@openparachute/agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (501) hide show
  1. package/.claude/scheduled_tasks.lock +1 -0
  2. package/.claude/settings.json +5 -0
  3. package/.claude/skills/add-atomic-chat-tool/SKILL.md +243 -0
  4. package/.claude/skills/add-atomic-chat-tool/atomic-chat-mcp-stdio.ts +229 -0
  5. package/.claude/skills/add-codex/SKILL.md +161 -0
  6. package/.claude/skills/add-dashboard/SKILL.md +138 -0
  7. package/.claude/skills/add-dashboard/resources/dashboard-pusher.ts +495 -0
  8. package/.claude/skills/add-emacs/SKILL.md +296 -0
  9. package/.claude/skills/add-gcal-tool/SKILL.md +210 -0
  10. package/.claude/skills/add-gchat/REMOVE.md +6 -0
  11. package/.claude/skills/add-gchat/SKILL.md +92 -0
  12. package/.claude/skills/add-gchat/VERIFY.md +3 -0
  13. package/.claude/skills/add-github/REMOVE.md +6 -0
  14. package/.claude/skills/add-github/SKILL.md +148 -0
  15. package/.claude/skills/add-github/VERIFY.md +3 -0
  16. package/.claude/skills/add-gmail-tool/SKILL.md +229 -0
  17. package/.claude/skills/add-imessage/REMOVE.md +6 -0
  18. package/.claude/skills/add-imessage/SKILL.md +113 -0
  19. package/.claude/skills/add-imessage/VERIFY.md +3 -0
  20. package/.claude/skills/add-karpathy-llm-wiki/SKILL.md +110 -0
  21. package/.claude/skills/add-karpathy-llm-wiki/llm-wiki.md +75 -0
  22. package/.claude/skills/add-linear/REMOVE.md +6 -0
  23. package/.claude/skills/add-linear/SKILL.md +168 -0
  24. package/.claude/skills/add-linear/VERIFY.md +3 -0
  25. package/.claude/skills/add-macos-statusbar/SKILL.md +133 -0
  26. package/.claude/skills/add-macos-statusbar/add/src/statusbar.swift +147 -0
  27. package/.claude/skills/add-matrix/REMOVE.md +6 -0
  28. package/.claude/skills/add-matrix/SKILL.md +148 -0
  29. package/.claude/skills/add-matrix/VERIFY.md +3 -0
  30. package/.claude/skills/add-ollama-provider/SKILL.md +179 -0
  31. package/.claude/skills/add-ollama-tool/SKILL.md +193 -0
  32. package/.claude/skills/add-opencode/SKILL.md +229 -0
  33. package/.claude/skills/add-parallel/SKILL.md +290 -0
  34. package/.claude/skills/add-resend/REMOVE.md +6 -0
  35. package/.claude/skills/add-resend/SKILL.md +93 -0
  36. package/.claude/skills/add-resend/VERIFY.md +3 -0
  37. package/.claude/skills/add-signal/REMOVE.md +13 -0
  38. package/.claude/skills/add-signal/SKILL.md +318 -0
  39. package/.claude/skills/add-signal/VERIFY.md +5 -0
  40. package/.claude/skills/add-slack/REMOVE.md +6 -0
  41. package/.claude/skills/add-slack/SKILL.md +112 -0
  42. package/.claude/skills/add-slack/VERIFY.md +3 -0
  43. package/.claude/skills/add-teams/REMOVE.md +6 -0
  44. package/.claude/skills/add-teams/SKILL.md +207 -0
  45. package/.claude/skills/add-teams/VERIFY.md +3 -0
  46. package/.claude/skills/add-vercel/SKILL.md +147 -0
  47. package/.claude/skills/add-vercel/container-skills/vercel-cli/SKILL.md +103 -0
  48. package/.claude/skills/add-webex/REMOVE.md +6 -0
  49. package/.claude/skills/add-webex/SKILL.md +88 -0
  50. package/.claude/skills/add-webex/VERIFY.md +3 -0
  51. package/.claude/skills/add-wechat/REMOVE.md +49 -0
  52. package/.claude/skills/add-wechat/SKILL.md +170 -0
  53. package/.claude/skills/add-wechat/scripts/wire-dm.ts +172 -0
  54. package/.claude/skills/add-whatsapp/SKILL.md +264 -0
  55. package/.claude/skills/add-whatsapp-cloud/REMOVE.md +6 -0
  56. package/.claude/skills/add-whatsapp-cloud/SKILL.md +95 -0
  57. package/.claude/skills/add-whatsapp-cloud/VERIFY.md +3 -0
  58. package/.claude/skills/claw/SKILL.md +131 -0
  59. package/.claude/skills/claw/scripts/claw +374 -0
  60. package/.claude/skills/convert-to-apple-container/SKILL.md +212 -0
  61. package/.claude/skills/customize/SKILL.md +110 -0
  62. package/.claude/skills/debug/SKILL.md +349 -0
  63. package/.claude/skills/get-qodo-rules/SKILL.md +122 -0
  64. package/.claude/skills/get-qodo-rules/references/output-format.md +41 -0
  65. package/.claude/skills/get-qodo-rules/references/pagination.md +33 -0
  66. package/.claude/skills/get-qodo-rules/references/repository-scope.md +26 -0
  67. package/.claude/skills/init-first-agent/SKILL.md +120 -0
  68. package/.claude/skills/init-onecli/SKILL.md +270 -0
  69. package/.claude/skills/manage-channels/SKILL.md +87 -0
  70. package/.claude/skills/manage-mounts/SKILL.md +47 -0
  71. package/.claude/skills/migrate-from-openclaw/MIGRATE_CRONS.md +100 -0
  72. package/.claude/skills/migrate-from-openclaw/SKILL.md +447 -0
  73. package/.claude/skills/migrate-from-openclaw/scripts/discover-openclaw.ts +734 -0
  74. package/.claude/skills/migrate-from-openclaw/scripts/extract-channel-credentials.ts +476 -0
  75. package/.claude/skills/migrate-nanoclaw/SKILL.md +484 -0
  76. package/.claude/skills/migrate-nanoclaw/diagnostics.md +51 -0
  77. package/.claude/skills/qodo-pr-resolver/SKILL.md +326 -0
  78. package/.claude/skills/qodo-pr-resolver/resources/providers.md +329 -0
  79. package/.claude/skills/update-nanoclaw/SKILL.md +243 -0
  80. package/.claude/skills/update-nanoclaw/diagnostics.md +48 -0
  81. package/.claude/skills/update-skills/SKILL.md +130 -0
  82. package/.claude/skills/use-native-credential-proxy/SKILL.md +167 -0
  83. package/.claude/skills/x-integration/SKILL.md +417 -0
  84. package/.claude/skills/x-integration/agent.ts +243 -0
  85. package/.claude/skills/x-integration/host.ts +155 -0
  86. package/.claude/skills/x-integration/lib/browser.ts +148 -0
  87. package/.claude/skills/x-integration/lib/config.ts +62 -0
  88. package/.claude/skills/x-integration/scripts/like.ts +56 -0
  89. package/.claude/skills/x-integration/scripts/post.ts +66 -0
  90. package/.claude/skills/x-integration/scripts/quote.ts +80 -0
  91. package/.claude/skills/x-integration/scripts/reply.ts +74 -0
  92. package/.claude/skills/x-integration/scripts/retweet.ts +62 -0
  93. package/.claude/skills/x-integration/scripts/setup.ts +87 -0
  94. package/.github/CODEOWNERS +10 -0
  95. package/.github/PULL_REQUEST_TEMPLATE.md +18 -0
  96. package/.github/workflows/bump-version.yml +35 -0
  97. package/.github/workflows/ci.yml +39 -0
  98. package/.github/workflows/label-pr.yml +40 -0
  99. package/.github/workflows/update-tokens.yml +43 -0
  100. package/.husky/pre-commit +1 -0
  101. package/.mcp.json +3 -0
  102. package/.nvmrc +1 -0
  103. package/.parachute/module.json +14 -0
  104. package/.prettierrc +4 -0
  105. package/CHANGELOG.md +215 -0
  106. package/CLAUDE.md +307 -0
  107. package/CODE_OF_CONDUCT.md +128 -0
  108. package/CONTRIBUTING.md +159 -0
  109. package/CONTRIBUTORS.md +26 -0
  110. package/LICENSE +21 -0
  111. package/README.md +190 -0
  112. package/README_ja.md +194 -0
  113. package/README_zh.md +194 -0
  114. package/assets/nanoclaw-favicon.png +0 -0
  115. package/assets/nanoclaw-icon.png +0 -0
  116. package/assets/nanoclaw-logo-dark.png +0 -0
  117. package/assets/nanoclaw-logo.png +0 -0
  118. package/assets/nanoclaw-profile.jpeg +0 -0
  119. package/assets/nanoclaw-sales.png +0 -0
  120. package/assets/social-preview.jpg +0 -0
  121. package/config-examples/mount-allowlist.json +25 -0
  122. package/container/.dockerignore +2 -0
