@rubytech/taskmaster 1.16.3 → 1.17.4

package/dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-Bd75cI7J.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-BkymP95Y.css">
+    <script type="module" crossorigin src="./assets/index-koe4eKhk.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-XqRo9tNW.css">
   </head>
   <body>
     <taskmaster-app></taskmaster-app>

package/dist/cron/preloaded.js

@@ -20,11 +20,11 @@ export async function saveSeedTracker(trackerPath, tracker) {
     const json = JSON.stringify(tracker, null, 2);
     await fs.promises.writeFile(trackerPath, json, "utf-8");
 }
-export function isTemplateSeeded(tracker, templateId) {
-    return tracker.seeded.some((e) => e.templateId === templateId);
+export function isTemplateSeeded(tracker, templateId, accountId) {
+    return tracker.seeded.some((e) => e.templateId === templateId && e.accountId === accountId);
 }
-export function markTemplateSeeded(tracker, templateId, jobId) {
-    tracker.seeded.push({ templateId, jobId, seededAtMs: Date.now() });
+export function markTemplateSeeded(tracker, templateId, jobId, accountId) {
+    tracker.seeded.push({ templateId, accountId, jobId, seededAtMs: Date.now() });
 }
 // ---------------------------------------------------------------------------
 // Template loader — scan bundled skills for cron-template.json files
@@ -63,30 +63,34 @@ export function loadCronTemplatesFromBundledSkills(bundledSkillsDir) {
 // Seeding function — create cron jobs from un-seeded templates
 // ---------------------------------------------------------------------------
 export async function seedPreloadedCronJobs(params) {
-    const { bundledSkillsDir, trackerPath, cronService, defaultAccountId } = params;
+    const { bundledSkillsDir, trackerPath, cronService, accountIds } = params;
+    if (accountIds.length === 0)
+        return 0;
     const templates = loadCronTemplatesFromBundledSkills(bundledSkillsDir);
     if (templates.length === 0)
         return 0;
     const tracker = await loadSeedTracker(trackerPath);
     let seeded = 0;
-    for (const template of templates) {
-        if (isTemplateSeeded(tracker, template.templateId))
-            continue;
-        const job = await cronService.add({
-            name: template.name,
-            description: template.description,
-            enabled: template.enabled,
-            agentId: template.agentId,
-            accountId: defaultAccountId,
-            schedule: template.schedule,
-            sessionTarget: template.sessionTarget,
-            wakeMode: template.wakeMode,
-            payload: template.payload,
-            isolation: template.isolation,
-        });
-        markTemplateSeeded(tracker, template.templateId, job.id);
-        await saveSeedTracker(trackerPath, tracker);
-        seeded++;
+    for (const accountId of accountIds) {
+        for (const template of templates) {
+            if (isTemplateSeeded(tracker, template.templateId, accountId))
+                continue;
+            const job = await cronService.add({
+                name: template.name,
+                description: template.description,
+                enabled: template.enabled,
+                agentId: template.agentId,
+                accountId,
+                schedule: template.schedule,
+                sessionTarget: template.sessionTarget,
+                wakeMode: template.wakeMode,
+                payload: template.payload,
+                isolation: template.isolation,
+            });
+            markTemplateSeeded(tracker, template.templateId, job.id, accountId);
+            await saveSeedTracker(trackerPath, tracker);
+            seeded++;
+        }
     }
     return seeded;
 }

package/dist/cron/service/timer.js

@@ -103,7 +103,11 @@ export async function executeJob(state, job, nowMs, opts) {
         }
         if (job.sessionTarget === "isolated") {
             const prefix = job.isolation?.postToMainPrefix?.trim() || "Cron";
-            const mode = job.isolation?.postToMainMode ?? "summary";
+            const configuredMode = job.isolation?.postToMainMode ?? "summary";
+            // When delivery was skipped (best-effort, no external channel configured),
+            // promote to "full" so the admin sees the actual report in their main chat
+            // instead of a delivery-error summary.
+            const mode = status === "skipped" && outputText ? "full" : configuredMode;
             let body = (summary ?? err ?? status).trim();
             if (mode === "full") {
                 // Prefer full agent output if available; fall back to summary.

