@newsails/veil-cli 1.0.1

package/api/routes/memory.js

@@ -0,0 +1,169 @@
+'use strict';
+
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const router = express.Router({ mergeParams: true });
+const { sendError } = require('../middleware');
+const context = require('../../utils/context');
+const paths = require('../../utils/paths');
+
+const SAFE_FILE_RE = /^[\w\-]+\.md$/;
+
+function safeFile(file) {
+  return SAFE_FILE_RE.test(file);
+}
+
+function listMdFiles(dir) {
+  if (!fs.existsSync(dir)) return [];
+  return fs.readdirSync(dir)
+    .filter(f => f.endsWith('.md'))
+    .map(f => {
+      const stat = fs.statSync(path.join(dir, f));
+      return { name: f, size: stat.size, modified: stat.mtime.toISOString() };
+    });
+}
+
+// ── Global memory routes (/memory/*) ──────────────────────────────────────────
+
+// GET /memory — list global memory files
+router.get('/memory', (req, res, next) => {
+  try {
+    const cwd = context.getCwd();
+    const dir = paths.getProjectMemoryDir(cwd);
+    const files = listMdFiles(dir);
+    res.json({ files });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /memory/:file — read a global memory file
+router.get('/memory/:file', (req, res, next) => {
+  try {
+    if (!safeFile(req.params.file)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'File name must match [a-z0-9A-Z_-]+.md');
+    }
+    const cwd = context.getCwd();
+    const filePath = path.join(paths.getProjectMemoryDir(cwd), req.params.file);
+    if (!fs.existsSync(filePath)) {
+      return sendError(res, 404, 'NOT_FOUND', `Memory file not found: ${req.params.file}`);
+    }
+    const content = fs.readFileSync(filePath, 'utf8');
+    res.json({ file: req.params.file, content });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// PUT /memory/:file — write/replace a global memory file
+router.put('/memory/:file', (req, res, next) => {
+  try {
+    if (!safeFile(req.params.file)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'File name must match [a-z0-9A-Z_-]+.md');
+    }
+    const { content } = req.body;
+    if (typeof content !== 'string') {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'content must be a string');
+    }
+    const cwd = context.getCwd();
+    const dir = paths.getProjectMemoryDir(cwd);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const filePath = path.join(dir, req.params.file);
+    fs.writeFileSync(filePath, content, 'utf8');
+    res.json({ file: req.params.file, size: Buffer.byteLength(content, 'utf8') });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// DELETE /memory/:file — delete a global memory file
+router.delete('/memory/:file', (req, res, next) => {
+  try {
+    if (!safeFile(req.params.file)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'File name must match [a-z0-9A-Z_-]+.md');
+    }
+    const cwd = context.getCwd();
+    const filePath = path.join(paths.getProjectMemoryDir(cwd), req.params.file);
+    if (!fs.existsSync(filePath)) {
+      return sendError(res, 404, 'NOT_FOUND', `Memory file not found: ${req.params.file}`);
+    }
+    fs.unlinkSync(filePath);
+    res.json({ file: req.params.file, status: 'deleted' });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// ── Agent memory routes (/agents/:name/memory/*) ─────────────────────────────
+
+// GET /agents/:name/memory — list agent memory files
+router.get('/:name/memory', (req, res, next) => {
+  try {
+    const cwd = context.getCwd();
+    const dir = paths.getAgentMemoryDir(cwd, req.params.name);
+    const files = listMdFiles(dir);
+    res.json({ agentName: req.params.name, files });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /agents/:name/memory/:file — read a specific agent memory file
+router.get('/:name/memory/:file', (req, res, next) => {
+  try {
+    if (!safeFile(req.params.file)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'File name must match [a-z0-9_-]+.md');
+    }
+    const cwd = context.getCwd();
+    const filePath = path.join(paths.getAgentMemoryDir(cwd, req.params.name), req.params.file);
+    if (!fs.existsSync(filePath)) {
+      return sendError(res, 404, 'NOT_FOUND', `Memory file not found: ${req.params.file}`);
+    }
+    const content = fs.readFileSync(filePath, 'utf8');
+    res.json({ agentName: req.params.name, file: req.params.file, content });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// PUT /agents/:name/memory/:file — write/replace an agent memory file
+router.put('/:name/memory/:file', (req, res, next) => {
+  try {
+    if (!safeFile(req.params.file)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'File name must match [a-z0-9_-]+.md');
+    }
+    const { content } = req.body;
+    if (typeof content !== 'string') {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'content must be a string');
+    }
+    const cwd = context.getCwd();
+    const dir = paths.getAgentMemoryDir(cwd, req.params.name);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const filePath = path.join(dir, req.params.file);
+    fs.writeFileSync(filePath, content, 'utf8');
+    res.json({ agentName: req.params.name, file: req.params.file, size: Buffer.byteLength(content, 'utf8') });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// DELETE /agents/:name/memory/:file — delete an agent memory file
+router.delete('/:name/memory/:file', (req, res, next) => {
+  try {
+    if (!safeFile(req.params.file)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'File name must match [a-z0-9_-]+.md');
+    }
+    const cwd = context.getCwd();
+    const filePath = path.join(paths.getAgentMemoryDir(cwd, req.params.name), req.params.file);
+    if (!fs.existsSync(filePath)) {
+      return sendError(res, 404, 'NOT_FOUND', `Memory file not found: ${req.params.file}`);
+    }
+    fs.unlinkSync(filePath);
+    res.json({ agentName: req.params.name, file: req.params.file, status: 'deleted' });
+  } catch (err) {
+    next(err);
+  }
+});
+
+module.exports = router;

