@rubytech/taskmaster 1.12.0 → 1.12.2

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-DpMaqt-b.js"></script>
+    <script type="module" crossorigin src="./assets/index-CP9IoaZp.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CpaEIgQy.css">
   </head>
   <body>

package/dist/gateway/control-ui.js

@@ -527,7 +527,9 @@ export function handlePublicChatHttpRequest(req, res, opts) {
     const avatarValue = resolvedAvatar && /^(https?:\/\/|data:image\/|\/)/i.test(resolvedAvatar)
         ? resolvedAvatar
         : undefined;
-    const authMode = config.publicChat.auth ?? "anonymous";
+    const authMode = (config.publicChat?.accountSettings?.[accountId]?.auth ??
+        config.publicChat?.auth ??
+        "anonymous");
     const cookieTtlDays = config.publicChat.cookieTtlDays ?? 30;
     const brandName = config.ui?.brand?.name;
     const brandIconUrl = resolveBrandIconUrl(config.ui?.brand?.icon, root);
@@ -570,7 +572,7 @@ export function handlePublicChatHttpRequest(req, res, opts) {
     // Inject public-chat globals before </head>
     const publicScript = `<script>` +
         `window.__TASKMASTER_PUBLIC_CHAT__=true;` +
-        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: normalizeVerifyMethods(config.publicChat?.verifyMethods ?? ["whatsapp", "sms"]), greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
+        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: normalizeVerifyMethods(config.publicChat?.accountSettings?.[accountId]?.verifyMethods ?? config.publicChat?.verifyMethods ?? ["whatsapp", "sms"]), greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
         `</script>`;
     const headClose = baseInjected.indexOf("</head>");
     const withPublic = headClose !== -1
@@ -584,24 +586,37 @@ export function handlePublicChatHttpRequest(req, res, opts) {
 /** Widget script content — self-contained JS for embedding. */
 const WIDGET_SCRIPT = `(function(){
   "use strict";
-  var cfg={server:"",accountId:"",color:"#1a1a2e",bgColor:"#1a1a2e"};
+  var cfg={server:"",accountId:"",color:"",bgColor:"#1a1a2e",btnColor:""};
   var isOpen=false;
   var btn,overlay,iframe;
+  var SVG_NS="http://www.w3.org/2000/svg";
+  function svgEl(tag,attrs){var e=document.createElementNS(SVG_NS,tag);for(var k in attrs)e.setAttribute(k,attrs[k]);return e;}
+  function makeChatIcon(){var s=svgEl("svg",{width:"22",height:"22",viewBox:"0 0 24 24",fill:"none",stroke:"currentColor","stroke-width":"2","stroke-linecap":"round","stroke-linejoin":"round"});s.appendChild(svgEl("path",{d:"M7.9 20A9 9 0 1 0 4 16.1L2 22Z"}));return s;}
+  function makeCloseIcon(){var s=svgEl("svg",{width:"20",height:"20",viewBox:"0 0 24 24",fill:"none",stroke:"currentColor","stroke-width":"2.5","stroke-linecap":"round","stroke-linejoin":"round"});s.appendChild(svgEl("line",{x1:"18",y1:"6",x2:"6",y2:"18"}));s.appendChild(svgEl("line",{x1:"6",y1:"6",x2:"18",y2:"18"}));return s;}
+  function setIcon(el,fn){while(el.firstChild)el.removeChild(el.firstChild);el.appendChild(fn());}
 
   function init(opts){
     if(opts&&opts.server) cfg.server=opts.server.replace(/\\/$/,"");
     if(opts&&opts.accountId) cfg.accountId=opts.accountId;
-    if(opts&&opts.color) cfg.color=opts.color;
+    if(opts&&opts.color) cfg.btnColor=opts.color;
     if(opts&&opts.bgColor) cfg.bgColor=opts.bgColor;
-    build();
+    if(!cfg.btnColor){
+      fetch(cfg.server+"/public/api/v1/"+encodeURIComponent(cfg.accountId)+"/capabilities")
+        .then(function(r){return r.json()})
+        .then(function(d){if(d.background_color) cfg.btnColor=d.background_color; else if(d.accent_color) cfg.btnColor=d.accent_color; build();})
+        .catch(function(){build();});
+    } else {
+      build();
+    }
   }
 
   function build(){
+    if(!cfg.btnColor) cfg.btnColor="#1a1a2e";
     var css=document.createElement("style");
     css.textContent=[
       ".tm-widget-btn{position:fixed;bottom:20px;right:20px;width:48px;height:48px;",
-      "border-radius:50%;background:"+cfg.color+";color:#fff;border:none;cursor:pointer;",
-      "box-shadow:0 2px 8px rgba(0,0,0,.3);z-index:999999;font-size:22px;",
+      "border-radius:50%;background:"+cfg.btnColor+";color:#fff;border:none;cursor:pointer;",
+      "box-shadow:0 2px 8px rgba(0,0,0,.3);z-index:999999;",
       "display:flex;align-items:center;justify-content:center;transition:transform .2s}",
       ".tm-widget-btn:hover{transform:scale(1.08)}",
       ".tm-widget-overlay{position:fixed;bottom:78px;right:20px;width:400px;height:600px;",
@@ -618,7 +633,7 @@ const WIDGET_SCRIPT = `(function(){
 
     btn=document.createElement("button");
     btn.className="tm-widget-btn";
-    btn.textContent="\\uD83D\\uDCAC";
+    setIcon(btn,makeChatIcon);
     btn.setAttribute("aria-label","Chat");
     btn.onclick=toggle;
     document.body.appendChild(btn);
@@ -635,7 +650,7 @@ const WIDGET_SCRIPT = `(function(){
   function toggle(){
     isOpen=!isOpen;
     overlay.classList.toggle("open",isOpen);
-    btn.textContent=isOpen?"\\u2715":"\\uD83D\\uDCAC";
+    setIcon(btn,isOpen?makeCloseIcon:makeChatIcon);
   }
 
   window.Taskmaster={init:init};

package/dist/gateway/protocol/schema/cron.js

@@ -117,38 +117,46 @@ export const CronUpdateParamsSchema = Type.Union([
     Type.Object({
         id: NonEmptyString,
         patch: CronJobPatchSchema,
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
     Type.Object({
         jobId: NonEmptyString,
         patch: CronJobPatchSchema,
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
 ]);
 export const CronRemoveParamsSchema = Type.Union([
     Type.Object({
         id: NonEmptyString,
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
     Type.Object({
         jobId: NonEmptyString,
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
 ]);
 export const CronRunParamsSchema = Type.Union([
     Type.Object({
         id: NonEmptyString,
         mode: Type.Optional(Type.Union([Type.Literal("due"), Type.Literal("force")])),
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
     Type.Object({
         jobId: NonEmptyString,
         mode: Type.Optional(Type.Union([Type.Literal("due"), Type.Literal("force")])),
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
 ]);
 export const CronRunsParamsSchema = Type.Union([
     Type.Object({
         id: NonEmptyString,
         limit: Type.Optional(Type.Integer({ minimum: 1, maximum: 5000 })),
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
     Type.Object({
         jobId: NonEmptyString,
         limit: Type.Optional(Type.Integer({ minimum: 1, maximum: 5000 })),
+        accountId: Type.Optional(Type.String()),
     }, { additionalProperties: false }),
 ]);
 export const CronRunLogEntrySchema = Type.Object({

package/dist/gateway/public-chat/deliver-email.js

@@ -45,24 +45,24 @@ async function fetchVerifiedSender(apiKey) {
  * in order: explicit config value → cached sender → live Brevo API lookup.
  * Returns null if no API key is configured.
  */
-export async function resolveEmailCredentials() {
+export async function resolveEmailCredentials(fromName) {
     const cfg = loadConfig();
     const email = cfg.publicChat?.email;
     if (!email?.apiKey)
         return null;
     // Explicit from address in config — use it directly
     if (email.from)
-        return { apiKey: email.apiKey, from: email.from };
+        return { apiKey: email.apiKey, from: email.from, fromName };
     // Cached sender for this API key
     if (cachedSender && cachedSender.apiKey === email.apiKey) {
-        return { apiKey: email.apiKey, from: cachedSender.from };
+        return { apiKey: email.apiKey, from: cachedSender.from, fromName };
     }
     // Auto-detect from Brevo senders API
     const sender = await fetchVerifiedSender(email.apiKey);
     if (!sender)
         return null;
     cachedSender = { apiKey: email.apiKey, from: sender };
-    return { apiKey: email.apiKey, from: sender };
+    return { apiKey: email.apiKey, from: sender, fromName };
 }
 /**
  * Send an email via the Brevo transactional email API.
@@ -76,7 +76,7 @@ export async function sendEmail(to, subject, body, creds) {
             Accept: "application/json",
         },
         body: JSON.stringify({
-            sender: { email: creds.from },
+            sender: creds.fromName ? { email: creds.from, name: creds.fromName } : { email: creds.from },
             to: [{ email: to }],
             subject,
             textContent: body,

package/dist/gateway/public-chat/deliver-otp.js

@@ -55,12 +55,12 @@ export function detectOtpChannels(whatsappAccountId) {
  * Phone identifiers try WhatsApp then SMS, but only channels that
  * are enabled in `enabledMethods` are attempted.
  */
-export async function deliverOtp(identifier, code, accountId, enabledMethods) {
+export async function deliverOtp(identifier, code, accountId, enabledMethods, brandName) {
     const message = `Your verification code is: ${code}`;
     const methods = enabledMethods ?? ["whatsapp", "sms", "email"];
     // Email identifiers — deliver via Brevo email API
     if (isEmail(identifier)) {
-        const emailCreds = await resolveEmailCredentials();
+        const emailCreds = await resolveEmailCredentials(brandName);
         if (!emailCreds) {
             throw new Error("Email verification is not configured. Add a Brevo API key and verify a sender in the Brevo console.");
         }
@@ -80,7 +80,7 @@ export async function deliverOtp(identifier, code, accountId, enabledMethods) {
         }
     }
     if (trySms) {
-        const smsCreds = await resolveSmsCredentials();
+        const smsCreds = await resolveSmsCredentials(brandName);
         if (smsCreds) {
             await sendSms(identifier, message, smsCreds);
             return { channel: "sms" };

package/dist/gateway/public-chat/deliver-sms.js

@@ -72,11 +72,15 @@ export function hasSmsApiKey() {
  * brand identity. The name is truncated to 11 characters (GSM limit).
  * Returns null if no API key is configured.
  */
-export async function resolveSmsCredentials() {
+export async function resolveSmsCredentials(brandName) {
     const cfg = loadConfig();
     const apiKey = cfg.publicChat?.email?.apiKey;
     if (!apiKey)
         return null;
+    // Brand name override takes precedence — use it directly (truncated to GSM limit)
+    if (brandName) {
+        return { apiKey, sender: truncateSender(brandName) };
+    }
     if (cachedSenderName &&
         cachedSenderName.apiKey === apiKey &&
         cachedSenderName.name.length <= 11) {

package/dist/gateway/public-chat-api.js

@@ -98,14 +98,23 @@ function isValidEmail(email) {
 function normalizePhone(raw) {
     return raw.replace(/[\s\-()]/g, "");
 }
+/** Resolve the auth mode for a specific account, falling back to the global setting. */
+function resolveAccountAuthMode(cfg, accountId) {
+    return cfg.publicChat?.accountSettings?.[accountId]?.auth ?? cfg.publicChat?.auth ?? "anonymous";
+}
+/** Resolve the verify methods for a specific account, falling back to the global setting. */
+function resolveAccountVerifyMethods(cfg, accountId) {
+    return (cfg.publicChat?.accountSettings?.[accountId]?.verifyMethods ??
+        cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
+}
 /** Check whether the auth mode allows anonymous sessions. */
-function allowsAnonymous(cfg) {
-    const mode = cfg.publicChat?.auth ?? "anonymous";
+function allowsAnonymous(cfg, accountId) {
+    const mode = resolveAccountAuthMode(cfg, accountId);
     return mode === "anonymous" || mode === "choice";
 }
 /** Check whether the auth mode allows OTP verification. */
-function allowsVerified(cfg) {
-    const mode = cfg.publicChat?.auth ?? "anonymous";
+function allowsVerified(cfg, accountId) {
+    const mode = resolveAccountAuthMode(cfg, accountId);
     return mode === "verified" || mode === "choice";
 }
 function writeSse(res, data) {
@@ -184,7 +193,7 @@ async function handleSession(req, res, accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    if (!allowsAnonymous(cfg)) {
+    if (!allowsAnonymous(cfg, accountId)) {
         sendForbidden(res, "anonymous sessions are disabled — use OTP verification");
         return;
     }
@@ -214,7 +223,7 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    if (!allowsVerified(cfg)) {
+    if (!allowsVerified(cfg, accountId)) {
         sendForbidden(res, "OTP verification is disabled for this account");
         return;
     }
@@ -229,7 +238,7 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
             ? payload.phone.trim()
             : "";
     const isEmailId = rawIdentifier.includes("@");
-    const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
+    const verifyMethods = normalizeVerifyMethods(resolveAccountVerifyMethods(cfg, accountId));
     let identifier;
     if (isEmailId) {
         if (!verifyMethods.includes("email")) {
@@ -270,8 +279,9 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
     const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
         ? [preferredChannel]
         : verifyMethods;
+    const brandName = accountId || undefined;
     try {
-        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods);
+        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods, brandName);
         sendJson(res, 200, { ok: true, channel: delivery.channel });
     }
     catch (err) {
@@ -287,7 +297,7 @@ async function handleOtpVerify(req, res, accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    if (!allowsVerified(cfg)) {
+    if (!allowsVerified(cfg, accountId)) {
         sendForbidden(res, "OTP verification is disabled for this account");
         return;
     }
@@ -755,14 +765,19 @@ async function handleCapabilities(req, res, accountId, cfg) {
         sendMethodNotAllowed(res, "GET");
         return;
     }
-    const authMode = cfg.publicChat?.auth ?? "anonymous";
-    const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
+    const authMode = resolveAccountAuthMode(cfg, accountId);
+    const verifyMethods = normalizeVerifyMethods(resolveAccountVerifyMethods(cfg, accountId));
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
     const channels = detectOtpChannels(whatsappAccountId);
+    const wsBrand = cfg.workspaces?.[accountId]?.brand;
+    const accentColor = wsBrand?.accentColor ?? cfg.ui?.seamColor ?? null;
+    const backgroundColor = wsBrand?.backgroundColor ?? null;
     sendJson(res, 200, {
         auth: authMode,
         verify_methods: verifyMethods,
+        accent_color: accentColor,
+        background_color: backgroundColor,
         otp: {
             available: channels.length > 0,
             channels,

package/dist/gateway/server-channels.js

@@ -65,10 +65,12 @@ export function createChannelManager(opts) {
                 ? plugin.config.isEnabled(account, cfg)
                 : isAccountEnabled(account);
             if (!enabled) {
+                const disabledReason = plugin.config.disabledReason?.(account, cfg) ?? "disabled";
+                channelLogs[channelId].info?.(`[${id}] channel not starting: ${disabledReason}`);
                 setRuntime(channelId, id, {
                     accountId: id,
                     running: false,
-                    lastError: plugin.config.disabledReason?.(account, cfg) ?? "disabled",
+                    lastError: disabledReason,
                 });
                 return;
             }
@@ -77,10 +79,12 @@ export function createChannelManager(opts) {
                 configured = await plugin.config.isConfigured(account, cfg);
             }
             if (!configured) {
+                const unconfiguredReason = plugin.config.unconfiguredReason?.(account, cfg) ?? "not configured";
+                channelLogs[channelId].warn?.(`[${id}] channel not starting: ${unconfiguredReason}`);
                 setRuntime(channelId, id, {
                     accountId: id,
                     running: false,
-                    lastError: plugin.config.unconfiguredReason?.(account, cfg) ?? "not configured",
+                    lastError: unconfiguredReason,
                 });
                 return;
             }

