agim-cli 1.2.2 → 1.2.17

package/dist/web/server.js

@@ -1,6 +1,6 @@
 // Web chat server — HTTP + WebSocket for browser-based agent interaction
 import { createServer } from 'node:http';
-import { readFileSync, existsSync } from 'node:fs';
+import { readFileSync, existsSync, readdirSync } from 'node:fs';
 import { readdir, stat, readFile, writeFile, rename, unlink, realpath, open } from 'node:fs/promises';
 import { join, dirname, resolve as resolvePath, sep as pathSep, relative as relativePath } from 'node:path';
 import { fileURLToPath } from 'node:url';
@@ -12,6 +12,7 @@ import { registry } from '../core/registry.js';
 import { sink, resolveMessenger } from '../core/message-sink.js';
 import { generateTraceId, createLogger, logger as rootLogger } from '../core/logger.js';
 import { validateConfig } from '../core/config-schema.js';
+import { isMasked, maskSecret } from './env-mask.js';
 import { consumeToken, peekToken } from '../core/location-token.js';
 import { createMemo, updateMemo, getMemo, mapUrls } from '../core/memos.js';
 import { normalizeIncomingCoords } from '../core/coord-systems.js';
@@ -30,11 +31,6 @@ import { isAgentAvailableCached, loadConfig, saveConfig, } from '../core/onboard
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PUBLIC_DIR = join(__dirname, 'public');
 const DEFAULT_PORT = 3000;
-function isMasked(value) {
-    if (!value)
-        return false;
-    return /^.{0,2}\*{2,}.{0,2}$/.test(value);
-}
 /** v1.1.10 — paths that never require a web token. */
 const PUBLIC_EXACT_PATHS = new Set([
     '/login', '/login.html',
@@ -48,7 +44,7 @@ const PUBLIC_EXACT_PATHS = new Set([
     '/api/loc',
     '/favicon.ico', '/favicon.svg',
 ]);
-const PUBLIC_PREFIX_PATHS = ['/l/', '/v/', '/api/loc/'];
+const PUBLIC_PREFIX_PATHS = ['/l/', '/v/', '/api/loc/', '/vendor/'];
 const PUBLIC_API_VIEWER_RE = /^\/api\/viewer\/[0-9a-f-]{8,}$/i;
 function isPublicPath(pathname, method) {
     if (PUBLIC_EXACT_PATHS.has(pathname))
@@ -63,8 +59,12 @@ function isPublicPath(pathname, method) {
     return false;
 }
 function isLoopbackPeer(req) {
+    // Treat an empty / missing remoteAddress as untrusted: under exotic
+    // transports or post-close sockets the field can read empty, which
+    // pre-R9 would silently pass auth. Tighten to exact loopback IPs
+    // (with the IPv4-mapped IPv6 form Node uses on dual-stack servers).
     const ip = (req.socket.remoteAddress || '').replace(/^::ffff:/, '');
-    return ip === '127.0.0.1' || ip === '::1' || ip === '';
+    return ip === '127.0.0.1' || ip === '::1';
 }
 function extractToken(req, url) {
     // 1. Authorization: Bearer <token>
@@ -158,6 +158,13 @@ export async function startWebServer(options) {
     const port = options.port || DEFAULT_PORT;
     const bindHost = process.env.IMHUB_WEB_BIND || '127.0.0.1';
     const clients = new Map();
+    // R9: threadId → tokenId ownership. A WS peer claims a threadId on
+    // first connection (verifyClient already verified the token); later
+    // `get-history { threadId }` rekey requests must come from a peer
+    // holding the same tokenId, otherwise an authenticated operator could
+    // adopt and wipe another operator's session. Survives reconnects
+    // within the process lifetime so a page refresh still works.
+    const threadOwners = new Map();
     // v1.1.10+: token-based auth for the web console.
     // ─ loopback peers (127.0.0.1 / ::1) bypass auth (local CLI / curl)
     // ─ public viewer pages (/v/:id, /loc, /l/<token>) remain public
@@ -193,7 +200,49 @@ export async function startWebServer(options) {
         // Loopback peers + the public paths below bypass.
         if (!checkAuth(req, res, url))
             return;
-        // Static pages — direct serve, no auth gate.
+        // v2 SPA fallback — opt-in via IMHUB_WEB_V2=1. When enabled, any
+        // GET that doesn't match an API / WS / SSE / static-asset path
+        // and isn't a public SSR page falls through to serving the v2
+        // index.html. The client-side router (react-router) then resolves
+        // the path. Anything served from src/web-app/dist/* is built in
+        // the M5 PR; until then, set IMHUB_WEB_V2=1 only if you've run
+        // `npm --prefix src/web-app run build` and copied dist/* into
+        // src/web/public/`.
+        //
+        // Default IMHUB_WEB_V2=0 → existing behavior unchanged: tasks.html
+        // / reminders.html / memos.html / settings.html / index.html are
+        // served as before. Zero impact on production deployments.
+        if (process.env.IMHUB_WEB_V2 === '1' && req.method === 'GET') {
+            const p = url.pathname;
+            const isApi = p.startsWith('/api/');
+            const isWs = p.startsWith('/ws');
+            const isSse = p === '/events';
+            const isVendor = p.startsWith('/vendor/');
+            const isLegacyShared = p === '/_app.js' || p === '/_shell.css';
+            const isPublicSsr = p === '/loc' || p === '/loc.html' || p.startsWith('/l/') || p.startsWith('/v/');
+            if (!isApi && !isWs && !isSse && !isVendor && !isLegacyShared && !isPublicSsr) {
+                // SPA static asset (assets/index-xxx.js, /manifest.webmanifest,
+                // /favicon.svg) → return the file if it exists in PUBLIC_DIR.
+                // Otherwise fall back to /index.html so the router handles it.
