npm - @hasna/conversations - Versions diffs - 0.2.42 → 0.2.44 - Mend

@hasna/conversations 0.2.42 → 0.2.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -5,44 +5,65 @@ var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toESMCache_node;
+var __toESMCache_esm;
 var __toESM = (mod, isNodeMode, target) => {
+  var canCache = mod != null && typeof mod === "object";
+  if (canCache) {
+    var cache = isNodeMode ? __toESMCache_node ??= new WeakMap : __toESMCache_esm ??= new WeakMap;
+    var cached = cache.get(mod);
+    if (cached)
+      return cached;
+  }
   target = mod != null ? __create(__getProtoOf(mod)) : {};
   const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
   for (let key of __getOwnPropNames(mod))
     if (!__hasOwnProp.call(to, key))
       __defProp(to, key, {
-        get: () => mod[key],
+        get: __accessProp.bind(mod, key),
         enumerable: true
       });
+  if (canCache)
+    cache.set(mod, to);
   return to;
 };
-var __moduleCache = /* @__PURE__ */ new WeakMap;
 var __toCommonJS = (from) => {
-  var entry = __moduleCache.get(from), desc;
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
   if (entry)
     return entry;
   entry = __defProp({}, "__esModule", { value: true });
-  if (from && typeof from === "object" || typeof from === "function")
-    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
-      get: () => from[key],
-      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-    }));
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
   __moduleCache.set(from, entry);
   return entry;
 };
+var __moduleCache;
 var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
       get: all[name],
       enumerable: true,
       configurable: true,
-      set: (newValue) => all[name] = () => newValue
+      set: __exportSetter.bind(all, name)
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-// ../../../../node_modules/@hasna/cloud/dist/index.js
+// node_modules/@hasna/cloud/dist/index.js
 import { createRequire } from "module";
 import { Database } from "bun:sqlite";
 import {
@@ -63,11 +84,11 @@ import { homedir as homedir4 } from "os";
 import { join as join4 } from "path";
 import { join as join6, dirname } from "path";
 import { homedir as homedir5, platform } from "os";
-function __accessProp(key) {
+function __accessProp2(key) {
   return this[key];
 }
-function __exportSetter(name, newValue) {
-  this[name] = __returnValue.bind(null, newValue);
+function __exportSetter2(name, newValue) {
+  this[name] = __returnValue2.bind(null, newValue);
 }
 function translateSql(sql, dialect) {
   if (dialect === "sqlite")
@@ -1097,10 +1118,10 @@ class SyncProgressTracker {
     }
   }
 }
-var __create2, __getProtoOf2, __defProp2, __getOwnPropNames2, __hasOwnProp2, __toESMCache_node, __toESMCache_esm, __toESM2 = (mod, isNodeMode, target) => {
+var __create2, __getProtoOf2, __defProp2, __getOwnPropNames2, __hasOwnProp2, __toESMCache_node2, __toESMCache_esm2, __toESM2 = (mod, isNodeMode, target) => {
   var canCache = mod != null && typeof mod === "object";
   if (canCache) {
-    var cache = isNodeMode ? __toESMCache_node ??= new WeakMap : __toESMCache_esm ??= new WeakMap;
+    var cache = isNodeMode ? __toESMCache_node2 ??= new WeakMap : __toESMCache_esm2 ??= new WeakMap;
     var cached = cache.get(mod);
     if (cached)
       return cached;
@@ -1110,19 +1131,19 @@ var __create2, __getProtoOf2, __defProp2, __getOwnPropNames2, __hasOwnProp2, __t
   for (let key of __getOwnPropNames2(mod))
     if (!__hasOwnProp2.call(to, key))
       __defProp2(to, key, {
-        get: __accessProp.bind(mod, key),
+        get: __accessProp2.bind(mod, key),
         enumerable: true
       });
   if (canCache)
     cache.set(mod, to);
   return to;
-}, __commonJS2 = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports), __returnValue = (v) => v, __export2 = (target, all) => {
+}, __commonJS2 = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports), __returnValue2 = (v) => v, __export2 = (target, all) => {
   for (var name in all)
     __defProp2(target, name, {
       get: all[name],
       enumerable: true,
       configurable: true,
-      set: __exportSetter.bind(all, name)
+      set: __exportSetter2.bind(all, name)
