npm - @openparachute/agent - Versions diffs - 0.1.0 - Mend

@openparachute/agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (501) hide show

package/.claude/scheduled_tasks.lock +1 -0
package/.claude/settings.json +5 -0
package/.claude/skills/add-atomic-chat-tool/SKILL.md +243 -0
package/.claude/skills/add-atomic-chat-tool/atomic-chat-mcp-stdio.ts +229 -0
package/.claude/skills/add-codex/SKILL.md +161 -0
package/.claude/skills/add-dashboard/SKILL.md +138 -0
package/.claude/skills/add-dashboard/resources/dashboard-pusher.ts +495 -0
package/.claude/skills/add-emacs/SKILL.md +296 -0
package/.claude/skills/add-gcal-tool/SKILL.md +210 -0
package/.claude/skills/add-gchat/REMOVE.md +6 -0
package/.claude/skills/add-gchat/SKILL.md +92 -0
package/.claude/skills/add-gchat/VERIFY.md +3 -0
package/.claude/skills/add-github/REMOVE.md +6 -0
package/.claude/skills/add-github/SKILL.md +148 -0
package/.claude/skills/add-github/VERIFY.md +3 -0
package/.claude/skills/add-gmail-tool/SKILL.md +229 -0
package/.claude/skills/add-imessage/REMOVE.md +6 -0
package/.claude/skills/add-imessage/SKILL.md +113 -0
package/.claude/skills/add-imessage/VERIFY.md +3 -0
package/.claude/skills/add-karpathy-llm-wiki/SKILL.md +110 -0
package/.claude/skills/add-karpathy-llm-wiki/llm-wiki.md +75 -0
package/.claude/skills/add-linear/REMOVE.md +6 -0
package/.claude/skills/add-linear/SKILL.md +168 -0
package/.claude/skills/add-linear/VERIFY.md +3 -0
package/.claude/skills/add-macos-statusbar/SKILL.md +133 -0
package/.claude/skills/add-macos-statusbar/add/src/statusbar.swift +147 -0
package/.claude/skills/add-matrix/REMOVE.md +6 -0
package/.claude/skills/add-matrix/SKILL.md +148 -0
package/.claude/skills/add-matrix/VERIFY.md +3 -0
package/.claude/skills/add-ollama-provider/SKILL.md +179 -0
package/.claude/skills/add-ollama-tool/SKILL.md +193 -0
package/.claude/skills/add-opencode/SKILL.md +229 -0
package/.claude/skills/add-parallel/SKILL.md +290 -0
package/.claude/skills/add-resend/REMOVE.md +6 -0
package/.claude/skills/add-resend/SKILL.md +93 -0
package/.claude/skills/add-resend/VERIFY.md +3 -0
package/.claude/skills/add-signal/REMOVE.md +13 -0
package/.claude/skills/add-signal/SKILL.md +318 -0
package/.claude/skills/add-signal/VERIFY.md +5 -0
package/.claude/skills/add-slack/REMOVE.md +6 -0
package/.claude/skills/add-slack/SKILL.md +112 -0
package/.claude/skills/add-slack/VERIFY.md +3 -0
package/.claude/skills/add-teams/REMOVE.md +6 -0
package/.claude/skills/add-teams/SKILL.md +207 -0
package/.claude/skills/add-teams/VERIFY.md +3 -0
package/.claude/skills/add-vercel/SKILL.md +147 -0
package/.claude/skills/add-vercel/container-skills/vercel-cli/SKILL.md +103 -0
package/.claude/skills/add-webex/REMOVE.md +6 -0
package/.claude/skills/add-webex/SKILL.md +88 -0
package/.claude/skills/add-webex/VERIFY.md +3 -0
package/.claude/skills/add-wechat/REMOVE.md +49 -0
package/.claude/skills/add-wechat/SKILL.md +170 -0
package/.claude/skills/add-wechat/scripts/wire-dm.ts +172 -0
package/.claude/skills/add-whatsapp/SKILL.md +264 -0
package/.claude/skills/add-whatsapp-cloud/REMOVE.md +6 -0
package/.claude/skills/add-whatsapp-cloud/SKILL.md +95 -0
package/.claude/skills/add-whatsapp-cloud/VERIFY.md +3 -0
package/.claude/skills/claw/SKILL.md +131 -0
package/.claude/skills/claw/scripts/claw +374 -0
package/.claude/skills/convert-to-apple-container/SKILL.md +212 -0
package/.claude/skills/customize/SKILL.md +110 -0
package/.claude/skills/debug/SKILL.md +349 -0
package/.claude/skills/get-qodo-rules/SKILL.md +122 -0
package/.claude/skills/get-qodo-rules/references/output-format.md +41 -0
package/.claude/skills/get-qodo-rules/references/pagination.md +33 -0
package/.claude/skills/get-qodo-rules/references/repository-scope.md +26 -0
package/.claude/skills/init-first-agent/SKILL.md +120 -0
package/.claude/skills/init-onecli/SKILL.md +270 -0
package/.claude/skills/manage-channels/SKILL.md +87 -0
package/.claude/skills/manage-mounts/SKILL.md +47 -0
package/.claude/skills/migrate-from-openclaw/MIGRATE_CRONS.md +100 -0
package/.claude/skills/migrate-from-openclaw/SKILL.md +447 -0
package/.claude/skills/migrate-from-openclaw/scripts/discover-openclaw.ts +734 -0
package/.claude/skills/migrate-from-openclaw/scripts/extract-channel-credentials.ts +476 -0
package/.claude/skills/migrate-nanoclaw/SKILL.md +484 -0
package/.claude/skills/migrate-nanoclaw/diagnostics.md +51 -0
package/.claude/skills/qodo-pr-resolver/SKILL.md +326 -0
package/.claude/skills/qodo-pr-resolver/resources/providers.md +329 -0
package/.claude/skills/update-nanoclaw/SKILL.md +243 -0
package/.claude/skills/update-nanoclaw/diagnostics.md +48 -0
package/.claude/skills/update-skills/SKILL.md +130 -0
package/.claude/skills/use-native-credential-proxy/SKILL.md +167 -0
package/.claude/skills/x-integration/SKILL.md +417 -0
package/.claude/skills/x-integration/agent.ts +243 -0
package/.claude/skills/x-integration/host.ts +155 -0
package/.claude/skills/x-integration/lib/browser.ts +148 -0
package/.claude/skills/x-integration/lib/config.ts +62 -0
package/.claude/skills/x-integration/scripts/like.ts +56 -0
package/.claude/skills/x-integration/scripts/post.ts +66 -0
package/.claude/skills/x-integration/scripts/quote.ts +80 -0
package/.claude/skills/x-integration/scripts/reply.ts +74 -0
package/.claude/skills/x-integration/scripts/retweet.ts +62 -0
package/.claude/skills/x-integration/scripts/setup.ts +87 -0
package/.github/CODEOWNERS +10 -0
package/.github/PULL_REQUEST_TEMPLATE.md +18 -0
package/.github/workflows/bump-version.yml +35 -0
package/.github/workflows/ci.yml +39 -0
package/.github/workflows/label-pr.yml +40 -0
package/.github/workflows/update-tokens.yml +43 -0
package/.husky/pre-commit +1 -0
package/.mcp.json +3 -0
package/.nvmrc +1 -0
package/.parachute/module.json +14 -0
package/.prettierrc +4 -0
package/CHANGELOG.md +215 -0
package/CLAUDE.md +307 -0
package/CODE_OF_CONDUCT.md +128 -0
