@rubytech/taskmaster 1.3.0 → 1.4.0

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-DQ1kxYd4.js"></script>
+    <script type="module" crossorigin src="./assets/index-BDETQp97.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CPawOl_z.css">
   </head>
   <body>

package/dist/gateway/chat-sanitize.js

@@ -208,6 +208,8 @@ export function mimeFromExt(ext) {
             return "audio/wav";
         case "m4a":
             return "audio/mp4";
+        case "webm":
+            return "audio/webm";
         default:
             return "application/octet-stream";
     }
@@ -243,7 +245,9 @@ function mediaRefToUrl(ref, workspaceRoot) {
         const stat = nodeFs.statSync(ref.absPath);
         mtime = `&t=${stat.mtimeMs | 0}`;
     }
-    catch { /* file may not exist yet */ }
+    catch {
+        /* file may not exist yet */
+    }
     return `/api/media?path=${encodeURIComponent(relPath)}${mtime}`;
 }
 function stripBase64FromContentBlocks(content) {

package/dist/gateway/server/tls.js

@@ -1,4 +1,4 @@
 import { loadGatewayTlsRuntime as loadGatewayTlsRuntimeConfig, } from "../../infra/tls/gateway.js";
-export async function loadGatewayTlsRuntime(cfg, log) {
-    return await loadGatewayTlsRuntimeConfig(cfg, log);
+export async function loadGatewayTlsRuntime(cfg, log, hostnames) {
+    return await loadGatewayTlsRuntimeConfig(cfg, log, hostnames);
 }

package/dist/gateway/server-http.js

@@ -1,5 +1,6 @@
 import { createServer as createHttpServer, } from "node:http";
 import { createServer as createHttpsServer } from "node:https";
+import net from "node:net";
 import { handleA2uiHttpRequest } from "../canvas-host/a2ui.js";
 import { loadConfig } from "../config/config.js";
 import { handleSlackHttpRequest } from "../slack/http/index.js";
@@ -141,13 +142,42 @@ export function createHooksRequestHandler(opts) {
 }
 export function createGatewayHttpServer(opts) {
     const { canvasHost, controlUiEnabled, controlUiBasePath, openAiChatCompletionsEnabled, openResponsesEnabled, openResponsesConfig, handleHooksRequest, handlePluginRequest, resolvedAuth, } = opts;
-    const httpServer = opts.tlsOptions
-        ? createHttpsServer(opts.tlsOptions, (req, res) => {
+    // When TLS is enabled, create a dual-protocol server: a net.Server listens
+    // on the port, peeks at the first byte of each connection to detect TLS vs
+    // plain HTTP, and dispatches accordingly. Plain HTTP gets a 301 redirect to
+    // HTTPS so bookmarks and muscle-memory URLs keep working.
+    let httpServer;
+    if (opts.tlsOptions) {
+        const httpsServer = createHttpsServer(opts.tlsOptions, (req, res) => {
             void handleRequest(req, res);
-        })
-        : createHttpServer((req, res) => {
+        });
+        const redirectServer = createHttpServer((req, res) => {
+            const host = req.headers.host ?? "localhost";
+            res.writeHead(301, { Location: `https://${host}${req.url ?? "/"}`, Connection: "close" });
+            res.end();
+        });
+        const tcpServer = net.createServer((socket) => {
+            socket.once("data", (buf) => {
+                socket.pause();
+                socket.unshift(buf);
+                // TLS ClientHello starts with byte 0x16 (22)
+                const target = buf[0] === 0x16 ? httpsServer : redirectServer;
+                target.emit("connection", socket);
+                process.nextTick(() => socket.resume());
+            });
+        });
+        // Forward upgrade events from the HTTPS server to the TCP wrapper
+        // so WebSocket handlers attached via attachGatewayUpgradeHandler work.
+        httpsServer.on("upgrade", (req, socket, head) => {
+            tcpServer.emit("upgrade", req, socket, head);
+        });
+        httpServer = tcpServer;
+    }
+    else {
+        httpServer = createHttpServer((req, res) => {
             void handleRequest(req, res);
         });
+    }
     async function handleRequest(req, res) {
         // Don't interfere with WebSocket upgrades; ws handles the 'upgrade' event.
         if (String(req.headers.upgrade ?? "").toLowerCase() === "websocket")

