arkaos 3.50.0 → 3.52.0

package/VERSION

@@ -1 +1 @@
-3.50.0
+3.52.0

package/dashboard/app/layouts/default.vue

@@ -59,6 +59,13 @@ const links = [[{
   onSelect: () => {
     open.value = false
   }
+}, {
+  label: 'Terminal',
+  icon: 'i-lucide-terminal',
+  to: '/terminal',
+  onSelect: () => {
+    open.value = false
+  }
 }, {
   label: 'Workflows',
   icon: 'i-lucide-workflow',

package/dashboard/app/pages/agents/[id].vue

@@ -105,6 +105,58 @@ function markedHtml(src: string): string {
   }
 }
 
+// PR95b v3.52.0 — edit YAML inline (modal).
+const yamlEditorOpen = ref(false)
+const yamlEditorDraft = ref('')
+const yamlEditorSaving = ref(false)
+
+async function openYamlEditor() {
+  if (!agent.value) return
+  // Fetch raw YAML once when opening (already on backend via PR89d).
+  try {
+    const blob = await $fetch<Blob>(
+      `${apiBase}/api/agents/${agentId}/yaml`,
+      { responseType: 'blob' },
+    )
+    yamlEditorDraft.value = await blob.text()
+    yamlEditorOpen.value = true
+  } catch (err) {
+    toast.add({
+      title: 'Failed to load YAML',
+      description: err instanceof Error ? err.message : 'unknown error',
+      color: 'error',
+    })
+  }
+}
+
+async function saveYamlEditor() {
+  if (!agent.value) return
+  yamlEditorSaving.value = true
+  try {
+    const res = await $fetch<{ updated?: boolean, error?: string }>(
+      `${apiBase}/api/agents/${agentId}/yaml`,
+      { method: 'PUT', body: { content: yamlEditorDraft.value } },
+    )
+    if (res.error) throw new Error(res.error)
+    toast.add({
+      title: 'YAML updated',
+      description: agentId,
+      color: 'success',
+      icon: 'i-lucide-check',
+    })
+    yamlEditorOpen.value = false
+    await refresh()
+  } catch (err) {
+    toast.add({
+      title: 'Save failed',
+      description: err instanceof Error ? err.message : 'unknown error',
+      color: 'error',
+    })
+  } finally {
+    yamlEditorSaving.value = false
+  }
+}
+
 // PR89d v3.30.0 — download YAML.
 const downloadingYaml = ref(false)
 async function downloadYaml() {
@@ -402,6 +454,13 @@ function formatTokens(n: number): string {
                     :loading="downloadingYaml"
                     @click="downloadYaml"
                   />
+                  <UButton
+                    label="Edit YAML"
+                    icon="i-lucide-file-code"
+                    variant="ghost"
+                    size="sm"
+                    @click="openYamlEditor"
+                  />
                   <UButton
                     label="Edit"
                     icon="i-lucide-pencil"
@@ -552,6 +611,57 @@ function formatTokens(n: number): string {
           </ol>
         </section>
 
+        <!-- PR95b v3.52.0 — YAML editor modal -->
+        <UModal v-model:open="yamlEditorOpen" :ui="{ content: 'max-w-3xl' }">
+          <template #content>
+            <UCard>
+              <template #header>
+                <div class="flex items-center justify-between gap-3">
+                  <div>
+                    <h2 class="text-lg font-bold">Edit agent YAML</h2>
+                    <p class="text-xs text-muted mt-0.5 font-mono">{{ agent?.id }}</p>
+                  </div>
+                  <UButton
+                    icon="i-lucide-x"
+                    variant="ghost"
+                    size="sm"
+                    :disabled="yamlEditorSaving"
+                    @click="yamlEditorOpen = false"
+                  />
+                </div>
+              </template>
+              <UTextarea
+                v-model="yamlEditorDraft"
+                :rows="20"
+                class="w-full font-mono text-xs"
+              />
+              <template #footer>
+                <div class="flex items-center justify-between gap-2 text-xs">
+                  <p class="text-muted">
+                    Edits go through the same validator as PUT /api/agents/{id}/yaml —
+                    parse + dict root + matching id. Tier 0 agents are locked.
+                  </p>
+                  <div class="flex gap-2 shrink-0">
+                    <UButton
+                      label="Cancel"
+                      variant="ghost"
+                      :disabled="yamlEditorSaving"
+                      @click="yamlEditorOpen = false"
+                    />
+                    <UButton
+                      label="Save"
+                      icon="i-lucide-check"
+                      color="primary"
+                      :loading="yamlEditorSaving"
+                      @click="saveYamlEditor"
+                    />
+                  </div>
+                </div>
+              </template>
+            </UCard>
+          </template>
+        </UModal>
+
         <AgentEditDrawer
           v-model="editOpen"
           :agent="agent"

package/dashboard/app/pages/terminal.vue

@@ -0,0 +1,224 @@
+<script setup lang="ts">
+// PR95a v3.51.0 — Dashboard terminal (allowlist mode).
+//
+// Operator picks one of the allowlisted commands; backend runs it via
+// subprocess.run (no shell). Output streams into the history block.
+//
+// Note: vue-termui is for building Vue TUI apps that RUN in a terminal,
+// not for embedding an arbitrary shell in a browser. The dashboard
+// instead ships a controlled command runner with allowlist + capped
+// output. xterm.js-style PTY can be a later upgrade if needed.
+
+interface CommandEntry {
+  id: string
+  label: string
+  description: string
+}
+
+interface ExecResult {
+  stdout: string
+  stderr: string
+  exit_code: number
+  duration_ms: number
+  command: string
+}
+
+interface HistoryEntry {
+  id: string
+  label: string
+  result: ExecResult
+  ts: string
+}
+
+const { fetchApi, apiBase } = useApi()
+const toast = useToast()
+
+const { data: cmdData, status } = await fetchApi<{ commands: CommandEntry[] }>(
+  '/api/terminal/commands',
+)
+const commands = computed<CommandEntry[]>(() => cmdData.value?.commands ?? [])
+
+const running = ref<string | null>(null)
+const history = ref<HistoryEntry[]>([])
+
+async function run(cmd: CommandEntry) {
+  running.value = cmd.id
+  try {
+    const res = await $fetch<ExecResult & { error?: string }>(
+      `${apiBase}/api/terminal/exec`,
+      { method: 'POST', body: { command_id: cmd.id } },
+    )
+    if (res.error) throw new Error(res.error)
+    history.value = [
+      {
+        id: cmd.id,
+        label: cmd.label,
+        result: res,
+        ts: new Date().toISOString(),
+      },
+      ...history.value,
+    ].slice(0, 20)
+    if (res.exit_code === 0) {
+      toast.add({
+        title: `${cmd.label} · ok`,
+        description: `${res.duration_ms}ms`,
+        color: 'success',
+        icon: 'i-lucide-check',
+      })
+    } else {
+      toast.add({
+        title: `${cmd.label} · exit ${res.exit_code}`,
+        description: `${res.duration_ms}ms · ${res.stderr.slice(0, 80) || 'no stderr'}`,
+        color: 'warning',
+      })
+    }
+  } catch (err) {
+    toast.add({
+      title: 'Run failed',
+      description: err instanceof Error ? err.message : 'unknown error',
+      color: 'error',
+    })
+  } finally {
+    running.value = null
+  }
+}
+
+function copyOutput(entry: HistoryEntry) {
+  if (typeof navigator === 'undefined' || !navigator.clipboard) return
+  const body = entry.result.stdout || entry.result.stderr
+  void navigator.clipboard.writeText(body)
+  toast.add({ title: 'Copied to clipboard', color: 'success', icon: 'i-lucide-clipboard-check' })
+}
+
+function clearHistory() {
+  history.value = []
+}
+
+function relative(iso: string): string {
+  const ts = Date.parse(iso)
+  if (Number.isNaN(ts)) return iso
+  const diff = Date.now() - ts
+  const s = Math.floor(diff / 1000)
+  if (s < 60) return `${s}s ago`
+  const m = Math.floor(s / 60)
+  if (m < 60) return `${m}m ago`
+  return `${Math.floor(m / 60)}h ago`
+}
+</script>
+
+<template>
+  <UDashboardPanel id="terminal">
+    <template #header>
+      <UDashboardNavbar title="Terminal">
+        <template #leading>
+          <UDashboardSidebarCollapse />
+        </template>
+        <template #trailing>
+          <UBadge label="Allowlist mode" variant="subtle" color="primary" size="sm" />
+        </template>
+      </UDashboardNavbar>
+    </template>
+
+    <template #body>
+      <DashboardState
+        :status="status"
+        :empty="commands.length === 0"
+        empty-title="No allowlisted commands"
+        empty-description="The backend exposes no terminal commands. Add to TERMINAL_ALLOWLIST."
+        empty-icon="i-lucide-terminal"
+      >
+        <div class="space-y-5 max-w-4xl">
+          <UCard>
+            <template #header>
+              <div>
+                <h3 class="text-lg font-bold">Commands</h3>
+                <p class="text-xs text-muted mt-0.5">
+                  Server-enforced allowlist. Each command runs via
+                  <code class="font-mono">subprocess.run</code> with explicit argv —
+                  no shell, no globbing, no pipes. Cap: 15s timeout, 20K chars per stream.
+                </p>
+              </div>
+            </template>
+            <div class="grid grid-cols-1 md:grid-cols-2 gap-2">
+              <UButton
+                v-for="cmd in commands"
+                :key="cmd.id"
+                :label="cmd.label"
+                :description="cmd.description"
+                icon="i-lucide-terminal"
+                variant="soft"
+                color="primary"
+                size="sm"
+                block
+                class="justify-start"
+                :loading="running === cmd.id"
+                :disabled="running !== null && running !== cmd.id"
+                @click="run(cmd)"
+              />
+            </div>
+          </UCard>
+
+          <UCard v-if="history.length > 0">
+            <template #header>
+              <div class="flex items-center justify-between gap-3">
+                <div>
+                  <h3 class="text-lg font-bold">Recent runs</h3>
+                  <p class="text-xs text-muted mt-0.5">
+                    Last {{ history.length }} commands · most recent first
+                  </p>
+                </div>
+                <UButton label="Clear" variant="ghost" size="xs" @click="clearHistory" />
+              </div>
+            </template>
+            <ul class="space-y-4">
+              <li
+                v-for="entry in history"
+                :key="`${entry.ts}-${entry.id}`"
+                class="rounded-lg border border-default overflow-hidden"
+              >
+                <div class="px-3 py-2 bg-elevated/30 flex items-center justify-between gap-3 text-xs">
+                  <div class="min-w-0 flex items-center gap-2">
+                    <UBadge
+                      :label="entry.result.exit_code === 0 ? 'ok' : `exit ${entry.result.exit_code}`"
+                      :color="entry.result.exit_code === 0 ? 'success' : 'warning'"
+                      variant="subtle"
+                      size="xs"
+                    />
+                    <span class="font-mono truncate">{{ entry.result.command }}</span>
+                  </div>
+                  <div class="flex items-center gap-2 shrink-0">
+                    <span class="text-muted font-mono">{{ entry.result.duration_ms }}ms</span>
+                    <span class="text-muted">{{ relative(entry.ts) }}</span>
+                    <UButton
+                      icon="i-lucide-clipboard-copy"
+                      variant="ghost"
+                      size="xs"
+                      aria-label="Copy output"
+                      @click="copyOutput(entry)"
+                    />
+                  </div>
+                </div>
+                <pre
+                  v-if="entry.result.stdout"
+                  class="p-3 text-xs font-mono whitespace-pre overflow-x-auto"
+                >{{ entry.result.stdout }}</pre>
+                <pre
+                  v-if="entry.result.stderr"
+                  class="p-3 text-xs font-mono whitespace-pre overflow-x-auto text-rose-500 border-t border-default"
+                >{{ entry.result.stderr }}</pre>
+              </li>
+            </ul>
+          </UCard>
+
+          <p class="text-xs text-muted">
+            Want a different command? Add it to
+            <code class="font-mono">TERMINAL_ALLOWLIST</code> in
+            <code class="font-mono">scripts/dashboard-api.py</code> and
+            restart the backend. Arbitrary shell execution from the
+            dashboard is intentionally not supported.
+          </p>
+        </div>
+      </DashboardState>
+    </template>
+  </UDashboardPanel>
+</template>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arkaos",
-  "version": "3.50.0",
+  "version": "3.52.0",
   "description": "The Operating System for AI Agent Teams",
   "type": "module",
   "bin": {

package/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "arkaos-core"
-version = "3.50.0"
+version = "3.52.0"
 description = "Core engine for ArkaOS — The Operating System for AI Agent Teams"
 readme = "README.md"
 license = {text = "MIT"}

package/scripts/dashboard-api.py

@@ -449,6 +449,51 @@ def persona_download_markdown(persona_id: str):
     )
 
 
+@app.put("/api/agents/{agent_id}/yaml")
+def agent_update_yaml(agent_id: str, body: dict):
+    """PR95b v3.52.0 — overwrite an agent's YAML file in place.
+
+    Body: ``{"content": "<full YAML>"}``. Mirrors the workflow YAML
+    editor (PR94d): parses the content, requires a dict root + an `id`
+    that matches the URL param. Atomic write via tmp + replace.
+
+    Refuses to mutate Tier 0 agents — those are governance fixtures.
+    """
+    if not isinstance(body, dict):
+        return {"error": "body must be an object"}
+    content = str(body.get("content") or "")
+    if not content.strip():
+        return {"error": "content is required"}
+    yaml_file = _resolve_agent_yaml(agent_id)
+    if yaml_file is None:
+        return {"error": "Agent not found"}
+    if _agent_tier_from_yaml(yaml_file) == 0:
+        return {"error": "Cannot edit Tier 0 (C-Suite) YAML via this endpoint"}
+    try:
+        import yaml as _yaml
+        parsed = _yaml.safe_load(content)
+    except Exception as exc:  # noqa: BLE001
+        return {"error": f"YAML parse failed: {exc}"}
+    if not isinstance(parsed, dict):
+        return {"error": "YAML root must be a mapping"}
+    if not parsed.get("id"):
+        return {"error": "YAML must include a non-empty 'id' field"}
+    if parsed.get("id") != agent_id:
+        return {
+            "error": (
+                "YAML 'id' must match the URL param "
+                f"({parsed.get('id')!r} vs {agent_id!r})"
+            ),
+        }
+    try:
+        tmp = yaml_file.with_suffix(yaml_file.suffix + ".tmp")
+        tmp.write_text(content, encoding="utf-8")
+        tmp.replace(yaml_file)
+    except OSError as exc:
+        return {"error": f"write failed: {exc}"}
+    return {"updated": True, "id": agent_id, "yaml_path": str(yaml_file)}
+
+
 @app.get("/api/agents/{agent_id}/yaml")
 def agent_download_yaml(agent_id: str):
     """PR89d v3.30.0 — return the raw YAML for the agent.
@@ -1894,6 +1939,120 @@ def _iso_duration_s(start_iso: str, end_iso: str) -> Optional[int]:
         return None
 
 
+# --- Terminal command runner (PR95a v3.51.0) ---
+
+# Allowlist of commands the dashboard terminal can run. Each entry is
+# {id, label, cmd, description}. Server-side enforcement: any request
+# whose `command_id` isn't in this list is rejected. No shell expansion,
+# no globbing, no pipes — subprocess.run with explicit argv only.
+TERMINAL_ALLOWLIST: list[dict] = [
+    {
+        "id": "arka-status",
+        "label": "ArkaOS status",
+        "cmd": ["arkaos", "status"],
+        "description": "System status (version, departments, agents, projects).",
+    },
+    {
+        "id": "git-status",
+        "label": "git status",
+        "cmd": ["git", "status", "--short"],
+        "description": "Working tree status in short form.",
+    },
+    {
+        "id": "git-log",
+        "label": "git log (10)",
+        "cmd": ["git", "log", "-10", "--oneline"],
+        "description": "Most recent 10 commits.",
+    },
+    {
+        "id": "npm-version",
+        "label": "npm view arkaos version",
+        "cmd": ["npm", "view", "arkaos", "version"],
+        "description": "Latest published ArkaOS version on npm.",
+    },
+    {
+        "id": "pytest-collect",
+        "label": "pytest --collect-only",
+        "cmd": ["python3", "-m", "pytest", "--collect-only", "-q", "tests/python/"],
+        "description": "List every Python test without running.",
+    },
+    {
+        "id": "ls",
+        "label": "ls",
+        "cmd": ["ls", "-la"],
+        "description": "List files in the project root.",
+    },
+]
+
+_TERMINAL_TIMEOUT_S = 15
+_TERMINAL_MAX_OUTPUT = 20_000  # chars — both stdout and stderr capped
+
+
+@app.get("/api/terminal/commands")
+def terminal_commands():
+    """List allowlisted commands the dashboard terminal may run."""
+    return {
+        "commands": [
+            {"id": c["id"], "label": c["label"], "description": c["description"]}
+            for c in TERMINAL_ALLOWLIST
+        ],
+        "total": len(TERMINAL_ALLOWLIST),
+    }
+
+
+@app.post("/api/terminal/exec")
+def terminal_exec(body: dict):
+    """PR95a v3.51.0 — run an allowlisted command and return the output.
+
+    Body: ``{"command_id": "<id>"}``. Unknown ids are rejected.
+    Returns ``{stdout, stderr, exit_code, duration_ms, command}``.
+    Output is capped at ``_TERMINAL_MAX_OUTPUT`` chars per stream.
+    """
+    if not isinstance(body, dict):
+        return {"error": "body must be an object"}
+    cid = (body.get("command_id") or "").strip()
+    if not cid:
+        return {"error": "command_id is required"}
+    entry = next((c for c in TERMINAL_ALLOWLIST if c["id"] == cid), None)
+    if entry is None:
+        return {"error": f"command '{cid}' is not on the allowlist"}
+    import time
+    started = time.monotonic()
+    try:
+        result = subprocess.run(
+            entry["cmd"],
+            cwd=str(ARKAOS_ROOT),
+            capture_output=True,
+            text=True,
+            timeout=_TERMINAL_TIMEOUT_S,
+            shell=False,
+        )
+    except subprocess.TimeoutExpired:
+        return {
+            "stdout": "",
+            "stderr": f"command timed out after {_TERMINAL_TIMEOUT_S}s",
+            "exit_code": -1,
+            "duration_ms": int(_TERMINAL_TIMEOUT_S * 1000),
+            "command": " ".join(entry["cmd"]),
+        }
+    except OSError as exc:
+        return {
+            "stdout": "",
+            "stderr": f"command failed to launch: {exc}",
+            "exit_code": -1,
+            "duration_ms": int((time.monotonic() - started) * 1000),
+            "command": " ".join(entry["cmd"]),
+        }
+    duration_ms = int((time.monotonic() - started) * 1000)
+    return {
+        "stdout": (result.stdout or "")[:_TERMINAL_MAX_OUTPUT],
+        "stderr": (result.stderr or "")[:_TERMINAL_MAX_OUTPUT],
+        "exit_code": result.returncode,
+        "duration_ms": duration_ms,
+        "command": " ".join(entry["cmd"]),
+    }
+
+
 @app.put("/api/workflows/{workflow_id}/yaml")
 def workflow_update_yaml(workflow_id: str, body: dict):
     """PR94d v3.50.0 — overwrite a workflow's YAML file in place.