clawmini 0.0.1 → 0.0.3

package/dist/daemon/index.mjs

@@ -1,9 +1,6 @@
-import { C as SettingsSchema, S as CronJobSchema, a as getAgent, b as writeChatSettings, c as getSettingsPath, g as readSettings, h as readEnvironment, i as getActiveEnvironmentInfo, l as getSocketPath, m as readChatSettings, o as getClawminiDir, p as readAgentSessionSettings, s as getEnvironmentPath, u as getWorkspaceRoot, v as writeAgentSessionSettings } from "../workspace-CSgfo_2J.mjs";
-import { n as pathIsInsideDir } from "../fs-B5wW0oaH.mjs";
-import { l as listChats, o as getDefaultChatId, s as getMessages } from "../chats-DKgTeU7i.mjs";
-import { n as exportLiteToEnvironment } from "../lite-Dl7WXyaH.mjs";
-import { a as daemonEvents, i as DAEMON_EVENT_TYPING, o as emitTyping, r as DAEMON_EVENT_MESSAGE_APPENDED, t as appendMessage } from "../chats-Zd_HXDHx.mjs";
-import fs from "node:fs";
+import { C as CronJobSchema, S as pathIsInsideDir, _ as readSettings, a as getAgent, b as writeChatSettings, c as getSettingsPath, g as readPolicies, h as readEnvironment, i as getActiveEnvironmentInfo, l as getSocketPath, m as readChatSettings, o as getClawminiDir, p as readAgentSessionSettings, s as getEnvironmentPath, u as getWorkspaceRoot, v as writeAgentSessionSettings, w as SettingsSchema } from "../workspace-DjoNjhW0.mjs";
+import { d as getMessages$1, n as exportLiteToEnvironment, o as appendMessage$1, p as listChats, u as getDefaultChatId } from "../lite-oSYSvaOr.mjs";
+import fs, { constants } from "node:fs";
 import path from "node:path";
 import { execSync, spawn } from "node:child_process";
 import fs$1 from "node:fs/promises";
@@ -12,9 +9,54 @@ import http from "node:http";
 import net from "node:net";
 import { createHTTPHandler } from "@trpc/server/adapters/standalone";
 import { TRPCError, initTRPC } from "@trpc/server";
-import crypto$1 from "node:crypto";
 import schedule from "node-schedule";
+import { EventEmitter, on } from "node:events";
+import crypto$1, { randomBytes, randomUUID } from "node:crypto";
+import fs$2 from "fs/promises";
+import path$1 from "path";
+import { randomInt } from "crypto";
 
+//#region src/daemon/api/trpc.ts
+const t = initTRPC.context().create();
+const router = t.router;
+const publicProcedure = t.procedure;
+const apiAuthMiddleware = t.middleware(({ ctx, next }) => {
+	if (ctx.isApiServer) {
+		if (!ctx.tokenPayload) throw new TRPCError({
+			code: "UNAUTHORIZED",
+			message: "Missing or invalid token"
+		});
+	}
+	return next({ ctx: {
+		...ctx,
+		tokenPayload: ctx.tokenPayload
+	} });
+});
+const apiProcedure = t.procedure.use(apiAuthMiddleware);
+
+//#endregion
+//#region src/daemon/events.ts
+const daemonEvents = new EventEmitter();
+const DAEMON_EVENT_MESSAGE_APPENDED = "message-appended";
+const DAEMON_EVENT_TYPING = "typing";
+function emitMessageAppended(chatId, message) {
+	daemonEvents.emit(DAEMON_EVENT_MESSAGE_APPENDED, {
+		chatId,
+		message
+	});
+}
+function emitTyping(chatId) {
+	daemonEvents.emit(DAEMON_EVENT_TYPING, { chatId });
+}
+
+//#endregion
+//#region src/daemon/chats.ts
+async function appendMessage(id, message, startDir = process.cwd()) {
+	await appendMessage$1(id, message, startDir);
+	emitMessageAppended(id, message);
+}
+
+//#endregion
 //#region src/daemon/queue.ts
 var Queue = class {
 	pending = [];
@@ -50,35 +92,38 @@ var Queue = class {
 			this.processNext().catch(() => {});
 		}
 	}
-	abortCurrent() {
+	abortCurrent(predicate) {
 		if (this.currentController) {
-			const error = /* @__PURE__ */ new Error("Task aborted");
-			error.name = "AbortError";
-			this.currentController.abort(error);
+			if (!predicate || this.currentPayload !== void 0 && predicate(this.currentPayload)) {
+				const error = /* @__PURE__ */ new Error("Task aborted");
+				error.name = "AbortError";
+				this.currentController.abort(error);
+			}
 		}
 	}
 	getCurrentPayload() {
 		return this.currentPayload;
 	}
-	clear(reason = "Task cleared") {
-		const tasksToClear = [...this.pending];
-		this.pending = [];
+	clear(reason = "Task cleared", predicate) {
+		const tasksToClear = predicate ? this.pending.filter((p) => p.payload !== void 0 && predicate(p.payload)) : [...this.pending];
+		if (predicate) this.pending = this.pending.filter((p) => !(p.payload !== void 0 && predicate(p.payload)));
+		else this.pending = [];
 		for (const { reject } of tasksToClear) {
 			const error = new Error(reason);
 			error.name = "AbortError";
 			reject(error);
 		}
 	}
-	extractPending() {
-		const extracted = this.pending.map((p) => p.payload).filter((p) => p !== void 0);
-		this.clear("Task extracted for batching");
+	extractPending(predicate) {
+		const extracted = this.pending.map((p) => p.payload).filter((p) => p !== void 0 && (!predicate || predicate(p)));
+		this.clear("Task extracted for batching", predicate);
 		return extracted;
 	}
 };
-const directoryQueues = /* @__PURE__ */ new Map();
-function getQueue(dir) {
-	if (!directoryQueues.has(dir)) directoryQueues.set(dir, new Queue());
-	return directoryQueues.get(dir);
+const messageQueues = /* @__PURE__ */ new Map();
+function getMessageQueue(dir) {
