@sulala/agent 0.1.6 → 0.1.8

package/dist/gateway/server.js

@@ -1,18 +1,32 @@
 import express from 'express';
 import { createServer } from 'http';
-import { existsSync, readFileSync } from 'fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { randomBytes } from 'crypto';
 import { WebSocketServer } from 'ws';
 import cors from 'cors';
-import { config, getSulalaEnvPath } from '../config.js';
+import { config, getSulalaEnvPath, getPortalGatewayBase, getEffectivePortalApiKey } from '../config.js';
 import { readOnboardEnvKeys, writeOnboardEnvKeys, ONBOARD_ENV_WHITELIST, } from '../onboard-env.js';
-import { initDb, getDb, log, insertTask, getFileStates, updateTaskStatus, setTaskPendingForRetry, getOrCreateAgentSession, getAgentSessionById, getAgentMessages, listAgentSessions, } from '../db/index.js';
+import { initDb, getDb, log, insertTask, getFileStates, updateTaskStatus, setTaskPendingForRetry, getOrCreateAgentSession, getAgentSessionById, getAgentMessages, appendAgentMessage, updateAgentMessageToolResult, listAgentMemories, listAgentMemoryScopeKeys, listAgentSessions, listScheduledJobs, getScheduledJob, insertScheduledJob, updateScheduledJob, deleteScheduledJob, getTasksForJob, getChannelConfig, setChannelConfig, } from '../db/index.js';
+import { scheduleCronById, unscheduleJob } from '../scheduler/cron.js';
+import { getTelegramChannelState, setTelegramChannelConfig } from '../channels/telegram.js';
+import { getDiscordChannelState, setDiscordChannelConfig } from '../channels/discord.js';
+import { getStripeChannelState, setStripeChannelConfig } from '../channels/stripe.js';
+import { reloadProviders } from '../ai/orchestrator.js';
 import { runAgentTurn, runAgentTurnStream } from '../agent/loop.js';
+import { runAgentTurnWithPi, isPiAvailable } from '../agent/pi-runner.js';
+import { listTools, executeTool } from '../agent/tools.js';
 import { listSkills, getAllRequiredBins } from '../agent/skills.js';
 import { getRegistrySkills, getAvailableUpdates, installSkill, uninstallSkill, updateSkillsAll } from '../agent/skill-install.js';
-import { loadSkillsConfig, saveSkillsConfig, getConfigPath, setSkillEnabled } from '../agent/skills-config.js';
+import { getTemplates } from '../agent/skill-templates.js';
+import { generateSkillSpec, writeGeneratedSkill, WIZARD_APPS, WIZARD_TRIGGERS } from '../agent/skill-generate.js';
+import { loadSkillsConfig, saveSkillsConfig, getConfigPath, setSkillEnabled, removeSkillEntry, migrateConfigNameKeysToSlug, getOnboardingComplete, setOnboardingComplete } from '../agent/skills-config.js';
+import { redactSkillsConfig } from '../redact.js';
 import { withSessionLock } from '../agent/session-queue.js';
+import { listPendingActions, getPendingAction, getPendingActionForReplay, setPendingActionApproved, setPendingActionRejected, sanitizeArgsForDisplay, } from '../agent/pending-actions.js';
+import { isOllamaReachable, startOllamaServeForApi, runOllamaInstall, setPullProgressCallback, pullOllamaModel } from '../ollama-setup.js';
+import { getSystemCapabilities } from '../system-capabilities.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const projectRoot = join(__dirname, '..', '..');
 const dashboardDist = join(projectRoot, 'dashboard', 'dist');
@@ -21,6 +35,25 @@ const rateLimitMap = new Map();
 function rateLimitMiddleware(req, res, next) {
     if (!config.rateLimitMax || config.rateLimitMax <= 0)
         return next();
+    if (req.path === '/health')
+        return next();
+    // Don't rate-limit read-only or bootstrap endpoints the dashboard calls often
+    if (req.path.startsWith('/api/onboard'))
+        return next();
+    if (req.path === '/api/agent/pending-actions' && req.method === 'GET')
+        return next();
+    if (req.path === '/api/config' && req.method === 'GET')
+        return next();
+    if (req.path === '/api/integrations/connections' && req.method === 'GET')
+        return next();
+    if (req.path === '/api/integrations/connect' && req.method === 'POST')
+        return next();
+    if (req.path.startsWith('/api/integrations/connections/') && req.method === 'DELETE')
+        return next();
+    if (req.path === '/api/oauth/connect-url' && req.method === 'GET')
+        return next();
+    if (req.path === '/api/oauth/callback' && req.method === 'GET')
+        return next();
     const ip = (req.ip || req.socket?.remoteAddress || 'unknown');
     const now = Date.now();
     let entry = rateLimitMap.get(ip);
@@ -40,11 +73,18 @@ export function createGateway(appMount = null) {
     app.use(cors());
     app.use(express.json());
     app.use(rateLimitMiddleware);
+    try {
+        const skills = listSkills(config, { includeDisabled: true });
+        migrateConfigNameKeysToSlug(skills.map((s) => ({ name: s.name, slug: s.slug ?? s.name })));
+    }
+    catch {
+        /* migration best-effort */
+    }
     if (config.gatewayApiKey) {
         app.use((req, res, next) => {
             if (req.path === '/health')
                 return next();
-            if (req.path === '/onboard' || req.path.startsWith('/api/onboard'))
+            if (req.path === '/onboard' || req.path.startsWith('/api/onboard') || req.path.startsWith('/api/ollama'))
                 return next();
             const key = req.headers['x-api-key'] || req.query.api_key;
             if (key === config.gatewayApiKey)
@@ -93,9 +133,48 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    app.get('/api/system/capabilities', (_req, res) => {
+        try {
+            const caps = getSystemCapabilities();
+            res.json(caps);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({
+                storageFreeBytes: null,
+                isCloudOrContainer: false,
+                cloudReason: '',
+                ollamaSuitable: true,
+                ollamaSuitableReason: 'Check unavailable',
+            });
+        }
+    });
     app.get('/health', (_req, res) => {
         res.json({ status: 'ok', service: 'sulala-gateway' });
     });
+    /** Onboard: check if onboarding is complete (first-launch detection). */
+    app.get('/api/onboard/status', (_req, res) => {
+        try {
+            const complete = getOnboardingComplete();
+            res.json({ complete });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ complete: false, error: e.message });
+        }
+    });
+    /** Onboard: mark onboarding as complete. */
+    app.put('/api/onboard/complete', async (_req, res) => {
+        try {
+            setOnboardingComplete(true);
+            await reloadProviders();
+            res.json({ ok: true, complete: true });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
     /** Onboard: which API keys are set (values never returned). */
     app.get('/api/onboard/env', (_req, res) => {
         try {
@@ -108,8 +187,8 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
-    /** Onboard: save API keys to ~/.sulala/.env (whitelist only). */
-    app.put('/api/onboard/env', (req, res) => {
+    /** Onboard: save API keys to ~/.sulala/.env (whitelist only). Reload AI providers so new keys apply without restart. */
+    app.put('/api/onboard/env', async (req, res) => {
         try {
             const body = req.body;
             if (!body || typeof body !== 'object') {
@@ -117,6 +196,7 @@ export function createGateway(appMount = null) {
                 return;
             }
             writeOnboardEnvKeys(body);
+            await reloadProviders();
             res.json({ ok: true, keys: readOnboardEnvKeys() });
         }
         catch (e) {
@@ -124,6 +204,76 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    /** Ollama status and setup (for onboard and dashboard). */
+    app.get('/api/ollama/status', async (_req, res) => {
+        try {
+            const running = await isOllamaReachable();
+            const baseUrl = process.env.OLLAMA_BASE_URL || 'http://localhost:11434';
+            res.json({ running, baseUrl });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ running: false, error: e.message });
+        }
+    });
+    app.post('/api/ollama/start', async (_req, res) => {
+        try {
+            const result = await startOllamaServeForApi();
+            res.json(result);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ started: false, error: e.message });
+        }
+    });
+    app.post('/api/ollama/install', (_req, res) => {
+        try {
+            runOllamaInstall();
+            res.json({ ok: true, message: 'Install started. Check your terminal or install from https://ollama.com' });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.locals.ollamaPullState = { inProgress: false, model: '', lastLine: '', percent: 0 };
+    app.get('/api/ollama/pull-status', (_req, res) => {
+        res.json(app.locals.ollamaPullState ?? { inProgress: false, model: '', lastLine: '', percent: 0 });
+    });
+    setPullProgressCallback((model, line, percent) => {
+        const state = { inProgress: percent >= 0 && percent < 100, model, lastLine: line, percent };
+        app.locals.ollamaPullState = state;
+        const b = app.locals.wsBroadcast;
+        if (b)
+            b({ type: 'ollama_pull_progress', data: state });
+    });
+    app.post('/api/ollama/pull', (req, res) => {
+        try {
+            const { model } = req.body || {};
+            if (!model || typeof model !== 'string' || !model.trim()) {
+                res.status(400).json({ error: 'model required' });
+                return;
+            }
+            pullOllamaModel(model.trim());
+            res.json({ ok: true, model: model.trim(), message: 'Pull started. Check pull-status for progress.' });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** Recommended Ollama models for onboarding (size, RAM, CPU/GPU). */
+    const RECOMMENDED_OLLAMA_MODELS = [
+        { id: 'llama3.2', name: 'Llama 3.2', size: '~2GB', ram: '8GB', cpu: 'Any', gpu: 'Optional', description: 'Good balance of speed and quality' },
+        { id: 'llama3.2:1b', name: 'Llama 3.2 1B', size: '~1.3GB', ram: '4GB', cpu: 'Any', gpu: 'None', description: 'Fast, low resource' },
+        { id: 'mistral', name: 'Mistral 7B', size: '~4.1GB', ram: '8GB', cpu: '4+ cores', gpu: 'Recommended', description: 'Strong general model' },
+        { id: 'codellama', name: 'Code Llama', size: '~3.8GB', ram: '8GB', cpu: '4+ cores', gpu: 'Recommended', description: 'Optimized for code' },
+        { id: 'phi3', name: 'Phi-3 Mini', size: '~2.3GB', ram: '8GB', cpu: 'Any', gpu: 'Optional', description: 'Efficient small model' },
+        { id: 'gemma2:2b', name: 'Gemma 2 2B', size: '~1.6GB', ram: '4GB', cpu: 'Any', gpu: 'None', description: 'Lightweight, capable' },
+    ];
+    app.get('/api/onboard/recommended-models', (_req, res) => {
+        res.json({ models: RECOMMENDED_OLLAMA_MODELS });
+    });
     /** Onboard: minimal HTML page to add API keys (no dashboard required). */
     app.get('/onboard', (_req, res) => {
         const keys = ONBOARD_ENV_WHITELIST.map((k) => `<div class="row"><label for="${k}">${k}</label><input type="password" id="${k}" name="${k}" placeholder="optional" autocomplete="off" /></div>`).join('\n');
@@ -137,22 +287,37 @@ export function createGateway(appMount = null) {
     * { box-sizing: border-box; }
     body { font-family: system-ui, sans-serif; max-width: 480px; margin: 2rem auto; padding: 0 1rem; }
     h1 { font-size: 1.25rem; margin-bottom: 0.5rem; }
+    h2 { font-size: 1rem; margin: 1.5rem 0 0.5rem; color: #374151; }
     p { color: #666; font-size: 0.875rem; margin-bottom: 1.25rem; }
     .row { margin-bottom: 0.75rem; }
     label { display: block; font-size: 0.75rem; font-weight: 600; margin-bottom: 0.25rem; color: #374151; }
     input { width: 100%; padding: 0.5rem 0.75rem; border: 1px solid #d1d5db; border-radius: 6px; font-size: 0.875rem; }
     input:focus { outline: none; border-color: #3b82f6; box-shadow: 0 0 0 2px rgba(59,130,246,0.2); }
-    button { background: #2563eb; color: white; border: none; padding: 0.5rem 1rem; border-radius: 6px; font-size: 0.875rem; cursor: pointer; margin-top: 0.5rem; }
+    button { background: #2563eb; color: white; border: none; padding: 0.5rem 1rem; border-radius: 6px; font-size: 0.875rem; cursor: pointer; margin-top: 0.5rem; margin-right: 0.5rem; }
     button:hover { background: #1d4ed8; }
+    button.secondary { background: #6b7280; }
+    button.secondary:hover { background: #4b5563; }
     .msg { margin-top: 1rem; font-size: 0.875rem; }
     .msg.success { color: #059669; }
     .msg.err { color: #dc2626; }
+    .ollama-ok { color: #059669; font-size: 0.875rem; }
     a { color: #2563eb; }
+    #ollama-section { margin-bottom: 1rem; padding: 1rem; background: #f9fafb; border-radius: 8px; }
   </style>
 </head>
 <body>
-  <h1>Sulala — API keys</h1>
-  <p>Add at least one AI provider key. Keys are saved to <code>~/.sulala/.env</code>. Restart the agent for changes to apply.</p>
+  <div id="ollama-section">
+    <h2>Ollama (default AI)</h2>
+    <p id="ollama-status">Checking…</p>
+    <div id="ollama-actions" style="display: none;">
+      <button type="button" id="ollama-install">Install Ollama</button>
+      <button type="button" id="ollama-start">Start Ollama</button>
+      <button type="button" id="ollama-check" class="secondary">Check again</button>
+      <p style="margin-top: 0.75rem; font-size: 0.8rem;">Or install from <a href="https://ollama.com" target="_blank" rel="noopener">ollama.com</a> or run in terminal: <code>ollama serve</code></p>
+    </div>
+  </div>
+  <h1>API keys (optional)</h1>
+  <p>Ollama works with no key. Add keys below to use OpenAI, Claude, Gemini, or OpenRouter. Saved to <code>~/.sulala/.env</code>. Restart the agent for changes.</p>
   <form id="f">
     ${keys}
     <button type="submit">Save</button>
@@ -162,6 +327,47 @@ export function createGateway(appMount = null) {
   <script>
     const form = document.getElementById('f');
     const msg = document.getElementById('msg');
+    const ollamaStatus = document.getElementById('ollama-status');
+    const ollamaActions = document.getElementById('ollama-actions');
+    async function checkOllama() {
+      ollamaStatus.textContent = 'Checking…';
+      ollamaActions.style.display = 'none';
+      try {
+        const r = await fetch('/api/ollama/status');
+        const d = await r.json();
+        if (d.running) {
+          ollamaStatus.textContent = 'Ollama is running. You can use Chat.';
+          ollamaStatus.className = 'ollama-ok';
+        } else {
+          ollamaStatus.textContent = 'Ollama is not running.';
+          ollamaStatus.className = '';
+          ollamaActions.style.display = 'block';
+        }
+      } catch (e) {
+        ollamaStatus.textContent = 'Could not check Ollama.';
+        ollamaActions.style.display = 'block';
+      }
+    }
+    document.getElementById('ollama-install').onclick = async () => {
+      ollamaStatus.textContent = 'Starting install… (see terminal or install from ollama.com)';
+      try {
+        await fetch('/api/ollama/install', { method: 'POST' });
+        ollamaStatus.textContent = 'Install started. After it finishes, run: ollama serve';
+        ollamaActions.style.display = 'block';
+      } catch (e) { ollamaStatus.textContent = e.message; }
+    };
+    document.getElementById('ollama-start').onclick = async () => {
+      ollamaStatus.textContent = 'Starting Ollama…';
+      try {
+        const r = await fetch('/api/ollama/start', { method: 'POST' });
+        const d = await r.json();
+        if (d.started) ollamaStatus.textContent = 'Ollama starting… Check again in a few seconds.';
+        else ollamaStatus.textContent = 'Ollama not found. Install it first (button above or ollama.com).';
+        ollamaActions.style.display = 'block';
+      } catch (e) { ollamaStatus.textContent = e.message; }
+    };
+    document.getElementById('ollama-check').onclick = checkOllama;
+    checkOllama();
     fetch('/api/onboard/env').then(r => r.json()).then(d => {
       for (const [key, status] of Object.entries(d.keys || {})) {
         const el = document.getElementById(key);
@@ -241,10 +447,377 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    app.get('/api/channels/telegram', (_req, res) => {
+        try {
+            const state = getTelegramChannelState();
+            res.json(state);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.put('/api/channels/telegram', async (req, res) => {
+        try {
+            const { enabled, botToken, dmPolicy, allowFrom, notificationChatId, defaultProvider, defaultModel } = req.body || {};
+            const result = await setTelegramChannelConfig({
+                enabled: typeof enabled === 'boolean' ? enabled : undefined,
+                botToken: botToken !== undefined ? botToken : undefined,
+                dmPolicy: typeof dmPolicy === 'string' ? dmPolicy : undefined,
+                allowFrom: Array.isArray(allowFrom) ? allowFrom : undefined,
+                notificationChatId: notificationChatId !== undefined ? (typeof notificationChatId === 'number' ? notificationChatId : parseInt(String(notificationChatId), 10)) : undefined,
+                defaultProvider: defaultProvider !== undefined ? (typeof defaultProvider === 'string' ? defaultProvider : null) : undefined,
+                defaultModel: defaultModel !== undefined ? (typeof defaultModel === 'string' ? defaultModel : null) : undefined,
+            });
+            if (!result.ok) {
+                res.status(400).json({ error: result.error || 'Failed to save' });
+                return;
+            }
+            const state = getTelegramChannelState();
+            res.json(state);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.get('/api/channels/discord', (_req, res) => {
+        try {
+            const state = getDiscordChannelState();
+            res.json(state);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.put('/api/channels/discord', async (req, res) => {
+        try {
+            const { botToken } = req.body || {};
+            const result = await setDiscordChannelConfig({
+                botToken: botToken !== undefined ? (typeof botToken === 'string' ? botToken : null) : undefined,
+            });
+            if (!result.ok) {
+                res.status(400).json({ error: result.error || 'Failed to save' });
+                return;
+            }
+            const state = getDiscordChannelState();
+            res.json(state);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.get('/api/channels/stripe', (_req, res) => {
+        try {
+            const state = getStripeChannelState();
+            res.json(state);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.put('/api/channels/stripe', async (req, res) => {
+        try {
+            const { secretKey } = req.body || {};
+            const result = await setStripeChannelConfig({
+                secretKey: secretKey !== undefined ? (typeof secretKey === 'string' ? secretKey : null) : undefined,
+            });
+            if (!result.ok) {
+                res.status(400).json({ error: result.error || 'Failed to save' });
+                return;
+            }
+            const state = getStripeChannelState();
+            res.json(state);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** Returns connected integration provider ids (from Portal). When Portal is not configured, returns []. */
+    async function getConnectedIntegrationIds() {
+        const base = getPortalGatewayBase();
+        const key = getEffectivePortalApiKey();
+        if (!base || !key)
+            return [];
+        try {
+            const portalRes = await fetch(`${base}/connections`, {
+                headers: { Authorization: `Bearer ${key}` },
+            });
+            if (!portalRes.ok)
+                return [];
+            const data = (await portalRes.json());
+            const raw = data.connections ?? [];
+            const ids = new Set();
+            for (const c of raw) {
+                const p = (c.provider ?? '').trim();
+                if (p)
+                    ids.add(p);
+            }
+            return Array.from(ids);
+        }
+        catch {
+            return [];
+        }
+    }
+    /** GET /api/integrations/connections — When Portal is configured, proxy list from Portal (dashboard can show connections like direct mode). */
+    app.get('/api/integrations/connections', async (_req, res) => {
+        try {
+            const base = getPortalGatewayBase();
+            const key = getEffectivePortalApiKey();
+            if (!base || !key) {
+                res.status(404).json({ error: 'Portal not configured', connections: [] });
+                return;
+            }
+            const portalRes = await fetch(`${base}/connections`, {
+                headers: { Authorization: `Bearer ${key}` },
+            });
+            if (!portalRes.ok) {
+                const text = await portalRes.text();
+                let err = `Portal: ${portalRes.status}`;
+                try {
+                    const j = JSON.parse(text);
+                    if (j.error)
+                        err = j.error;
+                }
+                catch {
+                    if (text)
+                        err = text.slice(0, 200);
+                }
+                res.status(portalRes.status >= 500 ? 502 : portalRes.status).json({ error: err, connections: [] });
+                return;
+            }
+            const data = (await portalRes.json());
+            const raw = data.connections ?? [];
+            const connections = raw.map((c) => {
+                const created = c.created_at;
+                const createdAt = typeof created === 'number' ? created : created ? new Date(created).getTime() : 0;
+                return {
+                    id: c.connection_id ?? c.id ?? '',
+                    provider: c.provider ?? '',
+                    scopes: [],
+                    createdAt,
+                    updatedAt: undefined,
+                };
+            });
+            res.json({ connections });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message, connections: [] });
+        }
+    });
+    /** POST /api/integrations/connect — When Portal configured, start OAuth via Portal. Body: { provider, redirect_success }. Returns { authUrl, connectionId }. */
+    app.post('/api/integrations/connect', async (req, res) => {
+        try {
+            const base = getPortalGatewayBase();
+            const key = getEffectivePortalApiKey();
+            if (!base || !key) {
+                res.status(404).json({ error: 'Portal not configured' });
+                return;
+            }
+            const body = req.body;
+            const provider = typeof body?.provider === 'string' ? body.provider.trim() : '';
+            if (!provider) {
+                res.status(400).json({ error: 'provider required' });
+                return;
+            }
+            const portalRes = await fetch(`${base}/connect`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${key}` },
+                body: JSON.stringify({ provider, redirect_success: body.redirect_success || undefined }),
+            });
+            const text = await portalRes.text();
+            if (!portalRes.ok) {
+                let err = `Portal: ${portalRes.status}`;
+                try {
+                    const j = JSON.parse(text);
+                    if (j.error)
+                        err = j.error;
+                }
+                catch {
+                    if (text)
+                        err = text.slice(0, 200);
+                }
+                res.status(portalRes.status >= 500 ? 502 : portalRes.status).json({ error: err });
+                return;
+            }
+            const data = JSON.parse(text);
+            if (!data.authUrl) {
+                res.status(502).json({ error: 'No authUrl from Portal' });
+                return;
+            }
+            res.json({ authUrl: data.authUrl, connectionId: data.connectionId ?? null });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** DELETE /api/integrations/connections/:id — When Portal configured, disconnect via Portal. */
+    app.delete('/api/integrations/connections/:id', async (req, res) => {
+        try {
+            const base = getPortalGatewayBase();
+            const key = getEffectivePortalApiKey();
+            if (!base || !key) {
+                res.status(404).json({ error: 'Portal not configured' });
+                return;
+            }
+            const rawId = req.params?.id;
+            const id = Array.isArray(rawId) ? rawId[0] : rawId;
+            if (!id || typeof id !== 'string') {
+                res.status(400).json({ error: 'connection id required' });
+                return;
+            }
+            const portalRes = await fetch(`${base}/connections/${encodeURIComponent(id)}`, {
+                method: 'DELETE',
+                headers: { Authorization: `Bearer ${key}` },
+            });
+            if (!portalRes.ok) {
+                const text = await portalRes.text();
+                let err = `Portal: ${portalRes.status}`;
+                try {
+                    const j = JSON.parse(text);
+                    if (j.error)
+                        err = j.error;
+                }
+                catch {
+                    if (text)
+                        err = text.slice(0, 200);
+                }
+                res.status(portalRes.status >= 500 ? 502 : portalRes.status).json({ error: err });
+                return;
+            }
+            res.json({ ok: true });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** GET /api/oauth/connect-url — Build Portal "Connect with Sulala" URL for dashboard. Requires PORTAL_GATEWAY_URL, PORTAL_OAUTH_CLIENT_ID; redirect_uri = this gateway base + /api/oauth/callback. Optional return_to encoded in state for callback redirect. */
+    app.get('/api/oauth/connect-url', (req, res) => {
+        try {
+            const portalGateway = getPortalGatewayBase();
+            const portalBase = portalGateway ? portalGateway.replace(/\/api\/gateway$/i, '') : '';
+            const clientId = (process.env.PORTAL_OAUTH_CLIENT_ID || '').trim();
+            if (!portalBase || !clientId) {
+                res.status(503).json({
+                    error: 'OAuth not configured',
+                    hint: 'Set PORTAL_GATEWAY_URL and PORTAL_OAUTH_CLIENT_ID (and PORTAL_OAUTH_CLIENT_SECRET for callback). Register redirect_uri in the Portal.',
+                });
+                return;
+            }
+            const proto = req.headers['x-forwarded-proto'] || (req.secure ? 'https' : 'http');
+            const host = req.headers['x-forwarded-host'] || req.headers.host || '';
+            const publicBase = (process.env.PUBLIC_URL || process.env.GATEWAY_PUBLIC_URL || '').trim() || `${proto}://${host}`;
+            const callbackUrl = `${publicBase.replace(/\/$/, '')}/api/oauth/callback`;
+            const return_to = req.query.return_to?.trim() || undefined;
+            const statePayload = JSON.stringify({ r: randomBytes(12).toString('base64url'), return_to });
+            const state = Buffer.from(statePayload, 'utf8').toString('base64url');
+            const url = `${portalBase}/connect?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(callbackUrl)}&state=${encodeURIComponent(state)}`;
+            res.json({ url });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    function parseOAuthReturnTo(req) {
+        try {
+            const stateRaw = req.query.state || '';
+            const statePayload = JSON.parse(Buffer.from(stateRaw, 'base64url').toString('utf8'));
+            if (statePayload && typeof statePayload.return_to === 'string' && statePayload.return_to.trim()) {
+                return statePayload.return_to.trim();
+            }
+        }
+        catch {
+            /* state may be legacy random string */
+        }
+        return undefined;
+    }
+    /** GET /api/oauth/callback — Portal redirects here with code & state. Exchange for access token, save as PORTAL_API_KEY, redirect to dashboard. */
+    app.get('/api/oauth/callback', async (req, res) => {
+        const dashboardOrigin = (req.headers['x-forwarded-proto'] ? `${req.headers['x-forwarded-proto']}://${req.headers['x-forwarded-host']}` : null) || (req.headers.origin || `${req.protocol}://${req.get('host')}`);
+        const return_to = parseOAuthReturnTo(req);
+        const returnFragment = return_to ? `&return_to=${encodeURIComponent(return_to)}` : '';
+        try {
+            const code = req.query.code || '';
+            const portalGateway = getPortalGatewayBase();
+            const portalBase = portalGateway ? portalGateway.replace(/\/api\/gateway$/i, '') : '';
+            const clientId = (process.env.PORTAL_OAUTH_CLIENT_ID || '').trim();
+            const clientSecret = (process.env.PORTAL_OAUTH_CLIENT_SECRET || '').trim();
+            if (!code || !portalBase || !clientId || !clientSecret) {
+                res.redirect(302, `${dashboardOrigin || '/'}/?page=integrations&oauth=error&message=missing_config${returnFragment}`);
+                return;
+            }
+            const proto = req.headers['x-forwarded-proto'] || (req.secure ? 'https' : 'http');
+            const host = req.headers['x-forwarded-host'] || req.headers.host || '';
+            const publicBase = (process.env.PUBLIC_URL || process.env.GATEWAY_PUBLIC_URL || '').trim() || `${proto}://${host}`;
+            const redirectUri = `${publicBase.replace(/\/$/, '')}/api/oauth/callback`;
+            const tokenRes = await fetch(`${portalBase}/api/oauth/token`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    grant_type: 'authorization_code',
+                    code,
+                    client_id: clientId,
+                    client_secret: clientSecret,
+                    redirect_uri: redirectUri,
+                }),
+            });
+            const tokenText = await tokenRes.text();
+            if (!tokenRes.ok) {
+                log('gateway', 'error', `OAuth token exchange failed: ${tokenRes.status} ${tokenText}`);
+                res.redirect(302, `${dashboardOrigin || '/'}/?page=integrations&oauth=error&message=exchange_failed${returnFragment}`);
+                return;
+            }
+            let tokenData;
+            try {
+                tokenData = JSON.parse(tokenText);
+            }
+            catch {
+                res.redirect(302, `${dashboardOrigin || '/'}/?page=integrations&oauth=error&message=invalid_response${returnFragment}`);
+                return;
+            }
+            const accessToken = tokenData.access_token?.trim();
+            if (!accessToken) {
+                res.redirect(302, `${dashboardOrigin || '/'}/?page=integrations&oauth=error&message=no_token${returnFragment}`);
+                return;
+            }
+            writeOnboardEnvKeys({ PORTAL_API_KEY: accessToken });
+            res.redirect(302, `${dashboardOrigin || '/'}/?page=integrations&oauth=success${returnFragment}`);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            const dashboardOrigin = (req.headers.origin || (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-host'] ? `${req.headers['x-forwarded-proto']}://${req.headers['x-forwarded-host']}` : null) || `${req.protocol}://${req.get('host')}`);
+            const return_to = parseOAuthReturnTo(req);
+            const returnFragment = return_to ? `&return_to=${encodeURIComponent(return_to)}` : '';
+            res.redirect(302, `${dashboardOrigin || '/'}/?page=integrations&oauth=error&message=server_error${returnFragment}`);
+        }
+    });
     app.get('/api/config', (_req, res) => {
         try {
+            const portalUrl = getPortalGatewayBase();
+            const portalKey = getEffectivePortalApiKey();
+            const portalSet = !!(portalUrl && portalKey);
+            const directSet = !!config.integrationsUrl?.trim();
+            const integrationsMode = portalSet ? 'portal' : directSet ? 'direct' : null;
+            const portalOAuthClientId = (process.env.PORTAL_OAUTH_CLIENT_ID || '').trim();
             res.json({
                 watchFolders: config.watchFolders || [],
+                agentUsePi: config.agentUsePi,
+                piAvailable: isPiAvailable(),
+                /** When set, dashboard can use this for Integrations page instead of VITE_INTEGRATIONS_URL. */
+                integrationsUrl: config.integrationsUrl || null,
+                /** 'portal' = agent uses Portal for connections; 'direct' = agent uses INTEGRATIONS_URL; null = neither. */
+                integrationsMode,
+                portalGatewayUrl: portalUrl || config.portalGatewayUrl || null,
+                /** When set, dashboard can show "Connect with Sulala (OAuth)" and use /api/oauth/connect-url. */
+                portalOAuthConnectAvailable: !!(portalUrl && portalOAuthClientId),
                 aiProviders: [
                     { id: 'openai', label: 'OpenAI', defaultModel: process.env.AI_OPENAI_DEFAULT_MODEL || 'gpt-4o-mini' },
                     { id: 'openrouter', label: 'OpenRouter', defaultModel: process.env.AI_OPENROUTER_DEFAULT_MODEL || 'openai/gpt-4o-mini' },
@@ -259,6 +832,51 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    const JOB_DEFAULT_KEY = 'job_default';
+    app.get('/api/settings/job-default', (_req, res) => {
+        try {
+            const raw = getChannelConfig(JOB_DEFAULT_KEY);
+            if (!raw?.trim()) {
+                res.json({ defaultProvider: null, defaultModel: null });
+                return;
+            }
+            const o = JSON.parse(raw);
+            const defaultProvider = typeof o.defaultProvider === 'string' ? o.defaultProvider.trim() || null : null;
+            const defaultModel = typeof o.defaultModel === 'string' ? o.defaultModel.trim() || null : null;
+            res.json({ defaultProvider, defaultModel });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.put('/api/settings/job-default', (req, res) => {
+        try {
+            const { defaultProvider, defaultModel } = req.body || {};
+            const provider = defaultProvider !== undefined ? (typeof defaultProvider === 'string' ? defaultProvider.trim() || null : null) : undefined;
+            const model = defaultModel !== undefined ? (typeof defaultModel === 'string' ? defaultModel.trim() || null : null) : undefined;
+            const current = getChannelConfig(JOB_DEFAULT_KEY);
+            let next = {};
+            if (current?.trim()) {
+                try {
+                    next = JSON.parse(current);
+                }
+                catch {
+                    // ignore
+                }
+            }
+            if (provider !== undefined)
+                next.defaultProvider = provider;
+            if (model !== undefined)
+                next.defaultModel = model;
+            setChannelConfig(JOB_DEFAULT_KEY, JSON.stringify(next));
+            res.json({ defaultProvider: next.defaultProvider ?? null, defaultModel: next.defaultModel ?? null });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
     app.get('/api/agent/skills/required-bins', (_req, res) => {
         try {
             const bins = getAllRequiredBins(config);
@@ -282,7 +900,7 @@ export function createGateway(appMount = null) {
     app.get('/api/agent/skills/config', (_req, res) => {
         try {
             const cfg = loadSkillsConfig();
-            res.json({ skills: cfg, configPath: getConfigPath() });
+            res.json({ skills: redactSkillsConfig(cfg), configPath: getConfigPath() });
         }
         catch (e) {
             log('gateway', 'error', e.message);
@@ -294,7 +912,22 @@ export function createGateway(appMount = null) {
             const { skills } = req.body || {};
             if (skills && typeof skills === 'object')
                 saveSkillsConfig(skills);
-            res.json({ skills: loadSkillsConfig(), configPath: getConfigPath() });
+            res.json({ skills: redactSkillsConfig(loadSkillsConfig()), configPath: getConfigPath() });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.post('/api/agent/skills/config/remove', (req, res) => {
+        try {
+            const { slug } = req.body || {};
+            if (!slug || typeof slug !== 'string') {
+                res.status(400).json({ error: 'slug required' });
+                return;
+            }
+            removeSkillEntry(slug);
+            res.json({ removed: slug, skills: redactSkillsConfig(loadSkillsConfig()), configPath: getConfigPath() });
         }
         catch (e) {
             log('gateway', 'error', e.message);
@@ -311,8 +944,17 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
-    app.get('/api/agent/skills/registry', async (_req, res) => {
+    app.get('/api/agent/skills/registry', async (req, res) => {
         try {
+            const url = req.query.url?.trim();
+            if (url && (url.startsWith('http://') || url.startsWith('https://'))) {
+                const resp = await fetch(url);
+                if (!resp.ok)
+                    throw new Error(`Registry fetch failed: ${resp.status}`);
+                const data = (await resp.json());
+                res.json({ skills: data.skills ?? [] });
+                return;
+            }
             const skills = await getRegistrySkills();
             res.json({ skills });
         }
@@ -374,9 +1016,150 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
-    /** List models for a provider. For openrouter, proxies OpenRouter Models API (id + name). */
+    /** Skill Wizard: generate spec and optionally write skill to workspace. */
+    app.get('/api/agent/skills/wizard-apps', (_req, res) => {
+        res.json({ apps: WIZARD_APPS, triggers: WIZARD_TRIGGERS });
+    });
+    app.get('/api/agent/skills/templates', async (_req, res) => {
+        try {
+            const registrySkills = await getRegistrySkills();
+            const templates = getTemplates(registrySkills);
+            res.json({ templates });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.post('/api/agent/skills/generate', (req, res) => {
+        try {
+            const { goal = '', app: appId = 'other', trigger: triggerId = 'manual', write } = req.body || {};
+            const spec = generateSkillSpec(typeof goal === 'string' ? goal : '', typeof appId === 'string' ? appId : 'other', typeof triggerId === 'string' ? triggerId : 'manual');
+            if (write) {
+                const { path: filePath, slug } = writeGeneratedSkill(config, spec);
+                res.status(201).json({ spec, path: filePath, slug, written: true });
+            }
+            else {
+                res.json({ spec, written: false });
+            }
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** Execution preview: list pending tool actions awaiting approval. */
+    app.get('/api/agent/pending-actions', (req, res) => {
+        try {
+            const sessionId = typeof req.query.session_id === 'string' ? req.query.session_id : undefined;
+            const list = listPendingActions(sessionId).map((a) => ({
+                ...a,
+                args: sanitizeArgsForDisplay(a.args),
+            }));
+            res.json({ pendingActions: list });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.post('/api/agent/pending-actions/:id/approve', async (req, res) => {
+        const id = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+        if (!id) {
+            res.status(400).json({ error: 'Pending action id required' });
+            return;
+        }
+        try {
+            const pending = getPendingActionForReplay(id);
+            if (!pending) {
+                res.status(404).json({ error: 'Pending action not found or already handled' });
+                return;
+            }
+            let result;
+            try {
+                result = await executeTool(pending.toolName, pending.args, {
+                    sessionId: pending.sessionId,
+                    toolCallId: pending.toolCallId,
+                    skipApproval: true,
+                });
+            }
+            catch (err) {
+                result = { error: err instanceof Error ? err.message : String(err) };
+            }
+            const resultContent = typeof result === 'string' ? result : JSON.stringify(result);
+            const updated = updateAgentMessageToolResult(pending.sessionId, pending.toolCallId, resultContent);
+            if (!updated) {
+                appendAgentMessage({
+                    session_id: pending.sessionId,
+                    role: 'tool',
+                    tool_call_id: pending.toolCallId,
+                    name: pending.toolName,
+                    content: resultContent,
+                });
+            }
+            setPendingActionApproved(id, result);
+            res.json({ ok: true, result });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.post('/api/agent/pending-actions/:id/reject', (req, res) => {
+        const id = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+        if (!id) {
+            res.status(400).json({ error: 'Pending action id required' });
+            return;
+        }
+        try {
+            const pending = getPendingAction(id);
+            if (!pending || pending.status !== 'pending') {
+                res.status(404).json({ error: 'Pending action not found or already handled' });
+                return;
+            }
+            setPendingActionRejected(id);
+            const rejectedContent = JSON.stringify({ error: 'User rejected this action.' });
+            const updated = updateAgentMessageToolResult(pending.sessionId, pending.toolCallId, rejectedContent);
+            if (!updated) {
+                appendAgentMessage({
+                    session_id: pending.sessionId,
+                    role: 'tool',
+                    tool_call_id: pending.toolCallId,
+                    name: pending.toolName,
+                    content: rejectedContent,
+                });
+            }
+            res.json({ ok: true });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** List models for a provider. Ollama: local /api/tags; OpenRouter: proxies OpenRouter API. */
     app.get('/api/agent/models', async (req, res) => {
         const provider = req.query.provider || '';
+        if (provider === 'ollama') {
+            try {
+                const base = process.env.OLLAMA_BASE_URL || 'http://localhost:11434';
+                const r = await fetch(`${base}/api/tags`, { signal: AbortSignal.timeout(5000) });
+                if (!r.ok) {
+                    res.json({ models: [] });
+                    return;
+                }
+                const data = (await r.json());
+                const toolsWhitelist = /^(qwen3|qwen3\.5|qwen3-vl|qwen3-next|deepseek-r1|deepseek-v3|gpt-oss|glm-4\.7-flash|nemotron-3-nano|magistral|llama3|hermes3|mistral|gemma2|codellama|solar|qwen2|wizardlm2|neural-chat|starling-lm)(:|$)/i;
+                const models = (data.models || [])
+                    .filter((m) => toolsWhitelist.test(m.name))
+                    .filter((m) => !/:1b$|:1\.5b$|:0\.6b$|:2b$/i.test(m.name))
+                    .map((m) => ({ id: m.name, name: m.name }));
+                res.json({ models });
+            }
+            catch {
+                res.json({ models: [] });
+            }
+            return;
+        }
         if (provider !== 'openrouter') {
             res.json({ models: [] });
             return;
@@ -416,6 +1199,33 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    /** POST /api/tools/invoke — direct tool execution. Same policy as agent run. */
+    app.post('/api/tools/invoke', async (req, res) => {
+        try {
+            const body = (req.body || {});
+            const toolName = typeof body.tool === 'string' ? body.tool.trim() : '';
+            if (!toolName) {
+                res.status(400).json({ error: 'body.tool (string) required' });
+                return;
+            }
+            const args = body.args != null && typeof body.args === 'object' && !Array.isArray(body.args)
+                ? body.args
+                : {};
+            const allowed = listTools();
+            const tool = allowed.find((t) => t.name === toolName);
+            if (!tool) {
+                res.status(404).json({ error: `Tool "${toolName}" not found or not allowed` });
+                return;
+            }
+            const result = await executeTool(toolName, args);
+            res.json({ ok: true, result });
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            log('gateway', 'error', msg, { stack: e instanceof Error ? e.stack : undefined });
+            res.status(500).json({ error: msg });
+        }
+    });
     // --- Agent runner (sessions + tool loop) ---
     app.get('/api/agent/sessions', (req, res) => {
         try {
@@ -428,6 +1238,42 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    /** GET /api/agent/memory/scope-keys — distinct scope_key per scope (for Settings > Memory dropdowns). */
+    app.get('/api/agent/memory/scope-keys', (_req, res) => {
+        try {
+            const keys = listAgentMemoryScopeKeys();
+            res.json(keys);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** GET /api/agent/memory — list memory entries. Query: scope (session|shared), scope_key, limit (default 100). */
+    app.get('/api/agent/memory', (req, res) => {
+        try {
+            const scope = req.query.scope === 'shared' ? 'shared' : 'session';
+            const scopeKey = typeof req.query.scope_key === 'string' ? req.query.scope_key.trim() : '';
+            if (!scopeKey) {
+                res.status(400).json({ error: 'scope_key is required' });
+                return;
+            }
+            const limit = Math.min(parseInt(req.query.limit || '100', 10), 500);
+            const rows = listAgentMemories(scope, scopeKey, limit);
+            const entries = rows.map((r) => ({
+                id: r.id,
+                scope: r.scope,
+                scope_key: r.scope_key,
+                content: r.content,
+                created_at: r.created_at,
+            }));
+            res.json({ entries });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
     app.post('/api/agent/sessions', (req, res) => {
         try {
             const sessionKey = req.body?.session_key || `default_${Date.now()}`;
@@ -463,6 +1309,17 @@ export function createGateway(appMount = null) {
                         msg.tool_calls = [];
                     }
                 }
+                if (r.usage) {
+                    try {
+                        msg.usage = JSON.parse(r.usage);
+                    }
+                    catch {
+                        // ignore
+                    }
+                }
+                const costUsd = r.cost_usd;
+                if (costUsd != null)
+                    msg.cost_usd = costUsd;
                 return msg;
             });
             res.json({ ...session, messages });
@@ -485,19 +1342,55 @@ export function createGateway(appMount = null) {
         }
         const controller = new AbortController();
         req.on('close', () => controller.abort());
-        const { message, system_prompt, provider, model, max_tokens, timeout_ms } = req.body || {};
+        const { message, system_prompt, provider, model, max_tokens, timeout_ms, use_pi, required_integrations, attachment_urls } = req.body || {};
+        const urls = Array.isArray(attachment_urls) ? attachment_urls.filter((u) => typeof u === 'string' && u.trim()) : [];
+        const userMessageText = typeof message === 'string' ? message : '';
+        const fullUserMessage = urls.length > 0 ? `${userMessageText}\n\n[Attached media (use these URLs when posting images, e.g. Facebook photo post): ${urls.join(', ')}]` : userMessageText;
+        const required = Array.isArray(required_integrations)
+            ? required_integrations.filter((k) => typeof k === 'string' && k.trim())
+            : [];
+        if (required.length > 0) {
+            const connected = await getConnectedIntegrationIds();
+            const missing = required.filter((k) => !connected.includes(k));
+            if (missing.length > 0) {
+                res.status(422).json({
+                    type: 'missing_integrations',
+                    error: 'Missing required integrations',
+                    missing,
+                });
+                return;
+            }
+        }
         const timeoutMs = typeof timeout_ms === 'number' ? timeout_ms : config.agentTimeoutMs || 0;
+        const usePi = config.agentUsePi || use_pi === true || use_pi === '1';
+        if (usePi && !isPiAvailable()) {
+            res.status(503).json({
+                error: 'Pi runner requested but not available. Install optional deps: npm install @mariozechner/pi-agent-core @mariozechner/pi-ai @mariozechner/pi-coding-agent',
+            });
+            return;
+        }
         try {
-            const result = await withSessionLock(id, () => runAgentTurn({
-                sessionId: id,
-                userMessage: typeof message === 'string' ? message : null,
-                systemPrompt: typeof system_prompt === 'string' ? system_prompt : null,
-                provider: typeof provider === 'string' ? provider : undefined,
-                model: typeof model === 'string' ? model : undefined,
-                max_tokens: typeof max_tokens === 'number' ? max_tokens : undefined,
-                timeoutMs: timeoutMs > 0 ? timeoutMs : undefined,
-                signal: controller.signal,
-            }));
+            const result = await withSessionLock(id, () => usePi
+                ? runAgentTurnWithPi({
+                    sessionId: id,
+                    userMessage: fullUserMessage || null,
+                    systemPrompt: typeof system_prompt === 'string' ? system_prompt : null,
+                    provider: typeof provider === 'string' ? provider : undefined,
+                    model: typeof model === 'string' ? model : undefined,
+                    max_tokens: typeof max_tokens === 'number' ? max_tokens : undefined,
+                    timeoutMs: timeoutMs > 0 ? timeoutMs : undefined,
+                    signal: controller.signal,
+                })
+                : runAgentTurn({
+                    sessionId: id,
+                    userMessage: fullUserMessage || null,
+                    systemPrompt: typeof system_prompt === 'string' ? system_prompt : null,
+                    provider: typeof provider === 'string' ? provider : undefined,
+                    model: typeof model === 'string' ? model : undefined,
+                    max_tokens: typeof max_tokens === 'number' ? max_tokens : undefined,
+                    timeoutMs: timeoutMs > 0 ? timeoutMs : undefined,
+                    signal: controller.signal,
+                }));
             res.json(result);
         }
         catch (e) {
@@ -506,6 +1399,7 @@ export function createGateway(appMount = null) {
                 res.status(499).json({ error: 'Client closed request or run timed out' });
                 return;
             }
+            console.error('[gateway] POST /api/agent/sessions/:id/messages error:', err.message, err.stack);
             log('gateway', 'error', err.message, { stack: err.stack });
             res.status(500).json({ error: err.message });
         }
@@ -521,6 +1415,21 @@ export function createGateway(appMount = null) {
             res.status(404).json({ error: 'Session not found' });
             return;
         }
+        const bodyRequired = Array.isArray(req.body?.required_integrations)
+            ? (req.body.required_integrations.filter((k) => typeof k === 'string' && k.trim()))
+            : [];
+        if (bodyRequired.length > 0) {
+            const connected = await getConnectedIntegrationIds();
+            const missing = bodyRequired.filter((k) => !connected.includes(k));
+            if (missing.length > 0) {
+                res.status(422).json({
+                    type: 'missing_integrations',
+                    error: 'Missing required integrations',
+                    missing,
+                });
+                return;
+            }
+        }
         res.setHeader('Content-Type', 'text/event-stream');
         res.setHeader('Cache-Control', 'no-cache');
         res.setHeader('Connection', 'keep-alive');
@@ -538,12 +1447,17 @@ export function createGateway(appMount = null) {
         send('start', { runId });
         const controller = new AbortController();
         req.on('close', () => controller.abort());
-        const { message, system_prompt, provider, model, max_tokens, timeout_ms } = req.body || {};
+        const { message, continue: continueAfterApproval, system_prompt, provider, model, max_tokens, timeout_ms, attachment_urls: streamAttachmentUrls } = req.body || {};
         const timeoutMs = typeof timeout_ms === 'number' ? timeout_ms : config.agentTimeoutMs || 0;
+        const isContinue = continueAfterApproval === true || continueAfterApproval === 'true';
+        const streamUrls = Array.isArray(streamAttachmentUrls) ? streamAttachmentUrls.filter((u) => typeof u === 'string' && u.trim()) : [];
+        const streamMsg = typeof message === 'string' ? message : '';
+        const streamFullMessage = streamUrls.length > 0 ? `${streamMsg}\n\n[Attached media (use these URLs when posting images, e.g. Facebook photo post): ${streamUrls.join(', ')}]` : streamMsg;
+        const userMessage = isContinue ? null : (streamFullMessage || null);
         try {
-            await withSessionLock(id, () => runAgentTurnStream({
+            const runResult = await withSessionLock(id, () => runAgentTurnStream({
                 sessionId: id,
-                userMessage: typeof message === 'string' ? message : null,
+                userMessage,
                 systemPrompt: typeof system_prompt === 'string' ? system_prompt : null,
                 provider: typeof provider === 'string' ? provider : undefined,
                 model: typeof model === 'string' ? model : undefined,
@@ -553,19 +1467,25 @@ export function createGateway(appMount = null) {
             }, (ev) => {
                 if (ev.type === 'assistant')
                     send('assistant', { delta: ev.delta });
+                else if (ev.type === 'thinking')
+                    send('thinking', { delta: ev.delta });
                 else if (ev.type === 'tool_call')
                     send('tool_call', { name: ev.name, result: ev.result });
                 else if (ev.type === 'done')
-                    send('done', { finalContent: ev.finalContent, turnCount: ev.turnCount });
+                    send('done', { finalContent: ev.finalContent, turnCount: ev.turnCount, usage: ev.usage });
                 else if (ev.type === 'error')
                     send('error', { message: ev.message });
             }));
+            if (runResult.pendingActionId) {
+                send('pending_approval', { pendingActionId: runResult.pendingActionId });
+            }
         }
         catch (e) {
             const err = e;
             if (err.name === 'AbortError')
                 send('error', { message: 'Client closed request or run timed out' });
             else {
+                console.error('[gateway] POST /api/agent/sessions/:id/messages/stream error:', err.message, err.stack);
                 log('gateway', 'error', err.message, { stack: err.stack });
                 send('error', { message: err.message });
             }
@@ -610,6 +1530,8 @@ export function createGateway(appMount = null) {
         }, (ev) => {
             if (ev.type === 'assistant')
                 sendWs('assistant', { delta: ev.delta });
+            else if (ev.type === 'thinking')
+                sendWs('thinking', { delta: ev.delta });
             else if (ev.type === 'tool_call')
                 sendWs('tool_call', { name: ev.name, result: ev.result });
             else if (ev.type === 'done')
@@ -666,6 +1588,279 @@ export function createGateway(appMount = null) {
             res.status(500).json({ error: e.message });
         }
     });
+    // Scheduled jobs (cron → task type)
+    app.get('/api/schedules', (_req, res) => {
+        try {
+            const jobs = listScheduledJobs(false);
+            res.json({ schedules: jobs });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.post('/api/schedules', (req, res) => {
+        try {
+            const { name, description, cron_expression, task_type, payload, prompt, delivery, provider, model } = req.body || {};
+            if (!cron_expression?.trim()) {
+                res.status(400).json({ error: 'cron_expression required' });
+                return;
+            }
+            const isAgentJob = typeof prompt === 'string' && prompt.trim().length > 0;
+            const effectiveType = isAgentJob ? 'agent_job' : (task_type?.trim() || 'agent_job');
+            const id = `job_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+            const payloadStr = !isAgentJob && payload != null ? JSON.stringify(payload) : null;
+            const deliveryStr = isAgentJob && delivery != null ? JSON.stringify(delivery) : null;
+            const providerStr = typeof provider === 'string' ? provider.trim() || null : null;
+            const modelStr = typeof model === 'string' ? model.trim() || null : null;
+            insertScheduledJob({
+                id,
+                name: name?.trim() ?? '',
+                description: description?.trim() ?? '',
+                cron_expression: cron_expression.trim(),
+                task_type: effectiveType,
+                payload: payloadStr,
+                prompt: isAgentJob ? prompt.trim() : null,
+                delivery: deliveryStr,
+                provider: providerStr,
+                model: modelStr,
+                enabled: 1,
+            });
+            try {
+                if (isAgentJob) {
+                    const deliveryList = Array.isArray(delivery) ? delivery : (delivery ? [delivery] : []);
+                    const agentPayload = {
+                        jobId: id,
+                        name: name?.trim() || id,
+                        prompt: prompt.trim(),
+                        delivery: deliveryList,
+                    };
+                    if (providerStr)
+                        agentPayload.provider = providerStr;
+                    if (modelStr)
+                        agentPayload.model = modelStr;
+                    scheduleCronById(id, cron_expression.trim(), 'agent_job', agentPayload);
+                }
+                else {
+                    scheduleCronById(id, cron_expression.trim(), effectiveType, payload ?? null);
+                }
+            }
+            catch (e) {
+                deleteScheduledJob(id);
+                throw e;
+            }
+            const row = getScheduledJob(id);
+            log('gateway', 'info', 'Schedule created', { id, task_type: effectiveType });
+            res.status(201).json(row);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.patch('/api/schedules/:id', (req, res) => {
+        try {
+            const id = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+            if (!id) {
+                res.status(400).json({ error: 'Schedule id required' });
+                return;
+            }
+            const row = getScheduledJob(id);
+            if (!row) {
+                res.status(404).json({ error: 'Schedule not found' });
+                return;
+            }
+            const { name, description, cron_expression, task_type, payload, prompt, delivery, provider, model, enabled } = req.body || {};
+            const updates = {};
+            if (typeof name === 'string')
+                updates.name = name;
+            if (typeof description === 'string')
+                updates.description = description;
+            if (typeof cron_expression === 'string')
+                updates.cron_expression = cron_expression;
+            if (typeof task_type === 'string')
+                updates.task_type = task_type;
+            if (payload !== undefined)
+                updates.payload = payload == null ? null : JSON.stringify(payload);
+            if (prompt !== undefined)
+                updates.prompt = prompt == null ? null : String(prompt).trim() || null;
+            if (delivery !== undefined)
+                updates.delivery = delivery == null ? null : JSON.stringify(delivery);
+            if (provider !== undefined)
+                updates.provider = provider == null ? null : (typeof provider === 'string' ? provider.trim() || null : null);
+            if (model !== undefined)
+                updates.model = model == null ? null : (typeof model === 'string' ? model.trim() || null : null);
+            if (enabled !== undefined)
+                updates.enabled = enabled ? 1 : 0;
+            updateScheduledJob(id, updates);
+            unscheduleJob(id);
+            const updated = getScheduledJob(id);
+            if (updated.enabled) {
+                if (updated.prompt?.trim()) {
+                    const deliveryList = updated.delivery?.trim() ? JSON.parse(updated.delivery) : [];
+                    const agentPayload = {
+                        jobId: id,
+                        name: updated.name || id,
+                        prompt: updated.prompt,
+                        delivery: deliveryList,
+                    };
+                    const prov = updated.provider;
+                    const mod = updated.model;
+                    if (prov?.trim())
+                        agentPayload.provider = prov.trim();
+                    if (mod?.trim())
+                        agentPayload.model = mod.trim();
+                    scheduleCronById(id, updated.cron_expression, 'agent_job', agentPayload);
+                }
+                else {
+                    const payloadVal = updated.payload ? JSON.parse(updated.payload) : null;
+                    scheduleCronById(id, updated.cron_expression, updated.task_type, payloadVal);
+                }
+            }
+            log('gateway', 'info', 'Schedule updated', { id });
+            res.json(updated);
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.delete('/api/schedules/:id', (req, res) => {
+        try {
+            const id = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+            if (!id) {
+                res.status(400).json({ error: 'Schedule id required' });
+                return;
+            }
+            const row = getScheduledJob(id);
+            if (!row) {
+                res.status(404).json({ error: 'Schedule not found' });
+                return;
+            }
+            unscheduleJob(id);
+            deleteScheduledJob(id);
+            log('gateway', 'info', 'Schedule deleted', { id });
+            res.status(204).send();
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** Run a scheduled job immediately (test run). */
+    app.post('/api/schedules/:id/run', (req, res) => {
+        try {
+            const id = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+            if (!id) {
+                res.status(400).json({ error: 'Schedule id required' });
+                return;
+            }
+            const row = getScheduledJob(id);
+            if (!row) {
+                res.status(404).json({ error: 'Schedule not found' });
+                return;
+            }
+            let payload;
+            let taskType;
+            if (row.prompt?.trim()) {
+                const deliveryList = row.delivery?.trim() ? JSON.parse(row.delivery) : [];
+                const r = row;
+                const agentPayload = { jobId: id, name: row.name || id, prompt: row.prompt, delivery: deliveryList };
+                if (r.provider?.trim())
+                    agentPayload.provider = r.provider.trim();
+                if (r.model?.trim())
+                    agentPayload.model = r.model.trim();
+                payload = agentPayload;
+                taskType = 'agent_job';
+            }
+            else {
+                payload = row.payload ? JSON.parse(row.payload) : null;
+                taskType = row.task_type;
+            }
+            const taskId = `run_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+            insertTask({ id: taskId, type: taskType, payload, scheduled_at: Date.now() });
+            const enqueueTaskId = app.locals.enqueueTaskId;
+            if (typeof enqueueTaskId === 'function')
+                enqueueTaskId(taskId);
+            log('gateway', 'info', 'Schedule test run enqueued', { scheduleId: id, taskId });
+            res.status(201).json({ id: taskId, type: taskType, status: 'pending' });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** Get run history for a scheduled job. */
+    app.get('/api/schedules/:id/runs', (req, res) => {
+        try {
+            const id = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+            if (!id) {
+                res.status(400).json({ error: 'Schedule id required' });
+                return;
+            }
+            const row = getScheduledJob(id);
+            if (!row) {
+                res.status(404).json({ error: 'Schedule not found' });
+                return;
+            }
+            const limit = Math.min(parseInt(req.query.limit || '30', 10), 100);
+            const runs = getTasksForJob(id, limit);
+            res.json({ runs });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    /** Chat attachments: upload image/file, get a URL the agent can use (e.g. for Facebook photo posts). */
+    const uploadsDir = join(projectRoot, 'uploads');
+    const ALLOWED_EXT = /\.(jpg|jpeg|png|gif|webp)$/i;
+    app.post('/api/upload', express.json({ limit: '10mb' }), (req, res) => {
+        try {
+            const { filename, data } = req.body || {};
+            if (typeof data !== 'string') {
+                res.status(400).json({ error: 'Missing or invalid body: { filename, data (base64) }' });
+                return;
+            }
+            const base = typeof filename === 'string' ? filename.replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 80) : 'file';
+            const ext = base.includes('.') ? base.slice(base.lastIndexOf('.')) : '';
+            const safeExt = ALLOWED_EXT.test(ext) ? ext : '.jpg';
+            const name = `${randomBytes(8).toString('hex')}${safeExt}`;
+            if (!existsSync(uploadsDir))
+                mkdirSync(uploadsDir, { recursive: true });
+            const path = join(uploadsDir, name);
+            const buf = Buffer.from(data, 'base64');
+            if (buf.length > 8 * 1024 * 1024) {
+                res.status(400).json({ error: 'File too large (max 8MB)' });
+                return;
+            }
+            writeFileSync(path, buf);
+            const host = req.get('host') || `${config.host}:${config.port}`;
+            const protocol = req.get('x-forwarded-proto') || req.protocol || 'http';
+            const url = `${protocol}://${host}/api/uploads/${name}`;
+            res.json({ url, name });
+        }
+        catch (e) {
+            log('gateway', 'error', e.message);
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.get('/api/uploads/:name', (req, res) => {
+        const name = Array.isArray(req.params.name) ? req.params.name[0] : req.params.name;
+        if (!name || !/^[a-f0-9]{16}\.(jpg|jpeg|png|gif|webp)$/i.test(name)) {
+            res.status(400).json({ error: 'Invalid upload name' });
+            return;
+        }
+        const path = join(uploadsDir, name);
+        if (!existsSync(path)) {
+            res.status(404).json({ error: 'Not found' });
+            return;
+        }
+        res.sendFile(path, { maxAge: 86400 * 7 }, (err) => {
+            if (err)
+                res.status(500).json({ error: err.message });
+        });
+    });
     if (existsSync(dashboardDist)) {
         app.use(express.static(dashboardDist));
         app.get(/^\/(?!api|health|ws)/, (_req, res) => {