npm - @openparachute/agent - Versions diffs - 0.1.2 → 0.2.2 - Mend

@openparachute/agent 0.1.2 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (608) hide show

package/.parachute/module.json +124 -8
package/LICENSE +2 -16
package/README.md +118 -166
package/package.json +35 -42
package/scripts/spawn-agent.ts +371 -0
package/src/_parked/interactive-spawn.test.ts +324 -0
package/src/_parked/interactive-spawn.ts +701 -0
package/src/agent-defs.test.ts +1504 -0
package/src/agent-defs.ts +1702 -0
package/src/agent-mcp-config.test.ts +115 -0
package/src/agent-mcp-config.ts +115 -0
package/src/agents.test.ts +360 -0
package/src/agents.ts +379 -0
package/src/auth.test.ts +46 -0
package/src/auth.ts +140 -0
package/src/backends/attached-queue.test.ts +376 -0
package/src/backends/attached-queue.ts +372 -0
package/src/backends/programmatic.test.ts +1715 -0
package/src/backends/programmatic.ts +927 -0
package/src/backends/registry.test.ts +1494 -0
package/src/backends/registry.ts +1202 -0
package/src/backends/stream-json.test.ts +570 -0
package/src/backends/stream-json.ts +392 -0
package/src/backends/types.ts +223 -0
package/src/bridge.ts +417 -0
package/src/channel-backend-wiring.test.ts +237 -0
package/src/credentials.test.ts +274 -0
package/src/credentials.ts +380 -0
package/src/cron.test.ts +342 -0
package/src/cron.ts +380 -0
package/src/daemon-agent-def-api.test.ts +166 -0
package/src/daemon-agent-defs-api.test.ts +953 -0
package/src/daemon-agent-env-api.test.ts +338 -0
package/src/daemon-attached-queue-store.test.ts +65 -0
package/src/daemon-config-api.test.ts +962 -0
package/src/daemon-jobs-api.test.ts +271 -0
package/src/daemon-vault-chat.test.ts +250 -0
package/src/daemon.test.ts +746 -0
package/src/daemon.ts +3314 -0
package/src/def-vaults.test.ts +136 -0
package/src/def-vaults.ts +165 -0
package/src/delivery-state.test.ts +110 -0
package/src/delivery-state.ts +154 -0
package/src/effective-env.test.ts +114 -0
package/src/effective-env.ts +184 -0
package/src/env-compat.ts +39 -0
package/src/grants.test.ts +638 -0
package/src/grants.ts +675 -0
package/src/hub-jwt.test.ts +161 -0
package/src/hub-jwt.ts +182 -0
package/src/jobs.test.ts +245 -0
package/src/jobs.ts +266 -0
package/src/mcp-http.test.ts +265 -0
package/src/mcp-http.ts +771 -0
package/src/mint-token.test.ts +152 -0
package/src/mint-token.ts +139 -0
package/src/module-manifest.test.ts +158 -0
package/src/oauth-discovery.ts +134 -0
package/src/programmatic-wiring.test.ts +838 -0
package/src/registry.test.ts +227 -0
package/src/registry.ts +228 -0
package/src/resolve-port.test.ts +64 -0
package/src/routing.test.ts +184 -0
package/src/routing.ts +76 -0
package/src/runner.test.ts +506 -0
package/src/runner.ts +255 -0
package/src/sandbox/config.test.ts +150 -0
package/src/sandbox/config.ts +102 -0
package/src/sandbox/egress.test.ts +113 -0
package/src/sandbox/egress.ts +123 -0
package/src/sandbox/index.ts +180 -0
package/src/sandbox/live-seatbelt.test.ts +277 -0
package/src/sandbox/mounts.test.ts +154 -0
package/src/sandbox/mounts.ts +133 -0
package/src/sandbox/sandbox.test.ts +168 -0
package/src/sandbox/types.ts +382 -0
package/src/services-manifest.test.ts +106 -0
package/src/services-manifest.ts +95 -0
package/src/spa-serve.test.ts +116 -0
package/src/spa-serve.ts +116 -0
package/src/spawn-agent-cli.test.ts +172 -0
package/src/spawn-agent.test.ts +1218 -0
package/src/spawn-agent.ts +569 -0
package/src/spawn-deps.test.ts +54 -0
package/src/spawn-deps.ts +166 -0
package/src/telegram/api.ts +153 -0
package/src/terminal-assets.test.ts +50 -0
package/src/terminal-assets.ts +79 -0
package/src/terminal-ui.ts +305 -0
package/src/terminal.test.ts +530 -0
package/src/terminal.ts +458 -0
package/src/transport.ts +270 -0
package/src/transports/http-ui.test.ts +455 -0
package/src/transports/http-ui.ts +201 -0
package/src/transports/telegram.test.ts +174 -0
package/src/transports/telegram.ts +426 -0
package/src/transports/vault.test.ts +2011 -0
package/src/transports/vault.ts +1790 -0
package/src/ui-kit.test.ts +178 -0
package/src/ui-kit.ts +402 -0
package/tsconfig.json +8 -14
package/web/ui/dist/assets/index-C-iWdFFV.css +1 -0
package/web/ui/dist/assets/index-VFETBk0a.js +60 -0
package/web/ui/dist/index.html +15 -0
package/web/ui/tsconfig.json +2 -1
package/.claude/scheduled_tasks.lock +0 -1
package/.claude/settings.json +0 -5
package/.claude/skills/add-atomic-chat-tool/SKILL.md +0 -243
package/.claude/skills/add-atomic-chat-tool/atomic-chat-mcp-stdio.ts +0 -229
package/.claude/skills/add-codex/SKILL.md +0 -161
package/.claude/skills/add-dashboard/SKILL.md +0 -138
package/.claude/skills/add-dashboard/resources/dashboard-pusher.ts +0 -495
package/.claude/skills/add-emacs/SKILL.md +0 -296
package/.claude/skills/add-gcal-tool/SKILL.md +0 -210
package/.claude/skills/add-gchat/REMOVE.md +0 -6
package/.claude/skills/add-gchat/SKILL.md +0 -92
package/.claude/skills/add-gchat/VERIFY.md +0 -3
package/.claude/skills/add-github/REMOVE.md +0 -6
package/.claude/skills/add-github/SKILL.md +0 -148
package/.claude/skills/add-github/VERIFY.md +0 -3
package/.claude/skills/add-gmail-tool/SKILL.md +0 -229
package/.claude/skills/add-imessage/REMOVE.md +0 -6
package/.claude/skills/add-imessage/SKILL.md +0 -113
package/.claude/skills/add-imessage/VERIFY.md +0 -3
package/.claude/skills/add-karpathy-llm-wiki/SKILL.md +0 -110
package/.claude/skills/add-karpathy-llm-wiki/llm-wiki.md +0 -75
package/.claude/skills/add-linear/REMOVE.md +0 -6
package/.claude/skills/add-linear/SKILL.md +0 -168
package/.claude/skills/add-linear/VERIFY.md +0 -3
package/.claude/skills/add-macos-statusbar/SKILL.md +0 -133
package/.claude/skills/add-macos-statusbar/add/src/statusbar.swift +0 -147
package/.claude/skills/add-matrix/REMOVE.md +0 -6
package/.claude/skills/add-matrix/SKILL.md +0 -148
package/.claude/skills/add-matrix/VERIFY.md +0 -3
package/.claude/skills/add-ollama-provider/SKILL.md +0 -179
package/.claude/skills/add-ollama-tool/SKILL.md +0 -193
package/.claude/skills/add-opencode/SKILL.md +0 -229
package/.claude/skills/add-parallel/SKILL.md +0 -290
package/.claude/skills/add-resend/REMOVE.md +0 -6
package/.claude/skills/add-resend/SKILL.md +0 -93
