@openparachute/agent 0.1.2 → 0.2.2

package/.claude/skills/x-integration/scripts/retweet.ts

@@ -1,62 +0,0 @@
-#!/usr/bin/env pnpm exec tsx
-/**
- * X Integration - Retweet
- * Usage: echo '{"tweetUrl":"https://x.com/user/status/123"}' | pnpm exec tsx retweet.ts
- */
-
-import { getBrowserContext, navigateToTweet, runScript, config, ScriptResult } from '../lib/browser.js';
-
-interface RetweetInput {
-  tweetUrl: string;
-}
-
-async function retweet(input: RetweetInput): Promise<ScriptResult> {
-  const { tweetUrl } = input;
-
-  if (!tweetUrl) {
-    return { success: false, message: 'Please provide a tweet URL' };
-  }
-
-  let context = null;
-  try {
-    context = await getBrowserContext();
-    const { page, success, error } = await navigateToTweet(context, tweetUrl);
-
-    if (!success) {
-      return { success: false, message: error || 'Navigation failed' };
-    }
-
-    const tweet = page.locator('article[data-testid="tweet"]').first();
-    const unretweetButton = tweet.locator('[data-testid="unretweet"]');
-    const retweetButton = tweet.locator('[data-testid="retweet"]');
-
-    // Check if already retweeted
-    const alreadyRetweeted = await unretweetButton.isVisible().catch(() => false);
-    if (alreadyRetweeted) {
-      return { success: true, message: 'Tweet already retweeted' };
-    }
-
-    await retweetButton.waitFor({ timeout: config.timeouts.elementWait });
-    await retweetButton.click();
-    await page.waitForTimeout(config.timeouts.afterClick);
-
-    // Click retweet confirm option
-    const retweetConfirm = page.locator('[data-testid="retweetConfirm"]');
-    await retweetConfirm.waitFor({ timeout: config.timeouts.elementWait });
-    await retweetConfirm.click();
-    await page.waitForTimeout(config.timeouts.afterClick * 2);
-
-    // Verify
-    const nowRetweeted = await unretweetButton.isVisible().catch(() => false);
-    if (nowRetweeted) {
-      return { success: true, message: 'Retweet successful' };
-    }
-
-    return { success: false, message: 'Retweet action completed but could not verify success' };
-
-  } finally {
-    if (context) await context.close();
-  }
-}
-
-runScript<RetweetInput>(retweet);

package/.claude/skills/x-integration/scripts/setup.ts

@@ -1,87 +0,0 @@
-#!/usr/bin/env pnpm exec tsx
-/**
- * X Integration - Authentication Setup
- * Usage: pnpm exec tsx setup.ts
- *
- * Interactive script - opens browser for manual login
- */
-
-import { chromium } from 'playwright';
-import * as readline from 'readline';
-import fs from 'fs';
-import path from 'path';
-import { config, cleanupLockFiles } from '../lib/browser.js';
-
-async function setup(): Promise<void> {
-  console.log('=== X (Twitter) Authentication Setup ===\n');
-  console.log('This will open Chrome for you to log in to X.');
-  console.log('Your login session will be saved for automated interactions.\n');
-  console.log(`Chrome path: ${config.chromePath}`);
-  console.log(`Profile dir: ${config.browserDataDir}\n`);
-
-  // Ensure directories exist
-  fs.mkdirSync(path.dirname(config.authPath), { recursive: true });
-  fs.mkdirSync(config.browserDataDir, { recursive: true });
-
-  cleanupLockFiles();
-
-  console.log('Launching browser...\n');
-
-  const context = await chromium.launchPersistentContext(config.browserDataDir, {
-    executablePath: config.chromePath,
-    headless: false,
-    viewport: config.viewport,
-    args: config.chromeArgs.slice(0, 3), // Use first 3 args for setup (less restrictive)
-    ignoreDefaultArgs: config.chromeIgnoreDefaultArgs,
-  });
-
-  const page = context.pages()[0] || await context.newPage();
-
-  // Navigate to login page
-  await page.goto('https://x.com/login');
-
-  console.log('Please log in to X in the browser window.');
-  console.log('After you see your home feed, come back here and press Enter.\n');
-
-  // Wait for user to complete login
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout
-  });
-
-  await new Promise<void>(resolve => {
-    rl.question('Press Enter when logged in... ', () => {
-      rl.close();
-      resolve();
-    });
-  });
-
-  // Verify login by navigating to home and checking for account button
-  console.log('\nVerifying login status...');
-  await page.goto('https://x.com/home');
-  await page.waitForTimeout(config.timeouts.pageLoad);
-
-  const isLoggedIn = await page.locator('[data-testid="SideNav_AccountSwitcher_Button"]').isVisible().catch(() => false);
-
-  if (isLoggedIn) {
-    // Save auth marker
-    fs.writeFileSync(config.authPath, JSON.stringify({
-      authenticated: true,
-      timestamp: new Date().toISOString()
-    }, null, 2));
-
-    console.log('\n✅ Authentication successful!');
-    console.log(`Session saved to: ${config.browserDataDir}`);
-    console.log('\nYou can now use X integration features.');
-  } else {
-    console.log('\n❌ Could not verify login status.');
-    console.log('Please try again and make sure you are logged in to X.');
-  }
-
-  await context.close();
-}
-
-setup().catch(err => {
-  console.error('Setup failed:', err.message);
-  process.exit(1);
-});

package/.github/CODEOWNERS

@@ -1,10 +0,0 @@
-# Core code - maintainer only
-/src/ @gavrielc @gabi-simons
-/container/ @gavrielc @gabi-simons
-/groups/ @gavrielc @gabi-simons
-/launchd/ @gavrielc @gabi-simons
-/package.json @gavrielc @gabi-simons
-/package-lock.json @gavrielc @gabi-simons
-
-# Skills - open to contributors
-/.claude/skills/