  123. package/container/CLAUDE.md +21 -0
  124. package/container/Dockerfile +121 -0
  125. package/container/agent-runner/bun.lock +243 -0
  126. package/container/agent-runner/package.json +22 -0
  127. package/container/agent-runner/scripts/sdk-signal-probe.ts +169 -0
  128. package/container/agent-runner/src/config.ts +55 -0
  129. package/container/agent-runner/src/db/connection.ts +267 -0
  130. package/container/agent-runner/src/db/index.ts +20 -0
  131. package/container/agent-runner/src/db/messages-in.ts +138 -0
  132. package/container/agent-runner/src/db/messages-out.ts +143 -0
  133. package/container/agent-runner/src/db/session-routing.ts +30 -0
  134. package/container/agent-runner/src/db/session-state.test.ts +100 -0
  135. package/container/agent-runner/src/db/session-state.ts +79 -0
  136. package/container/agent-runner/src/destinations.ts +135 -0
  137. package/container/agent-runner/src/formatter.test.ts +167 -0
  138. package/container/agent-runner/src/formatter.ts +260 -0
  139. package/container/agent-runner/src/index.ts +110 -0
  140. package/container/agent-runner/src/integration.test.ts +121 -0
  141. package/container/agent-runner/src/mcp-tools/agents.instructions.md +26 -0
  142. package/container/agent-runner/src/mcp-tools/agents.ts +66 -0
  143. package/container/agent-runner/src/mcp-tools/core.instructions.md +27 -0
  144. package/container/agent-runner/src/mcp-tools/core.ts +262 -0
  145. package/container/agent-runner/src/mcp-tools/index.ts +22 -0
  146. package/container/agent-runner/src/mcp-tools/interactive.instructions.md +22 -0
  147. package/container/agent-runner/src/mcp-tools/interactive.ts +169 -0
  148. package/container/agent-runner/src/mcp-tools/scheduling.instructions.md +40 -0
  149. package/container/agent-runner/src/mcp-tools/scheduling.ts +299 -0
  150. package/container/agent-runner/src/mcp-tools/self-mod.instructions.md +25 -0
  151. package/container/agent-runner/src/mcp-tools/self-mod.ts +120 -0
  152. package/container/agent-runner/src/mcp-tools/server.ts +54 -0
  153. package/container/agent-runner/src/mcp-tools/types.ts +6 -0
  154. package/container/agent-runner/src/poll-loop.test.ts +248 -0
  155. package/container/agent-runner/src/poll-loop.ts +437 -0
  156. package/container/agent-runner/src/providers/claude.ts +379 -0
  157. package/container/agent-runner/src/providers/factory.test.ts +19 -0
  158. package/container/agent-runner/src/providers/factory.ts +13 -0
  159. package/container/agent-runner/src/providers/index.ts +6 -0
  160. package/container/agent-runner/src/providers/mock.ts +77 -0
  161. package/container/agent-runner/src/providers/provider-registry.ts +33 -0
  162. package/container/agent-runner/src/providers/types.ts +82 -0
  163. package/container/agent-runner/src/scheduling/task-script.ts +121 -0
  164. package/container/agent-runner/src/timezone.test.ts +93 -0
  165. package/container/agent-runner/src/timezone.ts +107 -0
  166. package/container/agent-runner/tsconfig.json +14 -0
  167. package/container/build.sh +48 -0
  168. package/container/entrypoint.sh +16 -0
  169. package/container/skills/agent-browser/SKILL.md +159 -0
  170. package/container/skills/frontend-engineer/SKILL.md +157 -0
  171. package/container/skills/self-customize/SKILL.md +87 -0
  172. package/container/skills/slack-formatting/SKILL.md +94 -0
  173. package/container/skills/vercel-cli/SKILL.md +111 -0
  174. package/container/skills/welcome/SKILL.md +85 -0
  175. package/docs/APPLE-CONTAINER-NETWORKING.md +90 -0
  176. package/docs/BRANCH-FORK-MAINTENANCE.md +81 -0
  177. package/docs/README.md +25 -0
  178. package/docs/SDK_DEEP_DIVE.md +643 -0
  179. package/docs/SECURITY.md +162 -0
  180. package/docs/agent-runner-details.md +749 -0
  181. package/docs/api-details.md +365 -0
  182. package/docs/architecture-diagram.html +422 -0
  183. package/docs/architecture-diagram.md +215 -0
  184. package/docs/architecture.md +751 -0
  185. package/docs/audit/2026-04-30-channel-endpoint-audit.md +36 -0
  186. package/docs/build-and-runtime.md +80 -0
  187. package/docs/cross-mount-stress/README.md +112 -0
  188. package/docs/cross-mount-stress/container-writer-retry.mjs +55 -0
  189. package/docs/cross-mount-stress/container-writer-slow.mjs +42 -0
  190. package/docs/cross-mount-stress/container-writer.mjs +47 -0
  191. package/docs/cross-mount-stress/host-writer-retry.mjs +55 -0
  192. package/docs/cross-mount-stress/host-writer-slow.mjs +43 -0
  193. package/docs/cross-mount-stress/host-writer.mjs +47 -0
  194. package/docs/db-central.md +316 -0
  195. package/docs/db-session.md +183 -0
  196. package/docs/db.md +119 -0
  197. package/docs/design/2026-04-29-vault-management-ui.md +231 -0
  198. package/docs/design/2026-04-30-channel-wiring-rework.md +234 -0
  199. package/docs/design/2026-05-01-channel-wiring-approvals-deep-dive.md +272 -0
  200. package/docs/design/2026-05-02-channel-policy-and-approval-routing.md +250 -0
  201. package/docs/docker-sandboxes.md +359 -0
  202. package/docs/isolation-model.md +88 -0
  203. package/docs/ollama.md +79 -0
  204. package/docs/parachute-integration.md +109 -0
  205. package/docs/post-night-rebirth-reflections.md +151 -0
  206. package/eslint.config.js +32 -0
  207. package/package.json +54 -0
  208. package/pnpm-workspace.yaml +8 -0
  209. package/repo-tokens/README.md +113 -0
  210. package/repo-tokens/action.yml +186 -0
  211. package/repo-tokens/badge.svg +23 -0
  212. package/repo-tokens/examples/green.svg +14 -0
  213. package/repo-tokens/examples/red.svg +14 -0
  214. package/repo-tokens/examples/yellow-green.svg +14 -0
  215. package/repo-tokens/examples/yellow.svg +14 -0
  216. package/scripts/chat.ts +101 -0
  217. package/scripts/cleanup-sessions.sh +150 -0
  218. package/scripts/init-cli-agent.ts +171 -0
  219. package/scripts/init-first-agent.ts +377 -0
  220. package/scripts/parachute.ts +158 -0
  221. package/scripts/run-migrations.ts +105 -0
  222. package/scripts/sanity-live-poll.ts +95 -0
  223. package/scripts/seed-discord.ts +79 -0
  224. package/scripts/test-v2-agent.ts +106 -0
  225. package/scripts/test-v2-channel-e2e.ts +265 -0
  226. package/scripts/test-v2-host.ts +184 -0
  227. package/src/channels/adapter.ts +214 -0
  228. package/src/channels/ask-question.ts +46 -0
  229. package/src/channels/channel-registry.test.ts +421 -0
  230. package/src/channels/channel-registry.ts +313 -0
  231. package/src/channels/chat-sdk-bridge.test.ts +84 -0
  232. package/src/channels/chat-sdk-bridge.ts +652 -0
  233. package/src/channels/cli.ts +276 -0
  234. package/src/channels/discord.ts +90 -0
  235. package/src/channels/index.ts +17 -0
  236. package/src/channels/telegram-markdown-sanitize.test.ts +78 -0
  237. package/src/channels/telegram-markdown-sanitize.ts +55 -0
  238. package/src/channels/telegram-pairing.test.ts +254 -0
  239. package/src/channels/telegram-pairing.ts +339 -0
  240. package/src/channels/telegram.ts +279 -0
  241. package/src/channels/trust-hint.test.ts +48 -0
  242. package/src/channels/trust-hint.ts +75 -0
