@grindxp/cli 0.1.8 → 0.1.9

package/dist/web/server/assets/{agent.functions-zpMkBrG3.js → agent.functions-BL3upUNr.js}

@@ -1,9 +1,10 @@
-import { f as createQuest, h as completeQuest, i as getQuestById, u as updateQuestStatus, g as getCompanionByUserId, j as updateCompanionUserContext, k as updateCompanionInsight, m as findCompanionInsightByContent, n as createCompanionInsight, o as listCompanionInsights, l as listQuestsByUser, p as findQuestByPrefix, c as createServerRpc, q as getConversationById, r as createConversation, s as appendMessage, t as getConversationMessages, v as storedToModelMessages } from "./sessions-DOkG47Ex.js";
-import { d as desc, f as forgeRules, e as eq, b as and, c as forgeRuleSchema, h as createForgeRuleInputSchema, i as forgeRuns, j as forgeRunSchema, s as sql, k as createForgeRunInputSchema, Z as ZodFirstPartyTypeKind, o as objectType, n as numberType, l as stringType, m as arrayType, p as enumType, u as unionType, q as getOAuthToken, r as isTokenExpired, t as refreshOAuthToken, O as OAUTH_CONFIGS, x as xpForLevelThreshold, v as formatElapsed, A as ACTIVITY_BASE_XP, w as activityTypeSchema, y as questDifficultySchema, z as booleanType, B as recordType, C as unknownType, a as getUserById, D as readTimer, E as getElapsedMinutes, F as clearTimer, G as writeTimer, H as readGrindConfig, I as signals, J as writeGrindConfig, K as users, L as quests, M as skills, N as gte, P as questLogs, g as getVaultContext, Q as getGrindConfig } from "./vault.server-Ndu49yTf.js";
+import { f as createQuest, h as completeQuest, i as getQuestById, u as updateQuestStatus, j as updateCompanionMode, k as listCompanionInsights, m as deleteCompanionInsight, n as findQuestByPrefix, l as listQuestsByUser, o as updateQuest, p as listQuestLogs, a as listSkillsByUser, g as getCompanionByUserId, q as updateCompanionUserContext, r as updateCompanionInsight, s as findCompanionInsightByContent, t as createCompanionInsight, c as createServerRpc, v as getConversationById, w as createConversation, x as appendMessage, y as getConversationMessages, z as storedToModelMessages } from "./sessions-UCWtijHE.js";
+import { b as and, e as eq, s as signals, d as desc, f as forgeRules, c as forgeRuleSchema, h as createForgeRuleInputSchema, i as forgeRuns, j as signalSchema, k as forgeRunSchema, l as sql, m as createForgeRunInputSchema, Z as ZodFirstPartyTypeKind, o as objectType, n as numberType, p as stringType, q as arrayType, r as enumType, u as unionType, t as getOAuthToken, v as isTokenExpired, w as refreshOAuthToken, O as OAUTH_CONFIGS, x as xpForLevelThreshold, y as formatElapsed, A as ACTIVITY_BASE_XP, z as activityTypeSchema, B as questDifficultySchema, C as booleanType, D as recordType, E as unknownType, a as getUserById, F as readTimer, G as getElapsedMinutes, H as clearTimer, I as writeTimer, J as readGrindConfig, K as writeGrindConfig, L as users, M as quests, N as skills, P as gte, Q as questLogs, g as getVaultContext, R as getGrindConfig } from "./vault.server-CscY5Z8e.js";
 import * as fs from "fs/promises";
 import * as path from "path";
 import os from "os";
 import { spawnSync } from "node:child_process";
+import { homedir } from "node:os";
 import { c as createServerFn } from "../server.js";
 function rowToForgeRule(row) {
   return forgeRuleSchema.parse({
@@ -19,6 +20,18 @@ function rowToForgeRule(row) {
     updatedAt: row.updatedAt
   });
 }
+function rowToSignal(row) {
+  return signalSchema.parse({
+    id: row.id,
+    userId: row.userId,
+    source: row.source,
+    type: row.type,
+    confidence: row.confidence,
+    payload: row.payload,
+    detectedAt: row.detectedAt,
+    ingestedAt: row.ingestedAt
+  });
+}
 function rowToForgeRun(row) {
   return forgeRunSchema.parse({
     id: row.id,
@@ -98,6 +111,16 @@ async function deleteForgeRule(db, userId, ruleId) {
   const rows = await db.delete(forgeRules).where(and(eq(forgeRules.id, ruleId), eq(forgeRules.userId, userId))).returning({ id: forgeRules.id });
   return rows.length > 0;
 }
+async function listSignals(db, userId, options = {}) {
+  const { limit = 20, source } = options;
+  const where = source ? and(eq(signals.userId, userId), eq(signals.source, source)) : eq(signals.userId, userId);
+  const rows = await db.query.signals.findMany({
+    where,
+    orderBy: [desc(signals.detectedAt)],
+    limit
+  });
+  return rows.map(rowToSignal);
+}
 async function hasForgeRunByDedupe(db, ruleId, dedupeKey) {
   const rows = await db.select({ value: sql`count(1)` }).from(forgeRuns).where(and(eq(forgeRuns.ruleId, ruleId), eq(forgeRuns.dedupeKey, dedupeKey)));
   const count = rows[0]?.value ?? 0;
@@ -7164,8 +7187,8 @@ function requireGetVercelOidcToken() {
     }
     try {
       const [{ getTokenPayload, isExpired }, { refreshToken }] = await Promise.all([
-        await import("./token-util-1cB5CD6M.js").then((n) => n.t),
-        await import("./token-W0NPKas8.js").then((n) => n.t)
+        await import("./token-util-Bw35afYM.js").then((n) => n.t),
+        await import("./token-DGoahKjI.js").then((n) => n.t)
       ]);
       if (!token || isExpired(getTokenPayload(token))) {
         await refreshToken();
@@ -15441,7 +15464,7 @@ async function resolveModel(config2) {
   const modelId = config2.model ?? DEFAULT_MODELS[provider];
   switch (provider) {
     case "anthropic": {
-      const { createAnthropic } = await import("./index-C09LXa7Z.js");
+      const { createAnthropic } = await import("./index-B2ULpkv2.js");
       if (config2.authType === "oauth") {
         const client2 = createAnthropic({
           authToken: "grind-oauth-managed",
@@ -15459,7 +15482,7 @@ async function resolveModel(config2) {
       return client(modelId);
     }
     case "openai": {
-      const { createOpenAI } = await import("./index-BDL7hA7T.js");
+      const { createOpenAI } = await import("./index-BQUCDamI.js");
       if (config2.authType === "oauth") {
         const client2 = createOpenAI({
           apiKey: "openai-oauth-dummy",
@@ -15475,14 +15498,14 @@ async function resolveModel(config2) {
       return client(modelId);
     }
     case "google": {
-      const { createGoogleGenerativeAI } = await import("./index-D31yYLCV.js");
+      const { createGoogleGenerativeAI } = await import("./index-BGBMycx-.js");
       const client = createGoogleGenerativeAI({
         ...config2.apiKey ? { apiKey: config2.apiKey } : {}
       });
       return client(modelId);
     }
     case "ollama": {
-      const { createOpenAI } = await import("./index-BDL7hA7T.js");
+      const { createOpenAI } = await import("./index-BQUCDamI.js");
       const client = createOpenAI({
         baseURL: config2.baseUrl ?? "http://localhost:11434/v1",
         apiKey: "ollama"
@@ -15564,8 +15587,16 @@ TOOL USAGE:
 - When asked whether integrations/channels are connected or available (Telegram, WhatsApp, Discord, Google Calendar), call get_integrations_status first. Do not guess.
 - If the user asks to send or test a Telegram message, call send_telegram_message immediately. Never ask the user for their chat ID — it is resolved automatically.
 - If send_telegram_message fails because no chat ID was found yet, tell the user to send any message to the bot from Telegram (not /start specifically) and offer to try again immediately after.
-- When the user asks to automate, schedule reminders, or set recurring workflows, use forge tools (create_forge_rule, list_forge_rules, update_forge_rule, run_forge_rule, delete_forge_rule) instead of telling them to use CLI manually.
-- Before updating or deleting a forge rule, call list_forge_rules to confirm the target. Use list_forge_runs to diagnose failures.
+- When the user asks to automate, schedule reminders, or set recurring workflows, use forge tools directly — never tell the user to use the CLI manually.
+- Before updating, deleting, or running a specific rule, call list_forge_rules to confirm the target and read its xpImpact field.
+- xpImpact: false rules (notifications, reminders, monitors): act fully autonomously — no explanation needed beyond confirming what you did.
+- xpImpact: true rules (log-to-vault, update-skill): proceed autonomously and briefly mention in your reply that XP will be awarded automatically.
+- Deleting a rule is permanent — tell the user this before calling delete_forge_rule.
+- run-script rules execute shell scripts as automations — always show the full script in your reply when creating or updating one.
+- Use list_forge_runs to diagnose failures.
+- When the user names a specific calendar (anything other than 'primary'), always call list_calendars first to resolve the name to its id, then pass that id to create_calendar_event or get_calendar_events. Never assume the id — always look it up.
+- If list_calendars does not return the named calendar and the user wants to create it, call create_calendar first, then use the returned id immediately for any subsequent event creation.
+- Never ask the user for a calendar ID — always resolve it yourself via list_calendars.
 - Keep responses concise. 1-3 sentences for simple actions. No walls of text.
 
 WEB & FILE ACCESS:
@@ -15905,6 +15936,15 @@ async function listCalendars(serviceConfig) {
   const data = await resp.json();
   return data.items ?? [];
 }
+async function createCalendar(serviceConfig, summary, timeZone) {
+  const body = { summary };
+  if (timeZone) body.timeZone = timeZone;
+  const resp = await googleFetch(`${BASE$1}/calendars`, serviceConfig, {
+    method: "POST",
+    body: JSON.stringify(body)
+  });
+  return resp.json();
+}
 const BASE = "https://gmail.googleapis.com/gmail/v1/users/me";
 function extractHeader(headers, name16) {
   return headers.find((h) => h.name.toLowerCase() === name16.toLowerCase())?.value ?? "";
@@ -16075,6 +16115,8 @@ async function executeForgeAction(db, userId, plan) {
         return executeLogToVault(db, userId, plan);
       case "send-notification":
         return executeSendNotification(plan);
+      case "run-script":
+        return executeRunScript(plan);
       default:
         return {
           status: "skipped",
@@ -16270,6 +16312,53 @@ async function executeSendNotification(plan) {
     error: `Unsupported notification channel '${channel}'.`
   };
 }
+async function executeRunScript(plan) {
+  const script = asString(plan.actionConfig.script);
+  if (!script) {
+    return {
+      status: "failed",
+      actionPayload: {},
+      error: "run-script requires actionConfig.script."
