comisai 1.0.19 → 1.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (154) hide show
  1. package/dist/cli-entry.js +0 -0
  2. package/node_modules/@comis/agent/dist/context-engine/context-engine.js +43 -2
  3. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.d.ts +51 -0
  4. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.js +110 -0
  5. package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.d.ts +54 -0
  6. package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.js +145 -0
  7. package/node_modules/@comis/agent/dist/context-engine/types-core.d.ts +17 -0
  8. package/node_modules/@comis/agent/dist/executor/error-classifier.d.ts +11 -1
  9. package/node_modules/@comis/agent/dist/executor/error-classifier.js +13 -0
  10. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.d.ts +1 -0
  11. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.js +55 -0
  12. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.js +106 -5
  13. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.js +1 -0
  14. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
  15. package/node_modules/@comis/agent/dist/executor/pi-executor.js +30 -3
  16. package/node_modules/@comis/agent/dist/executor/replay-drift-detector.d.ts +85 -0
  17. package/node_modules/@comis/agent/dist/executor/replay-drift-detector.js +92 -0
  18. package/node_modules/@comis/agent/dist/executor/signature-block-scrubber.d.ts +34 -0
  19. package/node_modules/@comis/agent/dist/executor/signature-block-scrubber.js +69 -0
  20. package/node_modules/@comis/agent/dist/executor/signed-replay-detector.d.ts +39 -0
  21. package/node_modules/@comis/agent/dist/executor/signed-replay-detector.js +72 -0
  22. package/node_modules/@comis/agent/package.json +1 -1
  23. package/node_modules/@comis/channels/package.json +1 -1
  24. package/node_modules/@comis/cli/dist/cli.js +0 -0
  25. package/node_modules/@comis/cli/package.json +1 -1
  26. package/node_modules/@comis/core/dist/config/git-manager.js +10 -4
  27. package/node_modules/@comis/core/dist/config/index.d.ts +1 -0
  28. package/node_modules/@comis/core/dist/config/index.js +2 -0
  29. package/node_modules/@comis/core/dist/config/managed-sections.d.ts +67 -0
  30. package/node_modules/@comis/core/dist/config/managed-sections.js +124 -0
  31. package/node_modules/@comis/core/dist/config/schema-agent.d.ts +28 -10
  32. package/node_modules/@comis/core/dist/config/schema-agent.js +6 -0
  33. package/node_modules/@comis/core/dist/config/schema-gateway.d.ts +2 -2
  34. package/node_modules/@comis/core/dist/config/schema.d.ts +65 -64
  35. package/node_modules/@comis/core/dist/event-bus/events-messaging.d.ts +16 -0
  36. package/node_modules/@comis/core/dist/exports/config.d.ts +1 -1
  37. package/node_modules/@comis/core/dist/exports/config.js +1 -1
  38. package/node_modules/@comis/core/package.json +1 -1
  39. package/node_modules/@comis/daemon/bundled-skills/skill-creator/scripts/init-skill.py +0 -0
  40. package/node_modules/@comis/daemon/bundled-skills/skill-creator/scripts/validate-skill.py +0 -0
  41. package/node_modules/@comis/daemon/dist/daemon.js +11 -4
  42. package/node_modules/@comis/daemon/dist/rpc/config-handlers.js +20 -7
  43. package/node_modules/@comis/daemon/dist/rpc/session-handlers.js +27 -1
  44. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.d.ts +22 -0
  45. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.js +34 -8
  46. package/node_modules/@comis/daemon/dist/wiring/setup-tools.js +14 -1
  47. package/node_modules/@comis/daemon/package.json +1 -1
  48. package/node_modules/@comis/gateway/package.json +1 -1
  49. package/node_modules/@comis/infra/dist/logging/log-fields.d.ts +2 -2
  50. package/node_modules/@comis/infra/package.json +1 -1
  51. package/node_modules/@comis/memory/package.json +1 -1
  52. package/node_modules/@comis/scheduler/package.json +1 -1
  53. package/node_modules/@comis/shared/package.json +1 -1
  54. package/node_modules/@comis/skills/dist/bridge/tool-metadata-registry.js +23 -8
  55. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.d.ts +1 -1
  56. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.js +18 -14
  57. package/node_modules/@comis/skills/dist/builtin/platform/unified-session-tool.js +1 -1
  58. package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.d.ts +1 -0
  59. package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js +78 -5
  60. package/node_modules/@comis/skills/package.json +1 -1
  61. package/node_modules/@comis/web/package.json +1 -1
  62. package/package.json +24 -26
  63. package/node_modules/@comis/agent/dist/provider/response/strip-minimax-xml.d.ts +0 -9
  64. package/node_modules/@comis/agent/dist/provider/response/strip-minimax-xml.js +0 -17
  65. package/node_modules/@comis/agent/dist/provider/response/strip-model-tokens.d.ts +0 -13