     });
 }, __esm2 = (fn, res) => () => (fn && (res = fn(fn = 0)), res), __require, require_postgres_array, require_arrayParser, require_postgres_date, require_mutable, require_postgres_interval, require_postgres_bytea, require_textParsers, require_pg_int8, require_binaryParsers, require_builtins, require_pg_types, require_defaults, require_utils, require_utils_legacy, require_utils_webcrypto, require_utils2, require_cert_signatures, require_sasl, require_type_overrides, require_pg_connection_string, require_connection_parameters, require_result, require_query, require_messages, require_buffer_writer, require_serializer, require_buffer_reader, require_parser, require_dist, require_empty, require_stream, require_connection, require_split2, require_helper, require_lib, require_client, require_pg_pool, require_query2, require_client2, require_lib2, import_lib, Client, Pool, Connection, types, Query, DatabaseError, escapeIdentifier, escapeLiteral, Result, TypeOverrides, defaults, esm_default, init_esm, init_adapter, util, objectUtil, ZodParsedType, getParsedType = (data) => {
   const t = typeof data;
@@ -9459,6 +9480,137 @@ function getDbPath2() {
     return process.env.CONVERSATIONS_DB_PATH;
   return join5(getDataDir2(), "messages.db");
 }
+function parsePresenceTimestamp(value) {
+  if (typeof value !== "string" || !value)
+    return 0;
+  return new Date(`${value}Z`).getTime() || 0;
+}
+function normalizePresenceText(value) {
+  if (typeof value !== "string")
+    return null;
+  const normalized = value.trim();
+  return normalized ? normalized : null;
+}
+function shouldRebuildAgentPresenceTable(columns) {
+  const byName = new Map(columns.map((column) => [column.name, column]));
+  const agentCol = byName.get("agent");
+  const projectCol = byName.get("project_id");
+  if (!agentCol)
+    return false;
+  if (!projectCol)
+    return true;
+  return agentCol.pk !== 1 || projectCol.pk !== 2 || projectCol.notnull !== 1 || byName.has("pid");
+}
+function rebuildLegacyAgentPresenceTable(db2) {
+  const fallbackNow = db2.prepare("SELECT strftime('%Y-%m-%dT%H:%M:%f', 'now') AS now").get().now;
+  const legacyRows = db2.prepare("SELECT rowid AS _rowid, * FROM agent_presence").all();
+  legacyRows.sort((left, right) => {
+    const lastSeenDelta = parsePresenceTimestamp(right.last_seen_at) - parsePresenceTimestamp(left.last_seen_at);
+    if (lastSeenDelta !== 0)
+      return lastSeenDelta;
+    const createdDelta = parsePresenceTimestamp(right.created_at) - parsePresenceTimestamp(left.created_at);
+    if (createdDelta !== 0)
+      return createdDelta;
+    const projectDelta = Number(Boolean(normalizePresenceText(right.project_id))) - Number(Boolean(normalizePresenceText(left.project_id)));
+    if (projectDelta !== 0)
+      return projectDelta;
+    return right._rowid - left._rowid;
+  });
+  const dedupedRows = new Map;
+  for (const row of legacyRows) {
+    const normalizedAgent = normalizePresenceText(row.agent)?.toLowerCase();
+    if (!normalizedAgent)
+      continue;
+    const storedProjectId = normalizePresenceText(row.project_id) ?? "";
+    const dedupeKey = `${normalizedAgent}\x00${storedProjectId}`;
+    if (dedupedRows.has(dedupeKey))
+      continue;
+    dedupedRows.set(dedupeKey, row);
+  }
+  db2.exec("BEGIN");
+  try {
+    db2.exec(`
+      CREATE TABLE agent_presence_new (
+        id TEXT NOT NULL,
+        agent TEXT NOT NULL,
+        session_id TEXT,
+        role TEXT NOT NULL DEFAULT 'agent',
+        project_id TEXT NOT NULL DEFAULT '',
+        status TEXT NOT NULL DEFAULT 'online',
+        last_seen_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%f', 'now')),
+        created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%f', 'now')),
+        metadata TEXT,
+        PRIMARY KEY (agent, project_id)
+      )
+    `);
+    const insertPresence = db2.prepare(`
+      INSERT INTO agent_presence_new (id, agent, session_id, role, project_id, status, last_seen_at, created_at, metadata)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+    for (const [dedupeKey, row] of dedupedRows) {
+      const [agent, projectKey] = dedupeKey.split("\x00");
+      const id = normalizePresenceText(row.id) ?? crypto.randomUUID().slice(0, 8);
