agim-cli 1.2.65 → 1.2.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (172) hide show
  1. package/CHANGELOG.md +113 -0
  2. package/dist/cli.js +78 -0
  3. package/dist/cli.js.map +1 -1
  4. package/dist/core/llm/exec-dispatcher.d.ts.map +1 -1
  5. package/dist/core/llm/exec-dispatcher.js +96 -1
  6. package/dist/core/llm/exec-dispatcher.js.map +1 -1
  7. package/dist/core/llm/web-dispatcher.d.ts +5 -0
  8. package/dist/core/llm/web-dispatcher.d.ts.map +1 -1
  9. package/dist/core/llm/web-dispatcher.js +116 -18
  10. package/dist/core/llm/web-dispatcher.js.map +1 -1
  11. package/dist/core/sender-allowlist.d.ts +15 -0
  12. package/dist/core/sender-allowlist.d.ts.map +1 -0
  13. package/dist/core/sender-allowlist.js +125 -0
  14. package/dist/core/sender-allowlist.js.map +1 -0
  15. package/dist/web/public/assets/{a2a-DNxqMtla.js → a2a-pV7pUaE_.js} +2 -2
  16. package/dist/web/public/assets/{a2a-DNxqMtla.js.map → a2a-pV7pUaE_.js.map} +1 -1
  17. package/dist/web/public/assets/{activity-C5_-rLe6.js → activity-BtEeVbL4.js} +2 -2
  18. package/dist/web/public/assets/{activity-C5_-rLe6.js.map → activity-BtEeVbL4.js.map} +1 -1
  19. package/dist/web/public/assets/{admins-DSOax_hH.js → admins-Cb6gyuWs.js} +2 -2
  20. package/dist/web/public/assets/{admins-DSOax_hH.js.map → admins-Cb6gyuWs.js.map} +1 -1
  21. package/dist/web/public/assets/{agents-T687l0rN.js → agents-Bua9ZDtI.js} +2 -2
  22. package/dist/web/public/assets/{agents-T687l0rN.js.map → agents-Bua9ZDtI.js.map} +1 -1
  23. package/dist/web/public/assets/{approvals-CWorM8Vw.js → approvals-DgxxWp1m.js} +2 -2
  24. package/dist/web/public/assets/{approvals-CWorM8Vw.js.map → approvals-DgxxWp1m.js.map} +1 -1
  25. package/dist/web/public/assets/{asks-PiqKpXZ1.js → asks-iON_EhzS.js} +2 -2
  26. package/dist/web/public/assets/{asks-PiqKpXZ1.js.map → asks-iON_EhzS.js.map} +1 -1
  27. package/dist/web/public/assets/{audit-C2Ox35e1.js → audit-D1sPdKlD.js} +2 -2
  28. package/dist/web/public/assets/{audit-C2Ox35e1.js.map → audit-D1sPdKlD.js.map} +1 -1
  29. package/dist/web/public/assets/{bell-Cj5Dt_yv.js → bell-B5ZjxlmU.js} +2 -2
  30. package/dist/web/public/assets/{bell-Cj5Dt_yv.js.map → bell-B5ZjxlmU.js.map} +1 -1
  31. package/dist/web/public/assets/{bgjobs-DxEVHpLB.js → bgjobs-DdnrqmC2.js} +2 -2
  32. package/dist/web/public/assets/{bgjobs-DxEVHpLB.js.map → bgjobs-DdnrqmC2.js.map} +1 -1
  33. package/dist/web/public/assets/{brain-LvSyYmLT.js → brain-Bh8Xm53Q.js} +2 -2
  34. package/dist/web/public/assets/{brain-LvSyYmLT.js.map → brain-Bh8Xm53Q.js.map} +1 -1
  35. package/dist/web/public/assets/{briefcase-CJMKdAPu.js → briefcase-Tn3JuAZM.js} +2 -2
  36. package/dist/web/public/assets/{briefcase-CJMKdAPu.js.map → briefcase-Tn3JuAZM.js.map} +1 -1
  37. package/dist/web/public/assets/{chevron-right-BUOV_Xg8.js → chevron-right-Bu2Wni-B.js} +2 -2
  38. package/dist/web/public/assets/{chevron-right-BUOV_Xg8.js.map → chevron-right-Bu2Wni-B.js.map} +1 -1
  39. package/dist/web/public/assets/{circle-check-BYLlUkXj.js → circle-check-Bx222bW4.js} +2 -2
  40. package/dist/web/public/assets/{circle-check-BYLlUkXj.js.map → circle-check-Bx222bW4.js.map} +1 -1
  41. package/dist/web/public/assets/{circle-check-big-KNa00WXm.js → circle-check-big-BAGOp63h.js} +2 -2
  42. package/dist/web/public/assets/{circle-check-big-KNa00WXm.js.map → circle-check-big-BAGOp63h.js.map} +1 -1
  43. package/dist/web/public/assets/{circle-x-CGLLbBL-.js → circle-x-DYSUbjfb.js} +2 -2
  44. package/dist/web/public/assets/{circle-x-CGLLbBL-.js.map → circle-x-DYSUbjfb.js.map} +1 -1
  45. package/dist/web/public/assets/{confirm-dialog-CLfYzx-a.js → confirm-dialog-BkTngEE8.js} +2 -2
  46. package/dist/web/public/assets/{confirm-dialog-CLfYzx-a.js.map → confirm-dialog-BkTngEE8.js.map} +1 -1
  47. package/dist/web/public/assets/{data-table-ZySeRfEP.js → data-table-BlqccxTF.js} +2 -2
  48. package/dist/web/public/assets/{data-table-ZySeRfEP.js.map → data-table-BlqccxTF.js.map} +1 -1
  49. package/dist/web/public/assets/{dialog-DS0Dk6GL.js → dialog-CMUp72oB.js} +2 -2
  50. package/dist/web/public/assets/{dialog-DS0Dk6GL.js.map → dialog-CMUp72oB.js.map} +1 -1
  51. package/dist/web/public/assets/{download-1aUlz7_D.js → download-CB0cOUn8.js} +2 -2
  52. package/dist/web/public/assets/{download-1aUlz7_D.js.map → download-CB0cOUn8.js.map} +1 -1
  53. package/dist/web/public/assets/{email-BkAvhVxU.js → email-BCqfN_b2.js} +2 -2
  54. package/dist/web/public/assets/{email-BkAvhVxU.js.map → email-BCqfN_b2.js.map} +1 -1
  55. package/dist/web/public/assets/{empty-state-BclIaHPD.js → empty-state-DTC7UMRJ.js} +2 -2
  56. package/dist/web/public/assets/{empty-state-BclIaHPD.js.map → empty-state-DTC7UMRJ.js.map} +1 -1
  57. package/dist/web/public/assets/{external-link-Ckz2th0a.js → external-link-D7kkHOqE.js} +2 -2
  58. package/dist/web/public/assets/{external-link-Ckz2th0a.js.map → external-link-D7kkHOqE.js.map} +1 -1
  59. package/dist/web/public/assets/{eye-DGRzJ5lb.js → eye-KM8X6N9N.js} +2 -2
  60. package/dist/web/public/assets/{eye-DGRzJ5lb.js.map → eye-KM8X6N9N.js.map} +1 -1
  61. package/dist/web/public/assets/{facts-CUY-brWq.js → facts-mHIefs9t.js} +2 -2
  62. package/dist/web/public/assets/{facts-CUY-brWq.js.map → facts-mHIefs9t.js.map} +1 -1
  63. package/dist/web/public/assets/{goals-5uN3gp8c.js → goals-DkW2jRda.js} +2 -2
  64. package/dist/web/public/assets/{goals-5uN3gp8c.js.map → goals-DkW2jRda.js.map} +1 -1
  65. package/dist/web/public/assets/{health-bp5Qgneq.js → health-DqSq0_p8.js} +2 -2
  66. package/dist/web/public/assets/{health-bp5Qgneq.js.map → health-DqSq0_p8.js.map} +1 -1
  67. package/dist/web/public/assets/{heart-pulse-BnB8Mahi.js → heart-pulse-Dw9UThda.js} +2 -2
  68. package/dist/web/public/assets/{heart-pulse-BnB8Mahi.js.map → heart-pulse-Dw9UThda.js.map} +1 -1
  69. package/dist/web/public/assets/{heartbeat-ClNB_aaM.js → heartbeat-4Jqvt3ZG.js} +2 -2
  70. package/dist/web/public/assets/{heartbeat-ClNB_aaM.js.map → heartbeat-4Jqvt3ZG.js.map} +1 -1
  71. package/dist/web/public/assets/{hot-CXFYYRzt.js → hot-DwVVYe_Q.js} +2 -2
  72. package/dist/web/public/assets/{hot-CXFYYRzt.js.map → hot-DwVVYe_Q.js.map} +1 -1
  73. package/dist/web/public/assets/{index-B_MJTcDz.js → index-Dm4bHM0M.js} +12 -12
  74. package/dist/web/public/assets/index-Dm4bHM0M.js.map +1 -0
  75. package/dist/web/public/assets/{installed-BRhOTT0w.js → installed-CRBbM3d1.js} +2 -2
  76. package/dist/web/public/assets/{installed-BRhOTT0w.js.map → installed-CRBbM3d1.js.map} +1 -1
  77. package/dist/web/public/assets/{jobs-SGgiVMdm.js → jobs-DvVu0NEB.js} +2 -2
  78. package/dist/web/public/assets/{jobs-SGgiVMdm.js.map → jobs-DvVu0NEB.js.map} +1 -1
  79. package/dist/web/public/assets/layout-C0Dmdrm6.js +2 -0
  80. package/dist/web/public/assets/layout-C0Dmdrm6.js.map +1 -0
  81. package/dist/web/public/assets/{layout-CxIivtIC.js → layout-CGvFOz3S.js} +2 -2
  82. package/dist/web/public/assets/{layout-CxIivtIC.js.map → layout-CGvFOz3S.js.map} +1 -1
  83. package/dist/web/public/assets/{layout-C0BXTGdU.js → layout-Cq4zcQuI.js} +2 -2
  84. package/dist/web/public/assets/{layout-C0BXTGdU.js.map → layout-Cq4zcQuI.js.map} +1 -1
  85. package/dist/web/public/assets/{layout-CNhFryQ_.js → layout-DCrcKMGj.js} +2 -2
  86. package/dist/web/public/assets/{layout-CNhFryQ_.js.map → layout-DCrcKMGj.js.map} +1 -1
  87. package/dist/web/public/assets/{layout-BMehqBaD.js → layout-N_ipr3nA.js} +2 -2
  88. package/dist/web/public/assets/{layout-BMehqBaD.js.map → layout-N_ipr3nA.js.map} +1 -1
  89. package/dist/web/public/assets/{llm-BuvGS_vU.js → llm-DKruaUsd.js} +2 -2
  90. package/dist/web/public/assets/{llm-BuvGS_vU.js.map → llm-DKruaUsd.js.map} +1 -1
  91. package/dist/web/public/assets/{loader-circle-CWYFBw93.js → loader-circle-C8YCUz70.js} +2 -2
  92. package/dist/web/public/assets/{loader-circle-CWYFBw93.js.map → loader-circle-C8YCUz70.js.map} +1 -1
  93. package/dist/web/public/assets/{map-pin-CHW2BahT.js → map-pin-wZRlA_mV.js} +2 -2
  94. package/dist/web/public/assets/{map-pin-CHW2BahT.js.map → map-pin-wZRlA_mV.js.map} +1 -1
  95. package/dist/web/public/assets/{mcp-Bs02bxka.js → mcp-DJN2vM4F.js} +2 -2
  96. package/dist/web/public/assets/{mcp-Bs02bxka.js.map → mcp-DJN2vM4F.js.map} +1 -1
  97. package/dist/web/public/assets/{memos-DHGW-Qni.js → memos-zpcFJvTm.js} +2 -2
  98. package/dist/web/public/assets/{memos-DHGW-Qni.js.map → memos-zpcFJvTm.js.map} +1 -1
  99. package/dist/web/public/assets/{messengers-DrKKVSEA.js → messengers-ClgibwCS.js} +2 -2
  100. package/dist/web/public/assets/{messengers-DrKKVSEA.js.map → messengers-ClgibwCS.js.map} +1 -1
  101. package/dist/web/public/assets/{native-agent-D2cbs5yG.js → native-agent-7mZcks5Q.js} +2 -2
  102. package/dist/web/public/assets/{native-agent-D2cbs5yG.js.map → native-agent-7mZcks5Q.js.map} +1 -1
  103. package/dist/web/public/assets/{network-BlGBHSOz.js → network-BN_4AVjH.js} +2 -2
  104. package/dist/web/public/assets/{network-BlGBHSOz.js.map → network-BN_4AVjH.js.map} +1 -1
  105. package/dist/web/public/assets/{outbox-BNiVF52F.js → outbox-CqO2DN9r.js} +2 -2
  106. package/dist/web/public/assets/{outbox-BNiVF52F.js.map → outbox-CqO2DN9r.js.map} +1 -1
  107. package/dist/web/public/assets/{pagination-B5Cwu4pq.js → pagination-BN5IlfM7.js} +2 -2
  108. package/dist/web/public/assets/{pagination-B5Cwu4pq.js.map → pagination-BN5IlfM7.js.map} +1 -1
  109. package/dist/web/public/assets/{persona-D7TRqgsy.js → persona-CwiBUs53.js} +2 -2
  110. package/dist/web/public/assets/{persona-D7TRqgsy.js.map → persona-CwiBUs53.js.map} +1 -1
  111. package/dist/web/public/assets/{play-CmTdWGab.js → play-DH5aMHyg.js} +2 -2
  112. package/dist/web/public/assets/{play-CmTdWGab.js.map → play-DH5aMHyg.js.map} +1 -1
  113. package/dist/web/public/assets/{plus-BYmkO51v.js → plus-m81LzTGp.js} +2 -2
  114. package/dist/web/public/assets/{plus-BYmkO51v.js.map → plus-m81LzTGp.js.map} +1 -1
  115. package/dist/web/public/assets/{policy-CrFIBtzs.js → policy-C4LWbsG1.js} +2 -2
  116. package/dist/web/public/assets/{policy-CrFIBtzs.js.map → policy-C4LWbsG1.js.map} +1 -1
  117. package/dist/web/public/assets/{refresh-ccw-DgHgDBFU.js → refresh-ccw-BVkrjmyW.js} +2 -2
  118. package/dist/web/public/assets/{refresh-ccw-DgHgDBFU.js.map → refresh-ccw-BVkrjmyW.js.map} +1 -1
  119. package/dist/web/public/assets/{reminders-Dh2VXBAt.js → reminders-BSQoGyVb.js} +2 -2
  120. package/dist/web/public/assets/{reminders-Dh2VXBAt.js.map → reminders-BSQoGyVb.js.map} +1 -1
  121. package/dist/web/public/assets/{save-BTdbl1sB.js → save-CODsafFB.js} +2 -2
  122. package/dist/web/public/assets/{save-BTdbl1sB.js.map → save-CODsafFB.js.map} +1 -1
  123. package/dist/web/public/assets/{schedules-C98Syrst.js → schedules-BBH1Ipyd.js} +2 -2
  124. package/dist/web/public/assets/{schedules-C98Syrst.js.map → schedules-BBH1Ipyd.js.map} +1 -1
  125. package/dist/web/public/assets/{search-CgUr_Tjy.js → search-QcBNzBQ7.js} +2 -2
  126. package/dist/web/public/assets/{search-CgUr_Tjy.js.map → search-QcBNzBQ7.js.map} +1 -1
  127. package/dist/web/public/assets/security-Cv5Tjnb3.js +7 -0
  128. package/dist/web/public/assets/security-Cv5Tjnb3.js.map +1 -0
  129. package/dist/web/public/assets/{service-Dlw--ni7.js → service-Dg3fHa1F.js} +2 -2
  130. package/dist/web/public/assets/{service-Dlw--ni7.js.map → service-Dg3fHa1F.js.map} +1 -1
  131. package/dist/web/public/assets/{status-badge-rlmqIgUK.js → status-badge-COrk0PaU.js} +2 -2
  132. package/dist/web/public/assets/{status-badge-rlmqIgUK.js.map → status-badge-COrk0PaU.js.map} +1 -1
  133. package/dist/web/public/assets/{subtasks-BHJXEg1-.js → subtasks-BoKtrF6e.js} +2 -2
  134. package/dist/web/public/assets/{subtasks-BHJXEg1-.js.map → subtasks-BoKtrF6e.js.map} +1 -1
  135. package/dist/web/public/assets/{table-CyYHo50D.js → table-CO5iRHXX.js} +2 -2
  136. package/dist/web/public/assets/{table-CyYHo50D.js.map → table-CO5iRHXX.js.map} +1 -1
  137. package/dist/web/public/assets/{topn-CQjlFpTX.js → topn-CZpEJB9u.js} +2 -2
  138. package/dist/web/public/assets/{topn-CQjlFpTX.js.map → topn-CZpEJB9u.js.map} +1 -1
  139. package/dist/web/public/assets/{trash-2-C7RhXr5v.js → trash-2-Cb97xDdm.js} +2 -2
  140. package/dist/web/public/assets/{trash-2-C7RhXr5v.js.map → trash-2-Cb97xDdm.js.map} +1 -1
  141. package/dist/web/public/assets/{use-background-tasks-Xk52LztT.js → use-background-tasks-CJmddApa.js} +2 -2
  142. package/dist/web/public/assets/{use-background-tasks-Xk52LztT.js.map → use-background-tasks-CJmddApa.js.map} +1 -1
  143. package/dist/web/public/assets/{use-llm-admin-xgIdH9Kw.js → use-llm-admin-DszocDJN.js} +2 -2
  144. package/dist/web/public/assets/{use-llm-admin-xgIdH9Kw.js.map → use-llm-admin-DszocDJN.js.map} +1 -1
  145. package/dist/web/public/assets/{use-memory-DtZHF20y.js → use-memory-fcO8b_OU.js} +2 -2
  146. package/dist/web/public/assets/{use-memory-DtZHF20y.js.map → use-memory-fcO8b_OU.js.map} +1 -1
  147. package/dist/web/public/assets/{use-observability-nUGyBvW4.js → use-observability-C9g0QTLd.js} +2 -2
  148. package/dist/web/public/assets/{use-observability-nUGyBvW4.js.map → use-observability-C9g0QTLd.js.map} +1 -1
  149. package/dist/web/public/assets/{use-settings-BjibxUyB.js → use-settings-Dvc5WX17.js} +2 -2
  150. package/dist/web/public/assets/{use-settings-BjibxUyB.js.map → use-settings-Dvc5WX17.js.map} +1 -1
  151. package/dist/web/public/assets/{use-workspace-DzyMsk0c.js → use-workspace-DoenH-EZ.js} +2 -2
  152. package/dist/web/public/assets/{use-workspace-DzyMsk0c.js.map → use-workspace-DoenH-EZ.js.map} +1 -1
  153. package/dist/web/public/assets/{useQuery-DI6dxASQ.js → useQuery-CwP843k0.js} +2 -2
  154. package/dist/web/public/assets/{useQuery-DI6dxASQ.js.map → useQuery-CwP843k0.js.map} +1 -1
  155. package/dist/web/public/assets/{vector-Bu_EzONh.js → vector-tNx8IrnY.js} +2 -2
  156. package/dist/web/public/assets/{vector-Bu_EzONh.js.map → vector-tNx8IrnY.js.map} +1 -1
  157. package/dist/web/public/assets/{viewer-DbJxZOmC.js → viewer-_tE5G30K.js} +2 -2
  158. package/dist/web/public/assets/{viewer-DbJxZOmC.js.map → viewer-_tE5G30K.js.map} +1 -1
  159. package/dist/web/public/assets/{workspace-DAYMQHog.js → workspace-15Jilg2h.js} +2 -2
  160. package/dist/web/public/assets/{workspace-DAYMQHog.js.map → workspace-15Jilg2h.js.map} +1 -1
  161. package/dist/web/public/assets/{workspaces-DGRs1EZm.js → workspaces-nyFTRkZH.js} +2 -2
  162. package/dist/web/public/assets/{workspaces-DGRs1EZm.js.map → workspaces-nyFTRkZH.js.map} +1 -1
  163. package/dist/web/public/assets/{x-DEBwh51E.js → x-C7i8kvqL.js} +2 -2
  164. package/dist/web/public/assets/{x-DEBwh51E.js.map → x-C7i8kvqL.js.map} +1 -1
  165. package/dist/web/public/index.html +1 -1
  166. package/dist/web/server.d.ts.map +1 -1
  167. package/dist/web/server.js +78 -0
  168. package/dist/web/server.js.map +1 -1
  169. package/package.json +1 -1
  170. package/dist/web/public/assets/index-B_MJTcDz.js.map +0 -1
  171. package/dist/web/public/assets/layout-Czg1K2be.js +0 -2
  172. package/dist/web/public/assets/layout-Czg1K2be.js.map +0 -1
package/dist/web/server.js CHANGED
@@ -722,6 +722,14 @@ export async function startWebServer(options) {
722
722
  return;
723
723
  return handlePutEnv(req, res);
724
724
  }
725
+ // v1.2.67 — Security diagnostics. Surfaces boot-time observations the
726
+ // Security UI page renders as read-only badges (uid, env file perms,
727
+ // bwrap availability, IMHUB_ALLOWED_USERS configured? …).
728
+ if (url.pathname === '/api/security/diagnostics' && req.method === 'GET') {
729
+ if (!requireAdmin(req, res))
730
+ return;
731
+ return handleSecurityDiagnostics(req, res);
732
+ }
725
733
  if (url.pathname === '/api/messengers/email/test' && req.method === 'POST') {
726
734
  if (!requireAdmin(req, res))
727
735
  return;
@@ -2661,10 +2669,80 @@ const ENV_EDITABLE_KEYS = [
2661
2669
  'IMHUB_MEMORY_VECTOR_OPENAI_API_KEY',
2662
2670
  'IMHUB_MEMORY_VECTOR_BATCH_SIZE',
2663
2671
  'IMHUB_MEMORY_VECTOR_HYBRID_WEIGHT',
2672
+ // v1.2.67 — Security page surfaces these (added in v1.2.58–v1.2.66).
2673
+ // Sender allowlist — who can talk to the bot at all.
2674
+ 'IMHUB_ALLOWED_USERS',
2675
+ // Native fs tools — workspace restriction + per-tool timeout.
2676
+ 'IMHUB_NATIVE_FS_RESTRICT',
2677
+ 'IMHUB_NATIVE_FS_TIMEOUT_MS',
2678
+ // Native web tools — SSRF guards.
2679
+ 'IMHUB_NATIVE_WEB_ALLOW_PRIVATE',
2680
+ 'IMHUB_NATIVE_WEB_SSRF_WHITELIST',
2681
+ 'IMHUB_NATIVE_WEB_TIMEOUT_MS',
2682
+ // Native exec tool — bwrap sandbox + sub-knobs.
2683
+ 'IMHUB_EXEC_SANDBOX',
2684
+ 'IMHUB_EXEC_SANDBOX_NET',
2685
+ 'IMHUB_EXEC_TIMEOUT_MS',
2686
+ 'IMHUB_EXEC_MAX_OUTPUT',
2687
+ // Native call_agent per-turn cap.
2688
+ 'IMHUB_NATIVE_CALL_AGENT_MAX_PER_TURN',
2664
2689
  ];
2665
2690
  const SECRET_KEYS = new Set(['IMHUB_SMTP_PASS', 'IMHUB_BAIDU_MAP_AK', 'IMHUB_MEMORY_VECTOR_OPENAI_API_KEY']);
2666
2691
  // maskSecret moved to ./env-mask.ts (imported at the top of this file
2667
2692
  // alongside isMasked).
2693
+ /** v1.2.67 — Security diagnostics endpoint. Returns the boot-time
2694
+ * safety observations the Security UI page renders as badges. None
2695
+ * of the values are secret; the endpoint is admin-gated only to
2696
+ * prevent reconnaissance via an open UI. */
2697
+ async function handleSecurityDiagnostics(_req, res) {
2698
+ try {
2699
+ const { ENV_FILE } = await import('../cli-ui/env-file.js');
2700
+ const { statSync, existsSync } = await import('node:fs');
2701
+ const getUid = process.getuid;
2702
+ const runningAsRoot = typeof getUid === 'function' ? getUid() === 0 : null;
2703
+ let envFile = {
2704
+ exists: false, mode: null, tooPermissive: false,
2705
+ };
2706
+ try {
2707
+ if (existsSync(ENV_FILE)) {
2708
+ const st = statSync(ENV_FILE);
2709
+ const mode = st.mode & 0o777;
2710
+ envFile = {
2711
+ exists: true,
2712
+ mode: mode.toString(8).padStart(3, '0'),
2713
+ tooPermissive: (mode & 0o077) !== 0,
2714
+ };
2715
+ }
2716
+ }
2717
+ catch { /* leave defaults */ }
2718
+ const bwrapAvailable = existsSync('/usr/bin/bwrap');
2719
+ const { isSenderAllowlistConfigured } = await import('../core/sender-allowlist.js');
2720
+ const senderAllowlistConfigured = isSenderAllowlistConfigured();
2721
+ const { isAllowlistConfigured: isAdminConfigured } = await import('../core/admin-allowlist.js');
2722
+ const adminAllowlistConfigured = isAdminConfigured();
2723
+ sendJson(res, 200, {
2724
+ diagnostics: {
2725
+ runningAsRoot,
2726
+ envFile,
2727
+ bwrapAvailable,
2728
+ senderAllowlistConfigured,
2729
+ adminAllowlistConfigured,
2730
+ // Live env values so the UI can show what's effectively in force
2731
+ // (process.env, which is what runtime sees) without round-tripping
2732
+ // through the env file.
2733
+ liveEnv: {
2734
+ IMHUB_EXEC_SANDBOX: process.env.IMHUB_EXEC_SANDBOX ?? null,
2735
+ IMHUB_NATIVE_FS_RESTRICT: process.env.IMHUB_NATIVE_FS_RESTRICT ?? null,
2736
+ IMHUB_TIMEOUT_DEFAULT: process.env.IMHUB_TIMEOUT_DEFAULT ?? null,
2737
+ IMHUB_DANGEROUSLY_SKIP_PERMISSIONS: process.env.IMHUB_DANGEROUSLY_SKIP_PERMISSIONS ?? null,
2738
+ },
2739
+ },
2740
+ });
2741
+ }
2742
+ catch (err) {
2743
+ sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
2744
+ }
2745
+ }
2668
2746
  async function handleGetEnv(_req, res, url) {
2669
2747
  try {
2670
2748
  const { readEnvFile } = await import('../cli-ui/env-file.js');