@venturewild/workspace 0.3.6 → 0.3.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.3.6",
+  "version": "0.3.8",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/agent.mjs

@@ -246,6 +246,21 @@ export class AgentSession extends EventEmitter {
         this._handleStreamEvent(evt.event);
         return;
       case 'assistant':
+        // The assistant event carries the authoritative per-turn `usage` + `model`
+        // (verified: input/cache_creation/cache_read/output + model on message). We
+        // surface a lightweight `context` chunk for the working-memory gauge (§8) —
+        // additive, independent of text rendering. Arrives even with stream events on.
+        if (evt.message?.usage && evt.message?.model) {
+          this.emit('chunk', {
+            type: 'context',
+            usage: {
+              input_tokens: evt.message.usage.input_tokens || 0,
+              cache_creation_input_tokens: evt.message.usage.cache_creation_input_tokens || 0,
+              cache_read_input_tokens: evt.message.usage.cache_read_input_tokens || 0,
+            },
+            model: evt.message.model,
+          });
+        }
         // Redundant with stream_event when --include-partial-messages is on
         // (it always is). Only the fallback path when partials are disabled.
         if (!this._sawStreamEvent) this._handleAssistantFallback(evt.message);

package/server/src/canvas/core.mjs

@@ -207,16 +207,33 @@ export function normalizeTheme(raw = {}) {
 
 // --- store ----------------------------------------------------------------
 
-export function createCanvas({ baseDir } = {}) {
+// A personKey scopes the user's canvas STATE files (layout/templates/user-theme)
+// to one identity. It becomes a path segment, so harden it against traversal —
+// accountId is a uuid and the role sentinels are safe, but defend in depth.
+function sanitizePersonKey(key) {
+  const s = String(key || '')
+    .replace(/[^a-zA-Z0-9._-]/g, '_')
+    .slice(0, 80);
+  return s && s !== '.' && s !== '..' ? s : 'local';
+}
+
+export function createCanvas({ baseDir, personKey } = {}) {
   const dir = baseDir || defaultCanvasDir();
+  // Agent-made content is workspace-SHARED (the agent builds blocks / sets the
+  // theme for the workspace, not for one person), so it stays at the canvas root.
   const blocksFile = path.join(dir, 'blocks.json');
   const themeFile = path.join(dir, 'theme.json');
-  // Server-side persistence for canvas state (layout, templates, user-theme).
-  // Fixes the localStorage-per-origin divergence bug (req-1 gave the user two
-  // origins → two divergent canvas states for the same workspace).
-  const layoutFile = path.join(dir, 'layout.json');
-  const templatesFile = path.join(dir, 'templates.json');
-  const userThemeFile = path.join(dir, 'user-theme.json');
+  // The user's canvas STATE (layout, saved templates, user-theme) is PER-IDENTITY
+  // when a personKey is given: it lives under <dir>/people/<personKey>/ so two
+  // people sharing one host don't collide, and (via the rails) one person's layout
+  // follows them across hosts. Without a personKey it stays flat at <dir>/ — the
+  // legacy / no-account-install path, which also preserves the existing on-disk
+  // layout for migration. (Originally added to fix the localStorage-per-origin
+  // divergence bug — req-1 gave the user two origins → two divergent states.)
+  const stateDir = personKey ? path.join(dir, 'people', sanitizePersonKey(personKey)) : dir;
+  const layoutFile = path.join(stateDir, 'layout.json');
+  const templatesFile = path.join(stateDir, 'templates.json');
+  const userThemeFile = path.join(stateDir, 'user-theme.json');
 
   function ensureDir() {
     try {
@@ -225,6 +242,14 @@ export function createCanvas({ baseDir } = {}) {
       /* read-only fs — degrades to no persistence */
     }
   }
+  // The per-identity state dir (same as `dir` when no personKey is set).
+  function ensureStateDir() {
+    try {
+      fs.mkdirSync(stateDir, { recursive: true });
+    } catch {
+      /* read-only fs — degrades to no persistence */
+    }
+  }
 
   function listBlocks() {
     const v = readJsonSafe(blocksFile, []);
@@ -316,7 +341,7 @@ export function createCanvas({ baseDir } = {}) {
     const blocks = Array.isArray(layout?.blocks) ? layout.blocks : [];
     const lg = Array.isArray(layout?.layouts?.lg) ? layout.layouts.lg : [];
     const data = { blocks, layouts: { lg }, ts: Date.now() };
-    ensureDir();
+    ensureStateDir();
     try { writeJsonAtomic(layoutFile, data); } catch { /* best-effort */ }
     return data;
   }
@@ -330,7 +355,7 @@ export function createCanvas({ baseDir } = {}) {
 
