npm - @geminixiang/mama - Versions diffs - 0.2.0-beta.0 → 0.2.0-beta.10 - Mend

@geminixiang/mama 0.2.0-beta.0 → 0.2.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (273) hide show

package/README.md +171 -334
package/dist/adapter.d.ts +36 -10
package/dist/adapter.d.ts.map +1 -1
package/dist/adapter.js.map +1 -1
package/dist/adapters/discord/bot.d.ts +10 -5
package/dist/adapters/discord/bot.d.ts.map +1 -1
package/dist/adapters/discord/bot.js +349 -114
package/dist/adapters/discord/bot.js.map +1 -1
package/dist/adapters/discord/context.d.ts +1 -1
package/dist/adapters/discord/context.d.ts.map +1 -1
package/dist/adapters/discord/context.js +102 -31
package/dist/adapters/discord/context.js.map +1 -1
package/dist/adapters/shared.d.ts +71 -0
package/dist/adapters/shared.d.ts.map +1 -0
package/dist/adapters/shared.js +168 -0
package/dist/adapters/shared.js.map +1 -0
package/dist/adapters/slack/bot.d.ts +29 -22
package/dist/adapters/slack/bot.d.ts.map +1 -1
package/dist/adapters/slack/bot.js +620 -186
package/dist/adapters/slack/bot.js.map +1 -1
package/dist/adapters/slack/branch-manager.d.ts +22 -0
package/dist/adapters/slack/branch-manager.d.ts.map +1 -0
package/dist/adapters/slack/branch-manager.js +97 -0
package/dist/adapters/slack/branch-manager.js.map +1 -0
package/dist/adapters/slack/context.d.ts +1 -1
package/dist/adapters/slack/context.d.ts.map +1 -1
package/dist/adapters/slack/context.js +136 -71
package/dist/adapters/slack/context.js.map +1 -1
package/dist/adapters/slack/session.d.ts +3 -0
package/dist/adapters/slack/session.d.ts.map +1 -0
package/dist/adapters/slack/session.js +16 -0
package/dist/adapters/slack/session.js.map +1 -0
package/dist/adapters/slack/tools/attach.d.ts +1 -1
package/dist/adapters/slack/tools/attach.d.ts.map +1 -1
package/dist/adapters/slack/tools/attach.js.map +1 -1
package/dist/adapters/telegram/bot.d.ts +2 -0
package/dist/adapters/telegram/bot.d.ts.map +1 -1
package/dist/adapters/telegram/bot.js +190 -123
package/dist/adapters/telegram/bot.js.map +1 -1
package/dist/adapters/telegram/context.d.ts.map +1 -1
package/dist/adapters/telegram/context.js +57 -59
package/dist/adapters/telegram/context.js.map +1 -1
package/dist/adapters/telegram/html.d.ts +3 -0
package/dist/adapters/telegram/html.d.ts.map +1 -0
package/dist/adapters/telegram/html.js +98 -0
package/dist/adapters/telegram/html.js.map +1 -0
package/dist/agent.d.ts +9 -10
package/dist/agent.d.ts.map +1 -1
package/dist/agent.js +645 -555
package/dist/agent.js.map +1 -1
package/dist/commands/auto-reply.d.ts +16 -0
package/dist/commands/auto-reply.d.ts.map +1 -0
package/dist/commands/auto-reply.js +69 -0
package/dist/commands/auto-reply.js.map +1 -0
package/dist/commands/index.d.ts +5 -0
package/dist/commands/index.d.ts.map +1 -0
package/dist/commands/index.js +19 -0
package/dist/commands/index.js.map +1 -0
package/dist/commands/login.d.ts +5 -0
package/dist/commands/login.d.ts.map +1 -0
package/dist/commands/login.js +76 -0
package/dist/commands/login.js.map +1 -0
package/dist/commands/model.d.ts +14 -0
package/dist/commands/model.d.ts.map +1 -0
package/dist/commands/model.js +112 -0
package/dist/commands/model.js.map +1 -0
package/dist/commands/new.d.ts +9 -0
package/dist/commands/new.d.ts.map +1 -0
package/dist/commands/new.js +28 -0
package/dist/commands/new.js.map +1 -0
package/dist/commands/registry.d.ts +7 -0
package/dist/commands/registry.d.ts.map +1 -0
package/dist/commands/registry.js +14 -0
package/dist/commands/registry.js.map +1 -0
package/dist/commands/sandbox.d.ts +10 -0
package/dist/commands/sandbox.d.ts.map +1 -0
package/dist/commands/sandbox.js +88 -0
package/dist/commands/sandbox.js.map +1 -0
package/dist/commands/session-view.d.ts +5 -0
package/dist/commands/session-view.d.ts.map +1 -0
package/dist/commands/session-view.js +62 -0
package/dist/commands/session-view.js.map +1 -0
package/dist/commands/types.d.ts +41 -0
package/dist/commands/types.d.ts.map +1 -0
package/dist/commands/types.js +2 -0
package/dist/commands/types.js.map +1 -0
package/dist/commands/utils.d.ts +8 -0
package/dist/commands/utils.d.ts.map +1 -0
package/dist/commands/utils.js +14 -0
package/dist/commands/utils.js.map +1 -0
package/dist/config.d.ts +53 -7
package/dist/config.d.ts.map +1 -1
package/dist/config.js +320 -55
package/dist/config.js.map +1 -1
package/dist/context.d.ts +10 -42
package/dist/context.d.ts.map +1 -1