package/dist/gateway/server-methods/chat.js

@@ -379,8 +379,12 @@ export const chatHandlers = {
                 }
             }
         }
-        // Save document attachments to workspace uploads dir (persistent, accessible by agent)
+        // Save document attachments to workspace uploads dir (persistent, accessible by agent).
+        // Audio files are separated so they can be routed through the media understanding
+        // pipeline (STT) instead of being treated as generic file attachments.
         const savedDocPaths = [];
+        const savedAudioPaths = [];
+        const savedAudioTypes = [];
         if (documentAttachments.length > 0 && uploadsDir) {
             for (const doc of documentAttachments) {
                 if (!doc.content || typeof doc.content !== "string")
@@ -389,7 +393,14 @@ export const chatHandlers = {
                 const destPath = path.join(uploadsDir, safeName);
                 try {
                     fs.writeFileSync(destPath, Buffer.from(doc.content, "base64"));
-                    savedDocPaths.push(destPath);
+                    const mimeBase = doc.mimeType?.split(";")[0]?.trim() ?? "";
+                    if (mimeBase.startsWith("audio/")) {
+                        savedAudioPaths.push(destPath);
+                        savedAudioTypes.push(doc.mimeType ?? "audio/webm");
+                    }
+                    else {
+                        savedDocPaths.push(destPath);
+                    }
                 }
                 catch (err) {
                     context.logGateway.warn(`chat document save failed: ${String(err)}`);
@@ -460,18 +471,29 @@ export const chatHandlers = {
             const trimmedMessage = p.message.trim();
             const injectThinking = Boolean(p.thinking && trimmedMessage && !trimmedMessage.startsWith("/"));
             const commandBody = injectThinking ? `/think ${p.thinking} ${p.message}` : p.message;
-            // If documents were saved, prepend file paths to message so the agent knows about them
+            // If non-audio documents were saved, prepend file paths to message.
+            // Audio files are NOT annotated here — they go through MediaPaths so the
+            // media understanding pipeline (STT) handles them, and buildInboundMediaNote
+            // generates the proper [media attached: ...] annotation.
             const docNote = savedDocPaths.length > 0
                 ? savedDocPaths.map((p) => `[file: ${p}]`).join("\n") + "\n\n"
                 : "";
-            const messageWithDocs = docNote + p.message;
+            // Audio-only message (voice note, no text): use placeholder so
+            // applyMediaUnderstanding knows to replace with transcript or error.
+            const hasAudioMedia = savedAudioPaths.length > 0;
+            const effectiveBody = hasAudioMedia && !trimmedMessage ? "<media:audio>" : p.message;
+            const messageWithDocs = docNote + effectiveBody;
+            const effectiveCommandBody = hasAudioMedia && !trimmedMessage ? "<media:audio>" : commandBody;
+            // Merge image and audio paths so the media understanding pipeline sees both.
+            const allMediaPaths = [...savedImagePaths, ...savedAudioPaths];
+            const allMediaTypes = [...savedImageTypes, ...savedAudioTypes];
             const clientInfo = client?.connect?.client;
             const ctx = {
                 Body: messageWithDocs,
                 BodyForAgent: messageWithDocs,
-                BodyForCommands: docNote + commandBody,
+                BodyForCommands: docNote + effectiveCommandBody,
                 RawBody: messageWithDocs,
-                CommandBody: docNote + commandBody,
+                CommandBody: docNote + effectiveCommandBody,
                 SessionKey: p.sessionKey,
                 Provider: INTERNAL_MESSAGE_CHANNEL,
                 Surface: INTERNAL_MESSAGE_CHANNEL,
@@ -485,10 +507,10 @@ export const chatHandlers = {
                 // Image/media paths — same pattern as WhatsApp. buildInboundMediaNote()
                 // will generate [media attached: ...] annotations that the agent runner
                 // detects and loads from disk at inference time.
-                MediaPaths: savedImagePaths.length > 0 ? savedImagePaths : undefined,
-                MediaPath: savedImagePaths[0],