package/.claude/skills/add-resend/VERIFY.md +0 -3
package/.claude/skills/add-signal/REMOVE.md +0 -13
package/.claude/skills/add-signal/SKILL.md +0 -318
package/.claude/skills/add-signal/VERIFY.md +0 -5
package/.claude/skills/add-slack/REMOVE.md +0 -6
package/.claude/skills/add-slack/SKILL.md +0 -112
package/.claude/skills/add-slack/VERIFY.md +0 -3
package/.claude/skills/add-teams/REMOVE.md +0 -6
package/.claude/skills/add-teams/SKILL.md +0 -207
package/.claude/skills/add-teams/VERIFY.md +0 -3
package/.claude/skills/add-vercel/SKILL.md +0 -147
package/.claude/skills/add-vercel/container-skills/vercel-cli/SKILL.md +0 -103
package/.claude/skills/add-webex/REMOVE.md +0 -6
package/.claude/skills/add-webex/SKILL.md +0 -88
package/.claude/skills/add-webex/VERIFY.md +0 -3
package/.claude/skills/add-wechat/REMOVE.md +0 -49
package/.claude/skills/add-wechat/SKILL.md +0 -170
package/.claude/skills/add-wechat/scripts/wire-dm.ts +0 -172
package/.claude/skills/add-whatsapp/SKILL.md +0 -264
package/.claude/skills/add-whatsapp-cloud/REMOVE.md +0 -6
package/.claude/skills/add-whatsapp-cloud/SKILL.md +0 -95
package/.claude/skills/add-whatsapp-cloud/VERIFY.md +0 -3
package/.claude/skills/claw/SKILL.md +0 -131
package/.claude/skills/claw/scripts/claw +0 -374
package/.claude/skills/convert-to-apple-container/SKILL.md +0 -212
package/.claude/skills/customize/SKILL.md +0 -110
package/.claude/skills/debug/SKILL.md +0 -349
package/.claude/skills/get-qodo-rules/SKILL.md +0 -122
package/.claude/skills/get-qodo-rules/references/output-format.md +0 -41
package/.claude/skills/get-qodo-rules/references/pagination.md +0 -33
package/.claude/skills/get-qodo-rules/references/repository-scope.md +0 -26
package/.claude/skills/init-first-agent/SKILL.md +0 -120
package/.claude/skills/init-onecli/SKILL.md +0 -270
package/.claude/skills/manage-channels/SKILL.md +0 -87
package/.claude/skills/manage-mounts/SKILL.md +0 -47
package/.claude/skills/migrate-from-openclaw/MIGRATE_CRONS.md +0 -100
package/.claude/skills/migrate-from-openclaw/SKILL.md +0 -447
package/.claude/skills/migrate-from-openclaw/scripts/discover-openclaw.ts +0 -734
package/.claude/skills/migrate-from-openclaw/scripts/extract-channel-credentials.ts +0 -476
package/.claude/skills/migrate-nanoclaw/SKILL.md +0 -484
package/.claude/skills/migrate-nanoclaw/diagnostics.md +0 -51
package/.claude/skills/qodo-pr-resolver/SKILL.md +0 -326
package/.claude/skills/qodo-pr-resolver/resources/providers.md +0 -329
package/.claude/skills/update-nanoclaw/SKILL.md +0 -243
package/.claude/skills/update-nanoclaw/diagnostics.md +0 -48
package/.claude/skills/update-skills/SKILL.md +0 -130
package/.claude/skills/use-native-credential-proxy/SKILL.md +0 -167
package/.claude/skills/x-integration/SKILL.md +0 -417
package/.claude/skills/x-integration/agent.ts +0 -243
package/.claude/skills/x-integration/host.ts +0 -155
package/.claude/skills/x-integration/lib/browser.ts +0 -148
package/.claude/skills/x-integration/lib/config.ts +0 -62
package/.claude/skills/x-integration/scripts/like.ts +0 -56
package/.claude/skills/x-integration/scripts/post.ts +0 -66
package/.claude/skills/x-integration/scripts/quote.ts +0 -80
package/.claude/skills/x-integration/scripts/reply.ts +0 -74
package/.claude/skills/x-integration/scripts/retweet.ts +0 -62
package/.claude/skills/x-integration/scripts/setup.ts +0 -87
package/.github/CODEOWNERS +0 -10
package/.github/PULL_REQUEST_TEMPLATE.md +0 -18
package/.github/workflows/bump-version.yml +0 -35
package/.github/workflows/ci.yml +0 -39
package/.github/workflows/label-pr.yml +0 -40
package/.github/workflows/update-tokens.yml +0 -43
package/.husky/pre-commit +0 -1
package/.mcp.json +0 -3
package/.nvmrc +0 -1
package/.prettierrc +0 -4
package/CHANGELOG.md +0 -263
package/CLAUDE.md +0 -307
package/CODE_OF_CONDUCT.md +0 -128
package/CONTRIBUTING.md +0 -159
package/CONTRIBUTORS.md +0 -26
package/LICENSE-NANOCLAW-MIT +0 -21
package/README_ja.md +0 -194
package/README_zh.md +0 -194
package/assets/nanoclaw-favicon.png +0 -0
package/assets/nanoclaw-icon.png +0 -0
package/assets/nanoclaw-logo-dark.png +0 -0
package/assets/nanoclaw-logo.png +0 -0
package/assets/nanoclaw-profile.jpeg +0 -0
package/assets/nanoclaw-sales.png +0 -0
package/assets/social-preview.jpg +0 -0
package/config-examples/mount-allowlist.json +0 -25
package/container/.dockerignore +0 -2
package/container/CLAUDE.md +0 -21
package/container/Dockerfile +0 -121
package/container/agent-runner/bun.lock +0 -243
package/container/agent-runner/package.json +0 -22
package/container/agent-runner/scripts/sdk-signal-probe.ts +0 -169
package/container/agent-runner/src/config.ts +0 -55
package/container/agent-runner/src/db/connection.ts +0 -267
package/container/agent-runner/src/db/index.ts +0 -20
package/container/agent-runner/src/db/messages-in.ts +0 -138
package/container/agent-runner/src/db/messages-out.ts +0 -143
package/container/agent-runner/src/db/session-routing.ts +0 -30
package/container/agent-runner/src/db/session-state.test.ts +0 -100
package/container/agent-runner/src/db/session-state.ts +0 -79
package/container/agent-runner/src/destinations.ts +0 -135
package/container/agent-runner/src/formatter.test.ts +0 -167
package/container/agent-runner/src/formatter.ts +0 -260
package/container/agent-runner/src/index.ts +0 -110
package/container/agent-runner/src/integration.test.ts +0 -121
package/container/agent-runner/src/mcp-tools/agents.instructions.md +0 -26
package/container/agent-runner/src/mcp-tools/agents.ts +0 -66
package/container/agent-runner/src/mcp-tools/core.instructions.md +0 -27
package/container/agent-runner/src/mcp-tools/core.ts +0 -262
package/container/agent-runner/src/mcp-tools/index.ts +0 -22
package/container/agent-runner/src/mcp-tools/interactive.instructions.md +0 -22
package/container/agent-runner/src/mcp-tools/interactive.ts +0 -169
package/container/agent-runner/src/mcp-tools/scheduling.instructions.md +0 -40
package/container/agent-runner/src/mcp-tools/scheduling.ts +0 -299
package/container/agent-runner/src/mcp-tools/self-mod.instructions.md +0 -25
package/container/agent-runner/src/mcp-tools/self-mod.ts +0 -120
package/container/agent-runner/src/mcp-tools/server.ts +0 -54