+                const trimmed = p.replace(/^\//, '');
+                const candidate = join(PUBLIC_DIR, trimmed);
+                if (trimmed && existsSync(candidate) && !candidate.endsWith('.html')) {
+                    // Best-effort content-type guess; serveStatic handles binary
+                    // + sets cache headers.
+                    const ct = candidate.endsWith('.js') ? 'application/javascript; charset=utf-8' :
+                        candidate.endsWith('.css') ? 'text/css; charset=utf-8' :
+                            candidate.endsWith('.svg') ? 'image/svg+xml' :
+                                candidate.endsWith('.webmanifest') ? 'application/manifest+json' :
+                                    candidate.endsWith('.json') ? 'application/json; charset=utf-8' :
+                                        'application/octet-stream';
+                    return serveStatic(res, candidate, ct);
+                }
+                return servePageHtml(res, join(PUBLIC_DIR, 'index.html'));
+            }
+            // Falls through to API / WS / SSR-page handlers below.
+        }
+        // Static pages — direct serve, no auth gate. This is the v1
+        // routing path; v2 takes precedence when IMHUB_WEB_V2=1 (above).
         if (url.pathname === '/' || url.pathname === '/index.html' ||
             url.pathname === '/settings' || url.pathname === '/settings.html' ||
             url.pathname === '/tasks' || url.pathname === '/tasks.html' ||
@@ -232,6 +281,22 @@ export async function startWebServer(options) {
         if (url.pathname === '/_app.js' && req.method === 'GET') {
             return serveStatic(res, join(PUBLIC_DIR, '_app.js'), 'application/javascript; charset=utf-8');
         }
+        // v1.2.3 — vendored third-party assets (Chart.js etc). Whitelist by
+        // filename pattern to keep the static surface tight. Public on
+        // purpose — no auth gate (third-party libs aren't secrets).
+        if (req.method === 'GET' && url.pathname.startsWith('/vendor/')) {
+            const fname = url.pathname.slice('/vendor/'.length);
+            // Only allow plain filenames (no traversal, no nested dirs).
+            if (!/^[A-Za-z0-9._-]+\.(js|css|map)$/.test(fname)) {
+                res.statusCode = 404;
+                res.end('vendor file not whitelisted');
+                return;
+            }
+            const ct = fname.endsWith('.css') ? 'text/css; charset=utf-8'
+                : fname.endsWith('.map') ? 'application/json; charset=utf-8'
+                    : 'application/javascript; charset=utf-8';
+            return serveStatic(res, join(PUBLIC_DIR, 'vendor', fname), ct);
+        }
         // ─── Location capture endpoints (public; auth via single-use token) ───
         // Public on purpose — the user reaches these via a token-bearing link
         // sent into their IM thread. Token (32 hex chars, 10-min TTL, single
@@ -487,6 +552,9 @@ export async function startWebServer(options) {
         if (url.pathname === '/api/env' && req.method === 'PUT') {
             return handlePutEnv(req, res);
         }
+        if (url.pathname === '/api/messengers/email/test' && req.method === 'POST') {
+            return handleEmailTest(req, res);
+        }
         if (url.pathname === '/api/workspaces' && req.method === 'GET') {
             return handleListWorkspaces(req, res, url);
         }
@@ -623,6 +691,18 @@ export async function startWebServer(options) {
         if (url.pathname === '/api/memory/consolidate/status' && req.method === 'GET') {
             return handleMemoryConsolidateStatus(req, res);
         }
+        // v1.2.3 — Skills browser. Lists locally-installed claude/opencode
+        // skills with frontmatter; modal renders the full SKILL.md markdown.
+        if (url.pathname === '/api/skills' && req.method === 'GET') {
+            return handleSkillsList(req, res);
+        }
+        if (url.pathname === '/api/skills/remote/hot' && req.method === 'GET') {
+            return handleSkillsRemoteHot(req, res);
+        }
+        const skillDetailMatch = url.pathname.match(/^\/api\/skills\/([A-Za-z0-9._-]+)$/);
+        if (skillDetailMatch && req.method === 'GET') {
+            return handleSkillDetail(req, res, skillDetailMatch[1]);
+        }
         // PR-B: HITL approvals — global pending list + per-reqId resolve.
         if (url.pathname === '/api/approvals' && req.method === 'GET') {
             return handleListApprovals(req, res);
@@ -707,8 +787,52 @@ export async function startWebServer(options) {
         res.writeHead(404);
         res.end('Not found');
     });
-    // WebSocket server
-    const wss = new WebSocketServer({ server: httpServer });
+    // WebSocket server with auth + same-origin gate. Before R9 the WS
+    // upgrade event bypassed checkAuth entirely (the upgrade path isn't
+    // a normal HTTP request handler), leaving every chat / approval-card
+    // socket open to anyone reachable on the port. verifyClient runs the
+    // same token check as the REST path and locks Origin to the request's
+    // host so a third-party page can't open a cross-site WS.
+    const wss = new WebSocketServer({
+        server: httpServer,
+        verifyClient: (info, cb) => {
+            // Auth-off / loopback bypass — mirror checkAuth's two short-circuits
+            // so dev / local CLI sessions still work without a token.
+            if ((process.env.IMHUB_WEB_AUTH || '').toLowerCase() === 'off')
+                return cb(true);
+            if (isLoopbackPeer(info.req))
+                return cb(true);
+            // Origin check: cookie SameSite=Lax handles most of the CSWSH
+            // surface, but defence-in-depth — reject when Origin's host
+            // doesn't match the request Host header. Origin can be absent
+            // (non-browser clients); we allow that since they can't carry a
+            // browser cookie anyway and must supply Bearer.
+            const origin = info.origin || info.req.headers.origin;
+            if (typeof origin === 'string' && origin) {
+                try {
+                    if (new URL(origin).host !== info.req.headers.host) {
+                        return cb(false, 403, 'origin mismatch');
+                    }
+                }
+                catch {
+                    return cb(false, 400, 'invalid origin');
+                }
+            }
+            // Auth: token from Authorization / Cookie / ?token=.
+            try {
+                const url = new URL(info.req.url || '/ws', `http://${info.req.headers.host}`);
+                const tok = extractToken(info.req, url);
+                const tokenId = tok ? verifyTokenSync(tok) : null;
+                if (!tokenId)
+                    return cb(false, 401, 'auth required');
+                info.req._agimTokenId = tokenId;
+                cb(true);
+            }
+            catch {
+                cb(false, 500, 'auth error');
+            }
+        },
+    });
     // M3: cap concurrent WS clients so a leaked / shared web token can't OOM
     // the host by opening unbounded connections. Default 100 is generous for
     // a single-user / small-team setup; production multi-tenant should set
@@ -734,10 +858,24 @@ export async function startWebServer(options) {
             ws.close(1013, 'Server too busy');
             return;
         }
-        // No auth gate — access control is upstream (reverse proxy / firewall).
-        const clientId = `web-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        // R9: token verified at upgrade time by verifyClient; we read the
+        // tokenId here so get-history can enforce ownership when the client
+        // wants to rekey to a persisted threadId. 'anon' is the loopback /
+        // auth-off path — still safe because those paths trust the peer.
+        const tokenId = req._agimTokenId ?? 'anon';
+        // R9: crypto.randomBytes(12) → 96 bits of base64url entropy
+        // (~16 chars). The pre-R9 `Date.now() + Math.random().slice(2,8)`
+        // gave ~30 bits and a publicly enumerable timestamp prefix — enough
+        // for an authenticated peer to brute-force another live session's
+        // id. With H2 ownership-by-tokenId the impact is bounded to
+        // same-tokenId tabs (which is fine), but the stronger id closes the
+        // pre-rekey race window.
+        const clientId = `web-${randomBytes(12).toString('base64url')}`;
         const client = { ws, id: clientId, agent: options.defaultAgent };
         clients.set(clientId, client);
+        // First-claim ownership: this connection's tokenId owns this
+        // brand-new threadId until disconnect.
+        threadOwners.set(clientId, tokenId);
         webLog.info({ clientId }, 'Client connected');
         // Send available agents list
         sendToClient(ws, {
@@ -761,9 +899,16 @@ export async function startWebServer(options) {
                     if (msg && msg.type === 'approval-action') {
                         const actionData = String(msg.data || '');
                         const messageId = String(msg.messageId || '');
+                        // Use `client.id` (mutable; updated on session rekey) — not
+                        // the original `clientId` const — so the threadId we hand
+                        // to the bus matches the threadId the bus stamped on the
+                        // pending approval request. Without this, a session that
+                        // was rekeyed via `get-history` reports the stale id and
+                        // the bus can't find the open req to resolve.
+                        const liveId = client.id;
                         webLog.info({
                             event: 'approval.web.click_received',
-                            clientId, data: actionData, messageId,
+                            clientId: liveId, data: actionData, messageId,
                             handlerBound: !!webButtonHandler,
                         });
                         if (!actionData || !messageId) {
@@ -775,7 +920,7 @@ export async function startWebServer(options) {
                             // failure mode that PR-A's fix patches. Tell the user and the
                             // operator (via log) instead of dropping the click.
                             const why = 'approval handler not bound (router not installed?). Restart agim to rebind.';
-                            webLog.warn({ event: 'approval.web.no_handler', clientId, data: actionData, messageId }, why);
+                            webLog.warn({ event: 'approval.web.no_handler', clientId: liveId, data: actionData, messageId }, why);
                             sendToClient(ws, { type: 'error', message: why });
                             return;
                         }
@@ -785,33 +930,67 @@ export async function startWebServer(options) {
                             // ack is a no-op resolving to the in-page status the page itself
                             // chose to render after click.
                             await webButtonHandler({
-                                data: actionData, threadId: clientId, userId: `web:${clientId}`,
+                                data: actionData, threadId: liveId, userId: `web:${liveId}`,
                                 userDisplay: 'Web', messageId, ack: async () => { },
                             });
-                            webLog.info({ event: 'approval.web.click_resolved', clientId, data: actionData });
+                            webLog.info({ event: 'approval.web.click_resolved', clientId: liveId, data: actionData });
                         }
                         catch (err) {
                             const errMsg = err instanceof Error ? err.message : String(err);
-                            webLog.error({ event: 'approval.web.click_failed', clientId, data: actionData, err: errMsg });
+                            webLog.error({ event: 'approval.web.click_failed', clientId: liveId, data: actionData, err: errMsg });
                             sendToClient(ws, { type: 'error', message: `Approval click failed: ${errMsg}` });
                         }
                         return;
                     }
-                    await handleClientMessage(client, msg, options.defaultAgent);
+                    // Pass an onRekey callback so handleClientMessage can keep
+                    // the `clients` map in sync when a browser refresh resumes
+                    // with its persisted threadId. Otherwise the map stays keyed
+                    // by the WS-assigned id, and the web messenger's outbound
+                    // approval-card lookup misses the live client.
+                    await handleClientMessage(client, msg, options.defaultAgent, (oldId, newId) => {
+                        // Only reassign if we actually owned `oldId` — defensive
+                        // against the (impossible-but-cheap-to-guard) case of two
+                        // clients colliding on the rekey path.
+                        if (clients.get(oldId) === client)
+                            clients.delete(oldId);
+                        clients.set(newId, client);
+                        // R9: keep the ownership map aligned with the live id so
+                        // a subsequent rekey from another connection (same token,
+                        // e.g. a second tab) succeeds with the new threadId.