  66. package/node_modules/@comis/agent/dist/provider/response/strip-model-tokens.js +0 -19
  67. package/node_modules/@comis/agent/dist/provider/response/strip-tool-text.d.ts +0 -11
  68. package/node_modules/@comis/agent/dist/provider/response/strip-tool-text.js +0 -32
  69. package/node_modules/@comis/agent/dist/safety/follow-through-detector.d.ts +0 -46
  70. package/node_modules/@comis/agent/dist/safety/follow-through-detector.js +0 -76
  71. package/node_modules/@comis/agent/dist/safety/post-compaction-safety.d.ts +0 -30
  72. package/node_modules/@comis/agent/dist/safety/post-compaction-safety.js +0 -51
  73. package/node_modules/@comis/agent/dist/safety/schema-normalizer.d.ts +0 -37
  74. package/node_modules/@comis/agent/dist/safety/schema-normalizer.js +0 -137
  75. package/node_modules/@comis/agent/dist/safety/schema-pruning.d.ts +0 -50
  76. package/node_modules/@comis/agent/dist/safety/schema-pruning.js +0 -112
  77. package/node_modules/@comis/agent/dist/safety/tool-image-sanitizer.d.ts +0 -43
  78. package/node_modules/@comis/agent/dist/safety/tool-image-sanitizer.js +0 -96
  79. package/node_modules/@comis/agent/dist/safety/tool-sanitizer.d.ts +0 -44
  80. package/node_modules/@comis/agent/dist/safety/tool-sanitizer.js +0 -94
  81. package/node_modules/@comis/channels/dist/shared/thinking-tag-filter.d.ts +0 -28
  82. package/node_modules/@comis/channels/dist/shared/thinking-tag-filter.js +0 -206
  83. package/node_modules/@comis/cli/dist/wizard/config-writer.d.ts +0 -25
  84. package/node_modules/@comis/cli/dist/wizard/config-writer.js +0 -144
  85. package/node_modules/@comis/cli/dist/wizard/flow-types.d.ts +0 -48
  86. package/node_modules/@comis/cli/dist/wizard/flow-types.js +0 -70
  87. package/node_modules/@comis/cli/dist/wizard/manual-flow.d.ts +0 -21
  88. package/node_modules/@comis/cli/dist/wizard/manual-flow.js +0 -345
  89. package/node_modules/@comis/cli/dist/wizard/quickstart-flow.d.ts +0 -21
  90. package/node_modules/@comis/cli/dist/wizard/quickstart-flow.js +0 -116
  91. package/node_modules/@comis/core/dist/config/schema-agent-model.d.ts +0 -135
  92. package/node_modules/@comis/core/dist/config/schema-agent-model.js +0 -114
  93. package/node_modules/@comis/core/dist/config/schema-agent-session.d.ts +0 -177
  94. package/node_modules/@comis/core/dist/config/schema-agent-session.js +0 -116
  95. package/node_modules/@comis/core/dist/config/schema-context-engine.d.ts +0 -92
  96. package/node_modules/@comis/core/dist/config/schema-context-engine.js +0 -92
  97. package/node_modules/@comis/core/dist/config/schema-context-guard.d.ts +0 -34
  98. package/node_modules/@comis/core/dist/config/schema-context-guard.js +0 -32
  99. package/node_modules/@comis/core/dist/config/schema-delivery-mirror.d.ts +0 -27
  100. package/node_modules/@comis/core/dist/config/schema-delivery-mirror.js +0 -26
  101. package/node_modules/@comis/core/dist/config/schema-delivery-queue.d.ts +0 -31
  102. package/node_modules/@comis/core/dist/config/schema-delivery-queue.js +0 -30
  103. package/node_modules/@comis/core/dist/config/schema-delivery-timing.d.ts +0 -41
  104. package/node_modules/@comis/core/dist/config/schema-delivery-timing.js +0 -31
  105. package/node_modules/@comis/core/dist/config/schema-monitoring.d.ts +0 -105
  106. package/node_modules/@comis/core/dist/config/schema-monitoring.js +0 -67
  107. package/node_modules/@comis/core/dist/ports/media-ports.d.ts +0 -278
  108. package/node_modules/@comis/core/dist/ports/media-ports.js +0 -1
  109. package/node_modules/@comis/core/dist/security/input-guard.d.ts +0 -46
  110. package/node_modules/@comis/core/dist/security/input-guard.js +0 -166
  111. package/node_modules/@comis/core/dist/security/scoped-secret-manager.d.ts +0 -38
  112. package/node_modules/@comis/core/dist/security/scoped-secret-manager.js +0 -94
  113. package/node_modules/@comis/daemon/dist/observability/delivery-context.d.ts +0 -37
  114. package/node_modules/@comis/daemon/dist/observability/delivery-context.js +0 -1
  115. package/node_modules/@comis/daemon/dist/observability/log-level-manager.d.ts +0 -23
  116. package/node_modules/@comis/daemon/dist/observability/log-level-manager.js +0 -34
  117. package/node_modules/@comis/daemon/dist/observability/log-transport.d.ts +0 -44
  118. package/node_modules/@comis/daemon/dist/observability/log-transport.js +0 -74
  119. package/node_modules/@comis/daemon/dist/observability/obs-write-buffer.d.ts +0 -53
  120. package/node_modules/@comis/daemon/dist/observability/obs-write-buffer.js +0 -68
  121. package/node_modules/@comis/daemon/dist/observability/types.d.ts +0 -6
  122. package/node_modules/@comis/daemon/dist/observability/types.js +0 -1
  123. package/node_modules/@comis/daemon/dist/wiring/seed-bundled-skills.d.ts +0 -41