+    };
+  }
+  const timeoutMs = parsePositiveInt$1(plan.actionConfig.timeout) ?? 3e4;
+  const rawWorkdir = asString(plan.actionConfig.workdir);
+  const workdir = rawWorkdir ? rawWorkdir.replace(/^~/, homedir()) : void 0;
+  const result = spawnSync("sh", ["-c", script], {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: timeoutMs,
+    ...workdir ? { cwd: workdir } : {}
+  });
+  const errCode = result.error?.code;
+  if (errCode === "ENOENT" && workdir) {
+    return {
+      status: "failed",
+      actionPayload: { script, exitCode: null },
+      error: `Working directory does not exist: ${workdir}`
+    };
+  }
+  if (errCode === "ETIMEDOUT") {
+    return {
+      status: "failed",
+      actionPayload: { script, exitCode: null },
+      error: `Script timed out after ${timeoutMs}ms.`
+    };
+  }
+  if (result.status !== 0) {
+    const stderr = result.stderr?.trim().slice(0, 500) ?? "";
+    return {
+      status: "failed",
+      actionPayload: { script, exitCode: result.status },
+      error: `Script exited ${result.status ?? "null"}${stderr ? `: ${stderr}` : ""}`
+    };
+  }
+  const stdout = result.stdout?.trim().slice(0, 2e3) ?? "";
+  return {
+    status: "success",
+    actionPayload: { script, exitCode: 0, ...stdout ? { stdout } : {} }
+  };
+}
 async function executeQueueQuest(db, userId, plan) {
   const eventPayload = asRecord$1(plan.actionConfig.eventPayload);
   const questId = asString(plan.actionConfig.questId) ?? asString(eventPayload?.questId) ?? asString(plan.actionConfig.targetQuestId);
@@ -16379,6 +16468,37 @@ function parseConfidence(value) {
   if (Number.isNaN(value) || value < 0 || value > 1) return null;
   return value;
 }
+const TRUST_LEVEL_NAMES = ["Watcher", "Advisor", "Scribe", "Agent", "Sovereign"];
+const TOOL_TRUST_REQUIREMENTS = {
+  // Lv.2 Scribe: can act on behalf of the user
+  complete_quest: 2,
+  abandon_quest: 2,
+  activate_quest: 2,
+  start_timer: 2,
+  stop_timer: 2,
+  update_companion_mode: 2,
+  // Lv.3 Agent: can create and modify structure
+  create_quest: 3,
+  update_quest: 3,
+  // Lv.4 Sovereign: destructive or sensitive operations
+  delete_insight: 4
+  // Note: forge operations are not gated by trust level — the AI reasons
+  // autonomously using the xpImpact field returned by list_forge_rules.
+};
+function requireTrust(ctx, toolName) {
+  const required2 = TOOL_TRUST_REQUIREMENTS[toolName];
+  if (required2 === void 0) return { denied: false };
+  const current = ctx.trustLevel ?? 0;
+  if (current < required2) {
+    const requiredName = TRUST_LEVEL_NAMES[required2] ?? `Lv.${required2}`;
+    const currentName = TRUST_LEVEL_NAMES[current] ?? `Lv.${current}`;
+    return {
+      denied: true,
+      error: `Action requires trust level ${required2} (${requiredName}). Current level: ${current} (${currentName}). Grant trust with: grindxp companion trust ${required2}`
+    };
+  }
+  return { denied: false };
+}
 const MAX_FETCH_SIZE = 50 * 1024;
 const MAX_READ_SIZE = 50 * 1024;
 const MAX_BASH_OUTPUT = 50 * 1024;
@@ -16435,6 +16555,38 @@ async function requirePermission(ctx, toolName, detail) {
   if (reply === "deny") return { denied: true, error: "Permission denied by user" };
   return { denied: false };
 }
+function classifyGoogleError(err) {
+  if (err instanceof GoogleNotConnectedError || err instanceof GoogleTokenExpiredError) {
+    return "Google account not connected or session expired. Run `grindxp integrations connect google`.";
+  }
+  if (err instanceof GoogleApiError) {
+    switch (err.status) {
+      case 401:
+        return "Google account disconnected. Run `grindxp integrations connect google`.";
+      case 403:
+        return "No write access to this calendar. Check the calendar's sharing settings.";
+      case 404:
+        return "Calendar or event not found. Use list_calendars to verify available calendar IDs.";
+      case 409:
+        return "Conflict — this event may already exist on the calendar.";
+      case 410:
+        return "Sync token expired — a full re-sync will happen on the next poll.";
+    }
+    if (err.status >= 500) {
+      return "Google Calendar is temporarily unavailable. Try again in a moment.";
+    }
+    if (err.status === 400) {
+      try {
+        const parsed = JSON.parse(err.body);
+        const msg = parsed?.error?.message;
+        if (msg) return `Invalid request: ${msg}`;
+      } catch {
+      }
+      return "Invalid request — check the calendar ID and date format.";
+    }
+  }
+  return err instanceof Error ? err.message : String(err);
+}
 async function extractText(html) {
   let text2 = "";
   let skip = false;
@@ -16593,16 +16745,6 @@ async function resolveTelegramChatId(ctx, token) {
       return { chatId: candidate, source: "recent-signal" };
     }
   }
-  const webhookActive = Boolean(
-    ctx.config?.gateway?.telegramWebhookSecret ?? freshConfig?.gateway?.telegramWebhookSecret
-  );
-  if (webhookActive) {
-    return {
-      chatId: null,
-      source: "none",
-      detail: "Send any message to your Telegram bot and I'll respond automatically. The chat ID will be captured on first contact."
-    };
-  }
   const updatesResponse = await fetch(
     `https://api.telegram.org/bot${token}/getUpdates?limit=50&timeout=0`,
     {
@@ -16668,10 +16810,17 @@ function persistTelegramDefaultChatId(ctx, chatId) {
       telegramDefaultChatId: chatId
     }
   };
-  writeGrindConfig(ctx.config);
+  const onDisk = readGrindConfig();
+  if (!onDisk?.gateway) return;
+  writeGrindConfig({ ...onDisk, gateway: { ...onDisk.gateway, telegramDefaultChatId: chatId } });
 }
 const FORGE_TRIGGER_TYPES = ["cron", "event", "signal", "webhook", "manual"];
-const FORGE_ACTION_TYPES = ["queue-quest", "log-to-vault", "send-notification"];
+const FORGE_ACTION_TYPES = [
+  "queue-quest",
+  "log-to-vault",
+  "send-notification",
+  "run-script"
+];
 const FORGE_NOTIFICATION_CHANNELS = ["console", "telegram", "webhook", "whatsapp"];
 const FORGE_WEBHOOK_CHANNEL_TAGS = ["webhook", "telegram", "discord", "whatsapp"];
 const SIMPLE_CRON_FIELD_REGEX = /^[\d*/,\-]+$/;
@@ -16982,6 +17131,37 @@ async function normalizeForgeRuleDefinition(ctx, input) {
       }
       break;
     }
+    case "run-script": {
+      const script = asNonEmptyString(actionConfig.script);
+      if (!script) {
+        return {
+          ok: false,
+          error: "run-script requires actionConfig.script (shell command to execute)."
+        };
+      }
+      actionConfig.script = script;
+      if (actionConfig.timeout !== void 0) {
+        const timeout = parsePositiveInt(actionConfig.timeout);
+        if (!timeout) {
+          return {
+            ok: false,
+            error: "run-script actionConfig.timeout must be a positive integer (milliseconds)."
+          };
+        }
+        actionConfig.timeout = timeout;
+      }
+      if (actionConfig.workdir !== void 0) {
+        const workdir = asNonEmptyString(actionConfig.workdir);
+        if (!workdir) {
+          return {
+            ok: false,
+            error: "run-script actionConfig.workdir must be a non-empty string when provided."
+          };
+        }
+        actionConfig.workdir = workdir;
+      }
+      break;
+    }
   }
   return {
     ok: true,
@@ -17049,7 +17229,7 @@ function createGrindTools(ctx) {
           const calendars = await listCalendars(googleConfig);
           return { ok: true, calendars, count: calendars.length };
         } catch (err) {
-          return { ok: false, error: err instanceof Error ? err.message : String(err) };
+          return { ok: false, error: classifyGoogleError(err) };
         }
       }
     }),
@@ -17145,12 +17325,12 @@ function createGrindTools(ctx) {
           });
           return { ok: true, events: result.events, count: result.events.length };
         } catch (err) {
-          return { ok: false, error: err instanceof Error ? err.message : String(err) };
+          return { ok: false, error: classifyGoogleError(err) };
         }
       }
     }),
     create_calendar_event: tool({
-      description: "Create a new event in Google Calendar. Creates in the primary calendar by default. Use list_calendars to find other calendar IDs if needed.",
+      description: "Create a new event in Google Calendar. If the user names a specific calendar (anything other than 'primary'), call list_calendars first to resolve its id, then pass that id as calendarId. If the calendar does not exist yet, call create_calendar first, then use the returned id.",
       inputSchema: objectType({
         summary: stringType().min(1).max(500).describe("Event title"),
         startDateTime: stringType().describe("Start time (ISO 8601, e.g. 2026-02-21T09:00:00)"),
@@ -17159,7 +17339,10 @@ function createGrindTools(ctx) {
         location: stringType().optional().describe("Event location"),
         attendees: arrayType(stringType().email()).optional().describe("List of attendee email addresses"),
         allDay: booleanType().optional().describe("If true, treats startDateTime/endDateTime as dates (YYYY-MM-DD)"),
-        timeZone: stringType().optional().describe("IANA timezone name (e.g. America/New_York)")
+        timeZone: stringType().optional().describe("IANA timezone name (e.g. America/New_York)"),
+        calendarId: stringType().optional().describe(
+          "Calendar ID to create the event in. Use list_calendars to resolve a calendar name to its id. Defaults to the primary calendar."
+        )
       }),
       execute: async ({
         summary,
@@ -17169,7 +17352,8 @@ function createGrindTools(ctx) {
         location,
         attendees,
         allDay,
-        timeZone
+        timeZone,
+        calendarId
       }) => {
         const googleConfig = ctx.config?.services?.google;
         if (!googleConfig) {
@@ -17179,19 +17363,45 @@ function createGrindTools(ctx) {
           };
         }
         try {
-          const event = await createCalendarEvent(googleConfig, {
-            summary,
-            startDateTime,
-            endDateTime,
-            ...description ? { description } : {},
-            ...location ? { location } : {},
-            ...attendees ? { attendees } : {},
-            ...allDay ? { allDay } : {},
-            ...timeZone ? { timeZone } : {}
-          });
+          const event = await createCalendarEvent(
+            googleConfig,
+            {
+              summary,
+              startDateTime,
+              endDateTime,
+              ...description ? { description } : {},
+              ...location ? { location } : {},
+              ...attendees ? { attendees } : {},
+              ...allDay ? { allDay } : {},
+              ...timeZone ? { timeZone } : {}
+            },
+            calendarId ?? "primary"
+          );
           return { ok: true, event };
         } catch (err) {
-          return { ok: false, error: err instanceof Error ? err.message : String(err) };
+          return { ok: false, error: classifyGoogleError(err) };
+        }
+      }
+    }),
+    create_calendar: tool({
+      description: "Create a new Google Calendar. After creation, use the returned id with create_calendar_event to add events to it. Use this when the user asks to create a calendar that does not yet exist in their list.",
+      inputSchema: objectType({
+        summary: stringType().min(1).max(255).describe("Calendar name (e.g. 'Work', 'God', 'Study')"),
+        timeZone: stringType().optional().describe("IANA timezone name for the calendar (e.g. America/Sao_Paulo)")
+      }),
+      execute: async ({ summary, timeZone }) => {
+        const googleConfig = ctx.config?.services?.google;
+        if (!googleConfig) {
+          return {
+            ok: false,
+            error: "Google account not connected. Run `grindxp integrations connect google`."
+          };
+        }
+        try {
+          const calendar = await createCalendar(googleConfig, summary, timeZone);
+          return { ok: true, calendar };
+        } catch (err) {
+          return { ok: false, error: classifyGoogleError(err) };
         }
       }
     }),
@@ -17244,7 +17454,7 @@ function createGrindTools(ctx) {
           );
           return { ok: true, event };
         } catch (err) {
-          return { ok: false, error: err instanceof Error ? err.message : String(err) };
+          return { ok: false, error: classifyGoogleError(err) };
         }
       }
     }),
@@ -17266,7 +17476,7 @@ function createGrindTools(ctx) {
           await deleteCalendarEvent(googleConfig, eventId, calendarId ?? "primary");
           return { ok: true, eventId };
         } catch (err) {
-          return { ok: false, error: err instanceof Error ? err.message : String(err) };
+          return { ok: false, error: classifyGoogleError(err) };
         }
       }
     }),
@@ -17387,7 +17597,7 @@ function createGrindTools(ctx) {
       }
     }),
     list_forge_rules: tool({
-      description: "List forge automation rules. Use this before updating, deleting, or running a specific rule.",
+      description: "List forge automation rules. Each rule includes xpImpact: true/false — use this to decide how to communicate the action to the user. Always call this before updating, deleting, or running a specific rule.",
       inputSchema: objectType({
         enabledOnly: booleanType().optional().describe("When true, return only enabled rules."),
         includeRecentRuns: booleanType().default(true).describe("When true, include recent execution history."),
@@ -17409,6 +17619,7 @@ function createGrindTools(ctx) {
             enabled: rule.enabled,
             triggerType: rule.triggerType,
             actionType: rule.actionType,
+            xpImpact: ["log-to-vault", "update-skill"].includes(rule.actionType),
             triggerConfig: redactForgeValue(rule.triggerConfig),
             actionConfig: redactForgeValue(rule.actionConfig),
             updatedAt: rule.updatedAt
@@ -17483,14 +17694,14 @@ function createGrindTools(ctx) {
       }
     }),
     create_forge_rule: tool({
-      description: "Create a forge automation rule. This supports currently implemented actions only: queue-quest, log-to-vault, send-notification.",
+      description: "Create a forge automation rule (queue-quest, log-to-vault, send-notification, run-script). send-notification and queue-quest have no XP impact — create autonomously. log-to-vault auto-awards XP — create it and mention that in your reply. run-script executes a shell script — always include the full script in your reply so the user can verify it.",
       inputSchema: objectType({
         name: stringType().min(2).max(128).describe("Human-readable rule name."),
         triggerType: enumType(FORGE_TRIGGER_TYPES).describe("Trigger type (cron, event, signal, webhook, manual)."),
         triggerConfig: recordType(stringType(), unknownType()).default({}).describe("Trigger configuration object."),
         actionType: enumType(FORGE_ACTION_TYPES).describe("Action type (queue-quest, log-to-vault, send-notification)."),
         actionConfig: recordType(stringType(), unknownType()).default({}).describe(
-          "Action configuration object. send-notification: required 'message' (static string) or 'script' (shell command whose stdout becomes the message), plus 'channel' (telegram/console/webhook/whatsapp) and channel credentials. queue-quest: required 'questId'. log-to-vault: required 'activityType', 'durationMinutes'."
+          "Action configuration object. send-notification: required 'message' (static string) or 'script' (shell command whose stdout becomes the message), plus 'channel' (telegram/console/webhook/whatsapp) and channel credentials. queue-quest: required 'questId'. log-to-vault: required 'activityType', 'durationMinutes'. run-script: required 'script' (shell command), optional 'timeout' (ms, default 30000), optional 'workdir' (supports ~)."
         ),
         enabled: booleanType().default(true).describe("Whether the rule starts enabled.")
       }),
@@ -17531,7 +17742,7 @@ function createGrindTools(ctx) {
       }
     }),
     update_forge_rule: tool({
-      description: "Update a forge rule by ID prefix or name. Use list_forge_rules first to confirm the target.",
+      description: "Update a forge rule by ID prefix or name. Call list_forge_rules first to confirm the target. Act autonomously — no permission needed unless changing to a log-to-vault action, in which case mention the XP impact in your reply.",
       inputSchema: objectType({
         ruleSearch: stringType().min(1).describe("Rule ID prefix or rule name substring."),
         name: stringType().min(2).max(128).optional().describe("New rule name."),
@@ -17601,6 +17812,7 @@ function createGrindTools(ctx) {
           nextTriggerConfig = normalized.triggerConfig;
           nextActionConfig = normalized.actionConfig;
         }
+        actionType ?? rule.actionType;
         const updated = await updateForgeRule(ctx.db, ctx.userId, rule.id, {
           ...name16 !== void 0 ? { name: name16 } : {},
           ...triggerType !== void 0 ? { triggerType } : {},
@@ -17630,7 +17842,7 @@ function createGrindTools(ctx) {
       }
     }),
     delete_forge_rule: tool({
-      description: "Delete a forge rule by ID prefix or name. Related run history is removed as part of rule deletion.",
+      description: "Delete a forge rule by ID prefix or name. This is permanent — warn the user before calling this. Run history is also removed.",
       inputSchema: objectType({
         ruleSearch: stringType().min(1).describe("Rule ID prefix or rule name substring.")
       }),
@@ -17639,6 +17851,12 @@ function createGrindTools(ctx) {
         if (!rule) {
           return { ok: false, error: `No forge rule matching "${ruleSearch}".` };
         }
+        const perm = await requirePermission(
+          ctx,
+          "delete_forge_rule",
+          `Permanently delete forge rule "${rule.name}"?`
+        );
+        if (perm.denied) return { ok: false, error: "Deletion cancelled." };
         const deleted = await deleteForgeRule(ctx.db, ctx.userId, rule.id);
         if (!deleted) {
           return { ok: false, error: "Failed to delete forge rule." };
@@ -17655,7 +17873,7 @@ function createGrindTools(ctx) {
       }
     }),
     run_forge_rule: tool({
-      description: "Run a forge rule immediately by ID prefix or name. Useful for testing automation behavior without waiting for its trigger.",
+      description: "Run a forge rule immediately by ID prefix or name. Check xpImpact from list_forge_rules first: if false (notifications, reminders), run autonomously; if true (log-to-vault), run and mention the XP award in your reply.",
       inputSchema: objectType({
         ruleSearch: stringType().min(1).describe("Rule ID prefix or rule name substring."),
         eventPayload: recordType(stringType(), unknownType()).optional().describe("Optional payload passed as event context for this run-now execution."),
@@ -17763,6 +17981,8 @@ function createGrindTools(ctx) {
         baseXp: numberType().int().positive().default(10).describe("Base XP before multipliers. 10=small, 25=medium, 50=large, 100=epic")
       }),
       execute: async ({ title, description, type, difficulty, skillTags, baseXp }) => {
+        const trust = requireTrust(ctx, "create_quest");
+        if (trust.denied) return { error: trust.error };
         const active = await listQuestsByUser(ctx.db, ctx.userId, ["active"]);
         if (active.length >= 5) {
           return { error: "Max 5 active quests. Complete or abandon one first." };
@@ -17798,6 +18018,8 @@ function createGrindTools(ctx) {
         durationMinutes: numberType().int().positive().optional().describe("Duration in minutes if timer proof")
       }),
       execute: async ({ questSearch, proofType, durationMinutes }) => {
+        const trust = requireTrust(ctx, "complete_quest");
+        if (trust.denied) return { error: trust.error };
         const quest = await findQuestByPrefix(ctx.db, ctx.userId, questSearch);
         if (!quest) return { error: `No quest matching "${questSearch}"` };
         if (quest.status === "completed") return { error: "Quest already completed" };
@@ -17834,6 +18056,8 @@ function createGrindTools(ctx) {
         questSearch: stringType().describe("Quest ID prefix or title substring")
       }),
       execute: async ({ questSearch }) => {
+        const trust = requireTrust(ctx, "abandon_quest");
+        if (trust.denied) return { error: trust.error };
         const quest = await findQuestByPrefix(ctx.db, ctx.userId, questSearch);
         if (!quest) return { error: `No quest matching "${questSearch}"` };
         if (quest.status !== "active") return { error: `Quest is ${quest.status}, not active` };
@@ -17851,6 +18075,8 @@ function createGrindTools(ctx) {
         questSearch: stringType().describe("Quest ID prefix or title substring")
       }),
       execute: async ({ questSearch }) => {
+        const trust = requireTrust(ctx, "start_timer");
+        if (trust.denied) return { error: trust.error };
         const existing = readTimer(ctx.timerPath);
         if (existing) {
           const elapsed = formatElapsed(existing.startedAt);
@@ -17876,6 +18102,8 @@ function createGrindTools(ctx) {
         complete: booleanType().default(false).describe("Whether to also complete the quest with timer-duration proof")
       }),
       execute: async ({ complete }) => {
+        const trust = requireTrust(ctx, "stop_timer");
+        if (trust.denied) return { error: trust.error };
         const timer = readTimer(ctx.timerPath);
         if (!timer) return { error: "No timer running" };
         const elapsed = getElapsedMinutes(timer.startedAt);
@@ -18611,6 +18839,174 @@ ${normalized}` : normalized;
         return { pattern, matches, totalMatches: matches.length, truncated };
       }
     }),
+    list_skills: tool({
+      description: "List all skills with current XP, level, and category. Use this to see the full skill breakdown before making quest suggestions or updates.",
+      inputSchema: objectType({}),
+      execute: async () => {
+        const allSkills = await listSkillsByUser(ctx.db, ctx.userId);
+        return allSkills.map((s) => ({
+          id: s.id.slice(0, 8),
+          name: s.name,
+          category: s.category,
+          xp: s.xp,
+          level: s.level
+        }));
+      }
+    }),
+    list_quest_logs: tool({
+      description: "List recent quest completion history. Returns completions with XP earned, duration, and proof type. Use this to see what the user has actually done recently.",
+      inputSchema: objectType({
+        limit: numberType().int().min(1).max(100).default(20).describe("Maximum number of logs to return"),
+        sinceDaysAgo: numberType().int().min(1).max(90).optional().describe("Only return logs from this many days ago")
+      }),
+      execute: async ({ limit, sinceDaysAgo }) => {
+        const since = sinceDaysAgo ? Date.now() - sinceDaysAgo * 24 * 60 * 60 * 1e3 : void 0;
+        const logs = await listQuestLogs(ctx.db, ctx.userId, {
+          limit,
+          ...since ? { since } : {}
+        });
+        const questIds = [...new Set(logs.map((l) => l.questId))];
+        const questTitles = {};
+        for (const qid of questIds) {
+          const q = await getQuestById(ctx.db, qid);
+          if (q) questTitles[qid] = q.title;
+        }
+        return logs.map((l) => ({
+          questTitle: questTitles[l.questId] ?? l.questId.slice(0, 8),
+          completedAt: new Date(l.completedAt).toLocaleDateString(),
+          xpEarned: l.xpEarned,
+          durationMinutes: l.durationMinutes ?? null,
+          proofType: l.proofType,
+          streakDay: l.streakDay
+        }));
+      }
+    }),
+    list_signals: tool({
+      description: "List recently detected signals (git commits, file changes, process observations, webhook events). Use this to understand what the user has been doing passively.",
+      inputSchema: objectType({
+        limit: numberType().int().min(1).max(50).default(20).describe("Maximum number of signals to return"),
+        source: enumType(["git", "file", "process", "webhook"]).optional().describe("Filter by signal source")
+      }),
+      execute: async ({ limit, source }) => {
+        const sigs = await listSignals(ctx.db, ctx.userId, {
+          limit,
+          ...source ? { source } : {}
+        });
+        return sigs.map((s) => ({
+          source: s.source,
+          type: s.type,
+          confidence: s.confidence,
+          detectedAt: new Date(s.detectedAt).toLocaleString(),
+          payload: s.payload
+        }));
+      }
+    }),
+    update_quest: tool({
+      description: "Update quest details: title, description, difficulty, type, baseXp, skillTags, or schedule. Does NOT change quest status — use abandon_quest or complete_quest for that.",
+      inputSchema: objectType({
+        questSearch: stringType().describe("Quest ID prefix or title substring"),
+        title: stringType().min(1).max(256).optional().describe("New quest title"),
+        description: stringType().max(2e3).nullable().optional().describe("New description"),
+        type: enumType(["daily", "weekly", "epic", "bounty", "chain", "ritual"]).optional().describe("New quest type"),
+        difficulty: enumType(["easy", "medium", "hard", "epic"]).optional().describe("New difficulty"),
+        skillTags: arrayType(stringType()).optional().describe("Replace skill tags"),
+        baseXp: numberType().int().positive().optional().describe("New base XP (before multipliers)"),
+        scheduleCron: stringType().nullable().optional().describe("New cron schedule (null to remove)")
+      }).refine(