package/container/agent-runner/src/mcp-tools/types.ts +0 -6
package/container/agent-runner/src/poll-loop.test.ts +0 -248
package/container/agent-runner/src/poll-loop.ts +0 -437
package/container/agent-runner/src/providers/claude.ts +0 -379
package/container/agent-runner/src/providers/factory.test.ts +0 -19
package/container/agent-runner/src/providers/factory.ts +0 -13
package/container/agent-runner/src/providers/index.ts +0 -6
package/container/agent-runner/src/providers/mock.ts +0 -77
package/container/agent-runner/src/providers/provider-registry.ts +0 -33
package/container/agent-runner/src/providers/types.ts +0 -82
package/container/agent-runner/src/scheduling/task-script.ts +0 -121
package/container/agent-runner/src/timezone.test.ts +0 -93
package/container/agent-runner/src/timezone.ts +0 -107
package/container/agent-runner/tsconfig.json +0 -14
package/container/build.sh +0 -48
package/container/entrypoint.sh +0 -16
package/container/skills/agent-browser/SKILL.md +0 -159
package/container/skills/frontend-engineer/SKILL.md +0 -157
package/container/skills/self-customize/SKILL.md +0 -87
package/container/skills/slack-formatting/SKILL.md +0 -94
package/container/skills/vercel-cli/SKILL.md +0 -111
package/container/skills/welcome/SKILL.md +0 -85
package/docs/APPLE-CONTAINER-NETWORKING.md +0 -90
package/docs/BRANCH-FORK-MAINTENANCE.md +0 -81
package/docs/README.md +0 -25
package/docs/SDK_DEEP_DIVE.md +0 -643
package/docs/SECURITY.md +0 -162
package/docs/agent-runner-details.md +0 -749
package/docs/api-details.md +0 -365
package/docs/architecture-diagram.html +0 -422
package/docs/architecture-diagram.md +0 -215
package/docs/architecture.md +0 -751
package/docs/audit/2026-04-30-channel-endpoint-audit.md +0 -36
package/docs/build-and-runtime.md +0 -80
package/docs/cross-mount-stress/README.md +0 -112
package/docs/cross-mount-stress/container-writer-retry.mjs +0 -55
package/docs/cross-mount-stress/container-writer-slow.mjs +0 -42
package/docs/cross-mount-stress/container-writer.mjs +0 -47
package/docs/cross-mount-stress/host-writer-retry.mjs +0 -55
package/docs/cross-mount-stress/host-writer-slow.mjs +0 -43
package/docs/cross-mount-stress/host-writer.mjs +0 -47
package/docs/db-central.md +0 -316
package/docs/db-session.md +0 -183
package/docs/db.md +0 -119
package/docs/design/2026-04-29-vault-management-ui.md +0 -231
package/docs/design/2026-04-30-channel-wiring-rework.md +0 -234
package/docs/design/2026-05-01-channel-wiring-approvals-deep-dive.md +0 -272
package/docs/design/2026-05-02-channel-policy-and-approval-routing.md +0 -250
package/docs/docker-sandboxes.md +0 -359
package/docs/isolation-model.md +0 -88
package/docs/ollama.md +0 -79
package/docs/parachute-integration.md +0 -109
package/docs/post-night-rebirth-reflections.md +0 -151
package/eslint.config.js +0 -32
package/pnpm-workspace.yaml +0 -8
package/repo-tokens/README.md +0 -113
package/repo-tokens/action.yml +0 -186
package/repo-tokens/badge.svg +0 -23
package/repo-tokens/examples/green.svg +0 -14
package/repo-tokens/examples/red.svg +0 -14
package/repo-tokens/examples/yellow-green.svg +0 -14
package/repo-tokens/examples/yellow.svg +0 -14
package/scripts/chat.ts +0 -101
package/scripts/cleanup-sessions.sh +0 -150
package/scripts/init-cli-agent.ts +0 -172
package/scripts/init-first-agent.ts +0 -378
package/scripts/parachute.ts +0 -158
package/scripts/run-migrations.ts +0 -105
package/scripts/sanity-live-poll.ts +0 -95
package/scripts/seed-discord.ts +0 -80
package/scripts/test-v2-agent.ts +0 -106
package/scripts/test-v2-channel-e2e.ts +0 -265
package/scripts/test-v2-host.ts +0 -184
package/src/channels/adapter.ts +0 -214
package/src/channels/api-translator.test.ts +0 -306
package/src/channels/api-translator.ts +0 -214
package/src/channels/ask-question.ts +0 -46
package/src/channels/channel-registry.test.ts +0 -421
package/src/channels/channel-registry.ts +0 -313
package/src/channels/chat-sdk-bridge.test.ts +0 -84
package/src/channels/chat-sdk-bridge.ts +0 -652
package/src/channels/cli.ts +0 -276
package/src/channels/discord.ts +0 -90
package/src/channels/index.ts +0 -17
package/src/channels/telegram-markdown-sanitize.test.ts +0 -78
package/src/channels/telegram-markdown-sanitize.ts +0 -55
package/src/channels/telegram-pairing.test.ts +0 -254
package/src/channels/telegram-pairing.ts +0 -339
package/src/channels/telegram.ts +0 -279
package/src/channels/trust-hint.test.ts +0 -48
package/src/channels/trust-hint.ts +0 -75
package/src/claude-md-compose.migrate.test.ts +0 -64
package/src/claude-md-compose.ts +0 -205
package/src/command-gate.ts +0 -63
package/src/config.test.ts +0 -93
package/src/config.ts +0 -128
package/src/container-config.ts +0 -167
package/src/container-runner.test.ts +0 -32
package/src/container-runner.ts +0 -576
package/src/container-runtime.test.ts +0 -269
package/src/container-runtime.ts +0 -167
package/src/db/_bun-sqlite-shim.ts +0 -88
package/src/db/agent-activity.test.ts +0 -155
package/src/db/agent-activity.ts +0 -121
package/src/db/agent-groups.ts +0 -77
package/src/db/connection.migrate.test.ts +0 -176
package/src/db/connection.ts +0 -259
package/src/db/db-v2.test.ts +0 -440
package/src/db/dropped-messages.ts +0 -44
package/src/db/index.ts +0 -40
package/src/db/messaging-groups.ts +0 -252
package/src/db/migrations/001-initial.ts +0 -112
package/src/db/migrations/002-chat-sdk-state.ts +0 -36
package/src/db/migrations/008-dropped-messages.ts +0 -27
package/src/db/migrations/009-drop-pending-credentials.ts +0 -13
package/src/db/migrations/010-engage-modes.ts +0 -103
package/src/db/migrations/011-pending-sender-approvals.ts +0 -40
package/src/db/migrations/012-channel-registration.ts +0 -48
package/src/db/migrations/013-approval-render-metadata.ts +0 -27
package/src/db/migrations/014-secrets.ts +0 -44
package/src/db/migrations/015-secrets-drop-host-pattern.ts +0 -18
package/src/db/migrations/016-secret-assignments.ts +0 -30
package/src/db/migrations/017-agent-activity.ts +0 -40
package/src/db/migrations/018-oauth-app-configs.ts +0 -34
package/src/db/migrations/019-oauth-app-connections.ts +0 -48
package/src/db/migrations/020-agent-app-connections.ts +0 -28
