comisai 1.0.33 → 1.0.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (285) hide show
  1. package/node_modules/@comis/agent/dist/background/auto-background-middleware.d.ts +11 -1
  2. package/node_modules/@comis/agent/dist/background/auto-background-middleware.js +21 -4
  3. package/node_modules/@comis/agent/dist/background/background-task-manager.d.ts +2 -2
  4. package/node_modules/@comis/agent/dist/background/background-task-manager.js +61 -20
  5. package/node_modules/@comis/agent/dist/background/background-task-persistence.js +10 -3
  6. package/node_modules/@comis/agent/dist/background/background-task-types.d.ts +10 -3
  7. package/node_modules/@comis/agent/dist/background/background-task-types.js +1 -1
  8. package/node_modules/@comis/agent/dist/background/completion-formatter.d.ts +39 -0
  9. package/node_modules/@comis/agent/dist/background/completion-formatter.js +77 -0
  10. package/node_modules/@comis/agent/dist/background/completion-runner.d.ts +53 -0
  11. package/node_modules/@comis/agent/dist/background/completion-runner.js +151 -0
  12. package/node_modules/@comis/agent/dist/background/index.d.ts +4 -0
  13. package/node_modules/@comis/agent/dist/background/index.js +2 -0
  14. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.d.ts +17 -2
  15. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.js +14 -2
  16. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.d.ts +23 -23
  17. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.js +72 -60
  18. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.d.ts +6 -7
  19. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.js +24 -25
  20. package/node_modules/@comis/agent/dist/budget/cost-tracker.d.ts +1 -1
  21. package/node_modules/@comis/agent/dist/context-engine/constants.d.ts +5 -5
  22. package/node_modules/@comis/agent/dist/context-engine/constants.js +12 -12
  23. package/node_modules/@comis/agent/dist/context-engine/context-engine.js +13 -4
  24. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.d.ts +1 -2
  25. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.js +1 -2
  26. package/node_modules/@comis/agent/dist/context-engine/llm-compaction.js +20 -16
  27. package/node_modules/@comis/agent/dist/context-engine/rehydration.js +6 -6
  28. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.d.ts +12 -12
  29. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.js +36 -22
  30. package/node_modules/@comis/agent/dist/context-engine/types-core.d.ts +15 -0
  31. package/node_modules/@comis/agent/dist/executor/cache-break-detection.d.ts +6 -6
  32. package/node_modules/@comis/agent/dist/executor/cache-break-detection.js +8 -8
  33. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.d.ts +16 -0
  34. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.js +46 -5
  35. package/node_modules/@comis/agent/dist/executor/executor-post-execution.d.ts +30 -0
  36. package/node_modules/@comis/agent/dist/executor/executor-post-execution.js +17 -1
  37. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.js +1 -1
  38. package/node_modules/@comis/agent/dist/executor/executor-response-filter.d.ts +7 -6
  39. package/node_modules/@comis/agent/dist/executor/executor-response-filter.js +9 -42
  40. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.js +2 -3
  41. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.d.ts +2 -2
  42. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.js +4 -4
  43. package/node_modules/@comis/agent/dist/executor/phase-filter.d.ts +2 -2
  44. package/node_modules/@comis/agent/dist/executor/phase-filter.js +5 -7
  45. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +13 -0
  46. package/node_modules/@comis/agent/dist/executor/pi-executor.js +71 -6
  47. package/node_modules/@comis/agent/dist/executor/post-batch-continuation.js +7 -7
  48. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.d.ts +1 -1
  49. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.js +1 -1
  50. package/node_modules/@comis/agent/dist/executor/tool-deferral.d.ts +2 -2
  51. package/node_modules/@comis/agent/dist/executor/tool-deferral.js +7 -7
  52. package/node_modules/@comis/agent/dist/index.d.ts +17 -0
  53. package/node_modules/@comis/agent/dist/index.js +32 -11
  54. package/node_modules/@comis/agent/dist/model/auth-provider.d.ts +25 -2
  55. package/node_modules/@comis/agent/dist/model/auth-provider.js +6 -0
  56. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.d.ts +3 -3
  57. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.js +3 -3
  58. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.d.ts +37 -0
  59. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.js +279 -0
  60. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.d.ts +49 -0
  61. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.js +50 -0
  62. package/node_modules/@comis/agent/dist/model/oauth-device-code.d.ts +57 -0
  63. package/node_modules/@comis/agent/dist/model/oauth-device-code.js +302 -0
  64. package/node_modules/@comis/agent/dist/model/oauth-env.d.ts +33 -0
  65. package/node_modules/@comis/agent/dist/model/oauth-env.js +38 -0
  66. package/node_modules/@comis/agent/dist/model/oauth-errors.d.ts +41 -0
  67. package/node_modules/@comis/agent/dist/model/oauth-errors.js +88 -0
  68. package/node_modules/@comis/agent/dist/model/oauth-identity.d.ts +53 -0
  69. package/node_modules/@comis/agent/dist/model/oauth-identity.js +141 -0
  70. package/node_modules/@comis/agent/dist/model/oauth-login-runner.d.ts +99 -0
  71. package/node_modules/@comis/agent/dist/model/oauth-login-runner.js +374 -0
  72. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.d.ts +58 -0
  73. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.js +82 -0
  74. package/node_modules/@comis/agent/dist/model/oauth-token-manager.d.ts +86 -16
  75. package/node_modules/@comis/agent/dist/model/oauth-token-manager.js +961 -66
  76. package/node_modules/@comis/agent/dist/model/operation-model-defaults.d.ts +9 -4
  77. package/node_modules/@comis/agent/dist/model/operation-model-defaults.js +36 -9
  78. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.d.ts +48 -0
  79. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.js +66 -0
  80. package/node_modules/@comis/agent/dist/provider/capabilities.d.ts +5 -5
  81. package/node_modules/@comis/agent/dist/provider/capabilities.js +10 -23
  82. package/node_modules/@comis/agent/dist/safety/tool-output-safety.js +3 -3
  83. package/node_modules/@comis/agent/dist/session/comis-session-manager.d.ts +1 -1
  84. package/node_modules/@comis/agent/dist/session/comis-session-manager.js +1 -1
  85. package/node_modules/@comis/agent/dist/spawn/narrative-caster.d.ts +10 -0
  86. package/node_modules/@comis/agent/dist/spawn/narrative-caster.js +5 -1
  87. package/node_modules/@comis/agent/package.json +1 -1
  88. package/node_modules/@comis/channels/dist/email/email-adapter.js +6 -6
  89. package/node_modules/@comis/channels/dist/email/imap-lifecycle.js +7 -7
  90. package/node_modules/@comis/channels/dist/shared/deliver-to-channel.js +12 -10
  91. package/node_modules/@comis/channels/dist/telegram/telegram-adapter.js +1 -1
  92. package/node_modules/@comis/channels/package.json +1 -1
  93. package/node_modules/@comis/cli/dist/cli.js +2 -0
  94. package/node_modules/@comis/cli/dist/commands/agent.d.ts +3 -3
  95. package/node_modules/@comis/cli/dist/commands/agent.js +46 -3
  96. package/node_modules/@comis/cli/dist/commands/auth.d.ts +37 -0
  97. package/node_modules/@comis/cli/dist/commands/auth.js +433 -0
  98. package/node_modules/@comis/cli/dist/commands/doctor.d.ts +4 -1
  99. package/node_modules/@comis/cli/dist/commands/doctor.js +20 -5
  100. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.d.ts +39 -0
  101. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.js +399 -0
  102. package/node_modules/@comis/cli/dist/doctor/types.d.ts +19 -0
  103. package/node_modules/@comis/cli/dist/index.d.ts +1 -0
  104. package/node_modules/@comis/cli/dist/index.js +10 -4
  105. package/node_modules/@comis/cli/dist/output/relative-time.d.ts +23 -0
  106. package/node_modules/@comis/cli/dist/output/relative-time.js +36 -0
  107. package/node_modules/@comis/cli/dist/wizard/non-interactive.js +17 -8
  108. package/node_modules/@comis/cli/dist/wizard/steps/03-provider.js +2 -1
  109. package/node_modules/@comis/cli/dist/wizard/steps/04-credentials.js +223 -34
  110. package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +14 -0
  111. package/node_modules/@comis/cli/dist/wizard/steps/11-daemon-start.js +3 -3
  112. package/node_modules/@comis/cli/dist/wizard/types.d.ts +7 -0
  113. package/node_modules/@comis/cli/package.json +1 -1
  114. package/node_modules/@comis/core/dist/bootstrap.d.ts +1 -1
  115. package/node_modules/@comis/core/dist/config/env-substitution.d.ts +66 -0
  116. package/node_modules/@comis/core/dist/config/env-substitution.js +115 -0
  117. package/node_modules/@comis/core/dist/config/index.d.ts +3 -1
  118. package/node_modules/@comis/core/dist/config/index.js +2 -1
  119. package/node_modules/@comis/core/dist/config/loader.js +61 -0
  120. package/node_modules/@comis/core/dist/config/managed-sections.d.ts +3 -3
  121. package/node_modules/@comis/core/dist/config/managed-sections.js +10 -5
  122. package/node_modules/@comis/core/dist/config/schema-agent.d.ts +4 -0
  123. package/node_modules/@comis/core/dist/config/schema-agent.js +16 -1
  124. package/node_modules/@comis/core/dist/config/schema-background-tasks.d.ts +7 -0
  125. package/node_modules/@comis/core/dist/config/schema-background-tasks.js +7 -0
  126. package/node_modules/@comis/core/dist/config/schema-delivery.d.ts +2 -0
  127. package/node_modules/@comis/core/dist/config/schema-delivery.js +2 -0
  128. package/node_modules/@comis/core/dist/config/schema-gemini-cache.d.ts +0 -2