  243. package/src/claude-md-compose.migrate.test.ts +64 -0
  244. package/src/claude-md-compose.ts +205 -0
  245. package/src/command-gate.ts +63 -0
  246. package/src/config.test.ts +93 -0
  247. package/src/config.ts +108 -0
  248. package/src/container-config.ts +167 -0
  249. package/src/container-runner.test.ts +32 -0
  250. package/src/container-runner.ts +576 -0
  251. package/src/container-runtime.test.ts +169 -0
  252. package/src/container-runtime.ts +92 -0
  253. package/src/db/_bun-sqlite-shim.ts +88 -0
  254. package/src/db/agent-activity.test.ts +155 -0
  255. package/src/db/agent-activity.ts +121 -0
  256. package/src/db/agent-groups.ts +77 -0
  257. package/src/db/connection.migrate.test.ts +143 -0
  258. package/src/db/connection.ts +224 -0
  259. package/src/db/db-v2.test.ts +440 -0
  260. package/src/db/dropped-messages.ts +44 -0
  261. package/src/db/index.ts +40 -0
  262. package/src/db/messaging-groups.ts +252 -0
  263. package/src/db/migrations/001-initial.ts +112 -0
  264. package/src/db/migrations/002-chat-sdk-state.ts +36 -0
  265. package/src/db/migrations/008-dropped-messages.ts +27 -0
  266. package/src/db/migrations/009-drop-pending-credentials.ts +13 -0
  267. package/src/db/migrations/010-engage-modes.ts +103 -0
  268. package/src/db/migrations/011-pending-sender-approvals.ts +40 -0
  269. package/src/db/migrations/012-channel-registration.ts +48 -0
  270. package/src/db/migrations/013-approval-render-metadata.ts +27 -0
  271. package/src/db/migrations/014-secrets.ts +44 -0
  272. package/src/db/migrations/015-secrets-drop-host-pattern.ts +18 -0
  273. package/src/db/migrations/016-secret-assignments.ts +30 -0
  274. package/src/db/migrations/017-agent-activity.ts +40 -0
  275. package/src/db/migrations/018-oauth-app-configs.ts +34 -0
  276. package/src/db/migrations/019-oauth-app-connections.ts +48 -0
  277. package/src/db/migrations/020-agent-app-connections.ts +28 -0
  278. package/src/db/migrations/021-pending-oauth-states.ts +35 -0
  279. package/src/db/migrations/022-app-connections-provider.ts +25 -0
  280. package/src/db/migrations/023-agent-group-secret-mode.test.ts +124 -0
  281. package/src/db/migrations/023-agent-group-secret-mode.ts +65 -0
  282. package/src/db/migrations/024-collapse-approvals.test.ts +249 -0
  283. package/src/db/migrations/024-collapse-approvals.ts +182 -0
  284. package/src/db/migrations/025-secret-mode-check.test.ts +155 -0
  285. package/src/db/migrations/025-secret-mode-check.ts +49 -0
  286. package/src/db/migrations/026-user-dms-bot-id.test.ts +116 -0
  287. package/src/db/migrations/026-user-dms-bot-id.ts +54 -0
  288. package/src/db/migrations/027-provider-credentials.ts +41 -0
  289. package/src/db/migrations/_test-helpers.ts +41 -0
  290. package/src/db/migrations/index.ts +127 -0
  291. package/src/db/migrations/module-agent-to-agent-destinations.ts +84 -0
  292. package/src/db/migrations/module-approvals-pending-approvals.ts +42 -0
  293. package/src/db/migrations/module-approvals-title-options.ts +40 -0
  294. package/src/db/schema.ts +258 -0
  295. package/src/db/session-db.test.ts +93 -0
  296. package/src/db/session-db.ts +325 -0
  297. package/src/db/sessions.ts +241 -0
  298. package/src/delivery.test.ts +148 -0
  299. package/src/delivery.ts +445 -0
  300. package/src/env.ts +74 -0
  301. package/src/group-folder.test.ts +35 -0
  302. package/src/group-folder.ts +44 -0
  303. package/src/group-init.ts +92 -0
  304. package/src/host-core.test.ts +456 -0
  305. package/src/host-sweep.test.ts +146 -0
  306. package/src/host-sweep.ts +287 -0
  307. package/src/index.ts +227 -0
  308. package/src/install-slug.ts +33 -0
  309. package/src/log.test.ts +81 -0
  310. package/src/log.ts +117 -0
  311. package/src/mcp/http.ts +72 -0
  312. package/src/mcp/server.ts +92 -0
  313. package/src/mcp/stdio.ts +51 -0
  314. package/src/mcp/tools/activity.ts +88 -0
  315. package/src/mcp/tools/agent-groups.ts +183 -0
  316. package/src/mcp/tools/approvals.ts +122 -0
  317. package/src/mcp/tools/channels.ts +199 -0
  318. package/src/mcp/tools/index.ts +27 -0
  319. package/src/mcp/tools/oauth.ts +48 -0
  320. package/src/mcp/tools/secrets.ts +169 -0
  321. package/src/mcp/tools/sessions.ts +135 -0
  322. package/src/mcp/types.ts +51 -0
  323. package/src/modules/agent-to-agent/agent-route.test.ts +46 -0
  324. package/src/modules/agent-to-agent/agent-route.ts +223 -0
  325. package/src/modules/agent-to-agent/create-agent.ts +127 -0
  326. package/src/modules/agent-to-agent/db/agent-destinations.ts +135 -0
  327. package/src/modules/agent-to-agent/index.ts +22 -0
  328. package/src/modules/agent-to-agent/write-destinations.ts +59 -0
  329. package/src/modules/approvals/agent.md +45 -0
  330. package/src/modules/approvals/index.ts +21 -0
  331. package/src/modules/approvals/picks.test.ts +291 -0
  332. package/src/modules/approvals/primitive.ts +279 -0
  333. package/src/modules/approvals/project.md +27 -0
  334. package/src/modules/approvals/response-handler.ts +87 -0
  335. package/src/modules/index.ts +24 -0
  336. package/src/modules/interactive/agent.md +21 -0
  337. package/src/modules/interactive/index.ts +69 -0
  338. package/src/modules/interactive/project.md +12 -0
  339. package/src/modules/mount-security/index.ts +448 -0
  340. package/src/modules/mount-security/migrate.test.ts +91 -0
  341. package/src/modules/permissions/access.ts +28 -0
  342. package/src/modules/permissions/channel-approval.test.ts +389 -0
  343. package/src/modules/permissions/channel-approval.ts +188 -0
  344. package/src/modules/permissions/db/agent-group-members.ts +44 -0
  345. package/src/modules/permissions/db/pending-channel-approvals.test.ts +86 -0
  346. package/src/modules/permissions/db/pending-channel-approvals.ts +66 -0
  347. package/src/modules/permissions/db/pending-sender-approvals.ts +60 -0
  348. package/src/modules/permissions/db/user-dms.ts +58 -0
  349. package/src/modules/permissions/db/user-roles.ts +85 -0
  350. package/src/modules/permissions/db/users.ts +38 -0
  351. package/src/modules/permissions/index.ts +421 -0
  352. package/src/modules/permissions/permissions.test.ts +358 -0
  353. package/src/modules/permissions/sender-approval.test.ts +470 -0
  354. package/src/modules/permissions/sender-approval.ts +165 -0
  355. package/src/modules/permissions/user-dm.ts +200 -0
  356. package/src/modules/provider-credentials/db.ts +121 -0
  357. package/src/modules/provider-credentials/index.ts +12 -0
  358. package/src/modules/provider-credentials/spawn.test.ts +206 -0
  359. package/src/modules/provider-credentials/spawn.ts +114 -0
  360. package/src/modules/scheduling/actions.ts +113 -0
  361. package/src/modules/scheduling/db.test.ts +282 -0
  362. package/src/modules/scheduling/db.ts +148 -0
  363. package/src/modules/scheduling/index.ts +34 -0
  364. package/src/modules/scheduling/recurrence.test.ts +98 -0
  365. package/src/modules/scheduling/recurrence.ts +54 -0
  366. package/src/modules/self-mod/agent.md +30 -0
  367. package/src/modules/self-mod/apply.ts +85 -0
  368. package/src/modules/self-mod/index.ts +30 -0
  369. package/src/modules/self-mod/project.md +39 -0
  370. package/src/modules/self-mod/request.ts +91 -0
  371. package/src/modules/typing/index.ts +165 -0
  372. package/src/oauth/agent-app-connections.ts +103 -0
  373. package/src/oauth/app-configs.test.ts +64 -0
  374. package/src/oauth/app-configs.ts +114 -0
  375. package/src/oauth/app-connections.test.ts +109 -0
  376. package/src/oauth/app-connections.ts +178 -0
  377. package/src/oauth/crypto.ts +56 -0
  378. package/src/oauth/flow.ts +104 -0
  379. package/src/oauth/providers/google.test.ts +38 -0
  380. package/src/oauth/providers/google.ts +46 -0
  381. package/src/oauth/providers/index.ts +48 -0
  382. package/src/oauth/state-store.test.ts +54 -0
  383. package/src/oauth/state-store.ts +93 -0
  384. package/src/parachute/README.md +27 -0
  385. package/src/parachute/create-agent.test.ts +83 -0
  386. package/src/parachute/create-agent.ts +122 -0
  387. package/src/parachute/group-status.test.ts +165 -0
  388. package/src/parachute/group-status.ts +136 -0
  389. package/src/parachute/types.ts +41 -0
  390. package/src/parachute/vault-mcp.test.ts +251 -0
  391. package/src/parachute/vault-mcp.ts +232 -0
  392. package/src/platform-id.test.ts +104 -0
  393. package/src/platform-id.ts +109 -0
  394. package/src/providers/index.ts +6 -0
  395. package/src/providers/provider-container-registry.ts +58 -0
  396. package/src/response-registry.ts +45 -0
  397. package/src/router.ts +530 -0
  398. package/src/secrets/crypto.test.ts +45 -0
  399. package/src/secrets/crypto.ts +55 -0
  400. package/src/secrets/index.ts +355 -0
  401. package/src/secrets/master-key.ts +70 -0
  402. package/src/secrets/secrets.test.ts +354 -0
  403. package/src/session-manager.migrate.test.ts +59 -0
  404. package/src/session-manager.ts +433 -0
  405. package/src/startup-bootstrap.test.ts +226 -0
  406. package/src/startup-bootstrap.ts +207 -0
  407. package/src/state-sqlite.ts +182 -0
  408. package/src/timezone.test.ts +64 -0
  409. package/src/timezone.ts +37 -0
  410. package/src/types.ts +230 -0
  411. package/src/web/auth.test.ts +335 -0
  412. package/src/web/auth.ts +214 -0
  413. package/src/web/discord-validate.test.ts +77 -0
  414. package/src/web/discord-validate.ts +88 -0
  415. package/src/web/hub-discovery.test.ts +98 -0
  416. package/src/web/hub-discovery.ts +69 -0
  417. package/src/web/routes/activity.ts +106 -0
  418. package/src/web/routes/agent-provider.test.ts +282 -0
  419. package/src/web/routes/agent-provider.ts +309 -0
  420. package/src/web/routes/approvals.ts +185 -0
  421. package/src/web/routes/apps.ts +434 -0
  422. package/src/web/routes/channels-mg-detail.test.ts +324 -0
  423. package/src/web/routes/channels-mga-detail.test.ts +425 -0
  424. package/src/web/routes/channels.ts +489 -0
  425. package/src/web/routes/oauth-providers.ts +42 -0
  426. package/src/web/routes/secrets.test.ts +175 -0
  427. package/src/web/routes/secrets.ts +282 -0
  428. package/src/web/routes/sessions.ts +123 -0
  429. package/src/web/routes/settings.test.ts +106 -0
  430. package/src/web/routes/settings.ts +247 -0
  431. package/src/web/routes/setup-status.ts +205 -0
  432. package/src/web/routes/vaults.test.ts +389 -0
  433. package/src/web/routes/vaults.ts +225 -0
  434. package/src/web/server-version.test.ts +16 -0
  435. package/src/web/server.ts +1003 -0
  436. package/src/web/services-manifest.test.ts +120 -0
  437. package/src/web/services-manifest.ts +61 -0
  438. package/src/web/static-serve.test.ts +255 -0
  439. package/src/web/static-serve.ts +104 -0
  440. package/src/web/telegram-validate.test.ts +116 -0
  441. package/src/web/telegram-validate.ts +107 -0
  442. package/src/web/vault-proxy.test.ts +214 -0
  443. package/src/web/vault-proxy.ts +120 -0
  444. package/src/web/wire-channel.ts +181 -0
  445. package/src/webhook-server.ts +134 -0
  446. package/tsconfig.json +21 -0
  447. package/vitest.config.ts +18 -0
  448. package/web/README.md +63 -0
  449. package/web/ui/index.html +13 -0
  450. package/web/ui/package.json +35 -0
  451. package/web/ui/pnpm-lock.yaml +2164 -0
  452. package/web/ui/scripts/verify-base.mjs +31 -0
  453. package/web/ui/src/App.tsx +88 -0
  454. package/web/ui/src/components/ActivityFeed.tsx +444 -0
  455. package/web/ui/src/components/AgentGroupPicker.tsx +263 -0
  456. package/web/ui/src/components/AgentProviderCards.tsx +220 -0
  457. package/web/ui/src/components/CredentialForm.tsx +214 -0
  458. package/web/ui/src/components/ScopeGrants.tsx +74 -0
  459. package/web/ui/src/components/StatusDot.tsx +43 -0
  460. package/web/ui/src/components/VaultPicker.tsx +127 -0
  461. package/web/ui/src/components/setup/AdapterInstallStep.tsx +178 -0
  462. package/web/ui/src/components/setup/AgentGroupStep.tsx +43 -0
  463. package/web/ui/src/components/setup/ChannelPickStep.tsx +74 -0
  464. package/web/ui/src/components/setup/DoneStep.tsx +49 -0
  465. package/web/ui/src/components/setup/PrereqStep.tsx +129 -0
  466. package/web/ui/src/components/setup/TestConnectionStep.tsx +108 -0
  467. package/web/ui/src/components/setup/TestMessageStep.tsx +104 -0
  468. package/web/ui/src/components/setup/WireChannelStep.tsx +166 -0
  469. package/web/ui/src/components/setup/types.ts +105 -0
  470. package/web/ui/src/lib/api.test.ts +410 -0
  471. package/web/ui/src/lib/api.ts +1210 -0
  472. package/web/ui/src/lib/auth.test.ts +139 -0
  473. package/web/ui/src/lib/auth.ts +348 -0
  474. package/web/ui/src/lib/channel-adapters.ts +136 -0
  475. package/web/ui/src/main.tsx +19 -0
  476. package/web/ui/src/routes/ApprovalsList.tsx +294 -0
  477. package/web/ui/src/routes/Apps.tsx +613 -0
  478. package/web/ui/src/routes/ChannelWireDetail.test.tsx +233 -0
  479. package/web/ui/src/routes/ChannelWireDetail.tsx +403 -0
  480. package/web/ui/src/routes/ChannelsList.tsx +158 -0
  481. package/web/ui/src/routes/GroupDetail.tsx +755 -0
  482. package/web/ui/src/routes/GroupList.tsx +187 -0
  483. package/web/ui/src/routes/MessagingGroupDetail.test.tsx +233 -0
  484. package/web/ui/src/routes/MessagingGroupDetail.tsx +306 -0
  485. package/web/ui/src/routes/NewGroupWizard.tsx +390 -0
  486. package/web/ui/src/routes/OAuthCallback.tsx +56 -0
  487. package/web/ui/src/routes/SecretsList.tsx +921 -0
  488. package/web/ui/src/routes/SessionsList.tsx +220 -0
  489. package/web/ui/src/routes/SettingsAgentProvider.tsx +109 -0
  490. package/web/ui/src/routes/SettingsApprovals.tsx +234 -0
  491. package/web/ui/src/routes/SetupWizard.tsx +219 -0
  492. package/web/ui/src/routes/VaultDetail.test.tsx +361 -0
  493. package/web/ui/src/routes/VaultDetail.tsx +960 -0
  494. package/web/ui/src/routes/VaultsList.tsx +295 -0
  495. package/web/ui/src/routes/WireChannelPage.tsx +413 -0
  496. package/web/ui/src/styles.css +608 -0
  497. package/web/ui/src/test/setup.ts +23 -0
  498. package/web/ui/src/vite-env.d.ts +10 -0
  499. package/web/ui/tsconfig.json +20 -0
  500. package/web/ui/vite.config.ts +34 -0
  501. package/web/ui/vitest.config.ts +25 -0
@@ -0,0 +1,489 @@
1
+ /**
2
+ * /api/channels — channel-wire CRUD for the /channels page.
