@controlflow-ai/daemon 0.1.1 → 0.1.2

package/src/console.ts

@@ -4,6 +4,9 @@ import { boolFlag, parseArgs, flag, numberFlag } from './args.js';
 import { LockClient } from './client.js';
 import { defaultServerUrl } from './config.js';
 import { formatMessages } from './format.js';
+import { defaultLarkConfigPath, findCredentialByAgent, loadLarkCredentials, saveLarkCredentials, unbindCredentialAgent, upsertCredential } from './lark/credentials.js';
+import { registerLarkAppFromDeviceFlow, resolveLarkBotInfo, type LarkBotInfoResult } from './lark/setup.js';
+import type { LarkRegistrationComplete } from './lark/app-registration.js';
 import type { Computer, ProvisionedComputer } from './types.js';
 
 interface Prompt {
@@ -26,11 +29,12 @@ Usage:
   bun run src/console.ts agents list [--json]
   bun run src/console.ts agents onboard [--interactive] [--key <agent-key>] [--name <display-name>] [--runtime codex] [--computer-id <machine>]
   bun run src/console.ts agents create --key <agent-key> --name <display-name> [--runtime neeko|coco|coco-stream-json|codex] [--desc <description>]
-  bun run src/console.ts agents update --key <agent-key> --runtime neeko|coco|coco-stream-json|codex
+  bun run src/console.ts agents update [--interactive] --key <agent-key> [--runtime neeko|coco|coco-stream-json|codex]
+      [--lark-app-id <id> --lark-app-secret <secret>] [--lark-label <name>] [--lark-config <path>] [--rebind-lark] [--unbind-lark] [--no-reload]
   bun run src/console.ts lark-users list [--json]
   bun run src/console.ts lark-users add [--interactive] --user-id <union-id> [--name <display-name>]
   bun run src/console.ts lark-users delete --user-id <union-id>
-  bun run src/console.ts lark <setup|list|daemon|events|send> [flags]
+  bun run src/console.ts lark <list|daemon|events|send> [flags]
 
 Environment:
   PAL_SERVER=${defaultServerUrl()}
@@ -44,6 +48,83 @@ async function requestJson<T>(url: string, init?: RequestInit): Promise<T> {
   return payload.data as T;
 }
 