package/api/routes/models.js

@@ -0,0 +1,40 @@
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const { listModels, getModel, invalidateCache } = require('../../utils/models');
+const { sendError } = require('../middleware');
+
+// GET /models — list all known models
+router.get('/', (req, res) => {
+  res.json(listModels());
+});
+
+// GET /models/:id — get a single model by id (e.g. "anthropic/claude-sonnet-4.6")
+router.get('/:provider/:name', (req, res) => {
+  const modelId = `${req.params.provider}/${req.params.name}`;
+  const model = getModel(modelId);
+  if (!model) return sendError(res, 404, 'MODEL_NOT_FOUND', `Model "${modelId}" not found`);
+  res.json({ id: modelId, ...model });
+});
+
+// POST /models/refresh — re-fetch models from OpenRouter and reload cache
+router.post('/refresh', async (req, res, next) => {
+  try {
+    const { execFile } = require('child_process');
+    const path = require('path');
+    const scriptPath = path.join(__dirname, '..', '..', 'scripts', 'fetch-models.js');
+    await new Promise((resolve, reject) => {
+      execFile(process.execPath, [scriptPath], { timeout: 30000 }, (err, stdout, stderr) => {
+        if (err) return reject(new Error(stderr || err.message));
+        resolve(stdout);
+      });
+    });
+    invalidateCache();
+    res.json({ refreshed: true, ...listModels() });
+  } catch (err) {
+    next(err);
+  }
+});
+
+module.exports = router;

package/api/routes/remote-methods.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const rm = require('../../core/remote-methods');
+
+/**
+ * GET /remote-methods
+ *
+ * SSE stream. Sends all currently-pending methods on connect, then streams
+ * new `method.pending` and `method.done` events in real time.
+ *
+ * Event shapes:
+ *   { type: "method.pending", id, method, data, createdAt }
+ *   { type: "method.done",    id, timedOut: bool }
+ *
+ * The client MUST implement reconnection logic (EventSource does this
+ * automatically). UI-side deduplication via method `id` is recommended.
+ */
+router.get('/', (req, res) => {
+  res.setHeader('Content-Type', 'text/event-stream');
+  res.setHeader('Cache-Control', 'no-cache');
+  res.setHeader('Connection', 'keep-alive');
+  res.setHeader('X-Accel-Buffering', 'no'); // disable nginx buffering if proxied
+  res.flushHeaders();
+
+  // Send a keepalive comment immediately so the client knows the stream is live
+  res.write(': connected\n\n');
+
+  rm.addClient(res);
+
+  // Keepalive ping every 20s to prevent proxies from closing idle connections
+  const ping = setInterval(() => {
+    try { res.write(': ping\n\n'); } catch { clearInterval(ping); }
+  }, 20_000);
+
+  req.on('close', () => {
+    clearInterval(ping);
+    rm.removeClient(res);
+  });
+});
+
+/**
+ * POST /remote-methods/:id/result
+ *
+ * Deliver the UI's response for a pending method call.
+ *
+ * Body: { result: <any JSON value> }
+ *
+ * Responses:
+ *   200 { ok: true }              — result accepted, waiting tool unblocked
+ *   409 { error: "not_found" }   — id unknown (already resolved, timed out, or invalid)
+ */
+router.post('/:id/result', (req, res) => {
+  const { id } = req.params;
+  const result = req.body?.result;
+
+  const status = rm.resolve(id, result);
+
+  if (status === 'not_found') {
+    return res.status(409).json({ error: 'not_found', message: `No pending remote method with id "${id}". It may have already been resolved or timed out.` });
+  }
+
+  return res.json({ ok: true, id });
+});
+
+/**
+ * GET /remote-methods/pending  (diagnostic — lists pending IDs)
+ */
+router.get('/pending', (req, res) => {
+  res.json({ pending: rm.pendingIds() });
+});
+
+module.exports = router;

