const computerId = request.headers.get('x-pal-computer-id')?.trim();
+  const connectionId = request.headers.get('x-pal-connection-id')?.trim();
+  const token = request.headers.get('x-pal-connection-token')?.trim();
+  if (!computerId && !connectionId && !token) return null;
+  if (!computerId || !connectionId || !token) throw new HttpError(401, 'MISSING_CONNECTION_AUTH', 'computer connection auth is incomplete');
+  return { computerId, connectionId, token };
+}
+
+function assertDaemonConnection(store: MessageStore, request: Request): { computerId: string; connectionId: string } | null {
+  const auth = daemonAuthFromRequest(request);
+  if (!auth) return null;
+  try {
+    const connection = store.assertActiveComputerConnection(auth);
+    return { computerId: connection.computer_id, connectionId: connection.id };
+  } catch {
+    throw new HttpError(401, 'CONNECTION_REVOKED', 'computer connection is not active');
+  }
+}
+
+function requireDaemonConnection(store: MessageStore, request: Request): { computerId: string; connectionId: string } {
+  const connection = assertDaemonConnection(store, request);
+  if (!connection) throw new HttpError(401, 'CONNECTION_REVOKED', 'computer connection auth is required');
+  return connection;
+}
+
+export function route(store: MessageStore, request: Request): Promise<Response> | Response {
+  const url = new URL(request.url);
+  const { pathname } = url;
+
+  if (request.method === 'GET' && pathname === '/') {
+    return html(dashboardHtml());
+  }
+
+  if (request.method === 'GET' && pathname === '/health') {
+    return json({ status: 'ok' });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/computers') {
+    return json({ computers: store.listComputers(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/computers/provision') {
+    return readJson<ProvisionComputerBody>(request).then((body) => {
+      const result = store.provisionComputer({
+        name: body.name,
+        serverUrl: body.server_url,
+        packageName: body.package_name,
+      });
+      return json(result, 201);
+    });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/computers/connect') {
+    return readJson<ConnectComputerBody>(request).then((body) => {
+      if (!body.api_key?.trim() && !body.computer_id?.trim()) throw new HttpError(400, 'MISSING_COMPUTER_ID', 'computer_id or api_key is required');
+      if (!body.api_key?.trim() && !body.secret?.trim()) throw new HttpError(400, 'MISSING_COMPUTER_SECRET', 'secret or api_key is required');
+      const result = store.connectComputer({
+        computerId: body.computer_id,
+        secret: body.secret,
+        apiKey: body.api_key,
+        name: body.name,
+        host: body.host,
+        localUrl: body.local_url,
+        serverUrl: body.server_url,
+        agents: body.agents?.map((agent) => ({
+          agent: agent.agent ?? '',
+          cwd: agent.cwd,
+          capabilities: agent.capabilities,
+        })),
+      });
+      return json(result, 201);
+    });
+  }
+
+  const computerHeartbeatMatch = pathname.match(/^\/api\/computers\/([^/]+)\/heartbeat$/);
+  if (request.method === 'POST' && computerHeartbeatMatch) {
+    const auth = daemonAuthFromRequest(request);
+    if (!auth || auth.computerId !== computerHeartbeatMatch[1]) {
+      throw new HttpError(401, 'CONNECTION_REVOKED', 'computer connection is not active');
+    }
+    try {
+      return json(store.heartbeatComputer(auth));
+    } catch {
+      throw new HttpError(401, 'CONNECTION_REVOKED', 'computer connection is not active');
+    }
+  }
+
+  const artifactViewMatch = pathname.match(/^\/artifacts\/([a-f0-9]{64})$/);
+  if (request.method === 'GET' && artifactViewMatch) {
+    const artifact = store.getArtifactByToken(artifactViewMatch[1]!);
+    if (!artifact) return routeNotFound();
