@pellux/goodvibes-agent 0.1.44 → 0.1.46

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to GoodVibes Agent will be recorded here.
 
+## 0.1.46 - 2026-05-31
+
+- e0addfe Add full daemon capability inventory
+
+## 0.1.45 - 2026-05-31
+
+- 0aa4b3e Add daemon route risk approval review
+
 ## 0.1.44 - 2026-05-31
 
 - fdee09e Add daemon capability gap report

package/README.md

@@ -18,6 +18,8 @@ goodvibes-agent status
 goodvibes-agent capabilities
 goodvibes-agent capabilities daemon
 goodvibes-agent capabilities daemon gaps
+goodvibes-agent capabilities daemon risk
+goodvibes-agent capabilities daemon inventory
 ```
 
 If Bun reports untrusted lifecycle dependencies, trust only the package and dependencies required by this package:
@@ -46,7 +48,7 @@ bun run publish:check
 
 Inside the Agent TUI, use `/agent`, `/home`, or `/operator` to open the operator workspace. It is the Agent-first fullscreen surface for setup, status, live daemon capability coverage, knowledge, local memory/skills, work-plan/approval review, automation observability, and explicit build delegation to GoodVibes TUI.
 
-Use `goodvibes-agent capabilities` or `/capabilities` to inspect the OpenClaw/Hermes benchmark, current Agent posture, configuration commands, usage paths, and remaining gaps. Use `goodvibes-agent capabilities daemon` or `/capabilities daemon` for a live read-only audit of the GoodVibes daemon method catalog, route risk posture, and isolated Agent Knowledge route coverage. Use `goodvibes-agent capabilities daemon gaps` or `/capabilities daemon gaps` to turn that live daemon audit into a prioritized gap plan that separates missing daemon routes from Agent UX work.
+Use `goodvibes-agent capabilities` or `/capabilities` to inspect the OpenClaw/Hermes benchmark, current Agent posture, configuration commands, usage paths, and remaining gaps. Use `goodvibes-agent capabilities daemon` or `/capabilities daemon` for a live read-only audit of the GoodVibes daemon method catalog, route risk posture, and isolated Agent Knowledge route coverage. Use `goodvibes-agent capabilities daemon inventory` for the full public daemon method inventory grouped by category, access, HTTP posture, and dangerous flags. Use `goodvibes-agent capabilities daemon gaps` or `/capabilities daemon gaps` to turn that live daemon audit into a prioritized gap plan that separates missing daemon routes from Agent UX work. Use `goodvibes-agent capabilities daemon risk` or `/approval risk` for route-risk-aware approval posture without mutating approval state.
 
 Inside the workspace, use `/agent-profile guide` to author custom profile starters without leaving the Agent TUI. The guided flow lists starters, exports starter JSON, imports edited local starters, and creates isolated runtime profiles from them.
 
@@ -89,9 +91,11 @@ To verify what the running daemon can expose for the Agent/OpenClaw/Hermes capab
 goodvibes-agent capabilities daemon
 goodvibes-agent capabilities daemon --json
 goodvibes-agent capabilities daemon gaps
+goodvibes-agent capabilities daemon risk
+goodvibes-agent capabilities daemon inventory
 ```
 
-This audit checks `/api/control-plane/methods` and `/api/goodvibes-agent/knowledge/status`. The gap plan is derived from the same read-only calls. Neither command queries default Knowledge/Wiki or HomeGraph.
+This audit checks `/api/control-plane/methods` and `/api/goodvibes-agent/knowledge/status`. The gap plan, route-risk review, and full method inventory are derived from read-only daemon calls. None of these commands query default Knowledge/Wiki or HomeGraph.
 
 Agent intentionally blocks daemon lifecycle commands:
 

package/docs/operator-capability-benchmark.md

@@ -18,6 +18,8 @@ goodvibes-agent capabilities hermes
 goodvibes-agent capabilities daemon
 goodvibes-agent capabilities daemon --json
 goodvibes-agent capabilities daemon gaps
+goodvibes-agent capabilities daemon risk
+goodvibes-agent capabilities daemon inventory
 goodvibes-agent capabilities daemon knowledge
 ```
 
@@ -29,6 +31,8 @@ Inside the TUI:
 /capabilities knowledge
 /capabilities daemon
 /capabilities daemon gaps
+/capabilities daemon inventory
+/approval risk
 ```
 
 ## Research Baseline
@@ -58,7 +62,7 @@ The benchmark measures two different GoodVibes layers:
 
 If the daemon already has a route but Agent lacks a good setup/workspace/CLI surface, the gap is treated as an Agent product gap rather than a missing platform capability.
 
-Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. It checks the public control-plane method catalog, route risk posture, and the isolated Agent Knowledge status route. Use `goodvibes-agent capabilities daemon gaps` to convert that daemon-measured audit into a prioritized gap plan with `version_mismatch`, `agent_route_missing`, `required_method_missing`, `route_risk_review`, and `agent_ux_gap` rows. Both commands intentionally avoid default `/api/knowledge/*`, HomeGraph, and Home Assistant routes.
+Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. It checks the public control-plane method catalog, route risk posture, and the isolated Agent Knowledge status route. Use `goodvibes-agent capabilities daemon inventory` for the full public daemon method inventory grouped by category, access, HTTP method, and dangerous flag. Use `goodvibes-agent capabilities daemon gaps` to convert that daemon-measured audit into a prioritized gap plan with `version_mismatch`, `agent_route_missing`, `required_method_missing`, `route_risk_review`, and `agent_ux_gap` rows. Use `goodvibes-agent capabilities daemon risk` or `/approval risk` for a route-risk-aware approval-center view over read-only, mutating, dangerous, and authenticated route metadata. These commands intentionally avoid default `/api/knowledge/*`, HomeGraph, and Home Assistant routes.
 