+      const sessionId = normalizePresenceText(row.session_id);
+      const role = normalizePresenceText(row.role) ?? "agent";
+      const projectId = projectKey;
+      const status = normalizePresenceText(row.status) ?? "online";
+      const lastSeenAt = normalizePresenceText(row.last_seen_at) ?? fallbackNow;
+      const createdAt = normalizePresenceText(row.created_at) ?? lastSeenAt;
+      const metadata = typeof row.metadata === "string" ? row.metadata : row.metadata == null ? null : JSON.stringify(row.metadata);
+      insertPresence.run(id, agent, sessionId, role, projectId, status, lastSeenAt, createdAt, metadata);
+    }
+    db2.exec("DROP TABLE agent_presence");
+    db2.exec("ALTER TABLE agent_presence_new RENAME TO agent_presence");
+    db2.exec("COMMIT");
+  } catch (error) {
+    db2.exec("ROLLBACK");
+    throw error;
+  }
+}
+function collapseDuplicateAgentPresenceRows(db2) {
+  const rows = db2.prepare("SELECT rowid AS _rowid, * FROM agent_presence").all();
+  rows.sort((left, right) => {
+    const lastSeenDelta = parsePresenceTimestamp(right.last_seen_at) - parsePresenceTimestamp(left.last_seen_at);
+    if (lastSeenDelta !== 0)
+      return lastSeenDelta;
+    const createdDelta = parsePresenceTimestamp(right.created_at) - parsePresenceTimestamp(left.created_at);
+    if (createdDelta !== 0)
+      return createdDelta;
+    const projectDelta = Number(Boolean(normalizePresenceText(right.project_id))) - Number(Boolean(normalizePresenceText(left.project_id)));
+    if (projectDelta !== 0)
+      return projectDelta;
+    return right._rowid - left._rowid;
+  });
+  const rowIdsToDelete = [];
+  const seenAgents = new Set;
+  for (const row of rows) {
+    const normalizedAgent = normalizePresenceText(row.agent)?.toLowerCase();
+    if (!normalizedAgent)
+      continue;
+    if (seenAgents.has(normalizedAgent)) {
+      rowIdsToDelete.push(row._rowid);
+      continue;
+    }
+    seenAgents.add(normalizedAgent);
+  }
+  if (rowIdsToDelete.length === 0)
+    return;
+  db2.exec("BEGIN");
+  try {
+    const deleteRow = db2.prepare("DELETE FROM agent_presence WHERE rowid = ?");
+    for (const rowId of rowIdsToDelete) {
+      deleteRow.run(rowId);
+    }
+    db2.exec("COMMIT");
+  } catch (error) {
+    db2.exec("ROLLBACK");
+    throw error;
+  }
+}
+function ensureAgentPresenceAgentUniqueIndex(db2) {
+  collapseDuplicateAgentPresenceRows(db2);
+  db2.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_agent_presence_agent_unique ON agent_presence(agent)");
+}
 function getDb() {
   if (db)
     return db;
@@ -9531,16 +9683,18 @@ function getDb() {
   db.exec(`
     CREATE TABLE IF NOT EXISTS agent_presence (
       id TEXT NOT NULL,
-      agent TEXT PRIMARY KEY,
+      agent TEXT NOT NULL,
       session_id TEXT,
       role TEXT NOT NULL DEFAULT 'agent',
-      project_id TEXT,
+      project_id TEXT NOT NULL DEFAULT '',
       status TEXT NOT NULL DEFAULT 'online',
       last_seen_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%f', 'now')),
       created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%f', 'now')),
-      metadata TEXT
+      metadata TEXT,
+      PRIMARY KEY (agent, project_id)
     )
   `);
+  ensureAgentPresenceAgentUniqueIndex(db);
   db.exec(`
     CREATE TABLE IF NOT EXISTS resource_locks (
       resource_type TEXT NOT NULL,
@@ -9642,8 +9796,13 @@ function getDb() {
     db.exec("UPDATE messages SET uuid = lower(hex(randomblob(16))) WHERE uuid IS NULL");
     db.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_messages_uuid ON messages(uuid)");
   }
-  const presenceCols = db.prepare("PRAGMA table_info(agent_presence)").all();
-  const presenceColNames = presenceCols.map((c) => c.name);
+  let presenceCols = db.prepare("PRAGMA table_info(agent_presence)").all();
+  let presenceColNames = presenceCols.map((c) => c.name);
+  if (shouldRebuildAgentPresenceTable(presenceCols)) {
+    rebuildLegacyAgentPresenceTable(db);
+    presenceCols = db.prepare("PRAGMA table_info(agent_presence)").all();
+    presenceColNames = presenceCols.map((c) => c.name);
+  }
   if (!presenceColNames.includes("id")) {
     db.exec("ALTER TABLE agent_presence ADD COLUMN id TEXT NOT NULL DEFAULT ''");