-                MediaTypes: savedImageTypes.length > 0 ? savedImageTypes : undefined,
-                MediaType: savedImageTypes[0],
+                MediaPaths: allMediaPaths.length > 0 ? allMediaPaths : undefined,
+                MediaPath: allMediaPaths[0],
+                MediaTypes: allMediaTypes.length > 0 ? allMediaTypes : undefined,
+                MediaType: allMediaTypes[0],
             };
             const agentId = resolveSessionAgentId({
                 sessionKey: p.sessionKey,
@@ -496,16 +518,26 @@ export const chatHandlers = {
             });
             // Fire message:inbound hook for conversation archiving.
             // Include image paths so the archive references the attached media.
+            // Audio archive is deferred until after media understanding resolves (see
+            // onMediaResolved below) so the transcript is available instead of the
+            // raw <media:audio> placeholder.
             const imageNote = savedImagePaths.length > 0 ? savedImagePaths.map((ip) => `[image: ${ip}]`).join("\n") : "";
-            const archiveText = [p.message, imageNote].filter(Boolean).join("\n").trim();
-            void triggerInternalHook(createInternalHookEvent("message", "inbound", p.sessionKey, {
-                text: archiveText || undefined,
-                timestamp: now,
-                chatType: "direct",
-                agentId,
-                channel: "webchat",
-                cfg,
-            }));
+            const fireArchiveHook = (resolvedBody) => {
+                const body = resolvedBody ?? p.message;
+                const archiveText = [body, imageNote].filter(Boolean).join("\n").trim();
+                void triggerInternalHook(createInternalHookEvent("message", "inbound", p.sessionKey, {
+                    text: archiveText || undefined,
+                    timestamp: now,
+                    chatType: "direct",
+                    agentId,
+                    channel: "webchat",
+                    cfg,
+                }));
+            };
+            if (!hasAudioMedia) {
+                // No audio — fire immediately (no STT to wait for).
+                fireArchiveHook();
+            }
             let prefixContext = {
                 identityName: resolveIdentityName(cfg, agentId),
             };
@@ -541,7 +573,7 @@ export const chatHandlers = {
                 },
             });
             let agentRunStarted = false;
-            context.logGateway.info(`webchat dispatch: sessionKey=${p.sessionKey} runId=${clientRunId} body=${messageWithDocs.length}ch images=${savedImagePaths.length} docs=${savedDocPaths.length}`);
+            context.logGateway.info(`webchat dispatch: sessionKey=${p.sessionKey} runId=${clientRunId} body=${messageWithDocs.length}ch images=${savedImagePaths.length} audio=${savedAudioPaths.length} docs=${savedDocPaths.length}`);
             void dispatchInboundMessage({
                 ctx,
                 cfg,
@@ -554,11 +586,18 @@ export const chatHandlers = {
                         agentRunStarted = true;
                         context.logGateway.info(`webchat agent run started: sessionKey=${p.sessionKey} runId=${runId}`);
                     },
-                    onModelSelected: (ctx) => {
-                        prefixContext.provider = ctx.provider;
-                        prefixContext.model = extractShortModelName(ctx.model);
-                        prefixContext.modelFull = `${ctx.provider}/${ctx.model}`;
-                        prefixContext.thinkingLevel = ctx.thinkLevel ?? "off";
+                    onMediaResolved: hasAudioMedia
+                        ? () => {
+                            // STT complete — archive the resolved body (transcript) instead
+                            // of the raw <media:audio> placeholder.
+                            fireArchiveHook(ctx.Body);
+                        }
+                        : undefined,
+                    onModelSelected: (modelCtx) => {
+                        prefixContext.provider = modelCtx.provider;
+                        prefixContext.model = extractShortModelName(modelCtx.model);
+                        prefixContext.modelFull = `${modelCtx.provider}/${modelCtx.model}`;
+                        prefixContext.thinkingLevel = modelCtx.thinkLevel ?? "off";
                     },
                 },
             })