+    return new Response(artifactViewerHtml(artifact.content, artifact.mime_type), { headers: artifactHeaders() });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/workbench/artifacts') {
+    return json({ artifacts: store.listWorkbenchArtifacts(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/artifacts') {
+    assertServerAuth(request);
+    return json({ artifacts: store.listArtifacts(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/artifacts') {
+    try {
+      assertServerAuth(request);
+    } catch (error) {
+      if (error instanceof HttpError) {
+        if (!assertDaemonConnection(store, request)) throw error;
+      } else {
+        throw error;
+      }
+    }
+    return readJson<ArtifactBody>(request).then((body) => {
+      if (body.source_path || body.path) throw new HttpError(400, 'PATH_NOT_ALLOWED', 'artifact upload must include content, not a path');
+      if (!body.content_base64) throw new HttpError(400, 'MISSING_CONTENT', 'content_base64 is required');
+      if (!body.mime_type?.trim()) throw new HttpError(400, 'MISSING_MIME', 'mime_type is required');
+      const content = Uint8Array.from(Buffer.from(body.content_base64, 'base64'));
+      const result = store.createArtifact({
+        title: body.title,
+        filename: body.filename,
+        mimeType: body.mime_type,
+        content,
+        ttlSeconds: body.ttl_seconds,
+      });
+      return json({ artifact: result.artifact, token: result.token, url: `/artifacts/${result.token}` }, 201);
+    });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/artifacts/cleanup') {
+    assertServerAuth(request);
+    return json({ deleted: store.cleanupArtifacts() });
+  }
+
+  const artifactRevokeMatch = pathname.match(/^\/api\/artifacts\/([^/]+)\/revoke$/);
+  if (request.method === 'POST' && artifactRevokeMatch) {
+    assertServerAuth(request);
+    return json({ artifact: store.revokeArtifact(artifactRevokeMatch[1]!) });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/chats') {
+    return json({ chats: store.listChats() });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/rooms') {
+    return json({ rooms: store.listChats() });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/rooms') {
+    return readJson<CreateRoomBody>(request).then((body) => {
+      if (!body.name?.trim()) throw new HttpError(400, 'MISSING_ROOM_NAME', 'name is required');
+      if (body.kind && body.kind !== 'group' && body.kind !== 'dm') throw new HttpError(400, 'BAD_ROOM_KIND', 'kind must be group or dm');
+      const room = store.getOrCreateChat(body.name, body.kind ?? 'group');
+      return json({ room }, 201);
+    });
+  }
+
+  const roomMembersMatch = pathname.match(/^\/api\/rooms\/([^/]+)\/members$/);
+  if (request.method === 'GET' && roomMembersMatch) {
+    const room = store.resolveRoom(decodeURIComponent(roomMembersMatch[1]!));
+    if (!room) throw new HttpError(404, 'ROOM_NOT_FOUND', 'room not found');
+    return json({
+      room,
+      participants: store.listRoomParticipants(room.id),
+      completeness: 'Human members come from lark_member_api snapshots. Bot members are known/observed only; Feishu member-list API filters bots.',
+    });
+  }
+
+  const roomMentionablesMatch = pathname.match(/^\/api\/rooms\/([^/]+)\/mentionables$/);
+  if (request.method === 'GET' && roomMentionablesMatch) {
+    const room = store.resolveRoom(decodeURIComponent(roomMentionablesMatch[1]!));
+    if (!room) throw new HttpError(404, 'ROOM_NOT_FOUND', 'room not found');
+    return json({
+      room,
+      participants: store.listMentionableRoomParticipants(room.id),
+      completeness: room.provider === 'lark'
+        ? 'Feishu completion currently includes observed members and known bots only. Full member completion requires im:chat.members:read.'