package/api/routes/sessions.js

@@ -0,0 +1,208 @@
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const { sendError } = require('../middleware');
+const context = require('../../utils/context');
+const db = require('../../infrastructure/database');
+const { loadAgent } = require('../../core/agent');
+const { assembleSystemPrompt } = require('../../core/prompt');
+const { loadSettings } = require('../../utils/settings');
+const eventBus = require('../../core/events');
+
+const VALID_MODES = ['chat', 'task', 'daemon', 'subagent'];
+
+// POST /sessions — create a new session without sending a message
+router.post('/', (req, res, next) => {
+  try {
+    const { agentName, mode = 'chat', model, model_thinking } = req.body || {};
+
+    if (!agentName) return sendError(res, 400, 'VALIDATION_ERROR', '"agentName" is required');
+    if (!VALID_MODES.includes(mode)) {
+      return sendError(res, 400, 'VALIDATION_ERROR', `"mode" must be one of: ${VALID_MODES.join(', ')}`);
+    }
+
+    const cwd = context.getCwd();
+
+    let agent;
+    try {
+      agent = loadAgent({ cwd, name: agentName });
+    } catch {
+      return sendError(res, 404, 'AGENT_NOT_FOUND', `Agent "${agentName}" not found`);
+    }
+
+    const resolvedModel = model || agent.model || null;
+    const resolvedThinking = model_thinking !== undefined ? model_thinking : (agent.thinking || null);
+    const sessionId = db.createSession({ agentName, mode, instanceFolder: cwd, model: resolvedModel, modelThinking: resolvedThinking });
+
+    // Inject system prompt as first message so the session is ready to use
+    try {
+      const settings = loadSettings({ cwd });
+      const systemPrompt = assembleSystemPrompt({ agent, mode, sessionId, cwd, settings });
+      db.addMessage({ sessionId, role: 'system', content: systemPrompt });
+    } catch { /* non-fatal — session is still usable without system prompt */ }
+
+    const session = db.getSession(sessionId);
+    res.status(201).json({ sessionId, session });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /sessions
+router.get('/', (req, res, next) => {
+  try {
+    const cwd = context.getCwd();
+    const { agentName, mode, status, limit, cursor } = req.query;
+    const sessions = db.listSessions({
+      instanceFolder: cwd,
+      agentName,
+      status,
+      limit: limit ? parseInt(limit, 10) : 20,
+      cursor,
+    });
+    res.json({ sessions });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /sessions/:id
+router.get('/:id', (req, res, next) => {
+  try {
+    const session = db.getSession(req.params.id);
+    if (!session) return sendError(res, 404, 'SESSION_NOT_FOUND', `Session not found: ${req.params.id}`);
+    res.json({ session });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /sessions/:id/messages
+router.get('/:id/messages', (req, res, next) => {
+  try {
+    const session = db.getSession(req.params.id);
+    if (!session) return sendError(res, 404, 'SESSION_NOT_FOUND', `Session not found: ${req.params.id}`);
+    const { limit, offset } = req.query;
+    const messages = db.getMessages(req.params.id, {
+      limit: limit ? parseInt(limit, 10) : 100,
+      offset: offset ? parseInt(offset, 10) : 0,
+    });
+    res.json({ sessionId: req.params.id, messages });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /sessions/:id/stream — SSE real-time event stream for a session
+router.get('/:id/stream', (req, res, next) => {
+  try {
+    const session = db.getSession(req.params.id);
+    if (!session) return sendError(res, 404, 'SESSION_NOT_FOUND', `Session not found: ${req.params.id}`);
+
+    const sessionId = req.params.id;
+
+    res.setHeader('Content-Type', 'text/event-stream');
+    res.setHeader('Cache-Control', 'no-cache');
+    res.setHeader('Connection', 'keep-alive');
+    res.setHeader('X-Accel-Buffering', 'no');
