@openparachute/agent 0.1.1 → 0.2.0

package/.parachute/module.json

@@ -1,14 +1,130 @@
 {
   "name": "agent",
   "manifestName": "parachute-agent",
-  "displayName": "Parachute Agent",
-  "tagline": "Manage your Parachute agent groups + vault attachments.",
-  "kind": "frontend",
-  "port": 1944,
+  "displayName": "Agent",
+  "tagline": "Chat with your Claude Code sessions — a session per agent.",
+  "port": 1941,
   "paths": ["/agent"],
-  "health": "/api/health",
-  "startCmd": ["bun", "src/index.ts"],
+  "health": "/health",
+  "stripPrefix": true,
+  "uiUrl": "/agent/app/",
+  "configUiUrl": "/agent/app/",
+  "websocket": true,
+  "focus": "experimental",
+  "adminCapabilities": ["config"],
+  "startCmd": ["parachute-agent"],
   "scopes": {
-    "defines": ["agent:read", "agent:write", "agent:admin"]
-  }
+    "defines": ["agent:read", "agent:write", "agent:send", "agent:admin"]
+  },
+  "events": [
+    { "key": "message.received", "title": "A message arrived for an agent" },
+    { "key": "message.sent", "title": "An agent replied" }
+  ],
+  "actions": [
+    {
+      "key": "message.deliver",
+      "title": "Deliver an inbound message (wakes the session)",
+      "endpoint": "/api/vault/inbound",
+      "scope": "agent:send",
+      "provision": {
+        "type": "vault-trigger",
+        "note": "hub registers a vault runtime trigger that webhooks the agent inbound endpoint with an agent:send bearer"
+      }
+    },
+    {
+      "key": "definition.reload",
+      "title": "Reload a changed agent definition (re-instantiate the agent)",
+      "endpoint": "/api/vault/agent-def",
+      "scope": "agent:send",
+      "provision": {
+        "type": "vault-trigger",
+        "note": "hub registers a vault runtime trigger that webhooks the agent-def reload endpoint with an agent:send bearer; the daemon re-reads the one changed #agent/definition note and (re)instantiates that agent"
+      }
+    }
+  ],
+  "connectionTemplates": [
+    {
+      "key": "link-to-vault",
+      "title": "Link an agent to a vault",
+      "description": "Back an agent with a Parachute vault: inbound notes wake the agent, replies are written back as notes. The operator picks WHICH vault (the parameter) and names the agent's channel; the agent's config UI creates the connection with the operator's approval (the click is the approval).",
+      "requestedBy": "agent",
+      "source": {
+        "module": "vault",
+        "event": "note.created",
+        "filter": {
+          "tags": ["#agent/message/inbound"],
+          "has_metadata": ["channel"],
+          "missing_metadata": ["channel_inbound_rendered_at"]
+        }
+      },
+      "sink": {
+        "module": "agent",
+        "action": "message.deliver"
+      },
+      "parameters": [
+        {
+          "key": "vault",
+          "target": "source.vault",
+          "title": "Vault",
+          "description": "Which vault stores this channel's messages — the operator chooses from the hub's installed vaults."
+        },
+        {
+          "key": "channel",
+          "target": "sink.params.channel",
+          "title": "Channel name",
+          "description": "A unique slug naming the channel the session connects to."
+        }
+      ]
+    },
+    {
+      "key": "reload-defs-on-create",
+      "title": "Reload agent definitions on create",
+      "description": "Make a new #agent/definition note instantiate its agent live, instead of converging only via the 60s loadAll poll. The operator picks WHICH def-vault (the parameter); the connection's creation in the hub Connections view is the operator's approval. Pair with reload-defs-on-edit to cover edits too — the hub binds one event per connection, so create and edit are two connections.",
+      "requestedBy": "agent",
+      "source": {
+        "module": "vault",
+        "event": "note.created",
+        "filter": {
+          "tags": ["#agent/definition"]
+        }
+      },
+      "sink": {
+        "module": "agent",
+        "action": "definition.reload"
+      },
+      "parameters": [
+        {
+          "key": "vault",
+          "target": "source.vault",
+          "title": "Def-vault",
+          "description": "Which vault holds the #agent/definition notes — the operator chooses from the hub's installed vaults."
+        }
+      ]
+    },
+    {
+      "key": "reload-defs-on-edit",
+      "title": "Reload agent definitions on edit",
+      "description": "Make an edited #agent/definition note re-instantiate its agent live, instead of converging only via the 60s loadAll poll. The operator picks WHICH def-vault (the parameter); the connection's creation in the hub Connections view is the operator's approval. Pair with reload-defs-on-create to cover creates too — the hub binds one event per connection, so create and edit are two connections.",
+      "requestedBy": "agent",
+      "source": {
+        "module": "vault",
+        "event": "note.updated",
+        "filter": {
+          "tags": ["#agent/definition"]
+        }
+      },
+      "sink": {
+        "module": "agent",
+        "action": "definition.reload"
+      },
+      "parameters": [
+        {
+          "key": "vault",
+          "target": "source.vault",
+          "title": "Def-vault",
+          "description": "Which vault holds the #agent/definition notes — the operator chooses from the hub's installed vaults."
+        }
+      ]
+    }
+  ]
 }

package/LICENSE

@@ -1,17 +1,3 @@
-Copyright (c) 2026 Aaron Gabriel Neyer (and contributors to parachute-agent)
-
-parachute-agent is a derivative of NanoClaw
-(https://github.com/qwibitai/nanoclaw), which is MIT-licensed
-(Copyright (c) 2026 Gavriel). The original NanoClaw copyright notice
-and permission text are preserved verbatim in LICENSE-NANOCLAW-MIT.
-
-Modifications made by Aaron Gabriel Neyer and the parachute-agent
-contributors, and the combined work, are licensed under the GNU
-Affero General Public License, version 3, the full text of which
-follows.
-
-----------------------------------------------------------------------
-
                     GNU AFFERO GENERAL PUBLIC LICENSE
                        Version 3, 19 November 2007
 
@@ -647,8 +633,8 @@ the "copyright" line and a pointer to where the full notice is found.
     Copyright (C) <year>  <name of author>
 
     This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
     (at your option) any later version.
 
     This program is distributed in the hope that it will be useful,

package/README.md

@@ -1,197 +1,149 @@
-# parachute-agent
+# Agent
+
+**Chat with your Claude Code sessions — a channel per session.**
+
+> ⚠️ **Experimental (v0.1.0).** Agent is a preview, evolving quickly. It runs
+> today on an owner-operated, trusted machine — it is **not yet hardened for
+> untrusted or multi-tenant use**. Read [Status & safety](#status--safety) before
+> you rely on it. (Part of [Parachute](https://parachute.computer); conventions in
+> [`parachute-patterns`](https://github.com/ParachuteComputer/parachute-patterns).)
+
+Agent is a **messaging fabric for Claude Code**. One daemon hosts named
+*channels*; a Claude Code session connects to a channel, and you talk to it — from
+Telegram, from a Parachute vault, or from the built-in web chat. The session
+replies on the same channel. It also lets you **spawn and watch sandboxed agent
+sessions from the browser**.
+
+## What you get
+
+- **Talk to a session over any transport.** A channel is bound to one transport:
+  - `vault` — messages are durable [`#agent/message`](#vault-backed-channels)
+    notes in a Parachute vault, so the conversation is queryable and renders in any
+    vault surface (this is the recommended transport).
+  - `telegram` — a Telegram bot, one per channel.
+  - `http-ui` — an ephemeral in-memory transport for quick local testing.
+- **A built-in web surface** at `<hub-origin>/agent/` — Home, Chat, Agents,
+  Terminal, and Config, on the Parachute brand. Chat over a `vault` channel shows
+  the durable transcript and writes your messages back as notes.
+- **Sandboxed agent sessions.** Spawn a Claude Code session in a sandbox (scoped
+  filesystem + a network posture you choose), bound to a channel, and watch it in
+  an in-page terminal. See [Agents](#agent-sessions).
+
+## How it works
+
+Two components connected by SSE — a long-running **daemon** and a per-session
+**bridge**:
 
