@rubytech/taskmaster 1.19.8 → 1.20.2

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-wJYMFZnC.js"></script>
+    <script type="module" crossorigin src="./assets/index-DbeiXb7c.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-0WHVrpg7.css">
   </head>
   <body>

package/dist/gateway/server-methods/auth.js

@@ -47,6 +47,7 @@ export const authHandlers = {
                     provider: "anthropic",
                     email: profile.email,
                     message: "Connected",
+                    ...(profile.type === "oauth" && profile.refresh ? { refreshToken: profile.refresh } : {}),
                 });
                 return;
             }
@@ -85,6 +86,7 @@ export const authHandlers = {
                 message: isExpired
                     ? "Connection expired — click to reconnect"
                     : `Connected · expires in ${expiresInMinutes}m`,
+                ...(profile.type === "oauth" && profile.refresh ? { refreshToken: profile.refresh } : {}),
             });
         }
         catch (err) {
@@ -280,4 +282,42 @@ export const authHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
         }
     },
+    /**
+     * Import a refresh token from another device
+     * Validates the token by minting fresh credentials, then stores them
+     */
+    "auth.importRefreshToken": async ({ params, respond }) => {
+        try {
+            const { refreshToken } = params;
+            if (!refreshToken || typeof refreshToken !== "string") {
+                respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "Missing refreshToken"));
+                return;
+            }
+            // Validate the token by using it to mint fresh credentials
+            const credentials = await refreshAnthropicToken(refreshToken);
+            upsertAuthProfile({
+                profileId: CLAUDE_CLI_PROFILE_ID,
+                credential: {
+                    type: "oauth",
+                    provider: "anthropic",
+                    access: credentials.access,
+                    refresh: credentials.refresh,
+                    expires: credentials.expires,
+                    email: credentials.email,
+                },
+            });
+            writeClaudeCliCredentials(credentials);
+            const expiresInMinutes = Math.max(0, Math.round((credentials.expires - Date.now()) / 60000));
+            respond(true, {
+                connected: true,
+                provider: "anthropic",
+                email: credentials.email,
+                expiresIn: expiresInMinutes,
+                message: "Connected via imported refresh token",
+            });
+        }
+        catch (err) {
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, `Invalid refresh token: ${formatForLog(err)}`));
+        }
+    },
 };