+    res.flushHeaders();
+
+    function send(eventType, data) {
+      try {
+        res.write(`event: ${eventType}\ndata: ${JSON.stringify(data)}\n\n`);
+      } catch { /* client disconnected */ }
+    }
+
+    // Send current session state immediately
+    send('session', { sessionId, status: session.status, agentName: session.agent_name, mode: session.mode });
+
+    function onEvent(msg) {
+      if (msg.sessionId !== sessionId) return;
+      send(msg.type, { sessionId, agentName: msg.agentName, event: msg.event, timestamp: msg.event?.timestamp });
+    }
+
+    eventBus.on('event', onEvent);
+
+    // Keepalive ping every 15s to prevent proxy timeouts
+    const keepalive = setInterval(() => {
+      try { res.write(': keepalive\n\n'); } catch { cleanup(); }
+    }, 15000);
+
+    function cleanup() {
+      clearInterval(keepalive);
+      eventBus.off('event', onEvent);
+    }
+
+    req.on('close', cleanup);
+    req.on('error', cleanup);
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /sessions/:id/context — inspect the full message history (truncated for readability)
+router.get('/:id/context', (req, res, next) => {
+  try {
+    const session = db.getSession(req.params.id);
+    if (!session) return sendError(res, 404, 'SESSION_NOT_FOUND', `Session not found: ${req.params.id}`);
+    const messages = db.getMessages(req.params.id);
+    res.json({
+      sessionId: req.params.id,
+      agentName: session.agent_name,
+      mode: session.mode,
+      messageCount: messages.length,
+      messages: messages.map(m => ({
+        id: m.id,
+        role: m.role,
+        content: m.content || null,
+        tool_calls: m.tool_calls || undefined,
+        tool_call_id: m.tool_call_id || undefined,
+        created_at: m.created_at,
+      })),
+    });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// POST /sessions/:id/reset — clear messages but keep session alive
+router.post('/:id/reset', (req, res, next) => {
+  try {
+    const session = db.getSession(req.params.id);
+    if (!session) return sendError(res, 404, 'SESSION_NOT_FOUND', `Session not found: ${req.params.id}`);
+    if (session.status === 'closed') return sendError(res, 400, 'SESSION_CLOSED', 'Cannot reset a closed session');
+    const cwd = context.getCwd();
+    db.resetSession(req.params.id);
+    // Re-inject fresh system prompt so agent has a clean start
+    try {
+      const agent = loadAgent({ cwd, name: session.agent_name });
+      const systemPrompt = assembleSystemPrompt({ agent, mode: session.mode, sessionId: req.params.id, cwd, settings: {} });
+      db.addMessage({ sessionId: req.params.id, role: 'system', content: systemPrompt });
+    } catch { /* if agent load fails, reset without re-injecting system prompt */ }
+    res.json({ sessionId: req.params.id, status: 'reset', messageCount: 1 });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// DELETE /sessions/:id — soft close or hard delete (?hard=true)
+router.delete('/:id', (req, res, next) => {
+  try {
+    const session = db.getSession(req.params.id);
+    if (!session) return sendError(res, 404, 'SESSION_NOT_FOUND', `Session not found: ${req.params.id}`);
+    if (req.query.hard === 'true') {
+      db.deleteSession(req.params.id);
+      eventBus.emit('event', { type: 'session.deleted', sessionId: req.params.id, agentName: session.agent_name, event: { timestamp: Date.now() } });
+      res.json({ sessionId: req.params.id, status: 'deleted' });
+    } else {
+      db.closeSession(req.params.id);
+      eventBus.emit('event', { type: 'session.closed', sessionId: req.params.id, agentName: session.agent_name, event: { timestamp: Date.now() } });
+      res.json({ sessionId: req.params.id, status: 'closed' });
+    }
+  } catch (err) {
+    next(err);
+  }
+});
+
+module.exports = router;