package/dist/gateway/protocol/index.js

@@ -1,5 +1,5 @@
 import AjvPkg from "ajv";
-import { AgentEventSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, AgentParamsSchema, AgentSummarySchema, AgentsListParamsSchema, AgentsListResultSchema, AgentWaitParamsSchema, ChannelsLogoutParamsSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChatAbortParamsSchema, ChatEventSchema, ChatHistoryParamsSchema, ChatInjectParamsSchema, ChatSendParamsSchema, ConfigApplyParamsSchema, ConfigGetParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, ConfigSetParamsSchema, ConnectParamsSchema, CronAddParamsSchema, CronJobSchema, CronListParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, CronStatusParamsSchema, CronUpdateParamsSchema, DevicePairApproveParamsSchema, DevicePairListParamsSchema, DevicePairRejectParamsSchema, DeviceTokenRevokeParamsSchema, DeviceTokenRotateParamsSchema, ExecApprovalsGetParamsSchema, ExecApprovalsNodeGetParamsSchema, ExecApprovalsNodeSetParamsSchema, ExecApprovalsSetParamsSchema, ExecApprovalRequestParamsSchema, ExecApprovalResolveParamsSchema, ErrorCodes, ErrorShapeSchema, EventFrameSchema, errorShape, GatewayFrameSchema, HelloOkSchema, LogsTailParamsSchema, LogsTailResultSchema, SessionsTranscriptParamsSchema, SessionsTranscriptResultSchema, ModelsListParamsSchema, NodeDescribeParamsSchema, NodeEventParamsSchema, NodeInvokeParamsSchema, NodeInvokeResultParamsSchema, NodeListParamsSchema, NodePairApproveParamsSchema, NodePairListParamsSchema, NodePairRejectParamsSchema, NodePairRequestParamsSchema, NodePairVerifyParamsSchema, NodeRenameParamsSchema, PollParamsSchema, PROTOCOL_VERSION, PresenceEntrySchema, ProtocolSchemas, RequestFrameSchema, ResponseFrameSchema, SendParamsSchema, SessionsCompactParamsSchema, SessionsDeleteParamsSchema, SessionsListParamsSchema, SessionsPatchParamsSchema, SessionsPreviewParamsSchema, SessionsResetParamsSchema, SessionsResolveParamsSchema, ShutdownEventSchema, SkillsBinsParamsSchema, SkillsCreateParamsSchema, SkillsDeleteParamsSchema, SkillsDeleteDraftParamsSchema, SkillsDraftsParamsSchema, SkillsSaveDraftParamsSchema, SkillsInstallParamsSchema, SkillsReadParamsSchema, SkillsStatusParamsSchema, SkillsUpdateParamsSchema, SnapshotSchema, StateVersionSchema, TalkModeParamsSchema, TickEventSchema, UpdateRunParamsSchema, WakeParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, WizardCancelParamsSchema, WizardNextParamsSchema, WizardNextResultSchema, WizardStartParamsSchema, WizardStartResultSchema, WizardStatusParamsSchema, WizardStatusResultSchema, WizardStepSchema, } from "./schema.js";
+import { AgentEventSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, AgentParamsSchema, AgentSummarySchema, AgentsListParamsSchema, AgentsListResultSchema, AgentWaitParamsSchema, ChannelsLogoutParamsSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChatAbortParamsSchema, ChatEventSchema, ChatHistoryParamsSchema, ChatInjectParamsSchema, ChatSendParamsSchema, ConfigApplyParamsSchema, ConfigGetParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, ConfigSetParamsSchema, ConnectParamsSchema, CronAddParamsSchema, CronJobSchema, CronListParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, CronStatusParamsSchema, CronUpdateParamsSchema, DevicePairApproveParamsSchema, DevicePairListParamsSchema, DevicePairRejectParamsSchema, DeviceTokenRevokeParamsSchema, DeviceTokenRotateParamsSchema, ExecApprovalsGetParamsSchema, ExecApprovalsNodeGetParamsSchema, ExecApprovalsNodeSetParamsSchema, ExecApprovalsSetParamsSchema, ExecApprovalRequestParamsSchema, ExecApprovalResolveParamsSchema, ErrorCodes, ErrorShapeSchema, EventFrameSchema, errorShape, GatewayFrameSchema, HelloOkSchema, LogsTailParamsSchema, LogsTailResultSchema, SessionsTranscriptParamsSchema, SessionsTranscriptResultSchema, ModelsListParamsSchema, NodeDescribeParamsSchema, NodeEventParamsSchema, NodeInvokeParamsSchema, NodeInvokeResultParamsSchema, NodeListParamsSchema, NodePairApproveParamsSchema, NodePairListParamsSchema, NodePairRejectParamsSchema, NodePairRequestParamsSchema, NodePairVerifyParamsSchema, NodeRenameParamsSchema, PollParamsSchema, PROTOCOL_VERSION, PresenceEntrySchema, ProtocolSchemas, RequestFrameSchema, ResponseFrameSchema, SendParamsSchema, SessionsCompactParamsSchema, SessionsDeleteParamsSchema, SessionsListParamsSchema, SessionsPatchParamsSchema, SessionsPreviewParamsSchema, SessionsResetParamsSchema, SessionsResolveParamsSchema, ShutdownEventSchema, SkillsBinsParamsSchema, SkillsCreateParamsSchema, SkillsDeleteParamsSchema, SkillsDeleteDraftParamsSchema, SkillsDraftsParamsSchema, SkillsSaveDraftParamsSchema, SkillsInstallParamsSchema, SkillsReadParamsSchema, SkillsStatusParamsSchema, SkillsUpdateParamsSchema, SnapshotSchema, StateVersionSchema, TalkModeParamsSchema, TickEventSchema, UpdateRunParamsSchema, WakeParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, WizardCancelParamsSchema, WizardNextParamsSchema, WizardNextResultSchema, WhatsAppConversationsParamsSchema, WhatsAppGroupInfoParamsSchema, WhatsAppMessagesParamsSchema, WhatsAppSendMessageParamsSchema, WhatsAppSetActivationParamsSchema, WizardStartParamsSchema, WizardStartResultSchema, WizardStatusParamsSchema, WizardStatusResultSchema, WizardStepSchema, } from "./schema.js";