package/src/db/migrations/021-pending-oauth-states.ts +0 -35
package/src/db/migrations/022-app-connections-provider.ts +0 -25
package/src/db/migrations/023-agent-group-secret-mode.test.ts +0 -124
package/src/db/migrations/023-agent-group-secret-mode.ts +0 -65
package/src/db/migrations/024-collapse-approvals.test.ts +0 -249
package/src/db/migrations/024-collapse-approvals.ts +0 -182
package/src/db/migrations/025-secret-mode-check.test.ts +0 -155
package/src/db/migrations/025-secret-mode-check.ts +0 -49
package/src/db/migrations/026-user-dms-bot-id.test.ts +0 -116
package/src/db/migrations/026-user-dms-bot-id.ts +0 -54
package/src/db/migrations/027-provider-credentials.ts +0 -41
package/src/db/migrations/_test-helpers.ts +0 -41
package/src/db/migrations/index.ts +0 -127
package/src/db/migrations/module-agent-to-agent-destinations.ts +0 -84
package/src/db/migrations/module-approvals-pending-approvals.ts +0 -42
package/src/db/migrations/module-approvals-title-options.ts +0 -40
package/src/db/schema.ts +0 -258
package/src/db/session-db.test.ts +0 -93
package/src/db/session-db.ts +0 -325
package/src/db/sessions.ts +0 -241
package/src/delivery.test.ts +0 -148
package/src/delivery.ts +0 -445
package/src/env.ts +0 -74
package/src/group-folder.test.ts +0 -35
package/src/group-folder.ts +0 -44
package/src/group-init.ts +0 -92
package/src/host-core.test.ts +0 -456
package/src/host-sweep.test.ts +0 -146
package/src/host-sweep.ts +0 -287
package/src/index.ts +0 -232
package/src/install-slug.ts +0 -33
package/src/log.test.ts +0 -81
package/src/log.ts +0 -117
package/src/mcp/http.ts +0 -72
package/src/mcp/server.ts +0 -92
package/src/mcp/stdio.ts +0 -51
package/src/mcp/tools/activity.ts +0 -88
package/src/mcp/tools/agent-groups.ts +0 -183
package/src/mcp/tools/approvals.ts +0 -122
package/src/mcp/tools/channels.test.ts +0 -126
package/src/mcp/tools/channels.ts +0 -134
package/src/mcp/tools/index.ts +0 -27
package/src/mcp/tools/oauth.ts +0 -48
package/src/mcp/tools/secrets.ts +0 -169
package/src/mcp/tools/sessions.ts +0 -135
package/src/mcp/types.ts +0 -51
package/src/modules/agent-to-agent/agent-route.test.ts +0 -46
package/src/modules/agent-to-agent/agent-route.ts +0 -223
package/src/modules/agent-to-agent/create-agent.ts +0 -127
package/src/modules/agent-to-agent/db/agent-destinations.ts +0 -135
package/src/modules/agent-to-agent/index.ts +0 -22
package/src/modules/agent-to-agent/write-destinations.ts +0 -59
package/src/modules/approvals/agent.md +0 -45
package/src/modules/approvals/index.ts +0 -21
package/src/modules/approvals/picks.test.ts +0 -291
package/src/modules/approvals/primitive.ts +0 -279
package/src/modules/approvals/project.md +0 -27
package/src/modules/approvals/response-handler.ts +0 -87
package/src/modules/index.ts +0 -24
package/src/modules/interactive/agent.md +0 -21
package/src/modules/interactive/index.ts +0 -69
package/src/modules/interactive/project.md +0 -12
package/src/modules/mount-security/expand-path.test.ts +0 -82
package/src/modules/mount-security/index.ts +0 -459
package/src/modules/mount-security/migrate.test.ts +0 -91
package/src/modules/permissions/access.ts +0 -28
package/src/modules/permissions/channel-approval.test.ts +0 -389
package/src/modules/permissions/channel-approval.ts +0 -188
package/src/modules/permissions/db/agent-group-members.ts +0 -44
package/src/modules/permissions/db/pending-channel-approvals.test.ts +0 -86
package/src/modules/permissions/db/pending-channel-approvals.ts +0 -66
package/src/modules/permissions/db/pending-sender-approvals.ts +0 -60
package/src/modules/permissions/db/user-dms.ts +0 -58
package/src/modules/permissions/db/user-roles.ts +0 -85
package/src/modules/permissions/db/users.ts +0 -38
package/src/modules/permissions/index.ts +0 -421
package/src/modules/permissions/permissions.test.ts +0 -358
package/src/modules/permissions/sender-approval.test.ts +0 -641
package/src/modules/permissions/sender-approval.ts +0 -165
package/src/modules/permissions/user-dm.ts +0 -200
package/src/modules/provider-credentials/db.ts +0 -121
package/src/modules/provider-credentials/index.ts +0 -12
package/src/modules/provider-credentials/spawn.test.ts +0 -206
package/src/modules/provider-credentials/spawn.ts +0 -114
package/src/modules/scheduling/actions.ts +0 -113
package/src/modules/scheduling/db.test.ts +0 -282
package/src/modules/scheduling/db.ts +0 -148
package/src/modules/scheduling/index.ts +0 -34
package/src/modules/scheduling/recurrence.test.ts +0 -98
package/src/modules/scheduling/recurrence.ts +0 -54
package/src/modules/self-mod/agent.md +0 -30
package/src/modules/self-mod/apply.ts +0 -85
package/src/modules/self-mod/index.ts +0 -30
package/src/modules/self-mod/project.md +0 -39
package/src/modules/self-mod/request.ts +0 -91
package/src/modules/typing/index.ts +0 -165
package/src/oauth/agent-app-connections.ts +0 -103
package/src/oauth/app-configs.test.ts +0 -64
package/src/oauth/app-configs.ts +0 -114
package/src/oauth/app-connections.test.ts +0 -109
package/src/oauth/app-connections.ts +0 -178
package/src/oauth/crypto.ts +0 -56
package/src/oauth/flow.ts +0 -104
package/src/oauth/providers/google.test.ts +0 -38
package/src/oauth/providers/google.ts +0 -46
package/src/oauth/providers/index.ts +0 -48
package/src/oauth/state-store.test.ts +0 -54
package/src/oauth/state-store.ts +0 -93
package/src/parachute/README.md +0 -27
package/src/parachute/create-agent.test.ts +0 -83
package/src/parachute/create-agent.ts +0 -122
package/src/parachute/group-status.test.ts +0 -165
package/src/parachute/group-status.ts +0 -136
package/src/parachute/types.ts +0 -41
package/src/parachute/vault-mcp.test.ts +0 -251
package/src/parachute/vault-mcp.ts +0 -232
package/src/platform-id.test.ts +0 -104
package/src/platform-id.ts +0 -109
package/src/providers/index.ts +0 -6
package/src/providers/provider-container-registry.ts +0 -58
package/src/response-registry.ts +0 -45
package/src/router.ts +0 -530
package/src/secrets/crypto.test.ts +0 -45
package/src/secrets/crypto.ts +0 -55
package/src/secrets/index.ts +0 -461
package/src/secrets/master-key.ts +0 -70
package/src/secrets/secrets.test.ts +0 -651
package/src/session-manager.attachments.test.ts +0 -171
