@hailer/mcp 1.1.11 → 1.1.13

package/dist/bot/bot.js

@@ -15,12 +15,14 @@ const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
 const tool_registry_1 = require("../mcp/tool-registry");
 const hailer_clients_1 = require("../mcp/hailer-clients");
 const hailer_api_client_1 = require("../mcp/utils/hailer-api-client");
+const types_1 = require("../mcp/utils/types");
 const workspace_cache_1 = require("../mcp/workspace-cache");
 const tool_executor_1 = require("./tool-executor");
 const workspace_overview_1 = require("./workspace-overview");
 const operation_logger_1 = require("./operation-logger");
 const services_1 = require("./services");
 const logger_1 = require("../lib/logger");
+const permission_guard_1 = require("./services/permission-guard");
 /**
  * Tools available to the bot. Add/remove tool names here to control what the LLM can use.
  * The MCP server (Claude Code terminal) is unaffected - it keeps full access to all tools.
@@ -59,21 +61,31 @@ const BOT_TOOLS = new Set([
     'preview_insight',
     'create_insight',
     'update_insight',
+    // Permissions
+    'list_workflow_permissions',
+    'check_user_permissions',
+    'grant_workflow_permission',
+    'revoke_workflow_permission',
 ]);
-const WORKFLOW_SCOPED_TOOLS = new Set([
-    'list_activities', 'count_activities',
-    'get_workflow_schema', 'list_workflow_phases',
-    'create_activity', 'update_activity',
-    'install_workflow',
+/** Tools that require the requesting user to be a workspace admin or owner */
+const ADMIN_ONLY_TOOLS = new Set([
+    'grant_workflow_permission',
+    'revoke_workflow_permission',
 ]);
-/** Tools that bypass the workflowId arg gate and need post-execution permission checks */
-const UNGATED_TOOLS = new Set([
+/**
+ * Tools where the workflowId only appears in the result, not the args.
+ * These run first, then the result is checked for workflow access.
+ */
+const POST_CHECK_TOOLS = new Set([
     'show_activity_by_id',
     'fetch_discussion_messages',
     'get_activity_from_discussion',
 ]);
+/** Minimal tool set for SIMPLE-routed messages (greetings, quick lookups). */
 const MODEL_HAIKU = 'claude-haiku-4-5-20251001';
 const MODEL_SONNET = 'claude-sonnet-4-5-20250929';
+const IMAGE_MIME_TYPES = new Set(['image/jpeg', 'image/png', 'image/gif', 'image/webp']);
+const MAX_IMAGE_SIZE = 5 * 1024 * 1024; // 5MB — skip vision for larger images
 const MAX_TOOL_ITERATIONS = 10;
 const RATE_LIMIT_WINDOW = 60_000; // 60 seconds
 const RATE_LIMIT_PER_DISCUSSION = 30; // max signals per discussion per window
@@ -91,6 +103,9 @@ class Bot {
     workspaceOverview = '';
     userId = '';
     _workspaceId;
+    // Live-updatable config (can be hot-swapped without restart)
+    _systemPrompt;
+    _responseMode = 'always';
     // Services
     conversationManager = null;
     messageClassifier = null;
@@ -98,6 +113,9 @@ class Bot {
     typingIndicator = null;
     tokenBilling = null;
     sessionLogger = null;
+    hailerApi = null;
+    /** Cache of insightId → Set<workflowId> for permission checks on ID-based insight tools */
+    insightWorkflowCache = new Map();
     opLogger = new operation_logger_1.OperationLogger();
     // State
     discussionStates = new Map();
@@ -119,25 +137,62 @@ class Bot {
     permissionIndex = new Map();
     adminUserIds = new Set();
     ownerUserIds = new Set();
+    workspaceMemberIds = new Set();
+    membersLoaded = false;
     // Config
     config;
+    botManager; // BotManager ref for cross-bot awareness
     constructor(config) {
         this.config = {
-            ...config,
+            email: config.email,
+            password: config.password,
+            apiHost: config.apiHost,
+            anthropicApiKey: config.anthropicApiKey,
             model: config.model || 'claude-haiku-4-5-20251001',
+            toolRegistry: config.toolRegistry,
+            workspaceId: config.workspaceId,
+            systemPrompt: config.systemPrompt,
+            accessLevel: config.accessLevel || 'all',
+            allowedWorkflows: config.allowedWorkflows || [],
         };
+        this.botManager = config.botManager || null;
+        this._systemPrompt = config.systemPrompt;
+        this._responseMode = config.responseMode || 'always';
         this.logger = (0, logger_1.createLogger)({ component: 'Bot' });
         this.clientManager = new hailer_clients_1.HailerClientManager(config.apiHost, config.email, config.password);
         this.toolExecutor = new tool_executor_1.ToolExecutor(config.toolRegistry);
     }
+    get email() { return this.config.email; }
+    get password() { return this.config.password; }
+    get accessLevel() { return this.config.accessLevel; }
+    /**
+     * Hot-update the system prompt without restarting the bot.
+     * Takes effect on the next message processed.