package/dist/gateway/server.impl.js

@@ -54,6 +54,7 @@ import { ensureWatchdogUnitOnStartup, scheduleWatchdogStabilityConfirmation, } f
 import { startGatewayTailscaleExposure } from "./server-tailscale.js";
 import { startWifiWatchdog } from "./server-wifi-watchdog.js";
 import { loadGatewayTlsRuntime } from "./server/tls.js";
+import { isLoopbackHost } from "./net.js";
 import { createWizardSessionTracker } from "./server-wizard-sessions.js";
 import { attachGatewayWsHandlers } from "./server-ws-runtime.js";
 import { isLicenseValid } from "../license/validate.js";
@@ -226,10 +227,30 @@ export async function startGatewayServer(port = 18789, opts = {}) {
     const { wizardSessions, findRunningWizard, purgeWizardSession } = createWizardSessionTracker();
     const deps = createDefaultDeps();
     let canvasHostServer = null;
-    const gatewayTls = await loadGatewayTlsRuntime(cfgAtStart.gateway?.tls, log.child("tls"));
-    if (cfgAtStart.gateway?.tls?.enabled && !gatewayTls.enabled) {
+    // Auto-enable TLS when binding to a non-loopback address (LAN, custom, etc.)
+    // so that browser secure-context APIs (getUserMedia, etc.) work over .local.
+    // Only auto-enable when the user hasn't explicitly configured tls.enabled.
+    const tlsExplicit = cfgAtStart.gateway?.tls?.enabled;
+    const tlsAutoEnable = tlsExplicit === undefined && !isLoopbackHost(bindHost);
+    const effectiveTlsConfig = tlsAutoEnable
+        ? { ...cfgAtStart.gateway?.tls, enabled: true }
+        : cfgAtStart.gateway?.tls;
+    if (tlsAutoEnable) {
+        log.child("tls").info("gateway tls: auto-enabled for non-loopback bind");
+    }
+    const bonjourHostname = cfgAtStart.discovery?.bonjourHostname || "taskmaster";
+    const tlsHostnames = [bonjourHostname];
+    const gatewayTls = await loadGatewayTlsRuntime(effectiveTlsConfig, log.child("tls"), tlsHostnames);
+    if (tlsExplicit === true && !gatewayTls.enabled) {
+        // User explicitly enabled TLS — fail hard if it can't start.
         throw new Error(gatewayTls.error ?? "gateway tls: failed to enable");
     }
+    if (tlsAutoEnable && !gatewayTls.enabled) {
+        // Auto-enabled TLS failed — fall back to HTTP with a warning.
+        log
+            .child("tls")
+            .warn(`gateway tls: auto-enable failed (${gatewayTls.error ?? "unknown"}), continuing with HTTP`);
+    }
     const { canvasHost, httpServer, httpServers, httpBindHosts, wss, clients, broadcast, agentRunSeq, dedupe, chatRunState, chatRunBuffers, chatDeltaSentAt, addChatRun, removeChatRun, chatAbortControllers, } = await createGatewayRuntimeState({
         cfg: cfgAtStart,
         bindHost,
@@ -283,9 +304,6 @@ export async function startGatewayServer(port = 18789, opts = {}) {
     });
     const { getRuntimeSnapshot, startChannels, startChannel, stopChannel, markChannelLoggedOut } = channelManager;
     const machineDisplayName = await getMachineDisplayName();
-    // Default to "taskmaster" hostname for mDNS so taskmaster.local works out of the box.
-    // Users can override via discovery.bonjourHostname config if needed.
-    const bonjourHostname = cfgAtStart.discovery?.bonjourHostname || "taskmaster";
     const discovery = await startGatewayDiscovery({
         machineDisplayName,
         port,

