@rubytech/taskmaster 1.17.4 → 1.17.5

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.17.4",
-  "commit": "6926faba7483a7c9b1ec7c332c593b866db3edb3",
-  "builtAt": "2026-03-05T13:47:06.682Z"
+  "version": "1.17.5",
+  "commit": "a8f722442ed79fe5f1a5e64bd066bc4ef1e7a6f1",
+  "builtAt": "2026-03-05T14:01:37.198Z"
 }

package/dist/config/agent-tools-reconcile.js

@@ -255,3 +255,37 @@ export function reconcileBeaglePublicTools(params) {
     }
     return { config, changes };
 }
+/**
+ * Add `skill_read` to admin agents whose explicit allow list lacks it.
+ *
+ * `skill_read` was added to ACCOUNT_ADMIN_TOOLS after some workspaces were
+ * created; those agents have an explicit allow list that predates the addition
+ * and therefore miss the tool. The trigger is the presence of `message` (present
+ * in every admin agent allow list) without `skill_read`.
+ *
+ * Runs unconditionally on gateway startup. Idempotent — skips agents that already
+ * have `skill_read` or `group:skills`.
+ */
+export function reconcileSkillReadTool(params) {
+    const config = structuredClone(params.config);
+    const changes = [];
+    const agents = config.agents?.list;
+    if (!Array.isArray(agents))
+        return { config, changes };
+    for (const agent of agents) {
+        if (!agent || !isAdminAgent(agent))
+            continue;
+        const allow = agent.tools?.allow;
+        if (!Array.isArray(allow))
+            continue;
+        // Already covered by group or individual entry
+        if (allow.includes("skill_read") || allow.includes("group:skills"))
+            continue;
+        // Only patch agents that look like full admin agents (have `message`)
+        if (!allow.includes("message"))
+            continue;
+        allow.unshift("skill_read");
+        changes.push(`Added skill_read to agent "${agent.id ?? "<unnamed>"}" tools.allow.`);
+    }
+    return { config, changes };
+}

package/dist/gateway/server.impl.js

@@ -10,7 +10,7 @@ import { CONFIG_PATH_TASKMASTER, isNixMode, loadConfig, migrateLegacyConfig, rea
 import { VERSION } from "../version.js";
 import { isDiagnosticsEnabled } from "../infra/diagnostic-events.js";
 import { logAcceptedEnvOption } from "../infra/env.js";
-import { reconcileAgentContactTools, reconcileBeaglePublicTools, reconcileControlPanelTools, reconcileQrGenerateTool, reconcileStaleToolEntries, } from "../config/agent-tools-reconcile.js";
+import { reconcileAgentContactTools, reconcileBeaglePublicTools, reconcileControlPanelTools, reconcileQrGenerateTool, reconcileSkillReadTool, reconcileStaleToolEntries, } from "../config/agent-tools-reconcile.js";
 import { applyPluginAutoEnable } from "../config/plugin-auto-enable.js";
 import { clearAgentRunContext, onAgentEvent } from "../infra/agent-events.js";
 import { onHeartbeatEvent } from "../infra/heartbeat-events.js";
@@ -213,6 +213,20 @@ export async function startGatewayServer(port = 18789, opts = {}) {
             log.warn(`gateway: failed to persist control-panel tools reconciliation: ${String(err)}`);
         }
     }
+    // Add skill_read to admin agents that predate its addition to ACCOUNT_ADMIN_TOOLS.
+    const skillReadReconcile = reconcileSkillReadTool({ config: configSnapshot.config });
+    if (skillReadReconcile.changes.length > 0) {
+        try {
+            await writeConfigFile(skillReadReconcile.config);
+            configSnapshot = await readConfigFileSnapshot();
+            log.info(`gateway: reconciled skill_read tool:\n${skillReadReconcile.changes
+                .map((entry) => `- ${entry}`)
+                .join("\n")}`);
+        }
+        catch (err) {
+            log.warn(`gateway: failed to persist skill_read tool reconciliation: ${String(err)}`);
+        }
+    }
     // Stamp config with running version on startup so upgrades keep the stamp current.
     const storedVersion = configSnapshot.config.meta?.lastTouchedVersion;
     if (configSnapshot.exists && storedVersion !== VERSION) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.17.4",
+  "version": "1.17.5",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/stripe/SKILL.md

@@ -0,0 +1,29 @@
+---
+name: stripe
+description: Guide users through getting Stripe API credentials — the secret key for payment links and the webhook signing secret for automatic post-payment workflows.
+metadata: {"taskmaster":{"emoji":"💳"}}
+---
+
+# Stripe Setup
+
+Walks users through creating a Stripe account (or logging in to an existing one), obtaining their secret API key, setting up a webhook endpoint, and saving both credentials. One guided flow covers both keys — the secret key enables payment link creation; the webhook signing secret enables automatic post-payment workflow dispatch without any manual user step.
+
+## When to activate
+
+- User asks about Stripe setup or connecting Stripe to Taskmaster
+- Control panel shows Stripe or Stripe Webhook Secret as unconfigured and payment features are in use
+- BOOTSTRAP detects missing Stripe key when payment link generation is needed
+- User asks why payments aren't working or why post-payment automation isn't firing
+
+## What it unlocks
+
+- **Payment link generation** — create Stripe Checkout Sessions for collecting booking fees or other payments
+- **Automatic post-payment dispatch** — Taskmaster receives `checkout.session.completed` webhook events and triggers follow-up workflows without requiring the customer to manually confirm payment
+
+## References
+
+| Task | When to use | Reference |
+|------|-------------|-----------|
+| Guided setup | User wants help getting both credentials | `references/setup-guide.md` |
+
+Load the reference and follow its instructions.

package/skills/stripe/references/setup-guide.md

@@ -0,0 +1,156 @@
+# Stripe — Guided Setup
+
+Walk the user through getting both Stripe credentials: the secret API key (used to create payment links) and the webhook signing secret (used to verify incoming payment confirmation events). Guide with clear step-by-step instructions.
+
+**Important:** Stripe's dashboard is dense and aimed at developers. The user only needs two things: their secret key and a webhook endpoint. Guide them directly to both — do not let them get lost in the product catalogue, reports, or analytics.
+
+---
+
+## Prerequisites
+
+- User has a Stripe account, or is ready to create one
+- Taskmaster's public URL — the user needs to know their hostname to construct the webhook endpoint URL (e.g. `https://taskmaster-19000.local:19000` or their public domain)
+
+---
+
+## Step 1: Explain
+
+Tell the user what you are setting up and why both keys are needed:
+
+> "To take payments, Taskmaster needs two things from your Stripe account:
+>
+> 1. **Secret key** — lets Taskmaster create payment links on your behalf
+> 2. **Webhook signing secret** — tells Taskmaster when a customer has actually paid, so it can automatically trigger follow-up actions (like releasing booking details) without waiting for the customer to say anything
+>
+> This takes about 5 minutes. I'll walk you through both."
+
+---
+
+## Step 2: Log in to Stripe
+
+> "Go to **dashboard.stripe.com** and sign in. If you don't have an account yet, click **Start now** and create one — it's free to set up.
+>
+> Let me know when you're in the dashboard."
+
+Wait for the user to confirm.
+
+---
+
+## Step 3: Get the secret key
+
+**Navigation: Dashboard → Developers → API keys**
+
+> "In the left sidebar, click **Developers** (near the bottom), then click **API keys**.
+>
+> You'll see two keys:
+> - **Publishable key** — starts with `pk_` — we don't need this one
+> - **Secret key** — starts with `sk_` — this is the one we need
+>
+> Click **Reveal live key** (or **Reveal test key** if you're still testing). Copy the full key — it starts with `sk_live_` or `sk_test_` and is quite long. Send it to me."
+
+Wait for the user to send the key.
+
+Verify format (`sk_test_` or `sk_live_` prefix, 30+ characters). If it looks wrong:
+
+> "That doesn't look quite right — the secret key should start with `sk_test_` (for test mode) or `sk_live_` (for production) and be at least 30 characters long. Can you check you've copied the **Secret key**, not the Publishable key?"
+
+Once you have a valid key, save it:
+
+```
+api_keys({ action: "set", provider: "stripe", apiKey: "<the key>" })
+```
+
+Confirm to the user:
+
+> "Secret key saved. Now let's set up the webhook so Taskmaster gets notified automatically when a payment goes through."
+
+---
+
+## Step 4: Create the webhook endpoint
+
+**Navigation: Dashboard → Developers → Webhooks → Add endpoint**
+
+> "Still in the Developers section, click **Webhooks** in the left sidebar.
+>
+> Click **Add endpoint** (top-right of the page).
+>
+> In the **Endpoint URL** field, enter:
+> `https://<your-taskmaster-host>/webhook/stripe`
+>
+> Replace `<your-taskmaster-host>` with your Taskmaster address — for example `taskmaster-19000.local:19000` if you're on your local network, or your public domain if Taskmaster is accessible from the internet.
+>
+> Under **Select events**, click **+ Select events**, search for `checkout.session.completed`, tick it, and click **Add events**.
+>
+> Then click **Add endpoint** to save.
+>
+> Let me know when you've done that."
+
+If the user is unsure of their Taskmaster address:
+
+> "Your Taskmaster address is the URL you use to access the control panel — just the host and port, without any path. For example, if your control panel is at `http://taskmaster-19000.local:19000`, your webhook URL would be `https://taskmaster-19000.local:19000/webhook/stripe`."
+
+Wait for the user to confirm the endpoint is created.
+
+---
+
+## Step 5: Get the webhook signing secret
+
+> "After creating the endpoint, Stripe shows a **Signing secret** — it starts with `whsec_`. Click **Reveal** to show it, then copy it and send it to me.
+>
+> If you've already navigated away, click on the endpoint you just created in the Webhooks list — the signing secret is shown on that endpoint's detail page."
+
+Wait for the user to send the signing secret.
+
+Verify format (`whsec_` prefix). If it looks wrong:
+
+> "The webhook signing secret should start with `whsec_` — that's different from the API key. Click on your webhook endpoint in the Webhooks list and look for the **Signing secret** section."
+
+Once you have a valid signing secret, save it:
+
+```
+api_keys({ action: "set", provider: "stripe_webhook_secret", apiKey: "<the whsec key>" })
+```
+
+---
+
+## Step 6: Confirm
+
+> "Both Stripe credentials are saved:
+>
+> - **Secret key** — payment links can now be created
+> - **Webhook signing secret** — Taskmaster will receive and verify payment confirmations automatically
+>
+> You're all set. As soon as a customer completes a payment, Taskmaster will be notified and can trigger follow-up actions immediately — no manual step needed from the customer."
+
+---
+
+## If the user already has a Stripe account
+
+Skip Step 2 (they're already logged in). Proceed from Step 3.
+
+If they already have a secret key saved somewhere, skip to Step 4.
+
+---
+
+## Test mode vs live mode
+
+| | Test mode | Live mode |
+|---|---|---|
+| Key prefix | `sk_test_` | `sk_live_` |
+| Webhooks | Use test webhook endpoints | Use live webhook endpoints |
+| Payments | No real money moves | Real payments |
+
+Start with test mode (`sk_test_`) if the user is still building or testing their flow. Switch to live keys when ready for real payments. Both key types are stored the same way — just replace the value in the API Keys panel.
+
+---
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| Can't find Developers menu | It's in the left sidebar, near the bottom. If you're on the Stripe home page, you may need to scroll down or look for a collapsed sidebar — click the hamburger or expand icon. |
+| Secret key is hidden / "Restricted key" shown | You may be looking at a restricted key. Click **API keys** in the Developers section — the secret key is under **Standard keys**. |
+| Can't find signing secret after creating endpoint | Click on the endpoint row in the Webhooks list. The signing secret is on the endpoint's detail page under **Signing secret**. |
+| Webhook URL not accepted (must be HTTPS) | Stripe requires HTTPS for webhook endpoints. If Taskmaster is only on HTTP locally, use a tunnel tool like ngrok during development, or configure a TLS certificate on your Taskmaster host. |
+| Payments confirmed in Stripe but Taskmaster isn't notified | Check the webhook endpoint's delivery log in Stripe (Developers → Webhooks → click endpoint → Recent deliveries). If deliveries are failing, the URL may be unreachable from the internet. |
+| "I already had a webhook set up" | You can use the existing endpoint if it already points to `/webhook/stripe` on your host. Just copy the signing secret from its detail page. |