+     */
+    updateSystemPrompt(prompt) {
+        this._systemPrompt = prompt;
+        this.logger.info('System prompt updated live', { hasPrompt: !!prompt });
+    }
+    updateResponseMode(mode) {
+        this._responseMode = mode || 'always';
+        this.logger.info('Response mode updated live', { responseMode: this._responseMode });
+    }
     get connected() {
         return this._connected;
     }
     get workspaceId() {
         return this._workspaceId;
     }
+    /** Exposed for BotManager cross-bot awareness */
+    get botUserId() {
+        return this.userId;
+    }
     // ===== LIFECYCLE =====
     async start() {
+        if (this._connected) {
+            this.logger.warn('Bot.start() called while already connected, ignoring');
+            return;
+        }
         this.logger.debug('Starting bot', { email: this.config.email });
         // 1. Connect to Hailer
         this.client = await this.clientManager.connect();
@@ -152,9 +207,9 @@ class Bot {
         this.init = await this.client.socket.request('v2.core.init', [
             ['processes', 'users', 'network', 'networks', 'teams', 'groups'],
         ]);
+        (0, types_1.normalizeInitProcesses)(this.init);
         this._workspaceId = this.init.network?._id || this.config.workspaceId;
-        this.buildPermissionIndex();
-        // 4. Build workspace cache and overview
+        // 4. Build workspace cache and overview (before permission index so names resolve)
         this.workspaceCache = (0, workspace_cache_1.createWorkspaceCache)(this.init, {
             excludeTranslations: true,
             excludeSystemMessages: true,
@@ -162,6 +217,8 @@ class Bot {
             compactUserData: true,
             includeWorkspaceNamesInTools: false,
         });
+        this.backfillWorkspaceCacheMembers();
+        this.buildPermissionIndex();
         this.workspaceOverview = (0, workspace_overview_1.generateWorkspaceOverview)(this.init);
         // 5. Create Anthropic client
         this.anthropic = new sdk_1.default({ apiKey: this.config.anthropicApiKey });
@@ -180,6 +237,7 @@ class Bot {
         this.typingIndicator = new services_1.TypingIndicatorService(botConnection, this.logger);
         // Token billing
         const hailerApi = new hailer_api_client_1.HailerApiClient(this.client);
+        this.hailerApi = hailerApi;
         this.tokenBilling = new services_1.TokenBillingService(this.logger, hailerApi);
         // Message formatter - wrap ToolExecutor as MCP-style callback
         const toolCallback = async (name, args) => {
@@ -190,6 +248,7 @@ class Bot {
         this.sessionLogger = new services_1.SessionLoggerService(null, this.logger, toolCallback, () => this.getDefaultTeamId());
         this.sessionLogger.setAnthropicClient(this.anthropic);
         // 8. Build UserContext for tool execution
+        const currentWorkspaceId = this.init.network?._id || '';
         this.userContext = {
             client: this.client,
             hailer: hailerApi,
@@ -199,6 +258,9 @@ class Bot {
             createdAt: Date.now(),
             email: this.config.email,
             password: this.config.password,
+            workspaceRoles: { [currentWorkspaceId]: 'admin' },
+            currentWorkspaceId,
+            allowedGroups: ['read', 'write', 'bot_internal'],
         };
         // 9. Subscribe to messenger.new signals
         this.signalHandler = (eventData) => {
@@ -218,6 +280,9 @@ class Bot {
         this.clientManager.onSignal('process.updated', this.processUpdatedHandler);
         this.clientManager.onSignal('workspace.updated', this.workspaceUpdatedHandler);
         this.clientManager.onSignal('cache.invalidate', this.cacheInvalidateHandler);
+        // TODO: Subscribe to notification.reload for reminder handling
+        // Blocked: need to confirm reminderWorker is running and how the signal
+        // reaches the bot's socket (room join + event channel). See memory/project_reminder_bot_integration.md
         this._connected = true;
         this.logger.debug('Bot started', {
             userId: this.userId,
@@ -265,16 +330,35 @@ class Bot {
         this.client = null;
         this.logger.debug('Bot stopped');
     }
+    // ===== RESPONSE MODE =====
+    checkTriggerCondition(message) {
+        // Private DMs always pass — 1:1 conversations are always intentional
+        if (message.isPrivateDiscussion)
+            return true;
+        switch (this._responseMode) {
+            case 'mention_only': return message.isMention;
+            case 'reply_only': return message.isReplyToBot;
+            case 'mention_or_reply': return message.isMention || message.isReplyToBot;
+            case 'always':
+            default: return true;
+        }
+    }
     // ===== SIGNAL HANDLING =====
     async handleSignal(signal) {
         if (!this._connected || !this.messageClassifier)
             return;
         try {
             const rawMsgId = signal.data.msg_id;
-            if (rawMsgId) {
-                if (this.processedMessageIds.has(rawMsgId))
+            const discussionId = signal.data.discussion;
+            const dedupKey = rawMsgId || (discussionId ? `${discussionId}:${signal.data.uid}:${signal.data.created}` : null);
+            if (dedupKey) {
+                if (this.processedMessageIds.has(dedupKey))
                     return;
-                this.processedMessageIds.add(rawMsgId);
+                this.processedMessageIds.add(dedupKey);
+            }
+            else {
+                this.logger.warn('messenger.new signal has no dedup key, skipping');
+                return;
             }
             const message = await this.messageClassifier.extractIncomingMessage(signal);
             if (!message) {
@@ -282,9 +366,14 @@ class Bot {
                     this.processedMessageIds.delete(rawMsgId);
                 return;
             }
-            // Self-message guard: prevent bot feedback loops
+            // Self-message guard: prevent bot feedback loops (checks ALL bots in this workspace)
             if (message.senderId === this.userId)
                 return;
+            if (this.botManager && this._workspaceId) {
+                const botUserIds = this.botManager.getBotUserIdsForWorkspace(this._workspaceId);
+                if (botUserIds.has(message.senderId))
+                    return;
+            }
             // Rate limiting
             const now = Date.now();
             const cutoff = now - RATE_LIMIT_WINDOW;
@@ -320,37 +409,71 @@ class Bot {
                 return;
             }
             this.globalSignalTimestamps.push(now);
-            // Membership check - only respond to users who are members of the bot's workspace
-            if (this.init?.users && !this.init.users[message.senderId]) {
-                this.logger.debug('Ignoring message from non-workspace member', {
+            // Layer 1: Workspace membership check (fail-closed)
+            // Only process messages from verified workspace members.
+            // If member data hasn't loaded yet, reject — don't fail open.