package/dist/context.js +15 -128
package/dist/context.js.map +1 -1
package/dist/events.d.ts +16 -5
package/dist/events.d.ts.map +1 -1
package/dist/events.js +127 -58
package/dist/events.js.map +1 -1
package/dist/execution-resolver.d.ts +24 -0
package/dist/execution-resolver.d.ts.map +1 -0
package/dist/execution-resolver.js +115 -0
package/dist/execution-resolver.js.map +1 -0
package/dist/file-guards.d.ts +6 -0
package/dist/file-guards.d.ts.map +1 -0
package/dist/file-guards.js +48 -0
package/dist/file-guards.js.map +1 -0
package/dist/fs-atomic.d.ts +10 -0
package/dist/fs-atomic.d.ts.map +1 -0
package/dist/fs-atomic.js +45 -0
package/dist/fs-atomic.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +4 -0
package/dist/index.js.map +1 -0
package/dist/instrument.d.ts.map +1 -1
package/dist/instrument.js +3 -3
package/dist/instrument.js.map +1 -1
package/dist/log.d.ts +3 -7
package/dist/log.d.ts.map +1 -1
package/dist/log.js +20 -45
package/dist/log.js.map +1 -1
package/dist/login/index.d.ts +41 -0
package/dist/login/index.d.ts.map +1 -0
package/dist/login/index.js +202 -0
package/dist/login/index.js.map +1 -0
package/dist/login/portal.d.ts +19 -0
package/dist/login/portal.d.ts.map +1 -0
package/dist/login/portal.js +1453 -0
package/dist/login/portal.js.map +1 -0
package/dist/login/session.d.ts +33 -0
package/dist/login/session.d.ts.map +1 -0
package/dist/login/session.js +68 -0
package/dist/login/session.js.map +1 -0
package/dist/main.d.ts.map +1 -1
package/dist/main.js +229 -264
package/dist/main.js.map +1 -1
package/dist/provisioner.d.ts +79 -0
package/dist/provisioner.d.ts.map +1 -0
package/dist/provisioner.js +437 -0
package/dist/provisioner.js.map +1 -0
package/dist/runtime/conversation-orchestrator.d.ts +42 -0
package/dist/runtime/conversation-orchestrator.d.ts.map +1 -0
package/dist/runtime/conversation-orchestrator.js +150 -0
package/dist/runtime/conversation-orchestrator.js.map +1 -0
package/dist/runtime/index.d.ts +2 -0
package/dist/runtime/index.d.ts.map +1 -0
package/dist/runtime/index.js +2 -0
package/dist/runtime/index.js.map +1 -0
package/dist/runtime/session-runtime.d.ts +27 -0
package/dist/runtime/session-runtime.d.ts.map +1 -0
package/dist/runtime/session-runtime.js +211 -0
package/dist/runtime/session-runtime.js.map +1 -0
package/dist/sandbox/cloudflare.d.ts +15 -0
package/dist/sandbox/cloudflare.d.ts.map +1 -0
package/dist/sandbox/cloudflare.js +137 -0
package/dist/sandbox/cloudflare.js.map +1 -0
package/dist/sandbox/container.d.ts +16 -0
package/dist/sandbox/container.d.ts.map +1 -0
package/dist/sandbox/container.js +126 -0
package/dist/sandbox/container.js.map +1 -0
package/dist/sandbox/errors.d.ts +6 -0
package/dist/sandbox/errors.d.ts.map +1 -0
package/dist/sandbox/errors.js +11 -0
package/dist/sandbox/errors.js.map +1 -0
package/dist/sandbox/firecracker.d.ts +17 -0
package/dist/sandbox/firecracker.d.ts.map +1 -0
package/dist/sandbox/firecracker.js +212 -0
package/dist/sandbox/firecracker.js.map +1 -0
package/dist/sandbox/host.d.ts +11 -0
package/dist/sandbox/host.d.ts.map +1 -0
package/dist/sandbox/host.js +89 -0
package/dist/sandbox/host.js.map +1 -0
package/dist/sandbox/image.d.ts +5 -0
package/dist/sandbox/image.d.ts.map +1 -0
package/dist/sandbox/image.js +30 -0
package/dist/sandbox/image.js.map +1 -0
package/dist/sandbox/index.d.ts +22 -0
package/dist/sandbox/index.d.ts.map +1 -0
package/dist/sandbox/index.js +54 -0
package/dist/sandbox/index.js.map +1 -0
package/dist/sandbox/path-context.d.ts +4 -0
package/dist/sandbox/path-context.d.ts.map +1 -0
package/dist/sandbox/path-context.js +20 -0
package/dist/sandbox/path-context.js.map +1 -0
package/dist/sandbox/types.d.ts +67 -0
package/dist/sandbox/types.d.ts.map +1 -0
package/dist/sandbox/types.js +2 -0
package/dist/sandbox/types.js.map +1 -0
package/dist/sandbox/utils.d.ts +4 -0
package/dist/sandbox/utils.d.ts.map +1 -0
package/dist/sandbox/utils.js +51 -0
package/dist/sandbox/utils.js.map +1 -0
package/dist/sandbox.d.ts +1 -39
package/dist/sandbox.d.ts.map +1 -1
package/dist/sandbox.js +1 -286
package/dist/sandbox.js.map +1 -1
package/dist/sentry.d.ts +2 -2
package/dist/sentry.d.ts.map +1 -1
package/dist/sentry.js +6 -4
package/dist/sentry.js.map +1 -1
package/dist/session-policy.d.ts +13 -0
package/dist/session-policy.d.ts.map +1 -0
package/dist/session-policy.js +23 -0
package/dist/session-policy.js.map +1 -0
package/dist/session-store.d.ts +35 -8