+        : 'Web rooms include active room participants and local agents.',
+    });
+  }
+
+  const transcriptReadMatch = pathname.match(/^\/api\/transcripts\/([^/]+)\/messages$/);
+  if (request.method === 'GET' && transcriptReadMatch) {
+    return json({ messages: store.listTranscriptMessagesReadOnly(transcriptReadMatch[1]!, numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/agents') {
+    return json({ agents: store.listAgents(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/agents/onboard') {
+    return readJson<OnboardAgentBody>(request).then((body) => {
+      const agentKey = body.agent_key?.trim();
+      const displayName = body.display_name?.trim();
+      if (!agentKey) throw new HttpError(400, 'MISSING_AGENT_KEY', 'agent_key is required');
+      if (!displayName) throw new HttpError(400, 'MISSING_DISPLAY_NAME', 'display_name is required');
+      const agent = store.upsertAgent({
+        agent_key: agentKey,
+        display_name: displayName,
+        description: body.description ?? null,
+        runtime: body.runtime ?? 'codex',
+      });
+      const assignment = body.computer_id?.trim()
+        ? store.assignAgentToComputer({ agent: agentKey, computerId: body.computer_id })
+        : null;
+      return json({ agent, assignment }, 201);
+    });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/agents') {
+    return readJson<Record<string, unknown>>(request).then((body) => {
+      const validation = store.validateAgentSchema(body);
+      if (!validation.ok) {
+        throw new HttpError(400, 'VALIDATION_ERROR', validation.diagnostics.map((d) => `${d.code}: ${d.message}`).join('; '));
+      }
+      const agent = store.upsertAgent({
+        id: typeof body.id === 'string' ? body.id : undefined,
+        agent_key: String(body.agent_key),
+        display_name: String(body.display_name),
+        description: body.description === null ? null : typeof body.description === 'string' ? body.description : null,
+        runtime: body.runtime === null ? null : typeof body.runtime === 'string' ? body.runtime : null,
+      });
+      return json({ agent }, 201);
+    });
+  }
+
+  const agentPatchMatch = pathname.match(/^\/api\/agents\/([^/]+)$/);
+  if (request.method === 'PATCH' && agentPatchMatch) {
+    return readJson<Record<string, unknown>>(request).then((body) => {
+      const agentKey = agentPatchMatch[1]!;
+      const existing = store.getAgent(agentKey);
+      if (!existing) throw new HttpError(404, 'AGENT_NOT_FOUND', `agent ${agentKey} not found`);
+
+      if ('runtime' in body) {
+        const runtime = body.runtime === null ? null : typeof body.runtime === 'string' ? body.runtime : undefined;
+        if (runtime !== undefined) {
+          const updated = store.updateAgentRuntime(agentKey, runtime);
+          return json({ agent: updated });
+        }
+      }
+
+      return json({ agent: existing });
+    });
+  }
+
+  const agentAssignmentMatch = pathname.match(/^\/api\/agents\/([^/]+)\/assignment$/);
+  if (request.method === 'POST' && agentAssignmentMatch) {
+    return readJson<AssignAgentBody>(request).then((body) => {
+      const agentKey = agentAssignmentMatch[1]!;
+      if (!body.computer_id?.trim()) throw new HttpError(400, 'MISSING_COMPUTER_ID', 'computer_id is required');
+      const assignment = store.assignAgentToComputer({
+        agent: agentKey,
+        computerId: body.computer_id,
+      });
+      return json({ assignment }, 201);
+    });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/sessions') {
+    return json({ sessions: store.listSessions(numberParam(url, 'limit', 50)) });
+  }
+
+  const sessionRunsMatch = pathname.match(/^\/api\/sessions\/([^/]+)\/runs$/);
+  if (request.method === 'GET' && sessionRunsMatch) {
+    return json({ runs: store.listRunsForSession(sessionRunsMatch[1]!, numberParam(url, 'limit', 50)) });