package/dist/infra/tls/gateway.js

@@ -1,6 +1,7 @@
 import { execFile } from "node:child_process";
 import { X509Certificate } from "node:crypto";
 import fs from "node:fs/promises";
+import os from "node:os";
 import path from "node:path";
 import { promisify } from "node:util";
 import { CONFIG_DIR, ensureDir, resolveUserPath, shortenHomeInString } from "../../utils.js";
@@ -15,6 +16,18 @@ async function fileExists(filePath) {
         return false;
     }
 }
+function buildSanString(hostnames) {
+    const sans = new Set(["DNS:localhost", "IP:127.0.0.1"]);
+    const raw = hostnames?.length ? hostnames : [os.hostname()];
+    for (const h of raw) {
+        const name = h.replace(/\.local$/i, "").trim();
+        if (!name)
+            continue;
+        sans.add(`DNS:${name}`);
+        sans.add(`DNS:${name}.local`);
+    }
+    return [...sans].join(",");
+}
 async function generateSelfSignedCert(params) {
     const certDir = path.dirname(params.certPath);
     const keyDir = path.dirname(params.keyPath);
@@ -22,6 +35,7 @@ async function generateSelfSignedCert(params) {
     if (keyDir !== certDir) {
         await ensureDir(keyDir);
     }
+    const san = buildSanString(params.hostnames);
     await execFileAsync("openssl", [
         "req",
         "-x509",
@@ -37,12 +51,14 @@ async function generateSelfSignedCert(params) {
         params.certPath,
         "-subj",
         "/CN=taskmaster-gateway",
+        "-addext",
+        `subjectAltName=${san}`,
     ]);
     await fs.chmod(params.keyPath, 0o600).catch(() => { });
     await fs.chmod(params.certPath, 0o600).catch(() => { });
-    params.log?.info?.(`gateway tls: generated self-signed cert at ${shortenHomeInString(params.certPath)}`);
+    params.log?.info?.(`gateway tls: generated self-signed cert at ${shortenHomeInString(params.certPath)} (SAN: ${san})`);
 }
-export async function loadGatewayTlsRuntime(cfg, log) {
+export async function loadGatewayTlsRuntime(cfg, log, hostnames) {
     if (!cfg || cfg.enabled !== true)
         return { enabled: false, required: false };
     const autoGenerate = cfg.autoGenerate !== false;
@@ -54,7 +70,7 @@ export async function loadGatewayTlsRuntime(cfg, log) {
     const hasKey = await fileExists(keyPath);
     if (!hasCert && !hasKey && autoGenerate) {
         try {
-            await generateSelfSignedCert({ certPath, keyPath, log });
+            await generateSelfSignedCert({ certPath, keyPath, hostnames, log });
         }
         catch (err) {
             return {

package/dist/memory/audit.js

@@ -55,11 +55,20 @@ function writeAuditFile(workspaceDir, data) {
         // Audit is best-effort — don't fail writes over audit persistence
     }
 }
+/** Deduplicate window: ignore a second write to the same path by the same agent within this period. */
+const DEDUP_WINDOW_MS = 60_000;
 /**
  * Record an audit entry for a memory write.
+ * Skips the entry if an identical path+agent combination was recorded within the dedup window.
  */
 export function recordAuditEntry(workspaceDir, entry) {
     const audit = readAuditFile(workspaceDir);
+    // Deduplicate: skip if same path + agent recorded within the last DEDUP_WINDOW_MS
+    const dominated = audit.entries.some((e) => e.path === entry.path &&
+        e.agentId === entry.agentId &&
+        entry.timestamp - e.timestamp < DEDUP_WINDOW_MS);
+    if (dominated)
+        return;
     audit.entries.push(entry);
     // Cap at 500 entries to prevent unbounded growth.
     if (audit.entries.length > 500) {