package/src/session-manager.dup-skip.test.ts +0 -173
package/src/session-manager.migrate.test.ts +0 -59
package/src/session-manager.ts +0 -451
package/src/startup-bootstrap.test.ts +0 -226
package/src/startup-bootstrap.ts +0 -207
package/src/state-sqlite.ts +0 -182
package/src/timezone.test.ts +0 -64
package/src/timezone.ts +0 -37
package/src/types.ts +0 -233
package/src/web/auth.test.ts +0 -335
package/src/web/auth.ts +0 -214
package/src/web/discord-validate.test.ts +0 -77
package/src/web/discord-validate.ts +0 -88
package/src/web/hub-discovery.test.ts +0 -98
package/src/web/hub-discovery.ts +0 -69
package/src/web/routes/activity.ts +0 -106
package/src/web/routes/agent-provider.test.ts +0 -282
package/src/web/routes/agent-provider.ts +0 -309
package/src/web/routes/approvals.ts +0 -185
package/src/web/routes/apps.ts +0 -434
package/src/web/routes/channels-mg-detail.test.ts +0 -324
package/src/web/routes/channels-mga-detail.test.ts +0 -472
package/src/web/routes/channels.ts +0 -311
package/src/web/routes/oauth-providers.ts +0 -42
package/src/web/routes/secrets.test.ts +0 -220
package/src/web/routes/secrets.ts +0 -317
package/src/web/routes/sessions.ts +0 -123
package/src/web/routes/settings.test.ts +0 -106
package/src/web/routes/settings.ts +0 -247
package/src/web/routes/setup-status.ts +0 -205
package/src/web/routes/vaults.test.ts +0 -389
package/src/web/routes/vaults.ts +0 -225
package/src/web/server-version.test.ts +0 -16
package/src/web/server.ts +0 -1024
package/src/web/services-manifest.test.ts +0 -148
package/src/web/services-manifest.ts +0 -66
package/src/web/static-serve.test.ts +0 -255
package/src/web/static-serve.ts +0 -104
package/src/web/telegram-validate.test.ts +0 -116
package/src/web/telegram-validate.ts +0 -107
package/src/web/vault-proxy.test.ts +0 -214
package/src/web/vault-proxy.ts +0 -120
package/src/web/wire-channel.ts +0 -181
package/src/webhook-server.ts +0 -134
package/vitest.config.ts +0 -18
package/web/README.md +0 -63
package/web/ui/index.html +0 -13
package/web/ui/package.json +0 -35
package/web/ui/pnpm-lock.yaml +0 -2164
package/web/ui/scripts/verify-base.mjs +0 -31
package/web/ui/src/App.tsx +0 -88
package/web/ui/src/components/ActivityFeed.tsx +0 -444
package/web/ui/src/components/AgentGroupPicker.tsx +0 -263
package/web/ui/src/components/AgentProviderCards.tsx +0 -220
package/web/ui/src/components/CredentialForm.tsx +0 -214
package/web/ui/src/components/ScopeGrants.tsx +0 -74
package/web/ui/src/components/StatusDot.tsx +0 -43
package/web/ui/src/components/VaultPicker.tsx +0 -127
package/web/ui/src/components/setup/AdapterInstallStep.tsx +0 -178
package/web/ui/src/components/setup/AgentGroupStep.tsx +0 -43
package/web/ui/src/components/setup/ChannelPickStep.tsx +0 -74
package/web/ui/src/components/setup/DoneStep.tsx +0 -49
package/web/ui/src/components/setup/PrereqStep.tsx +0 -129
package/web/ui/src/components/setup/TestConnectionStep.tsx +0 -108
package/web/ui/src/components/setup/TestMessageStep.tsx +0 -104
package/web/ui/src/components/setup/WireChannelStep.tsx +0 -166
package/web/ui/src/components/setup/types.ts +0 -105
package/web/ui/src/lib/api.test.ts +0 -410
package/web/ui/src/lib/api.ts +0 -1248
package/web/ui/src/lib/auth.test.ts +0 -352
package/web/ui/src/lib/auth.ts +0 -405
package/web/ui/src/lib/channel-adapters.ts +0 -136
package/web/ui/src/main.tsx +0 -19
package/web/ui/src/routes/ApprovalsList.tsx +0 -294
package/web/ui/src/routes/Apps.tsx +0 -613
package/web/ui/src/routes/ChannelWireDetail.test.tsx +0 -233
package/web/ui/src/routes/ChannelWireDetail.tsx +0 -403
package/web/ui/src/routes/ChannelsList.tsx +0 -158
package/web/ui/src/routes/GroupDetail.test.tsx +0 -206
package/web/ui/src/routes/GroupDetail.tsx +0 -880
package/web/ui/src/routes/GroupList.tsx +0 -187
package/web/ui/src/routes/MessagingGroupDetail.test.tsx +0 -233
package/web/ui/src/routes/MessagingGroupDetail.tsx +0 -306
package/web/ui/src/routes/NewGroupWizard.tsx +0 -390
package/web/ui/src/routes/OAuthCallback.tsx +0 -56
package/web/ui/src/routes/SecretsList.tsx +0 -942
package/web/ui/src/routes/SessionsList.tsx +0 -220
package/web/ui/src/routes/SettingsAgentProvider.tsx +0 -109
package/web/ui/src/routes/SettingsApprovals.tsx +0 -234
package/web/ui/src/routes/SetupWizard.tsx +0 -219
package/web/ui/src/routes/VaultDetail.test.tsx +0 -363
package/web/ui/src/routes/VaultDetail.tsx +0 -960
package/web/ui/src/routes/VaultsList.tsx +0 -295
package/web/ui/src/routes/WireChannelPage.tsx +0 -413
package/web/ui/src/styles.css +0 -608
package/web/ui/src/test/setup.ts +0 -23
package/web/ui/src/vite-env.d.ts +0 -10
package/web/ui/vite.config.ts +0 -34
package/web/ui/vitest.config.ts +0 -25

package/src/secrets/secrets.test.ts DELETED Viewed

@@ -1,651 +0,0 @@
-import crypto from 'crypto';
-import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-import type { SecretMode } from '../types.js';
-import { closeDb, initTestDb, runMigrations } from '../db/index.js';
-import { _setMasterKeyForTest } from './master-key.js';
-import {
-  addAssignment,
-  deleteSecret,
-  findStaleSessionsForSecret,
-  getSecret,
-  getSecretById,
-  listAssignments,
-  listInjectableSecretsForGroup,
-  listSecrets,
-  putSecret,
-  removeAssignment,
-  replaceAssignments,
-  resolveInjectableSecrets,
-} from './index.js';
-beforeEach(() => {
-  const db = initTestDb();
-  runMigrations(db);
-  _setMasterKeyForTest(crypto.randomBytes(32));
-});
-afterEach(() => {
-  closeDb();
-});
-function seedAgentGroup(db: ReturnType<typeof initTestDb>, id: string, mode: SecretMode = 'selective') {
-  db.prepare(
-    `INSERT INTO agent_groups (id, folder, name, secret_mode, created_at)
-     VALUES (?, ?, ?, ?, datetime('now'))`,
-  ).run(id, id, id, mode);
-}
-describe('secrets store', () => {
-  it('round-trips a global secret', () => {
-    putSecret('SLACK_BOT_TOKEN', 'xoxb-1234');
-    expect(getSecret('SLACK_BOT_TOKEN')).toBe('xoxb-1234');
-  });
-  it('returns undefined for missing names', () => {
-    expect(getSecret('NOT_THERE')).toBeUndefined();
-  });
-  it('updates an existing secret in place', () => {
-    const id1 = putSecret('NAME', 'v1');
-    const id2 = putSecret('NAME', 'v2');