+  }
+
+  const roomInviteMatch = pathname.match(/^\/api\/rooms\/([^/]+)\/agents$/);
+  if (request.method === 'POST' && roomInviteMatch) {
+    return readJson<{ agent?: string; mode?: string }>(request).then((body) => {
+      const room = store.resolveRoom(decodeURIComponent(roomInviteMatch[1]!));
+      if (!room) throw new HttpError(404, 'ROOM_NOT_FOUND', 'room not found');
+      if (!body.agent?.trim()) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+      const mode = body.mode as import('./types.js').AgentRoomSubscriptionMode | undefined;
+      const result = store.inviteAgentToRoom({ roomId: room.id, agent: body.agent, mode });
+      return json(result, 201);
+    });
+  }
+
+  const roomTopicMatch = pathname.match(/^\/api\/rooms\/([^/]+)\/topics$/);
+  if (request.method === 'POST' && roomTopicMatch) {
+    return readJson<{ name?: string; created_by?: string | null }>(request).then((body) => {
+      const room = store.resolveRoom(decodeURIComponent(roomTopicMatch[1]!));
+      if (!room) throw new HttpError(404, 'ROOM_NOT_FOUND', 'room not found');
+      if (!body.name?.trim()) throw new HttpError(400, 'MISSING_TOPIC_NAME', 'name is required');
+      const channel = store.createRoomChannel({ roomId: room.id, name: body.name, createdBy: body.created_by });
+      return json({ channel }, 201);
+    });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/messages') {
+    const messages = store.listMessages({
+      chatName: stringParam(url, 'chat'),
+      chatId: stringParam(url, 'chat_id'),
+      parentId: numberParam(url, 'parent_id'),
+      after: numberParam(url, 'after'),
+      limit: numberParam(url, 'limit', 50),
+      q: stringParam(url, 'q'),
+    });
+    return json({ messages });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/inbox') {
+    const agent = stringParam(url, 'agent');
+    if (!agent) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+    const messages = store.listInbox(agent, numberParam(url, 'after', 0), numberParam(url, 'limit', 50));
+    return json({ messages });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/daemons') {
+    return readJson<RegisterDaemonBody>(request).then((body) => {
+      if (!body.name?.trim()) throw new HttpError(400, 'MISSING_NAME', 'name is required');
+      const daemon = store.registerDaemon({
+        id: body.id,
+        name: body.name,
+        host: body.host,
+        localUrl: body.local_url,
+        serverUrl: body.server_url,
+        agents: body.agents?.map((agent) => ({
+          agent: agent.agent ?? '',
+          cwd: agent.cwd,
+          capabilities: agent.capabilities,
+        })),
+      });
+      return json({ daemon }, 201);
+    });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/deliveries') {
+    const agent = stringParam(url, 'agent');
+    if (agent) {
+      return json({ deliveries: store.listDeliveries(agent, stringParam(url, 'status') ?? 'pending', numberParam(url, 'limit', 50)) });
+    }
+    return json({ deliveries: store.listAllDeliveries(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/deliveries') {
+    return readJson<CreateDeliveryBody>(request).then((body) => {
+      if (!body.message_id) throw new HttpError(400, 'MISSING_MESSAGE_ID', 'message_id is required');
+      if (!body.agent?.trim()) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+      const delivery = store.createDelivery({ messageId: body.message_id, agent: body.agent });
+      return json({ delivery }, 201);
+    });
+  }
+
+  const deliveryClaimMatch = pathname.match(/^\/api\/deliveries\/([^/]+)\/claim$/);
+  if (request.method === 'POST' && deliveryClaimMatch) {
+    return readJson<ClaimDeliveryBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      const ownerId = connection?.connectionId ?? body.connection_id ?? body.daemon_id;