+                        const owner = threadOwners.get(oldId);
+                        if (owner !== undefined) {
+                            threadOwners.delete(oldId);
+                            threadOwners.set(newId, owner);
+                        }
+                    }, tokenId, threadOwners);
                 }
                 catch (err) {
-                    webLog.error({ clientId, err: err instanceof Error ? err.message : String(err) }, 'Error parsing client message');
+                    webLog.error({ clientId: client.id, err: err instanceof Error ? err.message : String(err) }, 'Error parsing client message');
                     sendToClient(ws, { type: 'error', message: 'Invalid message format' });
                 }
             });
         });
         ws.on('close', () => {
-            webLog.info({ clientId }, 'Client disconnected');
-            clients.delete(clientId);
+            // Use `client.id` rather than the closure-captured `clientId` so
+            // we delete whichever key the map is actually using after a
+            // potential rekey. The map maintenance on rekey deletes the old
+            // key, so this just covers the live one.
+            const liveId = client.id;
+            webLog.info({ clientId: liveId }, 'Client disconnected');
+            clients.delete(liveId);
+            // R9: drop the ownership entry only for server-generated ids that
+            // were never rekeyed to a persistent client-side threadId. Rekeyed
+            // ids stay registered so the operator's next reconnect with the
+            // same localStorage id finds its previous owner.
+            if (liveId === clientId)
+                threadOwners.delete(liveId);
         });
         ws.on('error', (err) => {
-            webLog.error({ clientId, err: err instanceof Error ? err.message : String(err) }, 'Client WebSocket error');
-            clients.delete(clientId);
+            const liveId = client.id;
+            webLog.error({ clientId: liveId, err: err instanceof Error ? err.message : String(err) }, 'Client WebSocket error');
+            clients.delete(liveId);
+            if (liveId === clientId)
+                threadOwners.delete(liveId);
         });
     });
     // Default to loopback; operators can opt into LAN/public exposure with
@@ -1030,7 +1209,10 @@ async function handlePutConfig(req, res) {
         }
         const result = validateConfig(merged);
         if (!result.ok) {
-            sendJson(res, 400, { error: 'Config validation failed', details: result.errors });
+            sendError(res, 400, 'CONFIG_INVALID', {
+                message: 'Config validation failed',
+                extra: { details: result.errors },
+            });
             return;
         }
         await saveConfig(result.config);
@@ -1038,7 +1220,7 @@ async function handlePutConfig(req, res) {
     }
     catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
-        sendJson(res, 400, { error: msg });
+        sendError(res, 400, 'CONFIG_SAVE_FAILED', { detail: msg });
     }
 }
 async function handleAgentsStatus(_req, res) {
@@ -1873,13 +2055,8 @@ const ENV_EDITABLE_KEYS = [
     'IMHUB_MEMORY_VECTOR_HYBRID_WEIGHT',
 ];
 const SECRET_KEYS = new Set(['IMHUB_SMTP_PASS', 'IMHUB_BAIDU_MAP_AK', 'IMHUB_MEMORY_VECTOR_OPENAI_API_KEY']);
-function maskSecret(v) {
-    if (!v)
-        return '';
-    if (v.length <= 8)
-        return '*'.repeat(v.length);
-    return v.slice(0, 4) + '*'.repeat(Math.max(0, v.length - 8)) + v.slice(-4);
-}
+// maskSecret moved to ./env-mask.ts (imported at the top of this file
+// alongside isMasked).
 async function handleGetEnv(_req, res, url) {
     try {
         const { readEnvFile } = await import('../cli-ui/env-file.js');
@@ -1904,7 +2081,7 @@ async function handlePutEnv(req, res) {
         const parsed = JSON.parse(body || '{}');
         const updates = parsed.updates;
         if (!updates || typeof updates !== 'object') {
-            sendJson(res, 400, { error: 'updates object required' });
+            sendError(res, 400, 'ENV_UPDATES_REQUIRED', { message: 'updates object required' });
             return;
         }
         // Filter to whitelist — never let arbitrary keys through.
@@ -1922,7 +2099,7 @@ async function handlePutEnv(req, res) {
             }
         }
         if (Object.keys(safe).length === 0) {
-            sendJson(res, 400, { error: 'no editable keys in updates' });
+            sendError(res, 400, 'ENV_NO_EDITABLE_KEYS', { message: 'no editable keys in updates' });
             return;
         }
         const { updateEnvFile } = await import('../cli-ui/env-file.js');
@@ -1944,6 +2121,59 @@ async function handlePutEnv(req, res) {
         sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
     }
 }
+// POST /api/messengers/email/test — verify SMTP credentials currently in
+// process.env by opening a fresh nodemailer transporter and calling
+// `verify()`. Doesn't actually send mail. Returns { ok, message } on
+// success or { ok: false, error } with a clean error string. Operators
+// save first, then click "Test" — same UX as v1's settings page.
+async function handleEmailTest(req, res) {
+    try {
+        // Drain body even though we don't use it, so the connection doesn't
+        // stall under keep-alive.
+        await readBody(req, res);
+        const host = process.env.IMHUB_SMTP_HOST?.trim();
+        const user = process.env.IMHUB_SMTP_USER?.trim();
+        const pass = process.env.IMHUB_SMTP_PASS;
+        if (!host || !user || !pass) {
+            sendError(res, 400, 'EMAIL_NOT_CONFIGURED', {
+                message: 'SMTP not configured (host / user / pass required)',
+                extra: { ok: false },
+            });
+            return;
+        }
+        const portRaw = process.env.IMHUB_SMTP_PORT?.trim();
+        const portNum = portRaw ? Number.parseInt(portRaw, 10) : 465;
+        const port = Number.isFinite(portNum) && portNum > 0 && portNum <= 65535 ? portNum : 465;
+        const secureRaw = process.env.IMHUB_SMTP_SECURE?.trim().toLowerCase();
+        const secure = secureRaw !== undefined
+            ? (secureRaw === '1' || secureRaw === 'true' || secureRaw === 'yes')
+            : port === 465;
+        const nodemailer = (await import('nodemailer')).default;
+        const tx = nodemailer.createTransport({
+            host, port, secure,
+            auth: { user, pass },
+            // Short timeouts — the UI should see a result within ~10s rather
+            // than hanging on an unreachable host.