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +0,0 @@
-<!-- contributing-guide: v1 -->
-## Type of Change
-
-- [ ] **Feature skill** - adds a channel or integration (source code changes + SKILL.md)
-- [ ] **Utility skill** - adds a standalone tool (code files in `.claude/skills/<name>/`, no source changes)
-- [ ] **Operational/container skill** - adds a workflow or agent skill (SKILL.md only, no source changes)
-- [ ] **Fix** - bug fix or security fix to source code
-- [ ] **Simplification** - reduces or simplifies source code
-- [ ] **Documentation** - docs, README, or CONTRIBUTING changes only
-
-## Description
-
-
-## For Skills
-
-- [ ] SKILL.md contains instructions, not inline code (code goes in separate files)
-- [ ] SKILL.md is under 500 lines
-- [ ] I tested this skill on a fresh clone

package/.github/workflows/bump-version.yml

@@ -1,35 +0,0 @@
-name: Bump version
-
-on:
-  push:
-    branches: [main]
-    paths: ['src/**', 'container/**']
-
-jobs:
-  bump-version:
-    if: github.repository == 'qwibitai/nanoclaw'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-
-      - uses: pnpm/action-setup@v4
-
-      - name: Bump patch version
-        run: |
-          pnpm version patch --no-git-tag-version
-          git add package.json
-          git diff --cached --quiet && exit 0
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          VERSION=$(node -p "require('./package.json').version")
-          git commit -m "chore: bump version to $VERSION"
-          git pull --rebase
-          git push

package/.github/workflows/ci.yml

@@ -1,39 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches: [main]
-
-jobs:
-  ci:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: pnpm
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.12
-      - run: pnpm install --frozen-lockfile
-      - name: Install agent-runner deps (Bun)
-        working-directory: container/agent-runner
-        run: bun install --frozen-lockfile
-
-      - name: Format check
-        run: pnpm run format:check
-
-      - name: Typecheck host
-        run: pnpm exec tsc --noEmit
-
-      - name: Typecheck container
-        run: pnpm exec tsc -p container/agent-runner/tsconfig.json --noEmit
-
-      - name: Host tests
-        run: pnpm exec vitest run
-
-      - name: Container tests
-        working-directory: container/agent-runner
-        run: bun test

package/.github/workflows/label-pr.yml

@@ -1,40 +0,0 @@
-name: Label PR
-
-# SECURITY: this workflow runs with write access to the base repo on fork PRs,
-# because `pull_request_target` executes in the context of the base branch.
-# Keep it metadata-only — do NOT add actions/checkout or any step that
-# executes PR-supplied content (install scripts, build commands, etc.).
-# See https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
-on:
-  pull_request_target:
-    types: [opened, edited]
-
-jobs:
-  label:
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    steps:
-      - uses: actions/github-script@v7
-        with:
-          script: |
-            const body = context.payload.pull_request.body || '';
-            const labels = [];
-
-            if (body.includes('[x] **Feature skill**'))       { labels.push('PR: Skill'); labels.push('PR: Feature'); }
-            else if (body.includes('[x] **Utility skill**'))   labels.push('PR: Skill');
-            else if (body.includes('[x] **Operational/container skill**')) labels.push('PR: Skill');
-            else if (body.includes('[x] **Fix**'))             labels.push('PR: Fix');
-            else if (body.includes('[x] **Simplification**'))  labels.push('PR: Refactor');
-            else if (body.includes('[x] **Documentation**'))   labels.push('PR: Docs');
-
-            if (body.includes('contributing-guide: v1')) labels.push('follows-guidelines');
-
-            if (labels.length > 0) {
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.payload.pull_request.number,
-                labels,
-              });
-            }

package/.github/workflows/update-tokens.yml

@@ -1,43 +0,0 @@
-name: Update token count
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [main]
-    paths: ['src/**', 'container/**', 'launchd/**', 'CLAUDE.md']
-
-jobs:
-  update-tokens:
-    if: github.repository == 'qwibitai/nanoclaw'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-
-      - uses: ./repo-tokens
-        id: tokens
-        with:
-          include: 'src/**/*.ts container/agent-runner/src/**/*.ts container/Dockerfile container/build.sh launchd/com.nanoclaw.plist CLAUDE.md'
-          exclude: 'src/**/*.test.ts'
-          badge-path: 'repo-tokens/badge.svg'
-
-      - name: Commit if changed
-        run: |
-          git add README.md repo-tokens/badge.svg
-          git diff --cached --quiet && exit 0
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git commit -m "docs: update token count to ${{ steps.tokens.outputs.badge }}"
-          git pull --rebase
-          git push

package/.husky/pre-commit

@@ -1 +0,0 @@
-pnpm run format:fix

package/.mcp.json

@@ -1,3 +0,0 @@
-{
-  "mcpServers": {}
-}

package/.nvmrc

@@ -1 +0,0 @@
-22

package/.prettierrc

@@ -1,4 +0,0 @@
-{
-  "singleQuote": true,
-  "printWidth": 120
-}

package/CHANGELOG.md

@@ -1,263 +0,0 @@
-# Changelog
-
-All notable changes to parachute-agent will be documented in this file.
-
-## [0.1.2] - 2026-05-05
-
-The first patch series after the 0.1.0 paraclaw → parachute-agent rename. Fourteen iterative cuts (rc.1 through rc.14) collapsed into one stable. No operator action required: every change is either a transparent fix, an additive UI affordance, or a behind-the-scenes test addition.
-
-### Fixed
-
-- **Master-key migration: detect the both-exist split-state explicitly.** `migrateMasterKeyLocation` previously silent-no-op'd when both `<PARACHUTE_DIR>/claw/master.key` and `<PARACHUTE_DIR>/agent/master.key` existed — masking the case where an earlier 0.1.x boot generated a fresh key at the new path before the legacy was copied (so encrypted secrets sealed under the legacy key became undecryptable). The function now logs a `warn` with both paths and copy-pasteable recovery commands. Standalone scripts (`init-cli-agent`, `init-first-agent`, `seed-discord`) that ran `migrateCentralDbLocation` now also run `migrateMasterKeyLocation` before opening the DB, so a script-driven first touch no longer skips the key copy. Also: SPA browser title `<title>Paraclaw</title>` → `<title>Parachute Agent</title>` and two stale GitHub repo links pointing at the renamed-from `paraclaw` URL — small follow-ups to the 0.1.0 brand sweep that landed in the same cut.
-
-- **Auto-retag the per-install container image when `INSTALL_SLUG` shifts (paraclaw#114).** `INSTALL_SLUG = sha1(process.cwd())[:8]`, so an operator dir-rename (the trigger that exposed this: `mv paraclaw parachute-agent`) flips the slug. Previously-built images carried the old slug; new container spawns went out under the new slug; `docker run` returned `code=125` ("image not found") and every Telegram message produced a silent crashloop. New `ensureContainerImage()` step at boot detects the mismatch and `docker tag`s any `parachute-agent-image-<peer-slug>:latest` it finds onto the expected name. Pre-0.1.0 `paraclaw-agent-<slug>:latest` peers also match (one cycle of compat). When no peer is on disk, the daemon now fails visibly at startup with an actionable error instead of crashlooping silently.
-
-- **Inbound: extract attachment files only after the row commits (paraclaw#96).** `writeSessionMessage` previously decoded base64 attachments and wrote files to `inbox/<messageId>/` *before* `INSERT … ON CONFLICT(id) DO NOTHING` returned. Once duplicate dispatch became a warm code path (sender-approval replay, Telegram getUpdates retry, chat-sdk re-emit), a replay carrying the same `messages_in.id` but mutated bytes silently clobbered the on-disk file under the original message id while the DB row stayed unchanged — divergent state with no audit trail. Reordered: insert with raw inline-base64 content, check `inserted`, and only when `inserted === true` extract files and `UPDATE messages_in SET content = ?` with the path-replaced form. Disk state now stays strictly downstream of the row commit.
-
-- **Wire-side `senderScope` vocabulary clash (paraclaw#94).** The wire vocab `'allowlist' | 'all'` shared the literal `'all'` with the DB-side `'all' | 'known'` — both meant "no sender filter", but the literal collision meant a grep-based rename of either side would silently break translation without a compile error. Renamed wire-side `'all'` → `'unrestricted'` so the two unions are now literal-disjoint; DB schema untouched (no migration). Touchpoints: HTTP + MCP translators, MCP `update-channel-wire` schema enum (now `['allowlist', 'unrestricted']`), `web/ui/src/lib/api.ts:SenderScope`, and the dropdown copy in `ChannelWireDetail.tsx`. Plus a defensive validation gate on the MCP handler — the SDK does not enforce `inputSchema` against `tools/call` arguments, so a stale-schema client sending the legacy `senderScope: 'all'` (or `ignoredMessagePolicy: 'accumulate'`, or a typo'd `engageMode`) would previously land past the rename gate, never match any branch, and silently no-op. Now explicitly rejected with a diagnostic error. **Breaking change to the API/MCP wire vocabulary** — pre-1.0, no operator-data risk.
-
-- **Mount-security imports `HOME_DIR` from `src/config.ts` (paraclaw#99).** `expandPath` in `src/modules/mount-security/index.ts` previously called `process.env.HOME || os.homedir()` directly — the only remaining offender after the rest of the host's HOME-derived paths routed through `config.ts`. Now imports the canonical `HOME_DIR`, so a future precedence-rule refactor (e.g. add a `PARACHUTE_AGENT_HOME` override) is one edit upstream. Default behavior unchanged. Mount-allowlist's on-disk location intentionally stays at `<HOME>/.config/parachute-agent/` (operator-host policy, not per-install runtime state) — pinned with a regression test.
-
-- **`putSecret` auto-seeds the owner assignment for scoped creates (paraclaw#127).** The default `agent_groups.secret_mode` is `selective` (migration 023). Before this fix, `putSecret(name, value, { agent_group_id })` inserted the `secrets` row without writing the matching `secret_assignments` row — leaving the row silently invisible to `resolveInjectableSecrets` (which gates on `secret_mode='all' OR assignment row exists`). The "+ New secret" → CredentialForm "free" mode in the SPA called only `putSecret` with no follow-up `setSecretAssignments`, so the standard create flow produced orphan rows whose values would never reach the agent container. Fix: `putSecret` writes the (id, owning_group) assignment row in the same transaction on INSERT (idempotent via `ON CONFLICT … DO NOTHING`); UPDATE/rotate leaves the assignment set alone (operator may have deliberately revoked an assignment, and a value rotation must not undo that).
-
-- **SPA OAuth bootstrap — three narrowing fixes (paraclaw#136, #137, #138).** (1) Drop `vault:read vault:write` from `REQUESTED_SCOPES` — the agent SPA is self-contained, every vault flow already runs the per-vault re-consent pattern (`vault:<name>:admin` via `extraScopes`), so the broad bootstrap scopes were dead weight on the consent screen ("this app wants to read/write all your vaults" — wrong story for an SPA whose vault touches are narrowly per-vault and on-demand). (2) Regression-pin OAuth `client_name` in the registerClient body — the hub renders this string verbatim on its DCR consent screen; the 0.1.0 brand sweep renamed it from `Paraclaw web UI` to `Parachute Agent web UI`, this pins the wire-level test. (3) Re-register OAuth client when `redirect_uri` changes — the hub binds each DCR `client_id` to the redirect_uri it registered with; if the SPA's mount path changes (operator flips `PARACHUTE_AGENT_WEB_MOUNT` from `/claw/` → `/agent/`, or any custom remount), the cached client_id stops matching and `/oauth/authorize` errors out before the consent screen. Extended `ClientRecord` to `{ client_id, redirect_uri }`, compare in `ensureClient`, treat mismatch (or legacy missing-field record) as cache miss → re-register. Legacy records self-heal on first 0.1.x reload.
-
-### Changed
-
-- **`services.json` self-registers `installDir` (paraclaw#115).** The agent's startup self-registration into `~/.parachute/services.json` now includes `installDir: process.cwd()` alongside the existing `name`/`port`/`paths`/`health`/`version` fields. Without it, hub's third-party-module lifecycle resolution (parachute-hub#84) couldn't locate the start command for `parachute restart agent` — the agent had a `.parachute/module.json` with `startCmd`, but hub needed `installDir` to know which checkout to drive.
-
-- **GroupDetail "Secrets" panel — what the agent will receive at next session spawn (paraclaw#104).** `/agent/groups/:folder` now surfaces a read-only Secrets section showing the same set `resolveInjectableSecrets()` would inject into a new container, with three scope badges that explain *why* each row is included: `scoped` (owned by this group), `assigned` (global with explicit assignment row), `global` (global reaching the group only because `secret_mode='all'`). On a name collision the scoped row wins and reports `scoped`, mirroring the host's resolution rule. Click-through routes to `/secrets?edit=<id>` with a deep-link param for SecretEditor. New `GET /api/groups/:folder/secrets` endpoint (scope `agent:read`) — metadata only, never decrypts. Empty state distinguishes between mode='selective' (reads as "by design") and mode='all' (suggests creating a secret).
-
-- **GroupDetail Secrets section — Retry button on error state (paraclaw#128).** Mirrors the existing AgentProviderSection pattern: the error banner now renders a Retry button bound to the same fetch callback so operators don't have to navigate away after a transient API failure.
-
-- **Channel-wire translator extracted into a single shared module (paraclaw#123).** `src/web/routes/channels.ts` and `src/mcp/tools/channels.ts` each maintained their own copy of the `Api*` types, the `VALID_API_*` enum arrays, the `dbToApi*` translator pair, and the `ChannelWireView` shape. That duplication was the structural drift hazard paraclaw#94 surfaced concretely. Lifted everything into `src/channels/api-translator.ts`; the HTTP route file now owns only the transport layer, the MCP file only the tool-def plumbing. A future enum change touches one file and both surfaces pick it up automatically. (Behavioral side note: the inline MCP handler used to silently *drop* `engagePattern='.'` because the DB sentinel for `engageMode='all'` would round-trip back as `'all'` on the next read; the shared validator now hard-rejects that input identically on both surfaces. Use `'\\.'` to match a literal dot.)
-
-- **Depersonalize test fixtures + comments.** Removed a real install-slug (`16f7e9e8`, the sha1 prefix of one operator's specific path) that had snuck into `src/container-runtime.test.ts` peer-image fixtures, plus a comment in `src/container-runtime.ts` that named the specific `mv` command from one operator's environment. Codebase should be operator-agnostic. Replaced with synthetic `cafef00d`. No behavior change.
-
-### Tests
-
-- **Integration coverage for `writeSessionMessage` dup-skip + sender-approval replay (paraclaw#97).** The unit test added with #95 proved `insertMessage` returns `inserted=false` on a duplicate id, but the write-path side effects layered above it were never asserted at the integration level. New `src/session-manager.dup-skip.test.ts` (4 tests using real session DBs and real fs: dup dispatch doesn't bump `sessions.last_active`, log payload shape, N-concurrent same-id absorption to one row + one inbox file, distinct ids in the same burst still land), plus 2 new tests in `src/modules/permissions/sender-approval.test.ts` exercising the approval-replay chain end-to-end (file at `inbox/<id>:<agentGroupId>/photo.jpg`, byte-preserved on `original_message` mutation under accumulate-mode wiring). Stash-and-rerun confirmed both regression tests catch the underlying #92/#95/#96 bugs.
-
-- **Parallel-equality lockstep guard for `resolveInjectableSecrets ↔ listInjectableSecretsForGroup` (paraclaw#129).** The two functions in `src/secrets/index.ts` are SQL-identical mirrors with a load-bearing doc-comment requiring lockstep edits — previously preserved only by careful reading and a #126-era reviewer note. Adds a `describe('… lockstep …')` block with an `expectLockstep` helper that calls both functions, asserts name-set equality, and walks each name through `getSecret` to verify the chosen row id (the `ORDER BY s.agent_group_id IS NULL` scoped-wins ordering) agrees with the plaintext returned. Five fixtures cover the rich-mix (scoped+all + global+assigned + global+mode=all + name collision), mode=selective, the orphaned-scoped corner, the unknown-agent-group selective-default path, and an empty store. Mechanical guard, no production code change.
-
----
-
-For per-rc commit-level detail of the 0.1.2 patch series, see `git log v0.1.1..v0.1.2 -- src/ web/ui/src/` or the merged PRs (#113 through #139).
-
-## [0.1.1] - 2026-05-05
-
-### Changed
-
-- **License.** parachute-agent now declares **AGPL-3.0** in `package.json` and `LICENSE`, matching the rest of the Parachute ecosystem (vault, hub, scribe, notes). The original NanoClaw MIT license is preserved verbatim as `LICENSE-NANOCLAW-MIT` to honor the upstream copyright (Copyright (c) 2026 Gavriel — https://github.com/qwibitai/nanoclaw). Modifications and the combined work are AGPL-3.0; the original NanoClaw code remains MIT-licensed and obtainable from the upstream project. Resolves the npm "Proprietary" display that came from the missing `license` field at 0.1.0.
-
-## [0.1.0] - 2026-05-05
-
-Renamed paraclaw → **parachute-agent**, joining the Parachute ecosystem's named-after-purpose convention (vault, notes, scribe, hub). The name on disk, in the npm registry, on the mount path, and on the wire all change. Operator data migrates automatically on first boot; tokens, container labels, and module manifests carry one cycle of back-compat.
-
-- **npm package.** `paraclaw` → `@openparachute/agent`. The `parachute-agent` bin wraps the same entry point.
-- **`.parachute/module.json` `name`** → `parachute-agent`. The hub picks up the new identifier from the manifest; old installs that re-pull will see the rename without intervention.
-- **Mount path.** `/claw/*` → `/agent/*`. Hub-fronted UI lives under `/agent/`. The SPA derives its mount from `import.meta.env.BASE_URL`, so the same bundle works at any prefix. **No 301 redirect** — hard cut. Re-bookmark.
-- **Data dir.** `~/.parachute/claw/{paraclaw.db,master.key}` → `~/.parachute/agent/{agent.db,master.key}`. **Auto-migrated on startup** the first time 0.1.x boots: the legacy file copies to the new path with mode 0600, and the legacy file is left in place as a manual-rm backup. Honors `PARACHUTE_HOME`. Both legacies (pre-0.0.6 in-tree `data/v2.db` and pre-0.1.0 `~/.parachute/claw/paraclaw.db`) are preferred over an absent current; if both exist, the paraclaw-era file wins.
-- **Container labels.** Spawn label is now `parachute-agent-install=<slug>`. Cleanup reaps both the new label and the legacy `paraclaw-install=<slug>` label for one upgrade cycle, so a 0.1.x host coming up against pre-0.1.0 orphan containers cleans them up correctly. **Drop `paraclaw-install` compat in 0.2.0** (tracked as a follow-up issue).
-- **Container image tag.** `paraclaw-agent-<slug>:latest` → `parachute-agent-image-<slug>:latest`. `container/build.sh` produces the new tag; `container-runner` spawns from it. The `-image-` infix avoids colliding with the npm package name.
-- **MCP scope strings + symbols.** Wire scopes are `agent:read|write|admin` (was `claw:*`). Hub-issued JWTs carrying legacy `claw:*` grants still pass — they normalize to their `agent:*` equivalents inside `hasScope` and `pickEffectiveScope`. **Drop `claw:*` normalization in 0.2.0.** TS symbols renamed: `ClawScope` → `AgentScope`; `SCOPE_CLAW_*` → `SCOPE_AGENT_*`.
-- **MCP server name.** `paraclaw` → `parachute-agent`. Tools advertise as `mcp__parachute_agent__<verb>-<noun>` to clients. Renamed in three places that all need to agree: the host-side stdio entrypoint (operator wires this into Claude Code via `claude mcp add parachute-agent …`), the host-side HTTP `/mcp` endpoint, and the container-side built-in MCP server that the in-container agent calls. **⚠ Operator action**: restart any active sessions on first boot — existing in-flight sessions have message history referencing `mcp__paraclaw__*` tool calls and need a fresh container to pick up the new tool prefix. New tool calls in restarted sessions use the new prefix; the historical log entries stay (they're conversation history, not tool routing). Closes paraclaw#110.
-- **Service registry.** `services-manifest` displayName `Paraclaw` → `Parachute Agent`; service identifiers (`parachute-agent-web-server`) and the `name: 'agent'` route entry follow.
-- **launchd / systemd.** No service-file generator changes in this PR — service install is now owned by the hub install path. Operators on existing installs who still have the old `computer.parachute.claw-<slug>.plist` / `paraclaw-<slug>.service` units will continue to work; re-running the hub installer rewrites them with the new label/unit name.
-
-### Operator migration steps (existing installs)
-
-1. **Stop the daemon** (so the migration sees a quiescent state):
-   - macOS: `launchctl unload ~/Library/LaunchAgents/computer.parachute.claw-<slug>.plist`
-   - Linux: `systemctl --user stop paraclaw-<slug>`
-2. **Pull the rename**: `git pull --ff-only` on the install dir, then `pnpm install` (the `postinstall` hook rebuilds the SPA bundle).
-3. **Start the daemon**. On first boot, you'll see one or both of these log lines once and only once:
-   ```
-   Central DB migrated from legacy location  from=…/paraclaw.db  to=…/agent.db
-   Master key migrated from legacy location   from=…/claw/master.key  to=…/agent/master.key
-   ```
-4. **Verify** via the web UI at the new mount: `/agent/` (was `/claw/`).
-5. **Re-register the MCP server** in any Claude Code (or other MCP client) configs. The stdio entrypoint hasn't moved, but the server name has — old `claude mcp add paraclaw …` registrations keep pointing at the old name and tools advertise as `mcp__paraclaw__*` instead of `mcp__parachute_agent__*`:
-   ```sh
-   claude mcp remove paraclaw
-   claude mcp add parachute-agent bun /path/to/install/src/mcp/stdio.ts
-   ```
-6. **Cleanup (optional)**: once you've verified the new install boots and decrypts secrets, delete the legacy backups: `rm ~/.parachute/claw/paraclaw.db ~/.parachute/claw/master.key && rmdir ~/.parachute/claw`.
-
-Browser sessions auto-migrate the SPA's `paraclaw.*` localStorage / sessionStorage keys (cached OAuth discovery, DCR client_id, tokens, in-flight flow state, setup-wizard resume state) to `parachute-agent.*` on first reload after the upgrade — no manual action required.
-
-- **Log filenames.** `logs/paraclaw.log` + `logs/paraclaw.error.log` → `logs/parachute-agent.log` + `logs/parachute-agent.error.log`. **Auto-renamed on first 0.1.0 boot** so historical entries stay accessible under the new name. The supervisor (launchd plist / systemd unit) is what routes the *live* daemon's stdout/stderr — until the operator re-runs `parachute install parachute-agent` to regenerate the unit, new entries continue landing in `paraclaw.log` (recreated by the supervisor after the rename) and the next supervisor-driven respawn opens it fresh. Once the unit is regenerated, subsequent boots write to `parachute-agent.log` directly. Operators tailing the new path see migrated history immediately; live writes follow on the next install-run.
-- **Env var prefix.** `PARACLAW_*` → `PARACHUTE_AGENT_*` (six vars: `_HUB_ORIGIN`, `_WEB_PORT`, `_WEB_BIND`, `_WEB_MOUNT`, `_WEB_ORIGIN`, `_CENTRAL_DB_PATH`). Each callsite reads the new name first, falls back to the legacy `PARACLAW_*` name if only that's set, and emits a one-shot deprecation warning per legacy name read. Operators can update their `.env` files at their leisure through 0.1.x; the legacy compat-read drops in 0.2.0. The Vite type declaration `VITE_PARACLAW_WEB_SERVER_URL` is also renamed to `VITE_PARACHUTE_AGENT_WEB_SERVER_URL` (the SPA doesn't read the value — it's a leftover declaration), no operator action needed.
-- **Allowlist directory.** `~/.config/paraclaw/{mount,sender}-allowlist.json` → `~/.config/parachute-agent/{mount,sender}-allowlist.json`. **Auto-moved on first 0.1.0 boot**: the legacy directory is left in place (operators may have stashed unrelated files there) but each known allowlist file is renamed to the new dir if the new path is absent. If both exist (e.g. operator pre-populated the new dir before upgrading), the new file wins and the legacy orphan is left for the operator to `rm`. Drop the auto-move in 0.2.0.
-- **Vault token-label default.** Fresh mints from the web UI's attach-vault flow and the new-group wizard now default to `agent-<folder>` (was `claw-<folder>`). Existing operator-typed labels keep working — the label is opaque to the vault, so prior `claw-<folder>` tokens continue to authenticate. Operators who want consistency can re-mint via the vault tokens UI. Reverses the parachute-agent#108 §2 deliberation in favor of brand consistency at the 0.1.0-stable cut.
-- **HKDF info strings — intentionally NOT renamed.** Five HKDF info constants (`paraclaw.secrets.v1`, `paraclaw.oauth.{client,access,refresh}.v1`, `paraclaw.provider-credentials.v1`) keep the `paraclaw.` prefix forever. They're cryptographic domain separators mixed into key derivation, not user-facing strings — renaming them would derive a different key and render every existing ciphertext row (secrets, OAuth tokens, provider credentials) undecryptable. Documented at each constant-definition site so a future brand sweep knows to skip these five lines. No operator action.
-
-## [Unreleased]
-
-Hard fork from NanoClaw v2. Paraclaw is now its own service: single Bun process (host + web merged), native AES-GCM secrets layer, channels inlined permanently, skills system retired, capability card published at `/.well-known/parachute.json`. OneCLI is no longer a dependency.
-
-- **Schema relocate.** Central DB moved to `~/.parachute/claw/paraclaw.db`. Per-session two-file split (`inbound.db` + `outbound.db`) preserved — empirically validated as the only safe shape across Docker bind-mounts.
-- **Native secrets.** Master key at `~/.parachute/claw/master.key` (32 bytes, mode 0600), AES-256-GCM with HKDF domain separation per subsystem, redacted error messages. Migration 015 drops the vestigial `host_pattern` column.
-- **Web UI** ships native pages for paraclaw primitives: `/secrets`, `/approvals`, `/sessions`, `/channels`. Wizard's credential-capture step removed (replaced by `/secrets`).
-- **Lifecycle.** Install via `parachute install paraclaw`; start runs `bun src/index.ts`. Module manifest at `.parachute/module.json`.
-- **fix(secrets):** per-secret mode radio for global secrets was a silent UI illusion (paraclaw#9-era migration moved mode to `agent_groups.secret_mode`). Globals now hide the radio with explainer; scoped secrets reframe the radio as `<group> accepts: [all in-scope | only assigned]`, surfacing the per-group nature of the setting.
-- **feat(secrets):** post-save staleness banner detects running containers spawned before the secret update + per-session `[Restart]` + `Restart all N`. Calls existing `closeSession`; next inbound message respawns fresh with new env. New `GET /api/secrets/:id/stale-sessions` (claw:read).
-- **feat(GroupDetail):** per-session `[Restart]` button on the Live status list + inline help on the spawn-time env model — operators can restart any running container without leaving the agent group page, for code/env/agent-provider changes too, not just secrets.
-
-## [2.0.0] - 2026-04-22 (NanoClaw v2 — paraclaw's ancestor)
-
-Major version. NanoClaw v2 was a substantial architectural rewrite that paraclaw forks from.
-
-- [BREAKING] **New entity model.** Users, roles (owner/admin), messaging groups, and agent groups are now tracked as separate entities, wired via `messaging_group_agents`. Privilege is user-level instead of channel-level, so the old "main channel = admin" concept is retired. See [docs/architecture.md](docs/architecture.md) and [docs/isolation-model.md](docs/isolation-model.md).
-- [BREAKING] **Two-DB session split.** Each session now has `inbound.db` (host writes, container reads) and `outbound.db` (container writes, host reads) with exactly one writer each. Replaces the single shared session DB and eliminates cross-mount SQLite contention. See [docs/db-session.md](docs/db-session.md).
-- [BREAKING] **Install flow replaced.** `bash nanoclaw.sh` is the new default: a scripted installer that hands off to Claude Code for error recovery and guided decisions. The `/setup` Claude-guided skill still works as an alternative.
-- [BREAKING] **Channels moved to the `channels` branch.** Trunk no longer ships Discord, Slack, Telegram, WhatsApp, iMessage, Teams, Linear, GitHub, WeChat, Matrix, Google Chat, Webex, Resend, or WhatsApp Cloud. Install them per fork via `/add-<channel>` skills, which copy from the `channels` branch. `/update-nanoclaw` will re-install the channels your fork had.
-- [BREAKING] **Alternative providers moved to the `providers` branch.** OpenCode, Codex, and Ollama install via `/add-opencode`, `/add-codex`, `/add-ollama-provider`. Claude remains the default provider baked into trunk.
-- [BREAKING] **Three-level channel isolation.** Wire channels to their own agent (separate agent groups), share an agent with independent conversations (`session_mode: 'shared'`), or merge channels into one shared session (`session_mode: 'agent-shared'`). Chosen per channel via `/manage-channels`.
-- [BREAKING] **Apple Container removed from default setup.** Still available as an opt-in via `/convert-to-apple-container`.
-- **Shared-source agent-runner.** Per-group `agent-runner-src/` overlays are gone; all groups mount the same agent-runner read-only. Per-group customization flows through composed `CLAUDE.md` (shared base + per-group fragments).
-- **Agent-runner runtime moved from Node to Bun.** Container image is self-contained; no host-side impact. Host remains on Node + pnpm.
-- **OneCLI Agent Vault is the sole credential path.** Containers never receive raw API keys; credentials are injected at request time.
-
-## [1.2.36] - 2026-03-26
-
-- [BREAKING] Replaced pino logger with built-in logger. WhatsApp users must re-merge the WhatsApp fork to pick up the Baileys logger compatibility fix: `git fetch whatsapp main && git merge whatsapp/main`. If the `whatsapp` remote is not configured: `git remote add whatsapp https://github.com/qwibitai/nanoclaw-whatsapp.git`.
-
-## [1.2.35] - 2026-03-26
-
-- [BREAKING] OneCLI Agent Vault replaces the built-in credential proxy. Check your runtime: `grep CONTAINER_RUNTIME_BIN src/container-runtime.ts` — if it shows `'container'` you are on Apple Container, if `'docker'` you are on Docker. Docker users: run `/init-onecli` to install OneCLI and migrate `.env` credentials to the vault. Apple Container users: re-merge the skill branch (`git fetch upstream skill/apple-container && git merge upstream/skill/apple-container`) then run `/convert-to-apple-container` and follow all instructions (configures credential proxy networking) — do NOT run `/init-onecli`, it requires Docker.
-
-## [1.2.21] - 2026-03-22
-
-- Added opt-in diagnostics via PostHog with explicit user consent (Yes / No / Never ask again)
-
-## [1.2.20] - 2026-03-21
-
-- Added ESLint configuration with error-handling rules
-
-## [1.2.19] - 2026-03-19
-
-- Reduced `docker stop` timeout for faster container restarts (`-t 1` flag)
-
-## [1.2.18] - 2026-03-19
-
-- User prompt content no longer logged on container errors — only input metadata
-- Added Japanese README translation
-
-## [1.2.17] - 2026-03-18
-
-- Added `/capabilities` and `/status` container-agent skills
-
-## [1.2.16] - 2026-03-18
-
-- Tasks snapshot now refreshes immediately after IPC task mutations
-
-## [1.2.15] - 2026-03-16
-
-- Fixed remote-control prompt auto-accept to prevent immediate exit
-- Added `KillMode=process` so remote-control survives service restarts
-
-## [1.2.14] - 2026-03-14
-
-- Added `/remote-control` command for host-level Claude Code access from within containers
-
-## [1.2.13] - 2026-03-14
-
-**Breaking:** Skills are now git branches, channels are separate fork repos.
-
-- Skills live as `skill/*` git branches merged via `git merge`
-- Added Docker Sandboxes support
-- Fixed setup registration to use correct CLI commands
-
-## [1.2.12] - 2026-03-08
-
-- Added `/compact` skill for manual context compaction
-- Enhanced container environment isolation via credential proxy
-
-## [1.2.11] - 2026-03-08
-
-- Added PDF reader, image vision, and WhatsApp reactions skills
-- Fixed task container to close promptly when agent uses IPC-only messaging
-
-## [1.2.10] - 2026-03-06
-
-- Added `LIMIT` to unbounded message history queries for better performance
-
-## [1.2.9] - 2026-03-06
-
-- Agent prompts now include timezone context for accurate time references
-
-## [1.2.8] - 2026-03-06
-
-- Fixed misleading `send_message` tool description for scheduled tasks
-
-## [1.2.7] - 2026-03-06
-
-- Added `/add-ollama` skill for local model inference
-- Added `update_task` tool and return task ID from `schedule_task`
-
-## [1.2.6] - 2026-03-04
-
-- Updated `claude-agent-sdk` to 0.2.68
-
-## [1.2.5] - 2026-03-04
-
-- CI formatting fix
-
-## [1.2.4] - 2026-03-04
-
-- Fixed `_chatJid` rename to `chatJid` in `onMessage` callback
-
-## [1.2.3] - 2026-03-04
-
-- Added sender allowlist for per-chat access control
-
-## [1.2.2] - 2026-03-04
-
-- Added `/use-local-whisper` skill for local voice transcription
-- Atomic task claims prevent scheduled tasks from executing twice
-
-## [1.2.1] - 2026-03-02
-
-- Version bump (no functional changes)
-
-## [1.2.0] - 2026-03-02
-
-**Breaking:** WhatsApp removed from core, now a skill. Run `/add-whatsapp` to re-add.
-
-- Channel registry: channels self-register at startup via `registerChannel()` factory pattern
-- `isMain` flag replaces folder-name-based main group detection
-- `ENABLED_CHANNELS` removed — channels detected by credential presence
-- Prevent scheduled tasks from executing twice when container runtime exceeds poll interval
-
-## [1.1.6] - 2026-03-01
-
-- Added CJK font support for Chromium screenshots
-
-## [1.1.5] - 2026-03-01
-
-- Fixed wrapped WhatsApp message normalization
-
-## [1.1.4] - 2026-03-01
-
-- Added third-party model support
-- Added `/update-nanoclaw` skill for syncing with upstream
-
-## [1.1.3] - 2026-02-25
-
-- Added `/add-slack` skill
-- Restructured Gmail skill for new architecture
-
-## [1.1.2] - 2026-02-24
-
-- Improved error handling for WhatsApp Web version fetch
-
-## [1.1.1] - 2026-02-24
-
-- Added Qodo skills and codebase intelligence
-- Fixed WhatsApp 405 connection failures
-
-## [1.1.0] - 2026-02-23
-
-- Added `/update` skill to pull upstream changes from within Claude Code
-- Enhanced container environment isolation via credential proxy