package/dist/session-store.d.ts.map +1 -1
package/dist/session-store.js +182 -23
package/dist/session-store.js.map +1 -1
package/dist/session-view/command.d.ts +5 -0
package/dist/session-view/command.d.ts.map +1 -0
package/dist/session-view/command.js +11 -0
package/dist/session-view/command.js.map +1 -0
package/dist/session-view/portal.d.ts +16 -0
package/dist/session-view/portal.d.ts.map +1 -0
package/dist/session-view/portal.js +1742 -0
package/dist/session-view/portal.js.map +1 -0
package/dist/session-view/service.d.ts +34 -0
package/dist/session-view/service.d.ts.map +1 -0
package/dist/session-view/service.js +427 -0
package/dist/session-view/service.js.map +1 -0
package/dist/session-view/store.d.ts +18 -0
package/dist/session-view/store.d.ts.map +1 -0
package/dist/session-view/store.js +39 -0
package/dist/session-view/store.js.map +1 -0
package/dist/store.d.ts +4 -7
package/dist/store.d.ts.map +1 -1
package/dist/store.js +26 -52
package/dist/store.js.map +1 -1
package/dist/tool-diagnostics.d.ts +2 -0
package/dist/tool-diagnostics.d.ts.map +1 -0
package/dist/tool-diagnostics.js +7 -0
package/dist/tool-diagnostics.js.map +1 -0
package/dist/tools/bash.d.ts +1 -1
package/dist/tools/bash.d.ts.map +1 -1
package/dist/tools/bash.js.map +1 -1
package/dist/tools/edit.d.ts +1 -1
package/dist/tools/edit.d.ts.map +1 -1
package/dist/tools/edit.js.map +1 -1
package/dist/tools/event.d.ts +62 -0
package/dist/tools/event.d.ts.map +1 -0
package/dist/tools/event.js +138 -0
package/dist/tools/event.js.map +1 -0
package/dist/tools/index.d.ts +8 -2
package/dist/tools/index.d.ts.map +1 -1
package/dist/tools/index.js +5 -1
package/dist/tools/index.js.map +1 -1
package/dist/tools/read.d.ts +1 -1
package/dist/tools/read.d.ts.map +1 -1
package/dist/tools/read.js.map +1 -1
package/dist/tools/write.d.ts +1 -1
package/dist/tools/write.d.ts.map +1 -1
package/dist/tools/write.js.map +1 -1
package/dist/trigger.d.ts +31 -0
package/dist/trigger.d.ts.map +1 -0
package/dist/trigger.js +98 -0
package/dist/trigger.js.map +1 -0
package/dist/ui-copy.d.ts +12 -0
package/dist/ui-copy.d.ts.map +1 -0
package/dist/ui-copy.js +36 -0
package/dist/ui-copy.js.map +1 -0
package/dist/vault-routing.d.ts +4 -0
package/dist/vault-routing.d.ts.map +1 -0
package/dist/vault-routing.js +16 -0
package/dist/vault-routing.js.map +1 -0
package/dist/vault.d.ts +72 -0
package/dist/vault.d.ts.map +1 -0
package/dist/vault.js +264 -0
package/dist/vault.js.map +1 -0
package/package.json +16 -13

package/dist/main.js CHANGED Viewed

@@ -1,19 +1,25 @@
 #!/usr/bin/env node
 import "./instrument.js";
 import { join, resolve } from "path";
-import { readFileSync } from "fs";
+import { mkdirSync, statSync, writeFileSync } from "fs";
+import { homedir } from "os";
 import { fileURLToPath } from "url";
 import { dirname, join as pathJoin } from "path";
 import { DiscordBot } from "./adapters/discord/index.js";
 import { TelegramBot } from "./adapters/telegram/index.js";
 import { SlackBot as SlackBotClass } from "./adapters/slack/index.js";
-import { createRunner } from "./agent.js";
-import { createManagedSessionFile, createManagedSessionFileAtPath, getSessionDir, getThreadSessionFile, } from "./session-store.js";
 import { downloadChannel } from "./download.js";
 import { createEventsWatcher } from "./events.js";
 import * as log from "./log.js";
-import { parseSandboxArg, validateSandbox } from "./sandbox.js";
-import { addLifecycleBreadcrumb, applyRunScope } from "./sentry.js";
+import { startLinkServer } from "./login/portal.js";
+import { InMemoryLinkTokenStore } from "./login/session.js";
+import { InMemorySessionViewTokenStore } from "./session-view/store.js";
+import { DockerContainerManager } from "./provisioner.js";
+import { createGlobalSettingsFile, loadAgentConfig, MissingGlobalSettingsError } from "./config.js";
+import { ensureDirExists, isRecord, readJsonFileIfExists } from "./file-guards.js";
+import { SandboxError, parseSandboxArg, validateSandbox } from "./sandbox.js";
+import { FileVaultManager } from "./vault.js";
+import { createSessionRuntime } from "./runtime/index.js";
 import { ChannelStore } from "./store.js";
 import * as Sentry from "@sentry/node";
 // ============================================================================
@@ -28,38 +34,50 @@ function getVersion() {
         pathJoin(process.cwd(), "package.json"),
     ];
     for (const pkgPath of possiblePaths) {
