@rubytech/taskmaster 1.0.76 → 1.0.77

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.0.76",
-  "commit": "5295efe0026f10b84e556b9bef3f4097a879e342",
-  "builtAt": "2026-02-20T17:49:56.005Z"
+  "version": "1.0.77",
+  "commit": "a548906950602227b575ddecaf6b1bd6f9ae576c",
+  "builtAt": "2026-02-20T20:56:14.369Z"
 }

package/dist/gateway/public-chat-api.js

@@ -0,0 +1,721 @@
+/**
+ * REST API for public chat — HTTP alternative to the WebSocket RPC protocol.
+ *
+ * Base path: /public/api/v1/:accountId/
+ *
+ * Endpoints:
+ *   POST /session        — create an anonymous session (returns sessionKey)
+ *   POST /otp/request    — request a WhatsApp OTP code
+ *   POST /otp/verify     — verify OTP and get a verified session (returns sessionKey)
+ *   POST /chat           — send a message, receive the agent reply (sync or SSE stream)
+ *   GET  /chat/history   — retrieve past messages for a session
+ *   POST /chat/abort     — cancel an in-progress agent run
+ *
+ * Authentication mirrors the public chat widget: anonymous sessions use a
+ * client-provided identity string; verified sessions use WhatsApp OTP.
+ * The sessionKey returned from /session or /otp/verify is passed via the
+ * X-Session-Key header on subsequent requests.
+ *
+ * The chat endpoint uses `dispatchInboundMessage` — the same full pipeline
+ * as the WebSocket `chat.send` handler — so filler messages, internal hooks,
+ * and media processing all work identically.
+ */
+import { randomUUID } from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { resolveAgentWorkspaceDir, resolveSessionAgentId } from "../agents/agent-scope.js";
+import { resolveEffectiveMessagesConfig, resolveIdentityName } from "../agents/identity.js";
+import { dispatchInboundMessage } from "../auto-reply/dispatch.js";
+import { createReplyDispatcher } from "../auto-reply/reply/reply-dispatcher.js";
+import { extractShortModelName, } from "../auto-reply/reply/response-prefix-template.js";
+import { loadConfig } from "../config/config.js";
+import { createInternalHookEvent, triggerInternalHook } from "../hooks/internal-hooks.js";
+import { emitAgentEvent, onAgentEvent } from "../infra/agent-events.js";
+import { INTERNAL_MESSAGE_CHANNEL } from "../utils/message-channel.js";
+import { requestOtp, verifyOtp } from "./public-chat/otp.js";
+import { deliverOtp } from "./public-chat/deliver-otp.js";
+import { buildPublicSessionKey, resolvePublicAgentId } from "./public-chat/session.js";
+import { loadSessionEntry, readSessionMessages } from "./session-utils.js";
+import { stripBase64ImagesFromMessages, stripEnvelopeFromMessages } from "./chat-sanitize.js";
+import { readJsonBodyOrError, sendInvalidRequest, sendJson, sendMethodNotAllowed, setSseHeaders, writeDone, } from "./http-common.js";
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const API_PREFIX = "/public/api/v1/";
+/** CORS headers for cross-origin REST clients. */
+function setCorsHeaders(res) {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Session-Key");
+    res.setHeader("Access-Control-Max-Age", "86400");
+}
+function sendNotFound(res) {
+    sendJson(res, 404, { error: { message: "Not Found", type: "not_found" } });
+}
+function sendForbidden(res, message) {
+    sendJson(res, 403, { error: { message, type: "forbidden" } });
+}
+function sendUnavailable(res, message) {
+    sendJson(res, 503, { error: { message, type: "unavailable" } });
+}
+/** Validate accountId format: alphanumeric, hyphens, underscores, 1–64 chars. */
+function validateAccountId(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed || !/^[a-z0-9][a-z0-9_-]{0,63}$/i.test(trimmed))
+        return null;
+    return trimmed;
+}
+/** Validate session key format: must be agent:*:dm:* (public DM sessions only). */
+function validateSessionKey(raw) {
+    if (!raw)
+        return null;
+    const trimmed = raw.trim();
+    if (!/^agent:[^:]+:dm:/.test(trimmed))
+        return null;
+    return trimmed;
+}
+function getSessionKeyHeader(req) {
+    const raw = req.headers["x-session-key"];
+    if (typeof raw === "string")
+        return raw.trim();
+    if (Array.isArray(raw))
+        return raw[0]?.trim();
+    return undefined;
+}
+/** Minimal phone format check: starts with +, digits only, 7–15 digits. */
+function isValidPhone(phone) {