 ## Capability Targets
 
@@ -80,7 +84,7 @@ Use `goodvibes-agent capabilities daemon` for the live read-only daemon audit. I
 
 GoodVibes Agent should exceed OpenClaw/Hermes by making these properties true from day one:
 
-- Capability surfaces are discoverable through `goodvibes-agent capabilities`, `goodvibes-agent capabilities daemon`, `goodvibes-agent capabilities daemon gaps`, `/capabilities`, `/capabilities daemon`, onboarding, and the operator workspace.
+- Capability surfaces are discoverable through `goodvibes-agent capabilities`, `goodvibes-agent capabilities daemon`, `goodvibes-agent capabilities daemon inventory`, `goodvibes-agent capabilities daemon gaps`, `goodvibes-agent capabilities daemon risk`, `/capabilities`, `/capabilities daemon`, `/approval risk`, onboarding, and the operator workspace.
 - Agent Knowledge isolation is a release gate, not a convention.
 - Routine-to-schedule promotion preserves Agent Knowledge isolation, uses only public external daemon schedule routes, supports explicit delivery targets, and stores redacted receipts.
 - Model-visible tools are policy-gated for serial, non-secret, non-destructive use.
@@ -96,5 +100,5 @@ GoodVibes Agent should exceed OpenClaw/Hermes by making these properties true fr
 - Artifact and multimodal Agent Knowledge ingestion when the isolated Agent route accepts artifact-backed media.
 - Deeper live run/delivery history and delivery error surfacing for promoted routines.
 - Delegation receipts and artifact review inside the operator workspace.
-- Approval center with route risk labels and saved policy presets.
+- Saved policy presets for the route-risk-aware approval center.
 - Intent-gated tool exposure so the model sees fewer irrelevant tools per turn while retaining broad capability coverage.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-agent",
-  "version": "0.1.44",
+  "version": "0.1.46",
   "private": false,
   "description": "Near-fork GoodVibes operator assistant with the GoodVibes TUI shell, renderer, input, fullscreen workspace, and daemon-connected Agent product brain.",
   "type": "module",

package/src/cli/capabilities-command.ts

@@ -7,17 +7,23 @@ import {
 } from '../operator/capability-benchmark.ts';
 import {
   buildDaemonCapabilityGapReport,
+  buildDaemonCapabilityRouteRiskReport,
   fetchLiveDaemonCapabilityAudit,
+  fetchLiveDaemonCapabilityInventory,
   filterDaemonCapabilityAuditAreas,
   filterDaemonCapabilityGaps,
+  filterDaemonCapabilityInventoryGroups,
+  filterDaemonCapabilityRouteRiskAreas,
   renderDaemonCapabilityAudit,
   renderDaemonCapabilityFailure,
   renderDaemonCapabilityGaps,
+  renderDaemonCapabilityInventory,
+  renderDaemonCapabilityRouteRisk,
 } from '../operator/daemon-capability-audit.ts';
 import { resolveAgentDaemonConnection } from '../agent/routine-schedule-promotion.ts';
 
 interface CapabilityCommandArgs {
-  readonly mode: 'benchmark' | 'daemon' | 'daemon-gaps';
+  readonly mode: 'benchmark' | 'daemon' | 'daemon-gaps' | 'daemon-risk' | 'daemon-inventory';
   readonly query: string | undefined;
 }
 
@@ -32,6 +38,14 @@ function readCapabilityArgs(args: readonly string[]): CapabilityCommandArgs {
       const query = values.slice(2).join(' ').trim();
       return { mode: 'daemon-gaps', query: query.length > 0 ? query : undefined };
     }
+    if (values[1] === 'risk' || values[1] === 'route-risk') {
+      const query = values.slice(2).join(' ').trim();
+      return { mode: 'daemon-risk', query: query.length > 0 ? query : undefined };
+    }
+    if (values[1] === 'inventory' || values[1] === 'methods' || values[1] === 'routes') {
+      const query = values.slice(2).join(' ').trim();
+      return { mode: 'daemon-inventory', query: query.length > 0 ? query : undefined };
+    }
     const query = values.slice(1).join(' ').trim();
     return { mode: 'daemon', query: query.length > 0 ? query : undefined };
   }
@@ -79,6 +93,45 @@ export async function handleCapabilitiesCommand(runtime: CliCommandRuntime): Pro
       exitCode: 0,
     };
   }
+  if (args.mode === 'daemon-risk') {
+    const connection = resolveAgentDaemonConnection(runtime.configManager, runtime.homeDirectory);
+    const audit = await fetchLiveDaemonCapabilityAudit(connection);
+    if (!audit.ok) {
+      return {
+        output: runtime.cli.flags.outputFormat === 'json'
+          ? JSON.stringify(audit, null, 2)
+          : renderDaemonCapabilityFailure(audit),
+        exitCode: audit.kind === 'auth_required' || audit.kind === 'daemon_unavailable' ? 1 : 2,
+      };
+    }
+    const report = buildDaemonCapabilityRouteRiskReport(audit);
+    const areas = filterDaemonCapabilityRouteRiskAreas(report.areas, args.query);
+    return {
+      output: runtime.cli.flags.outputFormat === 'json'
+        ? JSON.stringify({ ...report, matchedAreaCount: areas.length, areas }, null, 2)
+        : renderDaemonCapabilityRouteRisk(report, areas),
+      exitCode: 0,
+    };
+  }
+  if (args.mode === 'daemon-inventory') {
+    const connection = resolveAgentDaemonConnection(runtime.configManager, runtime.homeDirectory);
+    const inventory = await fetchLiveDaemonCapabilityInventory(connection);
+    if (!inventory.ok) {
+      return {
+        output: runtime.cli.flags.outputFormat === 'json'
+          ? JSON.stringify(inventory, null, 2)
+          : renderDaemonCapabilityFailure(inventory),
+        exitCode: inventory.kind === 'auth_required' || inventory.kind === 'daemon_unavailable' ? 1 : 2,
+      };
+    }
+    const groups = filterDaemonCapabilityInventoryGroups(inventory.groups, args.query);
+    return {
+      output: runtime.cli.flags.outputFormat === 'json'
+        ? JSON.stringify({ ...inventory, matchedGroupCount: groups.length, groups }, null, 2)
+        : renderDaemonCapabilityInventory(inventory, groups),
+      exitCode: 0,
+    };
+  }
   const report = buildOperatorCapabilityBenchmarkReport();
   const capabilities = filterOperatorCapabilities(report.capabilities, args.query);
   if (runtime.cli.flags.outputFormat === 'json') {