  129. package/node_modules/@comis/core/dist/config/schema-gemini-cache.js +0 -2
  130. package/node_modules/@comis/core/dist/config/schema-oauth.d.ts +23 -0
  131. package/node_modules/@comis/core/dist/config/schema-oauth.js +19 -0
  132. package/node_modules/@comis/core/dist/config/schema-skills.d.ts +6 -8
  133. package/node_modules/@comis/core/dist/config/schema-skills.js +3 -4
  134. package/node_modules/@comis/core/dist/config/schema.d.ts +10 -0
  135. package/node_modules/@comis/core/dist/config/schema.js +3 -0
  136. package/node_modules/@comis/core/dist/domain/background-task-origin.d.ts +39 -0
  137. package/node_modules/@comis/core/dist/domain/background-task-origin.js +39 -0
  138. package/node_modules/@comis/core/dist/event-bus/events-infra.d.ts +71 -2
  139. package/node_modules/@comis/core/dist/exports/config.d.ts +2 -2
  140. package/node_modules/@comis/core/dist/exports/config.js +1 -1
  141. package/node_modules/@comis/core/dist/exports/domain.d.ts +2 -0
  142. package/node_modules/@comis/core/dist/exports/domain.js +1 -0
  143. package/node_modules/@comis/core/dist/exports/ports.d.ts +2 -2
  144. package/node_modules/@comis/core/dist/exports/ports.js +1 -1
  145. package/node_modules/@comis/core/dist/ports/delivery-queue.d.ts +23 -0
  146. package/node_modules/@comis/core/dist/ports/delivery-queue.js +2 -0
  147. package/node_modules/@comis/core/dist/ports/index.d.ts +2 -0
  148. package/node_modules/@comis/core/dist/ports/index.js +1 -0
  149. package/node_modules/@comis/core/dist/ports/oauth-credential-store.d.ts +64 -0
  150. package/node_modules/@comis/core/dist/ports/oauth-credential-store.js +37 -0
  151. package/node_modules/@comis/core/dist/tool-metadata.d.ts +20 -0
  152. package/node_modules/@comis/core/package.json +1 -1
  153. package/node_modules/@comis/daemon/dist/daemon-types.d.ts +23 -3
  154. package/node_modules/@comis/daemon/dist/daemon.js +82 -19
  155. package/node_modules/@comis/daemon/dist/health/watchdog.js +18 -3
  156. package/node_modules/@comis/daemon/dist/index.d.ts +2 -0
  157. package/node_modules/@comis/daemon/dist/index.js +5 -0
  158. package/node_modules/@comis/daemon/dist/observability/channel-health-logger.js +3 -3
  159. package/node_modules/@comis/daemon/dist/observability/delivery-queue-logger.js +1 -1
  160. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.d.ts +22 -1
  161. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.js +84 -21
  162. package/node_modules/@comis/daemon/dist/rpc/agent-inline-workspace.js +2 -2
  163. package/node_modules/@comis/daemon/dist/rpc/config-handlers.d.ts +9 -1
  164. package/node_modules/@comis/daemon/dist/rpc/config-handlers.js +104 -23
  165. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.d.ts +30 -1
  166. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.js +74 -11
  167. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.d.ts +8 -0
  168. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.js +22 -8
  169. package/node_modules/@comis/daemon/dist/rpc/provider-handlers.js +9 -12
  170. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.d.ts +1 -0
  171. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.js +27 -2
  172. package/node_modules/@comis/daemon/dist/setup-docker-restart-warn.js +0 -1
  173. package/node_modules/@comis/daemon/dist/wiring/index.d.ts +2 -0
  174. package/node_modules/@comis/daemon/dist/wiring/index.js +1 -0
  175. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.d.ts +21 -0
  176. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.js +134 -0
  177. package/node_modules/@comis/daemon/dist/wiring/setup-agents.d.ts +46 -1
  178. package/node_modules/@comis/daemon/dist/wiring/setup-agents.js +127 -3
  179. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.d.ts +39 -0
  180. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.js +32 -0
  181. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.d.ts +10 -3
  182. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.js +11 -5
  183. package/node_modules/@comis/daemon/dist/wiring/setup-channels.js +20 -1
  184. package/node_modules/@comis/daemon/dist/wiring/setup-cross-session.js +1 -1
  185. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.d.ts +14 -5
  186. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.js +52 -19
  187. package/node_modules/@comis/daemon/dist/wiring/setup-schedulers.js +4 -0
  188. package/node_modules/@comis/daemon/package.json +1 -1
  189. package/node_modules/@comis/gateway/dist/index.d.ts +2 -0
  190. package/node_modules/@comis/gateway/dist/index.js +2 -0
  191. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.d.ts +66 -0
  192. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.js +212 -0
  193. package/node_modules/@comis/gateway/dist/server/hono-server.d.ts +14 -0
  194. package/node_modules/@comis/gateway/dist/server/hono-server.js +10 -0
  195. package/node_modules/@comis/gateway/package.json +1 -1
  196. package/node_modules/@comis/infra/dist/logging/log-fields.d.ts +23 -0
  197. package/node_modules/@comis/infra/package.json +1 -1
  198. package/node_modules/@comis/memory/dist/compaction.d.ts +3 -5
  199. package/node_modules/@comis/memory/dist/compaction.js +2 -3
  200. package/node_modules/@comis/memory/dist/delivery-queue-adapter.d.ts +2 -2
  201. package/node_modules/@comis/memory/dist/delivery-queue-adapter.js +49 -1
  202. package/node_modules/@comis/memory/dist/index.d.ts +2 -0
  203. package/node_modules/@comis/memory/dist/index.js +3 -0
  204. package/node_modules/@comis/memory/dist/memory-api.d.ts +1 -1
  205. package/node_modules/@comis/memory/dist/memory-api.js +1 -1
  206. package/node_modules/@comis/memory/dist/oauth-profile-schema.d.ts +17 -0
  207. package/node_modules/@comis/memory/dist/oauth-profile-schema.js +33 -0
  208. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.d.ts +27 -0
  209. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.js +144 -0
  210. package/node_modules/@comis/memory/dist/session-store.d.ts +1 -1
  211. package/node_modules/@comis/memory/dist/session-store.js +1 -1
  212. package/node_modules/@comis/memory/dist/sqlite-secret-store.d.ts +29 -3
  213. package/node_modules/@comis/memory/dist/sqlite-secret-store.js +11 -3
  214. package/node_modules/@comis/memory/package.json +1 -1
  215. package/node_modules/@comis/scheduler/dist/execution/execution-lock.d.ts +13 -0
  216. package/node_modules/@comis/scheduler/dist/execution/execution-lock.js +1 -1
  217. package/node_modules/@comis/scheduler/dist/execution/index.d.ts +2 -0
  218. package/node_modules/@comis/scheduler/dist/execution/index.js +2 -0
  219. package/node_modules/@comis/scheduler/dist/heartbeat/agent-heartbeat-source.js +1 -1
  220. package/node_modules/@comis/scheduler/dist/index.d.ts +2 -0
  221. package/node_modules/@comis/scheduler/dist/index.js +2 -0
  222. package/node_modules/@comis/scheduler/package.json +1 -1
  223. package/node_modules/@comis/shared/package.json +1 -1
  224. package/node_modules/@comis/skills/dist/bridge/schema-validator.d.ts +38 -0
  225. package/node_modules/@comis/skills/dist/bridge/schema-validator.js +169 -0
  226. package/node_modules/@comis/skills/dist/bridge/tool-metadata-enforcement.js +12 -0
  227. package/node_modules/@comis/skills/dist/bridge/tool-metadata-registry.js +130 -0
  228. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.d.ts +32 -0
  229. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.js +127 -0
  230. package/node_modules/@comis/skills/dist/builtin/exec-security.js +38 -0
  231. package/node_modules/@comis/skills/dist/builtin/exec-tool.js +9 -0
  232. package/node_modules/@comis/skills/dist/builtin/file-tools/grep-tool.js +6 -6
  233. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.d.ts +5 -4
  234. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.js +38 -27
  235. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.d.ts +4 -1
  236. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.js +3 -3
  237. package/node_modules/@comis/skills/dist/builtin/platform/cron-tool.js +1 -1
  238. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.js +6 -6
  239. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.d.ts +1 -1
  240. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.js +9 -9
  241. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.d.ts +11 -0
  242. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.js +114 -1
  243. package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js +40 -15
  244. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.d.ts +7 -0
  245. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.js +9 -2
  246. package/node_modules/@comis/skills/package.json +1 -1
  247. package/node_modules/@comis/web/dist/assets/{agent-detail-71BSbSfD.js → agent-detail-q8t1NB7w.js} +1 -1
  248. package/node_modules/@comis/web/dist/assets/{agent-editor-CTSDZhwT.js → agent-editor-B46io5gv.js} +1 -1
  249. package/node_modules/@comis/web/dist/assets/{agent-list-BEhni2ea.js → agent-list-DQ6g2Rcx.js} +1 -1
  250. package/node_modules/@comis/web/dist/assets/{billing-view-DVP1IvVs.js → billing-view-IWPR8LgF.js} +1 -1
  251. package/node_modules/@comis/web/dist/assets/{channel-detail-N_YK74xC.js → channel-detail-DlNNZuuC.js} +1 -1
  252. package/node_modules/@comis/web/dist/assets/{channel-list-DRk6ZJaF.js → channel-list-DhGwxiMc.js} +1 -1
  253. package/node_modules/@comis/web/dist/assets/{chat-console-Dm-GtSf9.js → chat-console-Nv6fM3Rc.js} +1 -1
  254. package/node_modules/@comis/web/dist/assets/{config-editor-CIferYX6.js → config-editor-BYKuJF76.js} +1 -1
  255. package/node_modules/@comis/web/dist/assets/{context-dag-browser-CL84rXXM.js → context-dag-browser-ClNEtzYE.js} +1 -1
  256. package/node_modules/@comis/web/dist/assets/{context-engine-B1HOTEZv.js → context-engine-BZJ6HChd.js} +1 -1
  257. package/node_modules/@comis/web/dist/assets/{delivery-view-Y6JKYVFw.js → delivery-view-Cb7I3vGu.js} +1 -1
  258. package/node_modules/@comis/web/dist/assets/{diagnostics-view-DWV1UQjz.js → diagnostics-view-9u9Lyu5a.js} +1 -1
  259. package/node_modules/@comis/web/dist/assets/{ic-chat-message-DfSERzzg.js → ic-chat-message-BFt3cVpx.js} +1 -1
  260. package/node_modules/@comis/web/dist/assets/{ic-connection-dot-CXyhlJup.js → ic-connection-dot-y77LZ3Gu.js} +1 -1
  261. package/node_modules/@comis/web/dist/assets/{ic-tool-call-DNmwTjek.js → ic-tool-call-qt6w1NQl.js} +1 -1
  262. package/node_modules/@comis/web/dist/assets/{index-CBr0Tm9_.js → index-8Tg9oc-C.js} +2 -2
  263. package/node_modules/@comis/web/dist/assets/{mcp-management-BaH2-vox.js → mcp-management-69dtH_kY.js} +2 -2
  264. package/node_modules/@comis/web/dist/assets/{media-config-CZLshJoN.js → media-config-BdjLj5c1.js} +1 -1
  265. package/node_modules/@comis/web/dist/assets/{media-test-C9NUWgo_.js → media-test-DuPqrixi.js} +1 -1
  266. package/node_modules/@comis/web/dist/assets/{memory-inspector-D_fmTcRN.js → memory-inspector-B-Pepbq-.js} +1 -1
  267. package/node_modules/@comis/web/dist/assets/{message-center-BBFlNCZn.js → message-center-B7l0yNYY.js} +1 -1
  268. package/node_modules/@comis/web/dist/assets/{models-BytGLm99.js → models-JHFHuv5S.js} +1 -1
  269. package/node_modules/@comis/web/dist/assets/{observe-view-VXtHqaqq.js → observe-view-r8mqhy4O.js} +1 -1
  270. package/node_modules/@comis/web/dist/assets/{pipeline-builder-CfXczlfJ.js → pipeline-builder-XjkiZRcR.js} +1 -1
  271. package/node_modules/@comis/web/dist/assets/{pipeline-history-CPmXFnbe.js → pipeline-history-CZqJv_Hj.js} +1 -1
  272. package/node_modules/@comis/web/dist/assets/{pipeline-history-detail-DcueTMs9.js → pipeline-history-detail-BEFGMoDy.js} +1 -1
  273. package/node_modules/@comis/web/dist/assets/{pipeline-list-B-xG5WZh.js → pipeline-list-B6q5LvO1.js} +1 -1
  274. package/node_modules/@comis/web/dist/assets/{pipeline-monitor-pnIOYaSY.js → pipeline-monitor-BNomXjVL.js} +1 -1
  275. package/node_modules/@comis/web/dist/assets/{scheduler-BtUIFHhA.js → scheduler-BJEjcGKA.js} +1 -1
  276. package/node_modules/@comis/web/dist/assets/{security-C8mWRq2y.js → security-2G1jhBfV.js} +1 -1
  277. package/node_modules/@comis/web/dist/assets/{session-detail-DgdkO5ka.js → session-detail-DmVPzFBR.js} +1 -1
  278. package/node_modules/@comis/web/dist/assets/{session-list-DcylcfTn.js → session-list-CsqMQoHs.js} +1 -1
  279. package/node_modules/@comis/web/dist/assets/{setup-wizard-BP5yjsuL.js → setup-wizard-CAdM-gSP.js} +1 -1
  280. package/node_modules/@comis/web/dist/assets/{skills-DXt1bX8Z.js → skills-2ODqKaWr.js} +1 -1
  281. package/node_modules/@comis/web/dist/assets/{subagents-C7YbUHXY.js → subagents-BFlwfTbD.js} +1 -1
  282. package/node_modules/@comis/web/dist/assets/{workspace-manager-DP6pW4wa.js → workspace-manager--CbOx_dI.js} +1 -1
  283. package/node_modules/@comis/web/dist/index.html +1 -1
  284. package/node_modules/@comis/web/package.json +1 -1
  285. package/package.json +17 -16
@@ -39,7 +39,7 @@ const CronToolParams = Type.Object({
39
39
  payload_text: Type.Optional(Type.String({ description: "Payload text or message content" })),
40
40
  // session strategy params
41
41
  session_strategy: Type.Optional(Type.Union([Type.Literal("fresh"), Type.Literal("rolling"), Type.Literal("accumulate")], {
42
- description: "Session history strategy for recurring jobs. Valid values: fresh (new session each run), rolling (keep last N turns), accumulate (keep all history). Default: fresh",
42
+ description: "Session history strategy for recurring jobs. Valid values: fresh (new session each run; default and STRONGLY PREFERRED for cadences ≥ 10 minutes), rolling (keep last N turns; ONLY use when cadence < 5 minutes), accumulate (keep all history; rarely correct, leaks across runs). Rationale: cron uses a 5-minute prompt cache TTL, so any cadence longer than that wastes cache-write spend on rolling/accumulate — the cache is always cold by the next tick. Pick fresh unless cross-tick session memory is essential and cadence is < 5 minutes. Default: fresh",
43
43
  })),
44
44
  max_history_turns: Type.Optional(Type.Integer({ description: "Number of recent turns to keep for rolling strategy (default 3)" })),
45
45
  model: Type.Optional(Type.String({
@@ -165,16 +165,16 @@ export function createGatewayTool(rpcCall, logger) {
165
165
  hint: "Ask the user to confirm this restart, then call again with _confirmed: true.",
166
166
  };
167
167
  }
168
- // 260428-qrn: Inside Docker the restart relies entirely on the
169
- // container's restart policy to bring the daemon back. Surface
170
- // a structured WARN so the operator gets a breadcrumb in
171
- // `docker logs` pointing at `--restart unless-stopped`. Tool
172
- // result schema unchanged (Pino-only -- no extra content blocks).
168
+ // Inside Docker the restart relies entirely on the container's
169
+ // restart policy to bring the daemon back. Surface a structured
170
+ // WARN so the operator gets a breadcrumb in `docker logs`
171
+ // pointing at `--restart unless-stopped`. Tool result schema
172
+ // unchanged (Pino-only -- no extra content blocks).
173
173
  if (isDocker()) {
174
174
  logger.warn({
175
175
  hint: "Container must have --restart unless-stopped (or compose restart: unless-stopped) for the restart to bring it back. Otherwise run 'docker restart <name>' from your host after the daemon exits.",
176
176
  errorKind: "config",
177
- module: "skill.gateway",
177
+ submodule: "skill.gateway",
178
178
  }, "Daemon restart requested inside Docker container — relies on container restart policy");
179
179
  }
180
180
  return rpcCall("gateway.restart", { _trustLevel });
@@ -13,7 +13,7 @@ import type { ApprovalGate } from "@comis/core";
13
13
  import type { RpcCall } from "./cron-tool.js";
14
14
  declare const McpManageToolParams: Type.TObject<{
15
15
  action: Type.TUnion<[Type.TLiteral<"list">, Type.TLiteral<"status">, Type.TLiteral<"connect">, Type.TLiteral<"disconnect">, Type.TLiteral<"reconnect">]>;
16
- name: Type.TOptional<Type.TString>;
16
+ server_name: Type.TOptional<Type.TString>;
17
17
  transport: Type.TOptional<Type.TString>;
18
18
  command: Type.TOptional<Type.TString>;
19
19
  args: Type.TOptional<Type.TArray<Type.TString>>;
@@ -22,7 +22,7 @@ const McpManageToolParams = Type.Object({
22
22
  Type.Literal("disconnect"),
23
23
  Type.Literal("reconnect"),
24
24
  ], { description: "MCP server management action. Valid values: list (all servers with status), status (detailed single server info), connect (add new server), disconnect (remove server), reconnect (restart server connection)" }),
25
- name: Type.Optional(Type.String({
25
+ server_name: Type.Optional(Type.String({
26
26
  description: "MCP server name. Required for status/connect/disconnect/reconnect.",
27
27
  })),
28
28
  transport: Type.Optional(Type.String({
@@ -72,14 +72,14 @@ export function createMcpManageTool(rpcCall, approvalGate) {
72
72
  return rpcCall("mcp.list", { _trustLevel: ctx.trustLevel });
73
73
  },
74
74
  async status(p, rpcCall, ctx) {
75
- const name = readStringParam(p, "name");
76
- return rpcCall("mcp.status", { name, _trustLevel: ctx.trustLevel });
75
+ const name = readStringParam(p, "server_name");
76
+ return rpcCall("mcp.status", { server_name: name, _trustLevel: ctx.trustLevel });
77
77
  },
78
78
  async connect(p, rpcCall, ctx) {
79
- const name = readStringParam(p, "name");
79
+ const name = readStringParam(p, "server_name");
80
80
  const transport = readStringParam(p, "transport");
81
81
  return rpcCall("mcp.connect", {
82
- name,
82
+ server_name: name,
83
83
  transport,
84
84
  command: p.command,
85
85
  args: p.args,
@@ -89,13 +89,13 @@ export function createMcpManageTool(rpcCall, approvalGate) {
89
89
  });
90
90
  },
91
91
  async disconnect(p, rpcCall, ctx) {
92
- const name = readStringParam(p, "name");
93
- return rpcCall("mcp.disconnect", { name, _trustLevel: ctx.trustLevel });
92
+ const name = readStringParam(p, "server_name");
93
+ return rpcCall("mcp.disconnect", { server_name: name, _trustLevel: ctx.trustLevel });
94
94
  },
95
95
  async reconnect(p, rpcCall, ctx) {
96
- const name = readStringParam(p, "name");
96
+ const name = readStringParam(p, "server_name");
97
97
  return rpcCall("mcp.reconnect", {
98
- name,
98
+ server_name: name,
99
99
  transport: p.transport,
100
100
  command: p.command,
101
101
  args: p.args,
@@ -7,6 +7,17 @@
7
7
  * @module
8
8
  */
9
9
  import type { SandboxOptions, SandboxProvider } from "./types.js";
10
+ /**
11
+ * System paths to bind read-only. Filtered by existsSync once at
12
+ * first buildArgs() call and cached for the provider's lifetime.
13
+ *
14
+ * Exported so the bwrap smoke test in detect-provider.ts consumes the
15
+ * same list — drift between smoke and production binds caused a real
16
+ * false-negative on usrmerge x86-64 hosts (smoke test missed /lib64
17
+ * → /bin/true's dynamic linker unreachable → smoke EPERMs while the
18
+ * production sandbox actually works fine).
19
+ */
20
+ export declare const SYSTEM_RO_PATHS: readonly ["/usr", "/bin", "/sbin", "/lib", "/lib64", "/lib32", "/etc/resolv.conf", "/etc/hosts", "/etc/hostname", "/etc/ssl", "/etc/ca-certificates", "/etc/pki", "/etc/ld.so.cache", "/etc/ld.so.conf", "/etc/ld.so.conf.d", "/etc/alternatives", "/etc/localtime", "/etc/passwd", "/etc/group", "/etc/nsswitch.conf"];
10
21
  export declare class BwrapProvider implements SandboxProvider {
11
22
  readonly name = "bwrap";
12
23
  private bwrapPath;
@@ -14,8 +14,14 @@ import path from "node:path";
14
14
  /**
15
15
  * System paths to bind read-only. Filtered by existsSync once at
16
16
  * first buildArgs() call and cached for the provider's lifetime.
17
+ *
18
+ * Exported so the bwrap smoke test in detect-provider.ts consumes the
19
+ * same list — drift between smoke and production binds caused a real
20
+ * false-negative on usrmerge x86-64 hosts (smoke test missed /lib64
21
+ * → /bin/true's dynamic linker unreachable → smoke EPERMs while the
22
+ * production sandbox actually works fine).
17
23
  */
18
- const SYSTEM_RO_PATHS = [
24
+ export const SYSTEM_RO_PATHS = [
19
25
  "/usr",
20
26
  "/bin",
21
27
  "/sbin",
@@ -73,6 +79,40 @@ function getClaudeCodeRwPaths(home) {
73
79
  /* eslint-enable no-restricted-syntax */
74
80
  ].filter((p) => existsSync(p));
75
81
  }
82
+ /**
83
+ * Per-user XDG paths that need read-write access for language package managers.
84
+ *
85
+ * These paths MUST match the systemd ReadWritePaths in
86
+ * packages/daemon/systemd/comis.service.template. Without RW access here,
87
+ * package managers writing to standard XDG paths (npm, uv, pipx, cargo, go,
88
+ * deno, bun) fail with EROFS at the bwrap mount layer even when the outer
89
+ * systemd sandbox permits the write.
90
+ *
91
+ * Why these specific paths:
92
+ * - ~/.npm -- npm/npx default cache + global modules root.
93
+ * - ~/.cache -- XDG_CACHE_HOME default; uv archives, deno cache, bun cache,
94
+ * pip wheel cache, cargo registry cache, go module cache.
95
+ * wrapEnv() also redirects most caches into the workspace, but
96
+ * some tools (e.g. uv's archive cache) still touch ~/.cache
97
+ * during early bootstrap before env vars take effect.
98
+ * - ~/.local/share -- XDG_DATA_HOME default; uvx tool installs, pipx venvs,
99
+ * rustup toolchains, generic XDG_DATA consumers.
100
+ *
101
+ * Note: this returns a subset of paths bound RO by getUserRoPaths
102
+ * (specifically ~/.local). The RW bind is emitted AFTER the RO bind in
103
+ * buildArgs, which causes bwrap to apply the more-permissive RW mount on
104
+ * top of the RO mount for the ~/.local/share subpath. ~/.local itself
105
+ * remains RO; only ~/.local/share becomes RW.
106
+ */
107
+ function getDevToolRwPaths(home) {
108
+ /* eslint-disable no-restricted-syntax -- Trusted: constant subpaths of homedir, no user input */
109
+ return [
110
+ path.join(home, ".npm"),
111
+ path.join(home, ".cache"),
112
+ path.join(home, ".local", "share"),
113
+ /* eslint-enable no-restricted-syntax */
114
+ ].filter((p) => existsSync(p));
115
+ }
76
116
  export class BwrapProvider {
77
117
  name = "bwrap";
78
118
  bwrapPath = null;
@@ -124,6 +164,14 @@ export class BwrapProvider {
124
164
  for (const cp of getClaudeCodeRwPaths(os.homedir())) {
125
165
  args.push("--bind", cp, cp);
126
166
  }
167
+ // -- Dev tool RW paths (read-write) --
168
+ // MUST come after getUserRoPaths above so the RW bind for ~/.local/share
169
+ // overrides the RO bind for ~/.local. MUST come before the discovery
170
+ // readOnlyPaths loop below so caller-supplied RO can't shadow these.
171
+ // Mirror of systemd ReadWritePaths in comis.service.template.
172
+ for (const dp of getDevToolRwPaths(os.homedir())) {
173
+ args.push("--bind", dp, dp);
174
+ }
127
175
  // -- Read-only paths (discovery paths, custom) --
128
176
  for (const ro of opts.readOnlyPaths) {
129
177
  if (existsSync(ro)) {
@@ -139,6 +187,24 @@ export class BwrapProvider {
139
187
  wrapEnv(env, workspacePath) {
140
188
  // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
141
189
  const cacheDir = path.join(workspacePath, ".cache");
190
+ // Workspace-rooted bin dirs that hold CLIs installed by sandboxed package
191
+ // managers. Prepended to PATH so a binary installed by `cargo install <crate>`
192
+ // (or pipx, go install, bun add -g, deno install, pnpm add -g) on one exec
193
+ // call is invocable on the NEXT exec call. Ordering: highest-frequency first.
194
+ const toolBinPaths = [
195
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
196
+ path.join(workspacePath, ".local", "bin"), // PYTHONUSERBASE/bin + PIPX_BIN_DIR
197
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
198
+ path.join(cacheDir, "cargo", "bin"), // cargo install
199
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
200
+ path.join(cacheDir, "go", "bin"), // go install
201
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
202
+ path.join(cacheDir, "bun", "bin"), // bun add -g
203
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
204
+ path.join(cacheDir, "pnpm"), // pnpm global (PNPM_HOME itself is the bin dir)
205
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
206
+ path.join(cacheDir, "deno", "bin"), // deno install
207
+ ];
142
208
  return {
143
209
  ...env,
144
210
  // Temp files: heredocs, wheel builds, etc.
@@ -150,6 +216,15 @@ export class BwrapProvider {
150
216
  // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
151
217
  PIP_CACHE_DIR: path.join(cacheDir, "pip"),
152
218
  XDG_CACHE_HOME: cacheDir,
219
+ // XDG_STATE_HOME (~/.local/state by default): pipx logs, some Python
220
+ // tools, runtime state. The ~/.local parent bind is RO (getUserRoPaths)
221
+ // and getDevToolRwPaths only carves out ~/.local/share, so anything
222
+ // defaulting to ~/.local/state would EROFS without this redirect.
223
+ // pipx happens to survive (PIPX_HOME captures all pipx state) but other
224
+ // XDG-state-using tools would not. Defensive belt-and-suspenders matching
225
+ // the existing XDG_CACHE_HOME pattern.
226
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
227
+ XDG_STATE_HOME: path.join(workspacePath, ".local", "state"),
153
228
  // Python: redirect user packages into workspace.
154
229
  // PYTHONNOUSERSITE is NOT set — sandbox read paths cover dirs that
155
230
  // pip needs to scan. Removing it lets Python find packages installed
@@ -176,6 +251,44 @@ export class BwrapProvider {
176
251
  GEM_HOME: path.join(cacheDir, "gems"),
177
252
  // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
178
253
  BUNDLE_PATH: path.join(cacheDir, "bundle"),
254
+ // Rust: rustup multiplexer needs RUSTUP_HOME to locate the toolchain.
255
+ // Pointed at the system rustup install (written by install.sh's
256
+ // install_rust at /usr/local/rustup). A workspace-rooted RUSTUP_HOME
257
+ // would be empty on first call, breaking `cargo install <crate>` with
258
+ // "rustup could not choose a version of cargo to run, because no default
259
+ // is configured" — confirmed on a real VPS during the dev-sandbox matrix
260
+ // test. CARGO_HOME stays workspace-rooted (above) so `cargo install`
261
+ // outputs land in <workspace>/.cache/cargo/bin and survive.
262
+ // Tradeoff: agent loses the ability to `rustup install <toolchain>` from
263
+ // inside exec (would need RW to /usr/local/rustup). Acceptable — the
264
+ // canonical use case is `cargo install <crate>`, which works.
265
+ RUSTUP_HOME: "/usr/local/rustup",
266
+ // uv: tool install dir for `uvx` / `uv tool install` (paired with UV_PYTHON_INSTALL_DIR above).
267
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
268
+ UV_TOOL_DIR: path.join(cacheDir, "uv", "tools"),
269
+ // pipx: venvs root + bin dir. PIPX_BIN_DIR aligns with PYTHONUSERBASE/bin
270
+ // (PYTHONUSERBASE = workspace/.local) so user-installed and pipx-installed
271
+ // CLIs share a single PATH entry: workspace/.local/bin.
272
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
273
+ PIPX_HOME: path.join(cacheDir, "pipx"),
274
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
275
+ PIPX_BIN_DIR: path.join(workspacePath, ".local", "bin"),
276
+ // pnpm global store + bin dir (PNPM_HOME is on PATH below).
277
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
278
+ PNPM_HOME: path.join(cacheDir, "pnpm"),
279
+ // bun: install root; binaries land in $BUN_INSTALL/bin.
280
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
281
+ BUN_INSTALL: path.join(cacheDir, "bun"),
282
+ // deno: cache + installed CLI dir ($DENO_DIR/bin via `deno install`).
283
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
284
+ DENO_DIR: path.join(cacheDir, "deno"),
285
+ // yarn cache; mirrors the others for completeness even though yarn is rare in agent flows.
286
+ // eslint-disable-next-line no-restricted-syntax -- Trusted: workspace path is daemon-controlled, constant subpaths
287
+ YARN_CACHE_FOLDER: path.join(cacheDir, "yarn"),
288
+ // PATH augmentation MUST come after the spread above so it overrides
289
+ // any PATH carried in `env`. Empty entries are filtered to avoid
290
+ // trailing/duplicate colons when env.PATH is undefined.
291
+ PATH: [...toolBinPaths, env.PATH ?? ""].filter(Boolean).join(":"),
179
292
  };
180
293
  }
181
294
  }
@@ -10,7 +10,7 @@
10
10
  */
11
11
  import { existsSync } from "node:fs";
12
12
  import { spawnSync } from "node:child_process";
13
- import { BwrapProvider } from "./bwrap-provider.js";
13
+ import { BwrapProvider, SYSTEM_RO_PATHS } from "./bwrap-provider.js";
14
14
  import { SandboxExecProvider } from "./sandbox-exec-provider.js";
15
15
  /**
16
16
  * True when the daemon is running inside a Linux container. Docker writes
@@ -21,26 +21,42 @@ function isContainer() {
21
21
  return existsSync("/.dockerenv") || existsSync("/run/.containerenv");
22
22
  }
23
23
  /**
24
- * Smoke-test the bwrap binary against the isolation flags BwrapProvider
25
- * actually uses (--unshare-pid + --proc /proc). On Docker Desktop's linuxkit
26
- * kernel and similar restricted environments this combo EPERMs at the
27
- * procfs mount step, even with apparmor/seccomp unconfined every later
28
- * exec call would silently fail. `available()` only checks if `bwrap` is on
29
- * PATH, so without this probe the daemon would log "provider: bwrap" even
30
- * when bwrap is non-functional. ~50ms one-shot at startup.
24
+ * Smoke-test bwrap against the same SYSTEM_RO_PATHS BwrapProvider.buildArgs()
25
+ * uses, plus --unshare-pid + --proc /proc the kernel-feature combo we
26
+ * actually need to detect. Reusing the production bind list prevents drift
27
+ * (e.g. /lib64 must be present on usrmerge x86-64 hosts where /bin/true's
28
+ * dynamic linker lives there; without it the smoke spawn EPERMs at execvp
29
+ * even though the production sandbox itself runs fine).
30
+ *
31
+ * On Docker Desktop's linuxkit kernel and similar restricted environments
32
+ * --unshare-pid + --proc /proc EPERMs at the procfs mount step, even with
33
+ * apparmor/seccomp unconfined — every later exec call would silently fail.
34
+ * `available()` only checks if `bwrap` is on PATH, so without this probe the
35
+ * daemon would log "provider: bwrap" even when bwrap is non-functional.
36
+ * ~50ms one-shot at startup.
37
+ *
38
+ * Returns the raw `stderr` and `signal` from bwrap so the caller can include
39
+ * them in the warn payload — operators reading the log see the actual bwrap
40
+ * error message (e.g. "Creating new namespace failed: Operation not
41
+ * permitted") without having to enable DEBUG logging.
31
42
  */
32
43
  function bwrapSmokeTest() {
44
+ const sysBinds = SYSTEM_RO_PATHS
45
+ .filter((p) => existsSync(p))
46
+ .flatMap((p) => ["--ro-bind", p, p]);
33
47
  const r = spawnSync("bwrap", [
34
48
  "--unshare-user",
35
49
  "--unshare-pid",
36
50
  "--proc", "/proc",
37
- "--ro-bind", "/usr", "/usr",
38
- "--ro-bind", "/bin", "/bin",
39
- "--ro-bind", "/lib", "/lib",
51
+ ...sysBinds,
40
52
  "--tmpfs", "/tmp",
41
53
  "/bin/true",
42
54
  ], { encoding: "utf8", timeout: 5000 });
43
- return r.status === 0;
55
+ return {
56
+ ok: r.status === 0,
57
+ stderr: (r.stderr ?? "").trim(),
58
+ signal: r.signal ?? null,
59
+ };
44
60
  }
45
61
  /**
46
62
  * Detect and return the best available sandbox provider for this platform.
@@ -51,7 +67,8 @@ export function detectSandboxProvider(logger) {
51
67
  if (process.platform === "linux") {
52
68
  const bwrap = new BwrapProvider();
53
69
  if (bwrap.available()) {
54
- if (!bwrapSmokeTest()) {
70
+ const smoke = bwrapSmokeTest();
71
+ if (!smoke.ok) {
55
72
  // bwrap is on PATH but the kernel rejects the isolation flags
56
73
  // (typically Docker Desktop's linuxkit on macOS/Windows). Behaviour
57
74
  // diverges by environment:
@@ -69,17 +86,25 @@ export function detectSandboxProvider(logger) {
69
86
  // (rare on stock Linux). Surface it loudly and return the
70
87
  // provider so exec fails via bwrap's stderr until the operator
71
88
  // fixes the kernel/userns config — never silently degrade
72
- // sandboxing on a bare-metal host.
89
+ // sandboxing on a bare-metal host. The warn payload now includes
90
+ // `stderr` (the actual bwrap error) and `signal` so operators
91
+ // don't have to enable DEBUG logging to diagnose; the hint
92
+ // points at stderr first and demotes kernel sysctls to a
93
+ // secondary fallback.
73
94
  if (isContainer()) {
74
95
  logger?.warn({
75
96
  hint: "Kernel rejected --unshare-pid + --proc /proc (typically Docker Desktop linuxkit on macOS/Windows). Sandbox auto-disabled so agent exec is functional for development. PRODUCTION DEPLOYMENTS MUST USE A REAL LINUX HOST — see docs/operations/docker.mdx → Platform Support.",
76
97
  errorKind: "config",
98
+ stderr: smoke.stderr,
99
+ signal: smoke.signal,
77
100
  }, "Exec sandbox DISABLED (kernel limitation; container host) -- shell commands will run UNSANDBOXED. Dev/testing only.");
78
101
  return undefined;
79
102
  }
80
103
  logger?.warn({
81
- hint: "Kernel rejected --unshare-pid + --proc /proc on a bare-metal host. Check `kernel.unprivileged_userns_clone` and AppArmor's `apparmor_restrict_unprivileged_userns`. Exec calls will fail until bwrap can run.",
104
+ hint: "Check the `stderr` field above for the actual bwrap error — that's the primary signal. If stderr mentions namespaces or 'Operation not permitted' on a bare-metal host, then as a secondary diagnostic verify `sysctl kernel.unprivileged_userns_clone=1` and AppArmor's `apparmor_restrict_unprivileged_userns=0` (Ubuntu 23.10+). Exec calls will fail until bwrap can run.",
82
105
  errorKind: "config",
106
+ stderr: smoke.stderr,
107
+ signal: smoke.signal,
83
108
  }, "bwrap installed but smoke test failed -- exec sandbox is non-functional on this kernel");
84
109
  }
85
110
  return bwrap;
@@ -9,6 +9,13 @@
9
9
  * URL** (preserving TLS SNI). This maintains SSRF protection while keeping
10
10
  * TLS certificate validation working correctly.
11
11
  *
12
+ * Both `fetch` and `Agent` are imported from undici directly (NOT
13
+ * `globalThis.fetch`): Node's bundled fetch ships an older undici whose
14
+ * request-handler lifecycle is incompatible with the v8 `Agent` we use for
15
+ * DNS pinning. Mixing the two throws `InvalidArgumentError: invalid
16
+ * onRequestStart method` and breaks every channel's inbound media path. Do
17
+ * not swap this back to `globalThis.fetch`.
18
+ *
12
19
  * Every outbound media fetch MUST go through this utility.
13
20
  *
14
21
  * @module
@@ -10,13 +10,20 @@
10
10
  * URL** (preserving TLS SNI). This maintains SSRF protection while keeping
11
11
  * TLS certificate validation working correctly.
12
12
  *
13
+ * Both `fetch` and `Agent` are imported from undici directly (NOT
14
+ * `globalThis.fetch`): Node's bundled fetch ships an older undici whose
15
+ * request-handler lifecycle is incompatible with the v8 `Agent` we use for
16
+ * DNS pinning. Mixing the two throws `InvalidArgumentError: invalid
17
+ * onRequestStart method` and breaks every channel's inbound media path. Do
18
+ * not swap this back to `globalThis.fetch`.
19
+ *
13
20
  * Every outbound media fetch MUST go through this utility.
14
21
  *
15
22
  * @module
16
23
  */
17
24
  import { validateUrl } from "@comis/core";
18
25
  import { fromPromise, suppressError } from "@comis/shared";
19
- import { Agent } from "undici";
26
+ import { Agent, fetch } from "undici";
20
27
  /**
21
28
  * Classify a fetch error into an actionable errorKind + hint for structured logging.
22
29
  */
@@ -121,7 +128,7 @@ export function createSsrfGuardedFetcher(config, logger) {
121
128
  // because the original hostname stays in the URL.
122
129
  const agent = createPinnedAgent(ip);
123
130
  try {
124
- const response = await globalThis.fetch(url, {
131
+ const response = await fetch(url, {
125
132
  signal: AbortSignal.timeout(30_000),
126
133
  redirect: "error", // Do not follow redirects — they could point to internal IPs
127
134
  dispatcher: agent,
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@comis/skills",
3
3
  "private": true,
4
- "version": "1.0.33",
4
+ "version": "1.0.36",
5
5
  "author": "Moshe Anconina",
6
6
  "license": "Apache-2.0",
7
7
  "description": "Skill system, MCP integration, and tool sandbox for Comis agents",
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d}from"./index-CBr0Tm9_.js";import"./ic-breadcrumb-DqN6G3gc.js";import"./ic-tag-CvMVQFRR.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-relative-time-B3UAnTqg.js";function f(e){return e.toLocaleString(`en-US`)}var p=class extends r{constructor(...e){super(...e),this.label=``,this.used=0,this.total=0,this.warnThreshold=70,this.dangerThreshold=90}static{this.styles=[o,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d}from"./index-8Tg9oc-C.js";import"./ic-breadcrumb-DqN6G3gc.js";import"./ic-tag-CvMVQFRR.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-relative-time-B3UAnTqg.js";function f(e){return e.toLocaleString(`en-US`)}var p=class extends r{constructor(...e){super(...e),this.label=``,this.used=0,this.total=0,this.warnThreshold=70,this.dangerThreshold=90}static{this.styles=[o,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u}from"./index-CBr0Tm9_.js";import"./ic-breadcrumb-DqN6G3gc.js";import"./ic-tag-CvMVQFRR.js";import"./ic-array-editor-BLoEyeLS.js";function d(e,t=0){let n=[],r=` `.repeat(t);for(let[i,a]of Object.entries(e))if(!(a==null||a===``))if(Array.isArray(a)){if(a.length===0)continue;n.push(`${r}${i}:`);for(let e of a)if(typeof e==`object`&&e&&!Array.isArray(e)){let i=d(e,t+2).split(`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u}from"./index-8Tg9oc-C.js";import"./ic-breadcrumb-DqN6G3gc.js";import"./ic-tag-CvMVQFRR.js";import"./ic-array-editor-BLoEyeLS.js";function d(e,t=0){let n=[],r=` `.repeat(t);for(let[i,a]of Object.entries(e))if(!(a==null||a===``))if(Array.isArray(a)){if(a.length===0)continue;n.push(`${r}${i}:`);for(let e of a)if(typeof e==`object`&&e&&!Array.isArray(e)){let i=d(e,t+2).split(`
2
2
  `).filter(Boolean);if(i.length>0){n.push(`${r} - ${i[0].trimStart()}`);for(let e=1;e<i.length;e++)n.push(`${r} ${i[e].trimStart()}`)}}else n.push(`${r} - ${f(e)}`)}else if(typeof a==`object`){let e=d(a,t+1);e.trim()&&(n.push(`${r}${i}:`),n.push(e))}else n.push(`${r}${i}: ${f(a)}`);return n.join(`
3
3
  `)}function f(e){return typeof e==`string`?/[:#{}[\],&*?|>!%@`'"]/.test(e)||e.includes(`
4
4
  `)?`"${e.replace(/\\/g,`\\\\`).replace(/"/g,`\\"`)}"`:e:typeof e==`boolean`?e?`true`:`false`:String(e)}function p(){let e=new Set,t=t=>{e.size>0&&t.preventDefault()};return{get isDirty(){return e.size>0},markDirty(t=`_default`){e.add(t)},markClean(){e.clear()},confirmNavigation(){return e.size===0?!0:window.confirm(`You have unsaved changes. Discard and leave?`)},attach(){window.addEventListener(`beforeunload`,t)},detach(){window.removeEventListener(`beforeunload`,t)},dirtyFields(){return[...e]}}}function m(e,t,n){return e[t]??n}function h(e,n,r,i,a){let o=m(e,n,void 0),s=a?.step??`1`,c=s.includes(`.`)?s.split(`.`)[1].length:0,l=o===void 0?``:(c>0?Number(Number(o).toFixed(c)):o).toString(),u=a?.id??`field-${n.replace(/\./g,`-`)}`;return t`
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d}from"./index-CBr0Tm9_.js";import"./ic-tag-CvMVQFRR.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-data-table-CKIvr-ag.js";import"./ic-search-input-B02AGw1i.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-empty-state-CM3Wbj2f.js";var f={active:`success`,idle:`info`,suspended:`warning`,error:`error`},p={active:`Active`,idle:`Idle`,suspended:`Suspended`,error:`Error`},m=[{value:`active`,label:`Active`,color:`var(--ic-success)`},{value:`idle`,label:`Idle`,color:`var(--ic-info)`},{value:`suspended`,label:`Suspended`,color:`var(--ic-warning)`},{value:`error`,label:`Error`,color:`var(--ic-error)`}],h=new Intl.NumberFormat(`en-US`,{style:`currency`,currency:`USD`}),g={minimal:`Read and write only. Safest option for restricted environments.`,coding:`Common tools including web, memory, and file operations.`,messaging:`Optimized for chat and messaging workflows.`,supervisor:`Extended tools for agent orchestration and oversight.`,full:`All available tools. Best for autonomous agents with broad capabilities.`},_=class extends r{constructor(...e){super(...e),this.apiClient=null,this.rpcClient=null,this.eventDispatcher=null,this._sse=null,this._reloadDebounce=null,this._agents=[],this._loadState=`loading`,this._error=``,this._deleteTarget=null,this._actionPending=``,this._searchQuery=``,this._statusFilters=new Set,this._wizardOpen=!1,this._wizardStep=1,this._wizardError=``,this._wizardCreating=!1,this._wizardAgentId=``,this._wizardAgentName=``,this._wizardProvider=`anthropic`,this._wizardModel=``,this._wizardToolProfile=`full`,this._catalogProviders=[]}static{this.styles=[o,i,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d}from"./index-8Tg9oc-C.js";import"./ic-tag-CvMVQFRR.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-data-table-CKIvr-ag.js";import"./ic-search-input-B02AGw1i.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-empty-state-CM3Wbj2f.js";var f={active:`success`,idle:`info`,suspended:`warning`,error:`error`},p={active:`Active`,idle:`Idle`,suspended:`Suspended`,error:`Error`},m=[{value:`active`,label:`Active`,color:`var(--ic-success)`},{value:`idle`,label:`Idle`,color:`var(--ic-info)`},{value:`suspended`,label:`Suspended`,color:`var(--ic-warning)`},{value:`error`,label:`Error`,color:`var(--ic-error)`}],h=new Intl.NumberFormat(`en-US`,{style:`currency`,currency:`USD`}),g={minimal:`Read and write only. Safest option for restricted environments.`,coding:`Common tools including web, memory, and file operations.`,messaging:`Optimized for chat and messaging workflows.`,supervisor:`Extended tools for agent orchestration and oversight.`,full:`All available tools. Best for autonomous agents with broad capabilities.`},_=class extends r{constructor(...e){super(...e),this.apiClient=null,this.rpcClient=null,this.eventDispatcher=null,this._sse=null,this._reloadDebounce=null,this._agents=[],this._loadState=`loading`,this._error=``,this._deleteTarget=null,this._actionPending=``,this._searchQuery=``,this._statusFilters=new Set,this._wizardOpen=!1,this._wizardStep=1,this._wizardError=``,this._wizardCreating=!1,this._wizardAgentId=``,this._wizardAgentName=``,this._wizardProvider=`anthropic`,this._wizardModel=``,this._wizardToolProfile=`full`,this._catalogProviders=[]}static{this.styles=[o,i,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{i as u}from"./index-CBr0Tm9_.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-time-range-picker-DXbYeBmY.js";var d=class extends r{constructor(...e){super(...e),this.segments=[],this.total=0,this.currency=`$`}static{this.styles=[o,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{i as u}from"./index-8Tg9oc-C.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-time-range-picker-DXbYeBmY.js";var d=class extends r{constructor(...e){super(...e),this.segments=[],this.total=0,this.currency=`$`}static{this.styles=[o,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d}from"./index-CBr0Tm9_.js";import"./ic-breadcrumb-DqN6G3gc.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-tabs-yBjkWKJH.js";import"./ic-connection-dot-CXyhlJup.js";var f=[{key:`transcribeAudio`,label:`Voice Transcription`,description:`Transcribe inbound audio/voice attachments to text (STT)`},{key:`analyzeImages`,label:`Image Analysis`,description:`Analyze inbound images using vision AI`},{key:`describeVideos`,label:`Video Description`,description:`Generate text descriptions of inbound video attachments`},{key:`extractDocuments`,label:`Document Extraction`,description:`Extract text from PDF, CSV, and other document attachments`},{key:`understandLinks`,label:`Link Understanding`,description:`Fetch and inject content from URLs in message text`}],p={telegram:[{key:`botToken`,label:`Bot Token`,type:`secret`},{key:`webhookUrl`,label:`Webhook URL`,type:`text`,placeholder:`https://...`},{key:`ackReaction.enabled`,label:`Ack Reaction`,type:`toggle`},{key:`ackReaction.emoji`,label:`Ack Emoji`,type:`text`,placeholder:`👀`}],discord:[{key:`botToken`,label:`Bot Token`,type:`secret`},{key:`guildId`,label:`Guild ID`,type:`text`}],slack:[{key:`botToken`,label:`Bot Token`,type:`secret`},{key:`appToken`,label:`App Token`,type:`secret`},{key:`signingSecret`,label:`Signing Secret`,type:`secret`},{key:`mode`,label:`Mode`,type:`select`,options:[`socket`,`http`]}],whatsapp:[{key:`authDir`,label:`Auth Directory`,type:`text`},{key:`printQR`,label:`Print QR Code`,type:`toggle`}],line:[{key:`channelSecret`,label:`Channel Secret`,type:`secret`},{key:`webhookPath`,label:`Webhook Path`,type:`text`,placeholder:`/webhooks/line`}],signal:[{key:`baseUrl`,label:`Base URL`,type:`text`,placeholder:`http://127.0.0.1:8080`},{key:`account`,label:`Account`,type:`text`},{key:`cliPath`,label:`CLI Path`,type:`text`}],irc:[{key:`host`,label:`Host`,type:`text`},{key:`port`,label:`Port`,type:`text`},{key:`nick`,label:`Nick`,type:`text`},{key:`tls`,label:`TLS`,type:`toggle`},{key:`nickservPassword`,label:`NickServ Password`,type:`secret`},{key:`channels`,label:`Channels`,type:`list`}],imessage:[{key:`binaryPath`,label:`Binary Path`,type:`text`},{key:`account`,label:`Account`,type:`text`}]};function m(e){return e?e.charAt(0).toUpperCase()+e.slice(1):``}function h(e,t){return t.split(`.`).reduce((e,t)=>typeof e==`object`&&e?e[t]:void 0,e)}var g=class extends r{constructor(...e){super(...e),this.apiClient=null,this.rpcClient=null,this.eventDispatcher=null,this.channelType=``,this._loadState=`loading`,this._error=``,this._config={},this._enabled=!1,this._status=`disconnected`,this._deliveryTrace=[],this._activityData=[],this._channelLastActiveAt=0,this._channelMessagesSent=0,this._channelMessagesReceived=0,this._connectionMode=``,this._lastError=``,this._actionPending=!1,this._queueStatus=null,this._capabilities=null,this._mediaProcessing={transcribeAudio:!0,analyzeImages:!0,describeVideos:!0,extractDocuments:!0,understandLinks:!0},this._sse=null,this._reloadDebounce=null,this._hasLoaded=!1,this._previousChannelType=``}static{this.styles=[o,i,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d}from"./index-8Tg9oc-C.js";import"./ic-breadcrumb-DqN6G3gc.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-tabs-yBjkWKJH.js";import"./ic-connection-dot-y77LZ3Gu.js";var f=[{key:`transcribeAudio`,label:`Voice Transcription`,description:`Transcribe inbound audio/voice attachments to text (STT)`},{key:`analyzeImages`,label:`Image Analysis`,description:`Analyze inbound images using vision AI`},{key:`describeVideos`,label:`Video Description`,description:`Generate text descriptions of inbound video attachments`},{key:`extractDocuments`,label:`Document Extraction`,description:`Extract text from PDF, CSV, and other document attachments`},{key:`understandLinks`,label:`Link Understanding`,description:`Fetch and inject content from URLs in message text`}],p={telegram:[{key:`botToken`,label:`Bot Token`,type:`secret`},{key:`webhookUrl`,label:`Webhook URL`,type:`text`,placeholder:`https://...`},{key:`ackReaction.enabled`,label:`Ack Reaction`,type:`toggle`},{key:`ackReaction.emoji`,label:`Ack Emoji`,type:`text`,placeholder:`👀`}],discord:[{key:`botToken`,label:`Bot Token`,type:`secret`},{key:`guildId`,label:`Guild ID`,type:`text`}],slack:[{key:`botToken`,label:`Bot Token`,type:`secret`},{key:`appToken`,label:`App Token`,type:`secret`},{key:`signingSecret`,label:`Signing Secret`,type:`secret`},{key:`mode`,label:`Mode`,type:`select`,options:[`socket`,`http`]}],whatsapp:[{key:`authDir`,label:`Auth Directory`,type:`text`},{key:`printQR`,label:`Print QR Code`,type:`toggle`}],line:[{key:`channelSecret`,label:`Channel Secret`,type:`secret`},{key:`webhookPath`,label:`Webhook Path`,type:`text`,placeholder:`/webhooks/line`}],signal:[{key:`baseUrl`,label:`Base URL`,type:`text`,placeholder:`http://127.0.0.1:8080`},{key:`account`,label:`Account`,type:`text`},{key:`cliPath`,label:`CLI Path`,type:`text`}],irc:[{key:`host`,label:`Host`,type:`text`},{key:`port`,label:`Port`,type:`text`},{key:`nick`,label:`Nick`,type:`text`},{key:`tls`,label:`TLS`,type:`toggle`},{key:`nickservPassword`,label:`NickServ Password`,type:`secret`},{key:`channels`,label:`Channels`,type:`list`}],imessage:[{key:`binaryPath`,label:`Binary Path`,type:`text`},{key:`account`,label:`Account`,type:`text`}]};function m(e){return e?e.charAt(0).toUpperCase()+e.slice(1):``}function h(e,t){return t.split(`.`).reduce((e,t)=>typeof e==`object`&&e?e[t]:void 0,e)}var g=class extends r{constructor(...e){super(...e),this.apiClient=null,this.rpcClient=null,this.eventDispatcher=null,this.channelType=``,this._loadState=`loading`,this._error=``,this._config={},this._enabled=!1,this._status=`disconnected`,this._deliveryTrace=[],this._activityData=[],this._channelLastActiveAt=0,this._channelMessagesSent=0,this._channelMessagesReceived=0,this._connectionMode=``,this._lastError=``,this._actionPending=!1,this._queueStatus=null,this._capabilities=null,this._mediaProcessing={transcribeAudio:!0,analyzeImages:!0,describeVideos:!0,extractDocuments:!0,understandLinks:!0},this._sse=null,this._reloadDebounce=null,this._hasLoaded=!1,this._previousChannelType=``}static{this.styles=[o,i,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d,n as f,r as p,t as m}from"./index-CBr0Tm9_.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-empty-state-CM3Wbj2f.js";var h=class extends r{constructor(...e){super(...e),this.channelType=``,this.name=``,this.status=`disconnected`,this.enabled=!1,this.isStale=!1,this.messageCount=0,this.uptime=0,this.lastActivity=0}static{this.styles=[o,i,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u,i as d,n as f,r as p,t as m}from"./index-8Tg9oc-C.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-empty-state-CM3Wbj2f.js";var h=class extends r{constructor(...e){super(...e),this.channelType=``,this.name=``,this.status=`disconnected`,this.enabled=!1,this.isStale=!1,this.messageCount=0,this.uptime=0,this.lastActivity=0}static{this.styles=[o,i,n`
2
2
  :host {
3
3
  display: block;
4
4
  min-width: 280px;
@@ -1,4 +1,4 @@
1
- import{a as e,c as t,f as n,h as r,l as i,n as a,o,r as s,s as c,t as l,u}from"./decorate-BvWYovGE.js";import{a as d}from"./index-CBr0Tm9_.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-search-input-B02AGw1i.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-empty-state-CM3Wbj2f.js";import{n as f,r as p}from"./session-key-parser-Dkqcj2Ss.js";import{n as m,r as h}from"./ic-tool-call-DNmwTjek.js";import"./ic-chat-message-DfSERzzg.js";import"./ic-budget-segment-bar-zLsMzjDO.js";var g=class extends i{constructor(...e){super(...e),this.sessions=[],this.selectedKey=``,this.filter=``,this.open=!1}static{this.styles=[s,a,r`
1
+ import{a as e,c as t,f as n,h as r,l as i,n as a,o,r as s,s as c,t as l,u}from"./decorate-BvWYovGE.js";import{a as d}from"./index-8Tg9oc-C.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-search-input-B02AGw1i.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-empty-state-CM3Wbj2f.js";import{n as f,r as p}from"./session-key-parser-Dkqcj2Ss.js";import{n as m,r as h}from"./ic-tool-call-qt6w1NQl.js";import"./ic-chat-message-BFt3cVpx.js";import"./ic-budget-segment-bar-zLsMzjDO.js";var g=class extends i{constructor(...e){super(...e),this.sessions=[],this.selectedKey=``,this.filter=``,this.open=!1}static{this.styles=[s,a,r`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u}from"./index-CBr0Tm9_.js";import"./ic-tag-CvMVQFRR.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-array-editor-BLoEyeLS.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-tabs-yBjkWKJH.js";import"./ic-select-BqfZISjw.js";function d(e,t){let n=e.split(`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{a as u}from"./index-8Tg9oc-C.js";import"./ic-tag-CvMVQFRR.js";import"./ic-confirm-dialog-DGlPbV1T.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-array-editor-BLoEyeLS.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-tabs-yBjkWKJH.js";import"./ic-select-BqfZISjw.js";function d(e,t){let n=e.split(`
2
2
  `),r=t.split(`
3
3
  `),i=n.length,a=r.length,o=Array.from({length:i+1},()=>Array(a+1).fill(0));for(let e=1;e<=i;e++)for(let t=1;t<=a;t++)n[e-1]===r[t-1]?o[e][t]=o[e-1][t-1]+1:o[e][t]=Math.max(o[e-1][t],o[e][t-1]);let s=i,c=a,l=[],u=[];for(;s>0||c>0;)s>0&&c>0&&n[s-1]===r[c-1]?(l.push({text:n[s-1],status:`unchanged`}),u.push({text:r[c-1],status:`unchanged`}),s--,c--):c>0&&(s===0||o[s][c-1]>=o[s-1][c])?(u.push({text:r[c-1],status:`added`}),l.push({text:``,status:`unchanged`}),c--):(l.push({text:n[s-1],status:`removed`}),u.push({text:``,status:`unchanged`}),s--);return l.reverse(),u.reverse(),{oldLines:l,newLines:u}}var f=class extends r{constructor(...e){super(...e),this.oldText=``,this.newText=``,this.oldLabel=`Current`,this.newLabel=`Pending`,this._syncing=!1}static{this.styles=[o,i,n`
4
4
  :host {
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import"./index-CBr0Tm9_.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-search-input-B02AGw1i.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-detail-panel-DiCe4hLr.js";var u=class extends r{constructor(...e){super(...e),this.rpcClient=null,this._loadState=`loading`,this._conversations=[],this._selectedConvId=null,this._treeNodes=[],this._treeMessageCount=0,this._expanded=new Set,this._searchQuery=``,this._searchResults=[],this._inspectedNode=null,this._detailOpen=!1,this._treeLoading=!1,this._searchLoading=!1,this._errorMsg=``,this._searchTimeout=null,this._rpcClientInitialized=!1}static{this.styles=[o,i,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import"./index-8Tg9oc-C.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-search-input-B02AGw1i.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-detail-panel-DiCe4hLr.js";var u=class extends r{constructor(...e){super(...e),this.rpcClient=null,this._loadState=`loading`,this._conversations=[],this._selectedConvId=null,this._treeNodes=[],this._treeMessageCount=0,this._expanded=new Set,this._searchQuery=``,this._searchResults=[],this._inspectedNode=null,this._detailOpen=!1,this._treeLoading=!1,this._searchLoading=!1,this._errorMsg=``,this._searchTimeout=null,this._rpcClientInitialized=!1}static{this.styles=[o,i,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{i as u}from"./index-CBr0Tm9_.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-budget-segment-bar-zLsMzjDO.js";import"./ic-layer-waterfall-WkaFyu-l.js";var d={file_read:`var(--ic-accent)`,exec:`var(--ic-success)`,web:`var(--ic-info, #3b82f6)`,image:`var(--ic-warning)`,error:`var(--ic-error)`},f=`var(--ic-text-dim)`,p=class extends r{constructor(...e){super(...e),this.categories={},this.showLegend=!0}static{this.styles=[o,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{i as u}from"./index-8Tg9oc-C.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-budget-segment-bar-zLsMzjDO.js";import"./ic-layer-waterfall-WkaFyu-l.js";var d={file_read:`var(--ic-accent)`,exec:`var(--ic-success)`,web:`var(--ic-info, #3b82f6)`,image:`var(--ic-warning)`,error:`var(--ic-error)`},f=`var(--ic-text-dim)`,p=class extends r{constructor(...e){super(...e),this.categories={},this.showLegend=!0}static{this.styles=[o,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import"./index-CBr0Tm9_.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-time-range-picker-DXbYeBmY.js";import"./ic-detail-panel-DiCe4hLr.js";import"./ic-delivery-row-B3YwjjuM.js";function u(e){return e>=1e3?`${(e/1e3).toFixed(1)}s`:`${e}ms`}var d=class extends r{constructor(...e){super(...e),this.steps=[],this.totalDurationMs=0}static{this.styles=[o,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import"./index-8Tg9oc-C.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-time-range-picker-DXbYeBmY.js";import"./ic-detail-panel-DiCe4hLr.js";import"./ic-delivery-row-B3YwjjuM.js";function u(e){return e>=1e3?`${(e/1e3).toFixed(1)}s`:`${e}ms`}var d=class extends r{constructor(...e){super(...e),this.steps=[],this.totalDurationMs=0}static{this.styles=[o,n`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{n as u,t as d}from"./observability-types-D0tkwElU.js";import{i as f}from"./index-CBr0Tm9_.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-time-range-picker-DXbYeBmY.js";var p=3e4,m=6048e5,h={info:`var(--ic-text-dim)`,warn:`var(--ic-warning)`,error:`var(--ic-error)`},g=class extends r{constructor(...e){super(...e),this.rpcClient=null,this.eventDispatcher=null,this._sse=null,this._reloadDebounce=null,this._loadState=`loading`,this._sinceMs=m,this._selectedRange=`7d`,this._events=[],this._selectedCategories=new Set,this._selectedSeverities=new Set,this._eventCounts={},this._refreshInterval=null,this._rpcStatusUnsub=null}static{this.styles=[o,i,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import{n as u,t as d}from"./observability-types-D0tkwElU.js";import{i as f}from"./index-8Tg9oc-C.js";import"./ic-tag-CvMVQFRR.js";import"./ic-relative-time-B3UAnTqg.js";import"./ic-empty-state-CM3Wbj2f.js";import"./ic-time-range-picker-DXbYeBmY.js";var p=3e4,m=6048e5,h={info:`var(--ic-text-dim)`,warn:`var(--ic-warning)`,error:`var(--ic-error)`},g=class extends r{constructor(...e){super(...e),this.rpcClient=null,this.eventDispatcher=null,this._sse=null,this._reloadDebounce=null,this._loadState=`loading`,this._sinceMs=m,this._selectedRange=`7d`,this._events=[],this._selectedCategories=new Set,this._selectedSeverities=new Set,this._eventCounts={},this._refreshInterval=null,this._rpcStatusUnsub=null}static{this.styles=[o,i,n`
2
2
  :host { display: block; }
3
3
 
4
4
  .diagnostics-view { padding: 0; }
@@ -1,4 +1,4 @@
1
- import{c as e,d as t,f as n,h as r,l as i,n as a,o,r as s,s as c,t as l,u}from"./decorate-BvWYovGE.js";import{a as d}from"./index-CBr0Tm9_.js";import"./ic-icon-BGNCCPpZ.js";import{n as f,r as p,t as m}from"./directive-BOYXJ-K-.js";var h=class extends f{constructor(e){if(super(e),this.it=u,e.type!==p.CHILD)throw Error(this.constructor.directiveName+`() can only be used in child bindings`)}render(e){if(e===u||e==null)return this._t=void 0,this.it=e;if(e===t)return e;if(typeof e!=`string`)throw Error(this.constructor.directiveName+`() called with a non-string value`);if(e===this.it)return this._t;this.it=e;let n=[e];return n.raw=n,this._t={_$litType$:this.constructor.resultType,strings:n,values:[]}}};h.directiveName=`unsafeHTML`,h.resultType=1;var g=m(h),_=new Set(`const.let.var.function.return.if.else.for.while.import.export.from.true.false.null.undefined.class.new.this.async.await.throw.try.catch.switch.case.break.continue.default.typeof.instanceof.void.delete.in.of.yield.static.extends.implements.interface.type.enum.abstract.readonly`.split(`.`));function v(e){return e.replace(/&/g,`&amp;`).replace(/</g,`&lt;`).replace(/>/g,`&gt;`).replace(/"/g,`&quot;`)}function y(e,t){if(!t)return v(e);let n=t.toLowerCase(),r=v(e);return r=r.replace(/\/\*[\s\S]*?\*\//g,e=>`<span class="hl-comment">${e}</span>`),r=r.replace(/\/\/[^\n]*/g,e=>e.includes(`hl-comment`)?e:`<span class="hl-comment">${e}</span>`),(n===`yaml`||n===`yml`||n===`bash`||n===`sh`||n===`python`||n===`py`)&&(r=r.replace(/(?:^|(?<=\n))(\s*#[^\n]*)/g,e=>`<span class="hl-comment">${e}</span>`)),r=r.replace(/(?<!<span class=")(&quot;(?:[^&]|&(?!quot;))*?&quot;)/g,e=>e.includes(`hl-`)?e:`<span class="hl-string">${e}</span>`),r=r.replace(/(?<![=\w])('[^'\\]*(?:\\.[^'\\]*)*')/g,e=>e.includes(`hl-`)?e:`<span class="hl-string">${e}</span>`),r=r.replace(/\b(\d+(?:\.\d+)?)\b/g,e=>e.includes(`hl-`)?e:`<span class="hl-number">${e}</span>`),(n===`json`||n===`yaml`||n===`yml`)&&(r=r.replace(/(?:^|(?<=\n))(\s*)(&quot;[\w.-]+&quot;)(\s*:)/gm,(e,t,n,r)=>`${t}<span class="hl-property">${n}</span>${r}`),(n===`yaml`||n===`yml`)&&(r=r.replace(/(?:^|(?<=\n))(\s*)([\w.-]+)(\s*:)/gm,(e,t,n,r)=>n.includes(`hl-`)?e:`${t}<span class="hl-property">${n}</span>${r}`))),(n===`javascript`||n===`js`||n===`typescript`||n===`ts`||n===`jsx`||n===`tsx`)&&(r=r.replace(/\b([a-z]+)\b/g,e=>_.has(e)?`<span class="hl-keyword">${e}</span>`:e)),r}var b=class extends i{constructor(...e){super(...e),this.code=``,this.language=``,this.copyable=!0,this._copied=!1,this._copyTimer=null}static{this.styles=[s,a,r`
1
+ import{c as e,d as t,f as n,h as r,l as i,n as a,o,r as s,s as c,t as l,u}from"./decorate-BvWYovGE.js";import{a as d}from"./index-8Tg9oc-C.js";import"./ic-icon-BGNCCPpZ.js";import{n as f,r as p,t as m}from"./directive-BOYXJ-K-.js";var h=class extends f{constructor(e){if(super(e),this.it=u,e.type!==p.CHILD)throw Error(this.constructor.directiveName+`() can only be used in child bindings`)}render(e){if(e===u||e==null)return this._t=void 0,this.it=e;if(e===t)return e;if(typeof e!=`string`)throw Error(this.constructor.directiveName+`() called with a non-string value`);if(e===this.it)return this._t;this.it=e;let n=[e];return n.raw=n,this._t={_$litType$:this.constructor.resultType,strings:n,values:[]}}};h.directiveName=`unsafeHTML`,h.resultType=1;var g=m(h),_=new Set(`const.let.var.function.return.if.else.for.while.import.export.from.true.false.null.undefined.class.new.this.async.await.throw.try.catch.switch.case.break.continue.default.typeof.instanceof.void.delete.in.of.yield.static.extends.implements.interface.type.enum.abstract.readonly`.split(`.`));function v(e){return e.replace(/&/g,`&amp;`).replace(/</g,`&lt;`).replace(/>/g,`&gt;`).replace(/"/g,`&quot;`)}function y(e,t){if(!t)return v(e);let n=t.toLowerCase(),r=v(e);return r=r.replace(/\/\*[\s\S]*?\*\//g,e=>`<span class="hl-comment">${e}</span>`),r=r.replace(/\/\/[^\n]*/g,e=>e.includes(`hl-comment`)?e:`<span class="hl-comment">${e}</span>`),(n===`yaml`||n===`yml`||n===`bash`||n===`sh`||n===`python`||n===`py`)&&(r=r.replace(/(?:^|(?<=\n))(\s*#[^\n]*)/g,e=>`<span class="hl-comment">${e}</span>`)),r=r.replace(/(?<!<span class=")(&quot;(?:[^&]|&(?!quot;))*?&quot;)/g,e=>e.includes(`hl-`)?e:`<span class="hl-string">${e}</span>`),r=r.replace(/(?<![=\w])('[^'\\]*(?:\\.[^'\\]*)*')/g,e=>e.includes(`hl-`)?e:`<span class="hl-string">${e}</span>`),r=r.replace(/\b(\d+(?:\.\d+)?)\b/g,e=>e.includes(`hl-`)?e:`<span class="hl-number">${e}</span>`),(n===`json`||n===`yaml`||n===`yml`)&&(r=r.replace(/(?:^|(?<=\n))(\s*)(&quot;[\w.-]+&quot;)(\s*:)/gm,(e,t,n,r)=>`${t}<span class="hl-property">${n}</span>${r}`),(n===`yaml`||n===`yml`)&&(r=r.replace(/(?:^|(?<=\n))(\s*)([\w.-]+)(\s*:)/gm,(e,t,n,r)=>n.includes(`hl-`)?e:`${t}<span class="hl-property">${n}</span>${r}`))),(n===`javascript`||n===`js`||n===`typescript`||n===`ts`||n===`jsx`||n===`tsx`)&&(r=r.replace(/\b([a-z]+)\b/g,e=>_.has(e)?`<span class="hl-keyword">${e}</span>`:e)),r}var b=class extends i{constructor(...e){super(...e),this.code=``,this.language=``,this.copyable=!0,this._copied=!1,this._copyTimer=null}static{this.styles=[s,a,r`
2
2
  :host {
3
3
  display: block;
4
4
  }
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,r as i,s as a,t as o}from"./decorate-BvWYovGE.js";import{t as s}from"./index-CBr0Tm9_.js";import"./ic-icon-BGNCCPpZ.js";var c=class extends r{constructor(...e){super(...e),this.status=`disconnected`,this.size=`8px`,this.showLabel=!0}static{this.styles=[i,n`
1
+ import{c as e,f as t,h as n,l as r,r as i,s as a,t as o}from"./decorate-BvWYovGE.js";import{t as s}from"./index-8Tg9oc-C.js";import"./ic-icon-BGNCCPpZ.js";var c=class extends r{constructor(...e){super(...e),this.status=`disconnected`,this.size=`8px`,this.showLabel=!0}static{this.styles=[i,n`
2
2
  :host {
3
3
  display: inline-flex;
4
4
  align-items: center;
@@ -1,4 +1,4 @@
1
- import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import"./index-CBr0Tm9_.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-chat-message-DfSERzzg.js";function u(e){return e.replace(/\b(?:NO_REPLY|HEARTBEAT_OK)\b/g,``).trim()}function d(e){if(!e.includes(`[System context]`)&&!e.includes(`[End system context]`))return e;let t=e.lastIndexOf(`[End system context]`);if(t===-1)return e;let n=e.slice(t+20),r=n.match(/\s*\[[\w-]+\]\s+\S+\s+\([^)]*\):\s*/);if(r){let e=n.indexOf(r[0])+r[0].length;return n.slice(e).trim()}return n.trim()}function f(e,t){return t===`assistant`?u(e):t===`user`?d(e):e}function p(e){if(e==null)return``;if(typeof e==`string`)return e;try{return JSON.stringify(e,null,2)}catch{return String(e)}}var m=class extends r{constructor(...e){super(...e),this.toolName=``,this.input=null,this.output=null,this.expanded=!1,this.status=`success`,this._showFullOutput=!1}static{this.styles=[o,i,n`
1
+ import{c as e,f as t,h as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"./decorate-BvWYovGE.js";import"./index-8Tg9oc-C.js";import"./ic-icon-BGNCCPpZ.js";import"./ic-chat-message-BFt3cVpx.js";function u(e){return e.replace(/\b(?:NO_REPLY|HEARTBEAT_OK)\b/g,``).trim()}function d(e){if(!e.includes(`[System context]`)&&!e.includes(`[End system context]`))return e;let t=e.lastIndexOf(`[End system context]`);if(t===-1)return e;let n=e.slice(t+20),r=n.match(/\s*\[[\w-]+\]\s+\S+\s+\([^)]*\):\s*/);if(r){let e=n.indexOf(r[0])+r[0].length;return n.slice(e).trim()}return n.trim()}function f(e,t){return t===`assistant`?u(e):t===`user`?d(e):e}function p(e){if(e==null)return``;if(typeof e==`string`)return e;try{return JSON.stringify(e,null,2)}catch{return String(e)}}var m=class extends r{constructor(...e){super(...e),this.toolName=``,this.input=null,this.output=null,this.expanded=!1,this.status=`success`,this._showFullOutput=!1}static{this.styles=[o,i,n`
2
2
  :host {
3
3
  display: block;
4
4
  }