@rubytech/taskmaster 1.17.6 → 1.17.7

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-koe4eKhk.js"></script>
+    <script type="module" crossorigin src="./assets/index-ebUt9xoF.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-XqRo9tNW.css">
   </head>
   <body>

package/dist/cron/service/timer.js

@@ -92,6 +92,7 @@ export async function executeJob(state, job, nowMs, opts) {
             status,
             error: err,
             summary,
+            outputText,
             runAtMs: startedAt,
             durationMs: job.state.lastDurationMs,
             nextRunAtMs: job.state.nextRunAtMs,

package/dist/gateway/chat-sanitize.js

@@ -234,7 +234,7 @@ function extractMediaPrefixRefs(text) {
     }
     return refs;
 }
-function mediaRefToUrl(ref, workspaceRoot) {
+function mediaRefToUrl(ref, workspaceRoot, agentId) {
     const relPath = nodePath.relative(workspaceRoot, ref.absPath);
     // Must stay within workspace (no ../ escapes)
     if (relPath.startsWith("..") || nodePath.isAbsolute(relPath))
@@ -248,7 +248,8 @@ function mediaRefToUrl(ref, workspaceRoot) {
     catch {
         /* file may not exist yet */
     }
-    return `/api/media?path=${encodeURIComponent(relPath)}${mtime}`;
+    const agentParam = agentId ? `&agent=${encodeURIComponent(agentId)}` : "";
+    return `/api/media?path=${encodeURIComponent(relPath)}${agentParam}${mtime}`;
 }
 function stripBase64FromContentBlocks(content) {
     let changed = false;
@@ -309,7 +310,7 @@ export function stripBase64ImagesFromMessages(messages) {
  *
  * Must be called BEFORE stripEnvelopeFromMessages (which strips annotations).
  */
-export function sanitizeMediaForChat(messages, workspaceRoot) {
+export function sanitizeMediaForChat(messages, workspaceRoot, agentId) {
     if (messages.length === 0 || !workspaceRoot) {
         // No workspace context — fall back to plain base64 stripping
         return stripBase64ImagesFromMessages(messages);
@@ -325,14 +326,14 @@ export function sanitizeMediaForChat(messages, workspaceRoot) {
         const role = typeof entry?.role === "string" ? entry.role.toLowerCase() : "";
         if (role === "user")
             seenPaths.clear();
-        const result = sanitizeMessageMedia(message, workspaceRoot, seenPaths);
+        const result = sanitizeMessageMedia(message, workspaceRoot, seenPaths, agentId);
         if (result !== message)
             changed = true;
         return result;
     });
     return changed ? next : messages;
 }
-function sanitizeMessageMedia(message, workspaceRoot, seenPaths) {
+function sanitizeMessageMedia(message, workspaceRoot, seenPaths, agentId) {
     if (!message || typeof message !== "object")
         return message;
     const entry = message;
@@ -350,7 +351,7 @@ function sanitizeMessageMedia(message, workspaceRoot, seenPaths) {
     for (const ref of mediaRefs) {
         if (seenPaths.has(ref.absPath))
             continue;
-        const url = mediaRefToUrl(ref, workspaceRoot);
+        const url = mediaRefToUrl(ref, workspaceRoot, agentId);
         if (!url)
             continue;
         seenPaths.add(ref.absPath);

package/dist/gateway/media-http.js

@@ -112,7 +112,10 @@ export function handleMediaRequest(req, res, opts) {
         res.end("Forbidden");
         return true;
     }
-    const workspaceRoot = resolveWorkspaceRoot(opts.config);
+    // Resolve workspace root for the requested agent (supports multi-account).
+    // Falls back to the default "admin" agent when no agent param is provided.
+    const agentParam = urlObj.searchParams.get("agent") ?? "admin";
+    const workspaceRoot = resolveAgentWorkspaceRoot(opts.config, agentParam);
     const filePath = path.resolve(workspaceRoot, relPath);
     // Boundary check: must stay within workspace
     if (!filePath.startsWith(workspaceRoot + path.sep) && filePath !== workspaceRoot) {