package/src/cli/help.ts

@@ -104,6 +104,8 @@ export function renderGoodVibesHelp(binary = 'goodvibes-agent'): string {
     `  ${binary} capabilities`,
     `  ${binary} capabilities daemon`,
     `  ${binary} capabilities daemon gaps`,
+    `  ${binary} capabilities daemon risk`,
+    `  ${binary} capabilities daemon inventory`,
     `  ${binary} knowledge status`,
     `  ${binary} knowledge ask "What is GoodVibes Agent?"`,
     `  ${binary} ask "What is GoodVibes Agent?"`,
@@ -198,9 +200,9 @@ const COMMAND_HELP: Record<string, CommandHelp> = {
     examples: ['compat', 'compat --json'],
   },
   capabilities: {
-    usage: ['capabilities [openclaw|hermes|query]', 'capabilities daemon [query]', 'capabilities daemon gaps [query]', 'capabilities --json'],
-    summary: 'Show the OpenClaw/Hermes capability benchmark, Agent readiness, live GoodVibes daemon method coverage, and daemon-measured product gaps.',
-    examples: ['capabilities', 'capabilities hermes', 'capabilities daemon', 'capabilities daemon gaps', 'capabilities daemon knowledge --json'],
+    usage: ['capabilities [openclaw|hermes|query]', 'capabilities daemon [query]', 'capabilities daemon gaps [query]', 'capabilities daemon risk [query]', 'capabilities daemon inventory [query]', 'capabilities --json'],
+    summary: 'Show the OpenClaw/Hermes capability benchmark, Agent readiness, live GoodVibes daemon method coverage, route risk, and daemon-measured product gaps.',
+    examples: ['capabilities', 'capabilities hermes', 'capabilities daemon', 'capabilities daemon gaps', 'capabilities daemon risk --json', 'capabilities daemon inventory channels --json'],
   },
   knowledge: {
     usage: [

package/src/input/agent-workspace.ts

@@ -490,6 +490,8 @@ export const AGENT_WORKSPACE_CATEGORIES: readonly AgentWorkspaceCategory[] = [
       { id: 'capabilities-benchmark', label: 'Benchmark report', detail: 'Show the OpenClaw/Hermes parity benchmark with Agent posture, setup commands, usage paths, and remaining product gaps.', command: '/capabilities', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon', label: 'Live daemon audit', detail: 'Inspect the public daemon method catalog plus isolated Agent Knowledge route coverage. Does not query default Knowledge/Wiki or HomeGraph.', command: '/capabilities daemon', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-gaps', label: 'Daemon gap plan', detail: 'Classify live daemon coverage into platform gaps, Agent route gaps, route-risk reviews, and Agent UX work without querying default Knowledge/Wiki or HomeGraph.', command: '/capabilities daemon gaps', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-risk', label: 'Route risk review', detail: 'Inspect daemon read-only, mutating, dangerous, and authenticated route metadata for approval-center planning.', command: '/capabilities daemon risk', kind: 'command', safety: 'read-only' },
+      { id: 'capabilities-daemon-inventory', label: 'Full method inventory', detail: 'List every public daemon method by category, HTTP posture, access, and dangerous flag without querying default Knowledge/Wiki or HomeGraph.', command: '/capabilities daemon inventory', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-knowledge', label: 'Knowledge coverage', detail: 'Filter the live daemon audit to the isolated Agent Knowledge segment.', command: '/capabilities daemon knowledge', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-channels', label: 'Channel coverage', detail: 'Filter the live daemon audit to channel and delivery gateway route coverage.', command: '/capabilities daemon channels', kind: 'command', safety: 'read-only' },
       { id: 'capabilities-daemon-automation', label: 'Automation coverage', detail: 'Filter the live daemon audit to automation, schedule, run, and capacity route coverage.', command: '/capabilities daemon automation', kind: 'command', safety: 'read-only' },
@@ -581,6 +583,7 @@ export const AGENT_WORKSPACE_CATEGORIES: readonly AgentWorkspaceCategory[] = [
       { id: 'workplan', label: 'Open work plan', detail: 'Open the workspace-scoped work plan panel.', command: '/workplan panel', kind: 'command', safety: 'read-only' },
       { id: 'workplan-list', label: 'List work plan', detail: 'Print a concise work plan summary.', command: '/workplan list', kind: 'command', safety: 'read-only' },
       { id: 'approvals', label: 'Review approvals', detail: 'Open/read approval posture. This workspace does not approve or deny requests.', command: '/approval open', kind: 'command', safety: 'read-only' },
+      { id: 'approval-risk', label: 'Route risk review', detail: 'Inspect daemon route risk and dangerous method metadata without approving, denying, or mutating requests.', command: '/approval risk', kind: 'command', safety: 'read-only' },
     ],
   },
   {