-<p align="center">
-  An AI assistant that runs agents securely in their own containers. Lightweight, built to be easily understood and completely customized for your needs. A [Parachute](https://parachute.computer) module.
-</p>
-
-<p align="center">
-  <a href="https://parachute.computer">parachute.computer</a>&nbsp; • &nbsp;
-  <a href="docs/">docs</a>&nbsp; • &nbsp;
-  <a href="README_zh.md">中文</a>&nbsp; • &nbsp;
-  <a href="README_ja.md">日本語</a>
-</p>
-
----
-
-## Why parachute-agent
-
-Most AI-assistant frameworks fall into one of two camps: heavyweight platforms with hundreds of thousands of lines of code, dozens of config files, and security at the application layer (allowlists, pairing codes); or DIY scripts with no isolation at all. Both ask you to either trust software you can't read, or hand the agent direct access to your machine.
-
-parachute-agent runs each agent group in its own Linux container with filesystem isolation, in a codebase small enough to read in an afternoon — one process and a handful of files. Bash access is safe because commands run inside the container, not on your host. The user's [Parachute Vault](https://github.com/ParachuteComputer/parachute-vault) is the agent's substrate: scoped vault tokens grant exactly the read/write surface you choose, and credentials live in a local AES-GCM-encrypted store, never round-tripped through chat context.
-
-## Quick Start
-
-parachute-agent is a [Parachute](https://parachute.computer) module — install it through the hub and configure it from the web UI:
-
-```bash
-parachute install parachute-agent
-```
-
-The hub builds the agent container, brings the host process up under `bun src/index.ts`, and serves the configuration UI at `http://127.0.0.1:1944/agent/`. From there: drop in your Anthropic API key, pick a channel (Telegram, Discord, or the local CLI), and pair your first agent — no shell scripts required. See [`docs/parachute-integration.md`](docs/parachute-integration.md) for the full Parachute path.
-
-## Philosophy
-
-**Small enough to understand.** One process, a few source files and no microservices. If you want to understand the full parachute-agent codebase, just ask Claude Code to walk you through it.
-
-**Secure by isolation.** Agents run in Linux containers and they can only see what's explicitly mounted. Bash access is safe because commands run inside the container, not on your host.
-
-**Built for the individual user.** parachute-agent isn't a monolithic framework; it's software that fits each user's exact needs. Instead of becoming bloatware, parachute-agent is designed to be bespoke. You make your own fork and have Claude Code modify it to match your needs.
-
-**Customization = code changes.** No configuration sprawl. Want different behavior? Modify the code. The codebase is small enough that it's safe to make changes.
-
-**AI-native, hybrid by design.** The install and onboarding flow is an optimized scripted path, fast and deterministic. When a step needs judgment, whether a failed install, a guided decision, or a customization, control hands off to Claude Code seamlessly. Beyond setup there's no monitoring dashboard or debugging UI either: describe the problem in chat and Claude Code handles it.
-
-**Skills over features.** Trunk ships the registry and infrastructure, not specific channel adapters or alternative agent providers. Channels (Discord, Slack, Telegram, WhatsApp, …) live on a long-lived `channels` branch; alternative providers (OpenCode, Ollama) live on `providers`. You run `/add-telegram`, `/add-opencode`, etc. and the skill copies exactly the module(s) you need into your fork. No feature you didn't ask for.
-
-**Best harness, best model.** parachute-agent natively uses Claude Code via Anthropic's official Claude Agent SDK, so you get the latest Claude models and Claude Code's full toolset, including the ability to modify and expand your own parachute-agent fork. Other providers are drop-in options: `/add-codex` for OpenAI's Codex (ChatGPT subscription or API key), `/add-opencode` for OpenRouter, Google, DeepSeek and more via OpenCode, and `/add-ollama-provider` for local open-weight models. Provider is configurable per agent group.
-
-## What It Supports
-
-- **Multi-channel messaging** — WhatsApp, Telegram, Discord, Slack, Microsoft Teams, iMessage, Matrix, Google Chat, Webex, Linear, GitHub, WeChat, and email via Resend. Installed on demand with `/add-<channel>` skills. Run one or many at the same time.
-- **Flexible isolation** — connect each channel to its own agent for full privacy, share one agent across many channels for unified memory with separate conversations, or fold multiple channels into a single shared session so one conversation spans many surfaces. Pick per channel via `/manage-channels`. See [docs/isolation-model.md](docs/isolation-model.md).
-- **Per-agent workspace** — each agent group has its own `CLAUDE.md`, its own memory, its own container, and only the mounts you allow. Nothing crosses the boundary unless you wire it to.
-- **Scheduled tasks** — recurring jobs that run Claude and can message you back
-- **Web access** — search and fetch content from the web
-- **Container isolation** — agents are sandboxed in Docker (macOS/Linux/WSL2), with optional [Docker Sandboxes](docs/docker-sandboxes.md) micro-VM isolation or Apple Container as a macOS-native opt-in
-- **Credential security** — agents never hold raw API keys. parachute-agent stores credentials in a local AES-GCM-encrypted secret store (`~/.parachute/agent/master.key` + the central DB), injects them into the container's environment at spawn time, and never round-trips them through chat context.
-
-## Usage
-
-Talk to your assistant with the trigger word (default: `@Andy`):
-
-```
-@Andy send an overview of the sales pipeline every weekday morning at 9am (has access to my Obsidian vault folder)
-@Andy review the git history for the past week each Friday and update the README if there's drift
-@Andy every Monday at 8am, compile news on AI developments from Hacker News and TechCrunch and message me a briefing
-```
-
-From a channel you own or administer, you can manage groups and tasks:
 ```
-@Andy list all scheduled tasks across groups
-@Andy pause the Monday briefing task
-@Andy join the Family Chat group
+your transports (Telegram / vault trigger / web chat)
+        ↕
+   daemon (port 1941, one per machine) ──┐ owns each transport; fans inbound
+        ↕ SSE (/events) + HTTP (/api/*)  │ to subscribers, accepts outbound
+   bridge  (stdio MCP, per session)      │
+        ↕ MCP notifications + tools       │
+   Claude Code session ──────────────────┘ wakes on a message, replies with a tool
 ```
 
-## Customizing
+A session can also connect as a **pure HTTP MCP server** (by URL + OAuth, exactly
+like adding the vault) — no local config file. See
+[Connecting a session](#connecting-a-session).
 
-parachute-agent doesn't use configuration files. To make changes, just tell Claude Code what you want:
+Deeper design + operational detail live in [`CLAUDE.md`](./CLAUDE.md).
 
-- "Change the trigger word to @Bob"
-- "Remember in the future to make responses shorter and more direct"
-- "Add a custom greeting when I say good morning"
-- "Store conversation summaries weekly"
+## Status & safety
 
-Or run `/customize` for guided changes.
+Agent is `focus: experimental` and pre-1.0. What's solid vs. early:
 
-The codebase is small enough that Claude can safely modify it.
+- **Solid:** the daemon/bridge fabric, the vault + Telegram + http-ui transports,
+  hub registration + reverse-proxy, the web surface (Home/Chat/Agents/Terminal/
+  Config), and vault-backed durable chat.
+- **Early / changing:** the npm package isn't published yet (run from source —
+  tracked in [#16](https://github.com/ParachuteComputer/parachute-agent/issues/16));
+  agent-session isolation is real but young; APIs may shift.
 
-## Contributing
+**Read this about agent sessions.** A spawned agent runs `claude` with
+`--dangerously-skip-permissions` (it's autonomous — no human at the terminal to
+answer prompts). The containment is the **OS sandbox**
+([`@anthropic-ai/sandbox-runtime`](https://www.npmjs.com/package/@anthropic-ai/sandbox-runtime) —
+Seatbelt on macOS, bubblewrap on Linux), with two independent boundaries you set
+per spawn:
 
-**Don't add features. Add skills.**
+- **Filesystem** — `workspace` (default): reads are scoped to the agent's own
+  workspace + the claude runtime, so it **can't read your home tree** (SSH keys,
+  `~/.parachute/operator.token`, other projects); `full`: broad reads. Writes are
+  confined to the workspace in both.
+- **Network** — `open` (default): full internet; `restricted`: only the
+  Anthropic API + your hub/vault + hosts you list.
 
-If you want to add a new channel or agent provider, don't add it to trunk. New channel adapters land on the `channels` branch; new agent providers land on `providers`. Users install them in their own fork with `/add-<name>` skills, which copy the relevant module(s) into the standard paths, wire the registration, and pin dependencies.
+The default (scoped reads + open network) is safe for your *own* agents because
+the filesystem sandbox keeps secrets unreadable — open network can't exfiltrate
+what the agent can't see. For an agent that handles **untrusted input**, use
+`network: restricted`. This is appropriate for an owner-operated, trusted box;
+full multi-tenant isolation is future work.
 
-This keeps trunk as pure registry and infra, and every fork stays lean — users get the channels and providers they asked for and nothing else.
+## Running it
 
-### RFS (Request for Skills)
+Agent runs alongside the rest of a Parachute install (the
+[hub](https://github.com/ParachuteComputer/parachute-hub) is the portal + OAuth
+issuer). Until the npm package ships, run it from source:
 
-Skills we'd like to see:
-
-**Communication Channels**
-- `/add-signal` — Add Signal as a channel
-
-## Requirements
-
-- macOS or Linux (Windows via WSL2)
-- Node.js 20+ and pnpm 10+ (the installer will install both if missing)
-- [Docker Desktop](https://docker.com/products/docker-desktop) (macOS/Windows) or Docker Engine (Linux)
-- [Claude Code](https://claude.ai/download) for `/customize`, `/debug`, error recovery during setup, and all `/add-<channel>` skills
-
-## Architecture
-
-```
-messaging apps → host process (router) → inbound.db → container (Bun, Claude Agent SDK) → outbound.db → host process (delivery) → messaging apps
+```bash
+git clone https://github.com/ParachuteComputer/parachute-agent
+cd parachute-agent
+bun install
+bun link            # so `parachute start agent` follows this checkout
 ```
 
-A single Node host orchestrates per-session agent containers. When a message arrives, the host routes it via the entity model (user → messaging group → agent group → session), writes it to the session's `inbound.db`, and wakes the container. The agent-runner inside the container polls `inbound.db`, runs Claude, and writes responses to `outbound.db`. The host polls `outbound.db` and delivers back through the channel adapter.
-
-Two SQLite files per session, each with exactly one writer — no cross-mount contention, no IPC, no stdin piping. Channels and alternative providers self-register at startup; trunk ships the registry and the Chat SDK bridge, while the adapters themselves are skill-installed per fork.
-
-For the full architecture writeup see [docs/architecture.md](docs/architecture.md); for the three-level isolation model see [docs/isolation-model.md](docs/isolation-model.md).
-
-Key files:
-- `src/index.ts` — entry point: DB init, channel adapters, delivery polls, sweep
-- `src/router.ts` — inbound routing: messaging group → agent group → session → `inbound.db`
-- `src/delivery.ts` — polls `outbound.db`, delivers via adapter, handles system actions
-- `src/host-sweep.ts` — 60s sweep: stale detection, due-message wake, recurrence
-- `src/session-manager.ts` — resolves sessions, opens `inbound.db` / `outbound.db`
-- `src/container-runner.ts` — spawns per-agent-group containers, injects encrypted secrets at spawn
-- `src/db/` — central DB (users, roles, agent groups, messaging groups, wiring, migrations)
-- `src/channels/` — channel adapter infra (adapters installed via `/add-<channel>` skills)
-- `src/providers/` — host-side provider config (`claude` baked in; others via skills)
-- `container/agent-runner/` — Bun agent-runner: poll loop, MCP tools, provider abstraction
-- `groups/<folder>/` — per-agent-group filesystem (`CLAUDE.md`, skills, container config)
-
-## FAQ
-
-**Why Docker?**
-
-Docker provides cross-platform support (macOS, Linux and Windows via WSL2) and a mature ecosystem. On macOS, you can optionally switch to Apple Container via `/convert-to-apple-container` for a lighter-weight native runtime. For additional isolation, [Docker Sandboxes](docs/docker-sandboxes.md) run each container inside a micro VM.
+The daemon self-registers into `~/.parachute/services.json` and ships
+`.parachute/module.json`, so the hub lists it in the portal and reverse-proxies
+`<hub-origin>/agent/*` → the loopback daemon. Reach the web surface at
+`<hub-origin>/agent/` (or `http://127.0.0.1:1941/` locally).
 
-**Can I run this on Linux or Windows?**
+| | |
+|---|---|
+| npm | `@openparachute/agent` (publish pending [#16](https://github.com/ParachuteComputer/parachute-agent/issues/16)) |
+| bins | `parachute-agent` (daemon), `parachute-agent-bridge` (session bridge) |
+| port | `1941` · paths `/agent` |
+| scopes | `agent:read` · `agent:write` · `agent:send` · `agent:admin` |
+| state | `~/.parachute/agent/` (`channels.json`, `access.json`, `inbox/`) |
 
-Yes. Docker is the default runtime and works on macOS, Linux, and Windows (via WSL2). Install via the Parachute hub: `parachute install parachute-agent`.
+## The web surface
 
-**Is this secure?**
+Reachable at `<hub-origin>/agent/`:
 
-Agents run in containers, not behind application-level permission checks. They can only access explicitly mounted directories. Credentials live in parachute-agent's AES-GCM-encrypted secret store (master key at `~/.parachute/agent/master.key`, ciphertext in the central DB), injected into each container at spawn time and scoped per agent group. You should still review what you're running, but the codebase is small enough that you actually can.
+- **Home** — your channels + any running agents at a glance.
+- **Chat** — talk to a channel. Over a `vault` channel you see the durable
+  transcript (markdown rendered); your messages are written back as notes.
+- **Agents** — set the Claude credential, then spawn a sandboxed agent bound to a
+  channel; list + kill running agents.
+- **Terminal** — attach to a running agent's session in an in-page xterm.
+- **Config** — add/remove channels (vault / Telegram / http-ui).
 
-**Why no configuration files?**
+## Vault-backed channels
 
-We don't want configuration sprawl. Every user should customize parachute-agent so that the code does exactly what they want, rather than configuring a generic system. If you prefer having config files, you can tell Claude to add them.
+A `vault` channel stores every message as a note carrying **two tags**: the parent
+`#agent/message` (queryable membership — list a channel's whole transcript with
+one `tag: "#agent/message"` + `metadata.channel` query) and a directional child
+`#agent/message/inbound` (human→session) or `#agent/message/outbound`
+(session→human). Inbound notes wake the session via a vault trigger; replies are
+written as outbound notes. Because the conversation lives in the vault, it's
+durable, queryable, and renders in any vault surface — the built-in chat and a
+custom surface show the same thread. Full note shape + the trigger setup are in
+[`CLAUDE.md`](./CLAUDE.md#vault-integration-stage-2--channels-backed-by-agent-message-notes).
 
-**Can I use third-party or open-source models?**
+## Connecting a session
 
-Yes. The supported path is `/add-opencode` (OpenRouter, OpenAI, Google, DeepSeek, and more via OpenCode config) or `/add-ollama-provider` (local open-weight models via Ollama). Both are configurable per agent group, so different agents can run on different backends in the same install.
-
-For one-off experiments, any Claude API-compatible endpoint also works via `.env`:
+A Claude Code session connects to a channel as a pure HTTP MCP server — by URL +
+OAuth, like adding the vault:
 
 ```bash
-ANTHROPIC_BASE_URL=https://your-api-endpoint.com
-ANTHROPIC_AUTH_TOKEN=your-token-here
+claude mcp add --transport http agent <hub-origin>/agent/mcp/<channel>
 ```
 
-**How do I debug issues?**
-
-Ask Claude Code. "Why isn't the scheduler running?" "What's in the recent logs?" "Why did this message not get a response?" That's the AI-native approach that underlies parachute-agent.
-
-**Why isn't the setup working for me?**
-
-If a step fails, run `claude`, then `/debug`. If Claude identifies an issue likely to affect other users, open a PR against the relevant setup step or skill.
-
-**What changes will be accepted into the codebase?**
-
-Only security fixes, bug fixes, and clear improvements will be accepted to the base configuration. That's all.
-
-Everything else (new capabilities, OS compatibility, hardware support, enhancements) should be contributed as skills on the `channels` or `providers` branch.
-
-This keeps the base system minimal and lets every user customize their installation without inheriting features they don't want.
-
-## Community
-
-Questions? Ideas? [Join the Discord](https://discord.gg/VDdww8qS42).
-
-## Changelog
-
-See [CHANGELOG.md](CHANGELOG.md) for breaking changes.
+It prompts for OAuth the first time. The session wakes on inbound messages and
+replies with the `reply` tool. (A stdio bridge over `/events` + `/api/*` also
+works for local/headless launches — see [`CLAUDE.md`](./CLAUDE.md).)
 
 ## License
 
-parachute-agent is licensed under the GNU Affero General Public License v3.0
-([LICENSE](./LICENSE)).
-
-It is a derivative of [NanoClaw](https://github.com/qwibitai/nanoclaw) (MIT —
-see [LICENSE-NANOCLAW-MIT](./LICENSE-NANOCLAW-MIT) for the original copyright
-notice). Substantial modifications and the combined work are AGPL-3.0; the
-original NanoClaw code remains MIT-licensed and can be obtained from the
-upstream project.
+[AGPL-3.0](./LICENSE).

package/package.json

@@ -1,55 +1,44 @@
 {
   "name": "@openparachute/agent",
-  "version": "0.1.1",
-  "description": "Parachute Agent — per-session containerized AI agent companion.",
+  "version": "0.2.0",
+  "description": "Vault-native agents for Claude Code — a #agent/definition note + an inbound message becomes a sandboxed claude turn; the reply is written back as a note. Messaging gateway on :1941.",
   "license": "AGPL-3.0",
   "type": "module",
-  "packageManager": "pnpm@10.33.0",
-  "main": "src/index.ts",
+  "bin": {
+    "parachute-agent": "src/daemon.ts",
+    "parachute-agent-bridge": "src/bridge.ts"
+  },
+  "files": [
+    "src",
+    ".parachute",
+    "scripts/spawn-agent.ts",
+    "tsconfig.json",
+    "web/ui/dist",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc",
-    "start": "bun src/index.ts",
-    "dev": "bun --hot src/index.ts",
+    "daemon": "bun src/daemon.ts",
+    "bridge": "bun src/bridge.ts",
+    "spawn-agent": "bun scripts/spawn-agent.ts",
+    "test": "bun run typecheck && bun test ./src/",
+    "test:spa": "cd web/ui && bun run test",
+    "test:all": "bun run test && bun run test:spa",
+    "test:e2e": "bun e2e/llm/run.ts",
     "typecheck": "tsc --noEmit",
-    "format": "prettier --write \"src/**/*.ts\"",
-    "format:fix": "prettier --write \"src/**/*.ts\"",
-    "format:check": "prettier --check \"src/**/*.ts\"",
-    "prepare": "husky",
-    "parachute": "bun scripts/parachute.ts",
-    "build:spa": "cd web/ui && pnpm install --frozen-lockfile --ignore-workspace && pnpm build",
-    "postinstall": "if [ -d web/ui ]; then pnpm run build:spa; fi",
-    "lint": "eslint src/",
-    "lint:fix": "eslint src/ --fix",
-    "test": "vitest run",
-    "test:watch": "vitest"
+    "build:spa": "cd web/ui && bun install --frozen-lockfile && bun run build",
+    "prepack": "bun run build:spa"
   },
   "dependencies": {
-    "@chat-adapter/discord": "4.26.0",
-    "@chat-adapter/telegram": "4.26.0",
-    "@clack/core": "^1.2.0",
-    "@clack/prompts": "^1.2.0",
-    "@modelcontextprotocol/sdk": "^1.29.0",
-    "chat": "^4.24.0",
-    "cron-parser": "5.5.0",
-    "jose": "^6.2.2",
-    "kleur": "^4.1.5"
+    "@anthropic-ai/sandbox-runtime": "0.0.54",
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@openparachute/scope-guard": "^0.4.0",
+    "@xterm/addon-fit": "0.10.0",
+    "@xterm/xterm": "5.5.0"
   },
-  "devDependencies": {
-    "@eslint/js": "^9.35.0",
-    "@types/better-sqlite3": "^7.6.12",
-    "@types/node": "^22.10.0",
-    "better-sqlite3": "11.10.0",
-    "bun-types": "^1.3.13",
-    "eslint": "^9.35.0",
-    "eslint-plugin-no-catch-all": "^1.1.0",
-    "globals": "^15.12.0",
-    "husky": "^9.1.7",
-    "prettier": "^3.8.1",
-    "typescript": "^5.7.0",
-    "typescript-eslint": "^8.35.0",
-    "vitest": "^4.0.18"
+  "peerDependencies": {
+    "typescript": "^5"
   },
-  "engines": {
-    "bun": ">=1.3"
+  "devDependencies": {
+    "@types/bun": "latest"
   }
 }