  124. package/node_modules/@comis/daemon/dist/wiring/seed-bundled-skills.js +0 -84
  125. package/node_modules/@comis/daemon/dist/wiring/setup-delivery-mirror.d.ts +0 -24
  126. package/node_modules/@comis/daemon/dist/wiring/setup-delivery-mirror.js +0 -88
  127. package/node_modules/@comis/daemon/dist/wiring/setup-delivery-queue.d.ts +0 -31
  128. package/node_modules/@comis/daemon/dist/wiring/setup-delivery-queue.js +0 -132
  129. package/node_modules/@comis/daemon/dist/wiring/setup-monitoring.d.ts +0 -38
  130. package/node_modules/@comis/daemon/dist/wiring/setup-monitoring.js +0 -100
  131. package/node_modules/@comis/daemon/dist/wiring/setup-rpc-bridge.d.ts +0 -34
  132. package/node_modules/@comis/daemon/dist/wiring/setup-rpc-bridge.js +0 -52
  133. package/node_modules/@comis/daemon/dist/wiring/setup-task-extraction.d.ts +0 -41
  134. package/node_modules/@comis/daemon/dist/wiring/setup-task-extraction.js +0 -86
  135. package/node_modules/@comis/memory/dist/embedding-cache.d.ts +0 -36
  136. package/node_modules/@comis/memory/dist/embedding-cache.js +0 -94
  137. package/node_modules/@comis/skills/dist/bridge/tool-output-schemas.d.ts +0 -17
  138. package/node_modules/@comis/skills/dist/bridge/tool-output-schemas.js +0 -125
  139. package/node_modules/@comis/skills/dist/bridge/tool-parallelism-metadata.d.ts +0 -14
  140. package/node_modules/@comis/skills/dist/bridge/tool-parallelism-metadata.js +0 -92
  141. package/node_modules/@comis/skills/dist/bridge/tool-result-caps.d.ts +0 -14
  142. package/node_modules/@comis/skills/dist/bridge/tool-result-caps.js +0 -36
  143. package/node_modules/@comis/skills/dist/bridge/tool-search-hints.d.ts +0 -15
  144. package/node_modules/@comis/skills/dist/bridge/tool-search-hints.js +0 -68
  145. package/node_modules/@comis/skills/dist/bridge/tool-validators.d.ts +0 -11
  146. package/node_modules/@comis/skills/dist/bridge/tool-validators.js +0 -105
  147. package/node_modules/@comis/skills/dist/builtin/file/find-sort-wrapper.d.ts +0 -22
  148. package/node_modules/@comis/skills/dist/builtin/file/find-sort-wrapper.js +0 -95
  149. package/node_modules/@comis/skills/dist/builtin/file/grep-output-mode-wrapper.d.ts +0 -24
  150. package/node_modules/@comis/skills/dist/builtin/file/grep-output-mode-wrapper.js +0 -167
  151. package/node_modules/@comis/skills/dist/builtin/task-plan-tool.d.ts +0 -25
  152. package/node_modules/@comis/skills/dist/builtin/task-plan-tool.js +0 -67
  153. package/node_modules/@comis/skills/dist/integrations/mcp-tool-bridge.d.ts +0 -75
  154. package/node_modules/@comis/skills/dist/integrations/mcp-tool-bridge.js +0 -235
@@ -281,6 +281,22 @@ export interface MessagingEvents {
281
281
  escalatedMaxTokens: number;
282
282
  timestamp: number;
283
283
  };
284
+ /** Signed-replay self-heal fired: provider rejected stored signed thinking /
285
+ * reasoning state on the latest assistant turn (Anthropic `cannot be
286
+ * modified`, Gemini `thought_signature mismatch`, OpenAI Responses
287
+ * `reasoning_item not found`, OpenAI Completions `reasoning_id expired`,
288
+ * Mistral `encrypted_content verification failed`, etc.). The runner in
289
+ * `executor-prompt-runner.ts` scrubbed signed thinking state from the
290
+ * in-memory message array and re-entered the model retry chain. `succeeded`
291
+ * reports whether the retry produced a non-empty response. */
292
+ "execution:signed_replay_recovered": {
293
+ agentId: string;
294
+ sessionKey: string;
295
+ blocksRemoved: number;
296
+ thoughtSignaturesStripped: number;
297
+ succeeded: boolean;
298
+ timestamp: number;
299
+ };
284
300
  /** Failed announcement persisted to dead-letter queue */
285
301
  "announcement:dead_lettered": {
286
302
  runId: string;
@@ -1,2 +1,2 @@
1
- export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
1
+ export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, MANAGED_SECTIONS, getManagedSectionRedirect, formatRedirectHint, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
2
2
  export type { AppConfig, AgentConfig, BudgetConfig, CircuitBreakerConfig, DmScopeConfig, ElevatedReplyConfig, ModelRoutes, PruningConfig, HeartbeatConfig, HeartbeatTarget, PerAgentConfig, PerAgentCronConfig, PerAgentHeartbeatConfig, PerAgentSchedulerConfig, RagConfig, ResetPolicyOverride, RoutingBinding, RoutingConfig, SessionResetPolicyConfig, TracingConfig, ChannelConfig, ChannelEntry, ChannelHealthCheckConfig, AckReactionConfig, MemoryConfig, CompactionConfig, RetentionConfig, SecurityConfig, PermissionConfig, ActionConfirmationConfig, AgentToAgentConfig, SkillsConfig, DaemonConfig, LoggingConfig, TracingDefaults, ConfigWebhook, SchedulerConfig, GatewayConfig, GatewayTlsConfig, GatewayToken, GatewayRateLimit, IntegrationsConfig, BraveSearchConfig, McpServerEntry, McpConfig, TranscriptionConfig, TtsConfig, TtsAutoMode, ElevenLabsVoiceSettings, TtsOutputFormat, ImageAnalysisConfig, VisionScopeRule, VisionConfig, LinkUnderstandingConfig, MediaConfig, FileExtractionConfig, AutoReplyRule, AutoReplyConfig, MonitoringConfig, DiskMonitorConfig, ResourceMonitorConfig, SystemdMonitorConfig, SecurityUpdateMonitorConfig, GitMonitorConfig, PluginsConfig, PluginEntry, QueueConfig, PerChannelQueueConfig, QueueMode, OverflowPolicy, OverflowConfig, DebounceBufferConfig, FollowupConfig, PriorityLaneConfig, LaneAssignmentConfig, StreamingConfig, PerChannelStreamingConfig, TypingMode, ChunkMode, DeliveryMirrorConfig, DeliveryQueueConfig, DeliveryTimingConfig, DeliveryTimingMode, CoalescerConfig, AutoReplyEngineConfig, GroupActivationMode, SendPolicyConfig, SendPolicyRule, SendAction, EnvelopeConfig, RetryConfig, WebhooksConfig, WebhookMappingConfig, AgentSecretsConfig, SecretsConfig, ConfigError, ConfigErrorCode, FieldMetadata, PartialValidationResult, ConfigGitManager, GitCommitMetadata, HistoryEntry, GitManagerDeps, ExecGitFn, EnvValueWarning, LifecycleReactionsConfig, LifecycleReactionsTimingConfig, SenderTrustDisplayConfig, DocumentationConfig, DocumentationLink, ImageGenerationConfig, NotificationConfig, VerbosityConfig, VerbosityLevel, VerbosityOverride, ContextEngineConfig, BackgroundTasksConfig, MemoryReviewConfig, UserModel, ModelCost, OperationModelEntry, OperationModels, ModelOperationType, } from "../config/index.js";
@@ -1,3 +1,3 @@
1
1
  // SPDX-License-Identifier: Apache-2.0
2
2
  // @comis/core exports — Config (layered configuration with Zod validation)
3
- export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
3
+ export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, MANAGED_SECTIONS, getManagedSectionRedirect, formatRedirectHint, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/core",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "Core domain types, ports, event bus, security, and config for Comis",
@@ -182,13 +182,20 @@ export async function main(overrides = {}) {
182
182
  // better-sqlite3 'bindings' module fails fast with a clear repair hint
183
183
  // instead of cascading into a systemd restart loop.
184
184
  await _preflightDoctor(exitFn);
185
- // 0. Load secrets from .env
186
- const envPath = safePath(safePath(os.homedir(), ".comis"), ".env");
187
- loadEnvFile(envPath);
188
- // 0.5. Decrypt secrets, merge with env, scrub process.env
185
+ // 0. Resolve data directory, then load secrets from <dataDir>/.env.
186
+ // The env file always lives alongside the data dir, so it follows
187
+ // COMIS_DATA_DIR — set to /data inside the Docker container (matches
188
+ // the compose mount of ${COMIS_ENV_FILE:-~/.comis/.env}:/data/.env:ro),
189
+ // unset on bare-metal so it falls back to ~/.comis/.env. This is what
190
+ // makes the legacy "credentials in a flat .env file" workflow the
191
+ // default for both deployment modes; secrets.db is opt-in via
192
+ // SECRETS_MASTER_KEY.
189
193
  // eslint-disable-next-line no-restricted-syntax -- process.env access needed before SecretManager is initialized
190
194
  const dataDir = process.env["COMIS_DATA_DIR"]
191
195
  ?? safePath(os.homedir(), ".comis");
196
+ const envPath = safePath(dataDir, ".env");
197
+ loadEnvFile(envPath);
198
+ // 0.5. Decrypt secrets, merge with env, scrub process.env
192
199
  // Scan and correct permissions on known sensitive files
193
200
  const permissionCorrections = hardenDataDirPermissions(dataDir);
194
201
  const secretsBootResult = _setupSecrets({
@@ -8,7 +8,7 @@
8
8
  * Extracted from daemon.ts rpcCallInner switch block
9
9
  * @module
10
10
  */
11
- import { isImmutableConfigPath, getConfigSchema, getConfigSections, deepMerge, AppConfigSchema, redactConfigSecrets, warnSuspiciousEnvValues, } from "@comis/core";
11
+ import { isImmutableConfigPath, getConfigSchema, getConfigSections, deepMerge, AppConfigSchema, redactConfigSecrets, warnSuspiciousEnvValues, getManagedSectionRedirect, formatRedirectHint, } from "@comis/core";
12
12
  import { suppressError } from "@comis/shared";
13
13
  import { stringify as yamlStringify } from "yaml";
14
14
  import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync } from "node:fs";
@@ -406,10 +406,18 @@ export function createConfigHandlers(deps) {
406
406
  const coercedValue = coerceConfigValue(value, subSchema);
407
407
  const ctx = params._context;
408
408
  try {
409
- // Check immutable paths
409
+ // Check immutable paths.
410
+ // Backstop for direct-RPC clients (web UI, CLI). The gateway tool
411
+ // pre-flight and bridge metadata validator catch this earlier for
412
+ // LLM tool calls -- this path is reached when those layers are
413
+ // bypassed. Emit the same redirect hint so all clients see
414
+ // identical, model-agnostic recovery instructions (quick-260425-t40).
410
415
  if (isImmutableConfigPath(section, key)) {
411
- throw new Error(`Config path "${key ? `${section}.${key}` : section}" is immutable and cannot be modified at runtime. ` +
412
- "This setting requires manual operator intervention via config files.");
416
+ const redirect = getManagedSectionRedirect(section, key);
417
+ const suffix = redirect
418
+ ? ` ${formatRedirectHint(redirect)}`
419
+ : " This setting requires manual operator intervention via config files.";
420
+ throw new Error(`Config path "${key ? `${section}.${key}` : section}" is immutable and cannot be modified at runtime.${suffix}`);
413
421
  }
414
422
  // Build patch object (use coerced value for the actual data, keep original for audit)
415
423
  let patch;
@@ -582,10 +590,15 @@ export function createConfigHandlers(deps) {
582
590
  if (!(section in deps.container.config)) {
583
591
  throw new Error(`Unknown config section: "${section}". Valid sections: ${getConfigSections().join(", ")}.`);
584
592
  }
585
- // Check immutable paths -- entire section is being replaced
593
+ // Check immutable paths -- entire section is being replaced.
594
+ // Backstop for direct-RPC clients; LLM tool calls hit the same redirect
595
+ // earlier via gateway-tool / bridge validator (quick-260425-t40).
586
596
  if (isImmutableConfigPath(section)) {
587
- throw new Error(`Config section "${section}" is immutable and cannot be replaced at runtime. ` +
588
- "This section requires manual operator intervention via config files.");
597
+ const redirect = getManagedSectionRedirect(section);
598
+ const suffix = redirect
599
+ ? ` ${formatRedirectHint(redirect)}`
600
+ : " This section requires manual operator intervention via config files.";
601
+ throw new Error(`Config section "${section}" is immutable and cannot be replaced at runtime.${suffix}`);
589
602
  }
590
603
  // Build replacement: replace the section entirely (NOT deep merge)
591
604
  const currentConfig = structuredClone(deps.container.config);
@@ -181,6 +181,28 @@ function loadJsonlSession(filePath) {
181
181
  }
182
182
  }
183
183
  // ---------------------------------------------------------------------------
184
+ // Helpers
185
+ // ---------------------------------------------------------------------------
186
+ /**
187
+ * Collect available session keys from all sources (SQLite, JSONL, workspace)
188
+ * for inclusion in "session not found" error messages.
189
+ */
190
+ function collectAvailableSessionKeys(deps) {
191
+ const keys = [];
192
+ for (const s of deps.sessionStore.listDetailed()) {
193
+ keys.push(s.sessionKey);
194
+ }
195
+ if (deps.defaultWorkspaceDir) {
196
+ const existing = new Set(keys);
197
+ for (const ws of scanWorkspaceSessions(deps.defaultWorkspaceDir)) {
198
+ if (!existing.has(ws.sessionKey)) {
199
+ keys.push(ws.sessionKey);
200
+ }
201
+ }
202
+ }
203
+ return keys;
204
+ }
205
+ // ---------------------------------------------------------------------------
184
206
  // Factory
185
207
  // ---------------------------------------------------------------------------
186
208
  /**
@@ -428,7 +450,11 @@ export function createSessionHandlers(deps) {
428
450
  }
429
451
  }
430
452
  if (!data) {
431
- throw new Error(`Session not found: ${sessionKey}`);
453
+ const available = collectAvailableSessionKeys(deps);
454
+ const hint = available.length > 0
455
+ ? `. Available session keys: ${available.join(", ")}`
456
+ : ". Use action 'list' to discover available session keys";
457
+ throw new Error(`Session not found: ${sessionKey}${hint}`);
432
458
  }
433
459
  // Parse session key for metadata
434
460
  const parsed = parseFormattedSessionKey(sessionKey);
@@ -14,6 +14,28 @@ import type { MemoryApi, SqliteMemoryAdapter, createEmbeddingQueue, createSessio
14
14
  import type { RpcCall } from "@comis/skills";
15
15
  import { createGatewayServer, WsConnectionManager, type GatewayServerHandle } from "@comis/gateway";
16
16
  import type { RpcDispatchDeps } from "../rpc/rpc-dispatch.js";
17
+ /**
18
+ * Build the structured log fields for the gateway "Agent execution requested"
19
+ * INFO line. Replaces the previous behavior of logging the first 200 chars
20
+ * of the raw user message, which violated AGENTS.md §2.2 (no message bodies
21
+ * in logs at any level). Emits message length plus a short SHA-256 prefix
22
+ * for correlation, never the body itself.
23
+ *
24
+ * @param input.agentId Resolved agent ID (already trust-derived).
25
+ * @param input.message Raw user message (may be empty / undefined).
26
+ * @param input.connectionId Optional WebSocket connection ID.
27
+ * @returns Object suitable for `logger.info(obj, "Agent execution requested")`.
28
+ */
29
+ export declare function buildExecutionRequestedLogFields(input: {
30
+ agentId: string;
31
+ message: string | undefined;
32
+ connectionId: string | undefined;
33
+ }): {
34
+ agentId: string;
35
+ messageLen: number;
36
+ messageHash?: string;
37
+ connectionId?: string;
38
+ };
17
39
  /** All services produced by the RPC bridge setup phase. */
18
40
  export interface RpcBridgeResult {
19
41
  /** The rpcCall function usable immediately (delegates to inner dispatch once wired). */
@@ -15,10 +15,39 @@ import { suppressError } from "@comis/shared";
15
15
  import { readFileSync, existsSync } from "node:fs";
16
16
  import { parseSlashCommand, createCommandHandler, createGreetingGenerator, } from "@comis/agent";
17
17
  import { createDynamicMethodRouter, createRpcAdapters, createTokenStore, WsConnectionManager, } from "@comis/gateway";
18
- import { randomUUID } from "node:crypto";
18
+ import { createHash, randomUUID } from "node:crypto";
19
19
  import { dirname, join, resolve } from "node:path";
20
20
  import { fileURLToPath } from "node:url";
21
21
  import { createRpcDispatch, classifyRpcError } from "../rpc/rpc-dispatch.js";
22
+ // ===========================================================================
23
+ // Execution-request log redaction helper
24
+ // ===========================================================================
25
+ /**
26
+ * Build the structured log fields for the gateway "Agent execution requested"
27
+ * INFO line. Replaces the previous behavior of logging the first 200 chars
28
+ * of the raw user message, which violated AGENTS.md §2.2 (no message bodies
29
+ * in logs at any level). Emits message length plus a short SHA-256 prefix
30
+ * for correlation, never the body itself.
31
+ *
32
+ * @param input.agentId Resolved agent ID (already trust-derived).
33
+ * @param input.message Raw user message (may be empty / undefined).
34
+ * @param input.connectionId Optional WebSocket connection ID.
35
+ * @returns Object suitable for `logger.info(obj, "Agent execution requested")`.
36
+ */
37
+ export function buildExecutionRequestedLogFields(input) {
38
+ const raw = input.message ?? "";
39
+ const fields = {
40
+ agentId: input.agentId,
41
+ messageLen: raw.length,
42
+ };
43
+ if (raw.length > 0) {
44
+ fields.messageHash = createHash("sha256").update(raw).digest("hex").slice(0, 12);
45
+ }
46
+ if (input.connectionId !== undefined) {
47
+ fields.connectionId = input.connectionId;
48
+ }
49
+ return fields;
50
+ }
22
51
  /**
23
52
  * Create the rpcCall wrapper and deferred dispatch mechanism.
24
53
  * The returned rpcCall can be passed to setupTools immediately. After
@@ -296,14 +325,11 @@ export async function setupGateway(deps) {
296
325
  // Admin scope or wildcard -> admin trust; otherwise -> user trust (fail-closed).
297
326
  const trustLevel = deriveTrustLevel(params.scopes);
298
327
  gatewayLogger.debug({ scopes: params.scopes, trustLevel, agentId: execAgentId }, "Trust level derived from token scopes");
299
- const rawMsg = params.message ?? "";
300
- const truncated = rawMsg.length > 200;
301
- gatewayLogger.info({
328
+ gatewayLogger.info(buildExecutionRequestedLogFields({
302
329
  agentId: execAgentId,
303
- message: rawMsg.slice(0, 200),
304
- ...(truncated && { messageTruncated: true }),
305
- ...(connectionId && { connectionId }),
306
- }, "Agent execution requested");
330
+ message: params.message,
331
+ connectionId,
332
+ }), "Agent execution requested");
307
333
  // Link understanding preprocessing: enrich message text with fetched URL content
308
334
  const enrichedText = await preprocessMessageText(params.message);
309
335
  const msg = {
@@ -28,6 +28,11 @@ export function setupTools(deps) {
28
28
  const { rpcCall, agents, defaultAgentId, workspaceDirs, defaultWorkspaceDir, dataDir, secretManager, platformSecretNames, eventBus, skillsLogger, linkRunner, approvalGate, subprocessEnv, credentialMappingStore, onSuspiciousContent, mcpClientManager, sandboxProvider, sessionTrackerRegistry, } = deps;
29
29
  /** Per-agent ProcessRegistry instances for background process lifecycle management. */
30
30
  const processRegistries = new Map();
31
+ /** Agents we've already logged the no-sandbox WARN for. Per-agent assembly
32
+ * runs on every session/heartbeat/cron tick; without this guard the WARN
33
+ * repeats on every LLM call even though the underlying state is fixed at
34
+ * daemon startup (detectSandboxProvider runs once). */
35
+ const warnedNoSandboxAgents = new Set();
31
36
  function getOrCreateRegistry(agentId) {
32
37
  let registry = processRegistries.get(agentId);
33
38
  if (!registry) {
@@ -238,7 +243,15 @@ export function setupTools(deps) {
238
243
  }
239
244
  : undefined;
240
245
  if (!sandboxCfg && skillsConfig.execSandbox.enabled === "always") {
241
- skillsLogger.warn({ agentId, hint: "Sandbox enabled in config but no provider available -- exec tool will run without OS sandbox", errorKind: "config" }, "Exec tool running without OS sandbox");
246
+ if (warnedNoSandboxAgents.has(agentId)) {
247
+ // Already warned for this agent at WARN level — drop to DEBUG so
248
+ // every per-call assembly doesn't re-log the same fact.
249
+ skillsLogger.debug({ agentId }, "Exec tool running without OS sandbox (already warned at startup; per-call DEBUG)");
250
+ }
251
+ else {
252
+ skillsLogger.warn({ agentId, hint: "Sandbox enabled in config but no provider available -- exec tool will run without OS sandbox", errorKind: "config" }, "Exec tool running without OS sandbox");
253
+ warnedNoSandboxAgents.add(agentId);
254
+ }
242
255
  }
243
256
  // Exec tool -- always instantiated; builtinTools ceiling applied after profile filtering
244
257
  {
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/daemon",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "Background daemon and orchestrator for the Comis platform",
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/gateway",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "HTTP, JSON-RPC, and WebSocket gateway for Comis",
@@ -119,10 +119,10 @@ export interface LogFields {
119
119
  closeReason: string;
120
120
  /** Semantic categorization of the WebSocket close code (e.g., "normal", "abnormal", "no-status"). */
121
121
  closeType: string;
122
- /** Whether the logged message text was truncated from the original. */
123
- messageTruncated: boolean;
124
122
  /** Input message character length. */
125
123
  messageLen: number;
124
+ /** First 12 hex chars of SHA-256 of input message; omitted when empty. Stable per content. */
125
+ messageHash: string;
126
126
  /** Output response character length. */
127
127
  responseLen: number;
128
128
  /** Flat input token count for easy aggregation. */
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/infra",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "Structured logging infrastructure for Comis",
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/memory",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "SQLite memory, embeddings, and RAG storage for Comis agents",
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/scheduler",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "Task scheduling and cron management for Comis",
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/shared",
3
3
  "private": true,
4
- "version": "1.0.19",
4
+ "version": "1.0.23",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "Shared types and utilities for the Comis platform",
@@ -11,7 +11,7 @@
11
11
  *
12
12
  * @module
13
13
  */
14
- import { registerToolMetadata, isImmutableConfigPath, getMutableOverridesForSection } from "@comis/core";
14
+ import { registerToolMetadata, isImmutableConfigPath, getMutableOverridesForSection, getManagedSectionRedirect, formatRedirectHint, } from "@comis/core";
15
15
  import { validateExecCommand } from "../builtin/exec-security.js";
16
16
  import { GATEWAY_ACTIONS } from "../builtin/platform/gateway-tool.js";
17
17
  export function registerAllToolMetadata() {
@@ -149,25 +149,40 @@ export function registerAllToolMetadata() {
149
149
  return undefined;
150
150
  },
151
151
  });
152
- // Gateway tool -- action enum + immutable path rejection for patch.
152
+ // Gateway tool -- action enum + immutable path rejection for patch and apply.
153
153
  // Whitelist is derived from the tool's exported GATEWAY_ACTIONS tuple so
154
154
  // bridge + handler cannot drift (quick-260420-iv2 regression fix).
155
+ // When the rejected section has a dedicated *_manage tool, the message
156
+ // includes a parameter-correct redirect via formatRedirectHint() so any
157
+ // LLM (Opus/Sonnet/Haiku, GPT-5, Gemini, Mistral, etc.) can self-recover
158
+ // without model-specific prompting (quick-260425-t40).
155
159
  registerToolMetadata("gateway", {
156
160
  validateInput: (params) => {
157
161
  const action = typeof params.action === "string" ? params.action : undefined;
158
162
  if (!action || !GATEWAY_ACTIONS.includes(action)) {
159
163
  return `Invalid action: "${action ?? ""}". Valid: ${GATEWAY_ACTIONS.join(", ")}`;
160
164
  }
161
- // Only check immutability for patch action (reads must succeed on immutable paths)
165
+ const section = typeof params.section === "string" ? params.section : undefined;
166
+ // Only check immutability for mutating actions (reads must succeed on immutable paths).
162
167
  if (action === "patch") {
163
- const section = typeof params.section === "string" ? params.section : undefined;
164
168
  const key = typeof params.key === "string" ? params.key : undefined;
165
169
  if (section && isImmutableConfigPath(section, key)) {
166
170
  const mutablePaths = getMutableOverridesForSection(section, key);
167
- const pathHint = mutablePaths.length > 0
168
- ? ` Patchable: ${mutablePaths.join(", ")}`
169
- : "";
170
- return `Cannot patch immutable config path: ${section}${key ? "." + key : ""}.${pathHint}`;
171
+ const redirect = getManagedSectionRedirect(section, key);
172
+ const fullPath = `${section}${key ? "." + key : ""}`;
173
+ const suffix = redirect
174
+ ? ` ${formatRedirectHint(redirect, mutablePaths)}`
175
+ : mutablePaths.length > 0
176
+ ? ` Patchable: ${mutablePaths.join(", ")}.`
177
+ : "";
178
+ return `Cannot patch immutable config path: ${fullPath}.${suffix}`;
179
+ }
180
+ }
181
+ if (action === "apply") {
182
+ if (section && isImmutableConfigPath(section)) {
183
+ const redirect = getManagedSectionRedirect(section);
184
+ const suffix = redirect ? ` ${formatRedirectHint(redirect)}` : "";
185
+ return `Cannot apply to immutable config section: ${section}.${suffix}`;
171
186
  }
172
187
  }
173
188
  return undefined;
@@ -21,7 +21,7 @@ import type { RpcCall } from "./cron-tool.js";
21
21
  export declare const GATEWAY_ACTIONS: readonly ["read", "patch", "apply", "restart", "schema", "status", "history", "diff", "rollback", "env_set", "env_list"];
22
22
  export type GatewayAction = typeof GATEWAY_ACTIONS[number];
23
23
  declare const GatewayToolParams: import("@sinclair/typebox").TObject<{
24
- action: import("@sinclair/typebox").TUnion<import("@sinclair/typebox").TLiteral<"status" | "read" | "patch" | "apply" | "restart" | "schema" | "history" | "diff" | "rollback" | "env_set" | "env_list">[]>;
24
+ action: import("@sinclair/typebox").TUnion<import("@sinclair/typebox").TLiteral<"status" | "read" | "patch" | "diff" | "apply" | "restart" | "schema" | "history" | "rollback" | "env_set" | "env_list">[]>;
25
25
  section: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
26
26
  key: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
27
27
  value: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnknown>;
@@ -10,7 +10,7 @@
10
10
  * @module
11
11
  */
12
12
  import { Type } from "@sinclair/typebox";
13
- import { tryGetContext, isImmutableConfigPath, MUTABLE_CONFIG_OVERRIDES, matchesOverridePattern, getMutableOverridesForSection } from "@comis/core";
13
+ import { tryGetContext, isImmutableConfigPath, MUTABLE_CONFIG_OVERRIDES, matchesOverridePattern, getMutableOverridesForSection, getManagedSectionRedirect, formatRedirectHint, } from "@comis/core";
14
14
  import { readStringParam, throwToolError, createActionGate, } from "./tool-helpers.js";
15
15
  import { createMultiActionDispatchTool } from "./messaging-factory.js";
16
16
  // ---------------------------------------------------------------------------
@@ -123,19 +123,18 @@ export function createGatewayTool(rpcCall) {
123
123
  case "patch": {
124
124
  const section = readStringParam(p, "section");
125
125
  const key = readStringParam(p, "key");
126
- // Pre-gate immutability check: reject before asking for confirmation
126
+ // Pre-gate immutability check: reject before asking for confirmation.
127
+ // When the section has a dedicated *_manage tool, redirect there with
128
+ // a parameter-correct example call so the LLM can self-recover without
129
+ // needing model-specific prompting.
127
130
  if (isImmutableConfigPath(section, key)) {
128
131
  const mutablePaths = getMutableOverridesForSection(section, key);
129
- let hint;
130
- if (mutablePaths.length > 0) {
131
- hint = `Patchable paths under "${section}": ${mutablePaths.join(", ")}`;
132
- }
133
- else if (section === "agents") {
134
- hint = `Key must start with the agent ID. Use action="read" section="agents" first to see agent IDs, then patch as e.g. key="<agentId>.model"`;
135
- }
136
- else {
137
- hint = "This section has no runtime-patchable paths.";
138
- }
132
+ const redirect = getManagedSectionRedirect(section, key);
133
+ const hint = redirect
134
+ ? formatRedirectHint(redirect, mutablePaths)
135
+ : mutablePaths.length > 0
136
+ ? `Patchable paths under "${section}": ${mutablePaths.join(", ")}.`
137
+ : "This section has no runtime-patchable paths and no dedicated management tool.";
139
138
  throwToolError("permission_denied", `Cannot patch immutable config path: ${section}.${key}.`, { hint });
140
139
  }
141
140
  // Skip confirmation gate for known mutable override paths (no round-trip needed)
@@ -183,9 +182,14 @@ export function createGatewayTool(rpcCall) {
183
182
  }
184
183
  case "apply": {
185
184
  const section = readStringParam(p, "section");
186
- // Pre-gate immutability check: reject before asking for confirmation
185
+ // Pre-gate immutability check: reject before asking for confirmation.
186
+ // Redirect to the dedicated *_manage tool when one exists for this section.
187
187
  if (isImmutableConfigPath(section)) {
188
- throwToolError("permission_denied", `Cannot apply to immutable config section: ${section}.`, { hint: "Security-sensitive sections cannot be replaced at runtime." });
188
+ const redirect = getManagedSectionRedirect(section);
189
+ const hint = redirect
190
+ ? formatRedirectHint(redirect)
191
+ : "Security-sensitive sections cannot be replaced at runtime.";
192
+ throwToolError("permission_denied", `Cannot apply to immutable config section: ${section}.`, { hint });
189
193
  }
190
194
  const gate = applyGate(p);
191
195
  if (gate.requiresConfirmation) {
@@ -36,7 +36,7 @@ const UnifiedSessionParams = Type.Object({
36
36
  ], { description: "Filter by message role: 'all' (default), 'user', 'assistant', 'tool' (action: search)" })),
37
37
  summarize: Type.Optional(Type.Boolean({ description: "Summarize matched sessions using LLM (default: true when query provided) (action: search)" })),
38
38
  // history params
39
- session_key: Type.Optional(Type.String({ description: "Target session key to retrieve history for (action: history)" })),
39
+ session_key: Type.Optional(Type.String({ description: "Session key for action: history. Use action 'list' first to discover available keys. Format: {tenantId}:{filename}, e.g. 'default:678314278~peer~678314278'" })),
40
40
  offset: Type.Optional(Type.Integer({ description: "Pagination offset (default: 0) (action: history)" })),
41
41
  // shared params
42
42
  limit: Type.Optional(Type.Integer({ description: "Maximum results to return (action: search default 10 max 30, action: history default 20)" })),
@@ -10,6 +10,7 @@
10
10
  import type { SandboxProvider } from "./types.js";
11
11
  /** Minimal logger interface for sandbox detection. */
12
12
  export interface DetectLogger {
13
+ info(obj: Record<string, unknown>, msg: string): void;
13
14
  warn(obj: Record<string, unknown>, msg: string): void;
14
15
  }
15
16
  /**