package/src/input/commands/capabilities-runtime.ts

@@ -6,12 +6,18 @@ import {
 } from '../../operator/capability-benchmark.ts';
 import {
   buildDaemonCapabilityGapReport,
+  buildDaemonCapabilityRouteRiskReport,
   fetchLiveDaemonCapabilityAudit,
+  fetchLiveDaemonCapabilityInventory,
   filterDaemonCapabilityAuditAreas,
   filterDaemonCapabilityGaps,
+  filterDaemonCapabilityInventoryGroups,
+  filterDaemonCapabilityRouteRiskAreas,
   renderDaemonCapabilityAudit,
   renderDaemonCapabilityFailure,
   renderDaemonCapabilityGaps,
+  renderDaemonCapabilityInventory,
+  renderDaemonCapabilityRouteRisk,
 } from '../../operator/daemon-capability-audit.ts';
 import { resolveAgentDaemonConnection } from '../../agent/routine-schedule-promotion.ts';
 
@@ -37,6 +43,24 @@ export function registerCapabilitiesRuntimeCommands(registry: CommandRegistry):
           ctx.print(renderDaemonCapabilityGaps(report, gaps));
           return;
         }
+        if (args[1] === 'risk' || args[1] === 'route-risk') {
+          const report = buildDaemonCapabilityRouteRiskReport(audit);
+          const query = args.slice(2).join(' ').trim() || undefined;
+          const areas = filterDaemonCapabilityRouteRiskAreas(report.areas, query);
+          ctx.print(renderDaemonCapabilityRouteRisk(report, areas));
+          return;
+        }
+        if (args[1] === 'inventory' || args[1] === 'methods' || args[1] === 'routes') {
+          const inventory = await fetchLiveDaemonCapabilityInventory(connection);
+          if (!inventory.ok) {
+            ctx.print(renderDaemonCapabilityFailure(inventory));
+            return;
+          }
+          const query = args.slice(2).join(' ').trim() || undefined;
+          const groups = filterDaemonCapabilityInventoryGroups(inventory.groups, query);
+          ctx.print(renderDaemonCapabilityInventory(inventory, groups));
+          return;
+        }
         const query = args.slice(1).join(' ').trim() || undefined;
         const areas = filterDaemonCapabilityAuditAreas(audit.areas, query);
         ctx.print(renderDaemonCapabilityAudit(audit, areas));

package/src/input/commands/experience-runtime.ts

@@ -3,6 +3,14 @@ import { dirname, resolve } from 'node:path';
 import type { CommandRegistry } from '../command-registry.ts';
 import { requirePanelManager, requireShellPaths } from './runtime-services.ts';
 import { requireYesFlag, stripYesFlag } from './confirmation.ts';
+import { resolveAgentDaemonConnection } from '../../agent/routine-schedule-promotion.ts';
+import {
+  buildDaemonCapabilityRouteRiskReport,
+  fetchLiveDaemonCapabilityAudit,
+  filterDaemonCapabilityRouteRiskAreas,
+  renderDaemonCapabilityFailure,
+  renderDaemonCapabilityRouteRisk,
+} from '../../operator/daemon-capability-audit.ts';
 
 interface VoiceBundle {
   readonly version: 1;
@@ -178,8 +186,8 @@ export function registerExperienceRuntimeCommands(registry: CommandRegistry): vo
     name: 'approval',
     aliases: ['approvals'],
     description: 'Review action-specific approval classes and the specialized security UX matrix',
-    usage: '[matrix|review <kind>]',
-    handler(args, ctx) {
+    usage: '[matrix|risk|review <kind>]',
+    async handler(args, ctx) {
       const sub = (args[0] ?? 'matrix').toLowerCase();
       if (sub === 'open' || sub === 'panel') {
         if (ctx.showPanel) ctx.showPanel('approval');
@@ -205,9 +213,25 @@ export function registerExperienceRuntimeCommands(registry: CommandRegistry): vo
         ctx.print([
           'Approval Matrix',
           ...matrix.map(([kind, summary]) => `  ${kind.padEnd(10)} ${summary}`),
+          '',
+          'Live daemon route risk: /approval risk',
         ].join('\n'));
         return;
       }
+      if (sub === 'risk' || sub === 'route-risk') {
+        const shellPaths = requireShellPaths(ctx);
+        const connection = resolveAgentDaemonConnection(ctx.platform.configManager, shellPaths.homeDirectory);
+        const audit = await fetchLiveDaemonCapabilityAudit(connection);
+        if (!audit.ok) {
+          ctx.print(renderDaemonCapabilityFailure(audit));
+          return;
+        }
+        const report = buildDaemonCapabilityRouteRiskReport(audit);
+        const query = args.slice(1).join(' ').trim() || undefined;
+        const areas = filterDaemonCapabilityRouteRiskAreas(report.areas, query);
+        ctx.print(renderDaemonCapabilityRouteRisk(report, areas));
+        return;
+      }
       if (sub === 'review') {
         const kind = (args[1] ?? '').toLowerCase();
         const entry = matrix.find(([id]) => id === kind);
@@ -222,7 +246,7 @@ export function registerExperienceRuntimeCommands(registry: CommandRegistry): vo
         ].join('\n'));
         return;
       }
-      ctx.print('Usage: /approval [open|matrix|review <kind>]');
+      ctx.print('Usage: /approval [open|matrix|risk|review <kind>]');
     },
   });
 

package/src/operator/daemon-capability-audit.ts

@@ -49,6 +49,9 @@ export interface DaemonCapabilityAuditArea {
     readonly coverage: DaemonCapabilityRouteCoverage;
   }[];
   readonly routeRisk: {
+    readonly readOnlyMethodIds: readonly string[];
+    readonly mutatingMethodIds: readonly string[];
+    readonly authenticatedMethodIds: readonly string[];
     readonly readOnlyMethodCount: number;
     readonly mutatingMethodCount: number;
     readonly authenticatedMethodCount: number;
@@ -100,6 +103,85 @@ export interface DaemonCapabilityGapReport {
   readonly gaps: readonly DaemonCapabilityGap[];
 }
 