-    expect(id1).toBe(id2);
-    expect(getSecret('NAME')).toBe('v2');
-  });
-  it('lists secret metadata without exposing values', () => {
-    putSecret('A', 'aaa');
-    putSecret('B', 'bbb', { kind: 'channel-token' });
-    const rows = listSecrets();
-    expect(rows.map((r) => r.name).sort()).toEqual(['A', 'B']);
-    expect(rows.find((r) => r.name === 'B')?.kind).toBe('channel-token');
-    expect(rows[0]).not.toHaveProperty('value_encrypted');
-  });
-  it('agent-scoped secret beats a global one with the same name', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'g1');
-    putSecret('TOKEN', 'global-value');
-    putSecret('TOKEN', 'g1-value', { agent_group_id: 'g1' });
-    expect(getSecret('TOKEN')).toBe('global-value');
-    expect(getSecret('TOKEN', 'g1')).toBe('g1-value');
-  });
-  it('falls back to global when no scoped row exists', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'g1');
-    putSecret('SHARED', 'global-only');
-    expect(getSecret('SHARED', 'g1')).toBe('global-only');
-  });
-  it('deletes by id', () => {
-    const id = putSecret('ZAP', 'value');
-    expect(deleteSecret(id)).toBe(true);
-    expect(getSecret('ZAP')).toBeUndefined();
-    expect(deleteSecret(id)).toBe(false);
-  });
-  it('resolveInjectableSecrets in mode=all unions global + scoped, scoped wins', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'g1', 'all');
-    putSecret('G', 'global-only');
-    putSecret('S', 'scoped-only', { agent_group_id: 'g1' });
-    putSecret('B', 'global-B', {});
-    putSecret('B', 'scoped-B', { agent_group_id: 'g1' });
-    const env = resolveInjectableSecrets('g1');
-    expect(env.get('G')).toBe('global-only');
-    expect(env.get('S')).toBe('scoped-only');
-    expect(env.get('B')).toBe('scoped-B');
-  });
-  it('mode=selective hides unassigned globals, but scoped secrets are auto-seeded into the owner', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'g1', 'selective');
-    // Unassigned global → invisible under selective mode.
-    putSecret('GLOBAL', 'global-v');
-    // Scoped secret → putSecret auto-seeds the (id, g1) assignment row, so
-    // the resolver injects it even under selective mode (paraclaw#127).
-    putSecret('SCOPED', 'scoped-v', { agent_group_id: 'g1' });
-    const env = resolveInjectableSecrets('g1');
-    expect([...env.keys()]).toEqual(['SCOPED']);
-    expect(env.get('SCOPED')).toBe('scoped-v');
-  });
-  it('unknown agent_group_id resolves as no-secrets (selective default)', () => {
-    putSecret('GLOBAL', 'v');
-    expect(resolveInjectableSecrets('does-not-exist').size).toBe(0);
-  });
-});
-describe('putSecret auto-seeds the owner assignment for scoped creates (paraclaw#127)', () => {
-  /**
-   * The default `agent_groups.secret_mode` is `selective` (migration 023).
-   * Before the auto-seed, calling `putSecret(name, value, { agent_group_id })`
-   * inserted a `secrets` row but never the matching `secret_assignments` row,
-   * leaving the secret silently invisible to `resolveInjectableSecrets` —
-   * the row predicate `(s.agent_group_id = g.id OR s.agent_group_id IS NULL)`
-   * matches but the gate `(g.secret_mode='all' OR a.secret_id IS NOT NULL)`
-   * rejects. UI layers had a follow-up `setSecretAssignments` that papered
-   * over this on edits, but the create-side `CredentialForm` "free" mode
-   * called only `putSecret` — so the standard "+ New secret" flow produced
-   * orphan rows.
-   *
-   * Fix: `putSecret` writes the (id, owning_group) assignment row in the
-   * same transaction on INSERT. UPDATE/rotate leaves the assignment set
-   * alone (operator may have deliberately revoked).
-   */
-  it('scoped create writes a matching secret_assignments row', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    const id = putSecret('TOKEN', 'v', { agent_group_id: 'A' });
-    expect(listAssignments(id)).toEqual(['A']);
-  });
-  it('scoped create in selective mode is visible via resolveInjectableSecrets without an explicit assign call', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    putSecret('TOKEN', 'scoped-v', { agent_group_id: 'A' });
-    expect(resolveInjectableSecrets('A').get('TOKEN')).toBe('scoped-v');
-  });
-  it('scoped create in selective mode is visible via listInjectableSecretsForGroup, tagged scope=scoped', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    putSecret('TOKEN', 'scoped-v', { agent_group_id: 'A' });
-    const rows = listInjectableSecretsForGroup('A');
-    expect(rows).toHaveLength(1);
-    expect(rows[0].name).toBe('TOKEN');
-    expect(rows[0].scope).toBe('scoped');
-  });
-  it('global create does NOT write any secret_assignments row', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    const id = putSecret('GLOBAL_TOKEN', 'v');
-    expect(listAssignments(id)).toEqual([]);
-    const total = db.prepare<{ n: number }>(`SELECT COUNT(*) AS n FROM secret_assignments`).get();
-    expect(total?.n).toBe(0);
-  });
-  it('rotate (UPDATE path) does NOT touch the assignment set', () => {
-    // Operator may have deliberately revoked the auto-seeded assignment —
-    // a rotate must not re-seed it. The auto-seed is INSERT-only.
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    const id = putSecret('TOKEN', 'v1', { agent_group_id: 'A' });
-    expect(listAssignments(id)).toEqual(['A']);
-    // Operator revokes.
-    removeAssignment(id, 'A');
-    expect(listAssignments(id)).toEqual([]);
-    // Rotate plaintext — assignment set stays empty.
-    const id2 = putSecret('TOKEN', 'v2', { agent_group_id: 'A' });
-    expect(id2).toBe(id);
-    expect(listAssignments(id)).toEqual([]);
-  });
-  it('two scoped creates with different owners each seed their own row', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    seedAgentGroup(db, 'B', 'selective');
-    const aId = putSecret('TOKEN', 'va', { agent_group_id: 'A' });
-    const bId = putSecret('TOKEN', 'vb', { agent_group_id: 'B' });
-    expect(aId).not.toBe(bId);
-    expect(listAssignments(aId)).toEqual(['A']);
-    expect(listAssignments(bId)).toEqual(['B']);
-    // Each scoped create is visible only in its own group, never across.