 const ajv = new AjvPkg({
     allErrors: true,
     strict: false,
@@ -85,6 +85,11 @@ export const validateChatEvent = ajv.compile(ChatEventSchema);
 export const validateUpdateRunParams = ajv.compile(UpdateRunParamsSchema);
 export const validateWebLoginStartParams = ajv.compile(WebLoginStartParamsSchema);
 export const validateWebLoginWaitParams = ajv.compile(WebLoginWaitParamsSchema);
+export const validateWhatsAppConversationsParams = ajv.compile(WhatsAppConversationsParamsSchema);
+export const validateWhatsAppMessagesParams = ajv.compile(WhatsAppMessagesParamsSchema);
+export const validateWhatsAppGroupInfoParams = ajv.compile(WhatsAppGroupInfoParamsSchema);
+export const validateWhatsAppSetActivationParams = ajv.compile(WhatsAppSetActivationParamsSchema);
+export const validateWhatsAppSendMessageParams = ajv.compile(WhatsAppSendMessageParamsSchema);
 export function formatValidationErrors(errors) {
     if (!errors?.length)
         return "unknown validation error";
@@ -113,4 +118,4 @@ export function formatValidationErrors(errors) {
     }
     return unique.join("; ");
 }
-export { ConnectParamsSchema, HelloOkSchema, RequestFrameSchema, ResponseFrameSchema, EventFrameSchema, GatewayFrameSchema, PresenceEntrySchema, SnapshotSchema, ErrorShapeSchema, StateVersionSchema, AgentEventSchema, ChatEventSchema, SendParamsSchema, PollParamsSchema, AgentParamsSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, WakeParamsSchema, NodePairRequestParamsSchema, NodePairListParamsSchema, NodePairApproveParamsSchema, NodePairRejectParamsSchema, NodePairVerifyParamsSchema, NodeListParamsSchema, NodeInvokeParamsSchema, SessionsListParamsSchema, SessionsPreviewParamsSchema, SessionsPatchParamsSchema, SessionsResetParamsSchema, SessionsDeleteParamsSchema, SessionsCompactParamsSchema, ConfigGetParamsSchema, ConfigSetParamsSchema, ConfigApplyParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, WizardStartParamsSchema, WizardNextParamsSchema, WizardCancelParamsSchema, WizardStatusParamsSchema, WizardStepSchema, WizardNextResultSchema, WizardStartResultSchema, WizardStatusResultSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChannelsLogoutParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, AgentSummarySchema, AgentsListParamsSchema, AgentsListResultSchema, ModelsListParamsSchema, SkillsStatusParamsSchema, SkillsInstallParamsSchema, SkillsUpdateParamsSchema, CronJobSchema, CronListParamsSchema, CronStatusParamsSchema, CronAddParamsSchema, CronUpdateParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, LogsTailParamsSchema, LogsTailResultSchema, SessionsTranscriptParamsSchema, SessionsTranscriptResultSchema, ChatHistoryParamsSchema, ChatSendParamsSchema, ChatInjectParamsSchema, UpdateRunParamsSchema, TickEventSchema, ShutdownEventSchema, ProtocolSchemas, PROTOCOL_VERSION, ErrorCodes, errorShape, };
+export { ConnectParamsSchema, HelloOkSchema, RequestFrameSchema, ResponseFrameSchema, EventFrameSchema, GatewayFrameSchema, PresenceEntrySchema, SnapshotSchema, ErrorShapeSchema, StateVersionSchema, AgentEventSchema, ChatEventSchema, SendParamsSchema, PollParamsSchema, AgentParamsSchema, AgentIdentityParamsSchema, AgentIdentityResultSchema, WakeParamsSchema, NodePairRequestParamsSchema, NodePairListParamsSchema, NodePairApproveParamsSchema, NodePairRejectParamsSchema, NodePairVerifyParamsSchema, NodeListParamsSchema, NodeInvokeParamsSchema, SessionsListParamsSchema, SessionsPreviewParamsSchema, SessionsPatchParamsSchema, SessionsResetParamsSchema, SessionsDeleteParamsSchema, SessionsCompactParamsSchema, ConfigGetParamsSchema, ConfigSetParamsSchema, ConfigApplyParamsSchema, ConfigPatchParamsSchema, ConfigSchemaParamsSchema, ConfigSchemaResponseSchema, WizardStartParamsSchema, WizardNextParamsSchema, WizardCancelParamsSchema, WizardStatusParamsSchema, WizardStepSchema, WizardNextResultSchema, WizardStartResultSchema, WizardStatusResultSchema, ChannelsStatusParamsSchema, ChannelsStatusResultSchema, ChannelsLogoutParamsSchema, WebLoginStartParamsSchema, WebLoginWaitParamsSchema, WhatsAppConversationsParamsSchema, WhatsAppGroupInfoParamsSchema, WhatsAppMessagesParamsSchema, WhatsAppSendMessageParamsSchema, WhatsAppSetActivationParamsSchema, AgentSummarySchema, AgentsListParamsSchema, AgentsListResultSchema, ModelsListParamsSchema, SkillsStatusParamsSchema, SkillsInstallParamsSchema, SkillsUpdateParamsSchema, CronJobSchema, CronListParamsSchema, CronStatusParamsSchema, CronAddParamsSchema, CronUpdateParamsSchema, CronRemoveParamsSchema, CronRunParamsSchema, CronRunsParamsSchema, LogsTailParamsSchema, LogsTailResultSchema, SessionsTranscriptParamsSchema, SessionsTranscriptResultSchema, ChatHistoryParamsSchema, ChatSendParamsSchema, ChatInjectParamsSchema, UpdateRunParamsSchema, TickEventSchema, ShutdownEventSchema, ProtocolSchemas, PROTOCOL_VERSION, ErrorCodes, errorShape, };

package/dist/gateway/protocol/schema/logs-chat.js

@@ -4,6 +4,12 @@ export const LogsTailParamsSchema = Type.Object({
     cursor: Type.Optional(Type.Integer({ minimum: 0 })),
     limit: Type.Optional(Type.Integer({ minimum: 1, maximum: 5000 })),
     maxBytes: Type.Optional(Type.Integer({ minimum: 1, maximum: 1_000_000 })),
+    minLevel: Type.Optional(Type.Union([
+        Type.Literal("fatal"),
+        Type.Literal("error"),
+        Type.Literal("warn"),
+        Type.Literal("info"),
+    ])),
 }, { additionalProperties: false });
 export const LogsTailResultSchema = Type.Object({
     file: NonEmptyString,

package/dist/gateway/protocol/schema/protocol-schemas.js

@@ -10,6 +10,7 @@ import { ChatAbortParamsSchema, ChatEventSchema, ChatHistoryParamsSchema, ChatIn
 import { NodeDescribeParamsSchema, NodeEventParamsSchema, NodeInvokeParamsSchema, NodeInvokeResultParamsSchema, NodeInvokeRequestEventSchema, NodeListParamsSchema, NodePairApproveParamsSchema, NodePairListParamsSchema, NodePairRejectParamsSchema, NodePairRequestParamsSchema, NodePairVerifyParamsSchema, NodeRenameParamsSchema, } from "./nodes.js";
 import { SessionsCompactParamsSchema, SessionsDeleteParamsSchema, SessionsListParamsSchema, SessionsPatchParamsSchema, SessionsPreviewParamsSchema, SessionsResetParamsSchema, SessionsResolveParamsSchema, } from "./sessions.js";
 import { PresenceEntrySchema, SnapshotSchema, StateVersionSchema } from "./snapshot.js";
+import { WhatsAppConversationsParamsSchema, WhatsAppGroupInfoParamsSchema, WhatsAppMessagesParamsSchema, WhatsAppSendMessageParamsSchema, WhatsAppSetActivationParamsSchema, } from "./whatsapp.js";
 import { WizardCancelParamsSchema, WizardNextParamsSchema, WizardNextResultSchema, WizardStartParamsSchema, WizardStartResultSchema, WizardStatusParamsSchema, WizardStatusResultSchema, WizardStepSchema, } from "./wizard.js";
 export const ProtocolSchemas = {
     ConnectParams: ConnectParamsSchema,
@@ -117,6 +118,11 @@ export const ProtocolSchemas = {
     ChatInjectParams: ChatInjectParamsSchema,
     ChatEvent: ChatEventSchema,
     UpdateRunParams: UpdateRunParamsSchema,
+    WhatsAppConversationsParams: WhatsAppConversationsParamsSchema,
+    WhatsAppMessagesParams: WhatsAppMessagesParamsSchema,
+    WhatsAppGroupInfoParams: WhatsAppGroupInfoParamsSchema,
+    WhatsAppSetActivationParams: WhatsAppSetActivationParamsSchema,
+    WhatsAppSendMessageParams: WhatsAppSendMessageParamsSchema,
     TickEvent: TickEventSchema,
     ShutdownEvent: ShutdownEventSchema,
 };

package/dist/gateway/protocol/schema/sessions-transcript.js

@@ -3,6 +3,7 @@ export const SessionsTranscriptParamsSchema = Type.Object({
     cursors: Type.Optional(Type.Record(Type.String(), Type.Integer({ minimum: 0 }))),
     limit: Type.Optional(Type.Integer({ minimum: 1, maximum: 10_000 })),
     agents: Type.Optional(Type.Array(Type.String())),
+    errorsOnly: Type.Optional(Type.Boolean()),
 }, { additionalProperties: false });
 export const SessionsTranscriptEntrySchema = Type.Object({
     sessionId: Type.String(),

package/dist/gateway/protocol/schema/sessions.js

@@ -56,7 +56,12 @@ export const SessionsPatchParamsSchema = Type.Object({
     model: Type.Optional(Type.Union([NonEmptyString, Type.Null()])),
     spawnedBy: Type.Optional(Type.Union([NonEmptyString, Type.Null()])),
     sendPolicy: Type.Optional(Type.Union([Type.Literal("allow"), Type.Literal("deny"), Type.Null()])),
-    groupActivation: Type.Optional(Type.Union([Type.Literal("mention"), Type.Literal("always"), Type.Null()])),
+    groupActivation: Type.Optional(Type.Union([
+        Type.Literal("mention"),
+        Type.Literal("always"),
+        Type.Literal("off"),
+        Type.Null(),
+    ])),
     fillerEnabled: Type.Optional(Type.Union([Type.Boolean(), Type.Null()])),
 }, { additionalProperties: false });
 export const SessionsResetParamsSchema = Type.Object({ key: NonEmptyString }, { additionalProperties: false });

package/dist/gateway/protocol/schema/whatsapp.js

@@ -0,0 +1,24 @@
+import { Type } from "@sinclair/typebox";
+import { NonEmptyString } from "./primitives.js";
+export const WhatsAppConversationsParamsSchema = Type.Object({
+    accountId: Type.Optional(Type.String()),
+}, { additionalProperties: false });
+export const WhatsAppMessagesParamsSchema = Type.Object({
+    jid: NonEmptyString,
+    limit: Type.Optional(Type.Integer({ minimum: 1, maximum: 200 })),
+    accountId: Type.Optional(Type.String()),
+}, { additionalProperties: false });
+export const WhatsAppGroupInfoParamsSchema = Type.Object({
+    jid: NonEmptyString,
+    accountId: Type.Optional(Type.String()),
+}, { additionalProperties: false });
+export const WhatsAppSetActivationParamsSchema = Type.Object({
+    jid: NonEmptyString,
+    activation: Type.Union([Type.Literal("always"), Type.Literal("mention"), Type.Literal("off")]),
+    accountId: Type.Optional(Type.String()),
+}, { additionalProperties: false });
+export const WhatsAppSendMessageParamsSchema = Type.Object({
+    jid: NonEmptyString,
+    body: NonEmptyString,
+    accountId: Type.Optional(Type.String()),
+}, { additionalProperties: false });

package/dist/gateway/protocol/schema.js

@@ -14,4 +14,5 @@ export * from "./schema/protocol-schemas.js";
 export * from "./schema/sessions.js";
 export * from "./schema/snapshot.js";
 export * from "./schema/types.js";
+export * from "./schema/whatsapp.js";
 export * from "./schema/wizard.js";

package/dist/gateway/public-chat/session-token.js

@@ -0,0 +1,52 @@
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+const SECRET_FILE = path.join(os.homedir(), ".taskmaster", "identity", "public-session.secret");
+let _cachedSecret = null;
+/**
+ * Load the HMAC secret from disk, generating and persisting it if it does not exist.
+ * The secret is a 32-byte value stored as a 64-char hex string.
+ * Cached in memory after first load.
+ */
+export function loadOrCreateSessionSecret() {
+    if (_cachedSecret)
+        return _cachedSecret;
+    try {
+        const raw = fs.readFileSync(SECRET_FILE, "utf8").trim();
+        if (/^[0-9a-f]{64}$/.test(raw)) {
+            _cachedSecret = raw;
+            return raw;
+        }
+        // File exists but content is not a valid 64-char hex secret — regenerate.
+        // This invalidates all previously issued session tokens; users will re-authenticate.
+    }
+    catch {
+        // File absent or unreadable — fall through to generate.
+    }
+    const secret = randomBytes(32).toString("hex");
+    fs.mkdirSync(path.dirname(SECRET_FILE), { recursive: true });
+    fs.writeFileSync(SECRET_FILE, secret, { mode: 0o600 });
+    _cachedSecret = secret;
+    return secret;
+}
+/** Compute HMAC-SHA256(secret, sessionKey) and return as lowercase hex. */
+export function signSessionKey(secret, sessionKey) {
+    return createHmac("sha256", secret).update(sessionKey).digest("hex");
+}
+/**
+ * Verify that token == HMAC-SHA256(secret, sessionKey).
+ * Uses timingSafeEqual to prevent timing attacks.
+ * Returns false for tokens of wrong length without performing the comparison.
+ */
+export function verifySessionToken(secret, sessionKey, token) {
+    if (!token || token.length !== 64)
+        return false;
+    const expected = signSessionKey(secret, sessionKey);
+    try {
+        return timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(token, "hex"));
+    }
+    catch {
+        return false;
+    }
+}

package/dist/gateway/public-chat-api.js

@@ -4,9 +4,9 @@
  * Base path: /public/api/v1/:accountId/
  *
  * Endpoints:
- *   POST /session        — create an anonymous session (returns sessionKey)
+ *   POST /session        — create an anonymous session (returns session_key and session_token)
  *   POST /otp/request    — request an OTP code (phone via WhatsApp/SMS, or email via Brevo)
- *   POST /otp/verify     — verify OTP and get a verified session (returns sessionKey)
+ *   POST /otp/verify     — verify OTP and get a verified session (returns session_key and session_token)
  *   POST /chat           — send a message, receive the agent reply (sync or SSE stream)
  *   GET  /chat/history   — retrieve past messages for a session
  *   POST /chat/abort     — cancel an in-progress agent run
@@ -14,9 +14,9 @@
  *
  * Authentication mirrors the public chat widget: anonymous sessions use a
  * client-provided identity string; verified sessions use OTP sent via phone
- * (WhatsApp with SMS fallback) or email (Brevo). The sessionKey returned
- * from /session or /otp/verify is passed via the X-Session-Key header on
- * subsequent requests.
+ * (WhatsApp with SMS fallback) or email (Brevo). The session_key and
+ * session_token returned from /session or /otp/verify are passed via
+ * X-Session-Key and X-Session-Token headers on subsequent requests.
  *
  * The chat endpoint uses `dispatchInboundMessage` — the same full pipeline
  * as the WebSocket `chat.send` handler — so filler messages, internal hooks,
@@ -26,6 +26,7 @@ import { randomUUID } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { resolveAgentWorkspaceDir, resolveSessionAgentId } from "../agents/agent-scope.js";
+import { loadOrCreateSessionSecret, signSessionKey, verifySessionToken, } from "./public-chat/session-token.js";
 import { resolveEffectiveMessagesConfig, resolveIdentityName } from "../agents/identity.js";
 import { dispatchInboundMessage } from "../auto-reply/dispatch.js";
 import { resolveAgentBoundAccountId } from "../routing/bindings.js";
@@ -50,7 +51,7 @@ const API_PREFIX = "/public/api/v1/";
 function setCorsHeaders(res) {
     res.setHeader("Access-Control-Allow-Origin", "*");
     res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-    res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Session-Key");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Session-Key, X-Session-Token");
     res.setHeader("Access-Control-Max-Age", "86400");
 }
 function sendNotFound(res) {
@@ -86,6 +87,29 @@ function getSessionKeyHeader(req) {
         return raw[0]?.trim();
     return undefined;
 }
+function getSessionTokenHeader(req) {
+    const raw = req.headers["x-session-token"];
+    if (typeof raw === "string")
+        return raw.trim();
+    if (Array.isArray(raw))
+        return raw[0]?.trim();
+    return undefined;
+}
+/**
+ * Validate both the session key format and its HMAC token.
+ * Returns the session key string on success, null on any failure.
+ */
+function validateSession(req) {
+    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    if (!sessionKey)
+        return null;
+    const token = getSessionTokenHeader(req);
+    if (!token)
+        return null;
+    if (!verifySessionToken(loadOrCreateSessionSecret(), sessionKey, token))
+        return null;
+    return sessionKey;
+}
 /** Minimal phone format check: starts with +, digits only, 7–15 digits. */
 function isValidPhone(phone) {
     return /^\+\d{7,15}$/.test(phone);
@@ -213,7 +237,8 @@ async function handleSession(req, res, accountId, cfg, maxBodyBytes) {
     const agentId = resolvePublicAgentId(cfg, accountId);
     const identifier = `anon-${sessionId}`;
     const sessionKey = buildPublicSessionKey(agentId, identifier);
-    sendJson(res, 200, { session_key: sessionKey, agent_id: agentId });
+    const sessionToken = signSessionKey(loadOrCreateSessionSecret(), sessionKey);
+    sendJson(res, 200, { session_key: sessionKey, session_token: sessionToken, agent_id: agentId });
 }
 // ---------------------------------------------------------------------------
 // Route: POST /otp/request
@@ -351,8 +376,10 @@ async function handleOtpVerify(req, res, accountId, cfg, maxBodyBytes) {
     }
     const agentId = resolvePublicAgentId(cfg, accountId);
     const sessionKey = buildPublicSessionKey(agentId, identifier);
+    const sessionToken = signSessionKey(loadOrCreateSessionSecret(), sessionKey);
     sendJson(res, 200, {
         session_key: sessionKey,
+        session_token: sessionToken,
         agent_id: agentId,
         identifier,
         // Backward-compat: include named field matching the identifier type.
@@ -368,9 +395,9 @@ async function handleChat(req, res, _accountId, cfg, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    const sessionKey = validateSession(req);
     if (!sessionKey) {
-        sendInvalidRequest(res, "X-Session-Key header required (obtain from /session or /otp/verify)");
+        sendInvalidRequest(res, "X-Session-Key and X-Session-Token headers required (obtain from /session or /otp/verify)");
         return;
     }
     const body = await readJsonBodyOrError(req, res, maxBodyBytes);
@@ -693,9 +720,9 @@ async function handleChatHistory(req, res) {
         sendMethodNotAllowed(res, "GET");
         return;
     }
-    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    const sessionKey = validateSession(req);
     if (!sessionKey) {
-        sendInvalidRequest(res, "X-Session-Key header required");
+        sendInvalidRequest(res, "X-Session-Key and X-Session-Token headers required");
         return;
     }
     const { cfg, storePath, entry } = loadSessionEntry(sessionKey);
@@ -736,9 +763,9 @@ async function handleChatAbort(req, res, maxBodyBytes) {
         sendMethodNotAllowed(res);
         return;
     }
-    const sessionKey = validateSessionKey(getSessionKeyHeader(req));
+    const sessionKey = validateSession(req);
     if (!sessionKey) {
-        sendInvalidRequest(res, "X-Session-Key header required");
+        sendInvalidRequest(res, "X-Session-Key and X-Session-Token headers required");
         return;
     }
     const body = await readJsonBodyOrError(req, res, maxBodyBytes);

package/dist/gateway/server-methods/apikeys.js

@@ -27,6 +27,8 @@ const PROVIDER_CATALOG = [
     { id: "brave", name: "Brave", category: "Web Search" },
     { id: "elevenlabs", name: "ElevenLabs", category: "Voice" },
     { id: "brevo", name: "Brevo", category: "Email" },
+    { id: "stripe", name: "Stripe", category: "Payments" },
+    { id: "stripe_webhook_secret", name: "Stripe Webhook Secret", category: "Payments" },
 ];
 const VALID_PROVIDER_IDS = new Set(PROVIDER_CATALOG.map((p) => p.id));
 export const apikeysHandlers = {

package/dist/gateway/server-methods/logs.js

@@ -1,6 +1,8 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { getResolvedLoggerSettings } from "../../logging.js";
+import { levelToMinLevel, ALLOWED_LOG_LEVELS } from "../../logging/levels.js";
+import { parseLogLine } from "../../logging/parse-log-line.js";
 import { ErrorCodes, errorShape, formatValidationErrors, validateLogsTailParams, } from "../protocol/index.js";
 const DEFAULT_LIMIT = 500;
 const DEFAULT_MAX_BYTES = 250_000;
@@ -134,7 +136,21 @@ export const logsHandlers = {
                 limit: p.limit ?? DEFAULT_LIMIT,
                 maxBytes: p.maxBytes ?? DEFAULT_MAX_BYTES,
             });
-            respond(true, { file, ...result }, undefined);
+            const minLevelNum = p.minLevel !== undefined ? levelToMinLevel(p.minLevel) : undefined;
+            const filteredLines = minLevelNum !== undefined
+                ? result.lines.filter((line) => {
+                    const parsed = parseLogLine(line);
+                    if (!parsed || parsed.level === undefined)
+                        return true; // keep unparseable
+                    const levelNum = ALLOWED_LOG_LEVELS.includes(parsed.level)
+                        ? levelToMinLevel(parsed.level)
+                        : undefined;
+                    if (levelNum === undefined)
+                        return true; // unknown level — keep
+                    return levelNum <= minLevelNum;
+                })
+                : result.lines;
+            respond(true, { file, ...result, lines: filteredLines }, undefined);
         }
         catch (err) {
             respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, `log read failed: ${String(err)}`));

package/dist/gateway/server-methods/public-chat.js

@@ -8,6 +8,7 @@ import { ErrorCodes, errorShape } from "../protocol/index.js";
 import { requestOtp, verifyOtp } from "../public-chat/otp.js";
 import { deliverOtp, hasPhoneMethod, normalizeVerifyMethods } from "../public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "../public-chat/session.js";
+import { loadOrCreateSessionSecret, signSessionKey } from "../public-chat/session-token.js";
 /** Strip spaces, dashes, and parentheses from a phone number. */
 function normalizePhone(raw) {
     return raw.replace(/[\s\-()]/g, "");
@@ -155,9 +156,11 @@ export const publicChatHandlers = {
         }
         const agentId = resolvePublicAgentId(cfg, accountId);
         const sessionKey = buildPublicSessionKey(agentId, identifier);
+        const sessionToken = signSessionKey(loadOrCreateSessionSecret(), sessionKey); // secret is memoised after first load
         respond(true, {
             ok: true,
             sessionKey,
+            sessionToken,
             agentId,
             identifier,
             // Backward compat: include named field matching the identifier type.
@@ -188,9 +191,11 @@ export const publicChatHandlers = {
         const agentId = resolvePublicAgentId(cfg, accountId);
         const identifier = `anon-${cookieId}`;
         const sessionKey = buildPublicSessionKey(agentId, identifier);
+        const sessionToken = signSessionKey(loadOrCreateSessionSecret(), sessionKey); // secret is memoised after first load
         respond(true, {
             ok: true,
             sessionKey,
+            sessionToken,
             agentId,
         });
     },

package/dist/gateway/server-methods/sessions-transcript.js

@@ -30,6 +30,18 @@ function extractTextFromContentBlocks(blocks) {
     }
     return parts.join("\n");
 }
+/** Detect soft-failure tool results: content is JSON with success === false. */
+function isToolResultSoftError(content) {
+    if (!content.trim().startsWith("{"))
+        return false;
+    try {
+        const parsed = JSON.parse(content);
+        return parsed.success === false;
+    }
+    catch {
+        return false;
+    }
+}
 /** Format tool input as readable key=value pairs instead of raw JSON. */
 function formatToolInput(input) {
     if (input == null)
@@ -76,11 +88,12 @@ function expandLineToEntries(line, sessionId, sessionKey, agentId, fileMtimeMs)
         return entries;
     }
     if (line.type === "tool_result") {
-        const content = line.result != null
+        const rawContent = line.result != null
             ? typeof line.result === "string"
                 ? line.result
                 : JSON.stringify(line.result)
             : "";
+        const content = isToolResultSoftError(rawContent) ? `[error] ${rawContent}` : rawContent;
         entries.push({
             sessionId,
             sessionKey,
@@ -102,7 +115,10 @@ function expandLineToEntries(line, sessionId, sessionKey, agentId, fileMtimeMs)
         if (msg.role === "toolResult") {
             const textParts = [];
             for (const block of contentBlocks) {
-                if (block && typeof block === "object" && typeof block.text === "string" && block.text.trim()) {
+                if (block &&
+                    typeof block === "object" &&
+                    typeof block.text === "string" &&
+                    block.text.trim()) {
                     textParts.push(block.text.trim());
                 }
             }
@@ -112,13 +128,14 @@ function expandLineToEntries(line, sessionId, sessionKey, agentId, fileMtimeMs)
             const content = textParts.length > 0 ? textParts.join("\n") : "(empty result)";
             const toolName = typeof msg.toolName === "string" ? msg.toolName : undefined;
             const toolCallId = typeof msg.toolCallId === "string" ? msg.toolCallId : undefined;
+            const isError = msg.isError || isToolResultSoftError(content);
             entries.push({
                 sessionId,
                 sessionKey,
                 agentId,
                 timestamp: ts,
                 type: "tool_result",
-                content: msg.isError ? `[error] ${content}` : content,
+                content: isError ? `[error] ${content}` : content,
                 ...(toolName ? { toolName } : {}),
                 ...(toolCallId ? { toolCallId } : {}),
                 ...(model ? { model } : {}),
@@ -259,6 +276,7 @@ export const sessionsTranscriptHandlers = {
         }
         const p = params;
         const limit = p.limit ?? DEFAULT_LIMIT;
+        const errorsOnly = p.errorsOnly === true;
         const inputCursors = p.cursors ?? {};
         const agentFilter = p.agents && p.agents.length > 0 ? new Set(p.agents) : null;
         try {
@@ -343,13 +361,19 @@ export const sessionsTranscriptHandlers = {
                     }
                 }
             }
-            // Sort by timestamp descending and truncate to limit
-            allEntries.sort((a, b) => {
+            // Filter to errors only if requested: session-level errors OR tool results that failed
+            const filtered = errorsOnly
+                ? allEntries.filter((e) => e.type === "error" ||
+                    (e.type === "tool_result" &&
+                        typeof e.content === "string" &&
+                        e.content.startsWith("[error]")))
+                : allEntries;
+            filtered.sort((a, b) => {
                 const ta = new Date(a.timestamp).getTime();
                 const tb = new Date(b.timestamp).getTime();
                 return tb - ta;
             });
-            const entries = allEntries.slice(0, limit);
+            const entries = filtered.slice(0, limit);
             // Include configured agents so UI filter chips appear even when an
             // agent has no sessions yet. When an agent filter is active (account
             // scoping), only add config agents that match the filter — otherwise