+            if (!this.membersLoaded || !this.workspaceMemberIds.has(message.senderId)) {
+                this.logger.debug('Ignoring message - sender not a verified workspace member', {
                     senderId: message.senderId,
                     senderName: message.senderName,
+                    membersLoaded: this.membersLoaded,
                 });
                 if (rawMsgId)
                     this.processedMessageIds.delete(rawMsgId);
                 return;
             }
+            // Layer 2: AI Hub access gate — who can talk to this bot
+            if (this.config.accessLevel !== 'all') {
+                const isAdmin = this.adminUserIds.has(message.senderId);
+                const isOwner = this.ownerUserIds.has(message.senderId);
+                const allowed = this.config.accessLevel === 'owner' ? isOwner : (isAdmin || isOwner);
+                if (!allowed) {
+                    this.logger.debug('Ignoring message - sender does not meet access level', {
+                        senderId: message.senderId,
+                        senderName: message.senderName,
+                        requiredLevel: this.config.accessLevel,
+                        isAdmin,
+                        isOwner,
+                    });
+                    if (rawMsgId)
+                        this.processedMessageIds.delete(rawMsgId);
+                    return;
+                }
+            }
             // Prune dedup set
             if (this.processedMessageIds.size > 500) {
                 const ids = Array.from(this.processedMessageIds);
                 this.processedMessageIds = new Set(ids.slice(-250));
             }
             const state = this.getOrCreateDiscussionState(discId);
-            // Always buffer the message
+            // Always buffer the message (provides context when bot IS triggered later)
             state.contextBuffer.push(message);
+            // Check response mode trigger condition BEFORE engagement logic
+            // DMs always pass — 1:1 conversations are always intentional
+            const triggerMet = this.checkTriggerCondition(message);
+            if (!triggerMet) {
+                return; // Signal dropped — no LLM call, no token cost
+            }
             // Determine if this should trigger processing
-            const isExplicitTrigger = message.isMention || message.isReplyToBot || message.isDirectMessage;
+            // Private discussions (DMs) are always explicit triggers
+            const isExplicitTrigger = message.isMention || message.isReplyToBot || message.isPrivateDiscussion;
             if (state.state === 'idle') {
-                if (isExplicitTrigger) {
+                // In 'always' mode, every message triggers engagement (original behavior)
+                if (isExplicitTrigger || this._responseMode === 'always') {
                     state.state = 'engaged';
                     state.consecutiveNonResponses = 0;
-                    this.opLogger.engage(discId, message.isMention ? 'mention' : message.isReplyToBot ? 'reply' : 'dm');
+                    this.opLogger.engage(discId, message.isMention ? 'mention' : message.isReplyToBot ? 'reply' : message.isDirectMessage ? 'dm' : 'always');
                 }
                 else {
                     // Not addressed while idle — message sits in buffer as context only
                     return;
                 }
             }
+            // In non-'always' modes, each message must independently meet the trigger condition
+            // This prevents the bot from staying engaged and responding to everything after one mention
+            if (this._responseMode !== 'always' && !isExplicitTrigger) {
+                return;
+            }
             // State is 'engaged' — trigger processing if not already running
             if (!this.processingDiscussions.has(discId)) {
                 this.processDiscussion(discId).catch(err => {
@@ -389,7 +512,17 @@ class Bot {
                 if (messages.length > 1) {
                     merged = `<context type="coalesced" count="${messages.length}">These ${messages.length} messages arrived while you were processing. Respond to the most recent/relevant.</context>\n\n${merged}`;
                 }
-                conversation.push({ role: 'user', content: merged });
+                // Resolve image attachments for vision
+                const imageBlocks = await this.resolveImageAttachments(messages);
+                if (imageBlocks.length > 0) {
+                    conversation.push({
+                        role: 'user',
+                        content: [{ type: 'text', text: merged }, ...imageBlocks],
+                    });
+                }
+                else {
+                    conversation.push({ role: 'user', content: merged });
+                }
                 // Use last message for routing/billing context
                 const primaryMessage = messages[messages.length - 1];
                 state.lastProgressTime = 0;
@@ -451,7 +584,6 @@ class Bot {
         const defaultRoute = {
             model: MODEL_HAIKU,
             maxTokens: 2000,
-            classification: 'SIMPLE',
         };
         try {
             const wsName = this.init?.network?.name || 'Workspace';
@@ -493,12 +625,11 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
                 const route = {
                     model: MODEL_SONNET,
                     maxTokens: 16384,
-                    classification: 'COMPLEX',
                 };
-                this.opLogger.route(message.discussionId, route.classification, route.model, message.content);
+                this.opLogger.route(message.discussionId, 'COMPLEX', route.model, message.content);
                 return route;
             }
-            this.opLogger.route(message.discussionId, defaultRoute.classification, defaultRoute.model, message.content);
+            this.opLogger.route(message.discussionId, 'SIMPLE', defaultRoute.model, message.content);
             return defaultRoute;
         }
         catch (error) {
@@ -564,7 +695,7 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
     }
     // ===== MESSAGE PROCESSING =====
     async processMessage(message, signal) {
-        this.typingIndicator?.start(message.discussionId);
+        this.typingIndicator?.start(message.discussionId, 'Reading');
         // Check token balance
         const billingWorkspaceId = this._workspaceId || message.workspaceId;
         if (this.tokenBilling && billingWorkspaceId) {
@@ -604,6 +735,7 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
             const cachedConversation = this.conversationManager.prepareForCaching(conversation);
             let response;
             let llmStart = Date.now();
+            this.typingIndicator?.updateStatus(message.discussionId, i === 0 ? 'Thinking' : 'Processing');
             try {
                 response = await this.anthropic.messages.create({
                     model: route.model,
@@ -626,7 +758,8 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
                     this.logger.warn('Sonnet API call failed, falling back to Haiku', {
                         error: error instanceof Error ? error.message : String(error),
                     });
-                    route = { model: MODEL_HAIKU, maxTokens: 2000, classification: 'SIMPLE' };
+                    route = { model: MODEL_HAIKU, maxTokens: 2000 };
+                    this.typingIndicator?.updateStatus(message.discussionId, 'Switching models');
                     llmStart = Date.now();
                     response = await this.anthropic.messages.create({
                         model: MODEL_HAIKU,
@@ -682,10 +815,11 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
             // Check for tool calls
             const toolUseBlocks = response.content.filter((b) => b.type === 'tool_use');
             if (toolUseBlocks.length > 0) {
+                this.typingIndicator?.updateStatus(message.discussionId, this.getToolStatus(toolUseBlocks));
                 const toolResults = await this.executeTools(toolUseBlocks, message, signal);
                 conversation.push({ role: 'user', content: toolResults });
                 // Inject any messages that arrived during tool execution
-                this.injectPendingContext(message.discussionId, conversation);
+                await this.injectPendingContext(message.discussionId, conversation);
                 // Auto-escalate: if Haiku is failing tool calls, switch to Sonnet
                 if (route.model === MODEL_HAIKU) {
                     const failedCount = toolResults
@@ -696,7 +830,7 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
                             failedTools: failedCount,
                             iteration: i,
                         });
-                        route = { model: MODEL_SONNET, maxTokens: 16384, classification: 'COMPLEX' };
+                        route = { model: MODEL_SONNET, maxTokens: 16384 };
                         await this.sendMessage(message.discussionId, `Switching to a more capable model to handle this.`);
                     }
                 }
@@ -730,6 +864,7 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
                 break;
             }
             // Post the response
+            this.typingIndicator?.updateStatus(message.discussionId, 'Writing response');
             this.typingIndicator?.stop(message.discussionId);
             const formatted = await this.formatOutgoingMessage(responseText);
             const links = this.messageFormatter.extractTagLinks(formatted);
@@ -746,17 +881,36 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
         const WRITE_TOOLS = new Set(['create_activity', 'update_activity']);
         for (const block of toolUseBlocks) {
             const toolStart = Date.now();
-            // Permission gate: check if user has access to the workflow
+            // ── Admin-only gate ──
+            // Some tools require workspace admin/owner regardless of workflow access.