   function saveTemplates(templates) {
     const data = Array.isArray(templates) ? templates : [];
-    ensureDir();
+    ensureStateDir();
     try { writeJsonAtomic(templatesFile, data); } catch { /* best-effort */ }
     return data;
   }
@@ -361,7 +386,7 @@ export function createCanvas({ baseDir } = {}) {
         if (hex) theme.tokens[key] = hex;
       }
     }
-    ensureDir();
+    ensureStateDir();
     try { writeJsonAtomic(userThemeFile, theme); } catch { /* best-effort */ }
     return theme;
   }
@@ -393,7 +418,7 @@ export function createCanvas({ baseDir } = {}) {
   }
 
   return {
-    dir, blocksFile, themeFile, layoutFile, templatesFile, userThemeFile,
+    dir, stateDir, blocksFile, themeFile, layoutFile, templatesFile, userThemeFile,
     listBlocks, getBlock, addBlock, updateBlock, removeBlock,
     getTheme, setTheme,
     getLayout, saveLayout, getTemplates, saveTemplates,

package/server/src/canvas-rails.mjs

@@ -0,0 +1,108 @@
+// CanvasRails — per-identity canvas state on the rails (multi-host step 1).
+//
+// WHY: canvas layout/templates/user-theme used to be per-INSTALL (one folder on
+// one machine). Multi-host (docs/multi-host-workspaces-design.md §8.1) makes them
+// per-(workspace, person) on VW's rails, so a person's arrangement follows them
+// across hosts/devices/reinstalls. The rails (bmo-sync) are the source of truth;
+// the local ~/.wild-workspace/canvas/people/<personKey>/ files become a
+// read-through + offline cache — the same "server is truth, cache below it"
+// pattern lifted one level up.
+//
+// This is a thin client over bmo-sync's POST /api/canvas-state/{pull,push}
+// (account-token self-authed, exactly like /api/telemetry). person_id and the
+// workspace_slug are DERIVED server-side from the account token today — a caller
+// can only touch its own account's row (no IDOR). Modeled on session-reporter.mjs.
+//
+// degrade-never-throw: every method fails soft (pull → {ok:false}, push → false)
+// so the canvas keeps working from the local cache when the rails are down or the
+// install has no account. `pull` distinguishes "rails answered, empty" (ok:true,
+// state:null → migration may fire) from "rails unreachable" (ok:false → serve the
+// local cache, do NOT migrate).
+
+const DEFAULT_TIMEOUT_MS = 3000;
+
+export class CanvasRails {
+  constructor({
+    bmoSyncUrl,
+    accountToken,
+    slug = null,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    fetchImpl = (...a) => globalThis.fetch(...a),
+  } = {}) {
+    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
+    this.accountToken = accountToken || null;
+    this.slug = slug;
+    this.timeoutMs = timeoutMs;
+    this.fetchImpl = fetchImpl;
+    // Inert without a token (can't key it) or without a server URL. Unlike
+    // telemetry we do NOT exclude localhost — the e2e test points a local
+    // wild-workspace at a local bmo-sync, and dev installs have no account
+    // token anyway, so they stay inert without an extra guard.
+    this.capable = Boolean(this.accountToken) && Boolean(this.bmoSyncUrl);
+  }
+
+  async _post(path, body) {
+    if (!this.capable) return null;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), this.timeoutMs);
+    if (timer.unref) timer.unref();
+    try {
+      const r = await this.fetchImpl(`${this.bmoSyncUrl}${path}`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ account_token: this.accountToken, ...body }),
+        signal: ctrl.signal,
+      });
+      if (!r || !r.ok) return null;
+      return await r.json().catch(() => null);
+    } catch {
+      return null; // network / abort / parse — caller degrades to the local cache
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+
+  /**
+   * Pull this person's canvas state from the rails.
+   * @returns {Promise<{ok: boolean, state: object|null}>}
+   *   ok:true  → the rails answered. state is the {layout,templates,userTheme}
+   *              object, or null when the rails have nothing yet (→ migration may fire).
+   *   ok:false → the rails were unreachable / not configured (→ serve the local cache).
+   */
+  async pull(workspaceSlug = this.slug) {
+    const resp = await this._post('/api/canvas-state/pull', { workspace_slug: workspaceSlug });
+    if (!resp || resp.ok !== true) return { ok: false, state: null };
+    // resp.json is the stored blob as a STRING (or null/absent when empty).
+    if (resp.json == null || resp.json === '') return { ok: true, state: null };
+    try {
+      const state = JSON.parse(resp.json);
+      return { ok: true, state: state && typeof state === 'object' ? state : null };
+    } catch {
+      return { ok: true, state: null }; // corrupt row → treat as empty
+    }
+  }
+
+  /**
+   * Push this person's FULL canvas snapshot to the rails (last-write-wins; Node
+   * owns the merge, so the rails always receive the complete {layout,templates,
+   * userTheme}). Best-effort.
+   * @returns {Promise<boolean>} true iff the rails accepted the write.
+   */
+  async push(snapshot, workspaceSlug = this.slug) {
+    const resp = await this._post('/api/canvas-state/push', {
+      workspace_slug: workspaceSlug,
+      json: JSON.stringify(snapshot ?? {}),
+    });
+    return Boolean(resp && resp.ok === true);
+  }
+}
+
+/** Build the rails client from server config + account (or null when not logged in). */
+export function createCanvasRails(config, account, fetchImpl) {
+  return new CanvasRails({
+    bmoSyncUrl: config?.bmoSyncServerUrl,
+    accountToken: account?.accountToken,
+    slug: account?.slug || config?.account?.slug || null,
+    fetchImpl,
+  });
+}

package/server/src/index.mjs

@@ -55,6 +55,10 @@ import { SyncControl } from './sync.mjs';
 import { detectPreviewPorts, checkPort } from './preview.mjs';
 import { createBazaar } from './bazaar/core.mjs';
 import { createCanvas } from './canvas/core.mjs';
+import { createCanvasRails } from './canvas-rails.mjs';
+import { createUsageService } from './usage.mjs';
+import { createPowers } from './skills.mjs';
+import { createSettings, resolveAutonomyMode } from './settings.mjs';
 import { matchCandidates } from './bazaar/mock-tickup.mjs';
 import { servePreviewFile, confineBuildDir } from './bazaar/preview-server.mjs';
 import { TURN_SYSTEM_PROMPT, writeTurnMcpConfig } from './turn-mcp.mjs';
@@ -313,6 +317,74 @@ export async function createServer(overrides = {}) {
   // ~/.wild-workspace/canvas (OUTSIDE the repo). The agent builds blocks via the
   // canvas MCP server we hand it per turn; the UI reads them from /api/canvas/blocks.
   const canvas = createCanvas(overrides.canvasDir ? { baseDir: overrides.canvasDir } : {});
+  // Multi-host step 1 (docs/multi-host-workspaces-design.md §8.1): the user's canvas
+  // STATE (layout/templates/user-theme) is per-IDENTITY, with VW's rails (bmo-sync)
+  // as the source of truth and the local per-person dir as a read-through/offline
+  // cache. `canvas` above still owns the workspace-SHARED agent content (blocks +
+  // agent theme). Person-scoped state stores are built lazily + cached per personKey.
+  const canvasRails = overrides.canvasRails || createCanvasRails(config, config.account);
+  const canvasStores = new Map();
+  function canvasFor(personKey) {
+    let store = canvasStores.get(personKey);
+    if (!store) {
+      store = createCanvas({ baseDir: canvas.dir, personKey });
+      canvasStores.set(personKey, store);
+    }
+    return store;
+  }
+  // Today every authed identity is the host owner (Google sign-in requires the
+  // owner's email; there's no membership yet), so personKey collapses to the
+  // account (or 'local' when not logged in). The `session.person` hook is where
+  // step 2 (membership) will route non-owner teammates to their own state.
+  function personKeyFor(session) {
+    if (session?.person) return String(session.person);
+    return config.account?.accountId || 'local';
+  }
+  // Is a getState() result effectively blank? Used to gate the one-time migration
+  // of the legacy per-install (flat) canvas into the owner's person store.
+  function isEmptyCanvasState(s) {
+    const hasLayout = Boolean(s?.layout?.blocks?.length || s?.layout?.layouts?.lg?.length);
+    const hasTemplates = Array.isArray(s?.templates) && s.templates.length > 0;
+    const hasTheme = Boolean(s?.userTheme && typeof s.userTheme === 'object');
+    return !hasLayout && !hasTemplates && !hasTheme;
+  }
+  // One-time forward-migration: the pre-multi-host flat files (canvas/{layout,…}.json)
+  // belong to today's single user = the owner. Seed them into the person store iff it
+  // is still empty (never clobber a real arrangement). Returns true if it seeded.
+  function seedPersonFromLegacy(store) {
+    if (!isEmptyCanvasState(store.getState())) return false;
+    const legacy = canvas.getState();
+    if (isEmptyCanvasState(legacy)) return false;
+    store.saveState(legacy);
+    return true;
+  }
+  // The usage service — plan utilization (from Anthropic's OAuth usage endpoint) +
+  // the local context gauge (§8). onUpdate pushes a `usage` WS frame, the SAME push
+  // path the bazaar meter uses (no client polling). The poll timer only starts off
+  // the test path (mirrors daemonAutostart) so the suite never hits real Anthropic.
+  const usage = createUsageService({
+    env: overrides.usageEnv || process.env,
+    home: overrides.usageHome, // tests point credential resolution at a temp dir
+    baseDir: overrides.usageDir,
+    fetchImpl: overrides.usageFetch, // tests inject a mock; undefined → global fetch
+    pollMs: overrides.usagePollMs,
+    onUpdate: (state) => broadcastChat({ type: 'usage', state }),
+  });
+  const usageAutostart =
+    overrides.usageAutostart ??
+    (process.env.VITEST !== 'true' && config.nodeEnv !== 'test');
+  if (usageAutostart) usage.start();
+  // The Powers block (§7) — user-curated skills discovered by scanning the workspace's
+  // and the user's .claude/skills (+ .claude/commands). The "from Bazaar" zone stays
+  // locked (Class-D gate not built). Curation persists under ~/.wild-workspace/powers.
+  const powers = createPowers({
+    baseDir: overrides.powersDir,
+    workspaceDir: config.workspaceDir,
+    home: overrides.powersHome || config.home,
+  });
+  // Settings store (§8 Surface B) — the autonomy dial + the /rename conversation
+  // title. The autonomy resolver's guardrail is applied per user turn (runChatTurn).
+  const settings = createSettings({ baseDir: overrides.settingsDir, home: config.home });
   const turnMcpConfig = writeTurnMcpConfig({
     baseDir: bazaar.dir,
     globalDir: path.dirname(bazaar.dir),
@@ -366,6 +438,11 @@ export async function createServer(overrides = {}) {
       currentTurn.session.close(); //     a user send supersedes what's running
       currentTurn = null;
     }
+    // Apply the autonomy dial (§8). Auto-wake is exempt — it's the system consent
+    // boundary and stays in the plan mode it was given. For a USER turn we resolve
+    // the stored level + the per-message toggle through resolveAutonomyMode, whose
+    // guardrail guarantees an unbuilt/unknown level can NEVER become bypassPermissions.
+    if (!auto) mode = resolveAutonomyMode(settings.getAutonomyLevel(), mode);
     const id = messageId || nanoid(8);
     broadcastChat({ type: 'turn-begin', messageId: id, userText, note });
     activityBus.publish({
@@ -382,6 +459,13 @@ export async function createServer(overrides = {}) {
       currentTurn = { session, messageId: id };
       let sawError = false;
       session.on('chunk', (chunk) => {
+        // The per-turn context signal (working-memory gauge, §8) feeds the usage
+        // service, which pushes a `usage` WS frame. It's server-internal metadata —
+        // keep it OFF the chat stream so it never renders as an empty bubble.
+        if (chunk.type === 'context' && chunk.usage) {
+          usage.setContext(chunk.usage, chunk.model);
+          return;
+        }
         if (chunk.type === 'error') sawError = true;
         broadcastChat({ type: 'chunk', messageId: id, chunk });
         activityBus.publish({ type: 'chat-stream', messageId: id, chunk });
@@ -755,6 +839,10 @@ export async function createServer(overrides = {}) {
       workspace: workspaceSummary(config.workspaceDir),
       workspaceId: config.workspaceId,
       session,
+      // The identity that scopes this person's canvas state (multi-host step 1).
+      // The client folds it into its localStorage cache key so two people on one
+      // browser don't share a cache.
+      personKey: personKeyFor(session),
       agent: activeAgent
         ? { id: activeAgent.id, label: activeAgent.label, available: activeAgent.available }
         : null,
@@ -1764,6 +1852,74 @@ export async function createServer(overrides = {}) {
     if (forbidden) return forbidden;
     return c.json(bazaar.computeState());
   });
+
+  // --- usage / context (§8) -------------------------------------------------
+  // Plan utilization (Session/Weekly %) from Anthropic's OAuth usage endpoint +
+  // the local working-memory gauge. Read-gated like the bazaar state. The snapshot
+  // carries `disclosed` so the UI knows whether to show the one-time disclosure
+  // before the block activates. Live updates ride the `usage` WS frame (no polling).
+  app.get('/api/usage/state', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(usage.snapshot());
+  });
+  // One-time disclosure ack — stored server-side under ~/.wild-workspace (per user,
+  // not per browser; CLAUDE.md #1). chatWrite-gated: a read-only viewer can't ack on
+  // the owner's behalf. After ack, the client refreshes /api/usage/state.
+  app.post('/api/usage/ack', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    usage.acknowledge();
+    return c.json({ ok: true, disclosed: true });
+  });
+  // Force a refresh (e.g. right after the user acks, so they don't wait for the
+  // timer). Degrade-safe — never throws. chatWrite-gated.
+  app.post('/api/usage/refresh', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const state = await usage.refresh();
+    return c.json(state);
+  });
+
+  // --- powers (§7) — user-curated skill toolbelt ----------------------------
+  // Read-gated like the canvas/bazaar state. Returns discovered skills (project >
+  // user precedence) merged with the user's curation, plus the locked Bazaar zone.
+  app.get('/api/powers/state', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(powers.state());
+  });
+  // Save the user's arrangement (pinned order + hidden set). chatWrite-gated — a
+  // read-only viewer can browse the toolbelt but not re-curate the owner's.
+  app.post('/api/powers/curation', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const saved = powers.saveCuration(body);
+    return c.json({ ok: true, curation: { order: saved.order, hidden: saved.hidden } });
+  });
+
+  // --- settings (§8 Surface B) — the /config menu's writable state ----------
+  // Read-gated. Returns the autonomy level (+ which tiers are selectable / coming
+  // soon) and the /rename conversation title. The other /config knobs (theme,
+  // account, model, consent) keep their own surfaces; /config just aggregates them.
+  app.get('/api/settings', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(settings.getAll());
+  });
+  // Update the autonomy level and/or the conversation title. chatWrite-gated — a
+  // read-only viewer can't change the owner's agent autonomy. The store REFUSES any
+  // non-selectable autonomy level (e.g. the unbuilt 'work' middle tier), so the
+  // guardrail can't be bypassed via the API either.
+  app.post('/api/settings', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    if ('autonomyLevel' in body) settings.setAutonomyLevel(body.autonomyLevel);
+    if ('conversationTitle' in body) settings.setConversationTitle(body.conversationTitle);
+    return c.json({ ok: true, ...settings.getAll() });
+  });
   // Apply a theme from the shelf: records the three-way moment (producer earns) and
   // returns the validated bundle for the browser to apply. chatWrite-gated — a
   // read-only viewer can browse the shelf but not record a use against it.
@@ -1801,20 +1957,50 @@ export async function createServer(overrides = {}) {
     return c.json({ theme: canvas.getTheme() });
   });
 
-  // Canvas state — the source of truth for layout, templates, and user-theme.
-  // Fixes the localStorage-per-origin divergence (req-1 gave two origins for the
-  // same workspace → divergent canvas). Server stores the canonical state; client
-  // uses localStorage as a read-through cache.
-  app.get('/api/canvas/state', (c) => {
+  // Canvas state — layout, saved templates, and user-theme, PER IDENTITY.
+  // Source-of-truth order: VW's rails (bmo-sync, keyed by (workspace, person)) →
+  // the local per-person dir (read-through + offline cache). Lifts the original
+  // "server is truth, localStorage is the cache" one level up so a person's
+  // arrangement follows them across hosts/devices (multi-host step 1). The rails
+  // degrade-never-throw: when they're unreachable or the install has no account,
+  // the local cache answers exactly as before.
+  app.get('/api/canvas/state', async (c) => {
     const forbidden = require(c, 'chat');
     if (forbidden) return forbidden;
-    return c.json(canvas.getState());
+    const store = canvasFor(personKeyFor(c.get('session')));
+    if (config.account && canvasRails.capable) {
+      const pulled = await canvasRails.pull(config.account.slug);
+      if (pulled.ok) {
+        if (pulled.state) {
+          // Rails are the truth → refresh the local cache (re-validated by
+          // saveState) and serve it.
+          store.saveState(pulled.state);
+          return c.json(store.getState());
+        }
+        // Rails answered EMPTY (first time for this person) → migrate any legacy
+        // per-install layout up, then serve.
+        if (seedPersonFromLegacy(store)) {
+          canvasRails.push(store.getState(), config.account.slug).catch(() => {});
+        }
+        return c.json(store.getState());
+      }
+      // Rails unreachable → fall through to the local cache (offline tier).
+    }
+    seedPersonFromLegacy(store); // no-account / offline: still inherit legacy once
+    return c.json(store.getState());
   });
   app.post('/api/canvas/state', async (c) => {
     const forbidden = require(c, 'chatWrite');
     if (forbidden) return forbidden;
+    const store = canvasFor(personKeyFor(c.get('session')));
     const body = await c.req.json().catch(() => ({}));
-    return c.json({ ok: true, ...canvas.saveState(body) });
+    const result = store.saveState(body); // apply the subset to the local cache
+    // Push the FULL current snapshot to the rails (Node owns the merge → a clean
+    // last-write-wins row). Best-effort; the local write already succeeded.
+    if (config.account && canvasRails.capable) {
+      canvasRails.push(store.getState(), config.account.slug).catch(() => {});
+    }
+    return c.json({ ok: true, ...result });
   });
 