3
+ *
4
+ * A "channel wire" in the night/arch terminology = a row in the legacy
5
+ * `messaging_group_agents` table joined with its messaging_groups +
6
+ * agent_groups parents. We translate the storage shape (snake_case +
7
+ * legacy enum names) to the camelCase API shape declared in
8
+ * web/ui/src/lib/api.ts:ChannelWireView.
9
+ *
10
+ * Enum translation: night/arch's API contract uses `engageMode = mention |
11
+ * pattern | all`, `senderScope = allowlist | all`, `ignoredMessagePolicy =
12
+ * drop | silent`. The DB still stores the pre-rebuild values: engage_mode
13
+ * = pattern | mention | mention-sticky (with engage_pattern='.' as the
14
+ * sentinel for "match every message"), sender_scope = all | known,
15
+ * ignored_message_policy = drop | accumulate. The translator collapses the
16
+ * pattern + '.' sentinel into the API's `all` mode, lossy on the
17
+ * mention-sticky distinction (rendered as `mention` to the UI). When the
18
+ * DB schema migrates to the new shape, this translator becomes a no-op.
19
+ *
20
+ * PATCH translates the inverse direction. DELETE is a straight pass-through
21
+ * to deleteMessagingGroupAgent — the agent_destinations row created at wire
22
+ * time is left in place; deleting destinations is a separate concern.
23
+ */
24
+ import http from 'node:http';
25
+
26
+ import { getAgentGroup } from '../../db/agent-groups.js';
27
+ import { getDb } from '../../db/connection.js';
28
+ import {
29
+ deleteMessagingGroupAgent,
30
+ getMessagingGroup,
31
+ getMessagingGroupAgent,
32
+ updateMessagingGroup,
33
+ updateMessagingGroupAgent,
34
+ } from '../../db/messaging-groups.js';
35
+ import { log } from '../../log.js';
36
+ import type {
37
+ EngageMode as DbEngageMode,
38
+ IgnoredMessagePolicy as DbIgnoredMessagePolicy,
39
+ MessagingGroup,
40
+ SenderScope as DbSenderScope,
41
+ MessagingGroupAgent,
42
+ UnknownSenderPolicy,
43
+ } from '../../types.js';
44
+
45
+ type ApiEngageMode = 'mention' | 'pattern' | 'all';
46
+ type ApiSenderScope = 'allowlist' | 'all';
47
+ type ApiIgnoredMessagePolicy = 'drop' | 'silent';
48
+
49
+ interface ChannelWireView {
50
+ id: string;
51
+ channelType: string;
52
+ messagingGroupId: string;
53
+ platformId: string;
54
+ displayName: string | null;
55
+ agentGroupId: string;
56
+ agentGroupFolder: string;
57
+ agentGroupName: string;
58
+ engageMode: ApiEngageMode;
59
+ engagePattern: string | null;
60
+ senderScope: ApiSenderScope;
61
+ ignoredMessagePolicy: ApiIgnoredMessagePolicy;
62
+ priority: number;
63
+ createdAt: string;
64
+ }
65
+
66
+ const ALL_MESSAGES_PATTERN_SENTINEL = '.';
67
+
68
+ function dbToApiEngage(mode: DbEngageMode, pattern: string | null): ApiEngageMode {
69
+ if (mode === 'pattern') {
70
+ return pattern === ALL_MESSAGES_PATTERN_SENTINEL ? 'all' : 'pattern';
71
+ }
72
+ // mention + mention-sticky both render as 'mention' on the UI today.
73
+ return 'mention';
74
+ }
75
+
76
+ function dbToApiSenderScope(s: DbSenderScope): ApiSenderScope {
77
+ return s === 'known' ? 'allowlist' : 'all';
78
+ }
79
+
80
+ function dbToApiIgnoredPolicy(p: DbIgnoredMessagePolicy): ApiIgnoredMessagePolicy {
81
+ return p === 'accumulate' ? 'silent' : 'drop';
82
+ }
83
+
84
+ interface PatchInput {
85
+ engageMode?: ApiEngageMode;
86
+ engagePattern?: string | null;
87
+ senderScope?: ApiSenderScope;
88
+ ignoredMessagePolicy?: ApiIgnoredMessagePolicy;
89
+ priority?: number;
90
+ }
91
+
92
+ interface DbPatch {
93
+ engage_mode?: DbEngageMode;
94
+ engage_pattern?: string | null;
95
+ sender_scope?: DbSenderScope;
96
+ ignored_message_policy?: DbIgnoredMessagePolicy;
97
+ priority?: number;
98
+ }
99
+
100
+ function apiToDbPatch(input: PatchInput, current: MessagingGroupAgent): DbPatch {
101
+ const out: DbPatch = {};
102
+
103
+ // engageMode is paired with engagePattern: 'all' encodes as
104
+ // mode='pattern' + pattern='.', which the router treats as match-every.
105
+ if (input.engageMode !== undefined) {
106
+ if (input.engageMode === 'all') {
107
+ out.engage_mode = 'pattern';
108
+ out.engage_pattern = ALL_MESSAGES_PATTERN_SENTINEL;
109
+ } else if (input.engageMode === 'pattern') {
110
+ out.engage_mode = 'pattern';
111
+ // Pattern body comes from input.engagePattern when present; otherwise
112
+ // preserve what's already on the row. validatePatchInput already
113
+ // rejects bare '.' here so the next read can't silently collapse to
114
+ // 'all'.
115
+ if (input.engagePattern !== undefined) {
116
+ out.engage_pattern = input.engagePattern;
117
+ }
118
+ } else if (input.engageMode === 'mention') {
119
+ // Preserve mention-sticky if that's what's currently on the row;
120
+ // collapsing it to plain mention here would silently change router
121
+ // behavior (sticky engagement persists across replies). The UI
122
+ // doesn't expose sticky → it sees `mention` for both, but a PATCH
123
+ // that doesn't touch the sticky distinction shouldn't lose it.
124
+ out.engage_mode = current.engage_mode === 'mention-sticky' ? 'mention-sticky' : 'mention';
125
+ out.engage_pattern = null;
126
+ }
127
+ } else if (input.engagePattern !== undefined) {
128
+ // pattern body changed without changing the mode.