+      if (!ownerId?.trim()) throw new HttpError(400, 'MISSING_DAEMON_ID', 'daemon_id or connection auth is required');
+      const delivery = store.claimDelivery(deliveryClaimMatch[1]!, {
+        daemonId: ownerId,
+        connectionId: connection?.connectionId ?? body.connection_id,
+        computerId: connection?.computerId ?? body.computer_id,
+        leaseMs: body.lease_ms,
+      });
+      return json({ delivery });
+    });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/sessions') {
+    return readJson<SessionBody>(request).then((body) => {
+      if (!body.chat_id?.trim()) throw new HttpError(400, 'MISSING_CHAT_ID', 'chat_id is required');
+      if (!body.agent?.trim()) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+      const connection = requireDaemonConnection(store, request);
+      const ownerId = connection?.connectionId ?? body.connection_id ?? body.daemon_id;
+      if (!ownerId?.trim()) throw new HttpError(400, 'MISSING_DAEMON_ID', 'daemon_id or connection auth is required');
+      const daemon = store.getDaemon(ownerId);
+      if (!daemon) throw new HttpError(404, 'DAEMON_NOT_FOUND', 'daemon was not registered');
+      if (!store.daemonHasAgent(ownerId, body.agent)) {
+        throw new HttpError(400, 'DAEMON_AGENT_NOT_REGISTERED', 'daemon has not registered this agent');
+      }
+      const session = store.getOrCreateSession({
+        chatId: body.chat_id,
+        agent: body.agent,
+        daemonId: ownerId,
+        cwd: body.cwd ?? '',
+        lastMessageId: body.last_message_id,
+        computerId: connection?.computerId ?? body.computer_id,
+        runtimeProvider: body.runtime_provider,
+      });
+      return json({ session }, 201);
+    });
+  }
+
+  const runtimeSessionMatch = pathname.match(/^\/api\/sessions\/([^/]+)\/runtime-session$/);
+  if (request.method === 'POST' && runtimeSessionMatch) {
+    return readJson<RuntimeSessionBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      const existing = store.getSession(runtimeSessionMatch[1]!);
+      if (!existing) throw new HttpError(404, 'SESSION_NOT_FOUND', 'session was not found');
+      if (existing.daemon_id !== connection.connectionId) throw new HttpError(403, 'SESSION_CONNECTION_MISMATCH', 'session belongs to another connection');
+      if (!body.runtime_session_id?.trim()) throw new HttpError(400, 'MISSING_RUNTIME_SESSION_ID', 'runtime_session_id is required');
+      const session = store.updateSessionRuntimeSessionId(runtimeSessionMatch[1]!, body.runtime_session_id);
+      return json({ session });
+    });
+  }
+
+  const deliveryAckMatch = pathname.match(/^\/api\/deliveries\/([^/]+)\/ack$/);
+  if (request.method === 'POST' && deliveryAckMatch) {
+    return readJson<FinishDeliveryBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      const ownerId = connection?.connectionId ?? body.connection_id ?? body.daemon_id;
+      if (!ownerId?.trim()) throw new HttpError(400, 'MISSING_DAEMON_ID', 'daemon_id or connection auth is required');
+      if (!body.claim_token?.trim()) throw new HttpError(400, 'MISSING_CLAIM_TOKEN', 'claim_token is required');
+      const delivery = store.ackDelivery(deliveryAckMatch[1]!, {
+        daemonId: ownerId,
+        connectionId: connection?.connectionId ?? body.connection_id,
+        claimToken: body.claim_token,
+        runId: body.run_id,
+      });
+      return json({ delivery });
+    });
+  }
+
+  const deliveryFailMatch = pathname.match(/^\/api\/deliveries\/([^/]+)\/fail$/);
+  if (request.method === 'POST' && deliveryFailMatch) {
+    return readJson<FinishDeliveryBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      const ownerId = connection?.connectionId ?? body.connection_id ?? body.daemon_id;
+      if (!ownerId?.trim()) throw new HttpError(400, 'MISSING_DAEMON_ID', 'daemon_id or connection auth is required');