package/CONTRIBUTING.md +159 -0
package/CONTRIBUTORS.md +26 -0
package/LICENSE +21 -0
package/README.md +190 -0
package/README_ja.md +194 -0
package/README_zh.md +194 -0
package/assets/nanoclaw-favicon.png +0 -0
package/assets/nanoclaw-icon.png +0 -0
package/assets/nanoclaw-logo-dark.png +0 -0
package/assets/nanoclaw-logo.png +0 -0
package/assets/nanoclaw-profile.jpeg +0 -0
package/assets/nanoclaw-sales.png +0 -0
package/assets/social-preview.jpg +0 -0
package/config-examples/mount-allowlist.json +25 -0
package/container/.dockerignore +2 -0
package/container/CLAUDE.md +21 -0
package/container/Dockerfile +121 -0
package/container/agent-runner/bun.lock +243 -0
package/container/agent-runner/package.json +22 -0
package/container/agent-runner/scripts/sdk-signal-probe.ts +169 -0
package/container/agent-runner/src/config.ts +55 -0
package/container/agent-runner/src/db/connection.ts +267 -0
package/container/agent-runner/src/db/index.ts +20 -0
package/container/agent-runner/src/db/messages-in.ts +138 -0
package/container/agent-runner/src/db/messages-out.ts +143 -0
package/container/agent-runner/src/db/session-routing.ts +30 -0
package/container/agent-runner/src/db/session-state.test.ts +100 -0
package/container/agent-runner/src/db/session-state.ts +79 -0
package/container/agent-runner/src/destinations.ts +135 -0
package/container/agent-runner/src/formatter.test.ts +167 -0
package/container/agent-runner/src/formatter.ts +260 -0
package/container/agent-runner/src/index.ts +110 -0
package/container/agent-runner/src/integration.test.ts +121 -0
package/container/agent-runner/src/mcp-tools/agents.instructions.md +26 -0
package/container/agent-runner/src/mcp-tools/agents.ts +66 -0
package/container/agent-runner/src/mcp-tools/core.instructions.md +27 -0
package/container/agent-runner/src/mcp-tools/core.ts +262 -0
package/container/agent-runner/src/mcp-tools/index.ts +22 -0
package/container/agent-runner/src/mcp-tools/interactive.instructions.md +22 -0
package/container/agent-runner/src/mcp-tools/interactive.ts +169 -0
package/container/agent-runner/src/mcp-tools/scheduling.instructions.md +40 -0
package/container/agent-runner/src/mcp-tools/scheduling.ts +299 -0
package/container/agent-runner/src/mcp-tools/self-mod.instructions.md +25 -0
package/container/agent-runner/src/mcp-tools/self-mod.ts +120 -0
package/container/agent-runner/src/mcp-tools/server.ts +54 -0
package/container/agent-runner/src/mcp-tools/types.ts +6 -0
package/container/agent-runner/src/poll-loop.test.ts +248 -0
package/container/agent-runner/src/poll-loop.ts +437 -0
package/container/agent-runner/src/providers/claude.ts +379 -0
package/container/agent-runner/src/providers/factory.test.ts +19 -0
package/container/agent-runner/src/providers/factory.ts +13 -0
package/container/agent-runner/src/providers/index.ts +6 -0
package/container/agent-runner/src/providers/mock.ts +77 -0
package/container/agent-runner/src/providers/provider-registry.ts +33 -0
package/container/agent-runner/src/providers/types.ts +82 -0
package/container/agent-runner/src/scheduling/task-script.ts +121 -0
package/container/agent-runner/src/timezone.test.ts +93 -0
package/container/agent-runner/src/timezone.ts +107 -0
package/container/agent-runner/tsconfig.json +14 -0
package/container/build.sh +48 -0
package/container/entrypoint.sh +16 -0
package/container/skills/agent-browser/SKILL.md +159 -0
package/container/skills/frontend-engineer/SKILL.md +157 -0
package/container/skills/self-customize/SKILL.md +87 -0
package/container/skills/slack-formatting/SKILL.md +94 -0
package/container/skills/vercel-cli/SKILL.md +111 -0
package/container/skills/welcome/SKILL.md +85 -0
package/docs/APPLE-CONTAINER-NETWORKING.md +90 -0
package/docs/BRANCH-FORK-MAINTENANCE.md +81 -0
package/docs/README.md +25 -0
package/docs/SDK_DEEP_DIVE.md +643 -0
package/docs/SECURITY.md +162 -0
package/docs/agent-runner-details.md +749 -0
package/docs/api-details.md +365 -0
package/docs/architecture-diagram.html +422 -0
package/docs/architecture-diagram.md +215 -0
package/docs/architecture.md +751 -0
package/docs/audit/2026-04-30-channel-endpoint-audit.md +36 -0
package/docs/build-and-runtime.md +80 -0
package/docs/cross-mount-stress/README.md +112 -0
package/docs/cross-mount-stress/container-writer-retry.mjs +55 -0
package/docs/cross-mount-stress/container-writer-slow.mjs +42 -0
package/docs/cross-mount-stress/container-writer.mjs +47 -0
package/docs/cross-mount-stress/host-writer-retry.mjs +55 -0
package/docs/cross-mount-stress/host-writer-slow.mjs +43 -0
package/docs/cross-mount-stress/host-writer.mjs +47 -0
package/docs/db-central.md +316 -0
package/docs/db-session.md +183 -0
package/docs/db.md +119 -0
package/docs/design/2026-04-29-vault-management-ui.md +231 -0
package/docs/design/2026-04-30-channel-wiring-rework.md +234 -0
package/docs/design/2026-05-01-channel-wiring-approvals-deep-dive.md +272 -0
package/docs/design/2026-05-02-channel-policy-and-approval-routing.md +250 -0
package/docs/docker-sandboxes.md +359 -0
package/docs/isolation-model.md +88 -0
package/docs/ollama.md +79 -0
package/docs/parachute-integration.md +109 -0
package/docs/post-night-rebirth-reflections.md +151 -0
package/eslint.config.js +32 -0
package/package.json +54 -0
package/pnpm-workspace.yaml +8 -0
package/repo-tokens/README.md +113 -0
package/repo-tokens/action.yml +186 -0
package/repo-tokens/badge.svg +23 -0
package/repo-tokens/examples/green.svg +14 -0
package/repo-tokens/examples/red.svg +14 -0
package/repo-tokens/examples/yellow-green.svg +14 -0
package/repo-tokens/examples/yellow.svg +14 -0
package/scripts/chat.ts +101 -0
package/scripts/cleanup-sessions.sh +150 -0
package/scripts/init-cli-agent.ts +171 -0
package/scripts/init-first-agent.ts +377 -0
package/scripts/parachute.ts +158 -0
package/scripts/run-migrations.ts +105 -0
package/scripts/sanity-live-poll.ts +95 -0
package/scripts/seed-discord.ts +79 -0
package/scripts/test-v2-agent.ts +106 -0
package/scripts/test-v2-channel-e2e.ts +265 -0
package/scripts/test-v2-host.ts +184 -0
package/src/channels/adapter.ts +214 -0
package/src/channels/ask-question.ts +46 -0
package/src/channels/channel-registry.test.ts +421 -0
package/src/channels/channel-registry.ts +313 -0
package/src/channels/chat-sdk-bridge.test.ts +84 -0
package/src/channels/chat-sdk-bridge.ts +652 -0
package/src/channels/cli.ts +276 -0
package/src/channels/discord.ts +90 -0
package/src/channels/index.ts +17 -0
package/src/channels/telegram-markdown-sanitize.test.ts +78 -0
package/src/channels/telegram-markdown-sanitize.ts +55 -0
package/src/channels/telegram-pairing.test.ts +254 -0
package/src/channels/telegram-pairing.ts +339 -0
package/src/channels/telegram.ts +279 -0
package/src/channels/trust-hint.test.ts +48 -0
package/src/channels/trust-hint.ts +75 -0
package/src/claude-md-compose.migrate.test.ts +64 -0
package/src/claude-md-compose.ts +205 -0
package/src/command-gate.ts +63 -0
package/src/config.test.ts +93 -0
package/src/config.ts +108 -0
package/src/container-config.ts +167 -0
package/src/container-runner.test.ts +32 -0
package/src/container-runner.ts +576 -0
package/src/container-runtime.test.ts +169 -0
package/src/container-runtime.ts +92 -0
package/src/db/_bun-sqlite-shim.ts +88 -0
package/src/db/agent-activity.test.ts +155 -0
package/src/db/agent-activity.ts +121 -0
package/src/db/agent-groups.ts +77 -0
package/src/db/connection.migrate.test.ts +143 -0
package/src/db/connection.ts +224 -0
package/src/db/db-v2.test.ts +440 -0
package/src/db/dropped-messages.ts +44 -0
package/src/db/index.ts +40 -0
package/src/db/messaging-groups.ts +252 -0
package/src/db/migrations/001-initial.ts +112 -0
package/src/db/migrations/002-chat-sdk-state.ts +36 -0
package/src/db/migrations/008-dropped-messages.ts +27 -0
package/src/db/migrations/009-drop-pending-credentials.ts +13 -0
package/src/db/migrations/010-engage-modes.ts +103 -0
package/src/db/migrations/011-pending-sender-approvals.ts +40 -0
package/src/db/migrations/012-channel-registration.ts +48 -0
package/src/db/migrations/013-approval-render-metadata.ts +27 -0
package/src/db/migrations/014-secrets.ts +44 -0
package/src/db/migrations/015-secrets-drop-host-pattern.ts +18 -0
package/src/db/migrations/016-secret-assignments.ts +30 -0
package/src/db/migrations/017-agent-activity.ts +40 -0
package/src/db/migrations/018-oauth-app-configs.ts +34 -0
package/src/db/migrations/019-oauth-app-connections.ts +48 -0
package/src/db/migrations/020-agent-app-connections.ts +28 -0
package/src/db/migrations/021-pending-oauth-states.ts +35 -0
package/src/db/migrations/022-app-connections-provider.ts +25 -0
package/src/db/migrations/023-agent-group-secret-mode.test.ts +124 -0
package/src/db/migrations/023-agent-group-secret-mode.ts +65 -0
package/src/db/migrations/024-collapse-approvals.test.ts +249 -0
package/src/db/migrations/024-collapse-approvals.ts +182 -0
package/src/db/migrations/025-secret-mode-check.test.ts +155 -0
package/src/db/migrations/025-secret-mode-check.ts +49 -0
package/src/db/migrations/026-user-dms-bot-id.test.ts +116 -0
package/src/db/migrations/026-user-dms-bot-id.ts +54 -0
package/src/db/migrations/027-provider-credentials.ts +41 -0
package/src/db/migrations/_test-helpers.ts +41 -0
package/src/db/migrations/index.ts +127 -0
package/src/db/migrations/module-agent-to-agent-destinations.ts +84 -0
package/src/db/migrations/module-approvals-pending-approvals.ts +42 -0
package/src/db/migrations/module-approvals-title-options.ts +40 -0
package/src/db/schema.ts +258 -0
package/src/db/session-db.test.ts +93 -0
package/src/db/session-db.ts +325 -0
package/src/db/sessions.ts +241 -0
package/src/delivery.test.ts +148 -0
package/src/delivery.ts +445 -0
package/src/env.ts +74 -0
package/src/group-folder.test.ts +35 -0
package/src/group-folder.ts +44 -0
package/src/group-init.ts +92 -0
package/src/host-core.test.ts +456 -0
package/src/host-sweep.test.ts +146 -0
package/src/host-sweep.ts +287 -0
package/src/index.ts +227 -0
package/src/install-slug.ts +33 -0
package/src/log.test.ts +81 -0
package/src/log.ts +117 -0
package/src/mcp/http.ts +72 -0
package/src/mcp/server.ts +92 -0
package/src/mcp/stdio.ts +51 -0
package/src/mcp/tools/activity.ts +88 -0
package/src/mcp/tools/agent-groups.ts +183 -0
package/src/mcp/tools/approvals.ts +122 -0
package/src/mcp/tools/channels.ts +199 -0
package/src/mcp/tools/index.ts +27 -0
package/src/mcp/tools/oauth.ts +48 -0
package/src/mcp/tools/secrets.ts +169 -0
package/src/mcp/tools/sessions.ts +135 -0
package/src/mcp/types.ts +51 -0
package/src/modules/agent-to-agent/agent-route.test.ts +46 -0
package/src/modules/agent-to-agent/agent-route.ts +223 -0
package/src/modules/agent-to-agent/create-agent.ts +127 -0
package/src/modules/agent-to-agent/db/agent-destinations.ts +135 -0
package/src/modules/agent-to-agent/index.ts +22 -0
package/src/modules/agent-to-agent/write-destinations.ts +59 -0
package/src/modules/approvals/agent.md +45 -0
package/src/modules/approvals/index.ts +21 -0
package/src/modules/approvals/picks.test.ts +291 -0
package/src/modules/approvals/primitive.ts +279 -0
package/src/modules/approvals/project.md +27 -0
package/src/modules/approvals/response-handler.ts +87 -0
package/src/modules/index.ts +24 -0
package/src/modules/interactive/agent.md +21 -0
package/src/modules/interactive/index.ts +69 -0
package/src/modules/interactive/project.md +12 -0
package/src/modules/mount-security/index.ts +448 -0
package/src/modules/mount-security/migrate.test.ts +91 -0
package/src/modules/permissions/access.ts +28 -0
package/src/modules/permissions/channel-approval.test.ts +389 -0
package/src/modules/permissions/channel-approval.ts +188 -0
package/src/modules/permissions/db/agent-group-members.ts +44 -0
package/src/modules/permissions/db/pending-channel-approvals.test.ts +86 -0
package/src/modules/permissions/db/pending-channel-approvals.ts +66 -0
package/src/modules/permissions/db/pending-sender-approvals.ts +60 -0
package/src/modules/permissions/db/user-dms.ts +58 -0
package/src/modules/permissions/db/user-roles.ts +85 -0
package/src/modules/permissions/db/users.ts +38 -0
package/src/modules/permissions/index.ts +421 -0
package/src/modules/permissions/permissions.test.ts +358 -0
package/src/modules/permissions/sender-approval.test.ts +470 -0
package/src/modules/permissions/sender-approval.ts +165 -0
package/src/modules/permissions/user-dm.ts +200 -0
package/src/modules/provider-credentials/db.ts +121 -0
package/src/modules/provider-credentials/index.ts +12 -0
package/src/modules/provider-credentials/spawn.test.ts +206 -0
package/src/modules/provider-credentials/spawn.ts +114 -0
package/src/modules/scheduling/actions.ts +113 -0
package/src/modules/scheduling/db.test.ts +282 -0
package/src/modules/scheduling/db.ts +148 -0
package/src/modules/scheduling/index.ts +34 -0
package/src/modules/scheduling/recurrence.test.ts +98 -0
package/src/modules/scheduling/recurrence.ts +54 -0
package/src/modules/self-mod/agent.md +30 -0
package/src/modules/self-mod/apply.ts +85 -0
package/src/modules/self-mod/index.ts +30 -0
package/src/modules/self-mod/project.md +39 -0
package/src/modules/self-mod/request.ts +91 -0
package/src/modules/typing/index.ts +165 -0
package/src/oauth/agent-app-connections.ts +103 -0
package/src/oauth/app-configs.test.ts +64 -0
package/src/oauth/app-configs.ts +114 -0
package/src/oauth/app-connections.test.ts +109 -0
package/src/oauth/app-connections.ts +178 -0
package/src/oauth/crypto.ts +56 -0
package/src/oauth/flow.ts +104 -0
package/src/oauth/providers/google.test.ts +38 -0
package/src/oauth/providers/google.ts +46 -0
package/src/oauth/providers/index.ts +48 -0
package/src/oauth/state-store.test.ts +54 -0
package/src/oauth/state-store.ts +93 -0
package/src/parachute/README.md +27 -0
package/src/parachute/create-agent.test.ts +83 -0
package/src/parachute/create-agent.ts +122 -0
package/src/parachute/group-status.test.ts +165 -0
package/src/parachute/group-status.ts +136 -0
package/src/parachute/types.ts +41 -0
package/src/parachute/vault-mcp.test.ts +251 -0
package/src/parachute/vault-mcp.ts +232 -0
package/src/platform-id.test.ts +104 -0
package/src/platform-id.ts +109 -0
package/src/providers/index.ts +6 -0
package/src/providers/provider-container-registry.ts +58 -0
package/src/response-registry.ts +45 -0
package/src/router.ts +530 -0
package/src/secrets/crypto.test.ts +45 -0
package/src/secrets/crypto.ts +55 -0
package/src/secrets/index.ts +355 -0
package/src/secrets/master-key.ts +70 -0
package/src/secrets/secrets.test.ts +354 -0
package/src/session-manager.migrate.test.ts +59 -0
package/src/session-manager.ts +433 -0
package/src/startup-bootstrap.test.ts +226 -0
package/src/startup-bootstrap.ts +207 -0
package/src/state-sqlite.ts +182 -0
package/src/timezone.test.ts +64 -0
package/src/timezone.ts +37 -0
package/src/types.ts +230 -0
package/src/web/auth.test.ts +335 -0
package/src/web/auth.ts +214 -0
package/src/web/discord-validate.test.ts +77 -0
package/src/web/discord-validate.ts +88 -0
package/src/web/hub-discovery.test.ts +98 -0
package/src/web/hub-discovery.ts +69 -0
package/src/web/routes/activity.ts +106 -0
package/src/web/routes/agent-provider.test.ts +282 -0
package/src/web/routes/agent-provider.ts +309 -0
package/src/web/routes/approvals.ts +185 -0
package/src/web/routes/apps.ts +434 -0
package/src/web/routes/channels-mg-detail.test.ts +324 -0
package/src/web/routes/channels-mga-detail.test.ts +425 -0
package/src/web/routes/channels.ts +489 -0
package/src/web/routes/oauth-providers.ts +42 -0
package/src/web/routes/secrets.test.ts +175 -0
package/src/web/routes/secrets.ts +282 -0
package/src/web/routes/sessions.ts +123 -0
package/src/web/routes/settings.test.ts +106 -0
package/src/web/routes/settings.ts +247 -0
package/src/web/routes/setup-status.ts +205 -0
package/src/web/routes/vaults.test.ts +389 -0
package/src/web/routes/vaults.ts +225 -0
package/src/web/server-version.test.ts +16 -0
package/src/web/server.ts +1003 -0
package/src/web/services-manifest.test.ts +120 -0
package/src/web/services-manifest.ts +61 -0
package/src/web/static-serve.test.ts +255 -0
package/src/web/static-serve.ts +104 -0
package/src/web/telegram-validate.test.ts +116 -0
package/src/web/telegram-validate.ts +107 -0
package/src/web/vault-proxy.test.ts +214 -0
package/src/web/vault-proxy.ts +120 -0
package/src/web/wire-channel.ts +181 -0
package/src/webhook-server.ts +134 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +18 -0
package/web/README.md +63 -0
package/web/ui/index.html +13 -0
package/web/ui/package.json +35 -0
package/web/ui/pnpm-lock.yaml +2164 -0
package/web/ui/scripts/verify-base.mjs +31 -0
package/web/ui/src/App.tsx +88 -0
package/web/ui/src/components/ActivityFeed.tsx +444 -0
package/web/ui/src/components/AgentGroupPicker.tsx +263 -0
package/web/ui/src/components/AgentProviderCards.tsx +220 -0
package/web/ui/src/components/CredentialForm.tsx +214 -0
package/web/ui/src/components/ScopeGrants.tsx +74 -0
package/web/ui/src/components/StatusDot.tsx +43 -0
package/web/ui/src/components/VaultPicker.tsx +127 -0
package/web/ui/src/components/setup/AdapterInstallStep.tsx +178 -0
package/web/ui/src/components/setup/AgentGroupStep.tsx +43 -0
package/web/ui/src/components/setup/ChannelPickStep.tsx +74 -0
package/web/ui/src/components/setup/DoneStep.tsx +49 -0
package/web/ui/src/components/setup/PrereqStep.tsx +129 -0
package/web/ui/src/components/setup/TestConnectionStep.tsx +108 -0
package/web/ui/src/components/setup/TestMessageStep.tsx +104 -0
package/web/ui/src/components/setup/WireChannelStep.tsx +166 -0
package/web/ui/src/components/setup/types.ts +105 -0
package/web/ui/src/lib/api.test.ts +410 -0
package/web/ui/src/lib/api.ts +1210 -0
package/web/ui/src/lib/auth.test.ts +139 -0
package/web/ui/src/lib/auth.ts +348 -0
package/web/ui/src/lib/channel-adapters.ts +136 -0
package/web/ui/src/main.tsx +19 -0
package/web/ui/src/routes/ApprovalsList.tsx +294 -0
package/web/ui/src/routes/Apps.tsx +613 -0
package/web/ui/src/routes/ChannelWireDetail.test.tsx +233 -0
package/web/ui/src/routes/ChannelWireDetail.tsx +403 -0
package/web/ui/src/routes/ChannelsList.tsx +158 -0
package/web/ui/src/routes/GroupDetail.tsx +755 -0
package/web/ui/src/routes/GroupList.tsx +187 -0
package/web/ui/src/routes/MessagingGroupDetail.test.tsx +233 -0
package/web/ui/src/routes/MessagingGroupDetail.tsx +306 -0
package/web/ui/src/routes/NewGroupWizard.tsx +390 -0
package/web/ui/src/routes/OAuthCallback.tsx +56 -0
package/web/ui/src/routes/SecretsList.tsx +921 -0
package/web/ui/src/routes/SessionsList.tsx +220 -0
package/web/ui/src/routes/SettingsAgentProvider.tsx +109 -0
package/web/ui/src/routes/SettingsApprovals.tsx +234 -0
package/web/ui/src/routes/SetupWizard.tsx +219 -0
package/web/ui/src/routes/VaultDetail.test.tsx +361 -0
package/web/ui/src/routes/VaultDetail.tsx +960 -0
package/web/ui/src/routes/VaultsList.tsx +295 -0
package/web/ui/src/routes/WireChannelPage.tsx +413 -0
package/web/ui/src/styles.css +608 -0
package/web/ui/src/test/setup.ts +23 -0
package/web/ui/src/vite-env.d.ts +10 -0
package/web/ui/tsconfig.json +20 -0
package/web/ui/vite.config.ts +34 -0
package/web/ui/vitest.config.ts +25 -0

package/docs/architecture-diagram.html ADDED Viewed

@@ -0,0 +1,422 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    <title>Paraclaw Architecture</title>
+    <script src="https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.min.js"></script>
+    <style>
+      :root {
+        --bg: #0b0d12;
+        --panel: #141821;
+        --ink: #e7ecf3;
+        --muted: #8a94a6;
+        --accent: #7aa2ff;
+        --border: #232a38;
+      }
+      * { box-sizing: border-box; }
+      html, body {
+        margin: 0;
+        padding: 0;
+        background: var(--bg);
+        color: var(--ink);
+        font-family: -apple-system, BlinkMacSystemFont, "SF Pro Text", "Segoe UI", Helvetica, Arial, sans-serif;
+        font-size: 15px;
+        line-height: 1.55;
+      }
+      header {
+        padding: 32px 40px 16px;
+        border-bottom: 1px solid var(--border);
+        position: sticky;
+        top: 0;
+        background: rgba(11, 13, 18, 0.92);
+        backdrop-filter: saturate(180%) blur(10px);
+        z-index: 10;
+      }
+      header h1 {
+        margin: 0 0 4px;
+        font-size: 22px;
+        font-weight: 600;
+        letter-spacing: -0.01em;
+      }
+      header .sub {
+        color: var(--muted);
+        font-size: 13px;
+      }
+      nav {
+        display: flex;
+        flex-wrap: wrap;
+        gap: 8px;
+        margin-top: 14px;
+      }
+      nav a {
+        color: var(--accent);
+        text-decoration: none;
+        font-size: 12px;
+        padding: 4px 10px;
+        border: 1px solid var(--border);
+        border-radius: 999px;
+        background: var(--panel);
+      }
+      nav a:hover { border-color: var(--accent); }
+      main {
+        max-width: 1280px;
+        margin: 0 auto;
+        padding: 28px 40px 80px;
+      }
+      section {
+        margin-bottom: 48px;
+      }
+      section h2 {
+        font-size: 18px;
+        font-weight: 600;
+        margin: 0 0 6px;
+        letter-spacing: -0.005em;
+      }
+      section h2 .num {
+        color: var(--muted);
+        font-weight: 500;
+        margin-right: 8px;
+      }
+      section p.desc {
+        color: var(--muted);
+        margin: 0 0 16px;
+        max-width: 900px;
+      }
+      .diagram {
+        background: var(--panel);
+        border: 1px solid var(--border);
+        border-radius: 14px;
+        padding: 24px;
+        overflow-x: auto;
+      }
+      .diagram svg { max-width: 100%; height: auto; display: block; margin: 0 auto; }
+      table {
+        width: 100%;
+        border-collapse: collapse;
+        margin-top: 14px;
+        font-size: 13px;
+      }
+      th, td {
+        text-align: left;
+        padding: 10px 12px;
+        border-bottom: 1px solid var(--border);
+      }
+      th {
+        color: var(--muted);
+        font-weight: 500;
+        text-transform: uppercase;
+        font-size: 11px;
+        letter-spacing: 0.04em;
+      }
+      code {
+        font-family: "SF Mono", Menlo, Consolas, monospace;
+        font-size: 12px;
+        background: #1c2230;
+        padding: 1px 6px;
+        border-radius: 4px;
+        color: #c8d4ee;
+      }
+      footer {
+        color: var(--muted);
+        font-size: 12px;
+        text-align: center;
+        padding: 20px 0 0;
+        border-top: 1px solid var(--border);
+      }
+    </style>
+  </head>
+  <body>
+    <header>
+      <h1>Paraclaw Architecture</h1>
+      <div class="sub">Session-DB messaging model · Chat SDK bridge · local AES-GCM secret store · per-session containers</div>
+      <nav>
+        <a href="#overview">1 · Overview</a>
+        <a href="#flow">2 · Message Flow</a>
+        <a href="#destinations">3 · Destinations &amp; A2A</a>
+        <a href="#entities">4 · Entity Model</a>
+        <a href="#twodb">5 · Two-DB Split</a>
+      </nav>
+    </header>
+    <main>
+      <section id="overview">
+        <h2><span class="num">1</span>System Overview</h2>
+        <p class="desc">
+          Inbound messages land at the Chat SDK bridge, which hands off to the
+          router. The router resolves the messaging group → agent group → session
+          and writes to the session's <code>inbound.db</code>. The container runner
+          spawns a per-session container (with secrets injected as env vars from
+          paraclaw's local AES-GCM secret store), and the agent-runner
+          polls its DB, calls Claude, and writes responses to <code>outbound.db</code>.