+export interface DaemonCapabilityRouteRiskArea {
+  readonly areaId: string;
+  readonly title: string;
+  readonly coverage: DaemonCapabilityCoverage;
+  readonly readOnlyMethodIds: readonly string[];
+  readonly mutatingMethodIds: readonly string[];
+  readonly authenticatedMethodIds: readonly string[];
+  readonly readOnlyMethodCount: number;
+  readonly mutatingMethodCount: number;
+  readonly authenticatedMethodCount: number;
+  readonly dangerousMethodIds: readonly string[];
+}
+
+export interface DaemonCapabilityRouteRiskReport {
+  readonly ok: true;
+  readonly kind: 'daemon.capabilities.route_risk';
+  readonly baseUrl: string;
+  readonly daemonVersion: string;
+  readonly expectedSdkVersion: string;
+  readonly daemonCompatible: boolean;
+  readonly methodCatalogRoute: typeof DAEMON_METHOD_CATALOG_ROUTE;
+  readonly agentKnowledgeRoute: typeof AGENT_KNOWLEDGE_STATUS_ROUTE;
+  readonly agentKnowledgeRouteReady: boolean;
+  readonly defaultKnowledgeFallback: false;
+  readonly homeGraphFallback: false;
+  readonly totalReadOnlyMethodCount: number;
+  readonly totalMutatingMethodCount: number;
+  readonly totalAuthenticatedMethodCount: number;
+  readonly totalDangerousMethodCount: number;
+  readonly areas: readonly DaemonCapabilityRouteRiskArea[];
+}
+
+export interface DaemonCapabilityInventoryMethod {
+  readonly id: string;
+  readonly title?: string;
+  readonly category: string;
+  readonly access: string;
+  readonly invokable: boolean | null;
+  readonly dangerous: boolean;
+  readonly httpMethod: string;
+  readonly path?: string;
+  readonly readOnly: boolean;
+  readonly mutating: boolean;
+}
+
+export interface DaemonCapabilityInventoryGroup {
+  readonly category: string;
+  readonly methodCount: number;
+  readonly readOnlyMethodCount: number;
+  readonly mutatingMethodCount: number;
+  readonly authenticatedMethodCount: number;
+  readonly dangerousMethodCount: number;
+  readonly methods: readonly DaemonCapabilityInventoryMethod[];
+}
+
+export interface DaemonCapabilityInventoryReport {
+  readonly ok: true;
+  readonly kind: 'daemon.capabilities.inventory';
+  readonly baseUrl: string;
+  readonly daemonVersion: string;
+  readonly expectedSdkVersion: string;
+  readonly daemonCompatible: boolean;
+  readonly methodCatalogRoute: typeof DAEMON_METHOD_CATALOG_ROUTE;
+  readonly methodCount: number;
+  readonly agentKnowledgeRoute: typeof AGENT_KNOWLEDGE_STATUS_ROUTE;
+  readonly agentKnowledgeRouteReady: boolean;
+  readonly defaultKnowledgeFallback: false;
+  readonly homeGraphFallback: false;
+  readonly readOnlyMethodCount: number;
+  readonly mutatingMethodCount: number;
+  readonly authenticatedMethodCount: number;
+  readonly dangerousMethodCount: number;
+  readonly accessCounts: readonly {
+    readonly access: string;
+    readonly count: number;
+  }[];
+  readonly groups: readonly DaemonCapabilityInventoryGroup[];
+}
+
 export interface DaemonCapabilityAuditFailure {
   readonly ok: false;
   readonly kind: DaemonCapabilityAuditFailureKind;
@@ -345,6 +427,36 @@ function readMethodSummaries(body: unknown): readonly DaemonMethodSummary[] {
   });
 }
 
+function normalizeMethodCategory(method: DaemonMethodSummary): string {
+  const category = method.category?.trim();
+  if (category) return category;
+  const [prefix] = method.id.split('.');
+  return prefix || 'uncategorized';
+}
+
+function normalizeAccess(method: DaemonMethodSummary): string {
+  const access = method.access?.trim();
+  return access || 'unknown';
+}
+
+function normalizeHttpMethod(method: DaemonMethodSummary): string {
+  return method.http?.method?.trim().toUpperCase() || 'UNKNOWN';
+}
+
+function isReadOnlyHttpMethod(httpMethod: string): boolean {
+  return httpMethod === 'GET' || httpMethod === 'HEAD';
+}
+
+function compareInventoryMethods(left: DaemonCapabilityInventoryMethod, right: DaemonCapabilityInventoryMethod): number {
+  return left.id.localeCompare(right.id);
+}
+
+function compareInventoryGroups(left: DaemonCapabilityInventoryGroup, right: DaemonCapabilityInventoryGroup): number {
+  const countDelta = right.methodCount - left.methodCount;
+  if (countDelta !== 0) return countDelta;
+  return left.category.localeCompare(right.category);
+}
+
 function daemonVersionFromStatus(body: unknown): string {
   if (!isRecord(body)) return 'unknown';
   return readString(body, 'version')
@@ -452,15 +564,17 @@ export function buildDaemonCapabilityAuditAreas(
       const method = methodsById.get(methodId);
       return method ? [method] : [];
     });
-    const readOnlyMethodCount = areaMethods.filter((method) => {
+    const readOnlyMethodIds = areaMethods.filter((method) => {
       const verb = method.http?.method?.toUpperCase();
       return verb === 'GET' || verb === 'HEAD';
-    }).length;
-    const mutatingMethodCount = areaMethods.filter((method) => {
+    }).map((method) => method.id);
+    const mutatingMethodIds = areaMethods.filter((method) => {
       const verb = method.http?.method?.toUpperCase();
       return Boolean(verb) && verb !== 'GET' && verb !== 'HEAD';
-    }).length;
-    const authenticatedMethodCount = areaMethods.filter((method) => method.access === 'authenticated').length;
+    }).map((method) => method.id);
+    const authenticatedMethodIds = areaMethods
+      .filter((method) => method.access === 'authenticated')
+      .map((method) => method.id);
     const dangerousMethodIds = areaMethods
       .filter((method) => method.dangerous === true)
       .map((method) => method.id);
@@ -484,9 +598,12 @@ export function buildDaemonCapabilityAuditAreas(
       missingOptionalMethodIds,
       agentRoutes,
       routeRisk: {
-        readOnlyMethodCount,
-        mutatingMethodCount,
-        authenticatedMethodCount,
+        readOnlyMethodIds,
+        mutatingMethodIds,
+        authenticatedMethodIds,
+        readOnlyMethodCount: readOnlyMethodIds.length,
+        mutatingMethodCount: mutatingMethodIds.length,
+        authenticatedMethodCount: authenticatedMethodIds.length,
         dangerousMethodIds,
       },
       next: requirement.next,
@@ -545,6 +662,116 @@ export async function fetchLiveDaemonCapabilityAudit(
   }
 }
 
+export function buildDaemonCapabilityInventoryReport(
+  connection: AgentDaemonConnection,
+  daemonVersion: string,
+  agentKnowledgeRouteReady: boolean,
+  methodSummaries: readonly DaemonMethodSummary[],
+): DaemonCapabilityInventoryReport {
+  const methods = methodSummaries.map((method): DaemonCapabilityInventoryMethod => {
+    const httpMethod = normalizeHttpMethod(method);
+    const readOnly = isReadOnlyHttpMethod(httpMethod);
+    return {
+      id: method.id,
+      title: method.title,
+      category: normalizeMethodCategory(method),
+      access: normalizeAccess(method),
+      invokable: typeof method.invokable === 'boolean' ? method.invokable : null,
+      dangerous: method.dangerous === true,
+      httpMethod,
+      path: method.http?.path,
+      readOnly,
+      mutating: httpMethod !== 'UNKNOWN' && !readOnly,
+    };
+  }).sort(compareInventoryMethods);
+
+  const groupsByCategory = new Map<string, DaemonCapabilityInventoryMethod[]>();
+  for (const method of methods) {
+    const existing = groupsByCategory.get(method.category) ?? [];
+    existing.push(method);
+    groupsByCategory.set(method.category, existing);
+  }
+
+  const groups = [...groupsByCategory.entries()].map(([category, categoryMethods]): DaemonCapabilityInventoryGroup => ({
+    category,
+    methodCount: categoryMethods.length,
+    readOnlyMethodCount: categoryMethods.filter((method) => method.readOnly).length,
+    mutatingMethodCount: categoryMethods.filter((method) => method.mutating).length,
+    authenticatedMethodCount: categoryMethods.filter((method) => method.access === 'authenticated').length,
+    dangerousMethodCount: categoryMethods.filter((method) => method.dangerous).length,
+    methods: categoryMethods,
+  })).sort(compareInventoryGroups);
+
+  const accessEntries = new Map<string, number>();
+  for (const method of methods) {
+    accessEntries.set(method.access, (accessEntries.get(method.access) ?? 0) + 1);
+  }
+  const accessCounts = [...accessEntries.entries()]
+    .map(([access, count]) => ({ access, count }))
+    .sort((left, right) => {
+      const countDelta = right.count - left.count;
+      if (countDelta !== 0) return countDelta;
+      return left.access.localeCompare(right.access);
+    });
+
+  return {
+    ok: true,
+    kind: 'daemon.capabilities.inventory',
+    baseUrl: connection.baseUrl,
+    daemonVersion,
+    expectedSdkVersion: SDK_VERSION,
+    daemonCompatible: daemonVersion === SDK_VERSION,
+    methodCatalogRoute: DAEMON_METHOD_CATALOG_ROUTE,
+    methodCount: methods.length,
+    agentKnowledgeRoute: AGENT_KNOWLEDGE_STATUS_ROUTE,
+    agentKnowledgeRouteReady,
+    defaultKnowledgeFallback: false,
+    homeGraphFallback: false,
+    readOnlyMethodCount: methods.filter((method) => method.readOnly).length,
+    mutatingMethodCount: methods.filter((method) => method.mutating).length,
+    authenticatedMethodCount: methods.filter((method) => method.access === 'authenticated').length,
+    dangerousMethodCount: methods.filter((method) => method.dangerous).length,
+    accessCounts,
+    groups,
+  };
+}
+
+export type DaemonCapabilityInventoryResult =
+  | DaemonCapabilityInventoryReport
+  | DaemonCapabilityAuditFailure;
+
+export async function fetchLiveDaemonCapabilityInventory(
+  connection: AgentDaemonConnection,
+): Promise<DaemonCapabilityInventoryResult> {
+  let daemonVersion = 'unknown';
+  try {
+    const status = await fetchJson(connection, DAEMON_STATUS_ROUTE);
+    if (status.ok) {
+      daemonVersion = daemonVersionFromStatus(status.body);
+    } else if (status.status === 401 || status.status === 403) {
+      return failureFromResponse(status, connection, DAEMON_STATUS_ROUTE, daemonVersion);
+    }
+
+    const methods = await fetchJson(connection, DAEMON_METHOD_CATALOG_ROUTE);
+    if (!methods.ok) return failureFromResponse(methods, connection, DAEMON_METHOD_CATALOG_ROUTE, daemonVersion);
+
+    const agentKnowledge = await fetchJson(connection, AGENT_KNOWLEDGE_STATUS_ROUTE);
+    if (!agentKnowledge.ok) {
+      const failure = failureFromResponse(agentKnowledge, connection, AGENT_KNOWLEDGE_STATUS_ROUTE, daemonVersion);
+      if (failure.kind === 'auth_required') return failure;
+    }
+
+    return buildDaemonCapabilityInventoryReport(
+      connection,
+      daemonVersion,
+      agentKnowledge.ok,
+      readMethodSummaries(methods.body),
+    );
+  } catch (error) {
+    return failureFromThrown(error, connection, daemonVersion === 'unknown' ? DAEMON_STATUS_ROUTE : DAEMON_METHOD_CATALOG_ROUTE);
+  }
+}
+
 export function filterDaemonCapabilityAuditAreas(
   areas: readonly DaemonCapabilityAuditArea[],
   query: string | undefined,
@@ -721,6 +948,178 @@ export function renderDaemonCapabilityGaps(
   return lines.join('\n').trimEnd();
 }
 
+export function buildDaemonCapabilityRouteRiskReport(
+  audit: DaemonCapabilityAuditSuccess,
+  areas: readonly DaemonCapabilityAuditArea[] = audit.areas,
+): DaemonCapabilityRouteRiskReport {
+  const riskAreas = areas.map((area): DaemonCapabilityRouteRiskArea => ({
+    areaId: area.id,
+    title: area.title,
+    coverage: area.coverage,
+    readOnlyMethodIds: area.routeRisk.readOnlyMethodIds,
+    mutatingMethodIds: area.routeRisk.mutatingMethodIds,
+    authenticatedMethodIds: area.routeRisk.authenticatedMethodIds,
+    readOnlyMethodCount: area.routeRisk.readOnlyMethodCount,
+    mutatingMethodCount: area.routeRisk.mutatingMethodCount,
+    authenticatedMethodCount: area.routeRisk.authenticatedMethodCount,
+    dangerousMethodIds: area.routeRisk.dangerousMethodIds,
+  }));
+  const readOnlyMethodIds = new Set(riskAreas.flatMap((area) => area.readOnlyMethodIds));
+  const mutatingMethodIds = new Set(riskAreas.flatMap((area) => area.mutatingMethodIds));
+  const authenticatedMethodIds = new Set(riskAreas.flatMap((area) => area.authenticatedMethodIds));
+  const dangerousMethodIds = new Set(riskAreas.flatMap((area) => area.dangerousMethodIds));
+
+  return {
+    ok: true,
+    kind: 'daemon.capabilities.route_risk',
+    baseUrl: audit.baseUrl,
+    daemonVersion: audit.daemonVersion,
+    expectedSdkVersion: audit.expectedSdkVersion,
+    daemonCompatible: audit.daemonCompatible,
+    methodCatalogRoute: audit.methodCatalogRoute,
+    agentKnowledgeRoute: audit.agentKnowledgeRoute,
+    agentKnowledgeRouteReady: audit.agentKnowledgeRouteReady,
+    defaultKnowledgeFallback: false,
+    homeGraphFallback: false,
+    totalReadOnlyMethodCount: readOnlyMethodIds.size,
+    totalMutatingMethodCount: mutatingMethodIds.size,
+    totalAuthenticatedMethodCount: authenticatedMethodIds.size,
+    totalDangerousMethodCount: dangerousMethodIds.size,
+    areas: riskAreas,
+  };
+}
+
+export function filterDaemonCapabilityRouteRiskAreas(
+  areas: readonly DaemonCapabilityRouteRiskArea[],
+  query: string | undefined,
+): readonly DaemonCapabilityRouteRiskArea[] {
+  const normalized = query?.trim().toLowerCase();
+  if (!normalized) return areas;
+  return areas.filter((area) => {
+    return area.areaId.includes(normalized)
+      || area.title.toLowerCase().includes(normalized)
+      || area.coverage.includes(normalized)
+      || area.dangerousMethodIds.some((methodId) => methodId.includes(normalized));
+  });
+}
+
+export function renderDaemonCapabilityRouteRisk(
+  report: DaemonCapabilityRouteRiskReport,
+  areas: readonly DaemonCapabilityRouteRiskArea[] = report.areas,
+): string {
+  const lines: string[] = [
+    'GoodVibes daemon route risk review',
+    `  daemon: ${report.baseUrl}`,
+    `  SDK: Agent expects ${report.expectedSdkVersion}; daemon reports ${report.daemonVersion}`,
+    `  compatibility: ${report.daemonCompatible ? 'matched' : 'mismatch'}`,
+    `  method catalog: ${report.methodCatalogRoute}`,
+    `  Agent Knowledge: ${report.agentKnowledgeRouteReady ? 'ready' : 'missing'} ${report.agentKnowledgeRoute}`,
+    '  isolation: default Knowledge/Wiki fallback no; HomeGraph fallback no',
+    `  totals: ${report.totalReadOnlyMethodCount} read-only; ${report.totalMutatingMethodCount} mutating; ${report.totalDangerousMethodCount} dangerous; ${report.totalAuthenticatedMethodCount} authenticated`,
+    '  policy: exact command plus confirmation for side effects; ordinary chat never triggers mutating routes',
+    '',
+  ];
+
+  const visibleAreas = areas.filter((area) => {
+    return area.readOnlyMethodCount > 0
+      || area.mutatingMethodCount > 0
+      || area.authenticatedMethodCount > 0
+      || area.dangerousMethodIds.length > 0;
+  });
+  if (visibleAreas.length === 0) {
+    lines.push('No route risk metadata matched this query.');
+    return lines.join('\n');
+  }
+
+  for (const area of visibleAreas) {
+    lines.push(`${area.title} [${area.coverage}]`);
+    lines.push(`  methods: ${area.readOnlyMethodCount} read-only; ${area.mutatingMethodCount} mutating; ${area.dangerousMethodIds.length} dangerous; ${area.authenticatedMethodCount} authenticated`);
+    if (area.dangerousMethodIds.length > 0) {
+      lines.push(`  dangerous methods: ${area.dangerousMethodIds.join(', ')}`);
+    }
+    lines.push('  approval posture: read-only by default; exact command and confirmation required for side effects.');
+    lines.push('');
+  }
+
+  return lines.join('\n').trimEnd();
+}
+
+export function filterDaemonCapabilityInventoryGroups(
+  groups: readonly DaemonCapabilityInventoryGroup[],
+  query: string | undefined,
+): readonly DaemonCapabilityInventoryGroup[] {
+  const normalized = query?.trim().toLowerCase();
+  if (!normalized) return groups;
+  return groups.flatMap((group): DaemonCapabilityInventoryGroup[] => {
+    const categoryMatches = group.category.toLowerCase().includes(normalized);
+    const methods = categoryMatches
+      ? group.methods
+      : group.methods.filter((method) => {
+          return method.id.toLowerCase().includes(normalized)
+            || method.title?.toLowerCase().includes(normalized) === true
+            || method.access.toLowerCase().includes(normalized)
+            || method.httpMethod.toLowerCase().includes(normalized)
+            || method.path?.toLowerCase().includes(normalized) === true;
+        });
+    if (methods.length === 0) return [];
+    return [{
+      category: group.category,
+      methodCount: methods.length,
+      readOnlyMethodCount: methods.filter((method) => method.readOnly).length,
+      mutatingMethodCount: methods.filter((method) => method.mutating).length,
+      authenticatedMethodCount: methods.filter((method) => method.access === 'authenticated').length,
+      dangerousMethodCount: methods.filter((method) => method.dangerous).length,
+      methods,
+    }];
+  });
+}
+
+function renderInventoryMethod(method: DaemonCapabilityInventoryMethod): string {
+  const risk = method.dangerous
+    ? ' dangerous'
+    : method.mutating
+      ? ' mutating'
+      : ' read-only';
+  const route = method.path ? ` ${method.httpMethod} ${method.path}` : ` ${method.httpMethod}`;
+  return `    ${method.id} [${method.access};${risk}]${route}`;
+}
+
+export function renderDaemonCapabilityInventory(
+  report: DaemonCapabilityInventoryReport,
+  groups: readonly DaemonCapabilityInventoryGroup[] = report.groups,
+): string {
+  const lines: string[] = [
+    'GoodVibes daemon method inventory',
+    `  daemon: ${report.baseUrl}`,
+    `  SDK: Agent expects ${report.expectedSdkVersion}; daemon reports ${report.daemonVersion}`,
+    `  compatibility: ${report.daemonCompatible ? 'matched' : 'mismatch'}`,
+    `  method catalog: ${report.methodCount} methods from ${report.methodCatalogRoute}`,
+    `  Agent Knowledge: ${report.agentKnowledgeRouteReady ? 'ready' : 'missing'} ${report.agentKnowledgeRoute}`,
+    '  isolation: default Knowledge/Wiki fallback no; HomeGraph fallback no',
+    `  totals: ${report.readOnlyMethodCount} read-only; ${report.mutatingMethodCount} mutating; ${report.dangerousMethodCount} dangerous; ${report.authenticatedMethodCount} authenticated`,
+    `  access: ${report.accessCounts.map((entry) => `${entry.access} ${entry.count}`).join('; ') || 'none'}`,
+    '',
+  ];
+
+  if (groups.length === 0) {
+    lines.push('No daemon methods matched this query.');
+    return lines.join('\n');
+  }
+
+  for (const group of groups) {
+    lines.push(`${group.category} (${group.methodCount})`);
+    lines.push(`  ${group.readOnlyMethodCount} read-only; ${group.mutatingMethodCount} mutating; ${group.dangerousMethodCount} dangerous; ${group.authenticatedMethodCount} authenticated`);
+    const visibleMethods = group.methods.slice(0, 12);
+    for (const method of visibleMethods) lines.push(renderInventoryMethod(method));
+    if (group.methods.length > visibleMethods.length) {
+      lines.push(`    ... ${group.methods.length - visibleMethods.length} more; use --json or a narrower query for the full list.`);
+    }
+    lines.push('');
+  }
+
+  return lines.join('\n').trimEnd();
+}
+
 export function renderDaemonCapabilityAudit(
   audit: DaemonCapabilityAuditSuccess,
   areas: readonly DaemonCapabilityAuditArea[] = audit.areas,

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.44';
+let _version = '0.1.46';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {