@rubytech/taskmaster 1.0.80 → 1.0.82

package/dist/agents/workspace.js

@@ -132,7 +132,12 @@ export async function ensureAgentWorkspace(params) {
         .access(bootstrapDonePath)
         .then(() => true)
         .catch(() => false);
-    if (!bootstrapDone) {
+    // Only write BOOTSTRAP.md for brand-new workspaces.  If other workspace
+    // files already exist (IDENTITY.md, SOUL.md, etc.) the workspace has been
+    // bootstrapped — don't re-create BOOTSTRAP.md even if .bootstrap-done is
+    // missing.  This prevents the onboarding flow from re-activating after a
+    // restart, session reset, or AI failure to write the sentinel.
+    if (!bootstrapDone && isBrandNewWorkspace) {
         await writeFileIfMissing(bootstrapPath, bootstrapTemplate);
     }
     await ensureGitRepo(dir, isBrandNewWorkspace);
@@ -179,8 +184,19 @@ export async function loadWorkspaceBootstrapFiles(dir) {
             filePath: path.join(resolvedDir, DEFAULT_BOOTSTRAP_FILENAME),
         },
     ];
+    // If .bootstrap-done exists, treat BOOTSTRAP.md as absent so the onboarding
+    // flow is never injected into agent context on a bootstrapped workspace.
+    const bootstrapDonePath = path.join(resolvedDir, BOOTSTRAP_DONE_SENTINEL);
+    const bootstrapDone = await fs
+        .access(bootstrapDonePath)
+        .then(() => true)
+        .catch(() => false);
     const result = [];
     for (const entry of entries) {
+        if (bootstrapDone && entry.name === DEFAULT_BOOTSTRAP_FILENAME) {
+            result.push({ name: entry.name, path: entry.filePath, missing: true });
+            continue;
+        }
         try {
             const content = await fs.readFile(entry.filePath, "utf-8");
             result.push({

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.0.80",
-  "commit": "4b23b81707c4c708452321ea22668367d4337662",
-  "builtAt": "2026-02-20T21:20:38.650Z"
+  "version": "1.0.82",
+  "commit": "4707adc4b128245c2e265a9e6fec6b2d0315ad08",
+  "builtAt": "2026-02-20T22:56:04.720Z"
 }

package/dist/gateway/server-methods/files.js

@@ -6,9 +6,19 @@ import { ErrorCodes, errorShape } from "../protocol/index.js";
 const MAX_PREVIEW_BYTES = 256 * 1024; // 256 KB for preview
 const MAX_DOWNLOAD_BYTES = 5 * 1024 * 1024; // 5 MB for download
 const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // 5 MB for upload
+/**
+ * Multi-agent workspaces set each agent's workspace to a subdirectory
+ * (e.g. ~/taskmaster/agents/admin).  The files page should show the
+ * workspace root (~/taskmaster), not the agent subdir.
+ */
+function stripAgentSubdir(agentWorkspaceDir) {
+    const normalised = agentWorkspaceDir.replace(/\/+$/, "");
+    const match = normalised.match(/^(.+)\/agents\/[^/]+$/);
+    return match ? match[1] : normalised;
+}
 function resolveWorkspaceRoot() {
     const cfg = loadConfig();
-    return resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
+    return stripAgentSubdir(resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg)));
 }
 /**
  * Resolve workspace root from request params.
@@ -20,7 +30,7 @@ function resolveWorkspaceForRequest(params) {
     if (!agentId)
         return resolveWorkspaceRoot();
     const cfg = loadConfig();
-    return resolveAgentWorkspaceDir(cfg, agentId);
+    return stripAgentSubdir(resolveAgentWorkspaceDir(cfg, agentId));
 }
 /**
  * Validate and resolve a relative path within the workspace.

package/dist/gateway/server-methods/web.js

@@ -4,6 +4,15 @@ import { ErrorCodes, errorShape, formatValidationErrors, validateWebLoginStartPa
 import { formatForLog } from "../ws-log.js";
 const WEB_LOGIN_METHODS = new Set(["web.login.start", "web.login.wait"]);
 const resolveWebLoginProvider = () => listChannelPlugins().find((plugin) => (plugin.gatewayMethods ?? []).some((method) => WEB_LOGIN_METHODS.has(method))) ?? null;
+/**
+ * Given an admin agent ID, find the matching public agent.
+ * "admin" → "public", "foo-admin" → "foo-public".
+ */
+function resolvePublicCounterpart(adminAgentId, agents) {
+    const lower = adminAgentId.toLowerCase();
+    const target = lower === "admin" ? "public" : adminAgentId.replace(/-admin$/i, "-public");
+    return agents.find((a) => (a.id ?? "").toLowerCase() === target.toLowerCase())?.id ?? undefined;
+}
 /**
  * After a successful WhatsApp QR pairing, auto-create a paired admin binding
  * for the self phone number.  This is the single code path for all businesses:
@@ -101,9 +110,31 @@ async function ensurePairedAdminBinding(selfPhone, accountId) {
             },
             meta: { paired: true },
         };
+        const newBindings = [newBinding];
+        // Ensure a channel-level catch-all for the public agent so unbound DMs
+        // route to public, not admin.  Without this, the routing default fallback
+        // sends every unknown phone number to admin.
+        const publicAgentId = resolvePublicCounterpart(adminAgentId, agents);
+        if (publicAgentId) {
+            const hasPublicCatchAll = bindings.some((b) => b.agentId === publicAgentId &&
+                b.match.channel === "whatsapp" &&
+                !b.match.peer &&
+                !b.match.guildId &&
+                !b.match.teamId);
+            if (!hasPublicCatchAll) {
+                newBindings.push({
+                    agentId: publicAgentId,
+                    match: {
+                        channel: "whatsapp",
+                        ...(accountId ? { accountId } : {}),
+                    },
+                });
+                console.log(`[web] ensurePairedAdminBinding: created catch-all binding for ${publicAgentId} (account=${effectiveAccount})`);
+            }
+        }
         const updatedCfg = {
             ...cfg,
-            bindings: [...bindings, newBinding],
+            bindings: [...bindings, ...newBindings],
         };
         await writeConfigFile(updatedCfg);
         console.log(`[web] ensurePairedAdminBinding: created paired binding for ${adminAgentId} → ${selfPhone} (account=${effectiveAccount})`);

package/dist/routing/resolve-route.js

@@ -1,4 +1,4 @@
-import { resolveDefaultAgentId } from "../agents/agent-scope.js";
+import { resolveDefaultAgentId, listAgentIds } from "../agents/agent-scope.js";
 import { listBindings } from "./bindings.js";
 import { buildAgentMainSessionKey, buildAgentPeerSessionKey, DEFAULT_ACCOUNT_ID, DEFAULT_MAIN_KEY, normalizeAgentId, sanitizeAgentId, } from "./session-key.js";
 export { DEFAULT_ACCOUNT_ID, DEFAULT_AGENT_ID } from "./session-key.js";
@@ -136,5 +136,28 @@ export function resolveAgentRoute(input) {
     const anyAccountMatch = bindings.find((b) => b.match?.accountId?.trim() === "*" && !b.match?.peer && !b.match?.guildId && !b.match?.teamId);
     if (anyAccountMatch)
         return choose(anyAccountMatch.agentId, "binding.channel");
-    return choose(resolveDefaultAgentId(input.cfg), "default");
+    // Admin agents should only be reached via explicit peer binding.
+    // When falling to default for a DM, prefer a public counterpart so that
+    // unbound phone numbers never route to admin.
+    const defaultId = resolveDefaultAgentId(input.cfg);
+    if (peer) {
+        const publicFallback = resolvePublicFallback(input.cfg, defaultId);
+        if (publicFallback)
+            return choose(publicFallback, "default");
+    }
+    return choose(defaultId, "default");
+}
+/**
+ * When the default agent is an admin agent and a public counterpart exists,
+ * return the public agent ID.  This prevents unbound DMs from reaching admin.
+ */
+function resolvePublicFallback(cfg, defaultId) {
+    const lower = defaultId.toLowerCase();
+    const isAdmin = lower === "admin" || lower.endsWith("-admin");
+    if (!isAdmin)
+        return undefined;
+    const allIds = listAgentIds(cfg);
+    // "foo-admin" → "foo-public"; "admin" → "public"
+    const publicId = lower === "admin" ? "public" : defaultId.replace(/-admin$/i, "-public");
+    return allIds.find((id) => id.toLowerCase() === publicId.toLowerCase());
 }