package/api/routes/settings.js

@@ -0,0 +1,108 @@
+'use strict';
+
+const express = require('express');
+const fs = require('fs');
+const router = express.Router();
+const Ajv = require('ajv');
+const addFormats = require('ajv-formats');
+const { sendError } = require('../middleware');
+const context = require('../../utils/context');
+const { loadSettings, readSettingsForLevel, settingsPathForLevel, VALID_LEVELS } = require('../../utils/settings');
+const paths = require('../../utils/paths');
+
+const ajv = new Ajv({ allErrors: true });
+addFormats(ajv);
+
+let _settingsValidator = null;
+function getValidator() {
+  if (_settingsValidator) return _settingsValidator;
+  try {
+    const schema = require('../../schemas/settings.json');
+    _settingsValidator = ajv.compile(schema);
+  } catch {
+    _settingsValidator = null;
+  }
+  return _settingsValidator;
+}
+
+/**
+ * Redact sensitive fields (api_key values) from the settings object.
+ * @param {Object} obj
+ * @returns {Object}
+ */
+function redactSecrets(obj) {
+  if (!obj || typeof obj !== 'object') return obj;
+  const result = Array.isArray(obj) ? [] : {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (k === 'api_key' && typeof v === 'string' && v.length > 8) {
+      result[k] = v.slice(0, 3) + '…' + v.slice(-4);
+    } else if (typeof v === 'object' && v !== null) {
+      result[k] = redactSecrets(v);
+    } else {
+      result[k] = v;
+    }
+  }
+  return result;
+}
+
+// GET /settings — return settings, optionally scoped to a level
+// ?level=merged (default) | project | global | local
+router.get('/', (req, res, next) => {
+  try {
+    const level = req.query.level || 'merged';
+    if (!VALID_LEVELS.includes(level)) {
+      return sendError(res, 400, 'INVALID_LEVEL', `Invalid level "${level}". Must be one of: ${VALID_LEVELS.join(', ')}`);
+    }
+
+    const cwd = context.getCwd();
+    const { settings, exists, path: filePath } = readSettingsForLevel({ cwd, level });
+    res.json({ level, exists, path: filePath, settings: redactSecrets(settings) });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// PUT /settings — validate and write settings at the specified level, then live-reload
+// ?level=project (default) | global | local   ("merged" is read-only)
+router.put('/', (req, res, next) => {
+  try {
+    const level = req.query.level || 'project';
+    if (level === 'merged') {
+      return sendError(res, 400, 'INVALID_LEVEL', '"merged" is a read-only view and cannot be written. Use "project", "global", or "local".');
+    }
+    if (!VALID_LEVELS.includes(level)) {
+      return sendError(res, 400, 'INVALID_LEVEL', `Invalid level "${level}". Must be one of: ${VALID_LEVELS.filter(l => l !== 'merged').join(', ')}`);
+    }
+
+    const body = req.body;
+    if (!body || typeof body !== 'object') {
+      return sendError(res, 400, 'VALIDATION_ERROR', 'Request body must be a JSON object');
+    }
+
+    const validate = getValidator();
+    if (validate) {
+      const valid = validate(body);
+      if (!valid) {
+        const msgs = validate.errors.map(e => `${e.instancePath || '(root)'}: ${e.message}`).join('; ');
+        return sendError(res, 400, 'VALIDATION_ERROR', `Invalid settings: ${msgs}`);
+      }
+    }
+
+    const cwd = context.getCwd();
+    const settingsPath = settingsPathForLevel(level, cwd);
+    const dir = require('path').dirname(settingsPath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+    fs.writeFileSync(settingsPath, JSON.stringify(body, null, 2), 'utf8');
+
+    // Live reload — update in-memory merged settings for all subsequent requests
+    const newSettings = loadSettings({ cwd });
+    req.app.locals.settings = newSettings;
+
+    res.json({ status: 'updated', level, path: settingsPath, settings: redactSecrets(newSettings) });
+  } catch (err) {
+    next(err);
+  }
+});
+
+module.exports = router;

package/api/routes/system.js

@@ -0,0 +1,50 @@
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const context = require('../../utils/context');
+const db = require('../../infrastructure/database');
+
+const startTime = Date.now();
+
+// GET /health
+router.get('/health', (req, res) => {
+  res.json({ status: 'ok', version: context.getVersion(), uptime: Math.floor((Date.now() - startTime) / 1000) });
+});
+
+// GET /status
+router.get('/status', (req, res, next) => {
+  try {
+    const cwd = context.getCwd();
+    const { listAgents } = require('../../core/agent');
+    const agents = listAgents({ cwd });
+    const scheduler = req.app.locals.scheduler;
+    const daemons = scheduler ? scheduler.listDaemons() : [];
+
+    const activeSessions = db.listSessions({ instanceFolder: cwd, status: 'active', limit: 1000 });
+    const pendingTasks = db.listTasks({ instanceFolder: cwd, status: 'pending', limit: 1000 });
+    const processingTasks = db.listTasks({ instanceFolder: cwd, status: 'processing', limit: 1000 });
+
+    res.json({
+      status: 'ok',
+      version: context.getVersion(),
+      uptime: Math.floor((Date.now() - startTime) / 1000),
+      cwd,
+      agents: agents.length,
+      activeSessions: activeSessions.length,
+      pendingTasks: pendingTasks.length,
+      processingTasks: processingTasks.length,
+      daemons: daemons.length,
+    });
+  } catch (err) {
+    next(err);
+  }
+});
+
+// POST /shutdown
+router.post('/shutdown', (req, res) => {
+  res.json({ status: 'shutting_down' });
+  setTimeout(() => process.exit(0), 500);
+});
+
+module.exports = router;