     const rows = db.prepare("SELECT agent FROM agent_presence").all();
@@ -9664,7 +9823,9 @@ function getDb() {
   }
   if (!presenceColNames.includes("project_id")) {
     db.exec("ALTER TABLE agent_presence ADD COLUMN project_id TEXT");
+    db.exec("UPDATE agent_presence SET project_id = '' WHERE project_id IS NULL");
   }
+  ensureAgentPresenceAgentUniqueIndex(db);
   db.exec(`
     CREATE TABLE IF NOT EXISTS message_read_receipts (
       message_id INTEGER NOT NULL REFERENCES messages(id) ON DELETE CASCADE,
@@ -11386,14 +11547,14 @@ Check the top-level render call using <` + parentName + ">.";
             var thenableResult = result;
             var wasAwaited = false;
             var thenable = {
-              then: function(resolve, reject) {
+              then: function(resolve2, reject) {
                 wasAwaited = true;
                 thenableResult.then(function(returnValue2) {
                   popActScope(prevActScopeDepth);
                   if (actScopeDepth === 0) {
-                    recursivelyFlushAsyncActWork(returnValue2, resolve, reject);
+                    recursivelyFlushAsyncActWork(returnValue2, resolve2, reject);
                   } else {
-                    resolve(returnValue2);
+                    resolve2(returnValue2);
                   }
                 }, function(error2) {
                   popActScope(prevActScopeDepth);
@@ -11422,20 +11583,20 @@ Check the top-level render call using <` + parentName + ">.";
                 ReactCurrentActQueue.current = null;
               }
               var _thenable = {
-                then: function(resolve, reject) {
+                then: function(resolve2, reject) {
                   if (ReactCurrentActQueue.current === null) {
                     ReactCurrentActQueue.current = [];
-                    recursivelyFlushAsyncActWork(returnValue, resolve, reject);
+                    recursivelyFlushAsyncActWork(returnValue, resolve2, reject);
                   } else {
-                    resolve(returnValue);
+                    resolve2(returnValue);
                   }
                 }
               };
               return _thenable;
             } else {
               var _thenable2 = {
-                then: function(resolve, reject) {
-                  resolve(returnValue);
+                then: function(resolve2, reject) {
+                  resolve2(returnValue);
                 }
               };
               return _thenable2;
@@ -11451,7 +11612,7 @@ Check the top-level render call using <` + parentName + ">.";
           actScopeDepth = prevActScopeDepth;
         }
       }
-      function recursivelyFlushAsyncActWork(returnValue, resolve, reject) {
+      function recursivelyFlushAsyncActWork(returnValue, resolve2, reject) {
         {
           var queue = ReactCurrentActQueue.current;
           if (queue !== null) {
@@ -11460,16 +11621,16 @@ Check the top-level render call using <` + parentName + ">.";
               enqueueTask(function() {
                 if (queue.length === 0) {
                   ReactCurrentActQueue.current = null;
-                  resolve(returnValue);
+                  resolve2(returnValue);
                 } else {
-                  recursivelyFlushAsyncActWork(returnValue, resolve, reject);
+                  recursivelyFlushAsyncActWork(returnValue, resolve2, reject);
                 }
               });
             } catch (error2) {
               reject(error2);
             }
           } else {
-            resolve(returnValue);
+            resolve2(returnValue);
           }
         }
       }
@@ -11560,13 +11721,15 @@ var require_react = __commonJS((exports, module) => {
 // src/lib/messages.ts
 init_db();
 import { randomUUID } from "crypto";
-import { mkdirSync as mkdirSync5, copyFileSync as copyFileSync3, statSync as statSync2 } from "fs";
-import { join as join8 } from "path";
+import { mkdirSync as mkdirSync5, copyFileSync as copyFileSync3, statSync as statSync2, existsSync as existsSync6, realpathSync } from "fs";
+import { join as join8, basename, resolve } from "path";
 // src/lib/webhooks.ts
 init_db();
 import { readFileSync as readFileSync2 } from "fs";
 import { join as join7 } from "path";
+import dns from "dns";
+import net from "net";
 var cachedConfig = null;
 var configLoadedAt = 0;
 var CONFIG_CACHE_MS = 1e4;
@@ -11601,6 +11764,44 @@ function matchesEvent(webhook, msg) {
   }
   return false;
 }
+function isPrivateIP(ip) {
+  if (net.isIPv4(ip)) {
+    const parts = ip.split(".").map(Number);
+    if (parts[0] === 10)
+      return true;
+    if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31)
+      return true;
+    if (parts[0] === 192 && parts[1] === 168)
+      return true;
+    if (parts[0] === 127)
+      return true;
+    if (parts[0] === 169 && parts[1] === 254)
+      return true;
+    if (parts[0] === 0)
+      return true;
+  } else if (net.isIPv6(ip)) {
+    const lower = ip.toLowerCase();
+    if (lower === "::1" || lower.startsWith("::ffff:") || lower.startsWith("fc") || lower.startsWith("fd"))
+      return true;
+  }
+  return false;
+}
+async function validateWebhookUrl(urlStr) {
+  try {
+    const url = new URL(urlStr);
+    if (url.protocol !== "https:")
+      return false;
+    const hostname = url.hostname;
+    if (hostname === "localhost" || hostname === "0.0.0.0" || hostname === "127.0.0.1" || hostname === "::1")
+      return false;
+    const addresses = await dns.promises.lookup(hostname, { all: true });
+    if (!Array.isArray(addresses))
+      return false;
+    return !addresses.some((a) => isPrivateIP(a.address));
+  } catch {
+    return false;
+  }
+}
 function fireWebhooks(msg) {
   const config = loadConfig();
   if (!config.webhooks || config.webhooks.length === 0)
@@ -11610,20 +11811,24 @@ function fireWebhooks(msg) {
       continue;
     if (!matchesEvent(webhook, msg))
       continue;
-    fetch(webhook.url, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        id: msg.id,
-        from: msg.from_agent,
-        to: msg.to_agent,
-        space: msg.space,
-        content: msg.content,
-        priority: msg.priority,
-        blocking: msg.blocking,
-        created_at: msg.created_at
-      })
-    }).catch(() => {});
+    validateWebhookUrl(webhook.url).then((valid) => {
+      if (!valid)
+        return;
+      fetch(webhook.url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: msg.id,
+          from: msg.from_agent,
+          to: msg.to_agent,
+          space: msg.space,
+          content: msg.content,
+          priority: msg.priority,
+          blocking: msg.blocking,
+          created_at: msg.created_at
+        })
+      }).catch(() => {});
+    });
   }
 }
@@ -11668,6 +11873,22 @@ function getAttachmentsDir() {
     return process.env.CONVERSATIONS_ATTACHMENTS_DIR;
   return join8(getDataDir2(), "attachments");
 }
+function validateAttachment(sourcePath, name) {
+  const absolute = resolve(sourcePath);
+  if (!existsSync6(absolute)) {
+    throw new Error(`Attachment source not found: ${sourcePath}`);
+  }
+  const real = realpathSync(absolute);
+  const stat = statSync2(real);
+  if (!stat.isFile()) {
+    throw new Error(`Attachment source must be a regular file: ${sourcePath}`);
+  }
+  const safeName = basename(name.replace(/\0/g, ""));
+  if (!safeName || safeName.startsWith(".")) {
+    throw new Error(`Invalid attachment name: ${name}`);
+  }
+  return { safeSource: real, safeName };
+}
 function guessMimeType(name) {
   const ext = name.split(".").pop()?.toLowerCase();
   const mimeMap = {
@@ -11739,14 +11960,15 @@ function sendMessage(opts) {
     mkdirSync5(attachmentsDir, { recursive: true });
     const attachmentInfos = [];
     for (const att of opts.attachments) {
-      const destPath = join8(attachmentsDir, att.name);
-      copyFileSync3(att.source_path, destPath);
+      const { safeSource, safeName } = validateAttachment(att.source_path, att.name);
+      const destPath = join8(attachmentsDir, safeName);
+      copyFileSync3(safeSource, destPath);
       const stat = statSync2(destPath);
       attachmentInfos.push({
-        name: att.name,
+        name: safeName,
         path: destPath,
         size: stat.size,
-        mime_type: guessMimeType(att.name)
+        mime_type: guessMimeType(safeName)
       });
     }
     const attachmentsJson = JSON.stringify(attachmentInfos);
@@ -11808,8 +12030,10 @@ function readMessages(opts = {}) {
   const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
   const resolvedLimit = isLatest ? Math.floor(opts.latest) : Number.isFinite(opts.limit) && opts.limit > 0 ? Math.floor(opts.limit) : 20;
   const order = isLatest ? "DESC" : opts.order?.toLowerCase() === "desc" ? "DESC" : "ASC";
-  const resolvedOffset = opts.offset && opts.offset > 0 ? Math.floor(opts.offset) : 0;
-  const rows = db2.prepare(`SELECT * FROM messages ${where} ORDER BY created_at ${order}, id ${order} LIMIT ${resolvedLimit} OFFSET ${resolvedOffset}`).all(...params);
+  const resolvedOffset = Number.isFinite(opts.offset) ? Math.floor(opts.offset) : 0;
+  const safeLimit = Math.max(1, Math.min(resolvedLimit, 1e4));
+  const safeOffset = Math.max(0, Math.floor(resolvedOffset));
+  const rows = db2.prepare(`SELECT * FROM messages ${where} ORDER BY created_at ${order}, id ${order} LIMIT ${safeLimit} OFFSET ${safeOffset}`).all(...params);
   let messages = rows.map(parseMessage);
   if (opts.include_reply_counts && messages.length > 0) {
     const db22 = getDb();
@@ -11954,8 +12178,9 @@ function getPinnedMessages(opts) {
     params.push(opts.session_id);
   }
   const where = `WHERE ${conditions.join(" AND ")}`;
-  const limit = Number.isFinite(opts?.limit) && opts.limit > 0 ? `LIMIT ${Math.floor(opts.limit)}` : "";
-  const rows = db2.prepare(`SELECT * FROM messages ${where} ORDER BY pinned_at DESC, id DESC ${limit}`).all(...params);
+  const safeLimit = Number.isFinite(opts?.limit) && opts.limit > 0 ? Math.floor(opts.limit) : 0;
+  const limitClause = safeLimit > 0 ? `LIMIT ${safeLimit}` : "";
+  const rows = db2.prepare(`SELECT * FROM messages ${where} ORDER BY pinned_at DESC, id DESC ${limitClause}`).all(...params);
   return rows.map(parseMessage);
 }
 function getUnreadBlockers(agent) {
@@ -13064,6 +13289,33 @@ function getReactionSummary(messageId) {
 init_db();
 var ONLINE_THRESHOLD_SECONDS = 60;
 var CONFLICT_THRESHOLD_SECONDS = 30 * 60;
+function normalizeAgentName(name) {
+  return name.trim().toLowerCase();
+}
+function toStoredProjectId(projectId) {
+  const normalized = projectId?.trim() ?? "";
+  return normalized || "";
+}
+function fromStoredProjectId(projectId) {
+  const normalized = typeof projectId === "string" ? projectId.trim() : "";
+  return normalized || null;
+}
+function getPresenceByAgent(db2, agent) {
+  return db2.prepare(`
+    SELECT * FROM agent_presence
+    WHERE LOWER(agent) = ?
+    ORDER BY last_seen_at DESC
+    LIMIT 1
+  `).get(agent);
+}
+function getPresenceByAgentAndProject(db2, agent, projectId) {
+  return db2.prepare(`
+    SELECT * FROM agent_presence
+    WHERE LOWER(agent) = ? AND COALESCE(project_id, '') = ?
+    ORDER BY last_seen_at DESC
+    LIMIT 1
+  `).get(agent, projectId);
+}
 function parsePresence(row) {
   let metadata = null;
   if (row.metadata) {
@@ -13082,7 +13334,7 @@ function parsePresence(row) {
     agent: row.agent,
     session_id: row.session_id ?? null,
     role: row.role || "agent",
-    project_id: row.project_id ?? null,
+    project_id: fromStoredProjectId(row.project_id),
     status: row.status,
     last_seen_at: lastSeenAt,
     created_at: row.created_at || lastSeenAt,
@@ -13100,9 +13352,10 @@ function isAgentConflict(result) {
 }
 function registerAgent(name, sessionId, role, projectId) {
   const db2 = getDb();
-  const normalizedName = name.trim().toLowerCase();
+  const normalizedName = normalizeAgentName(name);
   const result = db2.transaction(() => {
-    const existing = db2.prepare("SELECT * FROM agent_presence WHERE agent = ?").get(normalizedName);
+    const existing = getPresenceByAgent(db2, normalizedName);
+    const storedProjectId = toStoredProjectId(projectId ?? existing?.project_id);
     if (existing) {
       const lastSeenAt = existing.last_seen_at;
       const existingSessionId = existing.session_id;
@@ -13120,12 +13373,26 @@ function registerAgent(name, sessionId, role, projectId) {
         };
       }
       const tookOver = existingSessionId !== sessionId;
-      db2.prepare(`
-        UPDATE agent_presence
-        SET session_id = ?, role = ?, project_id = ?, last_seen_at = strftime('%Y-%m-%dT%H:%M:%f', 'now')
-        WHERE agent = ?
-      `).run(sessionId, role || existing.role || "agent", projectId ?? existing.project_id ?? null, normalizedName);
-      const updated = db2.prepare("SELECT * FROM agent_presence WHERE agent = ?").get(normalizedName);
+      const existingId = existing.id;
+      const target = getPresenceByAgentAndProject(db2, normalizedName, storedProjectId);
+      if (target && target.id !== existingId) {
+        db2.prepare(`
+          UPDATE agent_presence
+          SET session_id = ?, role = ?, status = 'online', last_seen_at = strftime('%Y-%m-%dT%H:%M:%f', 'now')
+          WHERE id = ?
+        `).run(sessionId, role || existing.role || "agent", target.id);
+        db2.prepare("DELETE FROM agent_presence WHERE id = ?").run(existingId);
+      } else {
+        db2.prepare(`
+          UPDATE agent_presence
+          SET session_id = ?, role = ?, project_id = ?, status = 'online', last_seen_at = strftime('%Y-%m-%dT%H:%M:%f', 'now')
+          WHERE id = ?
+        `).run(sessionId, role || existing.role || "agent", storedProjectId, existingId);
+      }
+      const updated = getPresenceByAgentAndProject(db2, normalizedName, storedProjectId) ?? getPresenceByAgent(db2, normalizedName);
+      if (!updated) {
+        throw new Error(`Failed to update presence for agent "${normalizedName}"`);
+      }
       return { agent: parsePresence(updated), created: false, took_over: tookOver };
     }
     const id = crypto.randomUUID().slice(0, 8);
@@ -13133,33 +13400,60 @@ function registerAgent(name, sessionId, role, projectId) {
     db2.prepare(`
       INSERT INTO agent_presence (id, agent, session_id, role, project_id, status, last_seen_at, created_at)
       VALUES (?, ?, ?, ?, ?, 'online', strftime('%Y-%m-%dT%H:%M:%f', 'now'), strftime('%Y-%m-%dT%H:%M:%f', 'now'))
-    `).run(id, normalizedName, sessionId, resolvedRole, projectId ?? null);
-    const created = db2.prepare("SELECT * FROM agent_presence WHERE agent = ?").get(normalizedName);
+    `).run(id, normalizedName, sessionId, resolvedRole, storedProjectId);
+    const created = getPresenceByAgentAndProject(db2, normalizedName, storedProjectId) ?? getPresenceByAgent(db2, normalizedName);
+    if (!created) {
+      throw new Error(`Failed to create presence for agent "${normalizedName}"`);
+    }
     return { agent: parsePresence(created), created: true, took_over: false };
   });
   return result;
 }
-function heartbeat(agent, status, metadata, sessionId) {
+function heartbeat(agent, status, metadata, sessionId, projectId) {
   const db2 = getDb();
   const metadataJson = metadata ? JSON.stringify(metadata) : null;
   const resolvedStatus = status || "online";
-  const normalizedAgent = agent.trim().toLowerCase();
-  const existing = db2.prepare("SELECT id FROM agent_presence WHERE agent = ?").get(agent);
-  const id = existing?.id || crypto.randomUUID().slice(0, 8);
-  db2.prepare(`
-    INSERT INTO agent_presence (id, agent, session_id, role, status, last_seen_at, created_at, metadata)
-    VALUES (?, ?, ?, 'agent', ?, strftime('%Y-%m-%dT%H:%M:%f', 'now'), strftime('%Y-%m-%dT%H:%M:%f', 'now'), ?)