+      if (!body.claim_token?.trim()) throw new HttpError(400, 'MISSING_CLAIM_TOKEN', 'claim_token is required');
+      const delivery = store.failDelivery(deliveryFailMatch[1]!, {
+        daemonId: ownerId,
+        connectionId: connection?.connectionId ?? body.connection_id,
+        claimToken: body.claim_token,
+        runId: body.run_id,
+        error: body.error,
+      });
+      return json({ delivery });
+    });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/messages') {
+    return readJson<SendBody>(request).then(async (body) => {
+      const connection = assertDaemonConnection(store, request);
+      const sender = body.sender?.trim();
+      const content = body.content?.trim();
+      if (!sender) throw new HttpError(400, 'MISSING_SENDER', 'sender is required');
+      if (!content) throw new HttpError(400, 'MISSING_CONTENT', 'content is required');
+
+      const targetRoom = body.parent_id !== undefined
+        ? store.getMessage(body.parent_id)?.chat_id
+        : body.room_id ?? body.chat_id;
+      const target = targetRoom
+        ? store.getChatById(targetRoom)
+        : (body.room || body.chat) ? store.resolveRoom(body.room ?? body.chat ?? '') : null;
+      if (target && !store.canSendWebMessageToRoom({ room: target, sender })) {
+        throw new HttpError(403, 'EXTERNAL_ROOM_READ_ONLY', 'external provider rooms are read-only for web human senders');
+      }
+      if (store.getAgent(sender) || store.hasDaemonAgent(sender)) {
+        if (!connection) throw new HttpError(401, 'CONNECTION_REVOKED', 'computer connection auth is required for agent-authored messages');
+        if (!store.daemonHasAgent(connection.connectionId, sender)) {
+          throw new HttpError(403, 'CONNECTION_AGENT_NOT_REGISTERED', 'connection has not registered this agent');
+        }
+      }
+
+      const message = store.createMessage({
+        chatId: body.room_id ?? body.chat_id,
+        chatName: body.room ?? body.chat,
+        parentId: body.parent_id,
+        channelId: body.channel_id,
+        sender,
+        recipient: body.recipient,
+        content,
+        type: body.type,
+        idempotencyKey: body.idempotency_key,
+        mentions: body.mentions,
+      });
+      const deliveries = store.resolveDeliveriesForMessage(message.id);
+
+      // If this chat has a bound Lark channel, forward bound agent replies to Lark.
+      const credentials = loadLarkCredentials();
+      const outboundRoute = resolveLarkOutboundRoute(store, credentials, sender, message.chat_id);
+      if (outboundRoute) {
+        const { conversation, bot } = outboundRoute;
+        try {
+          const client = createLarkApiClient(bot.appId, bot.appSecret);
+          const result = await sendTextMessage({
+            client,
+            receiveIdType: 'chat_id',
+            receiveId: conversation.external_chat_id,
+            text: content,
+          });
+          console.log(`[lark] forwarded message to chat=${conversation.external_chat_id} messageId=${result.messageId ?? '-'}`);
+        } catch (err) {
+          console.warn(`[lark] failed to forward message to chat=${conversation.external_chat_id}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+      }
+
+      return json({ message, deliveries }, 201);
+    });
+  }
+
+  if (request.method === 'GET' && pathname === '/api/runs') {
+    return json({ runs: store.listRuns(numberParam(url, 'limit', 50)) });
+  }
+
+  if (request.method === 'POST' && pathname === '/api/runs') {
+    return readJson<StartRunBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      if (!body.message_id) throw new HttpError(400, 'MISSING_MESSAGE_ID', 'message_id is required');
+      if (!body.agent?.trim()) throw new HttpError(400, 'MISSING_AGENT', 'agent is required');