package/dist/web/auth-store.js

@@ -107,8 +107,17 @@ async function clearLegacyBaileysAuthState(authDir) {
 export async function logoutWeb(params) {
     const runtime = params.runtime ?? defaultRuntime;
     const resolvedAuthDir = resolveUserPath(params.authDir ?? resolveDefaultWebAuthDir());
-    const exists = await webAuthExists(resolvedAuthDir);
-    if (!exists) {
+    // Check whether the auth directory exists on disk — not whether creds are
+    // valid JSON.  Corrupt or partial state must still be cleaned up.
+    let dirExists = false;
+    try {
+        await fs.access(resolvedAuthDir);
+        dirExists = true;
+    }
+    catch {
+        // directory doesn't exist
+    }
+    if (!dirExists) {
         runtime.log(info("No WhatsApp Web session found; nothing to delete."));
         return false;
     }

package/dist/web/login-qr.js

@@ -79,14 +79,14 @@ export async function startWebLoginWithQr(opts = {}) {
             message: `WhatsApp is already linked (${who}). Say "relink" if you want a fresh QR.`,
         };
     }
-    // Force mode: clear stale credentials before generating new QR
-    if (hasWeb && opts.force) {
-        await logoutWeb({
-            authDir: account.authDir,
-            isLegacyAuthDir: account.isLegacyAuthDir,
-            runtime,
-        });
-    }
+    // Always clear credentials before generating a new QR.  Even when
+    // webAuthExists() returns false, corrupt or partial files may remain on disk
+    // and cause Baileys to generate QR codes that WhatsApp rejects.
+    await logoutWeb({
+        authDir: account.authDir,
+        isLegacyAuthDir: account.isLegacyAuthDir,
+        runtime,
+    });
     const existing = activeLogins.get(account.accountId);
     if (existing && isLoginFresh(existing) && existing.qrDataUrl) {
         return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.0.80",
+  "version": "1.0.82",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/scripts/install.sh

@@ -42,6 +42,16 @@ case "$OS" in
 esac
 echo "Platform: $PLATFORM ($OS)"
 
+# ── Helper: run a command as root (uses sudo if not already root) ────────────
+
+as_root() {
+  if [ "$(id -u)" = "0" ]; then
+    "$@"
+  else
+    sudo "$@"
+  fi
+}
+
 # ── Check Node.js ────────────────────────────────────────────────────────────
 
 REQUIRED_NODE_MAJOR=22
@@ -68,8 +78,8 @@ install_node() {
   echo "Installing Node.js v${REQUIRED_NODE_MAJOR}..."
   if [ "$PLATFORM" = "linux" ]; then
     if command -v apt-get >/dev/null 2>&1; then
-      curl -fsSL "https://deb.nodesource.com/setup_${REQUIRED_NODE_MAJOR}.x" | sudo -E bash -
-      sudo apt-get install -y nodejs
+      curl -fsSL "https://deb.nodesource.com/setup_${REQUIRED_NODE_MAJOR}.x" | as_root bash -
+      as_root apt-get install -y nodejs
     else
       echo "Unsupported Linux package manager. Install Node.js v${REQUIRED_NODE_MAJOR}+ manually."
       exit 1
@@ -99,11 +109,7 @@ fi
 
 echo ""
 echo "Installing Taskmaster..."
-if [ "$(id -u)" = "0" ]; then
-  npm install -g @rubytech/taskmaster
-else
-  sudo npm install -g @rubytech/taskmaster
-fi
+as_root npm install -g @rubytech/taskmaster
 
 # Verify
 if ! command -v taskmaster >/dev/null 2>&1; then
@@ -114,87 +120,87 @@ fi
 
 echo "Taskmaster: $(taskmaster --version 2>/dev/null || echo 'installed')"
 
-# ── Run provision ────────────────────────────────────────────────────────────
+# ── Linux platform setup (hostname, mDNS, linger) ───────────────────────────
 
-echo ""
-PROVISION_ARGS=""
-if [ -n "$PORT" ]; then
-  PROVISION_ARGS="--port $PORT"
-fi
-
-REAL_USER="${SUDO_USER:-$(whoami)}"
 MDNS_PORT="${PORT:-18789}"
 
-if [ "$(id -u)" = "0" ] && [ "$REAL_USER" != "root" ]; then
-  # ── Running as root via sudo ──
-  # Platform setup needs root. Provision (config, workspace, daemon) needs
-  # to run as the real user so paths resolve to their home and systemctl
-  # --user has a D-Bus session.
-
-  if [ "$PLATFORM" = "linux" ]; then
-    echo "Platform setup..."
+if [ "$PLATFORM" = "linux" ]; then
+  echo ""
+  echo "Platform setup..."
 
-    # Avahi / mDNS
-    apt-get install -y avahi-daemon avahi-utils >/dev/null 2>&1 \
-      && echo "  avahi-daemon installed" \
-      || echo "  avahi-daemon install failed (continuing)"
+  # Avahi / mDNS
+  as_root apt-get install -y avahi-daemon avahi-utils >/dev/null 2>&1 \
+    && echo "  avahi-daemon installed" \
+    || echo "  avahi-daemon install failed (continuing)"
 
-    # Hostname — include port to avoid conflicts with other instances on the network
-    if [ "$MDNS_PORT" = "18789" ]; then
-      TM_HOSTNAME="taskmaster"
+  # Hostname — include port to avoid conflicts with other instances on the network
+  if [ "$MDNS_PORT" = "18789" ]; then
+    TM_HOSTNAME="taskmaster"
+  else
+    TM_HOSTNAME="taskmaster-${MDNS_PORT}"
+  fi
+  as_root hostnamectl set-hostname "$TM_HOSTNAME" 2>/dev/null \
+    && echo "  hostname set to '${TM_HOSTNAME}'" \
+    || echo "  hostname set failed (continuing)"
+
+  # Ensure /etc/hosts resolves the new hostname (sudo warns otherwise).
+  # Raspberry Pi OS uses 127.0.1.1 for the hostname; other distros may use
+  # 127.0.0.1. We update an existing 127.0.1.1 line if present (replacing
+  # the old hostname like "raspberrypi"), otherwise append a new entry.
+  if ! grep -q "$TM_HOSTNAME" /etc/hosts 2>/dev/null; then
+    if grep -q "^127\.0\.1\.1" /etc/hosts 2>/dev/null; then
+      as_root sed -i "s/^127\.0\.1\.1.*/127.0.1.1\t$TM_HOSTNAME/" /etc/hosts
     else
-      TM_HOSTNAME="taskmaster-${MDNS_PORT}"
-    fi
-    hostnamectl set-hostname "$TM_HOSTNAME" 2>/dev/null \
-      && echo "  hostname set to '${TM_HOSTNAME}'" \
-      || echo "  hostname set failed (continuing)"
-
-    # Ensure /etc/hosts resolves the new hostname (sudo warns otherwise).
-    # Raspberry Pi OS uses 127.0.1.1 for the hostname; other distros may use
-    # 127.0.0.1. We update an existing 127.0.1.1 line if present (replacing
-    # the old hostname like "raspberrypi"), otherwise append a new entry.
-    if ! grep -q "$TM_HOSTNAME" /etc/hosts 2>/dev/null; then
-      if grep -q "^127\.0\.1\.1" /etc/hosts 2>/dev/null; then
-        sed -i "s/^127\.0\.1\.1.*/127.0.1.1\t$TM_HOSTNAME/" /etc/hosts
-      else
-        echo "127.0.1.1	$TM_HOSTNAME" >> /etc/hosts
-      fi
+      echo "127.0.1.1	$TM_HOSTNAME" | as_root tee -a /etc/hosts >/dev/null
     fi
+  fi
 
-    # Remove stale avahi service file from previous installs (conflicts with gateway Bonjour)
-    rm -f /etc/avahi/services/taskmaster.service
+  # Remove stale avahi service file from previous installs (conflicts with gateway Bonjour)
+  as_root rm -f /etc/avahi/services/taskmaster.service
 
-    # Restart avahi so it picks up the new hostname
-    systemctl restart avahi-daemon 2>/dev/null || true
-    echo "  mDNS: ${TM_HOSTNAME}.local ready"
+  # Restart avahi so it picks up the new hostname
+  as_root systemctl restart avahi-daemon 2>/dev/null || true
+  echo "  mDNS: ${TM_HOSTNAME}.local ready"
 
-    # Tailscale (for optional internet access via Funnel)
-    if ! command -v tailscale >/dev/null 2>&1; then
-      curl -fsSL https://tailscale.com/install.sh | sh >/dev/null 2>&1 \
-        && echo "  tailscale installed" \
-        || echo "  tailscale install failed (continuing)"
-    else
-      echo "  tailscale already installed"
-    fi
+  # Tailscale (for optional internet access via Funnel)
+  if ! command -v tailscale >/dev/null 2>&1; then
+    curl -fsSL https://tailscale.com/install.sh | sh >/dev/null 2>&1 \
+      && echo "  tailscale installed" \
+      || echo "  tailscale install failed (continuing)"
+  else
+    echo "  tailscale already installed"
+  fi
 
-    # Enable user services so systemctl --user works after logout
-    REAL_UID=$(id -u "$REAL_USER")
-    loginctl enable-linger "$REAL_USER" 2>/dev/null || true
-    systemctl start "user@${REAL_UID}.service" 2>/dev/null || true
+  # Enable user services so systemctl --user works after logout
+  REAL_USER="${SUDO_USER:-$(whoami)}"
+  REAL_UID=$(id -u "$REAL_USER")
+  as_root loginctl enable-linger "$REAL_USER" 2>/dev/null || true
+  as_root systemctl start "user@${REAL_UID}.service" 2>/dev/null || true
+
+  # Wait for user D-Bus session bus
+  for _i in $(seq 1 10); do
+    [ -S "/run/user/$REAL_UID/bus" ] && break
+    sleep 0.5
+  done
+fi
 
-    # Wait for user D-Bus session bus
-    for _i in $(seq 1 10); do
-      [ -S "/run/user/$REAL_UID/bus" ] && break
-      sleep 0.5
-    done
-  fi
+# ── Run provision ────────────────────────────────────────────────────────────
+
+echo ""
+PROVISION_ARGS=""
+if [ -n "$PORT" ]; then
+  PROVISION_ARGS="--port $PORT"
+fi
 
-  # Resolve real user's home
+REAL_USER="${SUDO_USER:-$(whoami)}"
+
+if [ "$(id -u)" = "0" ] && [ "$REAL_USER" != "root" ]; then
+  # Running as root via sudo — provision must run as the real user so paths
+  # resolve to their home and systemctl --user has a D-Bus session.
   REAL_HOME=$(getent passwd "$REAL_USER" 2>/dev/null | cut -d: -f6)
   [ -z "$REAL_HOME" ] && REAL_HOME="/home/$REAL_USER"
   REAL_UID=$(id -u "$REAL_USER")
 
-  # Run provision as the real user
   # shellcheck disable=SC2086
   sudo -u "$REAL_USER" \
     HOME="$REAL_HOME" \