+        (v) => v.title !== void 0 || v.description !== void 0 || v.type !== void 0 || v.difficulty !== void 0 || v.skillTags !== void 0 || v.baseXp !== void 0 || v.scheduleCron !== void 0,
+        { message: "Provide at least one field to update." }
+      ),
+      execute: async ({
+        questSearch,
+        title,
+        description,
+        type,
+        difficulty,
+        skillTags,
+        baseXp,
+        scheduleCron
+      }) => {
+        const trust = requireTrust(ctx, "update_quest");
+        if (trust.denied) return { error: trust.error };
+        const quest = await findQuestByPrefix(ctx.db, ctx.userId, questSearch);
+        if (!quest) return { error: `No quest matching "${questSearch}"` };
+        const updated = await updateQuest(ctx.db, quest.id, ctx.userId, {
+          ...title !== void 0 ? { title } : {},
+          ...description !== void 0 ? { description } : {},
+          ...type !== void 0 ? { type } : {},
+          ...difficulty !== void 0 ? { difficulty } : {},
+          ...skillTags !== void 0 ? { skillTags } : {},
+          ...baseXp !== void 0 ? { baseXp } : {},
+          ...scheduleCron !== void 0 ? { scheduleCron } : {}
+        });
+        if (!updated) return { error: "Failed to update quest." };
+        return {
+          ok: true,
+          id: updated.id.slice(0, 8),
+          title: updated.title,
+          type: updated.type,
+          difficulty: updated.difficulty,
+          skillTags: updated.skillTags,
+          baseXp: updated.baseXp
+        };
+      }
+    }),
+    activate_quest: tool({
+      description: "Move a quest from 'available' to 'active'. Use when the user is ready to start working on a quest that isn't active yet. Subject to the 5-quest active limit.",
+      inputSchema: objectType({
+        questSearch: stringType().describe("Quest ID prefix or title substring")
+      }),
+      execute: async ({ questSearch }) => {
+        const trust = requireTrust(ctx, "activate_quest");
+        if (trust.denied) return { error: trust.error };
+        const quest = await findQuestByPrefix(ctx.db, ctx.userId, questSearch);
+        if (!quest) return { error: `No quest matching "${questSearch}"` };
+        if (quest.status === "active") return { error: "Quest is already active." };
+        if (quest.status === "completed")
+          return { error: "Quest is completed — cannot reactivate." };
+        if (quest.status === "abandoned")
+          return { error: "Quest is abandoned — cannot reactivate." };
+        const active = await listQuestsByUser(ctx.db, ctx.userId, ["active"]);
+        if (active.length >= 5) {
+          return { error: "Max 5 active quests. Complete or abandon one first." };
+        }
+        await updateQuestStatus(ctx.db, quest.id, ctx.userId, "active");
+        return { ok: true, quest: quest.title, status: "active" };
+      }
+    }),
+    delete_insight: tool({
+      description: "Delete a stored companion insight. Only AI-observed insights can be deleted. User-stated insights are permanent and cannot be removed by the companion.",
+      inputSchema: objectType({
+        insightId: stringType().min(1).describe("Insight ID (full UUID or short ID prefix)")
+      }),
+      execute: async ({ insightId }) => {
+        const trust = requireTrust(ctx, "delete_insight");
+        if (trust.denied) return { error: trust.error };
+        const insights = await listCompanionInsights(ctx.db, ctx.userId, 200);
+        const match = insights.find((i) => i.id === insightId || i.id.startsWith(insightId));
+        if (!match) return { error: `No insight matching "${insightId}"` };
+        if (match.source === "user-stated") {
+          return {
+            error: "Cannot delete user-stated insights. These are facts you provided — they can only be updated, not removed."
+          };
+        }
+        const deleted = await deleteCompanionInsight(ctx.db, match.id, ctx.userId);
+        if (!deleted) return { error: "Failed to delete insight." };
+        return { ok: true, deleted: true, content: match.content };
+      }
+    }),
+    update_companion_mode: tool({
+      description: "Change the companion operating mode. 'suggest' = propose only, 'assist' = act on explicit requests, 'auto' = act proactively.",
+      inputSchema: objectType({
+        mode: enumType(["off", "suggest", "assist", "auto"]).describe("New companion mode")
+      }),
+      execute: async ({ mode }) => {
+        const trust = requireTrust(ctx, "update_companion_mode");
+        if (trust.denied) return { error: trust.error };
+        const updated = await updateCompanionMode(ctx.db, ctx.userId, mode);
+        return { ok: true, mode: updated.mode };
+      }
+    }),
     bash: tool({
       description: "Execute a shell command. Returns stdout, stderr, and exit code. Both stdout and stderr are capped at 50KB.",
       inputSchema: objectType({
@@ -19009,7 +19405,8 @@ const streamMessage = createServerFn({
     db,
     userId,
     timerPath,
-    config: config2
+    config: config2,
+    trustLevel: companionRow?.trustLevel ?? 0
   };
   const promptCtxBase = {
     user,