@rubytech/taskmaster 1.0.68 → 1.0.70

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-Tpr1NFEw.js"></script>
+    <script type="module" crossorigin src="./assets/index-lEyZ7hzB.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-BCh3mx9Z.css">
   </head>
   <body>

package/dist/gateway/control-ui.js

@@ -387,11 +387,16 @@ export function handlePublicChatHttpRequest(req, res, opts) {
         res.end("Method Not Allowed");
         return true;
     }
-    // Only /public/chat (the SPA route)
-    if (pathname !== "/public/chat" && !pathname.startsWith("/public/chat/")) {
+    // Only /public/chat/:accountId (the SPA route)
+    if (!pathname.startsWith("/public/chat/")) {
         // /public/widget.js is handled separately
         if (pathname === "/public/widget.js")
             return false;
+        // Bare /public/chat without accountId → 404
+        if (pathname === "/public/chat") {
+            respondNotFound(res);
+            return true;
+        }
         respondNotFound(res);
         return true;
     }
@@ -400,6 +405,12 @@ export function handlePublicChatHttpRequest(req, res, opts) {
         respondNotFound(res);
         return true;
     }
+    // Extract accountId from /public/chat/:accountId
+    const accountId = pathname.slice("/public/chat/".length).split("/")[0]?.trim();
+    if (!accountId || !/^[a-z0-9][a-z0-9_-]{0,63}$/i.test(accountId)) {
+        respondNotFound(res);
+        return true;
+    }
     const root = resolveControlUiRoot();
     if (!root) {
         res.statusCode = 503;
@@ -412,7 +423,7 @@ export function handlePublicChatHttpRequest(req, res, opts) {
         respondNotFound(res);
         return true;
     }
-    const publicAgentId = resolvePublicAgentId(config);
+    const publicAgentId = resolvePublicAgentId(config, accountId);
     const identity = resolveAssistantIdentity({ cfg: config, agentId: publicAgentId });
     // Only inject avatar if it resolves to an actual image URL/path (not a
     // single-letter fallback like "D" which would render as a broken <img>).
@@ -421,7 +432,7 @@ export function handlePublicChatHttpRequest(req, res, opts) {
         agentId: publicAgentId,
         basePath: "",
     });
-    const avatarValue = resolvedAvatar && (/^(https?:\/\/|data:image\/|\/)/i.test(resolvedAvatar))
+    const avatarValue = resolvedAvatar && /^(https?:\/\/|data:image\/|\/)/i.test(resolvedAvatar)
         ? resolvedAvatar
         : undefined;
     const authMode = config.publicChat.auth ?? "anonymous";
@@ -438,15 +449,23 @@ export function handlePublicChatHttpRequest(req, res, opts) {
         brandIconUrl,
         accentColor,
     });
-    // Inject public-chat globals
+    // Inject <base href="/"> right after <head> so relative asset paths (./assets/...)
+    // resolve from root. The URL is /public/chat/:accountId — 3 levels deep, so without
+    // <base> the browser would look for /public/chat/assets/... which doesn't exist.
+    // The <base> tag MUST appear before any tags that use relative URLs.
+    const headOpen = injected.indexOf("<head>");
+    const baseInjected = headOpen !== -1
+        ? `${injected.slice(0, headOpen + 6)}<base href="/">${injected.slice(headOpen + 6)}`
+        : injected;
+    // Inject public-chat globals before </head>
     const publicScript = `<script>` +
         `window.__TASKMASTER_PUBLIC_CHAT__=true;` +
-        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ auth: authMode, cookieTtlDays })};` +
+        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays })};` +
         `</script>`;
-    const headClose = injected.indexOf("</head>");
+    const headClose = baseInjected.indexOf("</head>");
     const withPublic = headClose !== -1
-        ? `${injected.slice(0, headClose)}${publicScript}${injected.slice(headClose)}`
-        : `${publicScript}${injected}`;
+        ? `${baseInjected.slice(0, headClose)}${publicScript}${baseInjected.slice(headClose)}`
+        : `${publicScript}${baseInjected}`;
     res.setHeader("Content-Type", "text/html; charset=utf-8");
     res.setHeader("Cache-Control", "no-cache");
     res.end(withPublic);
@@ -455,12 +474,13 @@ export function handlePublicChatHttpRequest(req, res, opts) {
 /** Widget script content — self-contained JS for embedding. */
 const WIDGET_SCRIPT = `(function(){
   "use strict";
-  var cfg={server:""};
+  var cfg={server:"",accountId:""};
   var isOpen=false;
   var btn,overlay,iframe;
 
   function init(opts){
     if(opts&&opts.server) cfg.server=opts.server.replace(/\\/$/,"");
+    if(opts&&opts.accountId) cfg.accountId=opts.accountId;
     build();
   }
 
@@ -495,7 +515,7 @@ const WIDGET_SCRIPT = `(function(){
     overlay.className="tm-widget-overlay";
     iframe=document.createElement("iframe");
     iframe.className="tm-widget-iframe";
-    iframe.src=cfg.server+"/public/chat";
+    iframe.src=cfg.server+"/public/chat/"+encodeURIComponent(cfg.accountId);
     overlay.appendChild(iframe);
     document.body.appendChild(overlay);
   }

package/dist/gateway/public-chat/session.js

@@ -1,24 +1,21 @@
 /**
  * Resolve public-chat session keys (anonymous and verified).
  *
- * The public agent is the agent handling WhatsApp DMs for the default account.
+ * The public agent is the agent handling unknown WhatsApp DMs for a given account.
+ * The account is determined by the URL path: /public/chat/:accountId.
  * Anonymous sessions use a cookie-based identifier; verified sessions use the
  * phone number so they share the same DM session as WhatsApp.
  */
-import { listBoundAccountIds } from "../../routing/bindings.js";
 import { resolveAgentRoute } from "../../routing/resolve-route.js";
 import { normalizeAgentId } from "../../routing/session-key.js";
 /**
- * Find the agent that handles public-facing WhatsApp DMs.
+ * Find the agent that handles public-facing WhatsApp DMs for the given account.
  *
  * Uses the same routing logic as WhatsApp itself: calls resolveAgentRoute
- * with a synthetic unknown-peer DM on the first WhatsApp account. This
- * guarantees the public chat routes to the exact same agent that handles
- * unknown WhatsApp DMs.
+ * with a synthetic unknown-peer DM. This guarantees the public chat routes
+ * to the exact same agent that handles unknown WhatsApp DMs for that account.
  */
-export function resolvePublicAgentId(cfg) {
-    const accountIds = listBoundAccountIds(cfg, "whatsapp");
-    const accountId = accountIds[0] ?? "default";
+export function resolvePublicAgentId(cfg, accountId) {
     const route = resolveAgentRoute({
         cfg,
         channel: "whatsapp",

package/dist/gateway/server/ws-connection/message-handler.js

@@ -660,6 +660,7 @@ export function attachGatewayWsMessageHandler(params) {
                         version: process.env.TASKMASTER_VERSION ?? process.env.npm_package_version ?? "dev",
                         commit: process.env.GIT_COMMIT,
                         host: os.hostname(),
+                        platform: os.platform(),
                         connId,
                     },
                     features: { methods: gatewayMethods, events },

package/dist/gateway/server-methods/chat.js

@@ -11,9 +11,7 @@ import { createReplyDispatcher } from "../../auto-reply/reply/reply-dispatcher.j
 import { extractShortModelName, } from "../../auto-reply/reply/response-prefix-template.js";
 import { resolveSendPolicy } from "../../sessions/send-policy.js";
 import { createInternalHookEvent, triggerInternalHook } from "../../hooks/internal-hooks.js";
-import { loadConfig as loadConfigFn } from "../../config/config.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../../utils/message-channel.js";
-import { resolvePublicAgentId } from "../public-chat/session.js";
 import { abortChatRunById, abortChatRunsForSessionKey, isChatStopCommandText, resolveChatRunExpiresAtMs, } from "../chat-abort.js";
 import { ErrorCodes, errorShape, formatValidationErrors, validateChatAbortParams, validateChatHistoryParams, validateChatInjectParams, validateChatSendParams, } from "../protocol/index.js";
 import { loadSessionEntry, readSessionMessages, resolveSessionModelRef } from "../session-utils.js";
@@ -127,10 +125,9 @@ function broadcastChatError(params) {
 function validatePublicSessionAccess(role, sessionKey) {
     if (role !== "public")
         return null;
-    const cfg = loadConfigFn();
-    const publicAgentId = resolvePublicAgentId(cfg);
-    const prefix = `agent:${publicAgentId}:dm:`;
-    if (!sessionKey.startsWith(prefix)) {
+    // Public clients can only access agent DM sessions (issued by public.session / public.otp.verify).
+    // Format: agent:{agentId}:dm:{identifier}
+    if (!/^agent:[^:]+:dm:/.test(sessionKey)) {
         return errorShape(ErrorCodes.INVALID_REQUEST, "unauthorized session key");
     }
     return null;

package/dist/gateway/server-methods/public-chat.js

@@ -10,6 +10,14 @@ import { buildPublicSessionKey, resolvePublicAgentId } from "../public-chat/sess
 function isValidPhone(phone) {
     return /^\+\d{7,15}$/.test(phone);
 }
+function validateAccountId(raw) {
+    if (typeof raw !== "string")
+        return null;
+    const trimmed = raw.trim();
+    if (!trimmed || !/^[a-z0-9][a-z0-9_-]{0,63}$/i.test(trimmed))
+        return null;
+    return trimmed;
+}
 export const publicChatHandlers = {
     /**
      * Request an OTP code — sends a 6-digit code to the given phone via WhatsApp.
@@ -43,12 +51,13 @@ export const publicChatHandlers = {
     },
     /**
      * Verify an OTP code and return the session key.
-     * Params: { phone: string, code: string, name?: string }
+     * Params: { phone: string, code: string, accountId: string, name?: string }
      */
     "public.otp.verify": async ({ params, respond }) => {
         const phone = typeof params.phone === "string" ? params.phone.trim() : "";
         const code = typeof params.code === "string" ? params.code.trim() : "";
         const name = typeof params.name === "string" ? params.name.trim() : undefined;
+        const accountId = validateAccountId(params.accountId);
         if (!phone || !isValidPhone(phone)) {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid phone number"));
             return;
@@ -57,6 +66,10 @@ export const publicChatHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "code required"));
             return;
         }
+        if (!accountId) {
+            respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "accountId required"));
+            return;
+        }
         const cfg = loadConfig();
         if (!cfg.publicChat?.enabled) {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "public chat disabled"));
@@ -73,7 +86,7 @@ export const publicChatHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, messages[result.error] ?? "verification failed"));
             return;
         }
-        const agentId = resolvePublicAgentId(cfg);
+        const agentId = resolvePublicAgentId(cfg, accountId);
         const sessionKey = buildPublicSessionKey(agentId, phone);
         respond(true, {
             ok: true,
@@ -85,20 +98,25 @@ export const publicChatHandlers = {
     },
     /**
      * Resolve a session key for anonymous public chat.
-     * Params: { cookieId: string }
+     * Params: { cookieId: string, accountId: string }
      */
     "public.session": async ({ params, respond }) => {
         const cookieId = typeof params.cookieId === "string" ? params.cookieId.trim() : "";
+        const accountId = validateAccountId(params.accountId);
         if (!cookieId || cookieId.length < 8 || cookieId.length > 128) {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid cookieId"));
             return;
         }
+        if (!accountId) {
+            respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "accountId required"));
+            return;
+        }
         const cfg = loadConfig();
         if (!cfg.publicChat?.enabled) {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "public chat disabled"));
             return;
         }
-        const agentId = resolvePublicAgentId(cfg);
+        const agentId = resolvePublicAgentId(cfg, accountId);
         const identifier = `anon-${cookieId}`;
         const sessionKey = buildPublicSessionKey(agentId, identifier);
         respond(true, {

package/dist/memory/embeddings.js

@@ -104,7 +104,7 @@ async function createLocalEmbeddingProvider(options) {
     else {
         const selected = selectDefaultLocalModel();
         modelPath = selected.model;
-        log.info(`selected tier ${selected.label} (system RAM: ${(os.totalmem() / (1024 ** 3)).toFixed(1)} GB)`);
+        log.info(`selected tier ${selected.label} (system RAM: ${(os.totalmem() / 1024 ** 3).toFixed(1)} GB)`);
     }
     const modelCacheDir = options.local?.modelCacheDir?.trim();
     // Lazy-load node-llama-cpp to keep startup light unless local is enabled.
@@ -213,9 +213,7 @@ export async function createEmbeddingProvider(options) {
         catch (err) {
             errors.push(formatLocalSetupError(err));
         }
-        throw new Error(errors.length > 0
-            ? errors.join("\n\n")
-            : "No embeddings provider available.");
+        throw new Error(errors.length > 0 ? errors.join("\n\n") : "No embeddings provider available.");
     }
     try {
         const primary = await createProvider(requestedProvider);

package/dist/memory/manager.js

@@ -515,7 +515,11 @@ export class MemoryIndexManager {
         const wrappedParams = {
             ...params,
             progress: (update) => {
-                this.syncProgress = { completed: update.completed, total: update.total };
+                this.syncProgress = {
+                    completed: update.completed,
+                    total: update.total,
+                    label: update.label,
+                };
                 outerProgress?.(update);
             },
         };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.0.68",
+  "version": "1.0.70",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/taskmaster-docs/USER-GUIDE.md

@@ -514,7 +514,7 @@ You get 1,000 free search credits per month — more than enough for daily busin
 4. **Copy the key** (it starts with `AIza`)
 5. Go to your Taskmaster **Setup** page, click the **API Keys** row, find **Google**, paste the key, and click **Save**
 
-The free tier is generous — no credit card required and sufficient for small business use.
+The free tier works for low-volume use (a handful of voice notes or images per day). For higher volumes, you'll need to enable billing in your Google Cloud account — see [Google AI pricing](https://ai.google.dev/pricing) for details.
 
 ---
 
@@ -533,7 +533,7 @@ All files are markdown (`.md`) — plain text with simple formatting. You can up
 
 When you add or change a file, your assistant picks it up automatically — no restart needed. The status light on the Files page turns red when files have changed since the last index, so you can see at a glance whether a re-index is needed.
 
-After a fresh install or upgrade, the embedding model downloads automatically (~640 MB for most devices, larger on devices with more RAM). During the download, a full-screen overlay blocks all navigation with a "Downloading embedding model" message — this is a one-time download and typically takes a few minutes. Memory search is unavailable until the download completes.
+After a fresh install or upgrade, the embedding model downloads automatically (~330 MB). During the download, a full-screen overlay blocks all navigation with a "Downloading embedding model" message — this is a one-time download and typically takes a few minutes. Memory search is unavailable until the download completes.
 
 When your assistant writes to **public/** or **shared/**, a shield icon appears in the navigation bar so you can review what was written (see [Data Safety Alert](#data-safety-alert) above).