   // The built site, served SAME-ORIGIN through this (already authed) server — no

package/server/src/settings.mjs

@@ -0,0 +1,145 @@
+// Settings store + the autonomy-dial resolver (§8 "Surface B"). Two things live here:
+//   1. resolveAutonomyMode() — the SAFETY-CRITICAL mapping from the user-facing
+//      autonomy level to the agent's permission mode. This is the guardrail.
+//   2. createSettings() — a file-backed store under ~/.wild-workspace/settings/ for
+//      the autonomy level + the conversation title (/rename override of the derived
+//      presence label). CLAUDE.md #1: never the synced repo, never localStorage.
+//
+// THE AUTONOMY DIAL — and why the middle tier is "coming soon", not built (read this):
+//
+//   The §8 build-risk is explicit: "Work, then show me" is NOT one native flag. It is
+//   acceptEdits PLUS our own confirm-gate on dangerous non-edit ops (deploy/delete/
+//   send/spend). A TRUE inline confirm-gate needs to intercept a tool call mid-turn,
+//   round-trip a confirmation to the browser, and resume — which our architecture
+//   can't do cleanly tonight: we wrap `claude -p` per turn (AR-17: no Agent SDK, so no
+//   `canUseTool` callback), and headless `-p` has no interactive permission prompt, so
+//   `default`/`acceptEdits` modes can't "ask" — they just deny. Building that
+//   round-trip is a real piece of infra, not a flag.
+//
+//   So per the pre-approved fallback we ship only the TWO UNAMBIGUOUS tiers and leave
+//   the middle DISABLED ("coming soon"):
+//     • 'check' (Check with me) → 'plan'  — read-only; the agent proposes, you approve.
+//     • 'full'  (Full autonomy) → honors the Build/Plan toggle (Build → bypass).
+//   The middle ('work') and ANY unknown value SAFELY fall back to 'plan' — NEVER
+//   bypassPermissions. That is the guardrail the build-risk warns about: an unbuilt or
+//   unrecognized autonomy level must never silently behave like Full autonomy.
+//
+//   DEFAULT = UNSET. An install with no chosen level keeps today's behavior exactly
+//   (the per-message Build/Plan toggle drives the mode — Build is already bypass). The
+//   dial is purely ADDITIVE: it lets a nervous user LOCK to read-only, which they
+//   couldn't before. We did NOT change the product's existing default, and we did NOT
+//   map the middle tier to Full. (Whether the default SHOULD become a guarded
+//   auto-build once the confirm-gate ships is a product call flagged for Tuan.)
+
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+
+// The three user-facing tiers. 'work' is DEFINED (so the UI can render it) but NOT
+// BUILD-BACKED — see resolveAutonomyMode (it falls back to the safe 'plan').
+export const AUTONOMY_LEVELS = ['check', 'work', 'full'];
+// Which tiers a user may actually SELECT today. 'work' is excluded — "coming soon".
+export const SELECTABLE_AUTONOMY = ['check', 'full'];
+
+/**
+ * Map an autonomy level + the per-message Build/Plan toggle to the agent permission
+ * mode buildClaudeArgs understands ('plan' | 'build'). THE GUARDRAIL lives here:
+ *   - unknown / 'work' (middle, not built)  → 'plan'  (read-only — NEVER bypass)
+ *   - 'check'                                → 'plan'  (hard read-only lock)
+ *   - 'full'                                 → honors the toggle (Build → bypass)
+ *   - null/undefined (unset)                 → honors the toggle (today's behavior)
+ * The invariant tested in settings.test.mjs: NOTHING except 'full'/unset+Build ever
+ * yields 'build' (which is the only path to bypassPermissions).
+ */
+export function resolveAutonomyMode(level, requestedMode) {
+  const toggle = requestedMode === 'plan' ? 'plan' : 'build';
+  switch (level) {
+    case 'full':
+      return toggle; //                 Full autonomy → honor the toggle (Build = bypass)
+    case 'check':
+      return 'plan'; //                 Check with me → always read-only propose
+    case null:
+    case undefined:
+    case '':
+      return toggle; //                 unset → unchanged product behavior
+    default:
+      // 'work' (middle, not built) AND any unrecognized value → SAFE read-only.
+      // This is the anti-regression: an unbuilt guardrail never becomes Full.
+      return 'plan';
+  }
+}
+
+function defaultSettingsDir(env = process.env, home = os.homedir()) {
+  const base = env.WILD_WORKSPACE_GLOBAL_DIR || path.join(home, '.wild-workspace');
+  return path.join(base, 'settings');
+}
+
+function readJsonSafe(file, fallback) {
+  try { return JSON.parse(fs.readFileSync(file, 'utf8')); } catch { return fallback; }
+}
+
+const TITLE_CAP = 120;
+
+export function createSettings({ baseDir, env = process.env, home = os.homedir() } = {}) {
+  const dir = baseDir || defaultSettingsDir(env, home);
+  const file = path.join(dir, 'settings.json');
+
+  function read() {
+    const v = readJsonSafe(file, null);
+    return v && typeof v === 'object' ? v : {};
+  }
+
+  function write(patch) {
+    const next = { ...read(), ...patch, ts: Date.now() };
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+      const tmp = `${file}.${process.pid}.tmp`;
+      fs.writeFileSync(tmp, JSON.stringify(next, null, 2));
+      fs.renameSync(tmp, file);
+    } catch { /* read-only fs — degrade to not-persisted */ }
+    return next;
+  }
+
+  // autonomyLevel: 'check' | 'full' | null. We REFUSE to persist 'work' (not
+  // selectable) or any unknown value — storing it would be a latent foot-gun. null
+  // clears back to the unset/default behavior.
+  function getAutonomyLevel() {
+    const lvl = read().autonomyLevel;
+    return SELECTABLE_AUTONOMY.includes(lvl) ? lvl : null;
+  }
+  function setAutonomyLevel(level) {
+    const clean = SELECTABLE_AUTONOMY.includes(level) ? level : null;
+    write({ autonomyLevel: clean });
+    return clean;
+  }
+
+  function getConversationTitle() {
+    const t = read().conversationTitle;
+    return typeof t === 'string' && t.trim() ? t.trim() : null;
+  }
+  function setConversationTitle(title) {
+    const clean = typeof title === 'string' ? title.trim().slice(0, TITLE_CAP) : '';
+    write({ conversationTitle: clean || null });
+    return clean || null;
+  }
+
+  function getAll() {
+    return {
+      autonomyLevel: getAutonomyLevel(),
+      conversationTitle: getConversationTitle(),
+      // Surface what's selectable + which is build-backed, so the UI doesn't hardcode it.
+      autonomy: {
+        levels: AUTONOMY_LEVELS,
+        selectable: SELECTABLE_AUTONOMY,
+        comingSoon: AUTONOMY_LEVELS.filter((l) => !SELECTABLE_AUTONOMY.includes(l)),
+      },
+    };
+  }
+
+  return {
+    dir, file,
+    getAutonomyLevel, setAutonomyLevel,
+    getConversationTitle, setConversationTitle,
+    getAll,
+  };
+}