npm - @openparachute/agent - Versions diffs - 0.1.0 - Mend

@openparachute/agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (501) hide show

package/.claude/scheduled_tasks.lock +1 -0
package/.claude/settings.json +5 -0
package/.claude/skills/add-atomic-chat-tool/SKILL.md +243 -0
package/.claude/skills/add-atomic-chat-tool/atomic-chat-mcp-stdio.ts +229 -0
package/.claude/skills/add-codex/SKILL.md +161 -0
package/.claude/skills/add-dashboard/SKILL.md +138 -0
package/.claude/skills/add-dashboard/resources/dashboard-pusher.ts +495 -0
package/.claude/skills/add-emacs/SKILL.md +296 -0
package/.claude/skills/add-gcal-tool/SKILL.md +210 -0
package/.claude/skills/add-gchat/REMOVE.md +6 -0
package/.claude/skills/add-gchat/SKILL.md +92 -0
package/.claude/skills/add-gchat/VERIFY.md +3 -0
package/.claude/skills/add-github/REMOVE.md +6 -0
package/.claude/skills/add-github/SKILL.md +148 -0
package/.claude/skills/add-github/VERIFY.md +3 -0
package/.claude/skills/add-gmail-tool/SKILL.md +229 -0
package/.claude/skills/add-imessage/REMOVE.md +6 -0
package/.claude/skills/add-imessage/SKILL.md +113 -0
package/.claude/skills/add-imessage/VERIFY.md +3 -0
package/.claude/skills/add-karpathy-llm-wiki/SKILL.md +110 -0
package/.claude/skills/add-karpathy-llm-wiki/llm-wiki.md +75 -0
package/.claude/skills/add-linear/REMOVE.md +6 -0
package/.claude/skills/add-linear/SKILL.md +168 -0
package/.claude/skills/add-linear/VERIFY.md +3 -0
package/.claude/skills/add-macos-statusbar/SKILL.md +133 -0
package/.claude/skills/add-macos-statusbar/add/src/statusbar.swift +147 -0
package/.claude/skills/add-matrix/REMOVE.md +6 -0
package/.claude/skills/add-matrix/SKILL.md +148 -0
package/.claude/skills/add-matrix/VERIFY.md +3 -0
package/.claude/skills/add-ollama-provider/SKILL.md +179 -0
package/.claude/skills/add-ollama-tool/SKILL.md +193 -0
package/.claude/skills/add-opencode/SKILL.md +229 -0
package/.claude/skills/add-parallel/SKILL.md +290 -0
package/.claude/skills/add-resend/REMOVE.md +6 -0
package/.claude/skills/add-resend/SKILL.md +93 -0
package/.claude/skills/add-resend/VERIFY.md +3 -0
package/.claude/skills/add-signal/REMOVE.md +13 -0
package/.claude/skills/add-signal/SKILL.md +318 -0
package/.claude/skills/add-signal/VERIFY.md +5 -0
package/.claude/skills/add-slack/REMOVE.md +6 -0
package/.claude/skills/add-slack/SKILL.md +112 -0
package/.claude/skills/add-slack/VERIFY.md +3 -0
package/.claude/skills/add-teams/REMOVE.md +6 -0
package/.claude/skills/add-teams/SKILL.md +207 -0
package/.claude/skills/add-teams/VERIFY.md +3 -0
package/.claude/skills/add-vercel/SKILL.md +147 -0
package/.claude/skills/add-vercel/container-skills/vercel-cli/SKILL.md +103 -0
package/.claude/skills/add-webex/REMOVE.md +6 -0
package/.claude/skills/add-webex/SKILL.md +88 -0
package/.claude/skills/add-webex/VERIFY.md +3 -0
package/.claude/skills/add-wechat/REMOVE.md +49 -0
package/.claude/skills/add-wechat/SKILL.md +170 -0
package/.claude/skills/add-wechat/scripts/wire-dm.ts +172 -0
package/.claude/skills/add-whatsapp/SKILL.md +264 -0
package/.claude/skills/add-whatsapp-cloud/REMOVE.md +6 -0
package/.claude/skills/add-whatsapp-cloud/SKILL.md +95 -0
package/.claude/skills/add-whatsapp-cloud/VERIFY.md +3 -0
package/.claude/skills/claw/SKILL.md +131 -0
package/.claude/skills/claw/scripts/claw +374 -0
package/.claude/skills/convert-to-apple-container/SKILL.md +212 -0
package/.claude/skills/customize/SKILL.md +110 -0
package/.claude/skills/debug/SKILL.md +349 -0
package/.claude/skills/get-qodo-rules/SKILL.md +122 -0
package/.claude/skills/get-qodo-rules/references/output-format.md +41 -0
package/.claude/skills/get-qodo-rules/references/pagination.md +33 -0
package/.claude/skills/get-qodo-rules/references/repository-scope.md +26 -0
package/.claude/skills/init-first-agent/SKILL.md +120 -0
package/.claude/skills/init-onecli/SKILL.md +270 -0
package/.claude/skills/manage-channels/SKILL.md +87 -0
package/.claude/skills/manage-mounts/SKILL.md +47 -0
package/.claude/skills/migrate-from-openclaw/MIGRATE_CRONS.md +100 -0
package/.claude/skills/migrate-from-openclaw/SKILL.md +447 -0
package/.claude/skills/migrate-from-openclaw/scripts/discover-openclaw.ts +734 -0
package/.claude/skills/migrate-from-openclaw/scripts/extract-channel-credentials.ts +476 -0
package/.claude/skills/migrate-nanoclaw/SKILL.md +484 -0
package/.claude/skills/migrate-nanoclaw/diagnostics.md +51 -0
package/.claude/skills/qodo-pr-resolver/SKILL.md +326 -0
package/.claude/skills/qodo-pr-resolver/resources/providers.md +329 -0
package/.claude/skills/update-nanoclaw/SKILL.md +243 -0
package/.claude/skills/update-nanoclaw/diagnostics.md +48 -0
package/.claude/skills/update-skills/SKILL.md +130 -0
package/.claude/skills/use-native-credential-proxy/SKILL.md +167 -0
package/.claude/skills/x-integration/SKILL.md +417 -0
package/.claude/skills/x-integration/agent.ts +243 -0
package/.claude/skills/x-integration/host.ts +155 -0
package/.claude/skills/x-integration/lib/browser.ts +148 -0
package/.claude/skills/x-integration/lib/config.ts +62 -0
package/.claude/skills/x-integration/scripts/like.ts +56 -0