+    return /^\+\d{7,15}$/.test(phone);
+}
+/** Strip spaces, dashes, and parentheses from a phone number. */
+function normalizePhone(raw) {
+    return raw.replace(/[\s\-()]/g, "");
+}
+/** Check whether the auth mode allows anonymous sessions. */
+function allowsAnonymous(cfg) {
+    const mode = cfg.publicChat?.auth ?? "anonymous";
+    return mode === "anonymous" || mode === "choice";
+}
+/** Check whether the auth mode allows OTP verification. */
+function allowsVerified(cfg) {
+    const mode = cfg.publicChat?.auth ?? "anonymous";
+    return mode === "verified" || mode === "choice";
+}
+function writeSse(res, data) {
+    res.write(`data: ${JSON.stringify(data)}\n\n`);
+}
+// ---------------------------------------------------------------------------
+// Attachment processing (mirrors WebSocket chat.send handler)
+// ---------------------------------------------------------------------------
+const IMAGE_EXT_MAP = {
+    "image/jpeg": ".jpg",
+    "image/png": ".png",
+    "image/gif": ".gif",
+    "image/webp": ".webp",
+    "image/heic": ".heic",
+    "image/heif": ".heif",
+    "image/svg+xml": ".svg",
+    "image/avif": ".avif",
+};
+function saveAttachments(attachments, uploadsDir) {
+    const imagePaths = [];
+    const imageTypes = [];
+    const docPaths = [];
+    for (const att of attachments) {
+        if (!att.content || typeof att.content !== "string")
+            continue;
+        const isDocument = att.type === "document";
+        if (isDocument) {
+            const safeName = (att.fileName ?? `file-${randomUUID().slice(0, 8)}`).replace(/[^a-zA-Z0-9._-]/g, "_");
+            const destPath = path.join(uploadsDir, safeName);
+            try {
+                fs.writeFileSync(destPath, Buffer.from(att.content, "base64"));
+                docPaths.push(destPath);
+            }
+            catch {
+                /* skip failed saves */
+            }
+        }
+        else {
+            try {
+                let b64 = att.content.trim();
+                const dataUrlMatch = /^data:[^;]+;base64,(.*)$/.exec(b64);
+                if (dataUrlMatch)
+                    b64 = dataUrlMatch[1];
+                const buffer = Buffer.from(b64, "base64");
+                const mimeBase = att.mimeType?.split(";")[0]?.trim();
+                const ext = (mimeBase && IMAGE_EXT_MAP[mimeBase]) ?? ".jpg";
+                const uuid = randomUUID();
+                let safeName;
+                if (att.fileName) {
+                    const base = path
+                        .parse(att.fileName)
+                        .name.replace(/[^a-zA-Z0-9._-]/g, "_")
+                        .slice(0, 60);
+                    safeName = base ? `${base}---${uuid}${ext}` : `${uuid}${ext}`;
+                }
+                else {
+                    safeName = `${uuid}${ext}`;
+                }
+                const destPath = path.join(uploadsDir, safeName);
+                fs.writeFileSync(destPath, buffer);
+                imagePaths.push(destPath);
+                imageTypes.push(mimeBase ?? "image/png");
+            }
+            catch {
+                /* skip failed saves */
+            }
+        }
+    }
+    return { imagePaths, imageTypes, docPaths };
+}
+// ---------------------------------------------------------------------------
+// Route: POST /session
+// ---------------------------------------------------------------------------
+async function handleSession(req, res, accountId, cfg, maxBodyBytes) {
+    if (req.method !== "POST") {
+        sendMethodNotAllowed(res);
+        return;
+    }
+    if (!allowsAnonymous(cfg)) {
+        sendForbidden(res, "anonymous sessions are disabled — use OTP verification");
+        return;
+    }
+    const body = await readJsonBodyOrError(req, res, maxBodyBytes);
+    if (body === undefined)
+        return;
+    const payload = (body && typeof body === "object" ? body : {});
+    const sessionId = typeof payload.session_id === "string" ? payload.session_id.trim() : "";
+    if (!sessionId || sessionId.length < 8 || sessionId.length > 128) {
+        sendInvalidRequest(res, "session_id must be 8–128 characters");
+        return;
+    }
+    if (!/^[a-zA-Z0-9_-]+$/.test(sessionId)) {
+        sendInvalidRequest(res, "session_id must contain only alphanumeric characters, hyphens, and underscores");
+        return;
+    }
+    const agentId = resolvePublicAgentId(cfg, accountId);
+    const identifier = `anon-${sessionId}`;
+    const sessionKey = buildPublicSessionKey(agentId, identifier);
+    sendJson(res, 200, { session_key: sessionKey, agent_id: agentId });
+}
+// ---------------------------------------------------------------------------
+// Route: POST /otp/request
+// ---------------------------------------------------------------------------
+async function handleOtpRequest(req, res, _accountId, cfg, maxBodyBytes) {
+    if (req.method !== "POST") {
+        sendMethodNotAllowed(res);
+        return;
+    }
+    if (!allowsVerified(cfg)) {
+        sendForbidden(res, "OTP verification is disabled for this account");
+        return;
+    }
+    const body = await readJsonBodyOrError(req, res, maxBodyBytes);
+    if (body === undefined)
+        return;
+    const payload = (body && typeof body === "object" ? body : {});
+    const phone = typeof payload.phone === "string" ? normalizePhone(payload.phone.trim()) : "";
+    if (!phone || !isValidPhone(phone)) {
+        sendInvalidRequest(res, "invalid phone number — use E.164 format (e.g. +447123456789)");
+        return;
+    }
+    const result = requestOtp(phone);
+    if (!result.ok) {
+        sendJson(res, 429, {
+            error: { message: "rate limited — try again shortly", type: "rate_limited" },
+            retry_after_ms: result.retryAfterMs,
+        });
+        return;
+    }
+    try {
+        await deliverOtp(phone, result.code);
+    }
+    catch {
+        sendUnavailable(res, "failed to send verification code — is WhatsApp connected?");
+        return;
+    }
+    sendJson(res, 200, { ok: true });
+}
+// ---------------------------------------------------------------------------
+// Route: POST /otp/verify
+// ---------------------------------------------------------------------------
+async function handleOtpVerify(req, res, accountId, cfg, maxBodyBytes) {
+    if (req.method !== "POST") {
+        sendMethodNotAllowed(res);
+        return;
+    }
+    if (!allowsVerified(cfg)) {
+        sendForbidden(res, "OTP verification is disabled for this account");
+        return;
+    }
+    const body = await readJsonBodyOrError(req, res, maxBodyBytes);
+    if (body === undefined)
+        return;
+    const payload = (body && typeof body === "object" ? body : {});
+    const phone = typeof payload.phone === "string" ? normalizePhone(payload.phone.trim()) : "";
+    const code = typeof payload.code === "string" ? payload.code.trim() : "";
+    const name = typeof payload.name === "string" ? payload.name.trim() : undefined;
+    if (!phone || !isValidPhone(phone)) {
+        sendInvalidRequest(res, "invalid phone number");
+        return;
+    }
+    if (!code) {
+        sendInvalidRequest(res, "code is required");
+        return;
+    }
+    const result = verifyOtp(phone, code);
+    if (!result.ok) {
+        const messages = {
+            not_found: "no pending verification for this number",
+            expired: "verification code expired",
+            max_attempts: "too many attempts — request a new code",
+            invalid: "incorrect code",
+        };
+        sendJson(res, 400, {
+            error: {
+                message: messages[result.error] ?? "verification failed",
+                type: result.error,
+            },
+        });
+        return;
+    }
+    const agentId = resolvePublicAgentId(cfg, accountId);
+    const sessionKey = buildPublicSessionKey(agentId, phone);
+    sendJson(res, 200, {
+        session_key: sessionKey,
+        agent_id: agentId,
+        phone,
+        ...(name ? { name } : {}),
+    });
+}
+// ---------------------------------------------------------------------------
+// Route: POST /chat — uses dispatchInboundMessage (full pipeline)
+// ---------------------------------------------------------------------------
+async function handleChat(req, res, _accountId, cfg, maxBodyBytes) {
+    if (req.method !== "POST") {
+        sendMethodNotAllowed(res);
+        return;
+    }
+    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    if (!sessionKey) {