-    ON CONFLICT(agent) DO UPDATE SET
-      status = excluded.status,
-      last_seen_at = excluded.last_seen_at,
-      session_id = COALESCE(excluded.session_id, agent_presence.session_id),
-      metadata = excluded.metadata
-  `).run(id, normalizedAgent, sessionId ?? null, resolvedStatus, metadataJson);
+  const normalizedAgent = normalizeAgentName(agent);
+  db2.transaction(() => {
+    const existing = getPresenceByAgent(db2, normalizedAgent);
+    const storedProjectId = toStoredProjectId(projectId ?? existing?.project_id);
+    const id = existing?.id || crypto.randomUUID().slice(0, 8);
+    if (existing) {
+      const existingId = existing.id;
+      const target = getPresenceByAgentAndProject(db2, normalizedAgent, storedProjectId);
+      if (target && target.id !== existingId) {
+        db2.prepare(`
+          UPDATE agent_presence
+          SET status = ?,
+              last_seen_at = strftime('%Y-%m-%dT%H:%M:%f', 'now'),
+              session_id = COALESCE(?, session_id),
+              metadata = ?
+          WHERE id = ?
+        `).run(resolvedStatus, sessionId ?? null, metadataJson, target.id);
+        db2.prepare("DELETE FROM agent_presence WHERE id = ?").run(existingId);
+        return;
+      }
+      db2.prepare(`
+        UPDATE agent_presence
+        SET status = ?,
+            last_seen_at = strftime('%Y-%m-%dT%H:%M:%f', 'now'),
+            session_id = COALESCE(?, session_id),
+            metadata = ?,
+            project_id = ?
+        WHERE id = ?
+      `).run(resolvedStatus, sessionId ?? null, metadataJson, storedProjectId, existingId);
+      return;
+    }
+    db2.prepare(`
+      INSERT INTO agent_presence (id, agent, session_id, role, project_id, status, last_seen_at, created_at, metadata)
+      VALUES (?, ?, ?, 'agent', ?, ?, strftime('%Y-%m-%dT%H:%M:%f', 'now'), strftime('%Y-%m-%dT%H:%M:%f', 'now'), ?)
+    `).run(id, normalizedAgent, sessionId ?? null, storedProjectId, resolvedStatus, metadataJson);
+  });
 }
 function getPresence(agent) {
   const db2 = getDb();
-  const normalizedAgent = agent.trim().toLowerCase();
-  const row = db2.prepare("SELECT * FROM agent_presence WHERE LOWER(agent) = ?").get(normalizedAgent);
+  const normalizedAgent = normalizeAgentName(agent);
+  const row = getPresenceByAgent(db2, normalizedAgent);
   return row ? parsePresence(row) : null;
 }
 function listAgents(opts) {
@@ -13174,14 +13468,14 @@ function listAgents(opts) {
 }
 function removePresence(agent) {
   const db2 = getDb();
-  const normalizedAgent = agent.trim().toLowerCase();
+  const normalizedAgent = normalizeAgentName(agent);
   const result = db2.prepare("DELETE FROM agent_presence WHERE LOWER(agent) = ?").run(normalizedAgent);
   return result.changes > 0;
 }
 function renameAgent(oldName, newName) {
   const db2 = getDb();
-  const normalizedOld = oldName.trim().toLowerCase();
-  const normalizedNew = newName.trim().toLowerCase();
+  const normalizedOld = normalizeAgentName(oldName);
+  const normalizedNew = normalizeAgentName(newName);
   const existing = db2.prepare("SELECT agent FROM agent_presence WHERE LOWER(agent) = ?").get(normalizedOld);
   if (!existing)
     return false;
@@ -13888,13 +14182,13 @@ var gatherTrainingData = async (options = {}) => {
 };
 // src/lib/model-config.ts
 init_db();
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync7, existsSync as existsSync6 } from "fs";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync7, existsSync as existsSync7 } from "fs";
 import { join as join10 } from "path";
 var DEFAULT_MODEL = "gpt-4o-mini";
 var CONFIG_DIR3 = getDataDir2();
 var CONFIG_PATH2 = join10(CONFIG_DIR3, "config.json");
 function readConfig() {
-  if (!existsSync6(CONFIG_PATH2))
+  if (!existsSync7(CONFIG_PATH2))
     return {};
   try {
     return JSON.parse(readFileSync4(CONFIG_PATH2, "utf-8"));
@@ -13903,7 +14197,7 @@ function readConfig() {
   }
 }
 function writeConfig(config) {
-  if (!existsSync6(CONFIG_DIR3)) {
+  if (!existsSync7(CONFIG_DIR3)) {
     mkdirSync7(CONFIG_DIR3, { recursive: true });
   }
   writeFileSync3(CONFIG_PATH2, JSON.stringify(config, null, 2), "utf-8");