129
+ out.engage_pattern = input.engagePattern;
130
+ }
131
+
132
+ if (input.senderScope !== undefined) {
133
+ out.sender_scope = input.senderScope === 'allowlist' ? 'known' : 'all';
134
+ }
135
+ if (input.ignoredMessagePolicy !== undefined) {
136
+ out.ignored_message_policy = input.ignoredMessagePolicy === 'silent' ? 'accumulate' : 'drop';
137
+ }
138
+ if (input.priority !== undefined) {
139
+ out.priority = input.priority;
140
+ }
141
+ return out;
142
+ }
143
+
144
+ interface WireJoinRow extends MessagingGroupAgent {
145
+ mg_channel_type: string;
146
+ mg_platform_id: string;
147
+ mg_name: string | null;
148
+ ag_folder: string;
149
+ ag_name: string;
150
+ }
151
+
152
+ function listAllWires(): ChannelWireView[] {
153
+ const rows = getDb()
154
+ .prepare<WireJoinRow>(
155
+ `SELECT mga.*,
156
+ mg.channel_type AS mg_channel_type,
157
+ mg.platform_id AS mg_platform_id,
158
+ mg.name AS mg_name,
159
+ ag.folder AS ag_folder,
160
+ ag.name AS ag_name
161
+ FROM messaging_group_agents mga
162
+ JOIN messaging_groups mg ON mg.id = mga.messaging_group_id
163
+ JOIN agent_groups ag ON ag.id = mga.agent_group_id
164
+ ORDER BY mga.created_at DESC`,
165
+ )
166
+ .all();
167
+ return rows.map(rowToView);
168
+ }
169
+
170
+ function rowToView(row: WireJoinRow): ChannelWireView {
171
+ return {
172
+ id: row.id,
173
+ channelType: row.mg_channel_type,
174
+ messagingGroupId: row.messaging_group_id,
175
+ platformId: row.mg_platform_id,
176
+ displayName: row.mg_name,
177
+ agentGroupId: row.agent_group_id,
178
+ agentGroupFolder: row.ag_folder,
179
+ agentGroupName: row.ag_name,
180
+ engageMode: dbToApiEngage(row.engage_mode, row.engage_pattern),
181
+ engagePattern:
182
+ row.engage_mode === 'pattern' && row.engage_pattern !== ALL_MESSAGES_PATTERN_SENTINEL ? row.engage_pattern : null,
183
+ senderScope: dbToApiSenderScope(row.sender_scope),
184
+ ignoredMessagePolicy: dbToApiIgnoredPolicy(row.ignored_message_policy),
185
+ priority: row.priority,
186
+ createdAt: row.created_at,
187
+ };
188
+ }
189
+
190
+ function getOneWireView(id: string): ChannelWireView | null {
191
+ const mga = getMessagingGroupAgent(id);
192
+ if (!mga) return null;
193
+ const mg = getMessagingGroup(mga.messaging_group_id);
194
+ const ag = getAgentGroup(mga.agent_group_id);
195
+ if (!mg || !ag) return null;
196
+ return rowToView({
197
+ ...mga,
198
+ mg_channel_type: mg.channel_type,
199
+ mg_platform_id: mg.platform_id,
200
+ mg_name: mg.name,
201
+ ag_folder: ag.folder,
202
+ ag_name: ag.name,
203
+ });
204
+ }
205
+
206
+ const json = (res: http.ServerResponse, status: number, body: unknown): void => {
207
+ res.writeHead(status, { 'content-type': 'application/json' });
208
+ res.end(JSON.stringify(body));
209
+ };
210
+
211
+ const error = (res: http.ServerResponse, status: number, message: string): void =>
212
+ json(res, status, { error: message });
213
+
214
+ async function readJsonBody<T>(req: http.IncomingMessage): Promise<T> {
215
+ const chunks: Buffer[] = [];
216
+ for await (const chunk of req) chunks.push(chunk as Buffer);
217
+ if (chunks.length === 0) return {} as T;
218
+ return JSON.parse(Buffer.concat(chunks).toString('utf8')) as T;
219
+ }
220
+
221
+ const VALID_ENGAGE_MODES: ApiEngageMode[] = ['mention', 'pattern', 'all'];
222
+ const VALID_SENDER_SCOPES: ApiSenderScope[] = ['allowlist', 'all'];
223
+ const VALID_IGNORED_POLICIES: ApiIgnoredMessagePolicy[] = ['drop', 'silent'];
224
+
225
+ function validatePatchInput(body: unknown): { ok: true; input: PatchInput } | { ok: false; reason: string } {
226
+ if (!body || typeof body !== 'object') return { ok: false, reason: 'body must be an object' };
227
+ const b = body as Record<string, unknown>;
228
+ const out: PatchInput = {};
229
+ if ('engageMode' in b) {
230
+ if (!VALID_ENGAGE_MODES.includes(b.engageMode as ApiEngageMode)) {
231
+ return { ok: false, reason: `invalid engageMode: ${String(b.engageMode)}` };
232
+ }
233
+ out.engageMode = b.engageMode as ApiEngageMode;
234
+ }
235
+ if ('engagePattern' in b) {
236
+ if (b.engagePattern !== null && typeof b.engagePattern !== 'string') {
237
+ return { ok: false, reason: 'engagePattern must be string or null' };
238
+ }
239
+ // Bare '.' is the wire-format sentinel for engageMode='all' — accepting
240
+ // it as a literal pattern would silently round-trip back as 'all' on the
241
+ // next read and lose the user's intent. Force the caller to disambiguate.
242
+ if (b.engagePattern === ALL_MESSAGES_PATTERN_SENTINEL) {
243
+ return {
244
+ ok: false,
245
+ reason:
246
+ "engagePattern '.' is reserved as the 'all' sentinel — use '\\\\.' (escaped) to match a literal dot, or set engageMode to 'all'",
247
+ };
248
+ }
249
+ out.engagePattern = b.engagePattern as string | null;
250
+ }
251
+ if ('senderScope' in b) {
252
+ if (!VALID_SENDER_SCOPES.includes(b.senderScope as ApiSenderScope)) {
253
+ return { ok: false, reason: `invalid senderScope: ${String(b.senderScope)}` };
254
+ }
255
+ out.senderScope = b.senderScope as ApiSenderScope;
256
+ }
257
+ if ('ignoredMessagePolicy' in b) {
258
+ if (!VALID_IGNORED_POLICIES.includes(b.ignoredMessagePolicy as ApiIgnoredMessagePolicy)) {
259
+ return { ok: false, reason: `invalid ignoredMessagePolicy: ${String(b.ignoredMessagePolicy)}` };
260
+ }
261
+ out.ignoredMessagePolicy = b.ignoredMessagePolicy as ApiIgnoredMessagePolicy;
262
+ }
263
+ if ('priority' in b) {
264
+ if (typeof b.priority !== 'number' || !Number.isFinite(b.priority)) {
265
+ return { ok: false, reason: 'priority must be a finite number' };
266
+ }
267
+ out.priority = b.priority;
268
+ }
269
+ return { ok: true, input: out };
270
+ }
271
+
272
+ // ─── /api/channels/mg/:id — per-MG detail + policy editor ──────────────
273
+ //
274
+ // Path is namespaced under `mg/` so it can't collide with `/api/channels/:mga-id`
275
+ // when an mg-id and an mga-id happen to share a prefix or shape (both are
276
+ // uuids today, but the disambiguation is a contract for future schemas).
277
+ // Each MGA wire row already carries its parent `messagingGroupId`, so the
278
+ // list page links the detail with the value it already has — no extra
279
+ // resolve step.
280
+
281
+ export interface WiredAgentSummary {
282
+ /** mga.id — primary key for the per-MGA detail page in PR3. */
283
+ messagingGroupAgentId: string;
284
+ agentGroupId: string;
285
+ agentGroupFolder: string;
286
+ agentGroupName: string;
287
+ /** Snapshot of MGA fields useful for the read-only summary on the detail page. */
288
+ engageMode: ApiEngageMode;
289
+ engagePattern: string | null;
290
+ senderScope: ApiSenderScope;
291
+ ignoredMessagePolicy: ApiIgnoredMessagePolicy;
292
+ priority: number;
293
+ createdAt: string;
294
+ }
295
+
296
+ export interface MessagingGroupDetailView {
297
+ id: string;
298
+ channelType: string;
299
+ platformId: string;
300
+ /** MG's `name` column — null when the operator hasn't set one. */
301
+ displayName: string | null;
302
+ isGroup: boolean;
303
+ unknownSenderPolicy: UnknownSenderPolicy;
304
+ /** ISO when the owner explicitly denied this channel; null otherwise. */
305
+ deniedAt: string | null;
306
+ createdAt: string;
307
+ wiredAgents: WiredAgentSummary[];
308
+ }
309
+
310
+ interface AgentJoinRow extends MessagingGroupAgent {
311
+ ag_folder: string;
312
+ ag_name: string;
313
+ }
314
+
315
+ export function getMessagingGroupDetail(id: string): MessagingGroupDetailView | null {
316
+ const mg = getMessagingGroup(id);
317
+ if (!mg) return null;
318
+ const rows = getDb()
319
+ .prepare<AgentJoinRow>(
320
+ `SELECT mga.*, ag.folder AS ag_folder, ag.name AS ag_name
321
+ FROM messaging_group_agents mga
322
+ JOIN agent_groups ag ON ag.id = mga.agent_group_id
323
+ WHERE mga.messaging_group_id = ?
324
+ ORDER BY mga.priority DESC, mga.created_at ASC`,
325
+ )
326
+ .all(id);
327
+ return mgToDetailView(
328
+ mg,
329
+ rows.map((row) => ({
330
+ messagingGroupAgentId: row.id,
331
+ agentGroupId: row.agent_group_id,
332
+ agentGroupFolder: row.ag_folder,
333
+ agentGroupName: row.ag_name,
334
+ engageMode: dbToApiEngage(row.engage_mode, row.engage_pattern),
335
+ engagePattern:
336
+ row.engage_mode === 'pattern' && row.engage_pattern !== ALL_MESSAGES_PATTERN_SENTINEL
337
+ ? row.engage_pattern
338
+ : null,
339
+ senderScope: dbToApiSenderScope(row.sender_scope),
340
+ ignoredMessagePolicy: dbToApiIgnoredPolicy(row.ignored_message_policy),
341
+ priority: row.priority,
342
+ createdAt: row.created_at,
343
+ })),
344
+ );
345
+ }
346
+
347
+ function mgToDetailView(mg: MessagingGroup, wiredAgents: WiredAgentSummary[]): MessagingGroupDetailView {
348
+ return {
349
+ id: mg.id,
350
+ channelType: mg.channel_type,
351
+ platformId: mg.platform_id,
352
+ displayName: mg.name,
353
+ isGroup: mg.is_group === 1,
354
+ unknownSenderPolicy: mg.unknown_sender_policy,
355
+ deniedAt: mg.denied_at ?? null,
356
+ createdAt: mg.created_at,
357
+ wiredAgents,
358
+ };
359
+ }
360
+
361
+ const VALID_UNKNOWN_SENDER_POLICIES: UnknownSenderPolicy[] = ['strict', 'request_approval', 'public'];
362
+
363
+ interface MgPatchInput {
364
+ unknownSenderPolicy: UnknownSenderPolicy;
365
+ }
366
+
367
+ function validateMgPatchInput(body: unknown): { ok: true; input: MgPatchInput } | { ok: false; reason: string } {
368
+ if (!body || typeof body !== 'object') return { ok: false, reason: 'body must be an object' };
369
+ const b = body as Record<string, unknown>;
370
+ if (!('unknownSenderPolicy' in b)) {
371
+ return { ok: false, reason: 'unknownSenderPolicy is required' };
372
+ }
373
+ if (!VALID_UNKNOWN_SENDER_POLICIES.includes(b.unknownSenderPolicy as UnknownSenderPolicy)) {
374
+ return { ok: false, reason: `invalid unknownSenderPolicy: ${String(b.unknownSenderPolicy)}` };
375
+ }
376
+ return { ok: true, input: { unknownSenderPolicy: b.unknownSenderPolicy as UnknownSenderPolicy } };
377
+ }
378
+
379
+ export interface ChannelsRouteContext {
380
+ pathname: string;
381
+ method: string;
382
+ req: http.IncomingMessage;
383
+ res: http.ServerResponse;
384
+ }
385
+
386
+ export async function handleChannelsRoute(ctx: ChannelsRouteContext): Promise<boolean> {
387
+ const { pathname, method, req, res } = ctx;
388
+
389
+ if (pathname === '/api/channels' && method === 'GET') {
390
+ json(res, 200, { wires: listAllWires() });
391
+ return true;
392
+ }
393
+
394
+ // /api/channels/mg/:id — GET (detail) or PATCH (policy edit). Must dispatch
395
+ // ahead of /api/channels/:id so the literal `mg` segment doesn't get
396
+ // mis-parsed as an mga-id.
397
+ const mgMatch = pathname.match(/^\/api\/channels\/mg\/([^/]+)$/);
398
+ if (mgMatch) {
399
+ const id = decodeURIComponent(mgMatch[1]);
400
+ const detail = getMessagingGroupDetail(id);
401
+ if (!detail) {
402
+ error(res, 404, `messaging group not found: ${id}`);
403
+ return true;
404
+ }
405
+ if (method === 'GET') {
406
+ json(res, 200, { messagingGroup: detail });
407
+ return true;
408
+ }
409
+ if (method === 'PATCH') {
410
+ let body: unknown;
411
+ try {
412
+ body = await readJsonBody<unknown>(req);
413
+ } catch {
414
+ error(res, 400, 'invalid JSON body');
415
+ return true;
416
+ }
417
+ const validated = validateMgPatchInput(body);
418
+ if (!validated.ok) {
419
+ error(res, 400, validated.reason);
420
+ return true;
421
+ }
422
+ updateMessagingGroup(id, { unknown_sender_policy: validated.input.unknownSenderPolicy });
423
+ log.info('messaging group policy updated via web', {
424
+ id,
425
+ unknownSenderPolicy: validated.input.unknownSenderPolicy,
426
+ });
427
+ // Same connection, same tx, same row — the post-update re-fetch can't
428
+ // return null without the row being concurrently deleted, which is not
429
+ // a state this surface needs to guard against.
430
+ json(res, 200, { messagingGroup: getMessagingGroupDetail(id)! });
431
+ return true;
432
+ }
433
+ error(res, 405, `method not allowed on ${pathname}: ${method}`);
434
+ return true;
435
+ }
436
+
437
+ // /api/channels/mga/:id — GET (wire detail), PATCH (routing rules edit),
438
+ // or DELETE (unwire). The `mga/` segment matches the `mg/` convention from
439
+ // the messaging-group detail block above; `mga` = messaging_group_agent =
440
+ // one wire row.
441
+ const mgaMatch = pathname.match(/^\/api\/channels\/mga\/([^/]+)$/);
442
+ if (mgaMatch) {
443
+ const id = decodeURIComponent(mgaMatch[1]);
444
+ const current = getMessagingGroupAgent(id);
445
+ if (!current) {
446
+ error(res, 404, `channel wire not found: ${id}`);
447
+ return true;
448
+ }
449
+
450
+ if (method === 'GET') {
451
+ json(res, 200, { wire: getOneWireView(id)! });
452
+ return true;
453
+ }
454
+
455
+ if (method === 'PATCH') {
456
+ let body: unknown;
457
+ try {
458
+ body = await readJsonBody<unknown>(req);
459
+ } catch {
460
+ error(res, 400, 'invalid JSON body');
461
+ return true;
462
+ }
463
+ const validated = validatePatchInput(body);
464
+ if (!validated.ok) {
465
+ error(res, 400, validated.reason);
466
+ return true;
467
+ }
468
+ const dbPatch = apiToDbPatch(validated.input, current);
469
+ updateMessagingGroupAgent(id, dbPatch);
470
+ log.info('channel wire updated via web', { id, fields: Object.keys(dbPatch) });
471
+ // Same connection, same row — see channels.ts mg/:id PATCH for the
472
+ // non-null-assertion rationale.
473
+ json(res, 200, { wire: getOneWireView(id)! });
474
+ return true;
475
+ }
476
+
477
+ if (method === 'DELETE') {
478
+ deleteMessagingGroupAgent(id);
479
+ log.info('channel wire deleted via web', { id });
480
+ json(res, 200, { id, deleted: true });
481
+ return true;
482
+ }
483
+
484
+ error(res, 405, `method not allowed on ${pathname}: ${method}`);
485
+ return true;
486
+ }
487
+
488
+ return false;
489
+ }
@@ -0,0 +1,42 @@
1
+ /**
2
+ * /api/oauth/providers — read-only provider registry.
3
+ *
4
+ * The UI's "add integration" picker is data-driven off this list rather
5
+ * than hard-coding provider slugs in the SPA bundle. New providers
6
+ * registered in `src/oauth/providers/index.ts` automatically surface
7
+ * here. No secrets, no per-account state — just the registry shape.
8
+ */
9
+ import http from 'node:http';
10
+
11
+ import { listProviders } from '../../oauth/providers/index.js';
12
+
13
+ interface ProviderView {
14
+ slug: string;
15
+ displayName: string;
16
+ defaultScopes: string;
17
+ }
18
+
19
+ const json = (res: http.ServerResponse, status: number, body: unknown): void => {
20
+ res.writeHead(status, { 'content-type': 'application/json' });
21
+ res.end(JSON.stringify(body));
22
+ };
23
+
24
+ export interface OauthProvidersRouteContext {
25
+ pathname: string;
26
+ method: string;
27
+ res: http.ServerResponse;
28
+ }
29
+
30
+ export function handleOauthProvidersRoute(ctx: OauthProvidersRouteContext): boolean {
31
+ const { pathname, method, res } = ctx;
32
+ if (pathname === '/api/oauth/providers' && method === 'GET') {
33
+ const providers: ProviderView[] = listProviders().map((p) => ({
34
+ slug: p.slug,
35
+ displayName: p.displayName,
36
+ defaultScopes: p.defaultScopes,
37
+ }));
38
+ json(res, 200, { providers });
39
+ return true;
40
+ }
41
+ return false;
42
+ }
@@ -0,0 +1,175 @@
1
+ /**
2
+ * HTTP-boundary tests for the secrets route — currently focused on the
3
+ * staleness probe added with paraclaw#103. The mutation surfaces (POST,
4
+ * DELETE, /assignments) are exercised by `src/secrets/secrets.test.ts` at
5
+ * the helper level; this file complements that with the route dispatcher.
6
+ *
7
+ * Auth gating (`agent:read` for GET, `agent:admin` for mutation) lives in
8
+ * `src/web/server.ts` upstream of `handleSecretsRoute`, so 401/403 cases
9
+ * belong to `auth.test.ts` rather than the route layer — the handler is
10
+ * never reached without a passing scope check. We assert the handler's
11
+ * own contract here (status, body shape, 404 for missing rows).
12
+ */
13
+ import http from 'node:http';
14
+ import crypto from 'crypto';
15
+
16
+ import { afterEach, beforeEach, describe, expect, it } from 'vitest';
17
+
18
+ import { getDb } from '../../db/connection.js';
19
+ import { closeDb, initTestDb, runMigrations } from '../../db/index.js';
20
+ import { _setMasterKeyForTest } from '../../secrets/master-key.js';
21
+ import { addAssignment, putSecret } from '../../secrets/index.js';
22
+ import { handleSecretsRoute } from './secrets.js';
23
+
24
+ beforeEach(() => {
25
+ const db = initTestDb();
26
+ runMigrations(db);
27
+ _setMasterKeyForTest(crypto.randomBytes(32));
28
+ });
29
+
30
+ afterEach(() => {
31
+ closeDb();
32
+ });
33
+
34
+ interface FakeResponse {
35
+ statusCode: number;
36
+ body: unknown;
37
+ res: http.ServerResponse;
38
+ }
39
+
40
+ function fakeRes(): FakeResponse {
41
+ const captured: FakeResponse = {
42
+ statusCode: 0,
43
+ body: undefined,
44
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
45
+ res: undefined as any,
46
+ };
47
+ const res = {
48
+ writeHead(status: number) {
49
+ captured.statusCode = status;
50
+ },
51
+ end(chunk: string) {
52
+ try {
53
+ captured.body = chunk ? JSON.parse(chunk) : undefined;
54
+ } catch {
55
+ captured.body = chunk;
56
+ }
57
+ },
58
+ } as unknown as http.ServerResponse;
59
+ captured.res = res;
60
+ return captured;
61
+ }
62
+
63
+ function fakeReq(): http.IncomingMessage {
64
+ return Object.assign(Object.create(null), {
65
+ [Symbol.asyncIterator]: async function* () {},
66
+ }) as http.IncomingMessage;
67
+ }
68
+
69
+ function seedAgentGroup(id: string, secretMode: 'all' | 'selective' = 'selective') {
70
+ getDb()
71
+ .prepare(
72
+ `INSERT INTO agent_groups (id, folder, name, secret_mode, created_at)
73
+ VALUES (?, ?, ?, ?, datetime('now'))`,
74
+ )
75
+ .run(id, id, id, secretMode);
76
+ }
77
+
78
+ function seedSession(sessionId: string, agentGroupId: string, createdAt: string) {
79
+ getDb()
80
+ .prepare(
81
+ `INSERT INTO sessions
82
+ (id, agent_group_id, messaging_group_id, thread_id, agent_provider, status, container_status, last_active, created_at)
83
+ VALUES (?, ?, NULL, NULL, NULL, 'active', 'running', NULL, ?)`,
84
+ )
85
+ .run(sessionId, agentGroupId, createdAt);
86
+ }
87
+
88
+ function bumpSecretUpdatedAt(secretId: string, updatedAt: string) {
89
+ getDb().prepare(`UPDATE secrets SET updated_at = ? WHERE id = ?`).run(updatedAt, secretId);
90
+ }
91
+
92
+ describe('GET /api/secrets/:id/stale-sessions', () => {
93
+ it('returns 200 with the secret metadata + the stale-session list', async () => {
94
+ seedAgentGroup('group-a', 'selective');
95
+ // Session spawned at t=10, secret bumped to t=20 — session is stale.
96
+ seedSession('sess-1', 'group-a', '2026-01-01T00:00:10.000Z');
97
+ const sid = putSecret('TOKEN', 'v');
98
+ addAssignment(sid, 'group-a');
99
+ bumpSecretUpdatedAt(sid, '2026-01-01T00:00:20.000Z');
100
+
101
+ const cap = fakeRes();
102
+ const handled = await handleSecretsRoute({
103
+ pathname: `/api/secrets/${sid}/stale-sessions`,
104
+ method: 'GET',
105
+ url: new URL(`https://x/api/secrets/${sid}/stale-sessions`),
106
+ req: fakeReq(),
107
+ res: cap.res,
108
+ });
109
+
110
+ expect(handled).toBe(true);
111
+ expect(cap.statusCode).toBe(200);
112
+ expect(cap.body).toMatchObject({
113
+ secretId: sid,
114
+ secretUpdatedAt: '2026-01-01T00:00:20.000Z',
115
+ staleSessions: [
116
+ {
117
+ sessionId: 'sess-1',
118
+ agentGroupId: 'group-a',
119
+ agentGroupName: 'group-a',
120
+ agentGroupFolder: 'group-a',
121
+ sessionCreatedAt: '2026-01-01T00:00:10.000Z',
122
+ secretUpdatedAt: '2026-01-01T00:00:20.000Z',
123
+ },
124
+ ],
125
+ });
126
+ });
127
+
128
+ it('returns 200 with an empty staleSessions array when nothing is stale', async () => {
129
+ seedAgentGroup('group-a', 'selective');
130
+ // Session spawned AFTER the secret update — not stale.
131
+ const sid = putSecret('TOKEN', 'v');
132
+ addAssignment(sid, 'group-a');
133
+ bumpSecretUpdatedAt(sid, '2026-01-01T00:00:10.000Z');
134
+ seedSession('sess-fresh', 'group-a', '2026-01-01T00:00:20.000Z');
135
+
136
+ const cap = fakeRes();
137
+ await handleSecretsRoute({
138
+ pathname: `/api/secrets/${sid}/stale-sessions`,
139
+ method: 'GET',
140
+ url: new URL(`https://x/api/secrets/${sid}/stale-sessions`),
141
+ req: fakeReq(),
142
+ res: cap.res,
143
+ });
144
+
145
+ expect(cap.statusCode).toBe(200);
146
+ expect(cap.body).toMatchObject({ secretId: sid, staleSessions: [] });
147
+ });
148
+
149
+ it('returns 404 for an unknown secret id', async () => {
150
+ const cap = fakeRes();
151
+ const handled = await handleSecretsRoute({
152
+ pathname: '/api/secrets/does-not-exist/stale-sessions',
153
+ method: 'GET',
154
+ url: new URL('https://x/api/secrets/does-not-exist/stale-sessions'),
155
+ req: fakeReq(),
156
+ res: cap.res,
157
+ });
158
+
159
+ expect(handled).toBe(true);
160
+ expect(cap.statusCode).toBe(404);
161
+ expect(cap.body).toMatchObject({ error: expect.stringContaining('does-not-exist') });
162
+ });
163
+
164
+ it('falls through (returns false) on non-GET methods so the dispatcher can keep looking', async () => {
165
+ const cap = fakeRes();
166
+ const handled = await handleSecretsRoute({
167
+ pathname: '/api/secrets/anything/stale-sessions',
168
+ method: 'POST',
169
+ url: new URL('https://x/api/secrets/anything/stale-sessions'),
170
+ req: fakeReq(),
171
+ res: cap.res,
172
+ });
173
+ expect(handled).toBe(false);
174
+ });
175
+ });