+	if (!messageQueues.has(dir)) messageQueues.set(dir, new Queue());
+	return messageQueues.get(dir);
 }
 
 //#endregion
@@ -154,18 +199,310 @@ const slashStop = createSlashActionRouter("stop", "stop", "Stopping current task
 //#region src/daemon/routers/slash-interrupt.ts
 const slashInterrupt = createSlashActionRouter("interrupt", "interrupt", "Interrupting current task...");
 
+//#endregion
+//#region src/daemon/request-store.ts
+const PolicyRequestSchema = z.object({
+	id: z.string(),
+	commandName: z.string(),
+	args: z.array(z.string()),
+	fileMappings: z.record(z.string(), z.string()),
+	state: z.enum([
+		"Pending",
+		"Approved",
+		"Rejected"
+	]),
+	createdAt: z.number(),
+	rejectionReason: z.string().optional(),
+	chatId: z.string(),
+	agentId: z.string()
+});
+function isENOENT(err) {
+	return Boolean(err && typeof err === "object" && "code" in err && err.code === "ENOENT");
+}
+var RequestStore = class {
+	baseDir;
+	constructor(startDir = process.cwd()) {
+		this.baseDir = path$1.join(getClawminiDir(startDir), "tmp", "requests");
+	}
+	async init() {
+		await fs$2.mkdir(this.baseDir, { recursive: true });
+	}
+	getFilePath(id) {
+		return path$1.join(this.baseDir, `${id}.json`);
+	}
+	async save(request) {
+		await this.init();
+		const normalizedId = normalizePolicyId(request.id);
+		request.id = normalizedId;
+		const filePath = this.getFilePath(normalizedId);
+		await fs$2.writeFile(filePath, JSON.stringify(request, null, 2), "utf8");
+	}
+	async load(id) {
+		const normalizedId = normalizePolicyId(id);
+		const filePath = this.getFilePath(normalizedId);
+		try {
+			const data = await fs$2.readFile(filePath, "utf8");
+			return PolicyRequestSchema.parse(JSON.parse(data));
+		} catch (err) {
+			if (isENOENT(err)) return null;
+			const msg = err instanceof Error ? err.message : String(err);
+			console.warn(`Failed to parse request file ${filePath}:`, msg);
+			return null;
+		}
+	}
+	async list() {
+		await this.init();
+		const requests = [];
+		try {
+			const files = await fs$2.readdir(this.baseDir);
+			for (const file of files) {
+				if (!file.endsWith(".json")) continue;
+				const id = path$1.basename(file, ".json");
+				const req = await this.load(id);
+				if (req) requests.push(req);
+			}
+		} catch (err) {
+			if (!isENOENT(err)) throw err;
+		}
+		return requests.sort((a, b) => b.createdAt - a.createdAt);
+	}
+};
+function generateRandomAlphaNumericString(length) {
+	const characters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	let result = "";
+	for (let i = 0; i < length; i++) result += characters[Math.floor(randomInt(36))];
+	return result;
+}
+function normalizePolicyId(id) {
+	return id.toLocaleUpperCase().trim();
+}
+
+//#endregion
+//#region src/daemon/policy-utils.ts
+const MAX_SNAPSHOT_SIZE = 5 * 1024 * 1024;
+async function createSnapshot(requestedPath, agentDir, snapshotDir) {
+	let realAgentDir;
+	try {
+		realAgentDir = await fs$1.realpath(agentDir);
+	} catch (err) {
+		throw new Error(`Agent directory not found or cannot be resolved: ${agentDir}`, { cause: err });
+	}
+	const resolvedRequestedPath = path.resolve(realAgentDir, requestedPath);
+	if (!pathIsInsideDir(resolvedRequestedPath, realAgentDir, { allowSameDir: true })) throw new Error(`Security Error: Path resolves outside the allowed agent directory: ${resolvedRequestedPath}`);
+	let stat;
+	try {
+		stat = await fs$1.lstat(resolvedRequestedPath);
+	} catch (err) {
+		throw new Error(`File not found or cannot be accessed: ${requestedPath}`, { cause: err });
+	}
+	if (stat.isSymbolicLink()) throw new Error(`Security Error: Symlinks are not allowed: ${requestedPath}`);
+	if (!stat.isFile()) throw new Error(`Requested path is not a file: ${requestedPath}`);
+	if (stat.size > MAX_SNAPSHOT_SIZE) throw new Error(`File exceeds maximum snapshot size of 5MB: ${requestedPath}`);
+	const ext = path.extname(resolvedRequestedPath);
+	const base = path.basename(resolvedRequestedPath, ext);
+	await fs$1.mkdir(snapshotDir, { recursive: true });
+	let snapshotPath;
+	while (true) {
+		const snapshotFileName = `${base}_${randomBytes(8).toString("hex")}${ext}`;
+		snapshotPath = path.join(snapshotDir, snapshotFileName);
+		try {
+			await fs$1.copyFile(resolvedRequestedPath, snapshotPath, constants.COPYFILE_EXCL);
+			break;
+		} catch (err) {
+			if (err instanceof Error && "code" in err && err.code === "EEXIST") continue;
+			throw err;
+		}
+	}
+	return snapshotPath;
+}
+function interpolateArgs(args, snapshots) {
+	return args.map((arg) => {
+		let interpolated = arg;
+		for (const [key, snapshotPath] of Object.entries(snapshots)) {
+			const variable = `{{${key}}}`;
+			interpolated = interpolated.replaceAll(variable, snapshotPath);
+		}
+		return interpolated;
+	});
+}
+function executeSafe(command, args, options) {
+	return new Promise((resolve) => {
+		const p = spawn(command, args, {
+			shell: false,
+			cwd: options?.cwd,
+			env: options?.env
+		});
+		let stdout = "";
+		let stderr = "";
+		if (p.stdout) p.stdout.on("data", (data) => {
+			stdout += data.toString();
+		});
+		if (p.stderr) p.stderr.on("data", (data) => {
+			stderr += data.toString();
+		});
+		p.on("close", (code) => {
+			resolve({
+				stdout,
+				stderr,
+				exitCode: code ?? 1
+			});
+		});
+		p.on("error", (err) => {
+			resolve({
+				stdout: "",
+				stderr: err.toString(),
+				exitCode: 1
+			});
+		});
+	});
+}
+async function generateRequestPreview(request) {
+	let previewContent = `Sandbox Policy Request: ${request.commandName}\n`;
+	previewContent += `ID: ${request.id}\n`;
+	if (request.args.length > 0) previewContent += `Args: ${request.args.join(" ")}\n`;
+	for (const [name, snapPath] of Object.entries(request.fileMappings)) {
+		previewContent += `File [${name}]:\n`;
+		try {
+			let content = await fs$1.readFile(snapPath, "utf8");
+			if (content.length > 500) content = content.substring(0, 500) + "\n... (truncated)\n";
+			previewContent += content;
+		} catch (e) {
+			previewContent += `<Error reading file: ${e.message}>\n`;
+		}
+	}
+	previewContent += `\nUse /approve ${request.id} or /reject ${request.id} [reason]`;
+	return previewContent;
+}
+
+//#endregion
+//#region src/daemon/routers/slash-policies.ts
+async function loadAndValidateRequest(id, state) {
+	const store = new RequestStore(getWorkspaceRoot());
+	const req = await store.load(id);
+	if (!req) return { error: {
+		...state,
+		message: "",
+		reply: `Request not found: ${id}`
+	} };
+	if (req.chatId && req.chatId !== state.chatId) return { error: {
+		...state,
+		message: "",
+		reply: `Request belongs to a different chat: ${req.chatId}`
+	} };
+	if (req.state !== "Pending") return { error: {
+		...state,
+		message: "",
+		reply: `Request is not pending: ${id}`
+	} };
+	return {
+		req,
+		store
+	};
+}
+async function slashPolicies(state) {
+	const message = state.message.trim();
+	if (message === "/pending") {
+		const pending = (await new RequestStore(getWorkspaceRoot()).list()).filter((r) => r.state === "Pending");
+		let reply = `Pending Requests (${pending.length}):\n`;
+		for (const req of pending) reply += `- ID: ${req.id} | Command: ${req.commandName} ${req.args.join(" ")}\n`;
+		return {
+			...state,
+			reply,
+			action: "stop"
+		};
+	}
+	const approveMatch = message.match(/^\/approve\s+([^\s]+)/);
+	if (approveMatch) {
+		const id = approveMatch[1];
+		if (!id) return state;
+		const { req, store, error } = await loadAndValidateRequest(id, state);
+		if (error) return error;
+		if (!req || !store) return state;
+		const policy = (await readPolicies())?.policies?.[req.commandName];
+		if (!policy) return {
+			...state,
+			message: "",
+			reply: `Policy not found: ${req.commandName}`
+		};
+		req.state = "Approved";
+		await store.save(req);
+		const interpolatedArgs = interpolateArgs([...policy.args || [], ...req.args], req.fileMappings);
+		const { stdout, stderr, exitCode } = await executeSafe(policy.command, interpolatedArgs, { cwd: getWorkspaceRoot() });
+		const commandStr = `${policy.command} ${interpolatedArgs.join(" ")}`;
+		const logMsg = {
+			id: randomUUID(),
+			messageId: state.messageId,
+			role: "log",
+			source: "router",
+			content: `Request ${id} approved and executed.`,
+			stderr,
+			stdout,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+			command: commandStr,
+			cwd: getWorkspaceRoot(),
+			exitCode
+		};
+		await appendMessage(state.chatId, logMsg);
+		const agentMessage = `Request ${id} approved.\n\n${wrapInHtml("stdout", stdout)}\n\n${wrapInHtml("stderr", stderr)}\n\nExit Code: ${exitCode}`;
+		return {
+			...state,
+			message: agentMessage,
+			reply: `Approved request, running ${req.commandName}`
+		};
+	}
+	const rejectMatch = message.match(/^\/reject\s+([^\s]+)(?:\s+(.*))?/);
+	if (rejectMatch) {
+		const id = rejectMatch[1];
+		if (!id) return state;
+		const reason = rejectMatch[2] || "No reason provided";
+		const { req, store, error } = await loadAndValidateRequest(id, state);
+		if (error) return error;
+		if (!req || !store) return state;
+		req.state = "Rejected";
+		req.rejectionReason = reason;
+		await store.save(req);
+		const logMsg = {
+			id: randomUUID(),
+			messageId: state.messageId,
+			role: "log",
+			source: "router",
+			content: `Request ${id} rejected. Reason: ${reason}`,
+			stderr: "",
+			timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+			command: `policy-request-reject ${id}`,
+			cwd: getWorkspaceRoot(),
+			exitCode: 1
+		};
+		await appendMessage(state.chatId, logMsg);
+		const agentMessage = `Request ${id} rejected. Reason: ${reason}`;
+		return {
+			...state,
+			message: agentMessage
+		};
+	}
+	return state;
+}
+function wrapInHtml(tag, text) {
+	if (text.trim().length === 0) return `<${tag}></${tag}>`;
+	return `<${tag}>\n${text.trim()}\n</${tag}>`;
+}
+
 //#endregion
 //#region src/daemon/routers.ts
 async function executeRouterPipeline(initialState, routers) {
 	let state = { ...initialState };
-	for (const router of routers) if (router === "@clawmini/slash-new") state = slashNew(state);
-	else if (router === "@clawmini/slash-command") state = await slashCommand(state);
-	else if (router === "@clawmini/slash-stop") state = slashStop(state);
-	else if (router === "@clawmini/slash-interrupt") state = slashInterrupt(state);
-	else try {
-		state = await executeCustomRouter(router, state);
-	} catch (err) {
-		console.error(`Router error [${router}]:`, err);
+	for (const router of routers) {
+		if (state.action === "stop") break;
+		if (router === "@clawmini/slash-new") state = slashNew(state);
+		else if (router === "@clawmini/slash-command") state = await slashCommand(state);
+		else if (router === "@clawmini/slash-stop") state = slashStop(state);
+		else if (router === "@clawmini/slash-interrupt") state = slashInterrupt(state);
+		else if (router === "@clawmini/slash-policies") state = await slashPolicies(state);
+		else try {
+			state = await executeCustomRouter(router, state);
+		} catch (err) {
+			console.error(`Router error [${router}]:`, err);
+		}
 	}
 	return state;
 }
@@ -296,6 +633,9 @@ function calculateDelay(attempt, baseDelayMs, isFallback = false) {
 	const delay = baseDelayMs * Math.pow(2, effectiveAttempt - 1);
 	return Math.min(delay, 15e3);
 }
+function formatPendingMessages(payloads) {
+	return payloads.map((text) => `<message>\n${text}\n</message>`).join("\n\n");
+}
 const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
 async function resolveSessionState(chatId, cwd, sessionId, overrideAgentId) {
 	const chatSettings = await readChatSettings(chatId, cwd);
@@ -374,9 +714,9 @@ function formatEnvironmentPrefix(prefix, replacements) {
 	};
 	return prefix.replace(/{(WORKSPACE_DIR|AGENT_DIR|ENV_DIR|HOME_DIR|ENV_ARGS)}/g, (match) => map[match] || match);
 }
-async function executeDirectMessage(chatId, state, settings, cwd, runCommand, noWait = true, userMessageContent) {
+async function executeDirectMessage(chatId, state, settings, cwd, runCommand, noWait = false, userMessageContent) {
 	const userMsg = {
-		id: crypto.randomUUID(),
+		id: state.messageId ?? crypto.randomUUID(),
 		role: "user",
 		content: userMessageContent ?? state.message,
 		timestamp: (/* @__PURE__ */ new Date()).toISOString()
@@ -396,18 +736,21 @@ async function executeDirectMessage(chatId, state, settings, cwd, runCommand, no
 		...state.reply.includes("NO_REPLY_NECESSARY") ? { level: "verbose" } : {}
 	});
 	if (!state.message.trim() && state.action !== "stop" && state.action !== "interrupt") return;
-	const queue = getQueue(cwd);
+	const queue = getMessageQueue(cwd);
 	if (state.action === "stop") {
 		queue.abortCurrent();
 		queue.clear();
 		return;
 	}
 	if (state.action === "interrupt") {
+		const targetSessionId = state.sessionId || "default";
+		const isMatchingSession = (p) => p.sessionId === targetSessionId;
 		const currentPayload = queue.getCurrentPayload();
-		queue.abortCurrent();
-		const extracted = queue.extractPending();
-		const payloads = currentPayload ? [currentPayload, ...extracted] : extracted;
-		if (payloads.length > 0) state.message = `${payloads.map((text) => `<message>\n${text}\n</message>`).join("\n\n")}\n\n<message>\n${state.message}\n</message>`.trim();
+		const currentMatches = currentPayload ? isMatchingSession(currentPayload) : false;
+		const extracted = queue.extractPending(isMatchingSession);
+		queue.abortCurrent(isMatchingSession);
+		const payloads = currentMatches && currentPayload ? [currentPayload, ...extracted] : extracted;
+		if (payloads.length > 0) state.message = `${formatPendingMessages(payloads.map((p) => p.text))}\n\n<message>\n${state.message}\n</message>`.trim();
 	}
 	if (!state.message.trim()) return;
 	const routerEnv = state.env ?? {};
@@ -570,20 +913,29 @@ async function executeDirectMessage(chatId, state, settings, cwd, runCommand, no
 			if (success) break;
 		}
 		if (lastLogMsg) await appendMessage(chatId, lastLogMsg);
-	}, state.message);
-	if (!noWait) await taskPromise;
+	}, {
+		text: state.message,
+		sessionId: state.sessionId || "default"
+	});
+	if (!noWait) try {
+		await taskPromise;
+	} catch (err) {
+		if (!(err instanceof Error && err.name === "AbortError")) throw err;
+	}
 	else taskPromise.catch((err) => {
 		if (err.name !== "AbortError") console.error("Task execution error:", err);
 	});
 }
-async function getInitialRouterState(chatId, message, cwd = process.cwd(), overrideAgentId, overrideSessionId) {
+async function getInitialRouterState(chatId, message, cwd = process.cwd(), overrideAgentId, overrideSessionId, overrideMessageId) {
 	const chatSettings = await readChatSettings(chatId, cwd) ?? {};
 	const agentId = overrideAgentId ?? chatSettings.defaultAgent ?? "default";
+	const sessionId = overrideSessionId ?? chatSettings.sessions?.[agentId] ?? "default";
 	return {
+		messageId: overrideMessageId ?? crypto.randomUUID(),
 		message,
 		chatId,
 		agentId,
-		sessionId: overrideSessionId ?? chatSettings.sessions?.[agentId] ?? "default",
+		sessionId,
 		env: {}
 	};
 }
@@ -613,6 +965,7 @@ async function handleUserMessage(chatId, message, settings, cwd = process.cwd(),
 	}
 	if (settingsChanged) await writeChatSettings(chatId, chatSettings, cwd);
 	const directState = {
+		messageId: finalState.messageId,
 		message: finalMessage,
 		chatId,
 		env: routerEnv
@@ -778,23 +1131,7 @@ var CronManager = class {
 const cronManager = new CronManager();
 
 //#endregion
-//#region src/daemon/router.ts
-const t = initTRPC.context().create();
-const router = t.router;
-const publicProcedure = t.procedure;
-const apiAuthMiddleware = t.middleware(({ ctx, next }) => {
-	if (ctx.isApiServer) {
-		if (!ctx.tokenPayload) throw new TRPCError({
-			code: "UNAUTHORIZED",
-			message: "Missing or invalid token"
-		});
-	}
-	return next({ ctx: {
-		...ctx,
-		tokenPayload: ctx.tokenPayload
-	} });
-});
-const apiProcedure = t.procedure.use(apiAuthMiddleware);
+//#region src/daemon/api/router-utils.ts
 async function getUniquePath(p) {
 	let currentPath = p;
 	let counter = 1;
@@ -820,16 +1157,6 @@ async function resolveAgentDir(agentId, workspaceRoot) {
 	}
 	return workspaceRoot;
 }
-async function resolveAndCheckChatId(ctx, inputChatId) {
-	const chatId = inputChatId ?? (ctx.isApiServer && ctx.tokenPayload ? ctx.tokenPayload.chatId : await getDefaultChatId());
-	if (ctx.isApiServer && ctx.tokenPayload) {
-		if (ctx.tokenPayload.chatId !== chatId) throw new TRPCError({
-			code: "FORBIDDEN",
-			message: "Token not authorized for this chat"
-		});
-	}
-	return chatId;
-}
 async function getAgentFilesDir(agentId, chatId, settings, workspaceRoot) {
 	const chatSettings = await readChatSettings(chatId) ?? {};
 	const targetAgentId = agentId ?? chatSettings.defaultAgent ?? "default";
@@ -844,8 +1171,6 @@ async function getAgentFilesDir(agentId, chatId, settings, workspaceRoot) {
 	return path.resolve(agentDir, agentFilesDir);
 }
 async function validateAttachments(files) {
-	const { pathIsInsideDir } = await import("../fs-B5wW0oaH.mjs").then((n) => n.t);
-	const { getClawminiDir } = await import("../workspace-CSgfo_2J.mjs").then((n) => n._);
 	const tmpDir = path.join(getClawminiDir(process.cwd()), "tmp");
 	for (const file of files) {
 		const absoluteFile = path.resolve(process.cwd(), file);
@@ -864,7 +1189,6 @@ async function validateAttachments(files) {
 	}
 }
 async function validateLogFile(file, agentDir, workspaceRoot) {
-	const { pathIsInsideDir } = await import("../fs-B5wW0oaH.mjs").then((n) => n.t);
 	const resolvedPath = path.resolve(agentDir, file);
 	if (!pathIsInsideDir(resolvedPath, agentDir, { allowSameDir: true })) throw new TRPCError({
 		code: "BAD_REQUEST",
@@ -880,192 +1204,349 @@ async function validateLogFile(file, agentDir, workspaceRoot) {
 	}
 	return path.relative(workspaceRoot, resolvedPath);
 }
-const AppRouter = router({
-	sendMessage: apiProcedure.input(z.object({
-		type: z.literal("send-message"),
-		client: z.literal("cli"),
-		data: z.object({
-			message: z.string(),
-			chatId: z.string().optional(),
-			sessionId: z.string().optional(),
-			agentId: z.string().optional(),
-			noWait: z.boolean().optional(),
-			files: z.array(z.string()).optional(),
-			adapter: z.string().optional()
-		})
-	})).mutation(async ({ input, ctx }) => {
-		let message = input.data.message;
-		const chatId = await resolveAndCheckChatId(ctx, input.data.chatId);
-		const noWait = input.data.noWait ?? false;
-		const sessionId = input.data.sessionId;
-		const agentId = input.data.agentId;
-		const settingsPath = getSettingsPath();
-		let settings;
-		try {
-			const settingsStr = await fs$1.readFile(settingsPath, "utf8");
-			settings = JSON.parse(settingsStr);
-		} catch (err) {
-			throw new Error(`Failed to read settings from ${settingsPath}: ${err}`, { cause: err });
-		}
-		const files = input.data.files;
-		if (files && files.length > 0) {
-			const workspaceRoot = getWorkspaceRoot(process.cwd());
-			const chatSettings = await readChatSettings(chatId) ?? {};
-			const agentDir = await resolveAgentDir(agentId ?? chatSettings.defaultAgent ?? "default", workspaceRoot);
-			const absoluteFilesDir = await getAgentFilesDir(agentId, chatId, settings, workspaceRoot);
-			const adapterNamespace = input.data.adapter || "cli";
-			const targetDir = path.join(absoluteFilesDir, adapterNamespace);
-			const { pathIsInsideDir } = await import("../fs-B5wW0oaH.mjs").then((n) => n.t);
-			if (!pathIsInsideDir(targetDir, workspaceRoot, { allowSameDir: true })) throw new TRPCError({
-				code: "BAD_REQUEST",
-				message: "Target directory must be within the workspace."
-			});
-			await validateAttachments(files);
-			await fs$1.mkdir(targetDir, { recursive: true });
-			const finalPaths = [];
-			for (const file of files) {
-				const fileName = path.basename(file);
-				const targetPath = await getUniquePath(path.join(targetDir, fileName));
-				try {
-					await fs$1.rename(file, targetPath);
-				} catch {
-					await fs$1.copyFile(file, targetPath);
-					await fs$1.unlink(file);
-				}
-				finalPaths.push(path.relative(agentDir, targetPath));
-			}
-			const fileList = `Attached files:\n${finalPaths.map((p) => `- ${p}`).join("\n")}`;
-			message = message ? `${message}\n\n${fileList}` : fileList;
-		}
-		await handleUserMessage(chatId, message, settings, void 0, noWait, (args) => runCommand({
-			...args,
-			logToTerminal: true
-		}), sessionId, agentId);
-		return { success: true };
-	}),
-	getMessages: apiProcedure.input(z.object({
-		chatId: z.string().optional(),
-		limit: z.number().optional()
-	})).query(async ({ input, ctx }) => {
-		return getMessages(await resolveAndCheckChatId(ctx, input.chatId), input.limit);
-	}),
-	waitForMessages: apiProcedure.input(z.object({
-		chatId: z.string().optional(),
-		lastMessageId: z.string().optional()
-	})).subscription(async function* ({ input, ctx, signal }) {
-		const chatId = await resolveAndCheckChatId(ctx, input.chatId);
-		if (input.lastMessageId) {
-			const messages = await getMessages(chatId);
-			const lastIndex = messages.findIndex((m) => m.id === input.lastMessageId);
-			if (lastIndex !== -1 && lastIndex < messages.length - 1) yield messages.slice(lastIndex + 1);
-		}
-		const { on } = await import("node:events");
-		try {
-			for await (const [event] of on(daemonEvents, DAEMON_EVENT_MESSAGE_APPENDED, { signal })) if (event.chatId === chatId) yield [event.message];
-		} catch (err) {
-			if (err instanceof Error && err.name === "AbortError") return;
-			throw err;
-		}
-	}),
-	waitForTyping: apiProcedure.input(z.object({ chatId: z.string().optional() })).subscription(async function* ({ input, ctx, signal }) {
-		const chatId = await resolveAndCheckChatId(ctx, input.chatId);
-		const { on } = await import("node:events");
-		try {
-			for await (const [event] of on(daemonEvents, DAEMON_EVENT_TYPING, { signal })) if (event.chatId === chatId) yield event;
-		} catch (err) {
-			if (err instanceof Error && err.name === "AbortError") return;
-			throw err;
-		}
-	}),
-	ping: publicProcedure.query(() => {
-		return { status: "ok" };
-	}),
-	shutdown: publicProcedure.mutation(() => {
-		setTimeout(() => {
-			console.log("Shutting down daemon...");
-			process.kill(process.pid, "SIGTERM");
-		}, 100);
-		return { success: true };
-	}),
-	logMessage: apiProcedure.input(z.object({
+async function listCronJobsShared(chatId) {
+	return (await readChatSettings(chatId))?.jobs ?? [];
+}
+async function addCronJobShared(chatId, job) {
+	const settings = await readChatSettings(chatId) || {};
+	const cronJobs = settings.jobs ?? [];
+	const existingIndex = cronJobs.findIndex((j) => j.id === job.id);
+	if (existingIndex >= 0) cronJobs[existingIndex] = job;
+	else cronJobs.push(job);
+	settings.jobs = cronJobs;
+	await writeChatSettings(chatId, settings);
+	cronManager.scheduleJob(chatId, job);
+	return { success: true };
+}
+async function deleteCronJobShared(chatId, id) {
+	const settings = await readChatSettings(chatId);
+	if (!settings || !settings.jobs) return {
+		success: true,
+		deleted: false
+	};
+	const initialLength = settings.jobs.length;
+	settings.jobs = settings.jobs.filter((j) => j.id !== id);
+	if (settings.jobs.length !== initialLength) {
+		await writeChatSettings(chatId, settings);
+		cronManager.unscheduleJob(chatId, id);
+		return {
+			success: true,
+			deleted: true
+		};
+	}
+	return {
+		success: true,
+		deleted: false
+	};
+}
+
+//#endregion
+//#region src/daemon/api/user-router.ts
+const sendMessage = apiProcedure.input(z.object({
+	type: z.literal("send-message"),
+	client: z.literal("cli"),
+	data: z.object({
+		message: z.string(),
 		chatId: z.string().optional(),
-		message: z.string().optional(),
-		files: z.array(z.string()).optional()
-	})).mutation(async ({ input, ctx }) => {
-		const chatId = await resolveAndCheckChatId(ctx, input.chatId);
-		const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-		const id = Date.now().toString() + Math.random().toString(36).substring(2, 7);
-		const filePaths = [];
-		if (input.files && input.files.length > 0) {
-			const workspaceRoot = getWorkspaceRoot(process.cwd());
-			const agentDir = await resolveAgentDir(ctx.tokenPayload?.agentId, workspaceRoot);
-			for (const file of input.files) {
-				const validPath = await validateLogFile(file, agentDir, workspaceRoot);
-				filePaths.push(validPath);
+		sessionId: z.string().optional(),
+		agentId: z.string().optional(),
+		noWait: z.boolean().optional(),
+		files: z.array(z.string()).optional(),
+		adapter: z.string().optional()
+	})
+})).mutation(async ({ input }) => {
+	let message = input.data.message;
+	const chatId = input.data.chatId ?? await getDefaultChatId();
+	const noWait = input.data.noWait ?? false;
+	const sessionId = input.data.sessionId;
+	const agentId = input.data.agentId;
+	const settingsPath = getSettingsPath();
+	let settings;
+	try {
+		const settingsStr = await fs$1.readFile(settingsPath, "utf8");
+		settings = JSON.parse(settingsStr);
+	} catch (err) {
+		throw new Error(`Failed to read settings from ${settingsPath}: ${err}`, { cause: err });
+	}
+	const files = input.data.files;
+	if (files && files.length > 0) {
+		const workspaceRoot = getWorkspaceRoot(process.cwd());
+		const chatSettings = await readChatSettings(chatId) ?? {};
+		const agentDir = await resolveAgentDir(agentId ?? chatSettings.defaultAgent ?? "default", workspaceRoot);
+		const absoluteFilesDir = await getAgentFilesDir(agentId, chatId, settings, workspaceRoot);
+		const adapterNamespace = input.data.adapter || "cli";
+		const targetDir = path.join(absoluteFilesDir, adapterNamespace);
+		if (!pathIsInsideDir(targetDir, workspaceRoot, { allowSameDir: true })) throw new TRPCError({
+			code: "BAD_REQUEST",
+			message: "Target directory must be within the workspace."
+		});
+		await validateAttachments(files);
+		await fs$1.mkdir(targetDir, { recursive: true });
+		const finalPaths = [];
+		for (const file of files) {
+			const fileName = path.basename(file);
+			const targetPath = await getUniquePath(path.join(targetDir, fileName));
+			try {
+				await fs$1.rename(file, targetPath);
+			} catch {
+				await fs$1.copyFile(file, targetPath);
+				await fs$1.unlink(file);
 			}
+			finalPaths.push(path.relative(agentDir, targetPath));
 		}
-		const filesArgStr = filePaths.map((p) => ` --file ${p}`).join("");
-		const logMsg = {
+		const fileList = `Attached files:\n${finalPaths.map((p) => `- ${p}`).join("\n")}`;
+		message = message ? `${message}\n\n${fileList}` : fileList;
+	}
+	await handleUserMessage(chatId, message, settings, void 0, noWait, (args) => runCommand({
+		...args,
+		logToTerminal: true
+	}), sessionId, agentId);
+	return { success: true };
+});
+const getMessages = apiProcedure.input(z.object({
+	chatId: z.string().optional(),
+	limit: z.number().optional()
+})).query(async ({ input }) => {
+	return getMessages$1(input.chatId ?? await getDefaultChatId(), input.limit);
+});
+const waitForMessages = apiProcedure.input(z.object({
+	chatId: z.string().optional(),
+	lastMessageId: z.string().optional()
+})).subscription(async function* ({ input, signal }) {
+	const chatId = input.chatId ?? await getDefaultChatId();
+	if (input.lastMessageId) {
+		const messages = await getMessages$1(chatId);
+		const lastIndex = messages.findIndex((m) => m.id === input.lastMessageId);
+		if (lastIndex !== -1 && lastIndex < messages.length - 1) yield messages.slice(lastIndex + 1);
+	}
+	try {
+		for await (const [event] of on(daemonEvents, DAEMON_EVENT_MESSAGE_APPENDED, { signal })) if (event.chatId === chatId) yield [event.message];
+	} catch (err) {
+		if (err instanceof Error && err.name === "AbortError") return;
+		throw err;
+	}
+});
+const waitForTyping = apiProcedure.input(z.object({ chatId: z.string().optional() })).subscription(async function* ({ input, signal }) {
+	const chatId = input.chatId ?? await getDefaultChatId();
+	try {
+		for await (const [event] of on(daemonEvents, DAEMON_EVENT_TYPING, { signal })) if (event.chatId === chatId) yield event;
+	} catch (err) {
+		if (err instanceof Error && err.name === "AbortError") return;
+		throw err;
+	}
+});
+const ping = publicProcedure.query(() => {
+	return { status: "ok" };
+});
+const shutdown = publicProcedure.mutation(() => {
+	setTimeout(() => {
+		console.log("Shutting down daemon...");
+		process.kill(process.pid, "SIGTERM");
+	}, 100);
+	return { success: true };
+});
+const userListCronJobs = apiProcedure.input(z.object({ chatId: z.string().optional() })).query(async ({ input }) => {
+	return listCronJobsShared(input.chatId ?? await getDefaultChatId());
+});
+const userAddCronJob = apiProcedure.input(z.object({
+	chatId: z.string().optional(),
+	job: CronJobSchema
+})).mutation(async ({ input }) => {
+	return addCronJobShared(input.chatId ?? await getDefaultChatId(), input.job);
+});
+const userDeleteCronJob = apiProcedure.input(z.object({
+	chatId: z.string().optional(),
+	id: z.string()
+})).mutation(async ({ input }) => {
+	return deleteCronJobShared(input.chatId ?? await getDefaultChatId(), input.id);
+});
+const userRouter = router({
+	sendMessage,
+	getMessages,
+	waitForMessages,
+	waitForTyping,
+	ping,
+	shutdown,
+	listCronJobs: userListCronJobs,
+	addCronJob: userAddCronJob,
+	deleteCronJob: userDeleteCronJob
+});
+
+//#endregion
+//#region src/daemon/policy-request-service.ts
+var PolicyRequestService = class {
+	store;
+	maxPending;
+	agentDir;
+	snapshotDir;
+	constructor(store, agentDir, snapshotDir, maxPending = 100) {
+		this.store = store;
+		this.agentDir = agentDir;
+		this.snapshotDir = snapshotDir;
+		this.maxPending = maxPending;
+	}
+	async createRequest(commandName, args, fileMappings, chatId, agentId) {
+		const allRequests = await this.store.list();
+		if (allRequests.filter((r) => r.state === "Pending").length >= this.maxPending) throw new Error(`Maximum number of pending requests (${this.maxPending}) reached.`);
+		const snapshotMappings = {};
+		for (const [key, requestedPath] of Object.entries(fileMappings)) snapshotMappings[key] = await createSnapshot(requestedPath, this.agentDir, this.snapshotDir);
+		let id = "";
+		do
+			id = generateRandomAlphaNumericString(3);
+		while (allRequests.some((r) => r.id === id));
+		const request = {
 			id,
-			messageId: id,
-			role: "log",
-			source: "router",
-			content: input.message || "",
-			stderr: "",
-			timestamp,
-			command: `clawmini-lite log${filesArgStr}`,
-			cwd: process.cwd(),
-			exitCode: 0,
-			...filePaths.length > 0 ? { files: filePaths } : {}
+			commandName,
+			args,
+			fileMappings: snapshotMappings,
+			state: "Pending",
+			createdAt: Date.now(),
+			chatId,
+			agentId
 		};
-		await import("../chats-Zd_HXDHx.mjs").then((n) => n.n).then((m) => m.appendMessage(chatId, logMsg));
-		return { success: true };
-	}),
-	listCronJobs: apiProcedure.input(z.object({ chatId: z.string().optional() })).query(async ({ input, ctx }) => {
-		return (await readChatSettings(await resolveAndCheckChatId(ctx, input.chatId)))?.jobs ?? [];
-	}),
-	addCronJob: apiProcedure.input(z.object({
-		chatId: z.string().optional(),
-		job: CronJobSchema
-	})).mutation(async ({ input, ctx }) => {
-		const chatId = await resolveAndCheckChatId(ctx, input.chatId);
-		const settings = await readChatSettings(chatId) || {};
-		const cronJobs = settings.jobs ?? [];
-		const existingIndex = cronJobs.findIndex((j) => j.id === input.job.id);
-		if (existingIndex >= 0) cronJobs[existingIndex] = input.job;
-		else cronJobs.push(input.job);
-		settings.jobs = cronJobs;
-		await writeChatSettings(chatId, settings);
-		cronManager.scheduleJob(chatId, input.job);
-		return { success: true };
-	}),
-	deleteCronJob: apiProcedure.input(z.object({
-		chatId: z.string().optional(),
-		id: z.string()
-	})).mutation(async ({ input, ctx }) => {
-		const chatId = await resolveAndCheckChatId(ctx, input.chatId);
-		const settings = await readChatSettings(chatId);
-		if (!settings || !settings.jobs) return {
-			success: true,
-			deleted: false
-		};
-		const initialLength = settings.jobs.length;
-		settings.jobs = settings.jobs.filter((j) => j.id !== input.id);
-		if (settings.jobs.length !== initialLength) {
-			await writeChatSettings(chatId, settings);
-			cronManager.unscheduleJob(chatId, input.id);
-			return {
-				success: true,
-				deleted: true
-			};
+		await this.store.save(request);
+		return request;
+	}
+	getInterpolatedArgs(request) {
+		return interpolateArgs(request.args, request.fileMappings);
+	}
+};
+
+//#endregion
+//#region src/daemon/api/agent-router.ts
+const logMessage = apiProcedure.input(z.object({
+	message: z.string().optional(),
+	files: z.array(z.string()).optional()
+})).mutation(async ({ input, ctx }) => {
+	if (!ctx.tokenPayload) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "Missing token"
+	});
+	const chatId = ctx.tokenPayload.chatId;
+	const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+	const id = Date.now().toString() + Math.random().toString(36).substring(2, 7);
+	const filePaths = [];
+	if (input.files && input.files.length > 0) {
+		const workspaceRoot = getWorkspaceRoot(process.cwd());
+		const agentDir = await resolveAgentDir(ctx.tokenPayload?.agentId, workspaceRoot);
+		for (const file of input.files) {
+			const validPath = await validateLogFile(file, agentDir, workspaceRoot);
+			filePaths.push(validPath);
 		}
-		return {
-			success: true,
-			deleted: false
-		};
-	})
+	}
+	const filesArgStr = filePaths.map((p) => ` --file ${p}`).join("");
+	await appendMessage(chatId, {
+		id,
+		messageId: id,
+		role: "log",
+		source: "router",
+		content: input.message || "",
+		stderr: "",
+		timestamp,
+		command: `clawmini-lite log${filesArgStr}`,
+		cwd: process.cwd(),
+		exitCode: 0,
+		...filePaths.length > 0 ? { files: filePaths } : {}
+	});
+	return { success: true };
+});
+const agentListCronJobs = apiProcedure.query(async ({ ctx }) => {
+	if (!ctx.tokenPayload) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "Missing token"
+	});
+	const chatId = ctx.tokenPayload.chatId;
+	return listCronJobsShared(chatId);
+});
+const agentAddCronJob = apiProcedure.input(z.object({ job: CronJobSchema })).mutation(async ({ input, ctx }) => {
+	if (!ctx.tokenPayload) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "Missing token"
+	});
+	const chatId = ctx.tokenPayload.chatId;
+	return addCronJobShared(chatId, {
+		...input.job,
+		agentId: ctx.tokenPayload.agentId
+	});
+});
+const agentDeleteCronJob = apiProcedure.input(z.object({ id: z.string() })).mutation(async ({ input, ctx }) => {
+	if (!ctx.tokenPayload) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "Missing token"
+	});
+	const chatId = ctx.tokenPayload.chatId;
+	return deleteCronJobShared(chatId, input.id);
+});
+const listPolicies = apiProcedure.query(async () => {
+	return await readPolicies();
+});
+const executePolicyHelp = apiProcedure.input(z.object({ commandName: z.string() })).query(async ({ input }) => {
+	const policy = (await readPolicies())?.policies?.[input.commandName];
+	if (!policy) throw new TRPCError({
+		code: "NOT_FOUND",
+		message: `Policy not found: ${input.commandName}`
+	});
+	if (!policy.allowHelp) return {
+		stdout: "",
+		stderr: "This command does not support --help\n",
+		exitCode: 1
+	};
+	const fullArgs = [...policy.args || [], "--help"];
+	const { stdout, stderr, exitCode } = await executeSafe(policy.command, fullArgs, { cwd: getWorkspaceRoot() });
+	return {
+		stdout,
+		stderr,
+		exitCode
+	};
+});
+const createPolicyRequest = apiProcedure.input(z.object({
+	commandName: z.string(),
+	args: z.array(z.string()),
+	fileMappings: z.record(z.string(), z.string())
+})).mutation(async ({ input, ctx }) => {
+	if (!ctx.tokenPayload) throw new TRPCError({
+		code: "UNAUTHORIZED",
+		message: "Missing token"
+	});
+	const workspaceRoot = getWorkspaceRoot(process.cwd());
+	const snapshotDir = path.join(getClawminiDir(process.cwd()), "tmp", "snapshots");
+	const service = new PolicyRequestService(new RequestStore(process.cwd()), await resolveAgentDir(ctx.tokenPayload?.agentId, workspaceRoot), snapshotDir);
+	const chatId = ctx.tokenPayload.chatId;
+	const agentId = ctx.tokenPayload.agentId;
+	const request = await service.createRequest(input.commandName, input.args, input.fileMappings, chatId, agentId);
+	const previewContent = await generateRequestPreview(request);
+	await appendMessage(chatId, {
+		id: randomUUID(),
+		messageId: randomUUID(),
+		role: "log",
+		source: "router",
+		content: previewContent,
+		stderr: "",
+		timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+		command: "policy-request",
+		cwd: process.cwd(),
+		exitCode: 0
+	});
+	return request;
+});
+const fetchPendingMessages = apiProcedure.mutation(async ({ ctx }) => {
+	const queue = getMessageQueue(process.cwd());
+	const targetSessionId = ctx.tokenPayload?.sessionId || "default";
+	const extracted = queue.extractPending((p) => p.sessionId === targetSessionId);
+	if (extracted.length === 0) return { messages: "" };
+	return { messages: formatPendingMessages(extracted.map((p) => p.text)) };
+});
+const agentRouter = router({
+	logMessage,
+	listCronJobs: agentListCronJobs,
+	addCronJob: agentAddCronJob,
+	deleteCronJob: agentDeleteCronJob,
+	listPolicies,
+	executePolicyHelp,
+	createPolicyRequest,
+	fetchPendingMessages,
+	ping
 });
-const appRouter = AppRouter;
 
 //#endregion
 //#region src/daemon/index.ts
@@ -1139,7 +1620,7 @@ async function initDaemon() {
 		readyPromiseResolve = resolve;
 	});
 	const handler = createHTTPHandler({
-		router: appRouter,
+		router: userRouter,
 		createContext: ({ req, res }) => ({
 			req,
 			res,
@@ -1172,7 +1653,7 @@ async function initDaemon() {
 	let apiServer;
 	if (apiCtx) {
 		const apiHandler = createHTTPHandler({
-			router: appRouter,
+			router: agentRouter,
 			createContext: ({ req, res }) => {
 				let tokenPayload = null;
 				const authHeader = req.headers.authorization;