+          Delivery polls the outbound DB, re-validates destinations, and ships
+          messages back through the same bridge.
+        </p>
+        <div class="diagram">
+<pre class="mermaid">
+flowchart TB
+  subgraph Platforms["Messaging Platforms"]
+    P1[Discord]
+    P2[Telegram]
+    P3[Slack]
+    P4[GitHub / Linear]
+    P5[WhatsApp / iMessage / Teams / GChat / Matrix / Webex / Email]
+  end
+  subgraph Host["Host Process (Node)"]
+    direction TB
+    Bridge["Chat SDK Bridge<br/>src/channels/chat-sdk-bridge.ts"]
+    Router["Router<br/>src/router.ts<br/>platformId + threadId → session"]
+    SessMgr["Session Manager<br/>src/session-manager.ts"]
+    Runner["Container Runner<br/>src/container-runner.ts<br/>spawn + secret env injection"]
+    Delivery["Delivery Poller<br/>src/delivery.ts<br/>1s active / 60s sweep"]
+    Sweep["Host Sweep<br/>src/host-sweep.ts"]
+    Central[("Central DB · data/v2.db<br/>agent_groups · messaging_groups<br/>messaging_group_agents · sessions<br/>pending_approvals")]
+  end
+  subgraph Secrets["Local Secret Store"]
+    Vault["AES-GCM ciphertext<br/>(central DB)<br/>master key on host"]
+    Approvals["pending_approvals (self-mod)"]
+  end
+  subgraph Session["Per-Session Container"]
+    direction TB
+    PollLoop["Poll Loop<br/>container/agent-runner"]
+    Provider["Claude Agent SDK<br/>(codex / opencode planned)"]
+    MCP["MCP Tools<br/>send_message · send_file · edit_message<br/>send_card · ask_user_question · schedule_task<br/>create_agent · install_packages · add_mcp_server<br/>request_rebuild"]
+    InDB[("inbound.db<br/>host writes · even seq")]
+    OutDB[("outbound.db<br/>container writes · odd seq")]
+  end
+  Folder["Agent Group FS<br/>groups/*<br/>CLAUDE.md · memory · skills"]
+  P1 & P2 & P3 & P4 & P5 --> Bridge
+  Bridge --> Router
+  Router --> Central
+  Router --> SessMgr
+  SessMgr --> InDB
+  SessMgr --> Runner
+  Runner --> Vault
+  Runner --> PollLoop
+  PollLoop --> InDB
+  PollLoop --> Provider
+  Provider --> MCP
+  MCP --> OutDB
+  OutDB --> Delivery
+  Delivery --> Central
+  Delivery --> Bridge
+  Bridge --> P1 & P2 & P3 & P4 & P5
+  Sweep --> InDB
+  Sweep --> OutDB
+  Sweep --> Central
+  Runner -.mounts.-> Folder
+  MCP -.approval.-> Approvals
+  Approvals --> Central
+  Vault -.env vars.-> Provider
+</pre>
+        </div>
+      </section>
+      <section id="flow">
+        <h2><span class="num">2</span>Message Flow</h2>
+        <p class="desc">
+          End-to-end path of a single message. The host and container never write
+          to the same SQLite file — the split between inbound and outbound DBs is
+          what makes this lock-free under concurrent activity.
+        </p>
+        <div class="diagram">
+<pre class="mermaid">
+sequenceDiagram
+  participant P as Platform (Telegram)
+  participant B as Chat SDK Bridge
+  participant R as Router
+  participant SM as Session Manager
+  participant IDB as inbound.db
+  participant C as Container (agent-runner)
+  participant ODB as outbound.db
+  participant D as Delivery Poller
+  P->>B: new message
+  B->>R: routeInbound(platformId, threadId, msg)
+  R->>R: resolve messaging_group → agent_group → session<br/>(agent-shared · shared · per-thread)
+  R->>SM: ensure session + DBs exist
+  R->>IDB: INSERT messages_in (even seq)
+  R->>C: wake container (spawn or signal)
+  C->>IDB: poll messages_in
+  C->>C: format xml → Claude SDK stream
+  C->>ODB: INSERT messages_out (odd seq)<br/>parse &lt;message to='name'&gt; blocks
+  D->>ODB: 1s active poll / 60s sweep
+  D->>D: hasDestination() re-validate
+  D->>B: deliver via adapter
+  B->>P: send · edit · react · file · card
+</pre>
+        </div>
+      </section>
+      <section id="destinations">
+        <h2><span class="num">3</span>Named Destinations &amp; Agent-to-Agent</h2>
+        <p class="desc">
+          Agents address outputs by local name. The host looks up each name against
+          the agent's destinations table at delivery time — dropping anything
+          unauthorized. The same table routes agent-to-agent messages to a sibling
+          agent's <code>inbound.db</code> with bidirectional permission rows.
+        </p>
+        <div class="diagram">
+<pre class="mermaid">
+flowchart LR
+  subgraph AgentA["Agent Group A (main)"]
+    A_out["&lt;message to='slack'&gt;...&lt;/message&gt;<br/>&lt;message to='browser-agent'&gt;...&lt;/message&gt;<br/>&lt;internal&gt;scratchpad&lt;/internal&gt;"]
+  end
+  subgraph Dests["inbound.db.destinations (per agent)"]
+    D1["slack → messaging_group 42"]
+    D2["browser-agent → agent_group 7<br/>(bidirectional)"]
+    D3["github → messaging_group 13"]
+  end
+  subgraph AgentB["Agent Group B (browser sub-agent)"]
+    B_session["own inbound.db / outbound.db<br/>inherited destination back to A"]
+  end
+  Slack[Slack]
+  GitHub[GitHub PR]
+  A_out -->|parse + lookup| Dests
+  D1 -->|deliver| Slack
+  D2 -->|write to B's inbound.db| B_session
+  D3 -->|deliver| GitHub
+  B_session -.reply via 'parent'.-> Dests
+</pre>
+        </div>
+      </section>
+      <section id="entities">
+        <h2><span class="num">4</span>Entity Model</h2>
+        <p class="desc">
+          Messaging groups and agent groups are many-to-many, joined via
+          <code>messaging_group_agents</code>. The <code>session_mode</code>
+          column selects one of three isolation levels.
+        </p>
+        <div class="diagram">
+<pre class="mermaid">
+erDiagram
+  agent_groups ||--o{ messaging_group_agents : wired
+  messaging_groups ||--o{ messaging_group_agents : wired
+  agent_groups ||--o{ sessions : runs
+  messaging_groups ||--o{ sessions : context
+  agent_groups ||--o{ agent_destinations : owns
+  agent_groups ||--o{ pending_approvals : requests
+  agent_groups {
+    int id
+    string name
+    string folder
+    string agent_provider
+    json container_config
+  }
+  messaging_groups {
+    int id
+    string channel_type
+    string platform_id
+    string name
+    bool is_group
+    string unknown_sender_policy "strict | request_approval | public"
+  }
+  users {
+    string id PK "namespaced &lt;channel&gt;:&lt;handle&gt;"
+    string kind
+    string display_name
+  }
+  user_roles {
+    string user_id FK
+    string role "owner | admin"
+    string agent_group_id FK "null = global"
+  }
+  agent_group_members {
+    string user_id FK
+    string agent_group_id FK
+  }
+  user_dms {
+    string user_id FK
+    string channel_type
+    string messaging_group_id FK
+  }
+  messaging_group_agents {
+    int messaging_group_id
+    int agent_group_id
+    string session_mode
+    json trigger_rules
+    int priority
+  }
+  sessions {
+    int id
+    int agent_group_id
+    int messaging_group_id
+    string sdk_session_id
+    string status
+  }
+</pre>
+        </div>
+        <table>
+          <thead>
+            <tr><th>Level</th><th>session_mode</th><th>Shared</th><th>Example</th></tr>
+          </thead>
+          <tbody>
+            <tr><td>1 · Shared session</td><td><code>agent-shared</code></td><td>Workspace + memory + conversation</td><td>Slack + GitHub webhooks in one thread</td></tr>
+            <tr><td>2 · Same agent, separate sessions</td><td><code>shared</code> / <code>per-thread</code></td><td>Workspace + memory only</td><td>One agent across 3 Telegram chats</td></tr>
+            <tr><td>3 · Separate agent groups</td><td>— (different agent_group_id)</td><td>Nothing</td><td>Personal vs work channels</td></tr>
+          </tbody>
+        </table>
+      </section>
+      <section id="twodb">
+        <h2><span class="num">5</span>Two-DB Split</h2>
+        <p class="desc">
+          Each SQLite file has exactly one writer. The container touches a
+          heartbeat file instead of <code>UPDATE</code>-ing a liveness row, so host
+          sweep can detect staleness via <code>stat(mtime)</code> without opening the
+          DB. Host uses even seq numbers, container uses odd — collision-free.
+        </p>
+        <div class="diagram">
+<pre class="mermaid">
+flowchart LR
+  subgraph Mount["/workspace (volume mount)"]
+    In[("inbound.db")]
+    Out[("outbound.db")]
+    HB["/.heartbeat (file touch)"]
+  end
+  Host[Host process] -->|writes · even seq| In
+  Host -->|reads| Out
+  Container[agent-runner] -->|reads| In
+  Container -->|writes · odd seq| Out
+  Container -->|touch every poll| HB
+  HostSweep[Host sweep] -->|stat mtime| HB
+  HostSweep -->|reads processing_ack| In
+</pre>
+        </div>
+      </section>
+      <footer>Paraclaw · generated from docs/architecture.md, isolation-model.md</footer>
+    </main>
+    <script>
+      mermaid.initialize({
+        startOnLoad: true,
+        theme: "dark",
+        securityLevel: "loose",
+        flowchart: { curve: "basis", padding: 18 },
+        themeVariables: {
+          background: "#141821",
+          primaryColor: "#1c2230",
+          primaryTextColor: "#e7ecf3",
+          primaryBorderColor: "#3a465e",
+          lineColor: "#6b7893",
+          secondaryColor: "#222a3a",
+          tertiaryColor: "#1a2030",
+          fontSize: "14px",
+        },
+      });
+    </script>
+  </body>
+</html>

package/docs/architecture-diagram.md ADDED Viewed

@@ -0,0 +1,215 @@
+# Paraclaw Architecture Diagram
+## System Overview
+```mermaid
+flowchart TB
+  subgraph Platforms["Messaging Platforms"]
+    P1[Discord]
+    P2[Telegram]
+    P3[Slack]
+    P4[GitHub / Linear]
+    P5[WhatsApp / iMessage / Teams / GChat / Matrix / Webex / Email]
+  end
+  subgraph Host["Host Process (Node)"]
+    direction TB
+    Bridge["Chat SDK Bridge<br/>(src/channels/chat-sdk-bridge.ts)"]
+    Router["Router<br/>(src/router.ts)<br/>platformId + threadId -> messaging_group -> agent_group -> session"]
+    SessMgr["Session Manager<br/>(src/session-manager.ts)<br/>creates inbound.db + outbound.db"]
+    Runner["Container Runner<br/>(src/container-runner.ts)<br/>spawn + secret env injection"]
+    Delivery["Delivery Poller<br/>(src/delivery.ts)<br/>1s active / 60s sweep"]
+    Sweep["Host Sweep<br/>(src/host-sweep.ts)<br/>heartbeat, retry, recurrence"]
+    Central[("Central DB<br/>data/v2.db<br/>agent_groups<br/>messaging_groups<br/>messaging_group_agents<br/>sessions<br/>pending_approvals")]
+  end
+  subgraph Secrets["Local Secret Store"]
+    Vault["AES-GCM ciphertext<br/>(central DB)<br/>master key on host"]
+    Approvals["pending_approvals<br/>(self-mod)"]
+  end
+  subgraph Session["Per-Session Container (Docker / Apple Container)"]
+    direction TB
+    PollLoop["Poll Loop<br/>(container/agent-runner)"]
+    Provider["Agent providers<br/>(claude, opencode, mock; todo: codex)"]
+    MCP["MCP Tools<br/>send_message, send_file, edit_message,<br/>add_reaction, send_card, ask_user_question,<br/>schedule_task, create_agent,<br/>install_packages, add_mcp_server"]
+    Skills["Container Skills<br/>(container/skills/)"]
+    InDB[("inbound.db<br/>host writes<br/>even seq<br/>messages_in<br/>destinations<br/>processing_ack")]
+    OutDB[("outbound.db<br/>container writes<br/>odd seq<br/>messages_out<br/>heartbeat file")]
+  end
+  subgraph Groups["Agent Group Filesystem (groups/*)"]
+    Folder["CLAUDE.md<br/>memory<br/>per-group skills<br/>container_config"]
+  end
+  P1 & P2 & P3 & P4 & P5 --> Bridge
+  Bridge --> Router
+  Router --> Central
+  Router --> SessMgr
+  SessMgr --> InDB
+  SessMgr --> Runner
+  Runner --> Vault
+  Runner --> PollLoop
+  PollLoop --> InDB
+  PollLoop --> Provider
+  Provider --> MCP
+  Provider --> Skills
+  MCP --> OutDB
+  OutDB --> Delivery
+  Delivery --> Central
+  Delivery --> Bridge
+  Bridge --> P1 & P2 & P3 & P4 & P5
+  Sweep --> InDB
+  Sweep --> OutDB
+  Sweep --> Central
+  Runner -.mounts.-> Folder
+  MCP -.approval.-> Approvals
+  Approvals --> Central
+  Vault -.env vars.-> Provider
+```
+## Message Flow (inbound -> agent -> outbound)
+```mermaid
+sequenceDiagram
+  participant P as Platform (e.g. Telegram)
+  participant B as Chat SDK Bridge
+  participant R as Router
+  participant SM as Session Manager
+  participant IDB as inbound.db
+  participant C as Container (agent-runner)
+  participant ODB as outbound.db
+  participant D as Delivery Poller
+  P->>B: new message
+  B->>R: routeInbound(platformId, threadId, msg)
+  R->>R: resolve messaging_group -> agent_group -> session<br/>(agent-shared | shared | per-thread)
+  R->>SM: ensure session + DBs exist
+  R->>IDB: INSERT messages_in (even seq)
+  R->>C: wake container (docker run / already running)
+  C->>IDB: poll messages_in
+  C->>C: format xml, stream to selected provider
+  C->>ODB: INSERT messages_out (odd seq)<br/>parse <message to="name"> blocks
+  D->>ODB: 1s poll (active) / 60s (sweep)
+  D->>D: hasDestination() re-validate
+  D->>B: deliver via adapter
+  B->>P: send message / edit / react / file / card
+```
+## Named Destinations + Agent-to-Agent
+```mermaid
+flowchart LR
+  subgraph AgentA["Agent Group A (main)"]
+    A_out["output:<br/>&lt;message to='slack'&gt;...&lt;/message&gt;<br/>&lt;message to='browser-agent'&gt;...&lt;/message&gt;<br/>&lt;internal&gt;scratchpad&lt;/internal&gt;"]
+  end
+  subgraph Dests["inbound.db.destinations (per agent)"]
+    D1["slack -> messaging_group 42"]
+    D2["browser-agent -> agent_group 7<br/>(bidirectional row)"]
+    D3["github -> messaging_group 13"]
+  end
+  subgraph AgentB["Agent Group B (browser sub-agent)"]
+    B_session["own inbound.db / outbound.db<br/>inherited destination back to A"]
+  end
+  Slack[Slack channel]
+  GitHub[GitHub PR thread]
+  A_out -->|parse + lookup| Dests
+  D1 -->|deliver| Slack
+  D2 -->|write to B's inbound.db| B_session
+  D3 -->|deliver| GitHub
+  B_session -.reply via 'parent'.-> Dests
+```
+## Entity Model + Isolation Levels
+```mermaid
+erDiagram
+  agent_groups ||--o{ messaging_group_agents : wired
+  messaging_groups ||--o{ messaging_group_agents : wired
+  agent_groups ||--o{ sessions : runs
+  messaging_groups ||--o{ sessions : context
+  agent_groups ||--o{ agent_destinations : owns
+  agent_groups ||--o{ pending_approvals : requests
+  agent_groups {
+    int id
+    string name
+    string folder
+    string agent_provider
+    json container_config
+  }
+  messaging_groups {
+    int id
+    string channel_type
+    string platform_id
+    string name
+    bool is_group
+    string unknown_sender_policy "strict | request_approval | public"
+  }
+  users {
+    string id PK "namespaced <channel>:<handle>"
+    string kind
+    string display_name
+  }
+  user_roles {
+    string user_id FK
+    string role "owner | admin"
+    string agent_group_id FK "null = global"
+  }
+  agent_group_members {
+    string user_id FK
+    string agent_group_id FK
+  }
+  user_dms {
+    string user_id FK
+    string channel_type
+    string messaging_group_id FK
+  }
+  messaging_group_agents {
+    int messaging_group_id
+    int agent_group_id
+    string session_mode "agent-shared | shared | per-thread"
+    json trigger_rules
+    int priority
+  }
+  sessions {
+    int id
+    int agent_group_id
+    int messaging_group_id
+    string sdk_session_id
+    string status
+  }
+```
+### Isolation Level Cheatsheet
+| Level | `session_mode` | What's shared | Example |
+|---|---|---|---|
+| 1. Shared session | `agent-shared` | Workspace + memory + conversation | Slack + GitHub webhooks in one thread |
+| 2. Same agent, separate sessions | `shared` / `per-thread` | Workspace + memory only | One agent across 3 Telegram chats |
+| 3. Separate agent groups | (different `agent_group_id`) | Nothing | Personal vs work channels |
+## Two-DB Split (why)
+```mermaid
+flowchart LR
+  subgraph Mount["/workspace (volume mounted into container)"]
+    In[("inbound.db")]
+    Out[("outbound.db")]
+    HB["/.heartbeat (file touch)"]
+  end
+  Host[Host process] -->|"writes only<br/>(even seq)"| In
+  Host -->|reads| Out
+  Container[agent-runner] -->|reads| In
+  Container -->|"writes only<br/>(odd seq)"| Out
+  Container -->|touch every poll| HB
+  HostSweep[Host sweep] -->|stat mtime| HB
+  HostSweep -->|reads processing_ack| In
+  note1["Each file has exactly ONE writer.<br/>Eliminates SQLite cross-process write contention.<br/>Collision-free seq numbering."]
+```