package/.claude/skills/x-integration/scripts/post.ts +66 -0
package/.claude/skills/x-integration/scripts/quote.ts +80 -0
package/.claude/skills/x-integration/scripts/reply.ts +74 -0
package/.claude/skills/x-integration/scripts/retweet.ts +62 -0
package/.claude/skills/x-integration/scripts/setup.ts +87 -0
package/.github/CODEOWNERS +10 -0
package/.github/PULL_REQUEST_TEMPLATE.md +18 -0
package/.github/workflows/bump-version.yml +35 -0
package/.github/workflows/ci.yml +39 -0
package/.github/workflows/label-pr.yml +40 -0
package/.github/workflows/update-tokens.yml +43 -0
package/.husky/pre-commit +1 -0
package/.mcp.json +3 -0
package/.nvmrc +1 -0
package/.parachute/module.json +14 -0
package/.prettierrc +4 -0
package/CHANGELOG.md +215 -0
package/CLAUDE.md +307 -0
package/CODE_OF_CONDUCT.md +128 -0
package/CONTRIBUTING.md +159 -0
package/CONTRIBUTORS.md +26 -0
package/LICENSE +21 -0
package/README.md +190 -0
package/README_ja.md +194 -0
package/README_zh.md +194 -0
package/assets/nanoclaw-favicon.png +0 -0
package/assets/nanoclaw-icon.png +0 -0
package/assets/nanoclaw-logo-dark.png +0 -0
package/assets/nanoclaw-logo.png +0 -0
package/assets/nanoclaw-profile.jpeg +0 -0
package/assets/nanoclaw-sales.png +0 -0
package/assets/social-preview.jpg +0 -0
package/config-examples/mount-allowlist.json +25 -0
package/container/.dockerignore +2 -0
package/container/CLAUDE.md +21 -0
package/container/Dockerfile +121 -0
package/container/agent-runner/bun.lock +243 -0
package/container/agent-runner/package.json +22 -0
package/container/agent-runner/scripts/sdk-signal-probe.ts +169 -0
package/container/agent-runner/src/config.ts +55 -0
package/container/agent-runner/src/db/connection.ts +267 -0
package/container/agent-runner/src/db/index.ts +20 -0
package/container/agent-runner/src/db/messages-in.ts +138 -0
package/container/agent-runner/src/db/messages-out.ts +143 -0
package/container/agent-runner/src/db/session-routing.ts +30 -0
package/container/agent-runner/src/db/session-state.test.ts +100 -0
package/container/agent-runner/src/db/session-state.ts +79 -0
package/container/agent-runner/src/destinations.ts +135 -0
package/container/agent-runner/src/formatter.test.ts +167 -0
package/container/agent-runner/src/formatter.ts +260 -0
package/container/agent-runner/src/index.ts +110 -0
package/container/agent-runner/src/integration.test.ts +121 -0
package/container/agent-runner/src/mcp-tools/agents.instructions.md +26 -0
package/container/agent-runner/src/mcp-tools/agents.ts +66 -0
package/container/agent-runner/src/mcp-tools/core.instructions.md +27 -0
package/container/agent-runner/src/mcp-tools/core.ts +262 -0
package/container/agent-runner/src/mcp-tools/index.ts +22 -0
package/container/agent-runner/src/mcp-tools/interactive.instructions.md +22 -0
package/container/agent-runner/src/mcp-tools/interactive.ts +169 -0
package/container/agent-runner/src/mcp-tools/scheduling.instructions.md +40 -0
package/container/agent-runner/src/mcp-tools/scheduling.ts +299 -0
package/container/agent-runner/src/mcp-tools/self-mod.instructions.md +25 -0
package/container/agent-runner/src/mcp-tools/self-mod.ts +120 -0
package/container/agent-runner/src/mcp-tools/server.ts +54 -0
package/container/agent-runner/src/mcp-tools/types.ts +6 -0
package/container/agent-runner/src/poll-loop.test.ts +248 -0
package/container/agent-runner/src/poll-loop.ts +437 -0
package/container/agent-runner/src/providers/claude.ts +379 -0
package/container/agent-runner/src/providers/factory.test.ts +19 -0
package/container/agent-runner/src/providers/factory.ts +13 -0
package/container/agent-runner/src/providers/index.ts +6 -0
package/container/agent-runner/src/providers/mock.ts +77 -0
package/container/agent-runner/src/providers/provider-registry.ts +33 -0
package/container/agent-runner/src/providers/types.ts +82 -0
package/container/agent-runner/src/scheduling/task-script.ts +121 -0
package/container/agent-runner/src/timezone.test.ts +93 -0
package/container/agent-runner/src/timezone.ts +107 -0
package/container/agent-runner/tsconfig.json +14 -0
package/container/build.sh +48 -0
package/container/entrypoint.sh +16 -0
package/container/skills/agent-browser/SKILL.md +159 -0
package/container/skills/frontend-engineer/SKILL.md +157 -0
package/container/skills/self-customize/SKILL.md +87 -0
package/container/skills/slack-formatting/SKILL.md +94 -0
package/container/skills/vercel-cli/SKILL.md +111 -0
package/container/skills/welcome/SKILL.md +85 -0
package/docs/APPLE-CONTAINER-NETWORKING.md +90 -0
package/docs/BRANCH-FORK-MAINTENANCE.md +81 -0
package/docs/README.md +25 -0
package/docs/SDK_DEEP_DIVE.md +643 -0
package/docs/SECURITY.md +162 -0
package/docs/agent-runner-details.md +749 -0
package/docs/api-details.md +365 -0
package/docs/architecture-diagram.html +422 -0
package/docs/architecture-diagram.md +215 -0
package/docs/architecture.md +751 -0
package/docs/audit/2026-04-30-channel-endpoint-audit.md +36 -0
package/docs/build-and-runtime.md +80 -0
package/docs/cross-mount-stress/README.md +112 -0
package/docs/cross-mount-stress/container-writer-retry.mjs +55 -0
package/docs/cross-mount-stress/container-writer-slow.mjs +42 -0
package/docs/cross-mount-stress/container-writer.mjs +47 -0
package/docs/cross-mount-stress/host-writer-retry.mjs +55 -0
package/docs/cross-mount-stress/host-writer-slow.mjs +43 -0
package/docs/cross-mount-stress/host-writer.mjs +47 -0
package/docs/db-central.md +316 -0
package/docs/db-session.md +183 -0
package/docs/db.md +119 -0
package/docs/design/2026-04-29-vault-management-ui.md +231 -0
package/docs/design/2026-04-30-channel-wiring-rework.md +234 -0
package/docs/design/2026-05-01-channel-wiring-approvals-deep-dive.md +272 -0
package/docs/design/2026-05-02-channel-policy-and-approval-routing.md +250 -0
package/docs/docker-sandboxes.md +359 -0
package/docs/isolation-model.md +88 -0
package/docs/ollama.md +79 -0
package/docs/parachute-integration.md +109 -0
package/docs/post-night-rebirth-reflections.md +151 -0
package/eslint.config.js +32 -0
package/package.json +54 -0
package/pnpm-workspace.yaml +8 -0
package/repo-tokens/README.md +113 -0
package/repo-tokens/action.yml +186 -0
package/repo-tokens/badge.svg +23 -0
package/repo-tokens/examples/green.svg +14 -0
package/repo-tokens/examples/red.svg +14 -0
package/repo-tokens/examples/yellow-green.svg +14 -0
package/repo-tokens/examples/yellow.svg +14 -0
package/scripts/chat.ts +101 -0
package/scripts/cleanup-sessions.sh +150 -0
package/scripts/init-cli-agent.ts +171 -0
package/scripts/init-first-agent.ts +377 -0
package/scripts/parachute.ts +158 -0
package/scripts/run-migrations.ts +105 -0
package/scripts/sanity-live-poll.ts +95 -0
package/scripts/seed-discord.ts +79 -0
package/scripts/test-v2-agent.ts +106 -0
package/scripts/test-v2-channel-e2e.ts +265 -0
package/scripts/test-v2-host.ts +184 -0
package/src/channels/adapter.ts +214 -0
package/src/channels/ask-question.ts +46 -0
package/src/channels/channel-registry.test.ts +421 -0
package/src/channels/channel-registry.ts +313 -0
package/src/channels/chat-sdk-bridge.test.ts +84 -0
package/src/channels/chat-sdk-bridge.ts +652 -0
package/src/channels/cli.ts +276 -0
package/src/channels/discord.ts +90 -0
package/src/channels/index.ts +17 -0
package/src/channels/telegram-markdown-sanitize.test.ts +78 -0
package/src/channels/telegram-markdown-sanitize.ts +55 -0
package/src/channels/telegram-pairing.test.ts +254 -0
package/src/channels/telegram-pairing.ts +339 -0
package/src/channels/telegram.ts +279 -0
package/src/channels/trust-hint.test.ts +48 -0
package/src/channels/trust-hint.ts +75 -0
package/src/claude-md-compose.migrate.test.ts +64 -0
package/src/claude-md-compose.ts +205 -0
package/src/command-gate.ts +63 -0
package/src/config.test.ts +93 -0
package/src/config.ts +108 -0
package/src/container-config.ts +167 -0
package/src/container-runner.test.ts +32 -0
package/src/container-runner.ts +576 -0
package/src/container-runtime.test.ts +169 -0
package/src/container-runtime.ts +92 -0
package/src/db/_bun-sqlite-shim.ts +88 -0
package/src/db/agent-activity.test.ts +155 -0
package/src/db/agent-activity.ts +121 -0
package/src/db/agent-groups.ts +77 -0
package/src/db/connection.migrate.test.ts +143 -0
package/src/db/connection.ts +224 -0
package/src/db/db-v2.test.ts +440 -0
package/src/db/dropped-messages.ts +44 -0
package/src/db/index.ts +40 -0
package/src/db/messaging-groups.ts +252 -0
package/src/db/migrations/001-initial.ts +112 -0
package/src/db/migrations/002-chat-sdk-state.ts +36 -0
package/src/db/migrations/008-dropped-messages.ts +27 -0
package/src/db/migrations/009-drop-pending-credentials.ts +13 -0
package/src/db/migrations/010-engage-modes.ts +103 -0
package/src/db/migrations/011-pending-sender-approvals.ts +40 -0
package/src/db/migrations/012-channel-registration.ts +48 -0
package/src/db/migrations/013-approval-render-metadata.ts +27 -0
package/src/db/migrations/014-secrets.ts +44 -0
package/src/db/migrations/015-secrets-drop-host-pattern.ts +18 -0
package/src/db/migrations/016-secret-assignments.ts +30 -0
package/src/db/migrations/017-agent-activity.ts +40 -0
package/src/db/migrations/018-oauth-app-configs.ts +34 -0
package/src/db/migrations/019-oauth-app-connections.ts +48 -0
package/src/db/migrations/020-agent-app-connections.ts +28 -0
package/src/db/migrations/021-pending-oauth-states.ts +35 -0
package/src/db/migrations/022-app-connections-provider.ts +25 -0
package/src/db/migrations/023-agent-group-secret-mode.test.ts +124 -0
package/src/db/migrations/023-agent-group-secret-mode.ts +65 -0
package/src/db/migrations/024-collapse-approvals.test.ts +249 -0
package/src/db/migrations/024-collapse-approvals.ts +182 -0
package/src/db/migrations/025-secret-mode-check.test.ts +155 -0
package/src/db/migrations/025-secret-mode-check.ts +49 -0
package/src/db/migrations/026-user-dms-bot-id.test.ts +116 -0
package/src/db/migrations/026-user-dms-bot-id.ts +54 -0
package/src/db/migrations/027-provider-credentials.ts +41 -0
package/src/db/migrations/_test-helpers.ts +41 -0
package/src/db/migrations/index.ts +127 -0
package/src/db/migrations/module-agent-to-agent-destinations.ts +84 -0
package/src/db/migrations/module-approvals-pending-approvals.ts +42 -0
package/src/db/migrations/module-approvals-title-options.ts +40 -0
package/src/db/schema.ts +258 -0
package/src/db/session-db.test.ts +93 -0
package/src/db/session-db.ts +325 -0
package/src/db/sessions.ts +241 -0
package/src/delivery.test.ts +148 -0
package/src/delivery.ts +445 -0
package/src/env.ts +74 -0
package/src/group-folder.test.ts +35 -0
package/src/group-folder.ts +44 -0
package/src/group-init.ts +92 -0
package/src/host-core.test.ts +456 -0
package/src/host-sweep.test.ts +146 -0
package/src/host-sweep.ts +287 -0
package/src/index.ts +227 -0
package/src/install-slug.ts +33 -0
package/src/log.test.ts +81 -0
package/src/log.ts +117 -0
package/src/mcp/http.ts +72 -0
package/src/mcp/server.ts +92 -0
package/src/mcp/stdio.ts +51 -0
package/src/mcp/tools/activity.ts +88 -0
package/src/mcp/tools/agent-groups.ts +183 -0
package/src/mcp/tools/approvals.ts +122 -0
package/src/mcp/tools/channels.ts +199 -0
package/src/mcp/tools/index.ts +27 -0
package/src/mcp/tools/oauth.ts +48 -0
package/src/mcp/tools/secrets.ts +169 -0
package/src/mcp/tools/sessions.ts +135 -0
package/src/mcp/types.ts +51 -0
package/src/modules/agent-to-agent/agent-route.test.ts +46 -0
package/src/modules/agent-to-agent/agent-route.ts +223 -0
package/src/modules/agent-to-agent/create-agent.ts +127 -0
package/src/modules/agent-to-agent/db/agent-destinations.ts +135 -0
package/src/modules/agent-to-agent/index.ts +22 -0
package/src/modules/agent-to-agent/write-destinations.ts +59 -0
package/src/modules/approvals/agent.md +45 -0
package/src/modules/approvals/index.ts +21 -0
package/src/modules/approvals/picks.test.ts +291 -0
package/src/modules/approvals/primitive.ts +279 -0
package/src/modules/approvals/project.md +27 -0
package/src/modules/approvals/response-handler.ts +87 -0
package/src/modules/index.ts +24 -0
package/src/modules/interactive/agent.md +21 -0
package/src/modules/interactive/index.ts +69 -0
package/src/modules/interactive/project.md +12 -0
package/src/modules/mount-security/index.ts +448 -0
package/src/modules/mount-security/migrate.test.ts +91 -0
package/src/modules/permissions/access.ts +28 -0
package/src/modules/permissions/channel-approval.test.ts +389 -0
package/src/modules/permissions/channel-approval.ts +188 -0
package/src/modules/permissions/db/agent-group-members.ts +44 -0
package/src/modules/permissions/db/pending-channel-approvals.test.ts +86 -0
package/src/modules/permissions/db/pending-channel-approvals.ts +66 -0
package/src/modules/permissions/db/pending-sender-approvals.ts +60 -0
package/src/modules/permissions/db/user-dms.ts +58 -0
package/src/modules/permissions/db/user-roles.ts +85 -0
package/src/modules/permissions/db/users.ts +38 -0
package/src/modules/permissions/index.ts +421 -0
package/src/modules/permissions/permissions.test.ts +358 -0
package/src/modules/permissions/sender-approval.test.ts +470 -0
package/src/modules/permissions/sender-approval.ts +165 -0
package/src/modules/permissions/user-dm.ts +200 -0
package/src/modules/provider-credentials/db.ts +121 -0
package/src/modules/provider-credentials/index.ts +12 -0
package/src/modules/provider-credentials/spawn.test.ts +206 -0
package/src/modules/provider-credentials/spawn.ts +114 -0
package/src/modules/scheduling/actions.ts +113 -0
package/src/modules/scheduling/db.test.ts +282 -0
package/src/modules/scheduling/db.ts +148 -0
package/src/modules/scheduling/index.ts +34 -0
package/src/modules/scheduling/recurrence.test.ts +98 -0
package/src/modules/scheduling/recurrence.ts +54 -0
package/src/modules/self-mod/agent.md +30 -0
package/src/modules/self-mod/apply.ts +85 -0
package/src/modules/self-mod/index.ts +30 -0
package/src/modules/self-mod/project.md +39 -0
package/src/modules/self-mod/request.ts +91 -0
package/src/modules/typing/index.ts +165 -0
package/src/oauth/agent-app-connections.ts +103 -0
package/src/oauth/app-configs.test.ts +64 -0
package/src/oauth/app-configs.ts +114 -0
package/src/oauth/app-connections.test.ts +109 -0
package/src/oauth/app-connections.ts +178 -0
package/src/oauth/crypto.ts +56 -0
package/src/oauth/flow.ts +104 -0
package/src/oauth/providers/google.test.ts +38 -0
package/src/oauth/providers/google.ts +46 -0
package/src/oauth/providers/index.ts +48 -0
package/src/oauth/state-store.test.ts +54 -0
package/src/oauth/state-store.ts +93 -0
package/src/parachute/README.md +27 -0
package/src/parachute/create-agent.test.ts +83 -0
package/src/parachute/create-agent.ts +122 -0
package/src/parachute/group-status.test.ts +165 -0
package/src/parachute/group-status.ts +136 -0
package/src/parachute/types.ts +41 -0
package/src/parachute/vault-mcp.test.ts +251 -0
package/src/parachute/vault-mcp.ts +232 -0
package/src/platform-id.test.ts +104 -0
package/src/platform-id.ts +109 -0
package/src/providers/index.ts +6 -0
package/src/providers/provider-container-registry.ts +58 -0
package/src/response-registry.ts +45 -0
package/src/router.ts +530 -0
package/src/secrets/crypto.test.ts +45 -0
package/src/secrets/crypto.ts +55 -0
package/src/secrets/index.ts +355 -0
package/src/secrets/master-key.ts +70 -0
package/src/secrets/secrets.test.ts +354 -0
package/src/session-manager.migrate.test.ts +59 -0
package/src/session-manager.ts +433 -0
package/src/startup-bootstrap.test.ts +226 -0
package/src/startup-bootstrap.ts +207 -0
package/src/state-sqlite.ts +182 -0
package/src/timezone.test.ts +64 -0
package/src/timezone.ts +37 -0
package/src/types.ts +230 -0
package/src/web/auth.test.ts +335 -0
package/src/web/auth.ts +214 -0
package/src/web/discord-validate.test.ts +77 -0
package/src/web/discord-validate.ts +88 -0
package/src/web/hub-discovery.test.ts +98 -0
package/src/web/hub-discovery.ts +69 -0
package/src/web/routes/activity.ts +106 -0
package/src/web/routes/agent-provider.test.ts +282 -0
package/src/web/routes/agent-provider.ts +309 -0
package/src/web/routes/approvals.ts +185 -0
package/src/web/routes/apps.ts +434 -0
package/src/web/routes/channels-mg-detail.test.ts +324 -0
package/src/web/routes/channels-mga-detail.test.ts +425 -0
package/src/web/routes/channels.ts +489 -0
package/src/web/routes/oauth-providers.ts +42 -0
package/src/web/routes/secrets.test.ts +175 -0
package/src/web/routes/secrets.ts +282 -0
package/src/web/routes/sessions.ts +123 -0
package/src/web/routes/settings.test.ts +106 -0
package/src/web/routes/settings.ts +247 -0
package/src/web/routes/setup-status.ts +205 -0
package/src/web/routes/vaults.test.ts +389 -0
package/src/web/routes/vaults.ts +225 -0
package/src/web/server-version.test.ts +16 -0
package/src/web/server.ts +1003 -0
package/src/web/services-manifest.test.ts +120 -0
package/src/web/services-manifest.ts +61 -0
package/src/web/static-serve.test.ts +255 -0
package/src/web/static-serve.ts +104 -0
package/src/web/telegram-validate.test.ts +116 -0
package/src/web/telegram-validate.ts +107 -0
package/src/web/vault-proxy.test.ts +214 -0
package/src/web/vault-proxy.ts +120 -0
package/src/web/wire-channel.ts +181 -0
package/src/webhook-server.ts +134 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +18 -0
package/web/README.md +63 -0
package/web/ui/index.html +13 -0
package/web/ui/package.json +35 -0
package/web/ui/pnpm-lock.yaml +2164 -0
package/web/ui/scripts/verify-base.mjs +31 -0
package/web/ui/src/App.tsx +88 -0
package/web/ui/src/components/ActivityFeed.tsx +444 -0
package/web/ui/src/components/AgentGroupPicker.tsx +263 -0
package/web/ui/src/components/AgentProviderCards.tsx +220 -0
package/web/ui/src/components/CredentialForm.tsx +214 -0
package/web/ui/src/components/ScopeGrants.tsx +74 -0
package/web/ui/src/components/StatusDot.tsx +43 -0
package/web/ui/src/components/VaultPicker.tsx +127 -0
package/web/ui/src/components/setup/AdapterInstallStep.tsx +178 -0
package/web/ui/src/components/setup/AgentGroupStep.tsx +43 -0
package/web/ui/src/components/setup/ChannelPickStep.tsx +74 -0
package/web/ui/src/components/setup/DoneStep.tsx +49 -0
package/web/ui/src/components/setup/PrereqStep.tsx +129 -0
package/web/ui/src/components/setup/TestConnectionStep.tsx +108 -0
package/web/ui/src/components/setup/TestMessageStep.tsx +104 -0
package/web/ui/src/components/setup/WireChannelStep.tsx +166 -0
package/web/ui/src/components/setup/types.ts +105 -0
package/web/ui/src/lib/api.test.ts +410 -0
package/web/ui/src/lib/api.ts +1210 -0
package/web/ui/src/lib/auth.test.ts +139 -0
package/web/ui/src/lib/auth.ts +348 -0
package/web/ui/src/lib/channel-adapters.ts +136 -0
package/web/ui/src/main.tsx +19 -0
package/web/ui/src/routes/ApprovalsList.tsx +294 -0
package/web/ui/src/routes/Apps.tsx +613 -0
package/web/ui/src/routes/ChannelWireDetail.test.tsx +233 -0
package/web/ui/src/routes/ChannelWireDetail.tsx +403 -0
package/web/ui/src/routes/ChannelsList.tsx +158 -0
package/web/ui/src/routes/GroupDetail.tsx +755 -0
package/web/ui/src/routes/GroupList.tsx +187 -0
package/web/ui/src/routes/MessagingGroupDetail.test.tsx +233 -0
package/web/ui/src/routes/MessagingGroupDetail.tsx +306 -0
package/web/ui/src/routes/NewGroupWizard.tsx +390 -0
package/web/ui/src/routes/OAuthCallback.tsx +56 -0
package/web/ui/src/routes/SecretsList.tsx +921 -0
package/web/ui/src/routes/SessionsList.tsx +220 -0
package/web/ui/src/routes/SettingsAgentProvider.tsx +109 -0
package/web/ui/src/routes/SettingsApprovals.tsx +234 -0
package/web/ui/src/routes/SetupWizard.tsx +219 -0
package/web/ui/src/routes/VaultDetail.test.tsx +361 -0
package/web/ui/src/routes/VaultDetail.tsx +960 -0
package/web/ui/src/routes/VaultsList.tsx +295 -0
package/web/ui/src/routes/WireChannelPage.tsx +413 -0
package/web/ui/src/styles.css +608 -0
package/web/ui/src/test/setup.ts +23 -0
package/web/ui/src/vite-env.d.ts +10 -0
package/web/ui/tsconfig.json +20 -0
package/web/ui/vite.config.ts +34 -0
package/web/ui/vitest.config.ts +25 -0

package/src/secrets/index.ts ADDED Viewed

@@ -0,0 +1,355 @@
+/**
+ * Public API for paraclaw's secret store. Values are AES-256-GCM encrypted
+ * in-process before landing in the central DB; decrypted only when injected
+ * into per-session containers (`src/container-runner.ts`).
+ *
+ * Naming: a secret is keyed by `(name, agent_group_id)`. A NULL agent_group_id
+ * is global; a non-NULL agent_group_id scopes the secret to that group only.
+ *
+ * Resolution preference at injection time: agent-scoped secret with that
+ * name beats the global one. The host walks both rows and the scoped wins.
+ *
+ * Injection policy lives on the recipient `agent_groups.secret_mode` row
+ * (migration 023): `all` injects every in-scope secret; `selective` injects
+ * only those with an explicit `secret_assignments` row pointing to the group.
+ */
+import crypto from 'crypto';
+import { getDb } from '../db/connection.js';
+import type { Database } from '../db/connection.js';
+import { decryptSecret, deriveKey, encryptSecret } from './crypto.js';
+import { loadOrCreateMasterKey } from './master-key.js';
+// Domain tag for HKDF-derived secrets-store key. Bumping the version (v2…)
+// would force re-encryption of every row in this table. See crypto.ts.
+//
+// ⚠ The `paraclaw.` prefix is a cryptographic domain separator and must
+// stay frozen across the paraclaw → parachute-agent rename. Renaming it
+// changes the derived key and renders every existing ciphertext row
+// undecryptable. The brand-sweep documentation lives in commit messages
+// and CHANGELOG; the bytes here do not change.
+const SECRETS_INFO = 'paraclaw.secrets.v1';
+function secretsKey(): Buffer {
+  return deriveKey(loadOrCreateMasterKey(), SECRETS_INFO);
+}
+export type SecretKind = 'channel-token' | 'api-key' | 'generic';
+export type AssignedMode = 'all' | 'selective';
+export interface SecretRow {
+  id: string;
+  name: string;
+  kind: SecretKind;
+  agent_group_id: string | null;
+  created_at: string;
+  updated_at: string;
+}
+export interface PutSecretOpts {
+  kind?: SecretKind;
+  agent_group_id?: string | null;
+}
+interface RawRow extends SecretRow {
+  value_encrypted: string;
+}
+function db(): Database {
+  return getDb();
+}
+function nowIso(): string {
+  return new Date().toISOString();
+}
+/** Insert or update a secret. Returns the row's id. */
+export function putSecret(name: string, value: string, opts: PutSecretOpts = {}): string {
+  const key = secretsKey();
+  const ct = encryptSecret(value, key);
+  const agentGroupId = opts.agent_group_id ?? null;
+  const kind = opts.kind ?? 'generic';
+  const existing = db()
+    .prepare<{ id: string }>(`SELECT id FROM secrets WHERE name = @name AND agent_group_id IS @agent_group_id`)
+    .get({ name, agent_group_id: agentGroupId });
+  const now = nowIso();
+  if (existing) {
+    db()
+      .prepare(
+        `UPDATE secrets
+            SET value_encrypted = @value_encrypted,
+                kind            = @kind,
+                updated_at      = @updated_at
+          WHERE id = @id`,
+      )
+      .run({
+        id: existing.id,
+        value_encrypted: ct,
+        kind,
+        updated_at: now,
+      });
+    return existing.id;
+  }
+  const id = crypto.randomUUID();
+  db()
+    .prepare(
+      `INSERT INTO secrets
+         (id, name, value_encrypted, kind, agent_group_id, created_at, updated_at)
+       VALUES
+         (@id, @name, @value_encrypted, @kind, @agent_group_id, @created_at, @updated_at)`,
+    )
+    .run({
+      id,
+      name,
+      value_encrypted: ct,
+      kind,
+      agent_group_id: agentGroupId,
+      created_at: now,
+      updated_at: now,
+    });
+  return id;
+}
+/**
+ * Decrypt and return a secret's plaintext value. Returns undefined if the
+ * named secret does not exist for the given scope. Resolution: an
+ * agent-scoped secret beats a global one with the same name.
+ */
+export function getSecret(name: string, agentGroupId?: string | null): string | undefined {
+  const key = secretsKey();
+  const scoped = agentGroupId
+    ? db()
+        .prepare<RawRow>(`SELECT * FROM secrets WHERE name = @name AND agent_group_id = @agent_group_id`)
+        .get({ name, agent_group_id: agentGroupId })
+    : undefined;
+  const row =
+    scoped ?? db().prepare<RawRow>(`SELECT * FROM secrets WHERE name = @name AND agent_group_id IS NULL`).get({ name });
+  if (!row) return undefined;
+  return decryptSecret(row.value_encrypted, key);
+}
+/** Names + metadata only — never decrypts. */
+export function listSecrets(agentGroupId?: string | null): SecretRow[] {
+  if (agentGroupId === undefined) {
+    return db()
+      .prepare<SecretRow>(
+        `SELECT id, name, kind, agent_group_id, created_at, updated_at
+         FROM secrets ORDER BY name`,
+      )
+      .all();
+  }
+  if (agentGroupId === null) {
+    return db()
+      .prepare<SecretRow>(
+        `SELECT id, name, kind, agent_group_id, created_at, updated_at
+         FROM secrets WHERE agent_group_id IS NULL ORDER BY name`,
+      )
+      .all();
+  }
+  return db()
+    .prepare<SecretRow>(
+      `SELECT id, name, kind, agent_group_id, created_at, updated_at
+       FROM secrets
+       WHERE agent_group_id = @agent_group_id OR agent_group_id IS NULL
+       ORDER BY name`,
+    )
+    .all({ agent_group_id: agentGroupId });
+}
+export function deleteSecret(id: string): boolean {
+  const r = db().prepare(`DELETE FROM secrets WHERE id = @id`).run({ id });
+  return r.changes > 0;
+}
+/**
+ * Resolve the secrets that should be injected into a session for the given
+ * agent group. Returns plaintext values; callers are expected to inject as
+ * env vars and never log. Agent-scoped wins over global on name collision.
+ *
+ * Mode lives on the recipient `agent_groups.secret_mode`:
+ *   - `all`       — inject every in-scope secret (scoped + globals).
+ *   - `selective` — inject only those with an explicit assignment row
+ *                   pointing to this group. Lets operators stage credentials
+ *                   in the store before any agent gets them and revoke per
+ *                   agent without rotating the value.
+ *
+ * Unknown agent_group_id is treated as `selective` (the safe default) — the
+ * group-level row is the source of truth, so a missing row means we err on
+ * the side of withholding.
+ */
+export function resolveInjectableSecrets(agentGroupId: string): Map<string, string> {
+  const key = secretsKey();
+  const rows = db()
+    .prepare<RawRow>(
+      `SELECT s.*
+         FROM secrets s
+         LEFT JOIN secret_assignments a
+           ON a.secret_id = s.id
+          AND a.agent_group_id = @agent_group_id
+         LEFT JOIN agent_groups g
+           ON g.id = @agent_group_id
+        WHERE (s.agent_group_id = @agent_group_id OR s.agent_group_id IS NULL)
+          AND (g.secret_mode = 'all' OR a.secret_id IS NOT NULL)
+        ORDER BY s.agent_group_id IS NULL`,
+    )
+    .all({ agent_group_id: agentGroupId });
+  const out = new Map<string, string>();
+  for (const row of rows) {
+    if (out.has(row.name)) continue;
+    out.set(row.name, decryptSecret(row.value_encrypted, key));
+  }
+  return out;
+}
+// ── Assignments ──
+export interface SecretAssignment {
+  secret_id: string;
+  agent_group_id: string;
+  created_at: string;
+}
+/** All agent_group_ids assigned to this secret (selective-mode allowlist). */
+export function listAssignments(secretId: string): string[] {
+  const rows = db()
+    .prepare<{ agent_group_id: string }>(
+      `SELECT agent_group_id FROM secret_assignments
+         WHERE secret_id = @secret_id
+         ORDER BY agent_group_id`,
+    )
+    .all({ secret_id: secretId });
+  return rows.map((r) => r.agent_group_id);
+}
+/**
+ * Replace the assignment set atomically. Empty array = revoke everything.
+ * Throws if the secret doesn't exist; FK ON DELETE CASCADE handles agent
+ * groups that vanish. The whole replace runs inside one transaction so
+ * the UI's "save" button is all-or-nothing.
+ */
+export function replaceAssignments(secretId: string, agentGroupIds: string[]): void {
+  const exists = db().prepare<{ id: string }>(`SELECT id FROM secrets WHERE id = @id`).get({ id: secretId });
+  if (!exists) throw new Error(`secret not found: ${secretId}`);
+  const now = nowIso();
+  db().transaction(() => {
+    db().prepare(`DELETE FROM secret_assignments WHERE secret_id = @secret_id`).run({ secret_id: secretId });
+    const insert = db().prepare(
+      `INSERT INTO secret_assignments (secret_id, agent_group_id, created_at)
+         VALUES (@secret_id, @agent_group_id, @created_at)`,
+    );
+    for (const gid of agentGroupIds) {
+      insert.run({ secret_id: secretId, agent_group_id: gid, created_at: now });
+    }
+  })();
+}
+/** Idempotent — re-adding an existing assignment is a no-op (composite PK). */
+export function addAssignment(secretId: string, agentGroupId: string): boolean {
+  const r = db()
+    .prepare(
+      `INSERT INTO secret_assignments (secret_id, agent_group_id, created_at)
+         VALUES (@secret_id, @agent_group_id, @created_at)
+         ON CONFLICT (secret_id, agent_group_id) DO NOTHING`,
+    )
+    .run({ secret_id: secretId, agent_group_id: agentGroupId, created_at: nowIso() });
+  return r.changes > 0;
+}
+export function removeAssignment(secretId: string, agentGroupId: string): boolean {
+  const r = db()
+    .prepare(`DELETE FROM secret_assignments WHERE secret_id = @secret_id AND agent_group_id = @agent_group_id`)
+    .run({ secret_id: secretId, agent_group_id: agentGroupId });
+  return r.changes > 0;
+}
+// ── Staleness detection (Bug B) ──
+export interface StaleSession {
+  sessionId: string;
+  agentGroupId: string;
+  agentGroupName: string;
+  agentGroupFolder: string;
+  sessionCreatedAt: string;
+  secretUpdatedAt: string;
+}
+/**
+ * Sessions whose container was spawned BEFORE this secret was last updated
+ * AND whose agent group would inject the secret. The injection predicate
+ * mirrors `resolveInjectableSecrets` for the configurations the UI can
+ * actually create:
+ *   - scoped secret  → matches its parent group (`s.agent_group_id = g.id`)
+ *   - global secret  → matches any group with `secret_mode='all'` OR an
+ *                      explicit `secret_assignments` row
+ *
+ * Note on a subtle asymmetry: `resolveInjectableSecrets` additionally gates
+ * scoped secrets through `(secret_mode='all' OR assignment row exists)` on
+ * the recipient group. The SQL here accepts the scoped match unconditionally.