+            connectionTimeout: 8000,
+            greetingTimeout: 6000,
+            socketTimeout: 8000,
+        });
+        try {
+            await tx.verify();
+            sendJson(res, 200, { ok: true, message: `Connected to ${host}:${port}` });
+        }
+        finally {
+            tx.close();
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        sendError(res, 400, 'EMAIL_VERIFY_FAILED', {
+            detail: msg,
+            extra: { ok: false },
+        });
+    }
+}
 async function handleListBgjobs(_req, res, url) {
     try {
         const { resolveRoots, listJobsForRoot, listAllJobs } = await import('../core/bgjob-reader.js');
@@ -2099,7 +2329,7 @@ async function handleMemoryFacts(_req, res, url) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required (platform:userId)' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required (platform:userId)' });
             return;
         }
         const { listFacts } = await import('../core/memory.js');
@@ -2119,7 +2349,7 @@ async function handleMemoryDeleteOne(req, res, url, id) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required' });
             return;
         }
         const { deleteFact } = await import('../core/memory.js');
@@ -2135,7 +2365,7 @@ async function handleMemoryBulkDelete(req, res, url) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required' });
             return;
         }
         const body = await readBody(req, res);
@@ -2164,7 +2394,7 @@ async function handleMemoryPersona(_req, res, url) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required' });
             return;
         }
         const { getPersona } = await import('../core/memory.js');
@@ -2183,7 +2413,7 @@ async function handleMemoryPersonaPut(req, res, url) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required' });
             return;
         }
         const body = await readBody(req, res);
@@ -2205,7 +2435,7 @@ async function handleMemoryPersonaDelete(_req, res, url) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required' });
             return;
         }
         const { deletePersona } = await import('../core/memory.js');
@@ -2220,7 +2450,7 @@ async function handleMemoryExport(_req, res, url) {
     try {
         const user_key = readUserKey(url);
         if (!user_key) {
-            sendJson(res, 400, { error: 'user_key required' });
+            sendError(res, 400, 'MEMORY_USER_KEY_REQUIRED', { message: 'user_key required' });
             return;
         }
         const { exportUserMemory } = await import('../core/memory.js');
@@ -2424,6 +2654,204 @@ async function handleMemoryConsolidate(_req, res) {
 async function handleMemoryConsolidateStatus(_req, res) {
     sendJson(res, 200, { jobs: pickRecentConsolidate() });
 }
+function inferCategory(slug) {
+    if (slug.startsWith('fin-data-') || slug.startsWith('mx_') || slug.startsWith('ttfund-')
+        || slug.startsWith('ash-') || slug.startsWith('low-position-pick')
+        || slug.startsWith('overnight-') || slug.startsWith('garp-')
+        || slug.startsWith('gold') || slug === 'precious-metals-report')
+        return '金融数据 / 行情';
+    if (slug.startsWith('white-pig-') || slug.startsWith('add-white-pig')
+        || slug.startsWith('renew-white-pig') || slug.startsWith('deduct-white-pig')
+        || slug.startsWith('delete-white-pig') || slug.startsWith('modify-white-pig')
+        || slug.startsWith('add-white-pig-') || slug.startsWith('query-account')
+        || slug.startsWith('query-white-pig') || slug.startsWith('set-kol')
+        || slug.startsWith('statistics-sales'))
+        return '白猪运营';
+    if (slug.startsWith('metaso-') || slug === 'multi-search-engine'
+        || slug === 'news-summary' || slug === 'global-financial-headlines'
+        || slug.startsWith('qveris'))
+        return '搜索 / 资讯';
+    if (slug.startsWith('mailsender') || slug === 'sendmail')
+        return '邮件 / 通讯';
+    if (slug.startsWith('claude-api') || slug === 'security-review' || slug === 'review'
+        || slug === 'simplify' || slug === 'first-principles-decomposer'
+        || slug === 'session_summary' || slug === 'init')
+        return '开发 / 评审';
+    if (slug === 'find-skills' || slug === 'update-config' || slug === 'keybindings-help'
+        || slug === 'fewer-permission-prompts' || slug === 'loop' || slug === 'schedule'
+        || slug === 'yanshen-manual')
+        return '元能力 / 平台';
+    return '其他';
+}
+function readSkillFrontmatter(skillMdPath) {
+    try {
+        const raw = readFileSync(skillMdPath, 'utf-8');
+        if (!raw.startsWith('---'))
+            return null;
+        const end = raw.indexOf('\n---', 3);
+        if (end < 0)
+            return null;
+        const fm = raw.slice(3, end);
+        const out = {};
+        for (const line of fm.split('\n')) {
+            const m = line.match(/^(\w+)\s*:\s*(.+?)\s*$/);
+            if (!m)
+                continue;
+            const k = m[1].toLowerCase();
+            const v = m[2].replace(/^["']|["']$/g, '');
+            if (k === 'name')
+                out.name = v;
+            else if (k === 'description')
+                out.description = v;
+        }
+        return out;
+    }
+    catch {
+        return null;
+    }
+}
+function scanSkillDir(rootDir) {
+    try {
+        if (!existsSync(rootDir))
+            return [];
+        const out = [];
+        for (const entry of readdirSync(rootDir, { withFileTypes: true })) {
+            if (!entry.isDirectory() && !entry.isSymbolicLink())
+                continue;
+            const md = join(rootDir, entry.name, 'SKILL.md');
+            if (existsSync(md))
+                out.push({ slug: entry.name, skillMd: md });
+        }
+        return out;
+    }
+    catch {
+        return [];
+    }
+}
+const HOME = process.env.HOME || '/root';
+const CLAUDE_SKILLS = `${HOME}/.claude/skills`;
+const OPENCODE_SKILLS = `${HOME}/.config/opencode/skills`;
+function listSkills() {
+    const fromClaude = scanSkillDir(CLAUDE_SKILLS);
+    const fromOpencode = scanSkillDir(OPENCODE_SKILLS);
+    const map = new Map();
+    for (const { slug, skillMd } of fromClaude) {
+        const fm = readSkillFrontmatter(skillMd);
+        if (!fm?.name)
+            continue;
+        map.set(slug, {
+            slug,
+            name: fm.name,
+            description: fm.description || '',
+            category: inferCategory(slug),
+            agents: ['claude'],
+            path: skillMd,
+        });
+    }
+    for (const { slug, skillMd } of fromOpencode) {
+        const fm = readSkillFrontmatter(skillMd);
+        if (!fm?.name)
+            continue;
+        const existing = map.get(slug);
+        if (existing) {
+            if (!existing.agents.includes('opencode'))
+                existing.agents.push('opencode');
+        }
+        else {
+            map.set(slug, {
+                slug,
+                name: fm.name,
+                description: fm.description || '',
+                category: inferCategory(slug),
+                agents: ['opencode'],
+                path: skillMd,
+            });
+        }
+    }
+    return Array.from(map.values()).sort((a, b) => {
+        if (a.category !== b.category)
+            return a.category.localeCompare(b.category);
+        return a.slug.localeCompare(b.slug);
+    });
+}
+async function handleSkillsList(_req, res) {
+    try {
+        const skills = listSkills();
+        const byCategory = {};
+        for (const s of skills)
+            byCategory[s.category] = (byCategory[s.category] || 0) + 1;
+        sendJson(res, 200, {
+            total: skills.length,
+            byCategory,
+            skills,
+            sources: { claude: CLAUDE_SKILLS, opencode: OPENCODE_SKILLS },
+        });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
+    }
+}
+// skillhub.cn proxy with 5-min cache — shows top-50 popular skills so the
+// user can discover new ones without leaving the dashboard. The actual
+// install still happens via the skillhub CLI on the host (see docs).
+let remoteHotCache = null;
+const REMOTE_HOT_TTL_MS = 5 * 60_000;
+async function handleSkillsRemoteHot(_req, res) {
+    try {
+        if (remoteHotCache && Date.now() - remoteHotCache.fetchedAt < REMOTE_HOT_TTL_MS) {
+            sendJson(res, 200, { ...remoteHotCache.data, cached: true, fetchedAt: remoteHotCache.fetchedAt });
+            return;
+        }
+        const r = await fetch('https://api.skillhub.cn/api/v1/showcase/hot', {
+            signal: AbortSignal.timeout(8000),
+            headers: { accept: 'application/json' },
+        });
+        if (!r.ok) {
+            // Serve stale-while-error if we have any cache
+            if (remoteHotCache) {
+                sendJson(res, 200, { ...remoteHotCache.data, cached: true, fetchedAt: remoteHotCache.fetchedAt, stale: true, upstreamStatus: r.status });
+                return;
+            }
+            sendJson(res, 502, { error: `skillhub upstream ${r.status}` });
+            return;
+        }
+        const json = await r.json();
+        remoteHotCache = { fetchedAt: Date.now(), data: json };
+        sendJson(res, 200, { ...json, cached: false, fetchedAt: remoteHotCache.fetchedAt });
+    }
+    catch (err) {
+        if (remoteHotCache) {
+            sendJson(res, 200, {
+                ...remoteHotCache.data,
+                cached: true, fetchedAt: remoteHotCache.fetchedAt, stale: true,
+                upstreamError: err instanceof Error ? err.message : String(err),
+            });
+            return;
+        }
+        sendJson(res, 502, { error: err instanceof Error ? err.message : String(err) });
+    }
+}
+async function handleSkillDetail(_req, res, slug) {
+    try {
+        // Guard against traversal — only allow slug chars (already enforced by
+        // the route regex but check again here to be safe).
+        if (!/^[A-Za-z0-9._-]+$/.test(slug)) {
+            sendJson(res, 400, { error: 'bad slug' });
+            return;
+        }
+        const skills = listSkills();
+        const meta = skills.find((s) => s.slug === slug);
+        if (!meta) {
+            sendJson(res, 404, { error: 'skill not found' });
+            return;
+        }
+        const raw = readFileSync(meta.path, 'utf-8');
+        sendJson(res, 200, { ...meta, content: raw });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
+    }
+}
 async function handleVectorClear(_req, res, url) {
     try {
         const { clearEmbeddings } = await import('../core/memory.js');
@@ -3008,11 +3436,28 @@ async function handleEventsSSE(req, res) {
 async function handleAcpDiscover(req, res) {
     try {
         const body = await readBody(req, res);
-        const { baseUrl, register } = JSON.parse(body);
+        const parsed = JSON.parse(body);
+        const baseUrl = typeof parsed.baseUrl === 'string' ? parsed.baseUrl : '';
+        // Strict-boolean: only literal `true` enables auto-registration. A
+        // truthy `{}` / 'yes' / 1 won't trip it.
+        const register = parsed.register === true;
         if (!baseUrl) {
-            sendJson(res, 400, { error: 'Missing baseUrl' });
+            sendError(res, 400, 'ACP_BASEURL_REQUIRED', { message: 'Missing baseUrl' });
             return;
         }
+        // Guard SSRF: discovery doesn't forward auth, but a malicious baseUrl
+        // can still probe internal services (e.g. cloud metadata).