+      if (!body.cwd?.trim()) throw new HttpError(400, 'MISSING_CWD', 'cwd is required');
+      const ownerId = connection?.connectionId ?? body.connection_id ?? body.daemon_id;
+      if (!ownerId?.trim()) throw new HttpError(400, 'MISSING_DAEMON_ID', 'daemon_id or connection auth is required');
+      if (!store.daemonHasAgent(ownerId, body.agent)) {
+        throw new HttpError(400, 'DAEMON_AGENT_NOT_REGISTERED', 'daemon has not registered this agent');
+      }
+      const run = store.startRun({
+        messageId: body.message_id,
+        agent: body.agent,
+        cwd: body.cwd,
+        attempt: body.attempt ?? 1,
+        pid: body.pid ?? null,
+        sessionId: body.session_id,
+        triggerMessageId: body.trigger_message_id,
+        daemonId: ownerId,
+        connectionId: connection?.connectionId ?? body.connection_id,
+        computerId: connection?.computerId ?? body.computer_id,
+        runtimeProvider: body.runtime_provider,
+        runtimeInvocationId: body.runtime_invocation_id,
+        deliveryId: body.delivery_id,
+      });
+      return json({ run }, 201);
+    });
+  }
+
+  const messageMatch = pathname.match(/^\/api\/messages\/(\d+)$/);
+  if (request.method === 'GET' && messageMatch) {
+    const message = store.getMessage(Number(messageMatch[1]));
+    if (!message) throw new HttpError(404, 'MESSAGE_NOT_FOUND', 'message not found');
+    return json({ message });
+  }
+
+  const runMatch = pathname.match(/^\/api\/runs\/([^/]+)$/);
+  if (request.method === 'GET' && runMatch) {
+    const run = store.getRun(runMatch[1]!);
+    if (!run) throw new HttpError(404, 'RUN_NOT_FOUND', 'run not found');
+    return json({ run });
+  }
+
+  const pidMatch = pathname.match(/^\/api\/runs\/([^/]+)\/pid$/);
+  if (request.method === 'POST' && pidMatch) {
+    return readJson<RunPidBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      const runBefore = store.getRun(pidMatch[1]!);
+      if (!runBefore) throw new HttpError(404, 'RUN_NOT_FOUND', 'run not found');
+      if (connection && runBefore?.connection_id !== connection.connectionId) throw new HttpError(403, 'RUN_CONNECTION_MISMATCH', 'run belongs to another connection');
+      store.setRunPid(pidMatch[1]!, body.pid ?? null);
+      const run = store.getRun(pidMatch[1]!);
+      if (!run) throw new HttpError(404, 'RUN_NOT_FOUND', 'run not found');
+      return json({ run });
+    });
+  }
+
+  const finishMatch = pathname.match(/^\/api\/runs\/([^/]+)\/finish$/);
+  if (request.method === 'POST' && finishMatch) {
+    return readJson<FinishRunBody>(request).then((body) => {
+      const connection = requireDaemonConnection(store, request);
+      const runBefore = store.getRun(finishMatch[1]!);
+      if (!runBefore) throw new HttpError(404, 'RUN_NOT_FOUND', 'run not found');
+      if (connection && runBefore?.connection_id !== connection.connectionId) throw new HttpError(403, 'RUN_CONNECTION_MISMATCH', 'run belongs to another connection');
+      if (!body.status) throw new HttpError(400, 'MISSING_STATUS', 'status is required');
+      store.finishRun(finishMatch[1]!, { status: body.status, exitCode: body.exit_code, output: body.output });
+      const run = store.getRun(finishMatch[1]!);
+      if (!run) throw new HttpError(404, 'RUN_NOT_FOUND', 'run not found');
+      return json({ run });
+    });
+  }
+
+  const actionMatch = pathname.match(/^\/api\/runs\/([^/]+)\/(kill|restart)$/);
+  if (request.method === 'POST' && actionMatch) {
+    const run = store.requestRunAction(actionMatch[1]!, actionMatch[2] as RunAction);
+    return json({ run });
+  }
+
+  return routeNotFound();
+}
+
+export async function handleRequest(store: MessageStore, request: Request): Promise<Response> {
+  try {
+    return await route(store, request);
+  } catch (error) {
+    return failure(error);
+  }
+}