package/dist/gateway/public-chat-api.js

@@ -25,7 +25,7 @@
 import { randomUUID } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
-import { resolveAgentWorkspaceDir, resolveSessionAgentId } from "../agents/agent-scope.js";
+import { resolveAgentWorkspaceDir, resolveAgentWorkspaceRoot, resolveSessionAgentId } from "../agents/agent-scope.js";
 import { loadOrCreateSessionSecret, signSessionKey, verifySessionToken, } from "./public-chat/session-token.js";
 import { resolveEffectiveMessagesConfig, resolveIdentityName } from "../agents/identity.js";
 import { dispatchInboundMessage } from "../auto-reply/dispatch.js";
@@ -41,7 +41,6 @@ import { deliverOtp, detectOtpChannels, hasPhoneMethod, normalizeVerifyMethods,
 import { buildPublicSessionKey, resolvePublicAgentId } from "./public-chat/session.js";
 import { loadSessionEntry, readSessionMessages } from "./session-utils.js";
 import { extractFileAttachments, sanitizeMediaForChat, stripEnvelopeFromMessages, } from "./chat-sanitize.js";
-import { resolveWorkspaceRoot } from "./media-http.js";
 import { readJsonBodyOrError, sendInvalidRequest, sendJson, sendMethodNotAllowed, setSseHeaders, writeDone, } from "./http-common.js";
 // ---------------------------------------------------------------------------
 // Helpers
@@ -536,7 +535,7 @@ async function handleChat(req, res, _accountId, cfg, maxBodyBytes) {
                 }));
             }
             // Extract file attachments from tool results in this session
-            const workspaceRoot = resolveWorkspaceRoot(cfg);
+            const workspaceRoot = resolveAgentWorkspaceRoot(cfg, agentId);
             const { entry: sessionEntry, storePath } = loadSessionEntry(sessionKey);
             let attachments = [];
             if (sessionEntry?.sessionId && storePath) {
@@ -691,7 +690,7 @@ async function handleChat(req, res, _accountId, cfg, maxBodyBytes) {
             if (!closed) {
                 // Emit file attachments (e.g. PDFs from document_to_pdf) before closing
                 try {
-                    const workspaceRoot = resolveWorkspaceRoot(cfg);
+                    const workspaceRoot = resolveAgentWorkspaceRoot(cfg, agentId);
                     const { entry: sessionEntry, storePath } = loadSessionEntry(sessionKey);
                     if (sessionEntry?.sessionId && storePath) {
                         const sessionMsgs = readSessionMessages(sessionEntry.sessionId, storePath, sessionEntry.sessionFile);
@@ -748,8 +747,9 @@ async function handleChatHistory(req, res) {
     const limitParam = url.searchParams.get("limit");
     const requested = limitParam ? Math.min(10_000, Math.max(1, Number(limitParam) || 5000)) : 5000;
     const messages = rawMessages.length > requested ? rawMessages.slice(-requested) : rawMessages;
-    const workspaceRoot = resolveWorkspaceRoot(cfg);
-    const sanitized = stripEnvelopeFromMessages(sanitizeMediaForChat(messages, workspaceRoot));
+    const historyAgentId = resolveSessionAgentId({ sessionKey, config: cfg });
+    const workspaceRoot = resolveAgentWorkspaceRoot(cfg, historyAgentId);
+    const sanitized = stripEnvelopeFromMessages(sanitizeMediaForChat(messages, workspaceRoot, historyAgentId));
     sendJson(res, 200, {
         session_key: sessionKey,
         messages: sanitized,