package/dist/gateway/server-methods/cron.js

@@ -66,6 +66,14 @@ export const cronHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid cron.update params: missing id"));
             return;
         }
+        if (p.accountId) {
+            const jobs = await context.cron.list({ includeDisabled: true });
+            const target = jobs.find((j) => j.id === jobId);
+            if (!target || target.accountId !== p.accountId) {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, `cron job not found: ${jobId}`));
+                return;
+            }
+        }
         const job = await context.cron.update(jobId, p.patch);
         respond(true, job, undefined);
     },
@@ -80,6 +88,14 @@ export const cronHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid cron.remove params: missing id"));
             return;
         }
+        if (p.accountId) {
+            const jobs = await context.cron.list({ includeDisabled: true });
+            const target = jobs.find((j) => j.id === jobId);
+            if (!target || target.accountId !== p.accountId) {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, `cron job not found: ${jobId}`));
+                return;
+            }
+        }
         const result = await context.cron.remove(jobId);
         respond(true, result, undefined);
     },
@@ -94,6 +110,14 @@ export const cronHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid cron.run params: missing id"));
             return;
         }
+        if (p.accountId) {
+            const jobs = await context.cron.list({ includeDisabled: true });
+            const target = jobs.find((j) => j.id === jobId);
+            if (!target || target.accountId !== p.accountId) {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, `cron job not found: ${jobId}`));
+                return;
+            }
+        }
         const result = await context.cron.run(jobId, p.mode);
         respond(true, result, undefined);
     },
@@ -108,6 +132,14 @@ export const cronHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid cron.runs params: missing id"));
             return;
         }
+        if (p.accountId) {
+            const jobs = await context.cron.list({ includeDisabled: true });
+            const target = jobs.find((j) => j.id === jobId);
+            if (!target || target.accountId !== p.accountId) {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, `cron job not found: ${jobId}`));
+                return;
+            }
+        }
         const logPath = resolveCronRunLogPath({
             storePath: context.cronStorePath,
             jobId,

package/dist/gateway/server-methods/public-chat.js

@@ -47,7 +47,8 @@ export const publicChatHandlers = {
             return;
         }
         const isEmailId = rawIdentifier.includes("@");
-        const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
+        const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.accountSettings?.[accountId ?? ""]?.verifyMethods ??
+            cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
         let identifier;
         if (isEmailId) {
             if (!verifyMethods.includes("email")) {
@@ -87,8 +88,9 @@ export const publicChatHandlers = {
         const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
             ? [preferredChannel]
             : verifyMethods;
+        const brandName = accountId || undefined;
         try {
-            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods);
+            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods, brandName);
             respond(true, { ok: true, channel: delivery.channel });
         }
         catch (err) {

package/dist/gateway/server-methods/tailscale.js

@@ -278,6 +278,15 @@ export const tailscaleHandlers = {
             catch (serveErr) {
                 const errObj = serveErr;
                 const combined = `${typeof errObj.stdout === "string" ? errObj.stdout : ""}\n${typeof errObj.stderr === "string" ? errObj.stderr : ""}`;
+                // Check for "Serve is not enabled" — extract the enable URL
+                if (combined.includes("Serve is not enabled") ||
+                    combined.includes("not enabled on your tailnet")) {
+                    const enableUrlMatch = combined.match(/https:\/\/login\.tailscale\.com\/f\/serve\S*/);
+                    const enableUrl = enableUrlMatch?.[0] ?? "https://login.tailscale.com/admin/machines";
+                    context.logGateway.warn(`tailscale.serve.enable: Serve not enabled on tailnet`);
+                    respond(false, { enableUrl }, errorShape(ErrorCodes.INVALID_REQUEST, "Serve is not enabled on your Tailscale account. Open the link in the browser to enable it, then try again."));
+                    return;
+                }
                 context.logGateway.warn(`tailscale.serve.enable pre-flight failed: ${combined.slice(0, 500)}`);
                 respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, `Serve command failed — ${combined.trim().split("\n")[0] || "unknown error"}`));
                 return;

package/dist/gateway/server-methods/workspaces.js

@@ -12,6 +12,52 @@ import { normalizeAgentId } from "../../routing/session-key.js";
 import { resolveUserPath } from "../../utils.js";
 import { ErrorCodes, errorShape } from "../protocol/index.js";
 // ---------------------------------------------------------------------------
+// Per-account agent tool sets
+// ---------------------------------------------------------------------------
+const ACCOUNT_ADMIN_TOOLS = {
+    allow: [
+        "skill_read",
+        "message",
+        "group:memory",
+        "group:documents",
+        "image",
+        "image_generate",
+        "web_search",
+        "web_fetch",
+        "current_time",
+        "sessions_list",
+        "sessions_history",
+        "session_status",
+        "cron",
+        "authorize_admin",
+        "revoke_admin",
+        "list_admins",
+        "bootstrap_complete",
+        "relay_message",
+        "browser",
+        "group:contacts",
+        "document_to_pdf",
+        "skill_draft_save",
+        "group:control-panel",
+        "api_keys",
+        "software_update",
+    ],
+    deny: ["exec", "group:fs", "group:runtime", "canvas"],
+};
+const ACCOUNT_PUBLIC_TOOLS = {
+    allow: [
+        "message",
+        "memory_search",
+        "memory_get",
+        "memory_write",
+        "memory_save_media",
+        "web_search",
+        "web_fetch",
+        "current_time",
+    ],
+    deny: ["exec", "group:fs", "group:runtime", "group:sessions", "group:automation", "browser"],
+};
+// ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 function requireBaseHash(params, snapshot, respond) {
@@ -396,10 +442,16 @@ export const workspacesHandlers = {
             // Each agent's workspace points to its agent subdirectory, not the root.
             for (const agentName of scan.agents) {
                 const agentId = normalizeAgentId(`${name}-${agentName}`);
+                const tools = agentName === "admin"
+                    ? ACCOUNT_ADMIN_TOOLS
+                    : agentName === "public"
+                        ? ACCOUNT_PUBLIC_TOOLS
+                        : undefined;
                 cfg = applyAgentConfig(cfg, {
                     agentId,
                     name: `${name} ${agentName}`,
                     workspace: path.join(workspaceDir, "agents", agentName),
+                    tools,
                 });
                 agentIds.push(agentId);
             }

package/dist/web/auto-reply/monitor.js

@@ -223,6 +223,7 @@ export async function monitorWebChannel(verbose, listenerFactory = monitorWebInb
         emitStatus();
         // Surface a concise connection event for the next main-session turn/heartbeat.
         const { e164: selfE164 } = readWebSelfId(account.authDir);
+        reconnectLogger.info({ accountId: account.accountId, selfE164: selfE164 ?? null, reconnectAttempts }, "WhatsApp connected");
         const connectRoute = resolveAgentRoute({
             cfg,
             channel: "whatsapp",
@@ -273,6 +274,8 @@ export async function monitorWebChannel(verbose, listenerFactory = monitorWebInb
                     : null;
                 const logData = {
                     connectionId,
+                    accountId: account.accountId,
+                    selfE164: selfE164 ?? null,
                     reconnectAttempts,
                     messagesHandled: handledMessages,
                     lastMessageAt,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.12.0",
+  "version": "1.12.2",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/tailscale/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: tailscale
-description: Guide users through Tailscale remote access setup — installing the app, creating an account, and connecting their device.
+description: Guide users through Tailscale remote access setup — installing the app, connecting their device, and enabling Serve for remote access to the control panel.
 metadata: {"taskmaster":{"emoji":"🔐"}}
 ---
 
@@ -13,10 +13,18 @@ Helps users set up remote access to their Taskmaster device using Tailscale. Tai
 - User asks about remote access, accessing their device from outside the local network, or connecting while away from home
 - User encounters issues during the Tailscale connection flow on the setup page
 - User sees a QR code on the setup page and doesn't know what to do
+- User asks about enabling Serve or making the control panel accessible remotely
 
-## Recommended path
+## Critical: what NOT to tell users
 
-The simplest setup path for non-technical users:
+- **Never suggest CLI commands** — Taskmaster handles all Tailscale operations through the setup page. Users do not need to SSH into the Pi, open a terminal, or run any `tailscale` commands.
+- **Never reference `tailscale serve`, `tailscale up`, `sudo`, or any shell commands** — the gateway runs these internally when the user clicks buttons in the UI.
+- **Never suggest port numbers, `--bg` flags, or `--https` flags** — these are implementation details the user never sees.
+- **Never suggest the Tailscale admin console as the primary path** — the setup page is the primary interface. The admin console link is only relevant when Serve or Funnel needs one-time tailnet-level enablement (the UI provides the link automatically).
+
+## Setup flow (from the setup page)
+
+### Step 1: Connect to Tailscale
 
 1. **Install the Tailscale app on your phone** — available on iOS App Store and Google Play Store. Search for "Tailscale" and install the official app.
 2. **Create a Tailscale account** — open the app and sign up. You can use Google, Microsoft, Apple, or email to create your account.
@@ -24,24 +32,44 @@ The simplest setup path for non-technical users:
 4. **Click "Connect" next to Remote Access** — a modal will appear showing progress while the connection starts.
 5. **Scan the QR code with your phone camera** — when the QR code appears, point your phone camera at it. This links your Taskmaster device to your Tailscale account.
 6. **Approve the device in the Tailscale app** — you may be asked to confirm the new device. Tap approve/allow.
-7. **Done** — the modal will show a success message and close automatically. Your device is now accessible from anywhere you have Tailscale installed.
+7. **Done** — the modal will show a success message and close automatically.
+
+### Step 2: Enable Remote Access (Serve)
+
+After connecting, the setup page shows Remote Access as "Connected (not enabled)." The next step:
+
+1. **Click the power button** next to Remote Access on the setup page.
+2. **If it succeeds** — remote access is now active. The setup page shows a green light and "Active."
+3. **If a link appears** — Serve must be enabled on your Tailscale account first. This is a one-time step. Click the link that appears (it opens the Tailscale admin page). Enable Serve, then come back and click the power button again.
+
+Once enabled, remote access persists across restarts.
+
+### Step 3: Access from other devices
+
+- Install Tailscale on any other device (laptop, tablet, phone) where you want to access the control panel.
+- Sign in with the **same Tailscale account**.
+- Your Taskmaster device will appear in the Tailscale app — access it using the Tailscale URL shown on the setup page.
+
+## Internet Access (Funnel) — optional
 
-## After connecting
+Funnel makes the control panel accessible to anyone on the internet, not just devices on your Tailscale network. This is optional and most users don't need it.
 
-- Install Tailscale on any other device (laptop, tablet) where you want to access the control panel
-- Sign in with the same Tailscale account
-- Your Taskmaster device will appear in the Tailscale network — access it using the Tailscale URL shown on the setup page
+- After Remote Access is active, a globe icon appears on the setup page.
+- Clicking it enables Funnel. If Funnel isn't enabled on your tailnet, a link appears — same one-click flow as Serve.
 
 ## Troubleshooting
 
 - **QR code doesn't appear**: The Tailscale service may not be running on the device. Check the setup page for error details. Restarting the gateway may help.
 - **Authentication times out**: The QR code is valid for a limited time. Click "Connect" again to generate a new one.
 - **"Tailscale not installed" message**: Tailscale needs to be installed on the Taskmaster device itself (the server). This is separate from installing it on your phone.
+- **"Serve must be enabled" with a link**: Click the link to open Tailscale's admin page. Enable Serve for this device, then retry from the setup page.
 - **Connection drops**: Make sure both devices (phone/laptop and Taskmaster) have Tailscale running and are signed into the same account.
+- **Remote Access shows "Enabled but not active"**: Tailscale may have disconnected. Try disabling and re-enabling from the setup page, or check that the device is still connected in the Tailscale app.
 
 ## Key concepts
 
 - **Tailscale** is a mesh VPN — devices connect directly to each other through encrypted tunnels
 - **Free for personal use** — up to 100 devices on the free plan
 - **No port forwarding needed** — works through firewalls and NAT automatically
-- **Internet Access** (Funnel) — an optional feature that gives your device a public URL reachable by anyone, not just Tailscale users. Enable this from the setup page after remote access is connected.
+- **Serve** (Remote Access) — makes the control panel accessible over HTTPS to devices on the same Tailscale account. Private to your tailnet.
+- **Funnel** (Internet Access) — makes the control panel accessible to anyone with the URL. Public.

package/templates/beagle-taxi/agents/admin/AGENTS.md

@@ -0,0 +1,25 @@
+# AGENTS.md — Admin Agent (Beagle Corporate Admin)
+
+You help the operator manage the Beagle corporate site. You handle inbound interest, knowledge base maintenance, and operational oversight of the public-facing agent.
+
+## First-Run Check
+
+**If BOOTSTRAP.md is present in your context, STOP and follow its instructions.** BOOTSTRAP.md means this workspace hasn't been set up yet. Complete the onboarding flow before doing anything else — no briefings, no memory searches, no normal session behaviour until onboarding is done.
+
+## Every Session
+
+Before doing anything else:
+1. Read `SOUL.md` — this is who you are
+2. Read `IDENTITY.md` — your role and boundaries
+3. Check memory for recent inbound interest and any pending follow-ups
+
+## Tools
+
+| Tool | Use |
+|------|-----|
+| `memory_search` | Find stored interest, enquiries, knowledge base content |
+| `memory_get` | Read specific files |
+| `memory_write` | Update knowledge base, store notes, flag follow-ups |
+| `sessions_list` | Review recent conversations the public agent has had |
+| `sessions_history` | Read specific past sessions for context |
+| `current_time` | Timestamps for notes and follow-up scheduling |