-    expect(resolveInjectableSecrets('A').get('TOKEN')).toBe('va');
-    expect(resolveInjectableSecrets('B').get('TOKEN')).toBe('vb');
-  });
-});
-describe('secret assignments (selective mode)', () => {
-  it('round-trips: assignment to A injects into A, not B', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    seedAgentGroup(db, 'B', 'selective');
-    const secretId = putSecret('SHARED_KEY', 'top-secret');
-    addAssignment(secretId, 'A');
-    expect(resolveInjectableSecrets('A').get('SHARED_KEY')).toBe('top-secret');
-    expect(resolveInjectableSecrets('B').has('SHARED_KEY')).toBe(false);
-  });
-  it('list/replace/add/remove cycle', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A');
-    seedAgentGroup(db, 'B');
-    seedAgentGroup(db, 'C');
-    const id = putSecret('K', 'v');
-    expect(listAssignments(id)).toEqual([]);
-    replaceAssignments(id, ['A', 'B']);
-    expect(listAssignments(id)).toEqual(['A', 'B']);
-    addAssignment(id, 'C');
-    expect(listAssignments(id)).toEqual(['A', 'B', 'C']);
-    // re-add is a no-op (composite PK)
-    expect(addAssignment(id, 'C')).toBe(false);
-    removeAssignment(id, 'A');
-    expect(listAssignments(id)).toEqual(['B', 'C']);
-    replaceAssignments(id, []);
-    expect(listAssignments(id)).toEqual([]);
-  });
-  it('replaceAssignments throws on unknown secret', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    expect(() => replaceAssignments('does-not-exist', [])).toThrow(/secret not found/);
-  });
-  it('deleting a secret cascades its assignments', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A');
-    const id = putSecret('K', 'v');
-    addAssignment(id, 'A');
-    expect(listAssignments(id)).toEqual(['A']);
-    deleteSecret(id);
-    const remaining = db.prepare<{ n: number }>(`SELECT COUNT(*) AS n FROM secret_assignments`).get();
-    expect(remaining?.n).toBe(0);
-  });
-  it('selective group + assignment + scoped secret in mode=all peer group', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    seedAgentGroup(db, 'B', 'all');
-    // Global with explicit assignment to A only — A sees it via assignment,
-    // B sees its own scoped row instead (scoped wins on name collision).
-    const globalId = putSecret('TOKEN', 'shared-via-allowlist');
-    addAssignment(globalId, 'A');
-    putSecret('TOKEN', 'b-only', { agent_group_id: 'B' });
-    expect(resolveInjectableSecrets('A').get('TOKEN')).toBe('shared-via-allowlist');
-    expect(resolveInjectableSecrets('B').get('TOKEN')).toBe('b-only');
-  });
-});
-describe('findStaleSessionsForSecret', () => {
-  function seedSession(
-    db: ReturnType<typeof initTestDb>,
-    sessionId: string,
-    agentGroupId: string,
-    createdAt: string,
-    containerStatus: 'running' | 'idle' | 'stopped' = 'running',
-  ) {
-    db.prepare(
-      `INSERT INTO sessions
-         (id, agent_group_id, messaging_group_id, thread_id, agent_provider, status, container_status, last_active, created_at)
-       VALUES (?, ?, NULL, NULL, NULL, 'active', ?, NULL, ?)`,
-    ).run(sessionId, agentGroupId, containerStatus, createdAt);
-  }
-  function bumpSecretUpdatedAt(db: ReturnType<typeof initTestDb>, secretId: string, updatedAt: string) {
-    db.prepare(`UPDATE secrets SET updated_at = ? WHERE id = ?`).run(updatedAt, secretId);
-  }
-  it('returns sessions spawned before a global secret was updated, when assigned', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    // Session created at t=10
-    seedSession(db, 'sess-A', 'A', '2026-01-01T00:00:10.000Z');
-    // Global secret with assignment to A; secret updated at t=20 (after spawn)
-    const sid = putSecret('TOKEN', 'v');
-    addAssignment(sid, 'A');
-    bumpSecretUpdatedAt(db, sid, '2026-01-01T00:00:20.000Z');
-    const stale = findStaleSessionsForSecret(sid);
-    expect(stale).toHaveLength(1);
-    expect(stale[0].sessionId).toBe('sess-A');
-    expect(stale[0].agentGroupId).toBe('A');
-    expect(stale[0].secretUpdatedAt).toBe('2026-01-01T00:00:20.000Z');
-    expect(stale[0].sessionCreatedAt).toBe('2026-01-01T00:00:10.000Z');
-  });
-  it('skips sessions spawned AFTER the secret update', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    const sid = putSecret('TOKEN', 'v');
-    addAssignment(sid, 'A');
-    bumpSecretUpdatedAt(db, sid, '2026-01-01T00:00:10.000Z');
-    // Session spawned at t=20 — after the secret update — already has env.
-    seedSession(db, 'sess-A', 'A', '2026-01-01T00:00:20.000Z');
-    expect(findStaleSessionsForSecret(sid)).toEqual([]);
-  });
-  it('skips non-running sessions (idle and stopped)', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    const sid = putSecret('TOKEN', 'v');
-    bumpSecretUpdatedAt(db, sid, '2026-01-01T00:00:20.000Z');
-    seedSession(db, 'sess-running', 'A', '2026-01-01T00:00:10.000Z', 'running');
-    seedSession(db, 'sess-idle', 'A', '2026-01-01T00:00:10.000Z', 'idle');
-    seedSession(db, 'sess-stopped', 'A', '2026-01-01T00:00:10.000Z', 'stopped');
-    const stale = findStaleSessionsForSecret(sid);
-    expect(stale.map((s) => s.sessionId)).toEqual(['sess-running']);
-  });
-  it('skips groups that would not inject the global (selective + no assignment)', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    seedAgentGroup(db, 'B', 'selective');
-    const sid = putSecret('TOKEN', 'v');
-    addAssignment(sid, 'A'); // only A is assigned
-    bumpSecretUpdatedAt(db, sid, '2026-01-01T00:00:20.000Z');
-    seedSession(db, 'sess-A', 'A', '2026-01-01T00:00:10.000Z');
-    seedSession(db, 'sess-B', 'B', '2026-01-01T00:00:10.000Z');
-    const stale = findStaleSessionsForSecret(sid);
-    expect(stale.map((s) => s.sessionId)).toEqual(['sess-A']);
-  });
-  it('includes mode=all groups even without an explicit assignment', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    const sid = putSecret('TOKEN', 'v');
-    bumpSecretUpdatedAt(db, sid, '2026-01-01T00:00:20.000Z');
-    seedSession(db, 'sess-A', 'A', '2026-01-01T00:00:10.000Z');
-    expect(findStaleSessionsForSecret(sid).map((s) => s.sessionId)).toEqual(['sess-A']);
-  });
-  it('scoped secret only marks its own group stale', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    seedAgentGroup(db, 'B', 'all');
-    const sid = putSecret('TOKEN', 'v', { agent_group_id: 'A' });
-    bumpSecretUpdatedAt(db, sid, '2026-01-01T00:00:20.000Z');
-    seedSession(db, 'sess-A', 'A', '2026-01-01T00:00:10.000Z');
-    seedSession(db, 'sess-B', 'B', '2026-01-01T00:00:10.000Z');
-    expect(findStaleSessionsForSecret(sid).map((s) => s.sessionId)).toEqual(['sess-A']);
-  });
-  it('returns [] for a missing secret id', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    expect(findStaleSessionsForSecret('does-not-exist')).toEqual([]);
-  });
-});
-describe('getSecretById', () => {
-  it('returns the metadata row, never the value', () => {
-    const id = putSecret('NAME', 'plaintext');
-    const row = getSecretById(id);
-    expect(row?.id).toBe(id);
-    expect(row?.name).toBe('NAME');