+async function reloadLarkIntegration(serverUrl: string): Promise<void> {
+  const response = await fetch(`${serverUrl.replace(/\/$/, '')}/api/lark/reload`, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({}),
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    console.warn(`Lark bot config saved, but server reload failed (${response.status}): ${text}`);
+    return;
+  }
+  console.log('Lark integration reloaded.');
+}
+
+async function resolveBotInfoForConsole(appId: string, appSecret: string): Promise<LarkBotInfoResult> {
+  if (process.env.NODE_ENV === 'test' && process.env.PAL_TEST_LARK_BOT_OPEN_ID) {
+    return { ok: true, openId: process.env.PAL_TEST_LARK_BOT_OPEN_ID };
+  }
+  return resolveLarkBotInfo(appId, appSecret);
+}
+
+async function registerLarkAppForConsole(): Promise<LarkRegistrationComplete | null> {
+  if (process.env.NODE_ENV === 'test' && process.env.PAL_TEST_LARK_REGISTRATION_APP_ID && process.env.PAL_TEST_LARK_REGISTRATION_APP_SECRET) {
+    console.log('Create a Feishu app by scanning this QR code or opening the link:');
+    console.log('https://example.test/lark-registration');
+    return {
+      appId: process.env.PAL_TEST_LARK_REGISTRATION_APP_ID,
+      appSecret: process.env.PAL_TEST_LARK_REGISTRATION_APP_SECRET,
+      tenantBrand: 'feishu',
+      userOpenId: process.env.PAL_TEST_LARK_REGISTRATION_USER_OPEN_ID,
+    };
+  }
+  return registerLarkAppFromDeviceFlow({ log: console });
+}
+
+function larkConfigPath(flags: Record<string, string | boolean>): string {
+  return flag(flags, 'lark-config') ?? flag(flags, 'config') ?? defaultLarkConfigPath();
+}
+
+async function unbindLarkBotFromAgent(serverClient: LockClient, flags: Record<string, string | boolean>, agentKey: string): Promise<void> {
+  const configPath = larkConfigPath(flags);
+  const store = loadLarkCredentials(configPath);
+  const result = unbindCredentialAgent(store, agentKey);
+  if (!result.changed) {
+    console.log(`Agent ${agentKey} has no Lark bot binding.`);
+    return;
+  }
+  saveLarkCredentials(result.store, configPath);
+  console.log(`Lark bot ${result.unbound!.appId} unbound from agent ${agentKey}.`);
+  if (!boolFlag(flags, 'no-reload')) await reloadLarkIntegration(serverClient.baseUrl);
+}
+
+async function bindLarkBotToAgent(serverClient: LockClient, flags: Record<string, string | boolean>, agentKey: string): Promise<void> {
+  const appId = flag(flags, 'lark-app-id') ?? flag(flags, 'app-id');
+  const appSecret = flag(flags, 'lark-app-secret') ?? flag(flags, 'app-secret');
+  if (!appId && !appSecret) return;
+  if (!appId || !appSecret) throw new Error('--lark-app-id and --lark-app-secret are required together');
+
+  const botInfo = await resolveBotInfoForConsole(appId, appSecret);
+  if (!botInfo.ok) throw new Error(`could not resolve Lark bot open_id (${botInfo.error}): ${botInfo.message}`);
+
+  const configPath = larkConfigPath(flags);
+  const store = loadLarkCredentials(configPath);
+  const result = upsertCredential(store, {
+    appId,
+    appSecret,
+    label: flag(flags, 'lark-label') ?? flag(flags, 'label'),
+    agent: agentKey,
+    botOpenId: botInfo.openId,
+  }, { rebind: boolFlag(flags, 'rebind-lark') });
+  saveLarkCredentials(result.store, configPath);
+
+  const moved = result.unbound.length > 0 ? `; moved from ${result.unbound.map((bot) => bot.appId).join(', ')}` : '';
+  console.log(`Lark bot ${appId} bound to agent ${agentKey}${moved}.`);
+  if (!boolFlag(flags, 'no-reload')) await reloadLarkIntegration(serverClient.baseUrl);
+}
+
 function printJson(value: unknown): void {
   console.log(JSON.stringify(value, null, 2));
 }
@@ -132,12 +213,35 @@ async function askComputerId(prompt: Prompt, computers: Computer[]): Promise<str
   }
 }
 
+async function listAgentRecords(serverClient: LockClient): Promise<Array<Record<string, unknown>>> {
+  const response = await fetch(`${serverClient.baseUrl}/api/agents`);
+  const payload = await response.json() as { data?: { agents: Array<Record<string, unknown>> }; message?: string };
+  if (!response.ok) throw new Error(payload.message ?? `list failed: ${response.status}`);
+  return payload.data?.agents ?? [];
+}
+
+async function askAgentKey(prompt: Prompt, agents: Array<Record<string, unknown>>, defaultValue = ''): Promise<string> {
+  if (agents.length === 0) throw new Error('No agents found. Set up an agent first with "bun run console -- agents onboard".');
+
+  console.log('Agents:');
+  agents.forEach((agent, index) => {
+    console.log(`  ${index + 1}. ${agent.display_name} (${agent.agent_key}) runtime=${agent.runtime ?? '-'}`);
+  });
+
+  while (true) {
+    const answer = await ask(prompt, 'Choose agent', defaultValue);
+    const selected = agents[Number(answer) - 1] ?? agents.find((agent) => agent.agent_key === answer);
+    if (selected?.agent_key) return String(selected.agent_key);
+    console.log('Choose a listed number or agent key.');
+  }
+}
+
 async function collectComputerOnboardInput(serverClient: LockClient, flags: Record<string, string | boolean>): Promise<{ name: string; serverUrl: string; packageName: string }> {
   const hasAnyProvisionFlag = Boolean(flag(flags, 'name') || flag(flags, 'server-url') || flag(flags, 'package-name'));
   const interactive = boolFlag(flags, 'interactive') || (!hasAnyProvisionFlag && process.stdin.isTTY === true);
   const defaultName = flag(flags, 'name') ?? 'Local computer';
   const defaultServerUrl = flag(flags, 'server-url') ?? serverClient.baseUrl;
-  const defaultPackageName = flag(flags, 'package-name') ?? '@slock-ai/daemon@latest';
+  const defaultPackageName = flag(flags, 'package-name') ?? '@controlflow-ai/daemon@latest';
 
   if (!interactive) {
     return {
@@ -176,7 +280,56 @@ function printProvisionedComputer(provisioned: ProvisionedComputer): void {
   console.log(provisioned.command);
 }
 