+ * The asymmetry is benign — the only configs where it would diverge (a
+ * scoped secret paired with its parent group in `selective` mode and no
+ * assignment row) are unreachable via the UI, which always seeds an
+ * assignment row when scoping. If a future code path makes that config
+ * reachable, tighten the SQL to add the same gate.
+ *
+ * The host injects env vars at spawn time only — there is no in-process
+ * update path. This helper powers the post-save banner that prompts the
+ * operator to restart the specific sessions that need to see the change.
+ *
+ * Returns empty when the secret doesn't exist (caller handles 404).
+ */
+export function findStaleSessionsForSecret(secretId: string): StaleSession[] {
+  const rows = db()
+    .prepare<{
+      session_id: string;
+      agent_group_id: string;
+      agent_group_name: string;
+      agent_group_folder: string;
+      session_created_at: string;
+      secret_updated_at: string;
+    }>(
+      `SELECT
+          sess.id           AS session_id,
+          g.id              AS agent_group_id,
+          g.name            AS agent_group_name,
+          g.folder          AS agent_group_folder,
+          sess.created_at   AS session_created_at,
+          s.updated_at      AS secret_updated_at
+        FROM secrets s
+        JOIN agent_groups g
+          ON s.agent_group_id = g.id
+          OR s.agent_group_id IS NULL
+        LEFT JOIN secret_assignments a
+          ON a.secret_id = s.id AND a.agent_group_id = g.id
+        JOIN sessions sess
+          ON sess.agent_group_id = g.id
+        WHERE s.id = @secret_id
+          AND sess.container_status = 'running'
+          AND sess.created_at < s.updated_at
+          AND (
+                s.agent_group_id = g.id
+             OR (s.agent_group_id IS NULL
+                 AND (g.secret_mode = 'all' OR a.secret_id IS NOT NULL))
+          )
+        ORDER BY sess.created_at DESC`,
+    )
+    .all({ secret_id: secretId });
+  return rows.map((r) => ({
+    sessionId: r.session_id,
+    agentGroupId: r.agent_group_id,
+    agentGroupName: r.agent_group_name,
+    agentGroupFolder: r.agent_group_folder,
+    sessionCreatedAt: r.session_created_at,
+    secretUpdatedAt: r.secret_updated_at,
+  }));
+}
+/** Metadata-only single-row read by id. Returns undefined if missing. */
+export function getSecretById(id: string): SecretRow | undefined {
+  return db()
+    .prepare<SecretRow>(`SELECT id, name, kind, agent_group_id, created_at, updated_at FROM secrets WHERE id = ?`)
+    .get(id);
+}

package/src/secrets/master-key.ts ADDED Viewed

@@ -0,0 +1,70 @@
+/**
+ * Master key bootstrap. Stores a 32-byte (256-bit) random key at
+ * `~/.parachute/agent/master.key` with mode 0600. Generated on first start;
+ * loaded from disk on subsequent starts.
+ *
+ * The key is never written to logs, never sent over the wire, never put in
+ * env vars. Loss of the file = loss of every encrypted secret (no recovery
+ * path); rotation requires re-encrypting every row.
+ */
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+import { CENTRAL_DB_DIR } from '../config.js';
+const KEY_LEN = 32;
+// `master.key` lives next to the central DB so a single backup of
+// `<PARACHUTE_DIR>/agent/` captures both crypto material and DB state, and
+// so `PARACHUTE_HOME` overrides reroute both atoms together — sandboxes
+// that override the home dir get a fresh DB AND a fresh master.key.
+const KEY_DIR = CENTRAL_DB_DIR;
+const KEY_PATH = path.join(KEY_DIR, 'master.key');
+let cached: Buffer | null = null;
+export function getMasterKeyPath(): string {
+  return KEY_PATH;
+}
+export function loadOrCreateMasterKey(): Buffer {
+  if (cached) return cached;
+  if (fs.existsSync(KEY_PATH)) {
+    // Refuse to load a key file that's group/world readable. The file was
+    // created with mode 0600; if something has loosened it (chmod, restore
+    // from a backup tarball, etc.) we'd rather fail loud than silently keep
+    // serving secrets out of a file anyone on the box can read.
+    const stat = fs.statSync(KEY_PATH);
+    const perm = stat.mode & 0o777;
+    if ((stat.mode & 0o077) !== 0) {
+      throw new Error(
+        `Master key at ${KEY_PATH} has permissive mode 0${perm.toString(8).padStart(3, '0')}; ` +
+          `expected 0600. Run: chmod 600 ${KEY_PATH}`,
+      );
+    }
+    const buf = fs.readFileSync(KEY_PATH);
+    if (buf.length !== KEY_LEN) {
+      throw new Error(`Master key at ${KEY_PATH} is ${buf.length} bytes; expected ${KEY_LEN}`);
+    }
+    cached = buf;
+    return buf;
+  }
+  fs.mkdirSync(KEY_DIR, { recursive: true, mode: 0o700 });
+  const key = crypto.randomBytes(KEY_LEN);
+  fs.writeFileSync(KEY_PATH, key, { mode: 0o600 });
+  cached = key;
+  return key;
+}
+/** Test-only: clear the cached key so a different one can be loaded. */
+export function _resetMasterKeyCache(): void {
+  cached = null;
+}
+/** Test-only: install a key without touching disk. */
+export function _setMasterKeyForTest(key: Buffer): void {
+  if (key.length !== KEY_LEN) throw new Error(`test key must be ${KEY_LEN} bytes`);
+  cached = key;
+}