-        try {
-            const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
-            if (pkg.version)
-                return pkg.version;
-        }
-        catch {
-            // Continue to next path
-        }
+        const pkg = readJsonFileIfExists(pkgPath, (value) => isRecord(value), () => "Ignoring package.json while resolving version");
+        if (typeof pkg?.version === "string" && pkg.version)
+            return pkg.version;
     }
     return "unknown";
 }
-const MOM_SLACK_APP_TOKEN = process.env.MOM_SLACK_APP_TOKEN;
-const MOM_SLACK_BOT_TOKEN = process.env.MOM_SLACK_BOT_TOKEN;
-const MOM_TELEGRAM_BOT_TOKEN = process.env.MOM_TELEGRAM_BOT_TOKEN;
-const MOM_DISCORD_BOT_TOKEN = process.env.MOM_DISCORD_BOT_TOKEN;
+const MAMA_SLACK_APP_TOKEN = process.env.MAMA_SLACK_APP_TOKEN;
+const MAMA_SLACK_BOT_TOKEN = process.env.MAMA_SLACK_BOT_TOKEN;
+const MAMA_TELEGRAM_BOT_TOKEN = process.env.MAMA_TELEGRAM_BOT_TOKEN;
+const MAMA_DISCORD_BOT_TOKEN = process.env.MAMA_DISCORD_BOT_TOKEN;
+const MAMA_LINK_URL = process.env.MAMA_LINK_URL;
+const MAMA_LINK_PORT = process.env.MAMA_LINK_PORT
+    ? parseInt(process.env.MAMA_LINK_PORT, 10)
+    : MAMA_LINK_URL
+        ? 8181
+        : undefined;
 function parseArgs() {
     const args = process.argv.slice(2);
     let sandbox = { type: "host" };
     let workingDir;
+    let stateDirArg;
     let downloadChannelId;
+    let showOnboard = false;
     let showVersion = false;
     for (let i = 0; i < args.length; i++) {
         const arg = args[i];
         if (arg === "--version" || arg === "-v" || arg === "-V") {
             showVersion = true;
         }
+        else if (arg === "--onboard") {
+            showOnboard = true;
+        }
         else if (arg.startsWith("--sandbox=")) {
             sandbox = parseSandboxArg(arg.slice("--sandbox=".length));
         }
         else if (arg === "--sandbox") {
             sandbox = parseSandboxArg(args[++i] || "");
         }
+        else if (arg.startsWith("--state-dir=")) {
+            stateDirArg = arg.slice("--state-dir=".length);
+        }
+        else if (arg === "--state-dir") {
+            stateDirArg = args[++i];
+        }
         else if (arg.startsWith("--download=")) {
             downloadChannelId = arg.slice("--download=".length);
         }
@@ -72,283 +90,225 @@ function parseArgs() {
     }
     return {
         workingDir: workingDir ? resolve(workingDir) : undefined,
+        stateDir: stateDirArg ? resolve(stateDirArg) : undefined,
         sandbox,
         downloadChannel: downloadChannelId,
+        showOnboard,
         showVersion,
     };
 }
-const parsedArgs = parseArgs();
+const WORLD_WRITABLE_MODE = 0o002;
+function ensureSecureStateDir(path) {
+    let stat;
+    try {
+        stat = statSync(path);
+    }
+    catch (err) {
+        const code = err.code;
+        if (code === "ENOENT") {
+            mkdirSync(path, { recursive: true, mode: 0o700 });
+            return;
+        }
+        console.error(`Error: cannot access --state-dir ${path}: ${err.message}`);
+        process.exit(1);
+    }
+    if (!stat.isDirectory()) {
+        console.error(`Error: --state-dir ${path} exists but is not a directory`);
+        process.exit(1);
+    }
+    if (stat.mode & WORLD_WRITABLE_MODE) {
+        console.error(`Error: --state-dir ${path} is world-writable (mode ${(stat.mode & 0o777).toString(8)}). ` +
+            `Credentials stored there would be exposed to other local users. ` +
+            `Fix with: chmod 0700 ${path}`);
+        process.exit(1);
+    }
+    const euid = typeof process.geteuid === "function" ? process.geteuid() : undefined;
+    if (euid !== undefined && stat.uid !== euid) {
+        console.error(`Error: --state-dir ${path} is owned by uid ${stat.uid} but mama is running as uid ${euid}. ` +
+            `Run mama as the directory owner or point --state-dir at a directory you own.`);
+        process.exit(1);
+    }
+}
+function handleStartupError(error) {
+    if (error instanceof SandboxError) {
+        for (const line of error.formatForCli()) {
+            console.error(line);
+        }
+        process.exit(1);
+    }
+    if (error instanceof MissingGlobalSettingsError) {
+        console.error(`Missing global settings: ${error.settingsPath}`);
+        console.error("");
+        console.error("Run onboarding to create it:");
+        console.error(`  mama --onboard --state-dir ${stateDir}`);
+        console.error("");
+        console.error("Then review the generated settings.json and start mama again.");
+        process.exit(1);
+    }
+    if (error instanceof Error) {
+        console.error(`Error: ${error.message}`);
+        process.exit(1);
+    }
+    console.error(String(error));
+    process.exit(1);
+}
+let parsedArgs;
+try {
+    parsedArgs = parseArgs();
+}
+catch (error) {
+    handleStartupError(error);
+}
 // Handle --version
 if (parsedArgs.showVersion) {
     console.log(getVersion());
     process.exit(0);
 }
+// Handle --onboard mode
+if (parsedArgs.showOnboard) {
+    const stateDir = parsedArgs.stateDir ?? join(homedir(), ".mama");
+    process.env.MAMA_STATE_DIR = stateDir;
+    ensureSecureStateDir(stateDir);
+    try {
+        const settingsPath = createGlobalSettingsFile(stateDir);
+        console.log(`Created global settings at ${settingsPath}`);
+        console.log("Review the file, then start mama with your working directory.");
+        process.exit(0);
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+}
 // Handle --download mode (Slack only)
 if (parsedArgs.downloadChannel) {
-    if (!MOM_SLACK_BOT_TOKEN) {
-        console.error("Missing env: MOM_SLACK_BOT_TOKEN");
+    if (!MAMA_SLACK_BOT_TOKEN) {
+        console.error("Missing env: MAMA_SLACK_BOT_TOKEN");
         process.exit(1);
     }
-    await downloadChannel(parsedArgs.downloadChannel, MOM_SLACK_BOT_TOKEN);
+    await downloadChannel(parsedArgs.downloadChannel, MAMA_SLACK_BOT_TOKEN);
     process.exit(0);
 }
 // Normal bot mode - require working dir
 if (!parsedArgs.workingDir) {
-    console.error("Usage: mama [--sandbox=host|docker:<name>|firecracker:<vm-id>:<host-path>] <working-directory>");
+    console.error("Usage: mama [--state-dir=<dir>] [--sandbox=host|container:<name>|image:<image>|firecracker:<vm-id>:<host-path>|cloudflare:<sandbox-id>] <working-directory>");
+    console.error("       mama --onboard [--state-dir=<dir>]");
     console.error("       mama --download <channel-id>");
     process.exit(1);
 }
 const { workingDir, sandbox } = { workingDir: parsedArgs.workingDir, sandbox: parsedArgs.sandbox };
+const stateDir = parsedArgs.stateDir ?? join(homedir(), ".mama");
+process.env.MAMA_STATE_DIR = stateDir;
+ensureSecureStateDir(stateDir);
 // Validate platform tokens
-const hasSlack = !!(MOM_SLACK_APP_TOKEN && MOM_SLACK_BOT_TOKEN);
-const hasTelegram = !!MOM_TELEGRAM_BOT_TOKEN;
-const hasDiscord = !!MOM_DISCORD_BOT_TOKEN;
+const hasSlack = !!(MAMA_SLACK_APP_TOKEN && MAMA_SLACK_BOT_TOKEN);
+const hasTelegram = !!MAMA_TELEGRAM_BOT_TOKEN;
+const hasDiscord = !!MAMA_DISCORD_BOT_TOKEN;
 if (!hasSlack && !hasTelegram && !hasDiscord) {
     console.error("No platform tokens found. Set one of:\n" +
-        "  Slack:    MOM_SLACK_APP_TOKEN + MOM_SLACK_BOT_TOKEN\n" +
-        "  Telegram: MOM_TELEGRAM_BOT_TOKEN\n" +
-        "  Discord:  MOM_DISCORD_BOT_TOKEN");
+        "  Slack:    MAMA_SLACK_APP_TOKEN + MAMA_SLACK_BOT_TOKEN\n" +
+        "  Telegram: MAMA_TELEGRAM_BOT_TOKEN\n" +
+        "  Discord:  MAMA_DISCORD_BOT_TOKEN");
     process.exit(1);
 }
-await validateSandbox(sandbox);
-const channelStates = new Map();
-/** Track in-flight runs for graceful shutdown */
-const inFlightRuns = new Set();
-/** Flag to stop accepting new events during shutdown */
-let isShuttingDown = false;
-/** Maximum number of cached sessions */
-const MAX_SESSIONS = 500;
-/** Idle timeout before a non-running session can be evicted (1 hour) */
-const IDLE_TIMEOUT_MS = 3600000;
-async function getState(channelId, sessionKey) {
-    const key = sessionKey ?? channelId;
-    let state = channelStates.get(key);
-    if (!state) {
-        const channelDir = join(workingDir, channelId);
-        state = {
-            running: false,
-            runner: await createRunner(sandbox, key, channelId, channelDir, workingDir),
-            stopRequested: false,
-            lastAccessedAt: Date.now(),
-        };
-        channelStates.set(key, state);
+try {
+    await validateSandbox(sandbox);
+}
+catch (error) {
+    handleStartupError(error);
+}
+const vaultManager = new FileVaultManager(stateDir);
+if (vaultManager.isEnabled()) {
+    console.log(sandbox.type === "container"
+        ? "  Vault system enabled. Container vault active."
+        : sandbox.type === "image" || sandbox.type === "firecracker" || sandbox.type === "cloudflare"
+            ? "  Vault system enabled. Conversation-scoped credential routing active."
+            : "  Vault system enabled. Host mode will not inject vault env.");
+}
+const startupConfig = (() => {
+    try {
+        return loadAgentConfig();
     }
-    else {
-        state.lastAccessedAt = Date.now();
+    catch (error) {
+        handleStartupError(error);
     }
-    return state;
-}
-/**
- * Evict idle sessions from channelStates to bound memory usage.
- * Called after each handleEvent completes.
- */
-function evictIdleSessions() {
-    const now = Date.now();
-    for (const [key, state] of channelStates) {
-        if (!state.running && now - state.lastAccessedAt > IDLE_TIMEOUT_MS) {
-            channelStates.delete(key);
-        }
+})();
+const sandboxLimits = startupConfig.sandboxCpus || startupConfig.sandboxMemory
+    ? { cpus: startupConfig.sandboxCpus, memory: startupConfig.sandboxMemory }
+    : undefined;
+const sandboxBoostLimits = startupConfig.sandboxBoostCpus || startupConfig.sandboxBoostMemory
+    ? { cpus: startupConfig.sandboxBoostCpus, memory: startupConfig.sandboxBoostMemory }
+    : undefined;
+const provisioner = sandbox.type === "image"
+    ? new DockerContainerManager(sandbox.image, {
+        limits: sandboxLimits,
+        boostLimits: sandboxBoostLimits,
+    })
+    : undefined;
+if (sandbox.type === "image") {
+    ensureDirExists(join(workingDir, "skills"));
+    ensureDirExists(join(workingDir, "events"));
+    try {
+        writeFileSync(join(workingDir, "MEMORY.md"), "", { flag: "wx" });
     }
-    if (channelStates.size > MAX_SESSIONS) {
-        const idleSessions = [];
-        for (const [key, state] of channelStates) {
-            if (!state.running) {
-                idleSessions.push({ key, lastAccessedAt: state.lastAccessedAt });
-            }
-        }
-        idleSessions.sort((a, b) => a.lastAccessedAt - b.lastAccessedAt);
-        const toEvict = channelStates.size - MAX_SESSIONS;
-        for (let i = 0; i < toEvict && i < idleSessions.length; i++) {
-            channelStates.delete(idleSessions[i].key);
-        }
+    catch (err) {
+        if (err.code !== "EEXIST")
+            throw err;
     }
 }
-// ============================================================================
-// Handler
-// ============================================================================
-const handler = {
-    isRunning(sessionKey) {
-        const state = channelStates.get(sessionKey);
-        return !!state?.running;
-    },
-    getRunningSessions() {
-        const sessions = [];
-        for (const [sessionKey, state] of channelStates) {
-            if (state.running && state.startedAt) {
-                // Get current step from runner
-                const currentStep = state.runner.getCurrentStep();
-                sessions.push({
-                    sessionKey,
-                    startedAt: state.startedAt,
-                    lastActivityAt: state.lastActivityAt,
-                    currentTool: currentStep?.label || currentStep?.toolName,
-                });
-            }
-        }
-        return sessions;
-    },
-    async handleStop(sessionKey, channelId, bot) {
-        const state = channelStates.get(sessionKey);
-        if (state?.running) {
-            state.stopRequested = true;
-            state.runner.abort();
-            const ts = await bot.postMessage(channelId, "_Stopping..._");
-            state.stopMessageTs = ts;
-        }
-        else {
-            await bot.postMessage(channelId, "_Nothing running_");
-        }
-    },
-    forceStop(sessionKey) {
-        const state = channelStates.get(sessionKey);
-        if (state?.running) {
-            log.logInfo(`[Force Stop] Force stopping session: ${sessionKey}`);
-            state.stopRequested = true;
-            state.runner.abort();
-            state.running = false;
-        }
-    },
-    async handleNew(sessionKey, channelId, bot) {
-        const state = channelStates.get(sessionKey);
-        if (state?.running) {
-            state.stopRequested = true;
-            state.runner.abort();
-        }
-        // Channel sessions rotate via current pointer. Thread sessions reset in place.
-        const channelDir = join(workingDir, channelId);
-        if (sessionKey.includes(":")) {
-            createManagedSessionFileAtPath(getThreadSessionFile(channelDir, sessionKey), channelDir);
-        }
-        else {
-            createManagedSessionFile(getSessionDir(channelDir, sessionKey), channelDir);
-        }
-        // Remove from in-memory cache
-        channelStates.delete(sessionKey);
-        log.logInfo(`[${channelId}] Session reset: ${sessionKey}`);
-        await bot.postMessage(channelId, "Conversation reset. Send a new message to start fresh.");
-    },
-    async handleEvent(event, bot, adapters, _isEvent) {
-        // Don't accept new events during shutdown
-        if (isShuttingDown) {
-            log.logInfo(`[${event.channel}] Rejected event during shutdown: ${event.text.substring(0, 50)}`);
-            return;
-        }
-        const sessionKey = event.sessionKey ?? `${event.channel}:${event.thread_ts ?? event.ts}`;
-        const state = await getState(event.channel, sessionKey);
-        // Start run
-        state.running = true;
-        state.stopRequested = false;
-        state.startedAt = Date.now();
-        state.lastActivityAt = Date.now();
-        log.logInfo(`[${event.channel}] Starting run: ${event.text.substring(0, 50)}`);
-        // Wrap in-flight run tracking
-        Sentry.metrics.count("agent.run.started", 1, {
-            attributes: { channel: event.channel },
-        });
-        Sentry.metrics.gauge("agent.sessions.active", inFlightRuns.size + 1);
-        const runPromise = Sentry.startSpan({ name: "agent.run", op: "agent", attributes: { channelId: event.channel, sessionKey } }, async () => {
-            return Sentry.withScope(async (scope) => {
-                const { message, responseCtx, platform } = adapters;
-                applyRunScope(scope, {
-                    channelId: event.channel,
-                    sessionKey,
-                    messageId: message.id,
-                    platform: platform.name,
-                    userId: message.userId,
-                    userName: message.userName,
-                    threadTs: message.threadTs,
-                    isEvent: _isEvent,
-                });
-                addLifecycleBreadcrumb("agent.run.started", {
-                    channel_id: event.channel,
-                    platform: platform.name,
-                    has_attachments: (message.attachments?.length ?? 0) > 0,
-                });
-                try {
-                    await responseCtx.setTyping(true);
-                    await responseCtx.setWorking(true);
-                    const result = await state.runner.run(message, responseCtx, platform);
-                    await responseCtx.setWorking(false);
-                    const durationMs = Date.now() - state.startedAt;
-                    Sentry.metrics.distribution("agent.run.duration", durationMs, {
-                        unit: "millisecond",
-                        attributes: {
-                            channel: event.channel,
-                            platform: platform.name,
-                            stop_reason: result.stopReason,
-                        },
-                    });
-                    Sentry.metrics.count("agent.run.completed", 1, {
-                        attributes: {
-                            channel: event.channel,
-                            platform: platform.name,
-                            stop_reason: result.stopReason,
-                        },
-                    });
-                    addLifecycleBreadcrumb("agent.run.completed", {
-                        channel_id: event.channel,
-                        platform: platform.name,
-                        stop_reason: result.stopReason,
-                        duration_ms: durationMs,
-                    });
-                    if (result.stopReason === "aborted" && state.stopRequested) {
-                        if (state.stopMessageTs) {
-                            await bot.updateMessage(event.channel, state.stopMessageTs, "_Stopped_");
-                            state.stopMessageTs = undefined;
-                        }
-                        else {
-                            await bot.postMessage(event.channel, "_Stopped_");
-                        }
-                    }
-                }
-                catch (err) {
-                    scope.setContext("agent_run_error", {
-                        channelId: event.channel,
-                        sessionKey,
-                        platform: adapters.platform.name,
-                        messageId: adapters.message.id,
-                        threadTs: adapters.message.threadTs,
-                    });
-                    Sentry.captureException(err);
-                    Sentry.metrics.count("agent.run.errors", 1, {
-                        attributes: { channel: event.channel, platform: adapters.platform.name },
-                    });
-                    log.logWarning(`[${event.channel}] Run error`, err instanceof Error ? err.message : String(err));
-                }
-                finally {
-                    state.running = false;
-                    state.lastAccessedAt = Date.now();
-                    Sentry.metrics.gauge("agent.sessions.active", inFlightRuns.size - 1);
-                    evictIdleSessions();
-                }
-            });
-        });
-        inFlightRuns.add(runPromise);
-        try {
-            await runPromise;
-        }
-        finally {
-            inFlightRuns.delete(runPromise);
-        }
-    },
-};
+const linkTokenStore = new InMemoryLinkTokenStore();
+const sessionViewTokenStore = new InMemorySessionViewTokenStore();
+setInterval(() => linkTokenStore.purge(), 5 * 60 * 1000).unref();
+setInterval(() => sessionViewTokenStore.purge(), 5 * 60 * 1000).unref();
+function portalBaseUrl() {
+    if (MAMA_LINK_URL)
+        return MAMA_LINK_URL.replace(/\/+$/, "");
+    if (MAMA_LINK_PORT)
+        return `http://localhost:${MAMA_LINK_PORT}`;
+    return undefined;
+}
+/** Idle timeout for managed image containers (10 minutes) */
+const IMAGE_IDLE_TIMEOUT_MS = 10 * 60 * 1000;
+if (provisioner) {
+    await provisioner.reconcile();
+    await provisioner.stopIdle(IMAGE_IDLE_TIMEOUT_MS);
+    setInterval(() => provisioner.stopIdle(IMAGE_IDLE_TIMEOUT_MS), IMAGE_IDLE_TIMEOUT_MS).unref();
+}
+const handler = createSessionRuntime({
+    workingDir,
+    sandbox,
+    vaultManager,
+    provisioner,
+    linkTokenStore,
+    sessionViewTokenStore,
+    portalBaseUrl: portalBaseUrl(),
+});
 // ============================================================================
 // Start
 // ============================================================================
 const sandboxDesc = sandbox.type === "host"
     ? "host"
-    : sandbox.type === "docker"
-        ? `docker:${sandbox.container}`
-        : `firecracker:${sandbox.vmId}`;
+    : sandbox.type === "container"
+        ? `container:${sandbox.container}`
+        : sandbox.type === "image"
+            ? `image:${sandbox.image}`
+            : sandbox.type === "firecracker"
+                ? `firecracker:${sandbox.vmId}`
+                : `cloudflare:${sandbox.sandboxId}`;
 log.logStartup(workingDir, sandboxDesc);
 // Create platform bots
 const bots = [];
 const botsByPlatform = {};
 if (hasSlack) {
-    const sharedStore = new ChannelStore({ workingDir, botToken: MOM_SLACK_BOT_TOKEN });
+    const slackBotToken = MAMA_SLACK_BOT_TOKEN;
+    const slackAppToken = MAMA_SLACK_APP_TOKEN;
+    if (!slackBotToken || !slackAppToken) {
+        throw new Error("Slack startup requires both MAMA_SLACK_APP_TOKEN and MAMA_SLACK_BOT_TOKEN");
+    }
+    const sharedStore = new ChannelStore({ workingDir, botToken: slackBotToken });
     const slackBot = new SlackBotClass(handler, {
-        appToken: MOM_SLACK_APP_TOKEN,
-        botToken: MOM_SLACK_BOT_TOKEN,
+        appToken: slackAppToken,
+        botToken: slackBotToken,
         workingDir,
         store: sharedStore,
     });
@@ -357,8 +317,12 @@ if (hasSlack) {
     log.logInfo("Platform: Slack");
 }
 if (hasTelegram) {
+    const telegramToken = MAMA_TELEGRAM_BOT_TOKEN;
+    if (!telegramToken) {
+        throw new Error("Telegram startup requires MAMA_TELEGRAM_BOT_TOKEN");
+    }
     const telegramBot = new TelegramBot(handler, {
-        token: MOM_TELEGRAM_BOT_TOKEN,
+        token: telegramToken,
         workingDir,
     });
     bots.push(telegramBot);
@@ -366,14 +330,25 @@ if (hasTelegram) {
     log.logInfo("Platform: Telegram");
 }
 if (hasDiscord) {
+    const discordToken = MAMA_DISCORD_BOT_TOKEN;
+    if (!discordToken) {
+        throw new Error("Discord startup requires MAMA_DISCORD_BOT_TOKEN");
+    }
     const discordBot = new DiscordBot(handler, {
-        token: MOM_DISCORD_BOT_TOKEN,
+        token: discordToken,
         workingDir,
     });
     bots.push(discordBot);
     botsByPlatform.discord = discordBot;
     log.logInfo("Platform: Discord");
 }
+if (MAMA_LINK_PORT) {
+    startLinkServer(MAMA_LINK_PORT, linkTokenStore, vaultManager, async (platform, conversationId, message) => {
+        const bot = botsByPlatform[platform];
+        if (bot)
+            await bot.postMessage(conversationId, message);
+    }, sessionViewTokenStore, { handler, botsByPlatform });
+}
 // Start events watcher with explicit platform routing
 const eventsWatcher = createEventsWatcher(workingDir, botsByPlatform);
 const slackBot = botsByPlatform.slack;
@@ -383,17 +358,7 @@ if (slackBot) {
 eventsWatcher.start();
 // Handle shutdown
 async function shutdown() {
-    if (isShuttingDown)
-        return;
-    isShuttingDown = true;
-    log.logInfo("Shutting down gracefully...");
-    const timeout = Date.now() + 30000;
-    while (inFlightRuns.size > 0 && Date.now() < timeout) {
-        await new Promise((resolve) => setTimeout(resolve, 500));
-    }
-    if (inFlightRuns.size > 0) {
-        log.logWarning(`Forcing exit with ${inFlightRuns.size} runs still in progress`);
-    }
+    await handler.shutdown();
     eventsWatcher.stop();
     await Sentry.close(5000);
     process.exit(0);