+        const { assertSafeAcpUrl, UnsafeAcpUrlError } = await import('../plugins/agents/acp/url-guard.js');
+        try {
+            await assertSafeAcpUrl(baseUrl, { forwardsCredentials: false });
+        }
+        catch (err) {
+            if (err instanceof UnsafeAcpUrlError) {
+                sendError(res, 400, 'ACP_URL_BLOCKED', { detail: err.message, extra: { ok: false, reason: err.reason } });
+                return;
+            }
+            throw err;
+        }
         const { discoverAgents } = await import('../plugins/agents/acp/discovery.js');
         const result = await discoverAgents(baseUrl);
         if (register) {
@@ -3026,8 +3471,12 @@ async function handleAcpDiscover(req, res) {
             return;
         const status = e?.statusCode || 500;
         const msg = e instanceof Error ? e.message : String(err);
-        if (!res.headersSent)
-            sendJson(res, status, { ok: false, error: msg });
+        if (!res.headersSent) {
+            sendError(res, status, 'ACP_DISCOVER_FAILED', {
+                detail: msg,
+                extra: { ok: false },
+            });
+        }
     }
 }
 async function handleAcpTest(req, res) {
@@ -3041,14 +3490,38 @@ async function handleAcpTest(req, res) {
             parsed = JSON.parse(body);
         }
         catch {
-            sendJson(res, 400, { ok: false, error: 'Invalid JSON body' });
+            sendError(res, 400, 'INVALID_JSON_BODY', {
+                message: 'Invalid JSON body',
+                extra: { ok: false },
+            });
             return;
         }
         const { endpoint, auth } = parsed;
         if (!endpoint || typeof endpoint !== 'string') {
-            sendJson(res, 400, { ok: false, error: 'Missing or invalid "endpoint"' });
+            sendError(res, 400, 'ACP_ENDPOINT_REQUIRED', {
+                message: 'Missing or invalid "endpoint"',
+                extra: { ok: false },
+            });
             return;
         }
+        // Guard SSRF + credential exfil: the manifest fetch carries the
+        // operator-supplied auth.token in the Authorization header, so a
+        // malicious endpoint URL would have it on the wire. Require https
+        // when a token would travel.
+        const hasAuthToken = !!(auth && typeof auth === 'object'
+            && typeof auth.token === 'string'
+            && auth.token.length > 0);
+        const { assertSafeAcpUrl, UnsafeAcpUrlError } = await import('../plugins/agents/acp/url-guard.js');
+        try {
+            await assertSafeAcpUrl(endpoint, { forwardsCredentials: hasAuthToken });
+        }
+        catch (err) {
+            if (err instanceof UnsafeAcpUrlError) {
+                sendError(res, 400, 'ACP_URL_BLOCKED', { detail: err.message, extra: { ok: false, reason: err.reason } });
+                return;
+            }
+            throw err;
+        }
         // Dynamic import to avoid circular deps
         const { ACPClient } = await import('../plugins/agents/acp/acp-client.js');
         const client = new ACPClient({ name: 'test', endpoint, auth: auth });
@@ -3061,7 +3534,10 @@ async function handleAcpTest(req, res) {
     }
     catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
-        sendJson(res, 400, { ok: false, error: msg });
+        sendError(res, 400, 'ACP_TEST_FAILED', {
+            detail: msg,
+            extra: { ok: false },
+        });
     }
 }
 // ============================================
@@ -3129,6 +3605,33 @@ function sendJson(res, status, data) {
     res.writeHead(status, { 'Content-Type': 'application/json' });
     res.end(JSON.stringify(data));
 }
+/**
+ * Send a machine-readable error response. The SPA's `lib/api/client.ts`
+ * reads `body.code` and maps it through `errors.json` → user-facing text;
+ * the legacy `error` string remains as a fallback for tools that don't
+ * speak the code dictionary (curl, older clients, tests grepping the
+ * response).
+ *
+ * Convention: codes are UPPER_SNAKE, namespaced by feature when needed
+ * (e.g. `EMAIL_NOT_CONFIGURED`, `MEMORY_USER_KEY_REQUIRED`). Bare names
+ * like `VALIDATION` / `NOT_FOUND` cover broad buckets. Add new entries
+ * to `src/web-app/src/i18n/locales/{en,zh}/errors.json` together with
+ * the call site so the SPA picks up the human text.
+ *
+ * Use `detail` when the human message has variable parts the SPA can
+ * interpolate (`{{detail}}` in the i18n template). Use `message` when
+ * you want a fully-formed line that's safe to surface verbatim (the
+ * SPA fallback path renders this when no per-code key exists).
+ */
+function sendError(res, status, code, options) {
+    const message = options?.message ?? options?.detail ?? code;
+    const body = { error: message, code };
+    if (options?.detail !== undefined)
+        body.detail = options.detail;
+    if (options?.extra)
+        Object.assign(body, options.extra);
+    sendJson(res, status, body);
+}
 // ============================================
 // Outbox (v1.1.2)
 // ============================================
@@ -3354,31 +3857,45 @@ async function handleArtifactsFile(_req, res, jobId, name) {
     }
 }
 // ─── v1.1.10 auth handlers ───
+/** Build the cookie attribute string. When the request looks HTTPS
+ *  (req.socket.encrypted OR x-forwarded-proto=https from a reverse
+ *  proxy / cloudflared / nginx), include `Secure`. Without `Secure`,
+ *  modern Chrome / Safari downgrade or REJECT cookies with
+ *  `SameSite=Strict` on HTTPS pages, which manifests as "logged in
+ *  works on the same tab once, but a refresh kicks back to /login"
+ *  — the symptom the operator reported 2026-05-19.