package/dist/license/skill-pack.js

@@ -0,0 +1,199 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import fsp from "node:fs/promises";
+import path from "node:path";
+// ---------------------------------------------------------------------------
+// Canonical JSON
+// ---------------------------------------------------------------------------
+/** Build the canonical JSON string that gets signed. Deterministic key order. */
+export function buildCanonicalPayload(payload) {
+    const ordered = {
+        format: payload.format,
+        pack: {
+            id: payload.pack.id,
+            version: payload.pack.version,
+            name: payload.pack.name,
+            description: payload.pack.description,
+            author: payload.pack.author,
+        },
+        device: {
+            did: payload.device.did,
+            cid: payload.device.cid,
+        },
+        content: {
+            skill: payload.content.skill,
+            references: payload.content.references.map((r) => ({
+                name: r.name,
+                content: r.content,
+            })),
+        },
+        signedAt: payload.signedAt,
+    };
+    return JSON.stringify(ordered);
+}
+// ---------------------------------------------------------------------------
+// Signing
+// ---------------------------------------------------------------------------
+function loadSigningKey() {
+    const raw = process.env.LICENSE_SIGNING_KEY;
+    if (!raw) {
+        throw new Error("LICENSE_SIGNING_KEY not set. Cannot sign skill packs.");
+    }
+    const pem = raw.replace(/\\n/g, "\n");
+    return crypto.createPrivateKey(pem);
+}
+/** Sign a skill pack payload with the Ed25519 private key from LICENSE_SIGNING_KEY. */
+export function signSkillPack(payload) {
+    const privateKey = loadSigningKey();
+    const canonical = buildCanonicalPayload(payload);
+    const signature = crypto.sign(null, Buffer.from(canonical), privateKey);
+    return {
+        ...payload,
+        signature: signature.toString("base64url"),
+    };
+}
+// ---------------------------------------------------------------------------
+// Verification
+// ---------------------------------------------------------------------------
+const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA/t/C4A4I0rDlj5rEqv6Hy6VdHJr7WiJHWUxgwGz9HcM=
+-----END PUBLIC KEY-----`;
+const publicKey = crypto.createPublicKey(PUBLIC_KEY_PEM);
+/** Verify a skill pack file's structure and Ed25519 signature. */
+export function verifySkillPack(raw) {
+    if (raw === null || typeof raw !== "object") {
+        return { valid: false, message: "Skill pack must be a JSON object" };
+    }
+    const obj = raw;
+    // Check signature field exists
+    if (typeof obj.signature !== "string" || !obj.signature) {
+        return { valid: false, message: "Missing or invalid signature" };
+    }
+    // Validate format
+    if (obj.format !== "skillpack-v1") {
+        return { valid: false, message: "Unsupported skill pack format" };
+    }
+    // Validate pack metadata
+    const pack = obj.pack;
+    if (!pack || typeof pack !== "object") {
+        return { valid: false, message: "Missing pack metadata" };
+    }
+    for (const key of ["id", "version", "name", "author"]) {
+        if (typeof pack[key] !== "string" || !pack[key]) {
+            return { valid: false, message: `Missing or invalid pack.${key}` };
+        }
+    }
+    if (typeof pack.description !== "string") {
+        return { valid: false, message: "Missing or invalid pack.description" };
+    }
+    // Validate device
+    const device = obj.device;
+    if (!device || typeof device !== "object") {
+        return { valid: false, message: "Missing device info" };
+    }
+    if (typeof device.did !== "string" || !device.did) {
+        return { valid: false, message: "Missing or invalid device.did" };
+    }
+    if (typeof device.cid !== "string" || !device.cid) {
+        return { valid: false, message: "Missing or invalid device.cid" };
+    }
+    // Validate content
+    const content = obj.content;
+    if (!content || typeof content !== "object") {
+        return { valid: false, message: "Missing content" };
+    }
+    if (typeof content.skill !== "string") {
+        return { valid: false, message: "Missing or invalid content.skill" };
+    }
+    if (!Array.isArray(content.references)) {
+        return { valid: false, message: "Missing or invalid content.references" };
+    }
+    for (let i = 0; i < content.references.length; i++) {
+        const ref = content.references[i];
+        if (!ref || typeof ref !== "object") {
+            return { valid: false, message: `Invalid reference at index ${i}` };
+        }
+        if (typeof ref.name !== "string" || !ref.name) {
+            return { valid: false, message: `Missing or invalid reference name at index ${i}` };
+        }
+        if (typeof ref.content !== "string") {
+            return { valid: false, message: `Missing or invalid reference content at index ${i}` };
+        }
+    }
+    // Validate signedAt
+    if (typeof obj.signedAt !== "string" || !obj.signedAt) {
+        return { valid: false, message: "Missing or invalid signedAt" };
+    }
+    // Rebuild payload (without signature) for verification
+    const payload = {
+        format: obj.format,
+        pack: {
+            id: pack.id,
+            version: pack.version,
+            name: pack.name,
+            description: pack.description,
+            author: pack.author,
+        },
+        device: {
+            did: device.did,
+            cid: device.cid,
+        },
+        content: {
+            skill: content.skill,
+            references: content.references.map((r) => ({
+                name: r.name,
+                content: r.content,
+            })),
+        },
+        signedAt: obj.signedAt,
+    };
+    // Verify Ed25519 signature
+    const canonical = buildCanonicalPayload(payload);
+    let signatureValid;
+    try {
+        const signature = Buffer.from(obj.signature, "base64url");
+        signatureValid = crypto.verify(null, Buffer.from(canonical), publicKey, signature);
+    }
+    catch {
+        return { valid: false, message: "Signature verification failed" };
+    }
+    if (!signatureValid) {
+        return { valid: false, message: "Invalid skill pack signature" };
+    }
+    return { valid: true, payload };
+}
+// ---------------------------------------------------------------------------
+// Marker file helpers
+// ---------------------------------------------------------------------------
+const MARKER_FILENAME = ".skillpack";
+/** Return the absolute path to the marker file inside a skill directory. */
+export function markerPath(skillDir) {
+    return path.join(skillDir, MARKER_FILENAME);
+}
+/** Synchronously check whether a skill directory has a .skillpack marker. */
+export function hasMarker(skillDir) {
+    return fs.existsSync(markerPath(skillDir));
+}
+/** Read and parse the .skillpack marker, or return null if absent or invalid. */
+export async function readMarker(skillDir) {
+    try {
+        const raw = await fsp.readFile(markerPath(skillDir), "utf8");
+        const data = JSON.parse(raw);
+        if (!data.packId ||
+            !data.version ||
+            !data.author ||
+            !data.installedAt ||
+            !data.deviceId ||
+            !data.customerId) {
+            return null;
+        }
+        return data;
+    }
+    catch {
+        return null;
+    }
+}
+/** Write a .skillpack marker file to a skill directory. */
+export async function writeMarker(skillDir, marker) {
+    await fsp.writeFile(markerPath(skillDir), JSON.stringify(marker, null, 2) + "\n", "utf8");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.19.8",
+  "version": "1.20.2",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/skill-pack-distribution/SKILL.md