package/dist/memory/manager.js

@@ -1245,7 +1245,7 @@ export class MemoryIndexManager {
             }
             const action = record ? "updated" : "added";
             log.info(`file ${action} (${this.agentId}): ${entry.path}`);
-            if (isAuditablePath(entry.path)) {
+            if (isAuditablePath(entry.path) && record?.hash !== entry.hash) {
                 recordAuditEntry(this.workspaceDir, {
                     path: entry.path,
                     timestamp: Date.now(),

package/dist/web/auto-reply/monitor/process-message.js

@@ -130,23 +130,32 @@ export async function processMessage(params) {
         params.echoForget(combinedEchoKey);
         return false;
     }
-    // Fire message:inbound hook for conversation archiving
-    const inboundHookEvent = createInternalHookEvent("message", "inbound", params.route.sessionKey, {
-        from: params.msg.senderE164 ?? params.msg.from,
-        to: params.msg.to,
-        text: params.msg.body,
-        timestamp: params.msg.timestamp ?? Date.now(),
-        chatType: params.msg.chatType,
-        agentId: params.route.agentId,
-        channel: "whatsapp",
-        mediaType: params.msg.mediaType,
-        senderName: params.msg.senderName,
-        senderE164: params.msg.senderE164,
-        groupSubject: params.msg.groupSubject,
-        conversationId,
-        cfg: params.cfg,
-    });
-    void triggerInternalHook(inboundHookEvent);
+    // Fire message:inbound hook for conversation archiving.
+    // For media messages (audio, image, video) the raw body is a placeholder like
+    // `<media:audio>`.  Defer the hook until after media understanding resolves so
+    // the archive records the transcript / description instead of the dead link.
+    // Text-only messages fire immediately (unchanged behaviour).
+    const hasMediaAttachment = Boolean(params.msg.mediaType);
+    const fireInboundArchiveHook = (text) => {
+        void triggerInternalHook(createInternalHookEvent("message", "inbound", params.route.sessionKey, {
+            from: params.msg.senderE164 ?? params.msg.from,
+            to: params.msg.to,
+            text,
+            timestamp: params.msg.timestamp ?? Date.now(),
+            chatType: params.msg.chatType,
+            agentId: params.route.agentId,
+            channel: "whatsapp",
+            mediaType: params.msg.mediaType,
+            senderName: params.msg.senderName,
+            senderE164: params.msg.senderE164,
+            groupSubject: params.msg.groupSubject,
+            conversationId,
+            cfg: params.cfg,
+        }));
+    };
+    if (!hasMediaAttachment) {
+        fireInboundArchiveHook(params.msg.body);
+    }
     // Send ack reaction immediately upon message receipt (post-gating).
     // Suppress when running silently on un-mentioned group messages.
     if (params.suppressDelivery) {
@@ -364,6 +373,24 @@ export async function processMessage(params) {
                 ? !params.cfg.channels.whatsapp.blockStreaming
                 : undefined,
             onModelSelected: prefixContext.onModelSelected,
+            // For media messages the inbound archive hook was deferred until after
+            // media understanding resolves.  Fire it now with the resolved text.
+            ...(hasMediaAttachment
+                ? {
+                    onMediaResolved: () => {
+                        const raw = params.msg.body ?? "";
+                        // Prefer the raw transcript for audio.  For other media or failed
+                        // transcription fall back to the resolved Body (which contains the
+                        // description or a human-readable failure reason).  The regex guard
+                        // prevents using the envelope-formatted Body for plain text messages.
+                        const resolvedText = ctxPayload.Transcript ??
+                            (/^<media:[^>]+>/i.test(raw.trim())
+                                ? String(ctxPayload.Body ?? raw)
+                                : raw);
+                        fireInboundArchiveHook(String(resolvedText));
+                    },
+                }
+                : {}),
         },
     });
     if (!queuedFinal) {