-    expect(row).not.toHaveProperty('value_encrypted');
-  });
-  it('returns undefined for a missing id', () => {
-    expect(getSecretById('does-not-exist')).toBeUndefined();
-  });
-});
-describe('listInjectableSecretsForGroup', () => {
-  it('tags scoped, assigned, and global rows correctly', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    // Three inclusion paths:
-    //   SCOPED   — owned by group A
-    //   ASSIGNED — global, with explicit assignment row → A
-    //   GLOBAL   — global, included only because A is mode='all'
-    const scopedId = putSecret('SCOPED_TOKEN', 'v', { agent_group_id: 'A' });
-    const assignedId = putSecret('ASSIGNED_TOKEN', 'v');
-    addAssignment(assignedId, 'A');
-    const globalId = putSecret('GLOBAL_TOKEN', 'v');
-    const rows = listInjectableSecretsForGroup('A');
-    const byName = new Map(rows.map((r) => [r.name, r]));
-    expect(byName.get('SCOPED_TOKEN')?.scope).toBe('scoped');
-    expect(byName.get('SCOPED_TOKEN')?.id).toBe(scopedId);
-    expect(byName.get('ASSIGNED_TOKEN')?.scope).toBe('assigned');
-    expect(byName.get('ASSIGNED_TOKEN')?.id).toBe(assignedId);
-    expect(byName.get('GLOBAL_TOKEN')?.scope).toBe('global');
-    expect(byName.get('GLOBAL_TOKEN')?.id).toBe(globalId);
-  });
-  it('selective mode hides globals that have no assignment row', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'selective');
-    putSecret('UNREACHABLE_GLOBAL', 'v');
-    const assignedId = putSecret('ASSIGNED', 'v');
-    addAssignment(assignedId, 'A');
-    const rows = listInjectableSecretsForGroup('A');
-    expect(rows.map((r) => r.name).sort()).toEqual(['ASSIGNED']);
-    expect(rows[0].scope).toBe('assigned');
-  });
-  it('assignment row + mode=all → assigned wins (more specific wins)', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    const id = putSecret('SHARED', 'v');
-    addAssignment(id, 'A');
-    const rows = listInjectableSecretsForGroup('A');
-    expect(rows).toHaveLength(1);
-    expect(rows[0].scope).toBe('assigned');
-  });
-  it('on name collision, scoped row wins and reports scope=scoped', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    putSecret('TOKEN', 'global-v');
-    putSecret('TOKEN', 'scoped-v', { agent_group_id: 'A' });
-    const rows = listInjectableSecretsForGroup('A');
-    expect(rows).toHaveLength(1);
-    expect(rows[0].name).toBe('TOKEN');
-    expect(rows[0].scope).toBe('scoped');
-  });
-  it('returns an empty list for an unknown agent group', () => {
-    putSecret('GLOBAL', 'v');
-    expect(listInjectableSecretsForGroup('does-not-exist')).toEqual([]);
-  });
-  it('never carries the encrypted value', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    putSecret('K', 'super-secret');
-    const rows = listInjectableSecretsForGroup('A');
-    expect(rows[0]).not.toHaveProperty('value_encrypted');
-  });
-});
-describe('resolveInjectableSecrets ↔ listInjectableSecretsForGroup lockstep (paraclaw#129)', () => {
-  /**
-   * Mechanical guard against drift between the two SQL-identical functions in
-   * src/secrets/index.ts. Both walk identical row predicates + gate clauses;
-   * any future SQL edit must touch both. Today the invariant is preserved by
-   * careful reading + a load-bearing doc-comment. This block tests it.
-   *
-   * For each fixture, calls both functions and asserts:
-   *   - same set of names (the row gate matches)
-   *   - per-name plaintext from resolveInjectableSecrets matches the value
-   *     getSecret returns when scoped to the same group (the dedup-by-name
-   *     `ORDER BY s.agent_group_id IS NULL` scoped-wins ordering matches)
-   *
-   * If a future SQL change makes one function accept a row the other rejects,
-   * the name-set assertion fails. If the ORDER BY drifts so dedup picks the
-   * wrong row on collision, the per-name plaintext assertion fails.
-   */
-  function expectLockstep(agentGroupId: string, expectedNames: string[]): void {
-    const resolved = resolveInjectableSecrets(agentGroupId);
-    const listed = listInjectableSecretsForGroup(agentGroupId);
-    const sortedExpected = expectedNames.slice().sort();
-    expect([...resolved.keys()].sort()).toEqual(sortedExpected);
-    expect(listed.map((r) => r.name).sort()).toEqual(sortedExpected);
-    for (const view of listed) {
-      expect(resolved.get(view.name)).toBe(getSecret(view.name, agentGroupId));
-    }
-  }
-  it('rich mix: scoped+all + global+assigned + global+mode=all + name collision', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'A', 'all');
-    putSecret('SCOPED_ONLY', 'sv', { agent_group_id: 'A' });
-    const assignedId = putSecret('GLOBAL_ASSIGNED', 'gv-assigned');
-    addAssignment(assignedId, 'A');
-    putSecret('GLOBAL_MODE_ALL', 'gv-mode-all');
-    putSecret('TOKEN', 'global-token');
-    putSecret('TOKEN', 'scoped-token', { agent_group_id: 'A' });
-    expectLockstep('A', ['SCOPED_ONLY', 'GLOBAL_ASSIGNED', 'GLOBAL_MODE_ALL', 'TOKEN']);
-    // Spot-check the collision picked the scoped row in BOTH views.
-    expect(resolveInjectableSecrets('A').get('TOKEN')).toBe('scoped-token');
-    expect(listInjectableSecretsForGroup('A').find((r) => r.name === 'TOKEN')?.scope).toBe('scoped');
-  });
-  it('mode=selective: mixed reachable + unreachable globals + scoped-with-assignment', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'B', 'selective');
-    putSecret('UNREACHABLE_GLOBAL', 'gv'); // mode=selective + no assignment → excluded
-    const reachableId = putSecret('REACHABLE', 'gv2');
-    addAssignment(reachableId, 'B');
-    const scopedAssignedId = putSecret('SCOPED_AND_ASSIGNED', 'sv', { agent_group_id: 'B' });
-    addAssignment(scopedAssignedId, 'B');
-    expectLockstep('B', ['REACHABLE', 'SCOPED_AND_ASSIGNED']);
-  });
-  it('orphaned-scoped (selective + scoped + no assignment): both exclude', () => {
-    // The "structurally unreachable via putSecret" config — selective mode +
-    // scoped secret + no assignment row. paraclaw#127 closed the create path
-    // (putSecret auto-seeds the matching assignment), so to exercise the
-    // shared gate `(g.secret_mode='all' OR a.secret_id IS NOT NULL)` we
-    // construct the orphan directly. If a future SQL change makes one of the
-    // two functions accept it, this catches the drift.
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'C', 'selective');
-    db.prepare(
-      `INSERT INTO secrets (id, name, value_encrypted, kind, agent_group_id, created_at, updated_at)
-         VALUES ('orphan-id', 'ORPHAN', 'ct', 'generic', 'C', datetime('now'), datetime('now'))`,
-    ).run();
-    expectLockstep('C', []);
-  });
-  it('unknown agent_group_id: both return empty (selective default)', () => {
-    putSecret('GLOBAL', 'v');
-    expectLockstep('does-not-exist', []);
-  });
-  it('empty secret store + mode=all: both return empty', () => {
-    const db = initTestDb();
-    runMigrations(db);
-    _setMasterKeyForTest(crypto.randomBytes(32));
-    seedAgentGroup(db, 'D', 'all');
-    expectLockstep('D', []);
-  });
-});