+        sendInvalidRequest(res, "X-Session-Key header required (obtain from /session or /otp/verify)");
+        return;
+    }
+    const body = await readJsonBodyOrError(req, res, maxBodyBytes);
+    if (body === undefined)
+        return;
+    const payload = (body && typeof body === "object" ? body : {});
+    const message = typeof payload.message === "string" ? payload.message.trim() : "";
+    const stream = Boolean(payload.stream);
+    const rawAttachments = Array.isArray(payload.attachments)
+        ? payload.attachments
+        : [];
+    if (!message && rawAttachments.length === 0) {
+        sendInvalidRequest(res, "message or attachment required");
+        return;
+    }
+    const runId = `pub_${randomUUID()}`;
+    const now = Date.now();
+    // --- Save attachments to workspace uploads dir ---
+    let savedImagePaths = [];
+    let savedImageTypes = [];
+    let savedDocPaths = [];
+    const normalizedAttachments = rawAttachments
+        .map((a) => ({
+        type: typeof a?.type === "string" ? a.type : undefined,
+        mimeType: typeof a?.mimeType === "string" ? a.mimeType : undefined,
+        fileName: typeof a?.fileName === "string" ? a.fileName : undefined,
+        content: typeof a?.content === "string" ? a.content : undefined,
+    }))
+        .filter((a) => a.content);
+    if (normalizedAttachments.length > 0) {
+        const agentId = resolveSessionAgentId({ sessionKey, config: cfg });
+        const workspaceDir = resolveAgentWorkspaceDir(cfg, agentId);
+        const uploadsDir = path.join(workspaceDir, "uploads");
+        try {
+            fs.mkdirSync(uploadsDir, { recursive: true });
+        }
+        catch {
+            /* ignore if exists */
+        }
+        const saved = saveAttachments(normalizedAttachments, uploadsDir);
+        savedImagePaths = saved.imagePaths;
+        savedImageTypes = saved.imageTypes;
+        savedDocPaths = saved.docPaths;
+    }
+    // --- Build MsgContext (same shape as WebSocket chat.send) ---
+    const docNote = savedDocPaths.length > 0 ? savedDocPaths.map((p) => `[file: ${p}]`).join("\n") + "\n\n" : "";
+    const messageWithDocs = docNote + message;
+    const ctx = {
+        Body: messageWithDocs,
+        BodyForAgent: messageWithDocs,
+        BodyForCommands: messageWithDocs,
+        RawBody: messageWithDocs,
+        CommandBody: messageWithDocs,
+        SessionKey: sessionKey,
+        Provider: INTERNAL_MESSAGE_CHANNEL,
+        Surface: INTERNAL_MESSAGE_CHANNEL,
+        OriginatingChannel: INTERNAL_MESSAGE_CHANNEL,
+        ChatType: "direct",
+        CommandAuthorized: false, // public clients never have command authority
+        MessageSid: runId,
+        MediaPaths: savedImagePaths.length > 0 ? savedImagePaths : undefined,
+        MediaPath: savedImagePaths[0],
+        MediaTypes: savedImageTypes.length > 0 ? savedImageTypes : undefined,
+        MediaType: savedImageTypes[0],
+    };
+    const agentId = resolveSessionAgentId({ sessionKey, config: cfg });
+    // --- Fire message:inbound hook for conversation archiving ---
+    const imageNote = savedImagePaths.length > 0 ? savedImagePaths.map((ip) => `[image: ${ip}]`).join("\n") : "";
+    const archiveText = [message, imageNote].filter(Boolean).join("\n").trim();
+    void triggerInternalHook(createInternalHookEvent("message", "inbound", sessionKey, {
+        text: archiveText || undefined,
+        timestamp: now,
+        chatType: "direct",
+        agentId,
+        channel: "webchat",
+        cfg,
+    }));
+    // --- Set up response prefix context ---
+    let prefixContext = {
+        identityName: resolveIdentityName(cfg, agentId),
+    };
+    // --- Dispatch via the full pipeline ---
+    const abortController = new AbortController();
+    const finalReplyParts = [];
+    let agentRunStarted = false;
+    if (!stream) {
+        // ---- Synchronous mode ----
+        try {
+            const dispatcher = createReplyDispatcher({
+                responsePrefix: resolveEffectiveMessagesConfig(cfg, agentId).responsePrefix,
+                responsePrefixContextProvider: () => prefixContext,
+                onError: () => { },
+                deliver: async (replyPayload, info) => {
+                    const text = replyPayload.text?.trim() ?? "";
+                    if (!text)
+                        return;
+                    if (info.kind === "final")
+                        finalReplyParts.push(text);
+                },
+            });
+            await dispatchInboundMessage({
+                ctx,
+                cfg,
+                dispatcher,
+                replyOptions: {
+                    runId,
+                    abortSignal: abortController.signal,
+                    disableBlockStreaming: true,
+                    onAgentRunStart: () => {
+                        agentRunStarted = true;
+                    },
+                    onModelSelected: (modelCtx) => {
+                        prefixContext.provider = modelCtx.provider;
+                        prefixContext.model = extractShortModelName(modelCtx.model);
+                        prefixContext.modelFull = `${modelCtx.provider}/${modelCtx.model}`;
+                        prefixContext.thinkingLevel = modelCtx.thinkLevel ?? "off";
+                    },
+                },
+            });
+            // Wait for any queued reply delivery to complete.
+            await dispatcher.waitForIdle();
+            const combinedReply = finalReplyParts
+                .map((part) => part.trim())
+                .filter(Boolean)
+                .join("\n\n")
+                .trim();
+            // Fire message:outbound hook
+            if (combinedReply) {
+                void triggerInternalHook(createInternalHookEvent("message", "outbound", sessionKey, {
+                    text: combinedReply,
+                    timestamp: Date.now(),
+                    chatType: "direct",
+                    agentId,
+                    channel: "webchat",
+                    cfg,
+                }));
+            }
+            sendJson(res, 200, {
+                id: runId,
+                session_key: sessionKey,
+                message: combinedReply || null,
+                created: Math.floor(Date.now() / 1000),
+            });
+        }
+        catch (err) {
+            sendJson(res, 500, {
+                error: { message: String(err), type: "agent_error" },
+            });
+        }
+        return;
+    }
+    // ---- Streaming mode: SSE ----
+    setCorsHeaders(res);
+    setSseHeaders(res);
+    let closed = false;
+    // Listen for agent streaming events (text deltas, thinking, lifecycle).
+    const unsubscribe = onAgentEvent((evt) => {
+        if (evt.runId !== runId)
+            return;
+        if (closed)
+            return;
+        if (evt.stream === "assistant") {
+            const delta = evt.data?.delta;
+            const text = evt.data?.text;
+            const content = typeof delta === "string" ? delta : typeof text === "string" ? text : "";
+            if (!content)
+                return;
+            writeSse(res, { id: runId, type: "delta", content });
+            return;
+        }
+        if (evt.stream === "thinking") {
+            const text = evt.data?.text;
+            if (typeof text === "string" && text) {
+                writeSse(res, { id: runId, type: "thinking", content: text });
+            }
+            return;
+        }
+        if (evt.stream === "lifecycle") {
+            const phase = evt.data?.phase;
+            if (phase === "end" || phase === "error") {
+                if (!closed) {
+                    closed = true;
+                    unsubscribe();
+                    writeDone(res);
+                    res.end();
+                }
+            }
+        }
+    });
+    req.on("close", () => {
+        if (!closed) {
+            closed = true;
+            unsubscribe();
+            abortController.abort();
+        }
+    });
+    const dispatcher = createReplyDispatcher({
+        responsePrefix: resolveEffectiveMessagesConfig(cfg, agentId).responsePrefix,
+        responsePrefixContextProvider: () => prefixContext,
+        onError: () => { },
+        deliver: async (replyPayload, info) => {
+            if (closed)
+                return;
+            const text = replyPayload.text?.trim() ?? "";
+            if (!text)
+                return;
+            if (info.kind === "block") {
+                // Filler/block message — stream as a distinct event type.
+                writeSse(res, { id: runId, type: "filler", content: text });
+                return;
+            }
+            if (info.kind === "final") {
+                finalReplyParts.push(text);
+            }
+        },
+    });
+    void (async () => {
+        try {
+            await dispatchInboundMessage({
+                ctx,
+                cfg,
+                dispatcher,
+                replyOptions: {
+                    runId,
+                    abortSignal: abortController.signal,
+                    onAgentRunStart: () => {
+                        agentRunStarted = true;
+                    },
+                    onModelSelected: (modelCtx) => {
+                        prefixContext.provider = modelCtx.provider;
+                        prefixContext.model = extractShortModelName(modelCtx.model);
+                        prefixContext.modelFull = `${modelCtx.provider}/${modelCtx.model}`;
+                        prefixContext.thinkingLevel = modelCtx.thinkLevel ?? "off";
+                    },
+                },
+            });
+            await dispatcher.waitForIdle();
+            if (closed)
+                return;
+            // If no agent run started (inline action / command), the response came
+            // through the dispatcher's deliver callback. Emit it as a final message
+            // so the client receives it.
+            if (!agentRunStarted) {
+                const combinedReply = finalReplyParts
+                    .map((part) => part.trim())
+                    .filter(Boolean)
+                    .join("\n\n")
+                    .trim();
+                if (combinedReply) {
+                    writeSse(res, { id: runId, type: "message.final", content: combinedReply });
+                }
+            }
+            // Fire message:outbound hook
+            const outboundText = finalReplyParts.join("\n\n").trim();
+            if (outboundText) {
+                void triggerInternalHook(createInternalHookEvent("message", "outbound", sessionKey, {
+                    text: outboundText,
+                    timestamp: Date.now(),
+                    chatType: "direct",
+                    agentId,
+                    channel: "webchat",
+                    cfg,
+                }));
+            }
+        }
+        catch (err) {
+            if (closed)
+                return;
+            writeSse(res, { id: runId, type: "error", error: String(err) });
+            emitAgentEvent({
+                runId,
+                stream: "lifecycle",
+                data: { phase: "error" },
+            });
+        }
+        finally {
+            if (!closed) {
+                closed = true;
+                unsubscribe();
+                writeDone(res);
+                res.end();
+            }
+        }
+    })();
+}
+// ---------------------------------------------------------------------------
+// Route: GET /chat/history
+// ---------------------------------------------------------------------------
+async function handleChatHistory(req, res) {
+    if (req.method !== "GET") {
+        sendMethodNotAllowed(res, "GET");
+        return;
+    }
+    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    if (!sessionKey) {
+        sendInvalidRequest(res, "X-Session-Key header required");
+        return;
+    }
+    const { storePath, entry } = loadSessionEntry(sessionKey);
+    const sessionId = entry?.sessionId;
+    let rawMessages = [];
+    if (entry && storePath) {
+        // Stitch previous sessions + current session into one continuous history.
+        const previous = entry.previousSessions ?? [];
+        for (const prev of previous) {
+            if (!prev.sessionId)
+                continue;
+            const msgs = readSessionMessages(prev.sessionId, storePath, prev.sessionFile);
+            if (msgs.length > 0)
+                rawMessages.push(...msgs);
+        }
+        if (sessionId) {
+            const current = readSessionMessages(sessionId, storePath, entry.sessionFile);
+            rawMessages.push(...current);
+        }
+    }
+    // Apply limits and sanitize (same as the WebSocket chat.history handler).
+    const url = new URL(req.url ?? "/", `http://${req.headers.host || "localhost"}`);
+    const limitParam = url.searchParams.get("limit");
+    const requested = limitParam ? Math.min(10_000, Math.max(1, Number(limitParam) || 5000)) : 5000;
+    const messages = rawMessages.length > requested ? rawMessages.slice(-requested) : rawMessages;
+    const sanitized = stripEnvelopeFromMessages(stripBase64ImagesFromMessages(messages));
+    sendJson(res, 200, {
+        session_key: sessionKey,
+        messages: sanitized,
+    });
+}
+// ---------------------------------------------------------------------------
+// Route: POST /chat/abort
+// ---------------------------------------------------------------------------
+async function handleChatAbort(req, res, maxBodyBytes) {
+    if (req.method !== "POST") {
+        sendMethodNotAllowed(res);
+        return;
+    }
+    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    if (!sessionKey) {
+        sendInvalidRequest(res, "X-Session-Key header required");
+        return;
+    }
+    const body = await readJsonBodyOrError(req, res, maxBodyBytes);
+    if (body === undefined)
+        return;
+    const payload = (body && typeof body === "object" ? body : {});
+    const runId = typeof payload.run_id === "string" ? payload.run_id.trim() : undefined;
+    // Emit a lifecycle error event — terminates any in-flight SSE stream and
+    // causes the agent runner to detect abort via the abort signal.
+    if (runId) {
+        emitAgentEvent({
+            runId,
+            stream: "lifecycle",
+            data: { phase: "error", error: "aborted via REST API" },
+        });
+    }
+    sendJson(res, 200, { ok: true, run_id: runId ?? null });
+}
+// ---------------------------------------------------------------------------
+// Main handler
+// ---------------------------------------------------------------------------
+/**
+ * Handle all `/public/api/v1/:accountId/*` HTTP requests.
+ *
+ * Returns `true` if the request was handled (response written), `false` if
+ * the URL doesn't match and should fall through to the next handler.
+ */
+export async function handlePublicChatApiRequest(req, res, opts) {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host || "localhost"}`);
+    if (!url.pathname.startsWith(API_PREFIX))
+        return false;
+    const maxBodyBytes = opts?.maxBodyBytes ?? 1024 * 1024;
+    // CORS preflight
+    setCorsHeaders(res);
+    if (req.method === "OPTIONS") {
+        res.statusCode = 204;
+        res.end();
+        return true;
+    }
+    // Parse: /public/api/v1/:accountId/:route
+    const rest = url.pathname.slice(API_PREFIX.length); // e.g. "myaccount/chat"
+    const slashIdx = rest.indexOf("/");
+    const rawAccountId = slashIdx >= 0 ? rest.slice(0, slashIdx) : rest;
+    const route = slashIdx >= 0 ? rest.slice(slashIdx + 1).replace(/\/+$/, "") : "";
+    const accountId = validateAccountId(rawAccountId);
+    if (!accountId) {
+        sendInvalidRequest(res, "invalid or missing accountId in URL");
+        return true;
+    }
+    const cfg = loadConfig();
+    if (!cfg.publicChat?.enabled) {
+        sendJson(res, 404, {
+            error: { message: "public chat is not enabled", type: "not_found" },
+        });
+        return true;
+    }
+    // CORS headers on all responses
+    setCorsHeaders(res);
+    switch (route) {
+        case "session":
+            await handleSession(req, res, accountId, cfg, maxBodyBytes);
+            return true;
+        case "otp/request":
+            await handleOtpRequest(req, res, accountId, cfg, maxBodyBytes);
+            return true;
+        case "otp/verify":
+            await handleOtpVerify(req, res, accountId, cfg, maxBodyBytes);
+            return true;
+        case "chat":
+            await handleChat(req, res, accountId, cfg, maxBodyBytes);
+            return true;
+        case "chat/history":
+            await handleChatHistory(req, res);
+            return true;
+        case "chat/abort":
+            await handleChatAbort(req, res, maxBodyBytes);
+            return true;
+        default:
+            sendNotFound(res);
+            return true;
+    }
+}

package/dist/gateway/server-http.js

@@ -6,6 +6,7 @@ import { handleSlackHttpRequest } from "../slack/http/index.js";
 import { createCloudApiWebhookHandler } from "../web/providers/cloud/webhook-http.js";
 import { resolveAgentAvatar } from "../agents/identity-avatar.js";
 import { handleBrandIconRequest, handleControlUiAvatarRequest, handleControlUiHttpRequest, handlePublicChatHttpRequest, handlePublicWidgetRequest, } from "./control-ui.js";
+import { handlePublicChatApiRequest } from "./public-chat-api.js";
 import { isLicensed } from "../license/state.js";
 import { getEffectiveTrustedProxies, isExternalRequest } from "./net.js";
 import { extractHookToken, getHookChannelError, normalizeAgentPayload, normalizeHookHeaders, normalizeWakePayload, readJsonBody, resolveHookChannel, resolveHookDeliver, } from "./hooks.js";
@@ -154,6 +155,8 @@ export function createGatewayHttpServer(opts) {
             const configSnapshot = loadConfig();
             // Public chat routes — served before license enforcement so public visitors
             // are never redirected to /setup.
+            if (await handlePublicChatApiRequest(req, res))
+                return;
             if (handlePublicChatHttpRequest(req, res, { config: configSnapshot }))
                 return;
             if (handlePublicWidgetRequest(req, res, { config: configSnapshot }))

package/dist/memory/embeddings.js

@@ -13,7 +13,7 @@ import { importNodeLlamaCpp } from "./node-llama.js";
  * runaway memory consumption (40-76 GB) on Intel x64 Mac + AMD GPU.
  */
 const DEFAULT_LOCAL_MODEL = {
-    model: "hf:ggml-org/embeddinggemma-300M-Q8_0-GGUF/embeddinggemma-300M-Q8_0.gguf",
+    model: "hf:ggml-org/embeddinggemma-300M-GGUF/embeddinggemma-300M-Q8_0.gguf",
     label: "embeddinggemma-300M",
 };
 function selectDefaultLocalModel() {

package/dist/plugins/bundled-dir.js

@@ -2,15 +2,20 @@ import fs from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 export function resolveBundledPluginsDir() {
+    return resolveBundledPluginsDirDetailed().dir;
+}
+export function resolveBundledPluginsDirDetailed() {
+    const triedPaths = [];
     const override = process.env.TASKMASTER_BUNDLED_PLUGINS_DIR?.trim();
     if (override)
-        return override;
+        return { dir: override, source: "env" };
     // bun --compile: ship a sibling `extensions/` next to the executable.
     try {
         const execDir = path.dirname(process.execPath);
         const sibling = path.join(execDir, "extensions");
+        triedPaths.push(sibling);
         if (fs.existsSync(sibling))
-            return sibling;
+            return { dir: sibling, source: "exec-sibling" };
     }
     catch {
         // ignore
@@ -20,8 +25,9 @@ export function resolveBundledPluginsDir() {
         let cursor = path.dirname(fileURLToPath(import.meta.url));
         for (let i = 0; i < 6; i += 1) {
             const candidate = path.join(cursor, "extensions");
+            triedPaths.push(candidate);
             if (fs.existsSync(candidate))
-                return candidate;
+                return { dir: candidate, source: "walk-up" };
             const parent = path.dirname(cursor);
             if (parent === cursor)
                 break;
@@ -31,5 +37,5 @@ export function resolveBundledPluginsDir() {
     catch {
         // ignore
     }
-    return undefined;
+    return { dir: undefined, triedPaths };
 }

package/dist/plugins/discovery.js

@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import { resolveConfigDir, resolveUserPath } from "../utils.js";
-import { resolveBundledPluginsDir } from "./bundled-dir.js";
+import { resolveBundledPluginsDirDetailed } from "./bundled-dir.js";
 const EXTENSION_EXTS = new Set([".ts", ".js", ".mts", ".cts", ".mjs", ".cjs"]);
 function isExtensionFile(filePath) {
     const ext = path.extname(filePath);
@@ -262,15 +262,22 @@ export function discoverTaskmasterPlugins(params) {
         diagnostics,
         seen,
     });
-    const bundledDir = resolveBundledPluginsDir();
-    if (bundledDir) {
+    const bundled = resolveBundledPluginsDirDetailed();
+    if (bundled.dir) {
         discoverInDirectory({
-            dir: bundledDir,
+            dir: bundled.dir,
             origin: "bundled",
             candidates,
             diagnostics,
             seen,
         });
     }
+    else {
+        diagnostics.push({
+            level: "warn",
+            message: `bundled extensions dir not resolved${bundled.triedPaths?.length ? ` (tried: ${bundled.triedPaths.join(", ")})` : ""}`,
+            source: "bundled-dir",
+        });
+    }
     return { candidates, diagnostics };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.0.76",
+  "version": "1.0.77",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"