-async function collectOnboardInput(serverClient: LockClient, flags: Record<string, string | boolean>): Promise<{ agentKey: string; displayName: string; runtime: string; desc: string | null; computerId: string | undefined }> {
+async function collectLarkBindFlags(prompt: Prompt, flags: Record<string, string | boolean>, agentKey: string, existingAppId?: string): Promise<Record<string, string | boolean>> {
+  const configPath = larkConfigPath(flags);
+  console.log('Lark bot setup');
+  console.log('  1. Scan or open link to create app');
+  console.log('  2. Paste App ID / App Secret');
+  const method = await ask(prompt, 'Setup method', '1');
+
+  let appId = flag(flags, 'lark-app-id') ?? flag(flags, 'app-id');
+  let appSecret = flag(flags, 'lark-app-secret') ?? flag(flags, 'app-secret');
+  let scannedUserOpenId: string | undefined;
+  if (method !== '2' && (!appId || !appSecret)) {
+    const registration = await registerLarkAppForConsole().catch((error) => {
+      console.warn(`App registration failed: ${error instanceof Error ? error.message : String(error)}`);
+      return null;
+    });
+    if (registration?.tenantBrand === 'lark') {
+      throw new Error('Lark international tenants are not supported yet; use a Feishu tenant');
+    }
+    if (registration) {
+      appId = registration.appId;
+      appSecret = registration.appSecret;
+      scannedUserOpenId = registration.userOpenId;
+      console.log(`App created: ${appId}`);
+    } else {
+      console.warn('Falling back to manual App ID / App Secret entry.');
+    }
+  }
+
+  appId = appId || await askRequired(prompt, 'Lark App ID', existingAppId ?? '');
+  appSecret = appSecret || await askRequired(prompt, 'Lark App Secret');
+  const label = await ask(prompt, 'Bot label (optional)', flag(flags, 'lark-label') ?? flag(flags, 'label') ?? '');
+  if (scannedUserOpenId) {
+    console.log(`Scanner open_id ${scannedUserOpenId} was detected; add it under Lark authorized users if this user should operate Pal.`);
+  }
+
+  const isChangingBot = Boolean(existingAppId && existingAppId !== appId);
+  const rebind = boolFlag(flags, 'rebind-lark') || (isChangingBot && await askYesNo(prompt, `Move ${agentKey} from ${existingAppId} to ${appId}?`, false));
+  if (isChangingBot && !rebind) throw new Error('Lark bot rebind cancelled');
+
+  return {
+    ...flags,
+    'lark-app-id': appId,
+    'lark-app-secret': appSecret,
+    'lark-config': configPath,
+    ...(label ? { 'lark-label': label } : {}),
+    ...(rebind ? { 'rebind-lark': true } : {}),
+  };
+}
+
+async function collectOnboardInput(serverClient: LockClient, flags: Record<string, string | boolean>): Promise<{ agentKey: string; displayName: string; runtime: string; desc: string | null; computerId: string | undefined; larkFlags?: Record<string, string | boolean> }> {
   const hasRequiredFlags = Boolean(flag(flags, 'key') && flag(flags, 'name'));
   const interactive = boolFlag(flags, 'interactive') || (!hasRequiredFlags && process.stdin.isTTY === true);
   if (!interactive) {
@@ -187,6 +340,7 @@ async function collectOnboardInput(serverClient: LockClient, flags: Record<strin
       runtime: flag(flags, 'runtime') ?? 'codex',
       desc: flag(flags, 'desc') ?? null,
       computerId: flag(flags, 'computer-id'),
+      larkFlags: flag(flags, 'lark-app-id') || flag(flags, 'app-id') ? flags : undefined,
     };
   }
 
@@ -210,12 +364,68 @@ async function collectOnboardInput(serverClient: LockClient, flags: Record<strin
     console.log(`  description: ${desc || '-'}`);
     console.log(`  computer_id: ${computerId || '-'}`);
     if (!await askYesNo(prompt, 'Create/update this agent?', true)) throw new Error('onboarding cancelled');
+    const shouldSetupLark = await askYesNo(prompt, 'Set up a Lark bot for this agent?', false);
+    const larkFlags = shouldSetupLark ? await collectLarkBindFlags(prompt, flags, agentKey) : undefined;
     return {
       agentKey,
       displayName,
       runtime,
       desc: desc || null,
       computerId: computerId || undefined,
+      larkFlags,
+    };
+  } finally {
+    prompt.close();
+  }
+}
+
+async function collectAgentUpdateInput(serverClient: LockClient, flags: Record<string, string | boolean>): Promise<{ agentKey: string; flags: Record<string, string | boolean> }> {
+  if (flag(flags, 'runtime')) throw new Error('agents update --interactive currently supports only Lark bot binding or unbinding');
+
+  const prompt = await createPrompt();
+  try {
+    console.log('Agent Lark settings');
+    const agents = await listAgentRecords(serverClient);
+    const agentKey = await askAgentKey(prompt, agents, flag(flags, 'key') ?? (agents.length === 1 ? '1' : ''));
+    const configPath = larkConfigPath(flags);
+    const store = loadLarkCredentials(configPath);
+    const existing = findCredentialByAgent(store, agentKey);
+    if (existing) {
+      console.log(`Current Lark bot: ${existing.label ?? existing.appId} (${existing.appId})`);
+    } else {
+      console.log('Current Lark bot: -');
+    }
+
+    const defaultAction = existing ? '1' : '1';
+    console.log('Lark action:');
+    console.log(`  1. ${existing ? 'Bind/rebind bot' : 'Bind bot'}`);
+    if (existing) console.log('  2. Unbind bot');
+    const action = await ask(prompt, 'Choose action', defaultAction);
+    if (existing && (action === '2' || action.toLowerCase() === 'unbind')) {
+      if (!await askYesNo(prompt, `Unbind ${existing.appId} from ${agentKey}?`, false)) throw new Error('Lark bot unbind cancelled');
+      return {
+        agentKey,
+        flags: {
+          ...flags,
+          'lark-config': configPath,
+          'unbind-lark': true,
+        },
+      };
+    }
+
+    const larkFlags = await collectLarkBindFlags(prompt, flags, agentKey, existing?.appId);
+
+    console.log('');
+    console.log('Summary:');
+    console.log(`  agent_key: ${agentKey}`);
+    console.log(`  lark_app_id: ${flag(larkFlags, 'lark-app-id')}`);
+    console.log(`  lark_label: ${flag(larkFlags, 'lark-label') || '-'}`);
+    console.log(`  rebind: ${boolFlag(larkFlags, 'rebind-lark') ? 'yes' : 'no'}`);
+    if (!await askYesNo(prompt, 'Bind this Lark bot?', true)) throw new Error('Lark bot binding cancelled');
+
+    return {
+      agentKey,
+      flags: larkFlags,
     };
   } finally {
     prompt.close();
@@ -366,10 +576,7 @@ async function main(): Promise<void> {
     const sub = args.values[0];
 
     if (sub === 'list') {
-      const response = await fetch(`${serverClient.baseUrl}/api/agents`);
-      const payload = await response.json() as { data?: { agents: Array<Record<string, unknown>> }; message?: string };
-      if (!response.ok) throw new Error(payload.message ?? `list failed: ${response.status}`);
-      const agents = payload.data?.agents ?? [];
+      const agents = await listAgentRecords(serverClient);
       if (args.flags.json) {
         printJson(agents);
       } else {
@@ -405,7 +612,7 @@ async function main(): Promise<void> {
     }
 
     if (sub === 'onboard') {
-      const { agentKey, displayName, runtime, desc, computerId } = await collectOnboardInput(serverClient, args.flags);
+      const { agentKey, displayName, runtime, desc, computerId, larkFlags } = await collectOnboardInput(serverClient, args.flags);
       if (!agentKey) throw new Error('agent key is required');
       if (!displayName) throw new Error('display name is required');
 
@@ -422,24 +629,41 @@ async function main(): Promise<void> {
       });
       const payload = await response.json() as { data?: Record<string, unknown>; message?: string };
       if (!response.ok) throw new Error(payload.message ?? `onboard failed: ${response.status}`);
+      if (larkFlags) await bindLarkBotToAgent(serverClient, larkFlags, agentKey);
       printJson(payload.data);
       return;
     }
 
     if (sub === 'update') {
-      const agentKey = flag(args.flags, 'key');
+      const updateInput = boolFlag(args.flags, 'interactive')
+        ? await collectAgentUpdateInput(serverClient, args.flags)
+        : { agentKey: flag(args.flags, 'key') ?? '', flags: args.flags };
+      const agentKey = updateInput.agentKey;
+      const updateFlags = updateInput.flags;
       const runtime = flag(args.flags, 'runtime');
       if (!agentKey) throw new Error('--key is required');
-      if (!runtime) throw new Error('--runtime is required');
+      const hasLarkBinding = Boolean(flag(updateFlags, 'lark-app-id') || flag(updateFlags, 'app-id') || flag(updateFlags, 'lark-app-secret') || flag(updateFlags, 'app-secret'));
+      const hasLarkUnbind = boolFlag(updateFlags, 'unbind-lark');
+      if (!runtime && !hasLarkBinding && !hasLarkUnbind) throw new Error('--runtime, --lark-app-id/--lark-app-secret, or --unbind-lark is required');
+
+      let agent: Record<string, unknown> | undefined;
+      if (runtime) {
+        const response = await fetch(`${serverClient.baseUrl}/api/agents/${encodeURIComponent(agentKey)}`, {
+          method: 'PATCH',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({ runtime }),
+        });
+        const payload = await response.json() as { data?: { agent: Record<string, unknown> }; message?: string };
+        if (!response.ok) throw new Error(payload.message ?? `update failed: ${response.status}`);
+        agent = payload.data?.agent;
+      } else {
+        agent = (await listAgentRecords(serverClient)).find((candidate) => candidate.agent_key === agentKey);
+        if (!agent) throw new Error(`agent ${agentKey} not found`);
+      }
 
-      const response = await fetch(`${serverClient.baseUrl}/api/agents/${encodeURIComponent(agentKey)}`, {
-        method: 'PATCH',
-        headers: { 'content-type': 'application/json' },
-        body: JSON.stringify({ runtime }),
-      });
-      const payload = await response.json() as { data?: { agent: Record<string, unknown> }; message?: string };
-      if (!response.ok) throw new Error(payload.message ?? `update failed: ${response.status}`);
-      printJson(payload.data?.agent);
+      if (hasLarkUnbind) await unbindLarkBotFromAgent(serverClient, updateFlags, agentKey);
+      else await bindLarkBotToAgent(serverClient, updateFlags, agentKey);
+      printJson(agent);
       return;
     }
 

package/src/daemon.ts

@@ -153,12 +153,22 @@ async function executeRun(client: LockClient, delivery: MessageDelivery, message
   console.log(`${logPrefix} run=${run.id} status=${run.status}`);
 
   const { runAgentRuntime } = await import('./agent-runtime.js');
-  const roomParticipants = await client.listRoomMembers(message.chat_id)
-    .then((result) => result.participants)
+  const roomSnapshot = await client.listRoomMembers(message.chat_id)
+    .then((result) => result)
     .catch((error) => {
       console.warn(`${logPrefix} room participant snapshot unavailable: ${error instanceof Error ? error.message : String(error)}`);
-      return [];
+      return null;
     });
+  const roomParticipants = roomSnapshot?.participants ?? [];
+  const roomProject = roomSnapshot?.room.project_id ? {
+    id: roomSnapshot.room.project_id,
+    name: roomSnapshot.room.project_name ?? roomSnapshot.room.project_id,
+    rootPath: roomSnapshot.room.project_root_path ?? '',
+    computerId: roomSnapshot.room.project_computer_id ?? '',
+    computerName: roomSnapshot.room.project_computer_name,
+  } : null;
+  const projectAccessible = Boolean(roomProject && options.computerId && roomProject.computerId === options.computerId);
+  const effectiveProjectCwd = projectAccessible && roomProject?.rootPath ? roomProject.rootPath : options.projectCwd;
   const recentMessages = await client.getMessages(new URLSearchParams({
     chat_id: message.chat_id,
     after: String(Math.max(0, message.id - 50)),
@@ -176,7 +186,12 @@ async function executeRun(client: LockClient, delivery: MessageDelivery, message
       message,
       cwd: options.agentHome,
       agentHome: options.agentHome,
-      projectCwd: options.projectCwd,
+      projectCwd: effectiveProjectCwd,
+      projectContext: roomProject ? {
+        ...roomProject,
+        accessible: projectAccessible,
+        currentComputerId: options.computerId,
+      } : undefined,
       extraArgs: options.extraArgs,
       localDaemonUrl: options.localDaemonUrl,
       localDaemonToken: options.localDaemonToken,
@@ -377,6 +392,7 @@ async function reconcileManagedAgents(input: {
   computerId: string;
   serverUrl: string;
   defaultCwd: string;
+  localUrl?: string;
 }): Promise<void> {
   const desiredAssignedAgents = new Set(input.assignments.map((assignment) => assignment.agent));
 
@@ -403,6 +419,7 @@ async function reconcileManagedAgents(input: {
   await input.client.registerDaemon({
     id: input.daemonId,
     name: input.computerId,
+    local_url: input.localUrl,
     server_url: input.serverUrl,
     agents: daemonAgentPayload(input.managedAgents),
   });
@@ -473,6 +490,8 @@ async function main(): Promise<void> {
 
   const daemonAuth = { computer_id: connected.computer.id, connection_id: connected.connection.id, token: connected.token };
   const client = new LockClient(serverUrl, daemonAuth);
+  const localServer = startLocalApi({ host: localHost, port: localPort, serverUrl, token: localToken, controlToken: connected.local_control_token, daemonAuth });
+  const localUrl = `http://${localServer.hostname}:${localServer.port}`;
   await reconcileManagedAgents({
     assignments: connected.agents ?? [],
     explicitAgents,
@@ -483,6 +502,7 @@ async function main(): Promise<void> {
     computerId: connected.computer.id,
     serverUrl,
     defaultCwd: cwd,
+    localUrl,
   });
   if (managedAgents.size === 0) {
     console.log(`[daemon] no agents currently assigned to computer ${connected.computer.id}; waiting for assignments`);
@@ -491,8 +511,6 @@ async function main(): Promise<void> {
   let connectionRevoked = false;
   const heartbeatMs = numberFlag(args.flags, 'heartbeat-interval', 5000)!;
 
-  const localServer = startLocalApi({ host: localHost, port: localPort, serverUrl, token: localToken, daemonAuth });
-
   console.log(`pal daemon computer=${connected.computer.id} connection=${connected.connection.id} agents=${Array.from(managedAgents.values()).map((managed) => `${managed.agent}:${managed.runtimeProvider}`).join(',') || 'none'} server=${serverUrl}`);
   console.log(`local api=http://${localServer.hostname}:${localServer.port} token=${localToken ? 'set' : 'missing'}`);
   console.log(`state=${statePath} lastSeenId=${state.lastSeenId}`);
@@ -525,6 +543,7 @@ async function main(): Promise<void> {
         computerId: connected.computer.id,
         serverUrl,
         defaultCwd: cwd,
+        localUrl,
       });
       writeState(statePath, state);
     } catch (error) {

package/src/db.ts

@@ -1,10 +1,11 @@
 import { Database, type SQLQueryBindings } from 'bun:sqlite';
 import { createHash, randomBytes } from 'node:crypto';
+import { isAbsolute } from 'node:path';
 import { ensureParentDir } from './config.js';
 import { runMigrations } from './migrations.js';
 import { artifactExpiry, generateArtifactToken, hashArtifactToken, validateArtifactContent } from './artifacts.js';
 import { palIdentityHandle } from './provider-identity.js';
-import type { AgentDefinition, AgentRun, AgentSession, AgentValidationResult, Artifact, ArtifactMetadata, ChannelAccount, ChannelConversation, ChannelMessageMapping, ChannelOutboxRecord, Chat, ChatKind, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, LarkAuthorizedUser, LarkGroupRoomMapping, LockProviderEvidence, LockTranscriptMessage, Message, MessageDelivery, MessageType, AgentRoomSubscription, AgentRoomSubscriptionMode, PendingInboundEvent, ProvisionedComputer, ProviderExternalType, ProviderIdentityBinding, PalIdentity, RoomChannel, RoomParticipant, RoomParticipantKind, RoomParticipantSource, RoomProvider, RunAction, RunStatus, TranscriptReadModel, WorkbenchArtifact } from './types.js';
+import type { AgentDefinition, AgentRun, AgentSession, AgentValidationResult, Artifact, ArtifactMetadata, ChannelAccount, ChannelConversation, ChannelMessageMapping, ChannelOutboxRecord, Chat, ChatKind, Computer, ComputerAgentAssignment, ComputerConnection, DaemonInstance, LarkAuthorizedUser, LarkGroupRoomMapping, LockProviderEvidence, LockTranscriptMessage, Message, MessageDelivery, MessageType, AgentRoomSubscription, AgentRoomSubscriptionMode, PendingInboundEvent, Project, ProvisionedComputer, ProviderExternalType, ProviderIdentityBinding, PalIdentity, RoomChannel, RoomParticipant, RoomParticipantKind, RoomParticipantSource, RoomProvider, RunAction, RunStatus, TranscriptReadModel, WorkbenchArtifact } from './types.js';
 
 export const ALL_AGENTS_MENTION = '__pal_all_agents__';
 
@@ -85,6 +86,7 @@ export interface ConnectComputerResult {
   computer: Computer;
   connection: ComputerConnection;
   token: string;
+  localControlToken: string;
   daemon: DaemonInstance;
   agents: ComputerAgentAssignment[];
 }
@@ -356,6 +358,19 @@ function rowToComputerAgentAssignment(row: Record<string, unknown>): ComputerAge
   };
 }
 
+function rowToProject(row: Record<string, unknown>): Project {
+  return {
+    id: String(row.id),
+    name: String(row.name),
+    computer_id: String(row.computer_id),
+    computer_name: row.computer_name === null || row.computer_name === undefined ? null : String(row.computer_name),
+    root_path: String(row.root_path),
+    room_count: Number(row.room_count ?? 0),
+    created_at: String(row.created_at),
+    updated_at: String(row.updated_at),
+  };
+}
+
 function rowToMessage(row: Record<string, unknown>): Message {
   return {
     id: Number(row.id),
@@ -812,6 +827,68 @@ export class MessageStore {
     return this.getChatById(id)!;
   }
 
+  createProject(input: { name: string; computerId: string; rootPath: string }): Project {
+    const name = input.name.trim();
+    const computerId = input.computerId.trim();
+    const rootPath = input.rootPath.trim();
+    if (!name) throw new Error('project name is required');
+    if (!computerId) throw new Error('computer_id is required');
+    if (!rootPath) throw new Error('root_path is required');
+    if (!isAbsolute(rootPath)) throw new Error('root_path must be absolute');
+    const computer = this.getComputer(computerId);
+    if (!computer) throw new Error(`computer ${computerId} not found`);
+
+    const id = crypto.randomUUID();
+    this.db.query(`
+      INSERT INTO projects (id, name, computer_id, root_path, created_at, updated_at)
+      VALUES (?, ?, ?, ?, datetime('now'), datetime('now'))
+    `).run(id, name, computerId, rootPath);
+    return this.getProject(id)!;
+  }
+
+  getProject(id: string): Project | null {
+    const row = this.db.query(`
+      SELECT p.*, c.name AS computer_name, COUNT(ch.id) AS room_count
+      FROM projects p
+      LEFT JOIN computers c ON c.id = p.computer_id
+      LEFT JOIN chats ch ON ch.project_id = p.id
+      WHERE p.id = ?
+      GROUP BY p.id
+    `).get(id.trim()) as Record<string, unknown> | null;
+    return row ? rowToProject(row) : null;
+  }
+
+  listProjects(limit = 50): Project[] {
+    const rows = this.db.query(`
+      SELECT p.*, c.name AS computer_name, COUNT(ch.id) AS room_count
+      FROM projects p
+      LEFT JOIN computers c ON c.id = p.computer_id
+      LEFT JOIN chats ch ON ch.project_id = p.id
+      GROUP BY p.id
+      ORDER BY p.updated_at DESC, p.created_at DESC
+      LIMIT ?
+    `).all(limitValue(limit, 50)) as Record<string, unknown>[];
+    return rows.map(rowToProject);
+  }
+
+  createProjectRoom(input: { projectId: string; name: string; kind?: ChatKind }): Chat {
+    const project = this.getProject(input.projectId);
+    if (!project) throw new Error(`project ${input.projectId} was not found`);
+    const kind = input.kind ?? 'group';
+    if (kind !== 'group' && kind !== 'dm') throw new Error('kind must be group or dm');
+    const chatName = normalizeChatName(input.name);
+    if (!chatName) throw new Error('room name is required');
+    if (this.getChatByName(chatName)) throw new Error(`room ${chatName} already exists`);
+
+    const id = crypto.randomUUID();
+    this.db.query(`
+      INSERT INTO chats (id, name, kind, provider, capabilities_json, project_id)
+      VALUES (?, ?, ?, 'web', ?, ?)
+    `).run(id, chatName, kind, kind === 'dm' ? '{"topics":"unsupported"}' : '{"topics":"native"}', project.id);
+    this.db.query(`UPDATE projects SET updated_at = datetime('now') WHERE id = ?`).run(project.id);
+    return this.getChatById(id)!;
+  }
+
   updateRoomDisplayName(roomId: string, displayName: string | null): Chat {
     const room = this.getChatById(roomId);
     if (!room) throw new Error(`room ${roomId} was not found`);
@@ -2216,6 +2293,7 @@ export class MessageStore {
 
     const connectionId = crypto.randomUUID();
     const token = generateConnectionToken();
+    const localControlToken = generateConnectionToken();
     const tokenHash = hashSecret(token);
     const revokedRows = this.db.query(`
       SELECT id FROM computer_connections
@@ -2270,9 +2348,9 @@ export class MessageStore {
         }
       }
       this.db.query(`
-        INSERT INTO computer_connections (id, computer_id, token_hash, epoch, status, connected_at, last_heartbeat_at)
-        VALUES (?, ?, ?, ?, 'active', datetime('now'), datetime('now'))
-      `).run(connectionId, computerId, tokenHash, epoch);
+        INSERT INTO computer_connections (id, computer_id, token_hash, local_control_token, epoch, status, connected_at, last_heartbeat_at)
+        VALUES (?, ?, ?, ?, ?, 'active', datetime('now'), datetime('now'))
+      `).run(connectionId, computerId, tokenHash, localControlToken, epoch);
       this.db.query(`
         INSERT INTO daemon_instances (id, name, host, local_url, server_url, status, last_seen_at)
         VALUES (?, ?, ?, ?, ?, 'online', datetime('now'))
@@ -2303,11 +2381,30 @@ export class MessageStore {
       computer: this.getComputer(computerId)!,
       connection: this.getComputerConnection(connectionId)!,
       token,
+      localControlToken,
       daemon: this.getDaemon(connectionId)!,
       agents: this.listComputerAgentAssignments(computerId),
     };
   }
 
+  getComputerLocalControl(computerId: string): { computer: Computer; connection: ComputerConnection; daemon: DaemonInstance; token: string } | null {
+    const computer = this.getComputer(computerId);
+    if (!computer || computer.status !== 'online' || !computer.active_connection_id) return null;
+    const connection = this.getComputerConnection(computer.active_connection_id);
+    if (!connection || connection.status !== 'active') return null;
+    const row = this.db.query(`
+      SELECT local_control_token
+      FROM computer_connections
+      WHERE id = ? AND computer_id = ? AND status = 'active'
+      LIMIT 1
+    `).get(connection.id, computer.id) as { local_control_token: string | null } | null;
+    const token = row?.local_control_token?.trim();
+    if (!token) return null;
+    const daemon = this.getDaemon(connection.id);
+    if (!daemon || daemon.status !== 'online' || !daemon.local_url.trim()) return null;
+    return { computer, connection, daemon, token };
+  }
+
   closeStaleComputerConnections(timeoutMs: number, now = new Date()): number {
     if (!Number.isFinite(timeoutMs) || timeoutMs < 0) throw new Error('timeoutMs must be non-negative');
     const cutoff = new Date(now.getTime() - timeoutMs).toISOString();