+ *  Also relax SameSite=Strict → Lax so following an external link
+ *  back to the dashboard doesn't lose the session. */
+function buildAuthCookie(req, token, maxAgeSec) {
+    const isHttps = req.socket.encrypted === true
+        || String(req.headers['x-forwarded-proto'] || '').toLowerCase() === 'https';
+    const secure = isHttps ? '; Secure' : '';
+    const value = token === null ? '' : encodeURIComponent(token);
+    return `agim_token=${value}; Path=/; Max-Age=${maxAgeSec}; SameSite=Lax${secure}`;
+}
 async function handleAuthLogin(req, res) {
     try {
         const body = await readBody(req, res);
         const parsed = JSON.parse(body || '{}');
         const token = (parsed.token || '').trim();
         if (!token) {
-            sendJson(res, 400, { error: 'token required' });
+            sendError(res, 400, 'AUTH_TOKEN_REQUIRED', { message: 'token required' });
             return;
         }
         if (!_tokenModule) {
-            sendJson(res, 503, { error: 'auth module not ready' });
+            sendError(res, 503, 'AUTH_NOT_READY', { message: 'auth module not ready' });
             return;
         }
         const id = _tokenModule.verifyToken(token);
         if (!id) {
-            sendJson(res, 401, { error: 'invalid token' });
+            sendError(res, 401, 'AUTH_INVALID', { message: 'invalid token' });
             return;
         }
-        // 30-day cookie, Path=/, SameSite=Strict. Not HttpOnly so the page JS
-        // can also read it back if needed (e.g. to attach Authorization header
-        // on fetch — though the cookie alone suffices).
+        // 30-day cookie. SameSite=Lax + conditional Secure — see buildAuthCookie.
         const maxAge = 30 * 24 * 60 * 60;
         res.writeHead(200, {
             'Content-Type': 'application/json; charset=utf-8',
-            'Set-Cookie': `agim_token=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAge}; SameSite=Strict`,
+            'Set-Cookie': buildAuthCookie(req, token, maxAge),
         });
         res.end(JSON.stringify({ ok: true, tokenId: id }));
     }
@@ -3386,10 +3903,10 @@ async function handleAuthLogin(req, res) {
         sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
     }
 }
-function handleAuthLogout(_req, res) {
+function handleAuthLogout(req, res) {
     res.writeHead(200, {
         'Content-Type': 'application/json; charset=utf-8',
-        'Set-Cookie': 'agim_token=; Path=/; Max-Age=0; SameSite=Strict',
+        'Set-Cookie': buildAuthCookie(req, null, 0),
     });
     res.end(JSON.stringify({ ok: true }));
 }
@@ -3472,8 +3989,23 @@ async function handleViewerTunnelStatus(_req, res) {
 /**
  * Handle a message from a web client
  */
-async function handleClientMessage(client, msg, defaultAgent) {
-    const { ws, id: clientId } = client;
+async function handleClientMessage(client, msg, defaultAgent, 
+/** Notify the caller that the client's id changed mid-handler so the
+ *  WS handler can keep its `clients` map keyed by the live id. Without
+ *  this the approval-card sender (which does clients.get(threadId))
+ *  silently misses the rekeyed client and the approval lands only in
+ *  the global /approvals tab. */
+onRekey, 
+/** R9: token id of the connecting peer (or 'anon' on loopback /
+ *  auth-off). Used to enforce thread ownership on get-history rekey. */
+tokenId, 
+/** R9: shared threadId → tokenId map. The handler validates
+ *  ownership before adopting a client-supplied threadId. */
+threadOwners) {
+    const { ws } = client;
+    // Read client.id fresh — `get-history` may rekey it mid-handler so the
+    // session lookup matches the client's persisted threadId.
+    let clientId = client.id;
     switch (msg.type) {
         case 'message': {
             if (!msg.text?.trim())
@@ -3548,9 +4080,57 @@ async function handleClientMessage(client, msg, defaultAgent) {
             break;
         }
         case 'get-history': {
+            // 2026-05-19: support client-supplied threadId so a browser refresh
+            // (or returning to the chat after a navigation) resumes the existing
+            // conversation instead of starting fresh. Client persists the id in
+            // localStorage; if it provides one, we treat it as the authoritative
+            // session key going forward. We update client.id (so subsequent
+            // `message` / `switch-agent` ops use the persisted thread) but leave
+            // the clients map alone — push-by-clientId is a separate code path
+            // that doesn't rely on the persisted id today.
+            //
+            // R9: before adopting the threadId, validate ownership. The
+            // pre-R9 path accepted any well-formed `web-*` id, letting an
+            // authenticated peer enumerate Date.now()-based ids and hijack
+            // (or wipe via new-conversation) another peer's chat session.
+            // Now the threadId is owned by the tokenId that first claimed it;
+            // a rekey from a different tokenId is refused.
+            const wantedThreadId = typeof msg.threadId === 'string' ? msg.threadId.trim() : '';
+            if (wantedThreadId && /^web-[A-Za-z0-9_-]{4,64}$/.test(wantedThreadId) && wantedThreadId !== clientId) {
+                const peer = tokenId ?? 'anon';
+                const owner = threadOwners?.get(wantedThreadId);
+                if (owner !== undefined && owner !== peer) {
+                    webLog.warn({
+                        event: 'web.session.rekey_denied',
+                        clientId, wantedThreadId, peer,
+                    }, 'WS get-history rekey refused — threadId owned by a different token');
+                    sendToClient(ws, { type: 'error', message: 'thread not owned by this session' });
+                    return;
+                }
+                // First-claim OK (owner === undefined) or same-owner reconnect.
+                const oldId = clientId;
+                client.id = wantedThreadId;
+                clientId = wantedThreadId;
+                if (threadOwners && owner === undefined) {
+                    threadOwners.set(wantedThreadId, peer);
+                }
+                onRekey?.(oldId, wantedThreadId);
+                webLog.info({ clientId, oldId, event: 'web.session.rekey' }, 'WS client adopted persisted threadId');
+            }
             await sendSessionHistory(ws, clientId, defaultAgent);
             break;
         }
+        // v1's "New conversation" button in the web chat. Clears the
+        // session messages, forks a fresh session id, drops per-agent CLI
+        // session bindings (Claude/opencode/codex) and any auto-allow
+        // approval rules, so the next prompt starts on a clean slate. The
+        // WS client receives a follow-up `history` message with an empty
+        // list so the UI repaints the cleared state.
+        case 'new-conversation': {
+            await sessionManager.resetConversation('web', 'web', clientId);
+            sendToClient(ws, { type: 'history', messages: [], agent: client.agent });
+            break;
+        }
     }
 }
 /**