@syengup/friday-channel-next 0.1.30 → 0.1.36

package/src/http/handlers/agent-config.ts

@@ -0,0 +1,218 @@
+/**
+ * GET/PUT /friday-next/agents/{id}/config
+ *
+ * Reads and edits a single agent's runtime configuration — the same fields
+ * OpenClaw's ControlUI manages, but written through the plugin's own config
+ * channel (`api.runtime.config.mutateConfigFile`, proven by plugin-upgrade) so
+ * NO OpenClaw core changes are needed. All edits land in `agents.list[]` of the
+ * host config file (`~/.clawrc`), exactly where ControlUI's `config.set` writes.
+ *
+ * Editable fields:
+ *  - model           → agents.list[i].model        (string | {primary,fallbacks})
+ *  - thinkingDefault → agents.list[i].thinkingDefault
+ *  - tools           → agents.list[i].tools        ({profile,allow,alsoAllow,deny})
+ *  - skills          → agents.list[i].skills       (string[]; [] disables all, absent inherits defaults)
+ *
+ * Clearing an override MUST delete the field (not leave a stale value) so the
+ * core's config merge falls back to `agents.defaults` — same hazard documented
+ * for the default-model bug. PUT therefore treats an explicit `null` as "clear".
+ */
+
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { getFridayAgentForwardRuntime } from "../../agent-forward-runtime.js";
+import { getUpgradeRuntime } from "../../upgrade-runtime.js";
+import { normalizeAgentId } from "../../agent-id.js";
+import { discoverAvailableSkills, type DiscoveredSkill } from "../../skills-discovery.js";
+import { extractBearerToken } from "../middleware/auth.js";
+import { readJsonBody } from "../middleware/body.js";
+import { createFridayNextLogger } from "../../logging.js";
+
+function json(res: ServerResponse, status: number, body: unknown): true {
+  res.statusCode = status;
+  res.setHeader("Content-Type", "application/json");
+  res.end(JSON.stringify(body));
+  return true;
+}
+
+export interface AgentToolsConfig {
+  profile?: string;
+  allow?: string[];
+  alsoAllow?: string[];
+  deny?: string[];
+}
+
+interface AgentConfigView {
+  id: string;
+  exists: boolean;
+  /** Raw model field verbatim (string or {primary,fallbacks}); undefined inherits defaults. */
+  model?: unknown;
+  thinkingDefault?: string;
+  tools?: AgentToolsConfig;
+  /** Configured skills allow-list; undefined = inherit defaults, [] = all disabled. */
+  skills?: string[];
+  /** Full catalog of loadable skills (id + source category + description), best-effort. */
+  availableSkills: DiscoveredSkill[];
+}
+
+function readString(value: unknown): string | undefined {
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+
+function readStringArray(value: unknown): string[] | undefined {
+  if (!Array.isArray(value)) return undefined;
+  const out = value.filter((v): v is string => typeof v === "string" && v.trim().length > 0).map((v) => v.trim());
+  return out;
+}
+
+function readToolsConfig(value: unknown): AgentToolsConfig | undefined {
+  if (!value || typeof value !== "object") return undefined;
+  const t = value as Record<string, unknown>;
+  const view: AgentToolsConfig = {};
+  const profile = readString(t.profile);
+  if (profile) view.profile = profile;
+  const allow = readStringArray(t.allow);
+  if (allow) view.allow = allow;
+  const alsoAllow = readStringArray(t.alsoAllow);
+  if (alsoAllow) view.alsoAllow = alsoAllow;
+  const deny = readStringArray(t.deny);
+  if (deny) view.deny = deny;
+  return view;
+}
+
+/** Locate the configured `agents.list[]` entry whose normalized id matches `agentId`. */
+function findAgentEntry(cfg: unknown, agentId: string): Record<string, unknown> | undefined {
+  const agents = (cfg as Record<string, unknown> | undefined)?.agents as Record<string, unknown> | undefined;
+  const list = agents?.list as Array<Record<string, unknown>> | undefined;
+  if (!Array.isArray(list)) return undefined;
+  return list.find((a) => a && typeof a === "object" && normalizeAgentId(a.id) === agentId);
+}
+
+function buildConfigView(agentId: string): AgentConfigView {
+  const rt = getFridayAgentForwardRuntime();
+  const cfg = rt?.getConfig();
+  const entry = cfg ? findAgentEntry(cfg, agentId) : undefined;
+  return {
+    id: agentId,
+    exists: entry !== undefined,
+    model: entry?.model,
+    thinkingDefault: readString(entry?.thinkingDefault),
+    tools: readToolsConfig(entry?.tools),
+    // undefined = no `skills` field (inherit defaults); [] = field present but empty (all disabled).
+    skills: readStringArray(entry?.skills),
+    availableSkills: discoverAvailableSkills(cfg, agentId),
+  };
+}
+
+// --- PUT validation helpers --------------------------------------------------
+
+/** A field present in the body: `undefined` = not sent (keep), `null` = clear, else new value. */
+type Patch<T> = { sent: boolean; clear: boolean; value?: T };
+
+function readPatch<T>(body: Record<string, unknown>, key: string, coerce: (raw: unknown) => T | undefined): Patch<T> {
+  if (!(key in body)) return { sent: false, clear: false };
+  const raw = body[key];
+  if (raw === null) return { sent: true, clear: true };
+  const value = coerce(raw);
+  if (value === undefined) return { sent: false, clear: false };
+  return { sent: true, clear: false, value };
+}
+
+function coerceModel(raw: unknown): unknown | undefined {
+  if (typeof raw === "string") return raw.trim() || undefined;
+  if (raw && typeof raw === "object") {
+    const primary = readString((raw as Record<string, unknown>).primary);
+    if (!primary) return undefined;
+    const fallbacks = readStringArray((raw as Record<string, unknown>).fallbacks);
+    return fallbacks && fallbacks.length > 0 ? { primary, fallbacks } : { primary };
+  }
+  return undefined;
+}
+
+function coerceTools(raw: unknown): AgentToolsConfig | undefined {
+  return readToolsConfig(raw);
+}
+
+/** Skills: array (incl. empty = disable all) only; non-arrays are rejected upstream. */
+function coerceSkills(raw: unknown): string[] | undefined {
+  return Array.isArray(raw) ? readStringArray(raw) ?? [] : undefined;
+}
+
+// --- handler -----------------------------------------------------------------
+
+export async function handleAgentConfig(
+  req: IncomingMessage,
+  res: ServerResponse,
+  rawAgentId: string,
+): Promise<boolean> {
+  if (req.method !== "GET" && req.method !== "PUT") {
+    return json(res, 405, { error: "Method Not Allowed" });
+  }
+  if (!extractBearerToken(req)) {
+    return json(res, 401, { error: "Unauthorized: bearer token mismatch" });
+  }
+
+  const agentId = normalizeAgentId(rawAgentId);
+
+  if (req.method === "GET") {
+    return json(res, 200, { ok: true, ...buildConfigView(agentId) });
+  }
+
+  // PUT — partial patch.
+  const body = await readJsonBody(req);
+  if (!body) return json(res, 400, { error: "Invalid or missing JSON body" });
+
+  const model = readPatch(body, "model", coerceModel);
+  const thinkingDefault = readPatch(body, "thinkingDefault", (r) => readString(r));
+  const tools = readPatch(body, "tools", coerceTools);
+  const skills = readPatch(body, "skills", coerceSkills);
+
+  if ("skills" in body && body.skills !== null && !Array.isArray(body.skills)) {
+    return json(res, 400, { error: "skills must be an array of skill ids, [] to disable all, or null to inherit defaults" });
+  }
+  if (!model.sent && !thinkingDefault.sent && !tools.sent && !skills.sent) {
+    return json(res, 400, { error: "No editable fields provided (model, thinkingDefault, tools, skills)" });
+  }
+
+  const upgrade = getUpgradeRuntime();
+  if (!upgrade) return json(res, 503, { error: "Config write runtime unavailable" });
+
+  const log = createFridayNextLogger("agent-config");
+  try {
+    await upgrade.mutateConfigFile({
+      afterWrite: { mode: "auto" },
+      mutate: (draftRaw) => {
+        const draft = draftRaw as Record<string, unknown>;
+        const agents = (draft.agents ??= {}) as Record<string, unknown>;
+        const list = (agents.list ??= []) as Array<Record<string, unknown>>;
+        let entry = list.find((a) => a && typeof a === "object" && normalizeAgentId(a.id) === agentId);
+        if (!entry) {
+          // Implicit agent (e.g. "main") with no list entry yet — create a bare one.
+          // Never set `default: true`: that would change default-agent resolution.
+          entry = { id: agentId };
+          list.push(entry);
+        }
+        applyField(entry, "model", model);
+        applyField(entry, "thinkingDefault", thinkingDefault);
+        applyField(entry, "tools", tools);
+        applyField(entry, "skills", skills);
+      },
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    log.error(`agent config write failed for "${agentId}": ${msg}`);
+    return json(res, 500, { error: "Failed to write agent config", detail: msg });
+  }
+
+  log.info(`agent config updated for "${agentId}"`);
+  return json(res, 200, { ok: true, ...buildConfigView(agentId) });
+}
+
+/** Apply a patch: clear → delete the key; set → assign; not sent → leave as-is. */
+function applyField(entry: Record<string, unknown>, key: string, patch: Patch<unknown>): void {
+  if (!patch.sent) return;
+  if (patch.clear) {
+    delete entry[key];
+    return;
+  }
+  entry[key] = patch.value;
+}

package/src/http/handlers/agent-files.test.ts

@@ -0,0 +1,136 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { EventEmitter } from "node:events";
+import { Readable } from "node:stream";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { handleAgentFiles, CORE_AGENT_FILES } from "./agent-files.js";
+import { setMockRuntime } from "../../test-support/mock-runtime.js";
+import {
+  setFridayAgentForwardRuntime,
+  resetFridayAgentForwardRuntimeForTest,
+} from "../../agent-forward-runtime.js";
+
+class MockRes extends EventEmitter {
+  statusCode = 0;
+  headers: Record<string, string> = {};
+  body = "";
+  setHeader(name: string, value: string): void {
+    this.headers[name.toLowerCase()] = value;
+  }
+  end(body?: string): void {
+    if (body) this.body += body;
+  }
+}
+
+const AUTH = { authorization: "Bearer test-token" };
+
+function makeReq(headers: Record<string, string> = {}, method = "GET", body?: unknown): any {
+  const stream = Readable.from(body === undefined ? [] : [Buffer.from(JSON.stringify(body))]);
+  return Object.assign(stream, { method, url: "/friday-next/agents/main/files", headers });
+}
+
+function setWorkspace(workspace: string | undefined): void {
+  setFridayAgentForwardRuntime({
+    runtime: {
+      agent: {
+        session: { resolveStorePath: () => "", loadSessionStore: () => ({}) },
+        ...(workspace ? { resolveAgentWorkspaceDir: () => workspace } : {}),
+      },
+      config: { current: () => ({}) },
+    },
+  } as any);
+}
+
+describe("handleAgentFiles", () => {
+  let workspace: string;
+
+  beforeEach(() => {
+    setMockRuntime();
+    workspace = fs.mkdtempSync(path.join(os.tmpdir(), "friday-files-"));
+    setWorkspace(workspace);
+  });
+
+  afterEach(() => {
+    resetFridayAgentForwardRuntimeForTest();
+    fs.rmSync(workspace, { recursive: true, force: true });
+  });
+
+  it("rejects unsupported methods with 405", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH, "DELETE"), res as any, "main", undefined);
+    expect(res.statusCode).toBe(405);
+  });
+
+  it("rejects missing token with 401", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(makeReq({}, "GET"), res as any, "main", undefined);
+    expect(res.statusCode).toBe(401);
+  });
+
+  it("503 when the workspace can't be resolved", async () => {
+    setWorkspace(undefined);
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH), res as any, "main", undefined);
+    expect(res.statusCode).toBe(503);
+  });
+
+  it("GET lists every whitelist file with existence + size", async () => {
+    fs.writeFileSync(path.join(workspace, "IDENTITY.md"), "hello");
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH), res as any, "main", undefined);
+    expect(res.statusCode).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.files).toHaveLength(CORE_AGENT_FILES.length);
+    const identity = body.files.find((f: { name: string }) => f.name === "IDENTITY.md");
+    expect(identity).toEqual({ name: "IDENTITY.md", exists: true, bytes: 5 });
+    const soul = body.files.find((f: { name: string }) => f.name === "SOUL.md");
+    expect(soul).toEqual({ name: "SOUL.md", exists: false, bytes: 0 });
+  });
+
+  it("GET one file returns its content", async () => {
+    fs.writeFileSync(path.join(workspace, "AGENTS.md"), "# rules\n");
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH), res as any, "main", "AGENTS.md");
+    expect(res.statusCode).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body).toMatchObject({ ok: true, name: "AGENTS.md", exists: true, content: "# rules\n" });
+  });
+
+  it("GET a missing whitelisted file returns exists:false with empty content", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH), res as any, "main", "MEMORY.md");
+    const body = JSON.parse(res.body);
+    expect(body).toMatchObject({ exists: false, content: "" });
+  });
+
+  it("rejects a non-whitelisted file name with 400", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH), res as any, "main", "secrets.env");
+    expect(res.statusCode).toBe(400);
+  });
+
+  it("rejects path-traversal names with 400", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH), res as any, "main", "../escape.md");
+    expect(res.statusCode).toBe(400);
+  });
+
+  it("PUT writes content and the file lands on disk", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(
+      makeReq(AUTH, "PUT", { content: "You are Friday." }),
+      res as any,
+      "main",
+      "IDENTITY.md",
+    );
+    expect(res.statusCode).toBe(200);
+    expect(fs.readFileSync(path.join(workspace, "IDENTITY.md"), "utf-8")).toBe("You are Friday.");
+  });
+
+  it("PUT without a content string returns 400", async () => {
+    const res = new MockRes();
+    await handleAgentFiles(makeReq(AUTH, "PUT", { foo: 1 }), res as any, "main", "IDENTITY.md");
+    expect(res.statusCode).toBe(400);
+  });
+});

package/src/http/handlers/agent-files.ts

@@ -0,0 +1,149 @@
+/**
+ * GET/PUT /friday-next/agents/{id}/files[/{name}]
+ *
+ * Reads and edits an agent's core workspace files — the same whitelist ControlUI
+ * exposes (AGENTS/IDENTITY/SOUL/TOOLS/MEMORY/USER/HEARTBEAT/BOOTSTRAP.md). These
+ * are plain workspace files, not config: written directly via Node fs into the
+ * dir resolved by `api.runtime.agent.resolveAgentWorkspaceDir` (the same call
+ * agents-list uses to read IDENTITY.md). No config mutation, no gateway restart —
+ * the agent re-reads them on its next run.
+ *
+ *  - GET  /agents/{id}/files          → status of every whitelist file
+ *  - GET  /agents/{id}/files/{name}   → one file's content
+ *  - PUT  /agents/{id}/files/{name}   → write one file (body: { content })
+ *
+ * Security: the file name MUST be in the whitelist (no path traversal), and the
+ * resolved path is re-checked to stay inside the workspace dir as defense in depth.
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { getFridayAgentForwardRuntime } from "../../agent-forward-runtime.js";
+import { normalizeAgentId } from "../../agent-id.js";
+import { extractBearerToken } from "../middleware/auth.js";
+import { readJsonBody } from "../middleware/body.js";
+import { createFridayNextLogger } from "../../logging.js";
+
+/** Core workspace files an agent edits, mirroring ControlUI's `agents.files` whitelist. */
+export const CORE_AGENT_FILES = [
+  "AGENTS.md",
+  "IDENTITY.md",
+  "SOUL.md",
+  "TOOLS.md",
+  "MEMORY.md",
+  "USER.md",
+  "HEARTBEAT.md",
+  "BOOTSTRAP.md",
+] as const;
+
+const CORE_FILE_SET = new Set<string>(CORE_AGENT_FILES);
+
+/** Max core-file size on write (256 KiB) — these are prompts, not data dumps. */
+const MAX_FILE_BYTES = 256 * 1024;
+
+function json(res: ServerResponse, status: number, body: unknown): true {
+  res.statusCode = status;
+  res.setHeader("Content-Type", "application/json");
+  res.end(JSON.stringify(body));
+  return true;
+}
+
+/** Resolve the agent's workspace dir, or undefined if the runtime can't. */
+function resolveWorkspace(agentId: string): string | undefined {
+  const rt = getFridayAgentForwardRuntime();
+  if (!rt?.resolveAgentWorkspaceDir) return undefined;
+  try {
+    const dir = rt.resolveAgentWorkspaceDir(rt.getConfig(), agentId);
+    return dir || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+/** Whitelisted, traversal-safe absolute path for `name` inside `workspace`, or null. */
+function safeFilePath(workspace: string, name: string): string | null {
+  if (!CORE_FILE_SET.has(name)) return null;
+  const resolved = path.resolve(workspace, name);
+  // Defense in depth: the resolved path must sit directly inside the workspace.
+  if (path.dirname(resolved) !== path.resolve(workspace)) return null;
+  return resolved;
+}
+
+export async function handleAgentFiles(
+  req: IncomingMessage,
+  res: ServerResponse,
+  rawAgentId: string,
+  fileName: string | undefined,
+): Promise<boolean> {
+  const method = req.method;
+  if (method !== "GET" && method !== "PUT") {
+    return json(res, 405, { error: "Method Not Allowed" });
+  }
+  if (!extractBearerToken(req)) {
+    return json(res, 401, { error: "Unauthorized: bearer token mismatch" });
+  }
+
+  const agentId = normalizeAgentId(rawAgentId);
+  const workspace = resolveWorkspace(agentId);
+  if (!workspace) return json(res, 503, { error: "Agent workspace not resolvable" });
+
+  // GET /files — list whitelist status.
+  if (method === "GET" && !fileName) {
+    const files = CORE_AGENT_FILES.map((name) => {
+      try {
+        const stat = fs.statSync(path.join(workspace, name));
+        return { name, exists: true, bytes: stat.size };
+      } catch {
+        return { name, exists: false, bytes: 0 };
+      }
+    });
+    return json(res, 200, { ok: true, id: agentId, files });
+  }
+
+  if (!fileName || !CORE_FILE_SET.has(fileName)) {
+    return json(res, 400, {
+      error: `Unknown core file; allowed: ${CORE_AGENT_FILES.join(", ")}`,
+    });
+  }
+  const filePath = safeFilePath(workspace, fileName);
+  if (!filePath) return json(res, 400, { error: "Invalid file name" });
+
+  if (method === "GET") {
+    try {
+      const content = fs.readFileSync(filePath, "utf-8");
+      return json(res, 200, { ok: true, id: agentId, name: fileName, exists: true, content });
+    } catch {
+      return json(res, 200, { ok: true, id: agentId, name: fileName, exists: false, content: "" });
+    }
+  }
+
+  // PUT — write content.
+  const body = await readJsonBody(req);
+  if (!body || typeof body.content !== "string") {
+    return json(res, 400, { error: "Missing required field: content (string)" });
+  }
+  const content = body.content;
+  if (Buffer.byteLength(content, "utf-8") > MAX_FILE_BYTES) {
+    return json(res, 413, { error: `content exceeds ${MAX_FILE_BYTES} bytes` });
+  }
+
+  const log = createFridayNextLogger("agent-files");
+  try {
+    fs.mkdirSync(workspace, { recursive: true });
+    fs.writeFileSync(filePath, content, "utf-8");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    log.error(`write ${fileName} for "${agentId}" failed: ${msg}`);
+    return json(res, 500, { error: "Failed to write file", detail: msg });
+  }
+
+  log.info(`wrote ${fileName} for "${agentId}" (${Buffer.byteLength(content, "utf-8")} bytes)`);
+  return json(res, 200, {
+    ok: true,
+    id: agentId,
+    name: fileName,
+    exists: true,
+    bytes: Buffer.byteLength(content, "utf-8"),
+  });
+}

package/src/http/handlers/agent-tools-catalog.ts

@@ -0,0 +1,42 @@
+/**
+ * GET /friday-next/agents/{id}/tools/catalog
+ *
+ * Returns the agent's full tool catalog (core + plugin tools, grouped by category,
+ * with descriptions, profiles, and per-tool effective `enabled`/`inProfile` state) for
+ * the app's toolbox editor — mirroring ControlUI. Edits are saved via the existing
+ * `PUT /agents/{id}/config` (tools.{profile,allow,alsoAllow,deny}).
+ */
+
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { getFridayAgentForwardRuntime } from "../../agent-forward-runtime.js";
+import { normalizeAgentId } from "../../agent-id.js";
+import { buildAgentToolsCatalog } from "../../tool-catalog.js";
+import { extractBearerToken } from "../middleware/auth.js";
+
+function json(res: ServerResponse, status: number, body: unknown): true {
+  res.statusCode = status;
+  res.setHeader("Content-Type", "application/json");
+  res.end(JSON.stringify(body));
+  return true;
+}
+
+export async function handleAgentToolsCatalog(
+  req: IncomingMessage,
+  res: ServerResponse,
+  rawAgentId: string,
+): Promise<boolean> {
+  if (req.method !== "GET") {
+    return json(res, 405, { error: "Method Not Allowed" });
+  }
+  if (!extractBearerToken(req)) {
+    return json(res, 401, { error: "Unauthorized: bearer token mismatch" });
+  }
+
+  const agentId = normalizeAgentId(rawAgentId);
+  const cfg = getFridayAgentForwardRuntime()?.getConfig();
+  const catalog = await buildAgentToolsCatalog(cfg, agentId);
+  if (!catalog) {
+    return json(res, 503, { error: "Tool catalog unavailable" });
+  }
+  return json(res, 200, { ok: true, id: agentId, ...catalog });
+}

package/src/http/handlers/agents-list.ts

@@ -6,11 +6,7 @@ import {
   type FridayAgentForwardRuntime,
 } from "../../agent-forward-runtime.js";
 import { extractBearerToken } from "../middleware/auth.js";
-
-const DEFAULT_AGENT_ID = "main";
-
-/** Agent ids already in path/shell-safe form skip the slug rewrite below. */
-const SAFE_AGENT_ID = /^[a-z0-9][a-z0-9_-]*$/;
+import { DEFAULT_AGENT_ID, normalizeAgentId } from "../../agent-id.js";
 
 export interface FridayAgentEntry {
   id: string;
@@ -29,23 +25,6 @@ interface ResolvedAgents {
   defaultAgentId: string;
 }
 
-/**
- * Mirror of OpenClaw's `normalizeAgentId` (src/routing/session-key.ts): trim,
- * lowercase, keep path/shell-safe. Empty → "main".
- */
-function normalizeAgentId(value: unknown): string {
-  const trimmed = typeof value === "string" ? value.trim() : "";
-  if (!trimmed) return DEFAULT_AGENT_ID;
-  const lowered = trimmed.toLowerCase();
-  if (SAFE_AGENT_ID.test(lowered)) return lowered;
-  return (
-    lowered
-      .replace(/[^a-z0-9_-]+/g, "-")
-      .replace(/^-+|-+$/g, "")
-      .slice(0, 64) || DEFAULT_AGENT_ID
-  );
-}
-
 /** Extract a primary model ref from the `model` field (string or {primary,...}). */
 function resolvePrimaryModel(model: unknown): string | undefined {
   if (typeof model === "string") return readString(model);

package/src/http/handlers/cancel.test.ts

@@ -47,7 +47,7 @@ describe("handleCancel", () => {
     expect((res as unknown as MockRes).statusCode).toBe(401);
   });
 
-  it("returns 400 for missing runId", async () => {
+  it("returns 400 when neither sessionKey nor runId is provided", async () => {
     const req = mockReq("POST", { authorization: "Bearer test-token" });
     const res = new MockRes() as unknown as ServerResponse;
     const p = handleCancel(req as unknown as IncomingMessage, res);
@@ -56,7 +56,17 @@ describe("handleCancel", () => {
     expect((res as unknown as MockRes).statusCode).toBe(400);
   });
 
-  it("untracks run under Vitest (abort skipped)", async () => {
+  it("accepts sessionKey and returns 200 (abort skipped under Vitest)", async () => {
+    const req = mockReq("POST", { authorization: "Bearer test-token" });
+    const res = new MockRes() as unknown as ServerResponse;
+    const p = handleCancel(req as unknown as IncomingMessage, res);
+    req.end(JSON.stringify({ sessionKey: "sk-1" }));
+    await p;
+    expect((res as unknown as MockRes).statusCode).toBe(200);
+    expect(JSON.parse((res as unknown as MockRes).body)).toMatchObject({ ok: true, sessionKey: "sk-1" });
+  });
+
+  it("untracks run by runId fallback under Vitest (abort skipped)", async () => {
     const req = mockReq("POST", { authorization: "Bearer test-token" });
     const res = new MockRes() as unknown as ServerResponse;
     const spyUntrack = vi.spyOn(sseEmitter, "untrackRun").mockImplementation(() => {});

package/src/http/handlers/cancel.ts

@@ -1,5 +1,6 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
-import { abortRun } from "../../agent/abort-run.js";
+import { abortRunForSessionKey } from "../../agent/abort-run.js";
+import { getRunRoute } from "../../run-metadata.js";
 import { sseEmitter } from "../../sse/emitter.js";
 import { readJsonBody } from "../middleware/body.js";
 import { extractBearerToken } from "../middleware/auth.js";
@@ -20,16 +21,21 @@ export async function handleCancel(req: IncomingMessage, res: ServerResponse): P
   }
   const body = await readJsonBody(req);
   const runId = typeof body?.runId === "string" ? body.runId.trim() : "";
-  if (!runId) {
+  // sessionKey is the primary identifier (one active run per session); runId is a
+  // back-compat fallback for older apps — resolve it to a sessionKey via the run route.
+  const sessionKey =
+    (typeof body?.sessionKey === "string" ? body.sessionKey.trim() : "") ||
+    (runId ? getRunRoute(runId)?.sessionKey?.trim() ?? "" : "");
+  if (!sessionKey && !runId) {
     res.statusCode = 400;
     res.setHeader("Content-Type", "application/json");
-    res.end(JSON.stringify({ error: "Missing runId" }));
+    res.end(JSON.stringify({ error: "Missing sessionKey or runId" }));
     return true;
   }
-  await abortRun(runId);
-  sseEmitter.untrackRun(runId);
+  const result = sessionKey ? await abortRunForSessionKey(sessionKey) : { aborted: false, drained: false };
+  if (runId) sseEmitter.untrackRun(runId);
   res.statusCode = 200;
   res.setHeader("Content-Type", "application/json");
-  res.end(JSON.stringify({ ok: true, runId, cancelled: true }));
+  res.end(JSON.stringify({ ok: true, sessionKey, runId, cancelled: true, ...result }));
   return true;
 }