@@ -0,0 +1,27 @@
+---
+name: skill-pack-distribution
+description: Sign and distribute licensed skill packs to customer devices
+metadata: {"taskmaster":{"always":true,"emoji":"📦","skillKey":"skill-pack-distribution"}}
+---
+
+# Skill Pack Distribution
+
+You can sign and send licensed skill packs to customers.
+
+## Workflow
+
+1. User asks to send a skill to a customer
+2. Look up the customer's contact record to get their `device_id` and customer ID
+3. Call `skill_pack_sign` with the pack ID, device ID, and customer ID
+4. Send the resulting `.skillpack.json` file to the customer's WhatsApp number
+5. Include a message: "Here's your [Skill Name] skill pack. Forward this file to your admin agent and ask it to install the skill."
+
+## Available Packs
+
+Check the `skill-packs/` folder in this workspace for available templates. Each subfolder is a pack ID containing SKILL.md and optional references/.
+
+## Notes
+
+- Each pack is signed for a specific device — it cannot be installed on other devices
+- To update a customer's skill, sign and send a newer version (bump the version parameter)
+- The customer's admin agent uses `skill_pack_install` to verify and install the pack

package/taskmaster-docs/USER-GUIDE.md

@@ -101,19 +101,63 @@ Your license is tied to this device. If you need to move it to a different devic
 
 ---
 
+## Premium Setup
+
+If you ordered a **Premium Setup**, your device has already been configured for you — installation, license activation, Claude account, agent profiles, skills, knowledge base, and branding are all in place. You can skip straight to using your assistant. Here's what you need to know:
+
+### Accessing Your Control Panel
+
+Your device hostname may have been customised during setup. If so, we will have communicated the address directly (e.g. `http://yourbusiness.local:18789`). The default `http://taskmaster.local:18789` will **not** work if the hostname was changed.
+
+### Change Your PINs Immediately
+
+Both your **admin PIN** and **account PIN** have been set to **123456** during setup. You must change these the first time you log in:
+
+1. Open the control panel and enter **123456** when prompted
+2. Go to **Setup** and scroll to the Security section
+3. Change your **admin PIN** to something only you know (4–6 digits)
+4. Change your **account PIN** to something different from your admin PIN
+
+> **Why two PINs?** The admin PIN controls access to the full dashboard. The account PIN is for individual account access when multiple accounts are configured. See "Security & PINs" below for full details.
+
+### What's Already Done
+
+Depending on your package, some or all of the following will already be configured:
+
+- **Claude account** connected and ready
+- **Agent profiles** tailored to your business
+- **Skills** loaded with industry-specific capabilities
+- **Knowledge base** pre-loaded with your business information
+- **Branding** (business name, colours, logo) applied
+- **WhatsApp** linked (if included in your package)
+
+### What You May Still Need to Do
+
+- **Link WhatsApp** — if not included in your package, follow the "Link WhatsApp" step in the Setting Up section below
+- **Add admin phone numbers** — go to the Admins page to add any phone numbers that should have admin access
+- **Review your knowledge base** — go to Files and check what's been loaded; add or correct anything
+
+Once your PINs are changed, you're ready to start chatting with your assistant.
+
+---
+
 ## Setting Up
 