package/dist/gateway/server-methods/chat.js

@@ -2,7 +2,7 @@ import { randomUUID } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { CURRENT_SESSION_VERSION } from "@mariozechner/pi-coding-agent";
-import { resolveAgentWorkspaceDir, resolveSessionAgentId } from "../../agents/agent-scope.js";
+import { resolveAgentWorkspaceDir, resolveAgentWorkspaceRoot, resolveSessionAgentId } from "../../agents/agent-scope.js";
 import { resolveEffectiveMessagesConfig, resolveIdentityName } from "../../agents/identity.js";
 import { resolveThinkingDefault } from "../../agents/model-selection.js";
 import { resolveAgentTimeoutMs } from "../../agents/timeout.js";
@@ -16,7 +16,6 @@ import { abortChatRunById, abortChatRunsForSessionKey, isChatStopCommandText, re
 import { ErrorCodes, errorShape, formatValidationErrors, validateChatAbortParams, validateChatHistoryParams, validateChatInjectParams, validateChatSendParams, } from "../protocol/index.js";
 import { loadSessionEntry, readSessionMessages, resolveSessionModelRef } from "../session-utils.js";
 import { sanitizeMediaForChat, stripEnvelopeFromMessages } from "../chat-sanitize.js";
-import { resolveWorkspaceRoot } from "../media-http.js";
 import { formatForLog } from "../ws-log.js";
 import { fireSuggestion } from "../../suggestions/broadcast.js";
 function resolveTranscriptPath(params) {
@@ -195,8 +194,9 @@ export const chatHandlers = {
         const end = totalMessages - skip;
         const start = Math.max(0, end - max);
         const messages = start === 0 && end === totalMessages ? rawMessages : rawMessages.slice(start, end);
-        const workspaceRoot = resolveWorkspaceRoot(cfg);
-        const withMediaUrls = sanitizeMediaForChat(messages, workspaceRoot);
+        const historyAgentId = resolveSessionAgentId({ sessionKey, config: cfg });
+        const workspaceRoot = resolveAgentWorkspaceRoot(cfg, historyAgentId);
+        const withMediaUrls = sanitizeMediaForChat(messages, workspaceRoot, historyAgentId);
         const sanitized = preserveEnvelopes ? withMediaUrls : stripEnvelopeFromMessages(withMediaUrls);
         // Diagnostic: log resolution details so we can trace "lost history" reports.
         const prevCount = entry?.previousSessions?.length ?? 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.17.6",
+  "version": "1.17.7",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/stripe/SKILL.md

@@ -1,29 +1,38 @@
 ---
 name: stripe
-description: Guide users through getting Stripe API credentials — the secret key for payment links and the webhook signing secret for automatic post-payment workflows.
+description: Stripe integration — set up API credentials (secret key + webhook signing secret), create payment links via Checkout Sessions, and handle webhook events for automatic post-payment workflows.
 metadata: {"taskmaster":{"emoji":"💳"}}
 ---
 
-# Stripe Setup
+# Stripe Integration
 
-Walks users through creating a Stripe account (or logging in to an existing one), obtaining their secret API key, setting up a webhook endpoint, and saving both credentials. One guided flow covers both keys — the secret key enables payment link creation; the webhook signing secret enables automatic post-payment workflow dispatch without any manual user step.
+Handles Stripe credential setup and payment operations. One guided flow covers both credentials — the secret key enables payment link creation; the webhook signing secret enables automatic post-payment workflow dispatch without requiring any manual step from the customer.
 
 ## When to activate
 
-- User asks about Stripe setup or connecting Stripe to Taskmaster
-- Control panel shows Stripe or Stripe Webhook Secret as unconfigured and payment features are in use
+- User asks about connecting Stripe or setting up payments
+- `stripe` or `stripe_webhook_secret` API key slots are empty and payment features are in use
 - BOOTSTRAP detects missing Stripe key when payment link generation is needed
 - User asks why payments aren't working or why post-payment automation isn't firing
 
 ## What it unlocks
 
-- **Payment link generation** — create Stripe Checkout Sessions for collecting booking fees or other payments
-- **Automatic post-payment dispatch** — Taskmaster receives `checkout.session.completed` webhook events and triggers follow-up workflows without requiring the customer to manually confirm payment
+- **Payment link generation** — create Stripe Checkout Sessions for collecting fees or payments
+- **Automatic post-payment dispatch** — Taskmaster receives webhook events and triggers follow-up workflows without any manual customer step
+
+## Key Storage
+
+| Slot | Value | Purpose |
+|------|-------|---------|
+| `stripe` | `sk_test_...` or `sk_live_...` | Secret key for API calls (creating Checkout Sessions, verifying payments) |
+| `stripe_webhook_secret` | `whsec_...` | Signing secret for verifying incoming webhook events are genuinely from Stripe |
+
+Both stored via `api_keys` tool. Check `api_keys` before starting — skip any step where a credential already exists.
 
 ## References
 
 | Task | When to use | Reference |
 |------|-------------|-----------|
-| Guided setup | User wants help getting both credentials | `references/setup-guide.md` |
+| Credential setup | `stripe` or `stripe_webhook_secret` slot is empty | `references/setup-guide.md` |
 
 Load the reference and follow its instructions.

package/skills/stripe/references/setup-guide.md

@@ -1,156 +1,102 @@
-# Stripe — Guided Setup
+# Stripe — Setup Guide
 
-Walk the user through getting both Stripe credentials: the secret API key (used to create payment links) and the webhook signing secret (used to verify incoming payment confirmation events). Guide with clear step-by-step instructions.
+Walk the user through getting both Stripe credentials: the secret API key and the webhook signing secret.
 
-**Important:** Stripe's dashboard is dense and aimed at developers. The user only needs two things: their secret key and a webhook endpoint. Guide them directly to both — do not let them get lost in the product catalogue, reports, or analytics.
+## Before You Start
 
----
+1. Check `api_keys` to see which slots are already filled — skip any step where a credential exists
+2. Check memory (e.g. `memory/admin/infrastructure.md`) for the Tailscale/public URL — do NOT ask the user for it
+3. If the URL is not in memory, construct it as `https://{tailscale-or-public-host}/webhook/stripe`
 
-## Prerequisites
-
-- User has a Stripe account, or is ready to create one
-- Taskmaster's public URL — the user needs to know their hostname to construct the webhook endpoint URL (e.g. `https://taskmaster-19000.local:19000` or their public domain)
-
----
-
-## Step 1: Explain
-
-Tell the user what you are setting up and why both keys are needed:
+## What to tell the user
 
 > "To take payments, Taskmaster needs two things from your Stripe account:
 >
 > 1. **Secret key** — lets Taskmaster create payment links on your behalf
-> 2. **Webhook signing secret** — tells Taskmaster when a customer has actually paid, so it can automatically trigger follow-up actions (like releasing booking details) without waiting for the customer to say anything
+> 2. **Webhook signing secret** — tells Taskmaster when a customer has actually paid, so it can automatically trigger follow-up actions without waiting for the customer to say anything
 >
 > This takes about 5 minutes. I'll walk you through both."
 
----
+## Step 1: Log in to Stripe
 
-## Step 2: Log in to Stripe
+> "Go to **dashboard.stripe.com** and sign in. If you don't have an account yet, click **Start now** — it's free to set up."
 
-> "Go to **dashboard.stripe.com** and sign in. If you don't have an account yet, click **Start now** and create one — it's free to set up.
->
-> Let me know when you're in the dashboard."
-
-Wait for the user to confirm.
+Wait for confirmation.
 
----
-
-## Step 3: Get the secret key
+## Step 2: Get the secret key
 
 **Navigation: Dashboard → Developers → API keys**
 
-> "In the left sidebar, click **Developers** (near the bottom), then click **API keys**.
+> "In the left sidebar, click **Developers**, then **API keys**.
 >
 > You'll see two keys:
-> - **Publishable key** — starts with `pk_` — we don't need this one
-> - **Secret key** — starts with `sk_` — this is the one we need
+> - **Publishable key** (`pk_...`) — we don't need this
+> - **Secret key** (`sk_...`) — this is the one
 >
-> Click **Reveal live key** (or **Reveal test key** if you're still testing). Copy the full key — it starts with `sk_live_` or `sk_test_` and is quite long. Send it to me."
-
-Wait for the user to send the key.
+> Click **Reveal** next to the secret key. Copy the full value and send it to me."
 
-Verify format (`sk_test_` or `sk_live_` prefix, 30+ characters). If it looks wrong:
+Validate: must start with `sk_test_` or `sk_live_`, 30+ characters.
 
-> "That doesn't look quite right — the secret key should start with `sk_test_` (for test mode) or `sk_live_` (for production) and be at least 30 characters long. Can you check you've copied the **Secret key**, not the Publishable key?"
+Store: `api_keys({ action: "set", provider: "stripe", apiKey: "<key>" })`
 
-Once you have a valid key, save it:
+## Step 3: Create the webhook endpoint
 
-```
-api_keys({ action: "set", provider: "stripe", apiKey: "<the key>" })
-```
+**Navigation: Dashboard → Developers → Webhooks → + Add destination**
 
-Confirm to the user:
+Look up the webhook URL from memory before this step. If not found, construct it as `https://{tailscale-url}/webhook/stripe`.
 
-> "Secret key saved. Now let's set up the webhook so Taskmaster gets notified automatically when a payment goes through."
-
----
-
-## Step 4: Create the webhook endpoint
-
-**Navigation: Dashboard → Developers → Webhooks → Add endpoint**
-
-> "Still in the Developers section, click **Webhooks** in the left sidebar.
->
-> Click **Add endpoint** (top-right of the page).
->
-> In the **Endpoint URL** field, enter:
-> `https://<your-taskmaster-host>/webhook/stripe`
->
-> Replace `<your-taskmaster-host>` with your Taskmaster address — for example `taskmaster-19000.local:19000` if you're on your local network, or your public domain if Taskmaster is accessible from the internet.
+> "Still in Developers, click **Webhooks**, then **+ Add destination**.
 >
-> Under **Select events**, click **+ Select events**, search for `checkout.session.completed`, tick it, and click **Add events**.
+> First, select events. Expand **Checkout** and tick **Select all Checkout events** (4 events: completed, expired, async_payment_failed, async_payment_succeeded). Click **Continue**.
 >
-> Then click **Add endpoint** to save.
+> On the next screen:
+> - **Destination name:** something that identifies this service
+> - **Endpoint URL:** `{webhook_url}`
+> - **Description:** optional
 >
-> Let me know when you've done that."
+> Click **Create destination**."
 
-If the user is unsure of their Taskmaster address:
+Wait for confirmation.
 
-> "Your Taskmaster address is the URL you use to access the control panel — just the host and port, without any path. For example, if your control panel is at `http://taskmaster-19000.local:19000`, your webhook URL would be `https://taskmaster-19000.local:19000/webhook/stripe`."
+## Step 4: Get the webhook signing secret
 
-Wait for the user to confirm the endpoint is created.
+> "On the endpoint page you just created, find the **Signing secret** section. Click **Reveal**, then copy the `whsec_...` value and send it to me."
 
----
+Validate: must start with `whsec_`.
 
-## Step 5: Get the webhook signing secret
+Store: `api_keys({ action: "set", provider: "stripe_webhook_secret", apiKey: "<key>" })`
 
-> "After creating the endpoint, Stripe shows a **Signing secret** — it starts with `whsec_`. Click **Reveal** to show it, then copy it and send it to me.
->
-> If you've already navigated away, click on the endpoint you just created in the Webhooks list — the signing secret is shown on that endpoint's detail page."
-
-Wait for the user to send the signing secret.
-
-Verify format (`whsec_` prefix). If it looks wrong:
-
-> "The webhook signing secret should start with `whsec_` — that's different from the API key. Click on your webhook endpoint in the Webhooks list and look for the **Signing secret** section."
-
-Once you have a valid signing secret, save it:
-
-```
-api_keys({ action: "set", provider: "stripe_webhook_secret", apiKey: "<the whsec key>" })
-```
-
----
+## Step 5: Confirm
 
-## Step 6: Confirm
-
-> "Both Stripe credentials are saved:
->
-> - **Secret key** — payment links can now be created
-> - **Webhook signing secret** — Taskmaster will receive and verify payment confirmations automatically
+> "Both Stripe credentials saved:
+> - **Secret key** — payment links ready
+> - **Webhook signing secret** — automatic payment notifications active
 >
-> You're all set. As soon as a customer completes a payment, Taskmaster will be notified and can trigger follow-up actions immediately — no manual step needed from the customer."
-
----
-
-## If the user already has a Stripe account
+> When a customer pays, Taskmaster will be notified automatically and trigger follow-up actions immediately."
 
-Skip Step 2 (they're already logged in). Proceed from Step 3.
+Store webhook endpoint details in memory (endpoint URL, destination name, events subscribed to) for future reference.
 
-If they already have a secret key saved somewhere, skip to Step 4.
+## Test vs Live Mode
 
----
-
-## Test mode vs live mode
-
-| | Test mode | Live mode |
+| | Test | Live |
 |---|---|---|
 | Key prefix | `sk_test_` | `sk_live_` |
-| Webhooks | Use test webhook endpoints | Use live webhook endpoints |
-| Payments | No real money moves | Real payments |
+| Webhook secret | Same `whsec_` format | Same `whsec_` format |
+| Payments | No real money | Real payments |
+
+Start with test mode. Switch to live keys when ready — just update both API key slots.
 
-Start with test mode (`sk_test_`) if the user is still building or testing their flow. Switch to live keys when ready for real payments. Both key types are stored the same way — just replace the value in the API Keys panel.
+## Tailscale/Funnel Note
 
----
+Stripe's servers need to reach the webhook URL from the public internet. Standard Tailscale URLs are only accessible within the tailnet. **Tailscale Funnel** must be enabled on the host node for Stripe to deliver events. In test mode the endpoint can be created and tested later. Flag this to the user if webhook delivery failures occur.
 
 ## Troubleshooting
 
 | Problem | Solution |
 |---------|----------|
-| Can't find Developers menu | It's in the left sidebar, near the bottom. If you're on the Stripe home page, you may need to scroll down or look for a collapsed sidebar — click the hamburger or expand icon. |
-| Secret key is hidden / "Restricted key" shown | You may be looking at a restricted key. Click **API keys** in the Developers section — the secret key is under **Standard keys**. |
-| Can't find signing secret after creating endpoint | Click on the endpoint row in the Webhooks list. The signing secret is on the endpoint's detail page under **Signing secret**. |
-| Webhook URL not accepted (must be HTTPS) | Stripe requires HTTPS for webhook endpoints. If Taskmaster is only on HTTP locally, use a tunnel tool like ngrok during development, or configure a TLS certificate on your Taskmaster host. |
-| Payments confirmed in Stripe but Taskmaster isn't notified | Check the webhook endpoint's delivery log in Stripe (Developers → Webhooks → click endpoint → Recent deliveries). If deliveries are failing, the URL may be unreachable from the internet. |
-| "I already had a webhook set up" | You can use the existing endpoint if it already points to `/webhook/stripe` on your host. Just copy the signing secret from its detail page. |
+| Can't find Developers menu | In the left sidebar, near the bottom. May need to scroll or expand a collapsed sidebar. |
+| Secret key hidden / "Restricted key" shown | Looking at a restricted key. Click **API keys** → secret key is under **Standard keys**. |
+| Can't find signing secret | Click on the endpoint row in the Webhooks list — signing secret is on the endpoint detail page. |
+| Webhook URL not accepted (must be HTTPS) | Stripe requires HTTPS. For local-only Taskmaster, Tailscale Funnel provides a public HTTPS URL. |
+| Payments confirmed but Taskmaster not notified | Check delivery log: Developers → Webhooks → click endpoint → Event deliveries. |
+| Already had a webhook set up | Use the existing endpoint if it already points to `/webhook/stripe`. Just copy the signing secret. |