+            if (ADMIN_ONLY_TOOLS.has(block.name)) {
+                if (!this.adminUserIds.has(message.senderId) && !this.ownerUserIds.has(message.senderId)) {
+                    this.opLogger.permDenied(discussionId, block.name, 'n/a', 'requires-admin');
+                    results.push({
+                        type: 'tool_result',
+                        tool_use_id: block.id,
+                        content: `Permission denied: Only workspace admins can modify workflow permissions.`,
+                        is_error: true,
+                    });
+                    continue;
+                }
+            }
+            // ── Unified permission gate ──
+            // Extract all workflow IDs from tool args (any shape) and check access.
+            // POST_CHECK_TOOLS are checked after execution (workflow ID is in the result, not the args).
             const args = block.input;
-            const workflowId = args.workflowId;
-            if (workflowId && WORKFLOW_SCOPED_TOOLS.has(block.name)) {
-                const allowed = this.permissionIndex.get(workflowId);
-                if (allowed && !allowed.has(message.senderId) && !this.adminUserIds.has(message.senderId) && !this.ownerUserIds.has(message.senderId)) {
-                    this.opLogger.permDenied(discussionId, block.name, workflowId, message.senderId);
+            const permCtx = this.getPermissionContext();
+            if (!POST_CHECK_TOOLS.has(block.name)) {
+                const workflowIds = (0, permission_guard_1.extractWorkflowIdsFromArgs)(args, this.insightWorkflowCache);
+                const denied = (0, permission_guard_1.checkWorkflowAccess)(workflowIds, message.senderId, permCtx);
+                if (denied) {
+                    this.opLogger.permDenied(discussionId, block.name, denied.workflowId, denied.reason);
                     results.push({
                         type: 'tool_result',
                         tool_use_id: block.id,
-                        content: `Permission denied: This user does not have access to workflow ${workflowId}. This is a workspace permission restriction on the user, not on you (the bot).`,
+                        content: denied.reason === 'bot-scope'
+                            ? `Permission denied: This bot does not have access to workflow ${denied.workflowId}.`
+                            : `Permission denied: You do not have access to workflow ${denied.workflowId}.`,
                         is_error: true,
                     });
                     continue;
@@ -784,40 +938,32 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
                 const text = result?.content?.[0]?.text ?? JSON.stringify(result);
                 let contentStr = typeof text === 'string' ? text : JSON.stringify(text);
                 const toolDuration = (Date.now() - toolStart) / 1000;
-                // Post-filter list_workflows results to only show accessible workflows
-                if ((block.name === 'list_workflows' || block.name === 'list_workflows_minimal') && this.permissionIndex.size > 0 && !this.adminUserIds.has(message.senderId) && !this.ownerUserIds.has(message.senderId)) {
-                    try {
-                        const parsed = JSON.parse(contentStr);
-                        if (parsed.workflows && Array.isArray(parsed.workflows)) {
-                            const before = parsed.workflows.length;
-                            parsed.workflows = parsed.workflows.filter((wf) => {
-                                const wfId = wf.id || wf._id || wf.workflowId;
-                                if (!wfId)
-                                    return true;
-                                const allowed = this.permissionIndex.get(wfId);
-                                return !allowed || allowed.has(message.senderId);
-                            });
-                            if (parsed.workflows.length < before) {
-                                this.opLogger.permFiltered(discussionId, block.name, before, parsed.workflows.length);
-                            }
-                            contentStr = JSON.stringify(parsed);
-                        }
-                    }
-                    catch {
-                        // Not JSON or unexpected format, pass through unfiltered
+                // ── Post-execution permission checks ──
+                // Cache insight → workflow mapping after successful create_insight
+                if (block.name === 'create_insight' && !contentStr.includes('❌')) {
+                    const idMatch = contentStr.match(/\*\*Insight ID:\*\*\s+`([a-f0-9]{24})`/);
+                    if (idMatch) {
+                        const sources = args.sources || [];
+                        const wfIds = new Set(sources.map((s) => s.workflowId).filter(Boolean));
+                        if (wfIds.size > 0)
+                            this.insightWorkflowCache.set(idMatch[1], wfIds);
                     }
                 }
-                // Post-execution permission check for tools not gated by workflowId arg
-                if (this.permissionIndex.size > 0 && UNGATED_TOOLS.has(block.name)) {
+                // Post-filter list results: remove items the user can't access
+                contentStr = await this.postFilterListResults(block.name, contentStr, message.senderId, discussionId);
+                // Post-execution permission check for tools where workflowId is in the result
+                if (POST_CHECK_TOOLS.has(block.name)) {
                     const extractedWorkflowId = this.extractWorkflowIdFromResult(block.name, contentStr);
                     if (extractedWorkflowId) {
-                        const allowed = this.permissionIndex.get(extractedWorkflowId);
-                        if (allowed && !allowed.has(message.senderId) && !this.adminUserIds.has(message.senderId) && !this.ownerUserIds.has(message.senderId)) {
-                            this.opLogger.permDenied(discussionId, block.name, extractedWorkflowId, message.senderId);
+                        const denied = (0, permission_guard_1.checkWorkflowAccess)([extractedWorkflowId], message.senderId, permCtx);
+                        if (denied) {
+                            this.opLogger.permDenied(discussionId, block.name, denied.workflowId, denied.reason);
                             results.push({
                                 type: 'tool_result',
                                 tool_use_id: block.id,
-                                content: `Permission denied: This user does not have access to the resource in workflow ${extractedWorkflowId}. This is a workspace permission restriction on the user, not on you (the bot).`,
+                                content: denied.reason === 'bot-scope'
+                                    ? `Permission denied: This bot does not have access to that resource.`
+                                    : `Permission denied: You do not have access to that resource.`,
                                 is_error: true,
                             });
                             continue;
@@ -866,7 +1012,7 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
      * between LLM iterations. Merges into the existing user message to preserve
      * Anthropic's alternation rule (user/assistant/user/assistant).
      */
-    injectPendingContext(discussionId, conversation) {
+    async injectPendingContext(discussionId, conversation) {
         const state = this.discussionStates.get(discussionId);
         if (!state || state.contextBuffer.length === 0)
             return;
@@ -878,6 +1024,10 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
                 type: 'text',
                 text: `<context type="messages-during-processing">\n${contextText}\n</context>`,
             });
+            const imageBlocks = await this.resolveImageAttachments(pending);
+            for (const block of imageBlocks) {
+                lastMsg.content.push(block);
+            }
             this.opLogger.contextInject(discussionId, pending.length);
         }
     }
@@ -907,11 +1057,59 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
         const nameAttr = discName ? ` discussion_name="${discName}"` : '';
         let fileInfo = '';
         if (message.fileAttachments?.length) {
-            const ids = message.fileAttachments.map(f => f.fileId).join(', ');
-            fileInfo = `\n[File attached: ${message.fileAttachments.length} file(s) - IDs: ${ids}]\nUse download_file tool with fileId to read file contents.`;
+            const imageFiles = message.fileAttachments.filter(f => f.mime && IMAGE_MIME_TYPES.has(f.mime) && (!f.size || f.size <= MAX_IMAGE_SIZE));
+            const nonImageFiles = message.fileAttachments.filter(f => !f.mime || !IMAGE_MIME_TYPES.has(f.mime) || (f.size && f.size > MAX_IMAGE_SIZE));
+            const parts = [];
+            for (const img of imageFiles) {
+                parts.push(`[Image attached: ${img.filename} — included below for vision]`);
+            }
+            if (nonImageFiles.length) {
+                const ids = nonImageFiles.map(f => f.fileId).join(', ');
+                parts.push(`[File attached: ${nonImageFiles.length} file(s) - IDs: ${ids}]\nUse download_file tool with fileId to read file contents.`);
+            }
+            if (parts.length)
+                fileInfo = '\n' + parts.join('\n');
         }
         return `<incoming discussion="${message.discussionId}"${nameAttr}${activityAttr} from="${message.senderName}" user_id="${message.senderId}" timestamp="${new Date(message.timestamp).toISOString()}">\n${message.content}${fileInfo}\n</incoming>`;
     }
+    /**
+     * Download image attachments and return Anthropic image content blocks.
+     * Falls back silently on errors — the text note still tells the LLM about the file.
+     */
+    async resolveImageAttachments(messages) {
+        const blocks = [];
+        if (!this.hailerApi)
+            return blocks;
+        const imageFiles = [];
+        for (const msg of messages) {
+            if (!msg.fileAttachments?.length)
+                continue;
+            for (const f of msg.fileAttachments) {
+                if (f.mime && IMAGE_MIME_TYPES.has(f.mime) && (!f.size || f.size <= MAX_IMAGE_SIZE)) {
+                    imageFiles.push({ fileId: f.fileId, filename: f.filename, mime: f.mime });
+                }
+            }
+        }
+        for (const img of imageFiles) {
+            try {
+                const result = await this.hailerApi.downloadFile(img.fileId);
+                if (result.encoding === 'base64') {
+                    blocks.push({
+                        type: 'image',
+                        source: {
+                            type: 'base64',
+                            media_type: img.mime,
+                            data: result.content,
+                        },
+                    });
+                }
+            }
+            catch (err) {
+                this.logger.warn('Failed to download image for vision', { fileId: img.fileId, filename: img.filename, error: err });
+            }
+        }
+        return blocks;
+    }
     async formatOutgoingMessage(text) {
         let formatted = await this.messageFormatter.resolveUserTags(text);
         formatted = await this.messageFormatter.resolveActivityTags(formatted);
@@ -987,46 +1185,123 @@ Reply with exactly one word: SIMPLE or COMPLEX`,
     buildSystemPrompt() {
         const wsName = this.init?.network?.name || 'Workspace';
         const botName = this.getBotDisplayName();
-        return `You are a workspace assistant for "${wsName}" on Hailer.
-
-<bot-identity>
+        const identity = `<bot-identity>
 Your user ID: ${this.userId}
 Your display name: ${botName}
-</bot-identity>
+Workspace: ${wsName}
+</bot-identity>`;
+        // Platform rules — always applied regardless of custom prompt.
+        // These are operational requirements that keep the bot functional.
+        const platformRules = `<platform-rules>
+- Use tools to answer questions — don't guess or make up data.
+- When a tool call fails, tell the user what failed and why. Never silently try alternatives.
+- For bulk operations, batch into groups of 25-50 per tool call.
+- NEVER output raw URLs like https://app.hailer.com/...
+
+HAILERTAG LINKING (mandatory):
+- When referencing activities, discussions, or users, ALWAYS use: [hailerTag|Display Name](objectId)
+- Examples:
+    [hailerTag|AC Milan deal](691ffe654217e9e8434e578a)
+    [hailerTag|John Smith](691ffe654217e9e8434e5123)
+- Tool responses include both names and IDs — use them directly in this format.
+- NEVER use hailerTag for workflows, phases, teams, or groups — these don't support linking. Just use their plain text names.
+- NEVER output bare 24-character hex IDs to the user.
+</platform-rules>`;
+        const now = new Date();
+        const isoDate = now.toISOString().split('T')[0];
+        const dayOfWeek = now.getUTCDay(); // 0=Sun, 1=Mon, ...
+        const weekNum = Math.ceil(((+now - +new Date(now.getFullYear(), 0, 1)) / 86400000 + new Date(now.getFullYear(), 0, 1).getDay() + 1) / 7);
+        const dateContext = `<current-date>
+Today: ${now.toLocaleDateString('en-US', { weekday: 'long', year: 'numeric', month: 'long', day: 'numeric' })} (${isoDate}, ISO week ${weekNum}, day ${dayOfWeek})
+Time: ${now.toLocaleTimeString('en-US', { hour: '2-digit', minute: '2-digit', hour12: false, timeZone: 'Europe/Helsinki' })} Europe/Helsinki
+Year: ${now.getFullYear()}
 
-<rules>
+DATE HANDLING — CRITICAL:
+- The current year is ${now.getFullYear()}. When no year is specified, ALWAYS use ${now.getFullYear()} (or ${now.getFullYear() + 1} if the date has already passed this year).
+- European/Finnish dates use DD.MM.YYYY or DD.M.YYYY format (day first, NOT month first). "18.7.2026" = July 18, 2026. "3.12" = December 3. Never confuse day and month.
+- Resolve relative dates in any language (Finnish, Swedish, English, etc.) by calculating from today's date.
+- For activity date fields, always output YYYY-MM-DD format. The system auto-converts to timestamps.
+- If a date is ambiguous, ask the user to clarify.
+</current-date>`;
+        const wsContext = `<workspace-context>
+${this.workspaceOverview}
+</workspace-context>`;
+        const customPrompt = this._systemPrompt?.trim();
+        if (customPrompt) {
+            // Custom prompt = the bot's mission brief. It defines personality, scope, and behavior.
+            // Platform rules and identity are always appended — they keep the bot functional.
+            const body = customPrompt
+                .replace(/\{wsName\}/g, wsName)
+                .replace(/\{userId\}/g, this.userId)
+                .replace(/\{botName\}/g, botName);
+            return `${body}\n\n${platformRules}\n\n${identity}\n\n${dateContext}\n\n${wsContext}`;
+        }
+        // Default prompt — general-purpose workspace assistant with behavioral defaults.
+        const defaultBehavior = `<behavior>
 - Be concise. Short answers, no filler.
 - Never list your capabilities unprompted. If asked what you can do, give a 1-2 sentence summary based on the workspace context below, not a feature dump.
 - Never use emojis unless the user does first.
-- Use tools to answer questions - don't guess or make up data.
-- When a task will require multiple steps (investigating errors, fixing data, bulk lookups), briefly tell the user what you're specifically about to do before starting. Be concrete: "I'll check each insight's SQL and fix any broken column references." NEVER use vague filler like "Let me look into that" — always name the actual action.
+- When a task will require multiple steps, briefly tell the user what you're about to do. Be concrete — never use vague filler like "Let me look into that".
 - When showing data, use clean formatting (tables, bullet points). Don't over-explain.
 - If a request is ambiguous, ask a clarifying question instead of guessing.
-- Always reference actual workspace data (workflow names, field values) - never speak in generic terms.
-- For bulk operations (creating/updating many items), batch into groups of 25-50 per tool call. Never try to create more than 50 items in a single tool call.
-- When a tool call fails, ALWAYS tell the user what failed and why. Never silently try alternatives. If an insight has a SQL error, tell the user the insight is broken, explain what's wrong (e.g. missing column), and offer to fix it using update_insight. Fix the root cause, don't work around it.
-- NEVER output raw URLs like https://app.hailer.com/...
-- When referencing activities, discussions, or users, use hailerTag format: [hailerTag|Display Name](objectId)
-  Examples: [hailerTag|AC Milan](691ffe654217e9e8434e578a) or [hailerTag|John Smith](691ffe654217e9e8434e5123)
-  You always have the name and ID from tool responses - use them directly in this format.
-</rules>
+- Always reference actual workspace data (workflow names, field values) — never speak in generic terms.
+</behavior>`;
+        return `You are a workspace assistant for "${wsName}" on Hailer.
 
-<workspace-context>
-${this.workspaceOverview}
-</workspace-context>`;
+${identity}
+
+${platformRules}
+
+${defaultBehavior}
+
+${dateContext}
+
+${wsContext}`;
     }
     // ===== TOOLS =====
+    static TOOL_STATUS_LABELS = {
+        list_activities: 'Searching activities',
+        count_activities: 'Counting activities',
+        show_activity_by_id: 'Reading activity',
+        create_activity: 'Creating activity',
+        update_activity: 'Updating activity',
+        list_workflows: 'Loading workflows',
+        list_workflows_minimal: 'Loading workflows',
+        get_workflow_schema: 'Reading workflow schema',
+        list_workflow_phases: 'Loading phases',
+        preview_insight: 'Running query',
+        get_insight_data: 'Running report',
+        search_workspace_users: 'Searching users',
+        fetch_discussion_messages: 'Reading messages',
+        add_discussion_message: 'Sending message',
+        join_discussion: 'Joining discussion',
+    };
+    getToolStatus(toolUseBlocks) {
+        if (toolUseBlocks.length === 1) {
+            return Bot.TOOL_STATUS_LABELS[toolUseBlocks[0].name]
+                || toolUseBlocks[0].name.replace(/_/g, ' ');
+        }
+        const firstLabel = Bot.TOOL_STATUS_LABELS[toolUseBlocks[0].name]
+            || toolUseBlocks[0].name.replace(/_/g, ' ');
+        return `${firstLabel} (+${toolUseBlocks.length - 1} more)`;
+    }
     getAnthropicTools() {
+        const allowedTools = BOT_TOOLS;
         const defs = this.toolExecutor.getToolDefinitions({
             allowedGroups: [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND, tool_registry_1.ToolGroup.BOT_INTERNAL],
         });
-        return defs
-            .filter(d => BOT_TOOLS.has(d.name))
+        const tools = defs
+            .filter(d => allowedTools.has(d.name))
             .map(d => ({
             name: d.name,
             description: d.description,
             input_schema: d.inputSchema,
         }));
+        // Mark last tool for prompt caching — tools never change per session
+        if (tools.length > 0) {
+            tools[tools.length - 1].cache_control = { type: 'ephemeral' };
+        }
+        return tools;
     }
     // ===== HAILER MESSAGING =====
     async sendMessage(discussionId, text, links) {
@@ -1091,6 +1366,7 @@ ${this.workspaceOverview}
             this.logger.debug('Refreshing workspace data', { keys, trigger: isFull ? 'full' : Array.from(scopes).join(',') });
             const freshData = await this.client.socket.request('v2.core.init', [keys]);
             // Merge fresh data into existing init (partial update)
+            (0, types_1.normalizeInitProcesses)(freshData);
             if (!this.init) {
                 this.init = freshData;
             }
@@ -1117,6 +1393,7 @@ ${this.workspaceOverview}
                 compactUserData: true,
                 includeWorkspaceNamesInTools: false,
             });
+            this.backfillWorkspaceCacheMembers();
             // Rebuild workspace overview for system prompt
             this.workspaceOverview = (0, workspace_overview_1.generateWorkspaceOverview)(this.init);
             // Update UserContext with fresh data
@@ -1143,95 +1420,112 @@ ${this.workspaceOverview}
             }
         }
     }
-    buildPermissionIndex() {
-        this.permissionIndex.clear();
-        const wsId = this._workspaceId;
-        if (!this.init?.processes || !wsId)
+    /**
+     * Backfill workspaceCache.usersById with entries from network.members
+     * that are missing from init.users (which is only a partial user list).
+     */
+    backfillWorkspaceCacheMembers() {
+        if (!this.workspaceCache || !this.init)
             return;
-        // Extract workspace admins from network members
-        this.adminUserIds.clear();
         const network = this.init.network;
-        if (network?.members) {
-            const members = Array.isArray(network.members) ? network.members : Object.values(network.members);
-            for (const member of members) {
-                if (member.admin === true) {
-                    this.adminUserIds.add(member.uid);
-                }
-            }
-        }
-        // Extract workspace owners from network members
-        this.ownerUserIds.clear();
-        if (network?.members) {
-            const ownerMembers = Array.isArray(network.members) ? network.members : Object.values(network.members);
-            for (const member of ownerMembers) {
-                if (member.owner === true) {
-                    this.ownerUserIds.add(member.uid);
-                }
-            }
-        }
-        const teams = this.init.teams?.[wsId] || {};
-        const groups = this.init.groups?.[wsId] || {};
-        let networkOpenCount = 0;
-        for (const proc of this.init.processes) {
-            const members = proc.members || [];
-            // If any member is network_ (all workspace members), skip indexing — everyone has access
-            if (members.some((m) => m.id.startsWith('network_'))) {
-                networkOpenCount++;
-                continue;
-            }
-            // If any member references a public team, treat as open — all workspace members have access
-            let hasPublicTeam = false;
-            for (const m of members) {
-                if (!m.id.startsWith('team_'))
-                    continue;
-                const team = teams[m.id.slice(5)];
-                if (team) {
-                    if (team.public) {
-                        hasPublicTeam = true;
-                        break;
-                    }
-                }
-            }
-            if (hasPublicTeam) {
-                networkOpenCount++;
-                continue;
-            }
-            const userIds = new Set();
-            for (const member of members) {
-                const id = member.id;
-                if (id.startsWith('user_')) {
-                    userIds.add(id.slice(5));
-                }
-                else if (id.startsWith('team_')) {
-                    const team = teams[id.slice(5)];
-                    if (team?.members) {
-                        for (const uid of team.members) {
-                            userIds.add(typeof uid === 'string' ? uid : uid._id || uid.id || uid.uid);
-                        }
-                    }
-                }
-                else if (id.startsWith('group_')) {
-                    const group = groups[id.slice(6)];
-                    if (group?.members) {
-                        for (const uid of group.members) {
-                            userIds.add(typeof uid === 'string' ? uid : uid._id || uid.id || uid.uid);
-                        }
-                    }
-                }
+        if (!network?.members)
+            return;
+        const members = Array.isArray(network.members) ? network.members : Object.values(network.members);
+        let backfilled = 0;
+        for (const member of members) {
+            if (member.uid && !this.workspaceCache.usersById[member.uid]) {
+                const stub = {
+                    id: member.uid,
+                    firstname: member.firstname || '',
+                    lastname: member.lastname || '',
+                    fullName: member.firstname && member.lastname
+                        ? `${member.firstname} ${member.lastname}`
+                        : member.firstname || member.lastname || '',
+                    companies: [],
+                    lastSeen: 0,
+                };
+                this.workspaceCache.usersById[member.uid] = stub;
+                this.workspaceCache.users.push(stub);
+                backfilled++;
             }
-            // Workflow creator always has access
-            if (proc.uid)
-                userIds.add(proc.uid);
-            this.permissionIndex.set(proc._id, userIds);
         }
+        this.logger.debug('Workspace cache member backfill', {
+            totalMembers: members.length,
+            inInitUsers: members.length - backfilled,
+            backfilled,
+        });
+    }
+    buildPermissionIndex() {
+        const wsId = this._workspaceId;
+        if (!wsId)
+            return;
+        const result = (0, permission_guard_1.buildPermissionIndex)(this.init, wsId);
+        this.permissionIndex = result.permissionIndex;
+        this.adminUserIds = result.adminUserIds;
+        this.ownerUserIds = result.ownerUserIds;
+        this.workspaceMemberIds = result.workspaceMemberIds;
+        this.membersLoaded = result.workspaceMemberIds.size > 0;
+        const totalWorkflows = this.init?.processes?.length || 0;
         this.logger.debug('Permission index built', {
             restricted: this.permissionIndex.size,
-            open: networkOpenCount,
-            totalWorkflows: this.init.processes.length,
+            open: totalWorkflows - this.permissionIndex.size,
+            totalWorkflows,
             totalEntries: Array.from(this.permissionIndex.values()).reduce((n, s) => n + s.size, 0),
             admins: this.adminUserIds.size,
             owners: this.ownerUserIds.size,
+            membersLoaded: this.membersLoaded,
+            workspaceMembers: this.workspaceMemberIds.size,
+            accessLevel: this.config.accessLevel,
+            botWorkflowScope: this.config.allowedWorkflows.length > 0
+                ? `${this.config.allowedWorkflows.length} workflows`
+                : 'all',
         });
+        // Detailed permission map for verification
+        const processNames = new Map();
+        for (const proc of (this.init?.processes || [])) {
+            processNames.set(proc._id, proc.name || proc._id);
+        }
+        // Resolve user IDs to names where possible
+        const userNames = new Map();
+        if (this.workspaceCache?.usersById) {
+            for (const uid of this.workspaceMemberIds) {
+                const user = this.workspaceCache.usersById[uid];
+                if (user)
+                    userNames.set(uid, user.fullName || user.email || uid);
+            }
+        }
+        const resolve = (uid) => {
+            const name = userNames.get(uid);
+            return name ? `${name} (${uid})` : uid;
+        };
+        this.logger.debug('Permission map — admins', {
+            admins: [...this.adminUserIds].map(resolve),
+        });
+        this.logger.debug('Permission map — owners', {
+            owners: [...this.ownerUserIds].map(resolve),
+        });
+        this.logger.debug('Permission map — workspace members', {
+            members: [...this.workspaceMemberIds].map(resolve),
+        });
+        // Log each restricted workflow with its allowed users
+        for (const [wfId, userIds] of this.permissionIndex) {
+            this.logger.debug('Permission map — restricted workflow', {
+                workflow: processNames.get(wfId) || wfId,
+                workflowId: wfId,
+                allowedUsers: [...userIds].map(resolve),
+                allowedCount: userIds.size,
+            });
+        }
+        // Log open workflows
+        const openWorkflows = (this.init?.processes || [])
+            .filter((p) => !this.permissionIndex.has(p._id))
+            .map((p) => p.name || p._id);
+        if (openWorkflows.length > 0) {
+            this.logger.debug('Permission map — open workflows (all members)', {
+                workflows: openWorkflows,
+                count: openWorkflows.length,
+            });
+        }
     }
     getOrCreateDiscussionState(discussionId) {
         let state = this.discussionStates.get(discussionId);
@@ -1271,6 +1565,88 @@ ${this.workspaceOverview}
             return undefined;
         return Object.keys(workspaceTeams)[0];
     }
+    // ===== UNIFIED PERMISSION SYSTEM =====
+    /** Get the current permission context for checkWorkflowAccess calls */
+    getPermissionContext() {
+        return {
+            allowedWorkflows: this.config.allowedWorkflows,
+            permissionIndex: this.permissionIndex,
+            adminUserIds: this.adminUserIds,
+            ownerUserIds: this.ownerUserIds,
+            insightWorkflowCache: this.insightWorkflowCache,
+        };
+    }
+    /**
+     * Post-filter list-type tool results to remove items the user can't access.
+     * Handles list_workflows, list_workflows_minimal, and list_insights.
+     */
+    async postFilterListResults(toolName, contentStr, senderId, discussionId) {
+        const ctx = this.getPermissionContext();
+        // Filter workflow lists (JSON response)
+        if (toolName === 'list_workflows' || toolName === 'list_workflows_minimal') {
+            try {
+                const parsed = JSON.parse(contentStr);
+                if (parsed.workflows && Array.isArray(parsed.workflows)) {
+                    const before = parsed.workflows.length;
+                    parsed.workflows = parsed.workflows.filter((wf) => {
+                        const wfId = wf.id || wf._id || wf.workflowId;
+                        if (!wfId)
+                            return true;
+                        return !(0, permission_guard_1.checkWorkflowAccess)([wfId], senderId, ctx);
+                    });
+                    if (parsed.workflows.length < before) {
+                        this.opLogger.permFiltered(discussionId, toolName, before, parsed.workflows.length);
+                    }
+                    return JSON.stringify(parsed);
+                }
+            }
+            catch {
+                // Not JSON (markdown response) — pass through unmodified
+                return contentStr;
+            }
+        }
+        // Filter insight lists (formatted text response — need raw API data)
+        if (toolName === 'list_insights') {
+            try {
+                const wsId = this._workspaceId || this.init?.network?._id;
+                if (wsId && this.hailerApi) {
+                    const rawInsights = await this.hailerApi.request('v3.insight.list', [wsId]);
+                    const insights = Array.isArray(rawInsights) ? rawInsights : [];
+                    const deniedIds = new Set();
+                    for (const insight of insights) {
+                        const wfIds = [];
+                        for (const src of (insight.sources || [])) {
+                            if (src.workflowId)
+                                wfIds.push(src.workflowId);
+                        }
+                        // Always cache the mapping
+                        if (wfIds.length > 0) {
+                            this.insightWorkflowCache.set(insight._id, new Set(wfIds));
+                        }
+                        // Check access
+                        if ((0, permission_guard_1.checkWorkflowAccess)(wfIds, senderId, ctx)) {
+                            deniedIds.add(insight._id);
+                        }
+                    }
+                    if (deniedIds.size > 0) {
+                        let filtered = contentStr;
+                        for (const id of deniedIds) {
+                            const pattern = new RegExp(`\\d+\\.\\s+\\*\\*[^*]+\\*\\*\\n(?:.*\\n)*?\\s+-\\s+Insight ID:\\s+\`${id}\`(?:.*\\n)*?(?=\\d+\\.\\s+\\*\\*|💡|$)`, 'g');
+                            filtered = filtered.replace(pattern, '');
+                        }
+                        const visibleCount = insights.length - deniedIds.size;
+                        filtered = filtered.replace(/\*\*Insights Found\*\*\s+\(\d+ total\)/, `**Insights Found** (${visibleCount} total)`);
+                        this.opLogger.permFiltered(discussionId, toolName, insights.length, visibleCount);
+                        return filtered;
+                    }
+                }
+            }
+            catch (err) {
+                this.logger.warn('Failed to filter list_insights by permissions', { error: err });
+            }
+        }
+        return contentStr;
+    }
     /**
      * Extract workflow ID from tool result for post-execution permission checks.
      * Returns the workflow ID if found, or undefined if extraction fails.