-Once your license is activated:
+Once your license is activated, you'll land on the **setup dashboard** where you can configure each part of your assistant at your own pace.
 
-### 1. Connect Your Claude Account
+### 1. Connect to Claude (recommended)
 
-1. Tap **"Connect to Claude"**
-2. Sign in with your Claude Pro account
-3. Copy the code shown and paste it into the setup page
-4. Tap **Submit**
-5. When connected, tap **"Continue to Chat"** to start configuring your assistant
+Your assistant needs an AI provider to work. The easiest option is connecting your Claude Pro account:
 
-> **Don't have Claude Pro?** Click "Or enter your API key" below the Connect button. Paste your Anthropic API key and tap Submit. This is the advanced option — most people find signing in with Claude Pro much easier.
+1. On the setup dashboard, find the **Claude** row and tap the action button
+2. In the modal that opens, tap **"Connect to Claude"**
+3. Sign in with your Claude Pro account in the browser window that opens
+4. Copy the code shown and paste it into the code field
+5. Tap **Submit** — once connected, the Claude row turns green
+
+> **Managing multiple devices?** If you already have Claude connected on another Taskmaster device, you can copy the refresh token from that device's Claude info modal (tap the ⓘ icon next to Claude) and paste it into the **"Import refresh token"** section of the authentication modal on the new device. This avoids re-authenticating with Anthropic.
+
+> **Prefer an API key instead?** You can skip Claude OAuth entirely and enter an Anthropic API key (or keys for other providers like OpenAI or Google) in the **API Keys** section of the setup dashboard.
 
 ---
 
@@ -883,6 +927,7 @@ Each skill has a label:
 | Label | Meaning |
 |-------|---------|
 | **Preloaded** | Ships with the product. Always active. Cannot be disabled or deleted. |
+| **Licensed** | Installed from a skill pack sent by your provider. Can be deleted but not edited. |
 | **User** | Created by you (or by your assistant on your behalf). You can enable, disable, edit, or delete these. |
 
 Each user skill also shows a chip on its card: **Always active** or **On demand**. Tap the chip to switch between modes:
@@ -914,6 +959,23 @@ Toggle a user skill on or off with the switch on its card. A disabled skill stay
 
 Tap the delete icon on a user skill's card. You will be asked to confirm before the skill is removed.
 
+#### Skill Packs (Licensed Skills)
+
+Your Taskmaster provider can send you additional skills as **skill packs** — signed files that install licensed capabilities onto your device. These are skills built specifically for your business or industry.
+
+**How to install a skill pack:**
+
+1. Your provider sends you a `.skillpack.json` file via WhatsApp
+2. Forward that file to your **admin assistant** (the one you chat with directly)
+3. Ask your assistant to install it — for example: "Please install this skill pack"
+4. The assistant verifies the file is genuine and licensed for your device, then installs it
+
+Once installed, the skill appears in the Skills tab with a **Licensed** badge.
+
+**Updating a skill pack:** Your provider sends you a new version of the file. Follow the same steps — forwarding and asking your assistant to install. The new version replaces the old one automatically.
+
+**Removing a licensed skill:** Delete it from the Skills tab the same way you would delete any user skill. Tap the delete icon on its card and confirm.
+
 #### Drafts — creating new skills
 
 You do not need to write skill files by hand. Instead: