comisai 1.0.34 → 1.0.37

Files changed (448)
  1. package/node_modules/@comis/agent/dist/background/auto-background-middleware.d.ts +11 -1
  2. package/node_modules/@comis/agent/dist/background/auto-background-middleware.js +30 -4
  3. package/node_modules/@comis/agent/dist/background/background-task-manager.d.ts +22 -2
  4. package/node_modules/@comis/agent/dist/background/background-task-manager.js +88 -40
  5. package/node_modules/@comis/agent/dist/background/background-task-persistence.js +34 -4
  6. package/node_modules/@comis/agent/dist/background/background-task-types.d.ts +59 -3
  7. package/node_modules/@comis/agent/dist/background/background-task-types.js +1 -1
  8. package/node_modules/@comis/agent/dist/background/completion-dispatcher.d.ts +130 -0
  9. package/node_modules/@comis/agent/dist/background/completion-dispatcher.js +215 -0
  10. package/node_modules/@comis/agent/dist/background/completion-formatter.d.ts +39 -0
  11. package/node_modules/@comis/agent/dist/background/completion-formatter.js +77 -0
  12. package/node_modules/@comis/agent/dist/background/completion-runner.d.ts +62 -0
  13. package/node_modules/@comis/agent/dist/background/completion-runner.js +234 -0
  14. package/node_modules/@comis/agent/dist/background/index.d.ts +10 -1
  15. package/node_modules/@comis/agent/dist/background/index.js +4 -0
  16. package/node_modules/@comis/agent/dist/background/session-resolver.d.ts +85 -0
  17. package/node_modules/@comis/agent/dist/background/session-resolver.js +78 -0
  18. package/node_modules/@comis/agent/dist/bootstrap/sections/messaging-sections.js +1 -0
  19. package/node_modules/@comis/agent/dist/bootstrap/sections/tool-descriptions.js +3 -3
  20. package/node_modules/@comis/agent/dist/bootstrap/sections/tooling-sections.d.ts +30 -2
  21. package/node_modules/@comis/agent/dist/bootstrap/sections/tooling-sections.js +51 -2
  22. package/node_modules/@comis/agent/dist/bootstrap/system-prompt-assembler.d.ts +22 -0
  23. package/node_modules/@comis/agent/dist/bootstrap/system-prompt-assembler.js +2 -2
  24. package/node_modules/@comis/agent/dist/bridge/bridge-event-handlers.d.ts +1 -5
  25. package/node_modules/@comis/agent/dist/bridge/bridge-event-handlers.js +2 -14
  26. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.d.ts +43 -2
  27. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.js +17 -2
  28. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.d.ts +32 -23
  29. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.js +145 -62
  30. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.d.ts +6 -7
  31. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.js +24 -25
  32. package/node_modules/@comis/agent/dist/budget/cost-tracker.d.ts +1 -1
  33. package/node_modules/@comis/agent/dist/context-engine/constants.d.ts +5 -5
  34. package/node_modules/@comis/agent/dist/context-engine/constants.js +12 -12
  35. package/node_modules/@comis/agent/dist/context-engine/context-engine.js +13 -4
  36. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.d.ts +1 -2
  37. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.js +1 -2
  38. package/node_modules/@comis/agent/dist/context-engine/llm-compaction.js +20 -16
  39. package/node_modules/@comis/agent/dist/context-engine/rehydration.js +6 -6
  40. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.d.ts +12 -12
  41. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.js +36 -22
  42. package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.d.ts +10 -10
  43. package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.js +14 -14
  44. package/node_modules/@comis/agent/dist/context-engine/thinking-block-cleaner.d.ts +11 -13
  45. package/node_modules/@comis/agent/dist/context-engine/thinking-block-cleaner.js +14 -15
  46. package/node_modules/@comis/agent/dist/context-engine/types-core.d.ts +15 -0
  47. package/node_modules/@comis/agent/dist/executor/cache-break-detection.d.ts +6 -6
  48. package/node_modules/@comis/agent/dist/executor/cache-break-detection.js +8 -8
  49. package/node_modules/@comis/agent/dist/executor/capability-index-context.d.ts +72 -0
  50. package/node_modules/@comis/agent/dist/executor/capability-index-context.js +329 -0
  51. package/node_modules/@comis/agent/dist/executor/drain-helper.d.ts +122 -0
  52. package/node_modules/@comis/agent/dist/executor/drain-helper.js +173 -0
  53. package/node_modules/@comis/agent/dist/executor/error-classifier.js +2 -2
  54. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.d.ts +16 -0
  55. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.js +46 -5
  56. package/node_modules/@comis/agent/dist/executor/executor-post-execution.d.ts +78 -4
  57. package/node_modules/@comis/agent/dist/executor/executor-post-execution.js +150 -31
  58. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.d.ts +7 -0
  59. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.js +26 -5
  60. package/node_modules/@comis/agent/dist/executor/executor-response-filter.d.ts +7 -6
  61. package/node_modules/@comis/agent/dist/executor/executor-response-filter.js +9 -42
  62. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.d.ts +18 -1
  63. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.js +20 -18
  64. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.d.ts +2 -2
  65. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.js +4 -4
  66. package/node_modules/@comis/agent/dist/executor/jit-guide-injector.d.ts +11 -2
  67. package/node_modules/@comis/agent/dist/executor/jit-guide-injector.js +16 -2
  68. package/node_modules/@comis/agent/dist/executor/phase-filter.d.ts +2 -2
  69. package/node_modules/@comis/agent/dist/executor/phase-filter.js +5 -7
  70. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +21 -2
  71. package/node_modules/@comis/agent/dist/executor/pi-executor.js +96 -18
  72. package/node_modules/@comis/agent/dist/executor/post-batch-continuation.js +7 -7
  73. package/node_modules/@comis/agent/dist/executor/prompt-assembly.d.ts +9 -1
  74. package/node_modules/@comis/agent/dist/executor/prompt-assembly.js +15 -1
  75. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.d.ts +1 -1
  76. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.js +1 -1
  77. package/node_modules/@comis/agent/dist/executor/tool-deferral.d.ts +18 -27
  78. package/node_modules/@comis/agent/dist/executor/tool-deferral.js +34 -43
  79. package/node_modules/@comis/agent/dist/index.d.ts +17 -0
  80. package/node_modules/@comis/agent/dist/index.js +32 -11
  81. package/node_modules/@comis/agent/dist/model/auth-provider.d.ts +25 -2
  82. package/node_modules/@comis/agent/dist/model/auth-provider.js +6 -0
  83. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.d.ts +3 -3
  84. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.js +3 -3
  85. package/node_modules/@comis/agent/dist/model/model-registry-adapter.js +1 -1
  86. package/node_modules/@comis/agent/dist/model/model-scanner.js +1 -1
  87. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.d.ts +37 -0
  88. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.js +279 -0
  89. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.d.ts +49 -0
  90. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.js +50 -0
  91. package/node_modules/@comis/agent/dist/model/oauth-device-code.d.ts +57 -0
  92. package/node_modules/@comis/agent/dist/model/oauth-device-code.js +302 -0
  93. package/node_modules/@comis/agent/dist/model/oauth-env.d.ts +33 -0
  94. package/node_modules/@comis/agent/dist/model/oauth-env.js +38 -0
  95. package/node_modules/@comis/agent/dist/model/oauth-errors.d.ts +41 -0
  96. package/node_modules/@comis/agent/dist/model/oauth-errors.js +88 -0
  97. package/node_modules/@comis/agent/dist/model/oauth-identity.d.ts +53 -0
  98. package/node_modules/@comis/agent/dist/model/oauth-identity.js +141 -0
  99. package/node_modules/@comis/agent/dist/model/oauth-login-runner.d.ts +99 -0
  100. package/node_modules/@comis/agent/dist/model/oauth-login-runner.js +374 -0
  101. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.d.ts +58 -0
  102. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.js +82 -0
  103. package/node_modules/@comis/agent/dist/model/oauth-token-manager.d.ts +86 -16
  104. package/node_modules/@comis/agent/dist/model/oauth-token-manager.js +961 -66
  105. package/node_modules/@comis/agent/dist/model/operation-model-defaults.d.ts +9 -4
  106. package/node_modules/@comis/agent/dist/model/operation-model-defaults.js +36 -9
  107. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.d.ts +48 -0
  108. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.js +66 -0
  109. package/node_modules/@comis/agent/dist/provider/capabilities.d.ts +5 -5
  110. package/node_modules/@comis/agent/dist/provider/capabilities.js +10 -23
  111. package/node_modules/@comis/agent/dist/safety/tool-output-safety.js +3 -3
  112. package/node_modules/@comis/agent/dist/safety/tool-retry-breaker.d.ts +11 -1
  113. package/node_modules/@comis/agent/dist/safety/tool-retry-breaker.js +19 -22
  114. package/node_modules/@comis/agent/dist/session/comis-session-manager.d.ts +17 -3
  115. package/node_modules/@comis/agent/dist/session/comis-session-manager.js +1 -1
  116. package/node_modules/@comis/agent/dist/spawn/narrative-caster.d.ts +10 -0
  117. package/node_modules/@comis/agent/dist/spawn/narrative-caster.js +5 -1
  118. package/node_modules/@comis/agent/dist/spawn/pi-mono-adapters.d.ts +1 -1
  119. package/node_modules/@comis/agent/dist/spawn/pi-mono-adapters.js +5 -5
  120. package/node_modules/@comis/agent/dist/workspace/data-env.d.ts +38 -0
  121. package/node_modules/@comis/agent/dist/workspace/data-env.js +56 -0
  122. package/node_modules/@comis/agent/dist/workspace/index.d.ts +1 -0
  123. package/node_modules/@comis/agent/dist/workspace/index.js +1 -0
  124. package/node_modules/@comis/agent/dist/workspace/templates.js +5 -1
  125. package/node_modules/@comis/agent/package.json +1 -1
  126. package/node_modules/@comis/channels/dist/email/email-adapter.js +6 -6
  127. package/node_modules/@comis/channels/dist/email/imap-lifecycle.js +7 -7
  128. package/node_modules/@comis/channels/dist/index.d.ts +1 -1
  129. package/node_modules/@comis/channels/dist/index.js +1 -1
  130. package/node_modules/@comis/channels/dist/shared/channel-manager.d.ts +9 -3
  131. package/node_modules/@comis/channels/dist/shared/deliver-to-channel.js +12 -10
  132. package/node_modules/@comis/channels/dist/shared/inbound-gate.d.ts +1 -1
  133. package/node_modules/@comis/channels/dist/shared/inbound-gate.js +22 -7
  134. package/node_modules/@comis/channels/dist/shared/inbound-pipeline.d.ts +10 -3
  135. package/node_modules/@comis/channels/dist/shared/inbound-route.d.ts +1 -1
  136. package/node_modules/@comis/channels/dist/shared/inbound-route.js +13 -2
  137. package/node_modules/@comis/channels/dist/shared/response-filter.d.ts +11 -24
  138. package/node_modules/@comis/channels/dist/shared/response-filter.js +25 -53
  139. package/node_modules/@comis/channels/dist/telegram/telegram-adapter.js +1 -1
  140. package/node_modules/@comis/channels/package.json +1 -1
  141. package/node_modules/@comis/cli/dist/cli.js +2 -0
  142. package/node_modules/@comis/cli/dist/commands/agent.d.ts +3 -3
  143. package/node_modules/@comis/cli/dist/commands/agent.js +46 -3
  144. package/node_modules/@comis/cli/dist/commands/auth.d.ts +37 -0
  145. package/node_modules/@comis/cli/dist/commands/auth.js +433 -0
  146. package/node_modules/@comis/cli/dist/commands/doctor.d.ts +4 -1
  147. package/node_modules/@comis/cli/dist/commands/doctor.js +20 -5
  148. package/node_modules/@comis/cli/dist/commands/providers.d.ts +1 -2
  149. package/node_modules/@comis/cli/dist/commands/providers.js +5 -6
  150. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.d.ts +39 -0
  151. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.js +399 -0
  152. package/node_modules/@comis/cli/dist/doctor/types.d.ts +19 -0
  153. package/node_modules/@comis/cli/dist/index.d.ts +1 -0
  154. package/node_modules/@comis/cli/dist/index.js +10 -4
  155. package/node_modules/@comis/cli/dist/output/relative-time.d.ts +23 -0
  156. package/node_modules/@comis/cli/dist/output/relative-time.js +36 -0
  157. package/node_modules/@comis/cli/dist/wizard/non-interactive.js +17 -8
  158. package/node_modules/@comis/cli/dist/wizard/steps/03-provider.js +2 -1
  159. package/node_modules/@comis/cli/dist/wizard/steps/04-credentials.js +223 -34
  160. package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +14 -0
  161. package/node_modules/@comis/cli/dist/wizard/steps/11-daemon-start.js +3 -3
  162. package/node_modules/@comis/cli/dist/wizard/types.d.ts +7 -0
  163. package/node_modules/@comis/cli/package.json +1 -1
  164. package/node_modules/@comis/core/dist/bootstrap.d.ts +1 -1
  165. package/node_modules/@comis/core/dist/config/env-substitution.d.ts +66 -0
  166. package/node_modules/@comis/core/dist/config/env-substitution.js +115 -0
  167. package/node_modules/@comis/core/dist/config/field-metadata.js +2 -0
  168. package/node_modules/@comis/core/dist/config/immutable-keys.js +4 -1
  169. package/node_modules/@comis/core/dist/config/index.d.ts +7 -1
  170. package/node_modules/@comis/core/dist/config/index.js +4 -1
  171. package/node_modules/@comis/core/dist/config/loader.js +61 -0
  172. package/node_modules/@comis/core/dist/config/managed-sections.d.ts +3 -3
  173. package/node_modules/@comis/core/dist/config/managed-sections.js +10 -5
  174. package/node_modules/@comis/core/dist/config/schema-agent.d.ts +4 -792
  175. package/node_modules/@comis/core/dist/config/schema-agent.js +16 -1
  176. package/node_modules/@comis/core/dist/config/schema-approvals.d.ts +0 -14
  177. package/node_modules/@comis/core/dist/config/schema-auto-reply-engine.d.ts +0 -6
  178. package/node_modules/@comis/core/dist/config/schema-background-tasks.d.ts +1 -6
  179. package/node_modules/@comis/core/dist/config/schema-background-tasks.js +7 -0
  180. package/node_modules/@comis/core/dist/config/schema-browser.d.ts +0 -18
  181. package/node_modules/@comis/core/dist/config/schema-channel.d.ts +0 -158
  182. package/node_modules/@comis/core/dist/config/schema-coalescer.d.ts +0 -5
  183. package/node_modules/@comis/core/dist/config/schema-daemon.d.ts +0 -32
  184. package/node_modules/@comis/core/dist/config/schema-delivery.d.ts +1 -17
  185. package/node_modules/@comis/core/dist/config/schema-delivery.js +2 -0
  186. package/node_modules/@comis/core/dist/config/schema-documentation.d.ts +0 -12
  187. package/node_modules/@comis/core/dist/config/schema-embedding.d.ts +0 -20
  188. package/node_modules/@comis/core/dist/config/schema-envelope.d.ts +0 -15
  189. package/node_modules/@comis/core/dist/config/schema-gateway.d.ts +0 -37
  190. package/node_modules/@comis/core/dist/config/schema-gemini-cache.d.ts +0 -4
  191. package/node_modules/@comis/core/dist/config/schema-gemini-cache.js +0 -2
  192. package/node_modules/@comis/core/dist/config/schema-integrations.d.ts +0 -318
  193. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.d.ts +0 -18
  194. package/node_modules/@comis/core/dist/config/schema-memory-review.d.ts +0 -7
  195. package/node_modules/@comis/core/dist/config/schema-memory.d.ts +0 -16
  196. package/node_modules/@comis/core/dist/config/schema-messages.d.ts +0 -8
  197. package/node_modules/@comis/core/dist/config/schema-models.d.ts +0 -15
  198. package/node_modules/@comis/core/dist/config/schema-notification.d.ts +0 -5
  199. package/node_modules/@comis/core/dist/config/schema-oauth.d.ts +18 -0
  200. package/node_modules/@comis/core/dist/config/schema-oauth.js +19 -0
  201. package/node_modules/@comis/core/dist/config/schema-observability.d.ts +0 -38
  202. package/node_modules/@comis/core/dist/config/schema-output-retention.d.ts +34 -0
  203. package/node_modules/@comis/core/dist/config/schema-output-retention.js +48 -0
  204. package/node_modules/@comis/core/dist/config/schema-plugins.d.ts +0 -8
  205. package/node_modules/@comis/core/dist/config/schema-providers.d.ts +0 -64
  206. package/node_modules/@comis/core/dist/config/schema-queue.d.ts +0 -58
  207. package/node_modules/@comis/core/dist/config/schema-response-prefix.d.ts +0 -2
  208. package/node_modules/@comis/core/dist/config/schema-retry.d.ts +0 -6
  209. package/node_modules/@comis/core/dist/config/schema-scheduler.d.ts +0 -39
  210. package/node_modules/@comis/core/dist/config/schema-secrets.d.ts +0 -3
  211. package/node_modules/@comis/core/dist/config/schema-security.d.ts +0 -18
  212. package/node_modules/@comis/core/dist/config/schema-send-policy.d.ts +0 -13
  213. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.d.ts +0 -5
  214. package/node_modules/@comis/core/dist/config/schema-serializer.js +2 -0
  215. package/node_modules/@comis/core/dist/config/schema-skills.d.ts +0 -63
  216. package/node_modules/@comis/core/dist/config/schema-skills.js +3 -4
  217. package/node_modules/@comis/core/dist/config/schema-streaming.d.ts +0 -38
  218. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.d.ts +0 -3
  219. package/node_modules/@comis/core/dist/config/schema-tooling.d.ts +87 -0
  220. package/node_modules/@comis/core/dist/config/schema-tooling.js +152 -0
  221. package/node_modules/@comis/core/dist/config/schema-verbosity.d.ts +0 -12
  222. package/node_modules/@comis/core/dist/config/schema-webhooks.d.ts +0 -40
  223. package/node_modules/@comis/core/dist/config/schema.d.ts +50 -37
  224. package/node_modules/@comis/core/dist/config/schema.js +9 -0
  225. package/node_modules/@comis/core/dist/context/context.d.ts +0 -4
  226. package/node_modules/@comis/core/dist/domain/approval-request.d.ts +0 -17
  227. package/node_modules/@comis/core/dist/domain/background-task-origin.d.ts +29 -0
  228. package/node_modules/@comis/core/dist/domain/background-task-origin.js +39 -0
  229. package/node_modules/@comis/core/dist/domain/delivery-origin.d.ts +0 -5
  230. package/node_modules/@comis/core/dist/domain/execution-graph.d.ts +0 -48
  231. package/node_modules/@comis/core/dist/domain/memory-entry.d.ts +0 -3
  232. package/node_modules/@comis/core/dist/domain/model-compat.d.ts +0 -4
  233. package/node_modules/@comis/core/dist/domain/normalized-message.d.ts +0 -15
  234. package/node_modules/@comis/core/dist/domain/provider-capabilities.d.ts +0 -6
  235. package/node_modules/@comis/core/dist/domain/rich-message.d.ts +0 -14
  236. package/node_modules/@comis/core/dist/domain/subagent-context-config.d.ts +0 -22
  237. package/node_modules/@comis/core/dist/domain/subagent-context-types.d.ts +0 -8
  238. package/node_modules/@comis/core/dist/event-bus/events-agent.d.ts +31 -0
  239. package/node_modules/@comis/core/dist/event-bus/events-infra.d.ts +76 -2
  240. package/node_modules/@comis/core/dist/exports/config.d.ts +2 -2
  241. package/node_modules/@comis/core/dist/exports/config.js +3 -1
  242. package/node_modules/@comis/core/dist/exports/domain.d.ts +2 -0
  243. package/node_modules/@comis/core/dist/exports/domain.js +1 -0
  244. package/node_modules/@comis/core/dist/exports/hooks.d.ts +1 -1
  245. package/node_modules/@comis/core/dist/exports/ports.d.ts +2 -2
  246. package/node_modules/@comis/core/dist/exports/ports.js +1 -1
  247. package/node_modules/@comis/core/dist/ports/channel-plugin.d.ts +0 -13
  248. package/node_modules/@comis/core/dist/ports/delivery-queue.d.ts +23 -0
  249. package/node_modules/@comis/core/dist/ports/delivery-queue.js +2 -0
  250. package/node_modules/@comis/core/dist/ports/index.d.ts +4 -0
  251. package/node_modules/@comis/core/dist/ports/index.js +5 -0
  252. package/node_modules/@comis/core/dist/ports/no-op-tool-capability.d.ts +30 -0
  253. package/node_modules/@comis/core/dist/ports/no-op-tool-capability.js +47 -0
  254. package/node_modules/@comis/core/dist/ports/oauth-credential-store.d.ts +64 -0
  255. package/node_modules/@comis/core/dist/ports/oauth-credential-store.js +37 -0
  256. package/node_modules/@comis/core/dist/ports/tool-capability.d.ts +165 -0
  257. package/node_modules/@comis/core/dist/ports/tool-capability.js +15 -0
  258. package/node_modules/@comis/core/dist/security/audit.d.ts +0 -11
  259. package/node_modules/@comis/core/dist/tool-metadata.d.ts +41 -1
  260. package/node_modules/@comis/core/dist/tool-metadata.js +1 -1
  261. package/node_modules/@comis/core/package.json +1 -1
  262. package/node_modules/@comis/daemon/bundled-skills/skill-creator/scripts/validate-skill.py +1 -1
  263. package/node_modules/@comis/daemon/dist/daemon-types.d.ts +23 -3
  264. package/node_modules/@comis/daemon/dist/daemon.js +168 -30
  265. package/node_modules/@comis/daemon/dist/index.d.ts +2 -0
  266. package/node_modules/@comis/daemon/dist/index.js +5 -0
  267. package/node_modules/@comis/daemon/dist/observability/channel-health-logger.js +3 -3
  268. package/node_modules/@comis/daemon/dist/observability/delivery-queue-logger.js +1 -1
  269. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.d.ts +22 -1
  270. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.js +84 -21
  271. package/node_modules/@comis/daemon/dist/rpc/agent-inline-workspace.d.ts +1 -1
  272. package/node_modules/@comis/daemon/dist/rpc/agent-inline-workspace.js +3 -3
  273. package/node_modules/@comis/daemon/dist/rpc/builtin-provider-guard.js +2 -2
  274. package/node_modules/@comis/daemon/dist/rpc/config-handlers.d.ts +9 -1
  275. package/node_modules/@comis/daemon/dist/rpc/config-handlers.js +104 -23
  276. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.d.ts +30 -1
  277. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.js +74 -11
  278. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.d.ts +8 -0
  279. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.js +22 -8
  280. package/node_modules/@comis/daemon/dist/rpc/model-handlers.d.ts +1 -1
  281. package/node_modules/@comis/daemon/dist/rpc/model-handlers.js +2 -2
  282. package/node_modules/@comis/daemon/dist/rpc/provider-handlers.js +9 -12
  283. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.d.ts +1 -0
  284. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.js +27 -2
  285. package/node_modules/@comis/daemon/dist/setup-docker-restart-warn.js +0 -1
  286. package/node_modules/@comis/daemon/dist/sub-agent-runner.d.ts +18 -0
  287. package/node_modules/@comis/daemon/dist/sub-agent-runner.js +41 -9
  288. package/node_modules/@comis/daemon/dist/wiring/index.d.ts +4 -0
  289. package/node_modules/@comis/daemon/dist/wiring/index.js +2 -0
  290. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.d.ts +21 -0
  291. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.js +134 -0
  292. package/node_modules/@comis/daemon/dist/wiring/setup-agents.d.ts +81 -2
  293. package/node_modules/@comis/daemon/dist/wiring/setup-agents.js +164 -3
  294. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.d.ts +58 -0
  295. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.js +59 -0
  296. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.d.ts +10 -3
  297. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.js +13 -7
  298. package/node_modules/@comis/daemon/dist/wiring/setup-channels.d.ts +9 -2
  299. package/node_modules/@comis/daemon/dist/wiring/setup-channels.js +35 -10
  300. package/node_modules/@comis/daemon/dist/wiring/setup-cross-session.d.ts +20 -5
  301. package/node_modules/@comis/daemon/dist/wiring/setup-cross-session.js +21 -16
  302. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.d.ts +14 -5
  303. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.js +65 -20
  304. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.d.ts +4 -6
  305. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.js +3 -5
  306. package/node_modules/@comis/daemon/dist/wiring/setup-heartbeat.d.ts +20 -5
  307. package/node_modules/@comis/daemon/dist/wiring/setup-heartbeat.js +11 -2
  308. package/node_modules/@comis/daemon/dist/wiring/setup-output-retention.d.ts +89 -0
  309. package/node_modules/@comis/daemon/dist/wiring/setup-output-retention.js +212 -0
  310. package/node_modules/@comis/daemon/dist/wiring/setup-schedulers.js +4 -0
  311. package/node_modules/@comis/daemon/dist/wiring/setup-tools.d.ts +18 -4
  312. package/node_modules/@comis/daemon/dist/wiring/setup-tools.js +29 -10
  313. package/node_modules/@comis/daemon/dist/wiring/tool-capability-adapter.d.ts +75 -0
  314. package/node_modules/@comis/daemon/dist/wiring/tool-capability-adapter.js +253 -0
  315. package/node_modules/@comis/daemon/package.json +1 -1
  316. package/node_modules/@comis/gateway/dist/index.d.ts +2 -0
  317. package/node_modules/@comis/gateway/dist/index.js +2 -0
  318. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.d.ts +66 -0
  319. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.js +212 -0
  320. package/node_modules/@comis/gateway/dist/server/hono-server.d.ts +14 -0
  321. package/node_modules/@comis/gateway/dist/server/hono-server.js +10 -0
  322. package/node_modules/@comis/gateway/dist/webhook/webhook-endpoint.d.ts +0 -4
  323. package/node_modules/@comis/gateway/package.json +1 -1
  324. package/node_modules/@comis/infra/dist/logging/log-fields.d.ts +23 -0
  325. package/node_modules/@comis/infra/package.json +1 -1
  326. package/node_modules/@comis/memory/dist/compaction.d.ts +3 -5
  327. package/node_modules/@comis/memory/dist/compaction.js +2 -3
  328. package/node_modules/@comis/memory/dist/delivery-queue-adapter.d.ts +2 -2
  329. package/node_modules/@comis/memory/dist/delivery-queue-adapter.js +49 -1
  330. package/node_modules/@comis/memory/dist/index.d.ts +2 -0
  331. package/node_modules/@comis/memory/dist/index.js +3 -0
  332. package/node_modules/@comis/memory/dist/memory-api.d.ts +1 -1
  333. package/node_modules/@comis/memory/dist/memory-api.js +1 -1
  334. package/node_modules/@comis/memory/dist/oauth-profile-schema.d.ts +17 -0
  335. package/node_modules/@comis/memory/dist/oauth-profile-schema.js +33 -0
  336. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.d.ts +27 -0
  337. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.js +144 -0
  338. package/node_modules/@comis/memory/dist/session-store.d.ts +1 -1
  339. package/node_modules/@comis/memory/dist/session-store.js +1 -1
  340. package/node_modules/@comis/memory/dist/sqlite-secret-store.d.ts +29 -3
  341. package/node_modules/@comis/memory/dist/sqlite-secret-store.js +11 -3
  342. package/node_modules/@comis/memory/package.json +1 -1
  343. package/node_modules/@comis/scheduler/dist/cron/cron-types.d.ts +0 -42
  344. package/node_modules/@comis/scheduler/dist/execution/execution-lock.d.ts +13 -0
  345. package/node_modules/@comis/scheduler/dist/execution/execution-lock.js +1 -1
  346. package/node_modules/@comis/scheduler/dist/execution/index.d.ts +2 -0
  347. package/node_modules/@comis/scheduler/dist/execution/index.js +2 -0
  348. package/node_modules/@comis/scheduler/dist/heartbeat/agent-heartbeat-source.d.ts +29 -8
  349. package/node_modules/@comis/scheduler/dist/heartbeat/agent-heartbeat-source.js +20 -8
  350. package/node_modules/@comis/scheduler/dist/index.d.ts +2 -0
  351. package/node_modules/@comis/scheduler/dist/index.js +2 -0
  352. package/node_modules/@comis/scheduler/dist/system-events/system-event-types.d.ts +0 -3
  353. package/node_modules/@comis/scheduler/dist/tasks/task-types.d.ts +0 -17
  354. package/node_modules/@comis/scheduler/package.json +1 -1
  355. package/node_modules/@comis/shared/dist/index.d.ts +3 -0
  356. package/node_modules/@comis/shared/dist/index.js +4 -0
  357. package/node_modules/@comis/shared/dist/mcp-tool-name.d.ts +78 -0
  358. package/node_modules/@comis/shared/dist/mcp-tool-name.js +92 -0
  359. package/node_modules/@comis/shared/dist/silent-tokens.d.ts +38 -0
  360. package/node_modules/@comis/shared/dist/silent-tokens.js +51 -0
  361. package/node_modules/@comis/shared/dist/visible-delivery.d.ts +28 -0
  362. package/node_modules/@comis/shared/dist/visible-delivery.js +16 -0
  363. package/node_modules/@comis/shared/package.json +1 -1
  364. package/node_modules/@comis/skills/dist/bridge/mcp-tool-bridge.d.ts +2 -13
  365. package/node_modules/@comis/skills/dist/bridge/mcp-tool-bridge.js +3 -21
  366. package/node_modules/@comis/skills/dist/bridge/schema-validator.d.ts +38 -0
  367. package/node_modules/@comis/skills/dist/bridge/schema-validator.js +169 -0
  368. package/node_modules/@comis/skills/dist/bridge/tool-metadata-enforcement.js +12 -0
  369. package/node_modules/@comis/skills/dist/bridge/tool-metadata-registry.js +133 -3
  370. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.d.ts +32 -0
  371. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.js +127 -0
  372. package/node_modules/@comis/skills/dist/builtin/exec-security.js +38 -0
  373. package/node_modules/@comis/skills/dist/builtin/exec-tool.d.ts +55 -9
  374. package/node_modules/@comis/skills/dist/builtin/exec-tool.js +392 -19
  375. package/node_modules/@comis/skills/dist/builtin/file-tools/grep-tool.js +6 -6
  376. package/node_modules/@comis/skills/dist/builtin/install-detour.d.ts +67 -0
  377. package/node_modules/@comis/skills/dist/builtin/install-detour.js +342 -0
  378. package/node_modules/@comis/skills/dist/builtin/platform/admin-manage-factory.js +5 -5
  379. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.d.ts +7 -6
  380. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.js +40 -29
  381. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.d.ts +4 -1
  382. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.js +3 -3
  383. package/node_modules/@comis/skills/dist/builtin/platform/cron-tool.js +1 -1
  384. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.js +6 -6
  385. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.d.ts +1 -1
  386. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.js +9 -9
  387. package/node_modules/@comis/skills/dist/builtin/platform/message-tool.js +18 -0
  388. package/node_modules/@comis/skills/dist/builtin/platform/messaging-factory.d.ts +18 -1
  389. package/node_modules/@comis/skills/dist/builtin/platform/messaging-factory.js +18 -2
  390. package/node_modules/@comis/skills/dist/builtin/platform/models-manage-tool.js +3 -3
  391. package/node_modules/@comis/skills/dist/builtin/process-registry.d.ts +14 -0
  392. package/node_modules/@comis/skills/dist/builtin/process-tool.d.ts +24 -4
  393. package/node_modules/@comis/skills/dist/builtin/process-tool.js +25 -7
  394. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.d.ts +11 -0
  395. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.js +123 -1
  396. package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js +40 -15
  397. package/node_modules/@comis/skills/dist/index.d.ts +4 -1
  398. package/node_modules/@comis/skills/dist/index.js +3 -1
  399. package/node_modules/@comis/skills/dist/manifest/capability-parser.d.ts +44 -0
  400. package/node_modules/@comis/skills/dist/manifest/capability-parser.js +68 -0
  401. package/node_modules/@comis/skills/dist/manifest/schema.d.ts +44 -37
  402. package/node_modules/@comis/skills/dist/manifest/schema.js +35 -0
  403. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.d.ts +7 -0
  404. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.js +9 -2
  405. package/node_modules/@comis/skills/dist/registry/discovery.d.ts +8 -0
  406. package/node_modules/@comis/skills/dist/registry/discovery.js +10 -3
  407. package/node_modules/@comis/skills/dist/registry/skill-registry.d.ts +45 -1
  408. package/node_modules/@comis/skills/dist/registry/skill-registry.js +70 -7
  409. package/node_modules/@comis/skills/package.json +1 -1
  410. package/node_modules/@comis/web/dist/assets/{agent-detail-71BSbSfD.js → agent-detail-q8t1NB7w.js} +1 -1
  411. package/node_modules/@comis/web/dist/assets/{agent-editor-CTSDZhwT.js → agent-editor-B46io5gv.js} +1 -1
  412. package/node_modules/@comis/web/dist/assets/{agent-list-BEhni2ea.js → agent-list-DQ6g2Rcx.js} +1 -1
  413. package/node_modules/@comis/web/dist/assets/{billing-view-DVP1IvVs.js → billing-view-IWPR8LgF.js} +1 -1
  414. package/node_modules/@comis/web/dist/assets/{channel-detail-N_YK74xC.js → channel-detail-DlNNZuuC.js} +1 -1
  415. package/node_modules/@comis/web/dist/assets/{channel-list-DRk6ZJaF.js → channel-list-DhGwxiMc.js} +1 -1
  416. package/node_modules/@comis/web/dist/assets/{chat-console-Dm-GtSf9.js → chat-console-Nv6fM3Rc.js} +1 -1
  417. package/node_modules/@comis/web/dist/assets/{config-editor-CIferYX6.js → config-editor-BYKuJF76.js} +1 -1
  418. package/node_modules/@comis/web/dist/assets/{context-dag-browser-CL84rXXM.js → context-dag-browser-ClNEtzYE.js} +1 -1
  419. package/node_modules/@comis/web/dist/assets/{context-engine-B1HOTEZv.js → context-engine-BZJ6HChd.js} +1 -1
  420. package/node_modules/@comis/web/dist/assets/{delivery-view-Y6JKYVFw.js → delivery-view-Cb7I3vGu.js} +1 -1
  421. package/node_modules/@comis/web/dist/assets/{diagnostics-view-DWV1UQjz.js → diagnostics-view-9u9Lyu5a.js} +1 -1
  422. package/node_modules/@comis/web/dist/assets/{ic-chat-message-DfSERzzg.js → ic-chat-message-BFt3cVpx.js} +1 -1
  423. package/node_modules/@comis/web/dist/assets/{ic-connection-dot-CXyhlJup.js → ic-connection-dot-y77LZ3Gu.js} +1 -1
  424. package/node_modules/@comis/web/dist/assets/{ic-tool-call-DNmwTjek.js → ic-tool-call-qt6w1NQl.js} +1 -1
  425. package/node_modules/@comis/web/dist/assets/{index-CBr0Tm9_.js → index-8Tg9oc-C.js} +2 -2
  426. package/node_modules/@comis/web/dist/assets/{mcp-management-BaH2-vox.js → mcp-management-69dtH_kY.js} +2 -2
  427. package/node_modules/@comis/web/dist/assets/{media-config-CZLshJoN.js → media-config-BdjLj5c1.js} +1 -1
  428. package/node_modules/@comis/web/dist/assets/{media-test-C9NUWgo_.js → media-test-DuPqrixi.js} +1 -1
  429. package/node_modules/@comis/web/dist/assets/{memory-inspector-D_fmTcRN.js → memory-inspector-B-Pepbq-.js} +1 -1
  430. package/node_modules/@comis/web/dist/assets/{message-center-BBFlNCZn.js → message-center-B7l0yNYY.js} +1 -1
  431. package/node_modules/@comis/web/dist/assets/{models-BytGLm99.js → models-JHFHuv5S.js} +1 -1
  432. package/node_modules/@comis/web/dist/assets/{observe-view-VXtHqaqq.js → observe-view-r8mqhy4O.js} +1 -1
  433. package/node_modules/@comis/web/dist/assets/{pipeline-builder-CfXczlfJ.js → pipeline-builder-XjkiZRcR.js} +1 -1
  434. package/node_modules/@comis/web/dist/assets/{pipeline-history-CPmXFnbe.js → pipeline-history-CZqJv_Hj.js} +1 -1
  435. package/node_modules/@comis/web/dist/assets/{pipeline-history-detail-DcueTMs9.js → pipeline-history-detail-BEFGMoDy.js} +1 -1
  436. package/node_modules/@comis/web/dist/assets/{pipeline-list-B-xG5WZh.js → pipeline-list-B6q5LvO1.js} +1 -1
  437. package/node_modules/@comis/web/dist/assets/{pipeline-monitor-pnIOYaSY.js → pipeline-monitor-BNomXjVL.js} +1 -1
  438. package/node_modules/@comis/web/dist/assets/{scheduler-BtUIFHhA.js → scheduler-BJEjcGKA.js} +1 -1
  439. package/node_modules/@comis/web/dist/assets/{security-C8mWRq2y.js → security-2G1jhBfV.js} +1 -1
  440. package/node_modules/@comis/web/dist/assets/{session-detail-DgdkO5ka.js → session-detail-DmVPzFBR.js} +1 -1
  441. package/node_modules/@comis/web/dist/assets/{session-list-DcylcfTn.js → session-list-CsqMQoHs.js} +1 -1
  442. package/node_modules/@comis/web/dist/assets/{setup-wizard-BP5yjsuL.js → setup-wizard-CAdM-gSP.js} +1 -1
  443. package/node_modules/@comis/web/dist/assets/{skills-DXt1bX8Z.js → skills-2ODqKaWr.js} +1 -1
  444. package/node_modules/@comis/web/dist/assets/{subagents-C7YbUHXY.js → subagents-BFlwfTbD.js} +1 -1
  445. package/node_modules/@comis/web/dist/assets/{workspace-manager-DP6pW4wa.js → workspace-manager--CbOx_dI.js} +1 -1
  446. package/node_modules/@comis/web/dist/index.html +1 -1
  447. package/node_modules/@comis/web/package.json +1 -1
  448. package/package.json +25 -24
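--- a/package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js
+++ b/package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js
@@ -10,7 +10,7 @@
  */
  import { existsSync } from "node:fs";
  import { spawnSync } from "node:child_process";
- import { BwrapProvider } from "./bwrap-provider.js";
+ import { BwrapProvider, SYSTEM_RO_PATHS } from "./bwrap-provider.js";
  import { SandboxExecProvider } from "./sandbox-exec-provider.js";
  /**
  * True when the daemon is running inside a Linux container. Docker writes
@@ -21,26 +21,42 @@ function isContainer() {
  return existsSync("/.dockerenv") || existsSync("/run/.containerenv");
  }
  /**
- * Smoke-test the bwrap binary against the isolation flags BwrapProvider
- * actually uses (--unshare-pid + --proc /proc). On Docker Desktop's linuxkit
- * kernel and similar restricted environments this combo EPERMs at the
- * procfs mount step, even with apparmor/seccomp unconfined every later
- * exec call would silently fail. `available()` only checks if `bwrap` is on
- * PATH, so without this probe the daemon would log "provider: bwrap" even
- * when bwrap is non-functional. ~50ms one-shot at startup.
+ * Smoke-test bwrap against the same SYSTEM_RO_PATHS BwrapProvider.buildArgs()
+ * uses, plus --unshare-pid + --proc /proc the kernel-feature combo we
+ * actually need to detect. Reusing the production bind list prevents drift
+ * (e.g. /lib64 must be present on usrmerge x86-64 hosts where /bin/true's
+ * dynamic linker lives there; without it the smoke spawn EPERMs at execvp
+ * even though the production sandbox itself runs fine).
+ *
+ * On Docker Desktop's linuxkit kernel and similar restricted environments
+ * --unshare-pid + --proc /proc EPERMs at the procfs mount step, even with
+ * apparmor/seccomp unconfined — every later exec call would silently fail.
+ * `available()` only checks if `bwrap` is on PATH, so without this probe the
+ * daemon would log "provider: bwrap" even when bwrap is non-functional.
+ * ~50ms one-shot at startup.
+ *
+ * Returns the raw `stderr` and `signal` from bwrap so the caller can include
+ * them in the warn payload — operators reading the log see the actual bwrap
+ * error message (e.g. "Creating new namespace failed: Operation not
+ * permitted") without having to enable DEBUG logging.
  */
  function bwrapSmokeTest() {
+ const sysBinds = SYSTEM_RO_PATHS
+ .filter((p) => existsSync(p))
+ .flatMap((p) => ["--ro-bind", p, p]);
  const r = spawnSync("bwrap", [
  "--unshare-user",
  "--unshare-pid",
  "--proc", "/proc",
- "--ro-bind", "/usr", "/usr",
- "--ro-bind", "/bin", "/bin",
- "--ro-bind", "/lib", "/lib",
+ ...sysBinds,
  "--tmpfs", "/tmp",
  "/bin/true",
  ], { encoding: "utf8", timeout: 5000 });
- return r.status === 0;
+ return {
+ ok: r.status === 0,
+ stderr: (r.stderr ?? "").trim(),
+ signal: r.signal ?? null,
+ };
  }
  /**
  * Detect and return the best available sandbox provider for this platform.
@@ -51,7 +67,8 @@ export function detectSandboxProvider(logger) {
  if (process.platform === "linux") {
  const bwrap = new BwrapProvider();
  if (bwrap.available()) {
- if (!bwrapSmokeTest()) {
+ const smoke = bwrapSmokeTest();
+ if (!smoke.ok) {
  // bwrap is on PATH but the kernel rejects the isolation flags
  // (typically Docker Desktop's linuxkit on macOS/Windows). Behaviour
  // diverges by environment:
@@ -69,17 +86,25 @@ export function detectSandboxProvider(logger) {
  // (rare on stock Linux). Surface it loudly and return the
  // provider so exec fails via bwrap's stderr until the operator
  // fixes the kernel/userns config — never silently degrade
- // sandboxing on a bare-metal host.
+ // sandboxing on a bare-metal host. The warn payload now includes
+ // `stderr` (the actual bwrap error) and `signal` so operators
+ // don't have to enable DEBUG logging to diagnose; the hint
+ // points at stderr first and demotes kernel sysctls to a
+ // secondary fallback.
  if (isContainer()) {
  logger?.warn({
  hint: "Kernel rejected --unshare-pid + --proc /proc (typically Docker Desktop linuxkit on macOS/Windows). Sandbox auto-disabled so agent exec is functional for development. PRODUCTION DEPLOYMENTS MUST USE A REAL LINUX HOST — see docs/operations/docker.mdx → Platform Support.",
  errorKind: "config",
+ stderr: smoke.stderr,
+ signal: smoke.signal,
  }, "Exec sandbox DISABLED (kernel limitation; container host) -- shell commands will run UNSANDBOXED. Dev/testing only.");
  return undefined;
  }
  logger?.warn({
- hint: "Kernel rejected --unshare-pid + --proc /proc on a bare-metal host. Check `kernel.unprivileged_userns_clone` and AppArmor's `apparmor_restrict_unprivileged_userns`. Exec calls will fail until bwrap can run.",
+ hint: "Check the `stderr` field above for the actual bwrap error — that's the primary signal. If stderr mentions namespaces or 'Operation not permitted' on a bare-metal host, then as a secondary diagnostic verify `sysctl kernel.unprivileged_userns_clone=1` and AppArmor's `apparmor_restrict_unprivileged_userns=0` (Ubuntu 23.10+). Exec calls will fail until bwrap can run.",
  errorKind: "config",
+ stderr: smoke.stderr,
+ signal: smoke.signal,
  }, "bwrap installed but smoke test failed -- exec sandbox is non-functional on this kernel");
  }
  return bwrap;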
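Review bot: `bwrapSmokeTest()` still drops `r.error`, so when `spawnSync` cannot start bwrap at all the warn payload carries an empty `stderr` and a null `signal`, while the new bare-metal hint tells the operator to read `stderr` first. Adding `error: r.error?.message ?? null,` to the returned object and to both warn payloads would cover that case. Separately, the container branch of `detectSandboxProvider` returns `undefined` on `!smoke.ok` alone; now that `stderr` is captured, it looks worth confirming the failure really is the namespace/procfs rejection before disabling the sandbox, because any other smoke failure inside a container would also leave exec unsandboxed. The body of `detectSandboxProvider` is only partly visible in these hunks.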
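--- a/package/node_modules/@comis/skills/dist/index.d.ts
+++ b/package/node_modules/@comis/skills/dist/index.d.ts
@@ -17,6 +17,8 @@ export { createExecTool } from "./builtin/exec-tool.js";
  export { createProcessTool } from "./builtin/process-tool.js";
  export { createProcessRegistry } from "./builtin/process-registry.js";
  export type { ProcessRegistry } from "./builtin/process-registry.js";
+ export type { InstallDetourDecision, DetourOverlap } from "./builtin/install-detour.js";
+ export { parseInstallDetour } from "./builtin/install-detour.js";
  export type { SandboxProvider, SandboxOptions, ExecSandboxConfig } from "./builtin/sandbox/types.js";
  export { detectSandboxProvider } from "./builtin/sandbox/detect-provider.js";
  export type { DetectLogger } from "./builtin/sandbox/detect-provider.js";
@@ -44,7 +46,8 @@ export { createLinkRunner } from "./integrations/link/link-runner.js";
  export type { LinkRunner } from "./integrations/link/link-runner.js";
  export { createMcpClientManager, qualifyToolName, parseQualifiedName } from "./integrations/mcp-client.js";
  export type { McpClientManager, McpClientManagerDeps, McpServerConfig, McpConnection, McpConnectionStatus, McpToolDefinition, McpToolCallResult, McpToolCallContent, } from "./integrations/mcp-client.js";
- export { mcpToolsToAgentTools, jsonSchemaToTypeBox, sanitizeMcpToolName, extractMcpServerName, classifyMcpErrorType } from "./bridge/mcp-tool-bridge.js";
+ export { mcpToolsToAgentTools, jsonSchemaToTypeBox, sanitizeMcpToolName, classifyMcpErrorType } from "./bridge/mcp-tool-bridge.js";
+ export { extractMcpServerName } from "@comis/shared";
  export { createVisionProviderRegistry, selectVisionProvider } from "./integrations/vision/vision-provider-registry.js";
  export { resolveVisionScope } from "./integrations/vision/scope-resolver.js";
  export { detectFfmpeg, createAudioConverter, createMediaTempManager, createMediaSemaphore, createSsrfGuardedFetcher, createCompositeResolver, createMediaPersistenceService, } from "./media/index.js";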
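--- a/package/node_modules/@comis/skills/dist/index.js
+++ b/package/node_modules/@comis/skills/dist/index.js
@@ -22,6 +22,7 @@ export { createApplyPatchTool } from "./builtin/file/apply-patch-tool.js";
  export { createExecTool } from "./builtin/exec-tool.js";
  export { createProcessTool } from "./builtin/process-tool.js";
  export { createProcessRegistry } from "./builtin/process-registry.js";
+ export { parseInstallDetour } from "./builtin/install-detour.js";
  // Built-in tools -- Exec sandbox detection
  export { detectSandboxProvider } from "./builtin/sandbox/detect-provider.js";
  // Registry
@@ -89,7 +90,8 @@ export { createLinkRunner } from "./integrations/link/link-runner.js";
  // Integrations -- MCP client manager
  export { createMcpClientManager, qualifyToolName, parseQualifiedName } from "./integrations/mcp-client.js";
  // Bridge -- MCP tool bridge
- export { mcpToolsToAgentTools, jsonSchemaToTypeBox, sanitizeMcpToolName, extractMcpServerName, classifyMcpErrorType } from "./bridge/mcp-tool-bridge.js";
+ export { mcpToolsToAgentTools, jsonSchemaToTypeBox, sanitizeMcpToolName, classifyMcpErrorType } from "./bridge/mcp-tool-bridge.js";
+ export { extractMcpServerName } from "@comis/shared";
  // Integrations -- Vision
  export { createVisionProviderRegistry, selectVisionProvider } from "./integrations/vision/vision-provider-registry.js";
  export { resolveVisionScope } from "./integrations/vision/scope-resolver.js";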
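--- a/package/node_modules/@comis/skills/dist/manifest/capability-parser.d.ts
+++ b/package/node_modules/@comis/skills/dist/manifest/capability-parser.d.ts
@@ -0,0 +1,44 @@
+ /**
+ * Defensive parser for `comis.capability` skill manifest blocks.
+ *
+ * The outer `ComisNamespaceSchema` is z.strictObject -- a typo'd nested
+ * capability key (`replacePackages` missing `s`) would normally cause the
+ * whole `comis:` block to fail parse and the skill to become invisible.
+ * This function parses the capability sub-block separately with try/recover
+ * semantics: on any validation failure (typo, type mismatch, empty string),
+ * log a Pino WARN with `errorKind: "config"` and return undefined. The skill
+ * renders under the fallback `prompt-skills` cluster.
+ *
+ * Capability metadata is enrichment, not a gate. The skill itself is NEVER
+ * hidden solely because optional capability metadata is invalid.
+ *
+ * Caller pattern:
+ * const ns = (typeof obj["comis"] === "object" && ...) ? ... : undefined;
+ * const capability = parseComisCapabilityDefensively(ns?.["capability"], skillName, logger);
+ * // ... include `capability` in SkillMetadata; downstream filters tolerate undefined.
+ *
+ * @module
+ */
+ import type { ToolCapabilityMetadata } from "@comis/core";
+ export type { ToolCapabilityMetadata };
+ /** Pino-compatible logger interface. The skills package already uses this shape; reuse here. */
+ interface DiscoveryLogger {
+ warn(obj: Record<string, unknown>, msg: string): void;
+ }
+ /**
+ * Defensively parse a `comis.capability` block.
+ *
+ * On success: returns the parsed shape (with defaults applied).
+ * On failure: logs a Pino WARN with `errorKind: "config"`, the skillName,
+ * the Zod issue paths, and an operator-actionable hint, then returns
+ * undefined. NEVER throws.
+ *
+ * @param raw - The raw `capability` value from `manifest.comis.capability`
+ * (may be undefined or null).
+ * @param skillName - Used in the WARN log payload for operator context.
+ * @param logger - Optional Pino logger. When omitted, parse failures fall
+ * through silently (the function still returns undefined;
+ * the caller may emit its own log).
+ * @returns Parsed capability metadata, or undefined if absent / malformed.
+ */
+ export declare function parseComisCapabilityDefensively(raw: unknown, skillName: string, logger: DiscoveryLogger | undefined): ToolCapabilityMetadata | undefined;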
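--- a/package/node_modules/@comis/skills/dist/manifest/capability-parser.js
+++ b/package/node_modules/@comis/skills/dist/manifest/capability-parser.js
@@ -0,0 +1,68 @@
+ // SPDX-License-Identifier: Apache-2.0
+ /**
+ * Defensive parser for `comis.capability` skill manifest blocks.
+ *
+ * The outer `ComisNamespaceSchema` is z.strictObject -- a typo'd nested
+ * capability key (`replacePackages` missing `s`) would normally cause the
+ * whole `comis:` block to fail parse and the skill to become invisible.
+ * This function parses the capability sub-block separately with try/recover
+ * semantics: on any validation failure (typo, type mismatch, empty string),
+ * log a Pino WARN with `errorKind: "config"` and return undefined. The skill
+ * renders under the fallback `prompt-skills` cluster.
+ *
+ * Capability metadata is enrichment, not a gate. The skill itself is NEVER
+ * hidden solely because optional capability metadata is invalid.
+ *
+ * Caller pattern:
+ * const ns = (typeof obj["comis"] === "object" && ...) ? ... : undefined;
+ * const capability = parseComisCapabilityDefensively(ns?.["capability"], skillName, logger);
+ * // ... include `capability` in SkillMetadata; downstream filters tolerate undefined.
+ *
+ * @module
+ */
+ import { ComisCapabilityBlockSchema } from "./schema.js";
+ /**
+ * Defensively parse a `comis.capability` block.
+ *
+ * On success: returns the parsed shape (with defaults applied).
+ * On failure: logs a Pino WARN with `errorKind: "config"`, the skillName,
+ * the Zod issue paths, and an operator-actionable hint, then returns
+ * undefined. NEVER throws.
+ *
+ * @param raw - The raw `capability` value from `manifest.comis.capability`
+ * (may be undefined or null).
+ * @param skillName - Used in the WARN log payload for operator context.
+ * @param logger - Optional Pino logger. When omitted, parse failures fall
+ * through silently (the function still returns undefined;
+ * the caller may emit its own log).
+ * @returns Parsed capability metadata, or undefined if absent / malformed.
+ */
+ export function parseComisCapabilityDefensively(raw, skillName, logger) {
+ // Fast path: no capability block declared -> no log, no work.
+ if (raw === undefined)
+ return undefined;
+ const result = ComisCapabilityBlockSchema.safeParse(raw);
+ if (result.success) {
+ // Coerce the Zod-inferred shape into ToolCapabilityMetadata
+ // (compatible by structure).
+ return {
+ cluster: result.data.cluster,
+ summary: result.data.summary,
+ replacesPackages: result.data.replacesPackages,
+ };
+ }
+ // Malformed -- log WARN and fall back. This path NEVER raises an exception.
+ const issues = result.error.issues.map((issue) => ({
+ path: issue.path.join("."),
+ code: issue.code,
+ message: issue.message,
+ }));
+ logger?.warn({
+ errorKind: "config",
+ skillName,
+ issues,
+ hint: "Fix the comis.capability block in the skill manifest, or remove it. " +
+ "The skill will render under the fallback 'prompt-skills' cluster until corrected.",
+ }, "Malformed comis.capability metadata; skill renders under fallback cluster.");
+ return undefined;
+ }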
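Review bot: The fast path `if (raw === undefined)` does not cover `null`, although the `@param raw` text says the value "may be undefined or null". A null value goes on to `safeParse`, where it would presumably fail the strict object schema and emit the "Malformed comis.capability metadata" WARN for what may only be an empty `capability:` key in the manifest. Either widen the guard to `if (raw == null) return undefined;` or drop "or null" from the doc comment so the WARN on null is clearly intended.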
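--- a/package/node_modules/@comis/skills/dist/manifest/schema.d.ts
+++ b/package/node_modules/@comis/skills/dist/manifest/schema.d.ts
@@ -10,13 +10,9 @@ export declare const SkillNameSchema: z.ZodString;
  * All fields default to empty arrays (no permissions).
  */
  export declare const SkillPermissionsSchema: z.ZodObject<{
- /** Filesystem read access paths (e.g. ["/tmp/skill-data"]) */
  fsRead: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Filesystem write access paths */
  fsWrite: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Network access domains (e.g. ["api.example.com"]) */
  net: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Environment variable access (read-only, specific keys) */
  env: z.ZodDefault<z.ZodArray<z.ZodString>>;
  }, z.core.$strict>;
  /**
@@ -24,7 +20,7 @@ export declare const SkillPermissionsSchema: z.ZodObject<{
  * Accepts a single string (wraps in array, lowercases) or an array of strings (lowercases each).
  * No enum restriction -- any OS string is valid (e.g., "playstation").
  */
- export declare const OsFieldSchema: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodArray<z.ZodString>>>;
+ export declare const OsFieldSchema: z.ZodPreprocess<z.ZodOptional<z.ZodArray<z.ZodString>>>;
  /**
  * Skill prerequisites schema (strict: only bins and env keys accepted).
  * Undefined means no prerequisites; present means the skill declares external dependencies.
@@ -37,7 +33,35 @@ export declare const SkillRequiresSchema: z.ZodObject<{
  * Skill key schema with preprocess coercion to slug format.
  * Lowercases, replaces spaces with hyphens, strips non-alphanumeric-hyphen chars.
  */
- export declare const SkillKeySchema: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
+ export declare const SkillKeySchema: z.ZodPreprocess<z.ZodOptional<z.ZodString>>;
+ /**
+ * Capability metadata block for v1.1 capability layer.
+ *
+ * Optional sub-block of `comis:` namespace. All inner fields optional. The
+ * block is z.strictObject -- unknown nested keys (typos like
+ * `replacePackages` missing `s`) are rejected when used in a strict-parse
+ * context.
+ *
+ * IMPORTANT -- defensive parse at registry-side:
+ * The outer ComisNamespaceSchema is strict, so a malformed `capability` block
+ * would normally cause the whole `comis:` block to fail parse and the skill
+ * to become invisible. The registry's discovery enrichment extracts
+ * `comis.capability` SEPARATELY via `parseComisCapabilityDefensively`, which
+ * logs a WARN and returns undefined on failure -- letting the skill render
+ * under the fallback `prompt-skills` cluster. The strict schema here is the
+ * declaration of the contract; the defensive parser is the recovery
+ * mechanism.
+ *
+ * The skill itself is never hidden solely because optional capability
+ * metadata is invalid.
+ */
+ export declare const ComisCapabilityBlockSchema: z.ZodObject<{
+ cluster: z.ZodOptional<z.ZodString>;
+ summary: z.ZodOptional<z.ZodString>;
+ replacesPackages: z.ZodDefault<z.ZodArray<z.ZodString>>;
+ }, z.core.$strict>;
+ /** Parsed `comis.capability` block (Zod-inferred, defaults applied). */
+ export type ComisCapabilityBlockParsed = z.infer<typeof ComisCapabilityBlockSchema>;
  /**
  * Comis-specific namespace schema for fields that only apply within the
  * Comis platform. Other pi-coding-agent hosts will simply ignore this block.
@@ -45,19 +69,19 @@ export declare const SkillKeySchema: z.ZodPipe<z.ZodTransform<unknown, unknown>,
  * Skills place these fields under `comis:` in frontmatter.
  */
  export declare const ComisNamespaceSchema: z.ZodOptional<z.ZodObject<{
- /** Target operating systems (coerced: string -> [string], lowercased) */
- os: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodArray<z.ZodString>>>;
- /** External prerequisites: binary executables and environment variables */
+ os: z.ZodPreprocess<z.ZodOptional<z.ZodArray<z.ZodString>>>;
  requires: z.ZodOptional<z.ZodObject<{
  bins: z.ZodDefault<z.ZodArray<z.ZodString>>;
  env: z.ZodDefault<z.ZodArray<z.ZodString>>;
  }, z.core.$strict>>;
- /** Explicit skill key override (coerced to slug format) */
- "skill-key": z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
- /** Display/grouping hint for primary environment (e.g., "discord", "telegram") */
+ "skill-key": z.ZodPreprocess<z.ZodOptional<z.ZodString>>;
  "primary-env": z.ZodOptional<z.ZodString>;
- /** Metadata-only dispatch tag for command routing */
  "command-dispatch": z.ZodOptional<z.ZodString>;
+ capability: z.ZodOptional<z.ZodObject<{
+ cluster: z.ZodOptional<z.ZodString>;
+ summary: z.ZodOptional<z.ZodString>;
+ replacesPackages: z.ZodDefault<z.ZodArray<z.ZodString>>;
+ }, z.core.$strict>>;
  }, z.core.$strict>>;
  /** Parsed Comis namespace block type. */
  export type ComisNamespaceParsed = z.infer<typeof ComisNamespaceSchema>;
@@ -69,54 +93,37 @@ export type ComisNamespaceParsed = z.infer<typeof ComisNamespaceSchema>;
  * exclusively under the `comis:` namespace block.
  */
  export declare const SkillManifestSchema: z.ZodObject<{
- /** Unique skill name (lowercase alphanumeric with hyphens) */
  name: z.ZodString;
- /** Human-readable description (1-1024 chars) */
  description: z.ZodString;
- /** Skill type: always "prompt" for Markdown instruction skills. */
  type: z.ZodDefault<z.ZodLiteral<"prompt">>;
- /** Semver version string */
  version: z.ZodOptional<z.ZodString>;
- /** SPDX license identifier */
  license: z.ZodOptional<z.ZodString>;
- /** Whether users can invoke this skill via /skill:name (default true) */
  userInvocable: z.ZodDefault<z.ZodBoolean>;
- /** When true, skill is hidden from model's available skills listing (default false) */
  disableModelInvocation: z.ZodDefault<z.ZodBoolean>;
- /** Tool restrictions when skill is active; empty array means no restriction (default []) */
  allowedTools: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Optional hint text shown to users (e.g., "[name]") */
  argumentHint: z.ZodOptional<z.ZodString>;
- /** Required permissions */
  permissions: z.ZodDefault<z.ZodObject<{
- /** Filesystem read access paths (e.g. ["/tmp/skill-data"]) */
  fsRead: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Filesystem write access paths */
  fsWrite: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Network access domains (e.g. ["api.example.com"]) */
  net: z.ZodDefault<z.ZodArray<z.ZodString>>;
- /** Environment variable access (read-only, specific keys) */
  env: z.ZodDefault<z.ZodArray<z.ZodString>>;
  }, z.core.$strict>>;
- /** JSON Schema describing the skill's input parameters */
  inputSchema: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
- /** Arbitrary key-value metadata */
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
- /** Comis-specific namespace block for platform-only fields */
  comis: z.ZodOptional<z.ZodObject<{
- /** Target operating systems (coerced: string -> [string], lowercased) */
- os: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodArray<z.ZodString>>>;
- /** External prerequisites: binary executables and environment variables */
+ os: z.ZodPreprocess<z.ZodOptional<z.ZodArray<z.ZodString>>>;
  requires: z.ZodOptional<z.ZodObject<{
  bins: z.ZodDefault<z.ZodArray<z.ZodString>>;
  env: z.ZodDefault<z.ZodArray<z.ZodString>>;
  }, z.core.$strict>>;
- /** Explicit skill key override (coerced to slug format) */
- "skill-key": z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodOptional<z.ZodString>>;
- /** Display/grouping hint for primary environment (e.g., "discord", "telegram") */
+ "skill-key": z.ZodPreprocess<z.ZodOptional<z.ZodString>>;
  "primary-env": z.ZodOptional<z.ZodString>;
- /** Metadata-only dispatch tag for command routing */
  "command-dispatch": z.ZodOptional<z.ZodString>;
+ capability: z.ZodOptional<z.ZodObject<{
+ cluster: z.ZodOptional<z.ZodString>;
+ summary: z.ZodOptional<z.ZodString>;
+ replacesPackages: z.ZodDefault<z.ZodArray<z.ZodString>>;
+ }, z.core.$strict>>;
  }, z.core.$strict>>;
  }, z.core.$strict>;
  /** Parsed and validated skill manifest. */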
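--- a/package/node_modules/@comis/skills/dist/manifest/schema.js
+++ b/package/node_modules/@comis/skills/dist/manifest/schema.js
@@ -58,6 +58,35 @@ export const SkillKeySchema = z.preprocess((val) => {
  }
  return val;
  }, z.string().regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/, "skill-key must be a valid slug").optional());
+ /**
+ * Capability metadata block for v1.1 capability layer.
+ *
+ * Optional sub-block of `comis:` namespace. All inner fields optional. The
+ * block is z.strictObject -- unknown nested keys (typos like
+ * `replacePackages` missing `s`) are rejected when used in a strict-parse
+ * context.
+ *
+ * IMPORTANT -- defensive parse at registry-side:
+ * The outer ComisNamespaceSchema is strict, so a malformed `capability` block
+ * would normally cause the whole `comis:` block to fail parse and the skill
+ * to become invisible. The registry's discovery enrichment extracts
+ * `comis.capability` SEPARATELY via `parseComisCapabilityDefensively`, which
+ * logs a WARN and returns undefined on failure -- letting the skill render
+ * under the fallback `prompt-skills` cluster. The strict schema here is the
+ * declaration of the contract; the defensive parser is the recovery
+ * mechanism.
+ *
+ * The skill itself is never hidden solely because optional capability
+ * metadata is invalid.
+ */
+ export const ComisCapabilityBlockSchema = z.strictObject({
+ /** Cluster ID this skill belongs to (operator may override via tooling.skills.capabilityHints). */
+ cluster: z.string().min(1).optional(),
+ /** Operator-tunable display summary; falls back to skill description if absent. */
+ summary: z.string().min(1).optional(),
+ /** Package names this skill replaces (for install-detour overlap detection). */
+ replacesPackages: z.array(z.string().min(1)).default([]),
+ });
  /**
  * Comis-specific namespace schema for fields that only apply within the
  * Comis platform. Other pi-coding-agent hosts will simply ignore this block.
@@ -75,6 +104,12 @@ export const ComisNamespaceSchema = z.strictObject({
  "primary-env": z.string().optional(),
  /** Metadata-only dispatch tag for command routing */
  "command-dispatch": z.string().optional(),
+ /**
+ * v1.1 capability layer -- optional metadata for cluster, summary,
+ * package aliases. Defensively parsed at registry-side; a typo here will
+ * NOT hide the skill.
+ */
+ capability: ComisCapabilityBlockSchema.optional(),
  }).optional();
  /**
  * Full SKILL.md manifest schema.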
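Review bot: `ComisCapabilityBlockSchema` accepts any non-empty string for `cluster`, `summary` and each `replacesPackages` entry, with no length cap, no cap on the array and no character pattern, while `SkillKeySchema` just above it enforces a slug regex. The field comment says `replacesPackages` feeds install-detour overlap detection, so a manifest can claim to replace arbitrary package names; if manifests can come from third parties, bounding these would be safer, for example `replacesPackages: z.array(z.string().min(1).max(214)).max(32).default([]),` (the limits are illustrative, not taken from the project). In the second hunk, the comment on `capability` says a typo "will NOT hide the skill", but `ComisNamespaceSchema` still embeds the strict block, so this holds only if discovery pre-parses or strips `capability` before the strict parse runs; that code is not in this section, and the comment should name where the guarantee is enforced.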
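--- a/package/node_modules/@comis/skills/dist/media/ssrf-fetcher.d.ts
+++ b/package/node_modules/@comis/skills/dist/media/ssrf-fetcher.d.ts
@@ -9,6 +9,13 @@
  * URL** (preserving TLS SNI). This maintains SSRF protection while keeping
  * TLS certificate validation working correctly.
  *
+ * Both `fetch` and `Agent` are imported from undici directly (NOT
+ * `globalThis.fetch`): Node's bundled fetch ships an older undici whose
+ * request-handler lifecycle is incompatible with the v8 `Agent` we use for
+ * DNS pinning. Mixing the two throws `InvalidArgumentError: invalid
+ * onRequestStart method` and breaks every channel's inbound media path. Do
+ * not swap this back to `globalThis.fetch`.
+ *
  * Every outbound media fetch MUST go through this utility.
  *
  * @module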
@@ -10,13 +10,20 @@
10
10
  * URL** (preserving TLS SNI). This maintains SSRF protection while keeping
11
11
  * TLS certificate validation working correctly.
12
12
  *
13
+ * Both `fetch` and `Agent` are imported from undici directly (NOT
14
+ * `globalThis.fetch`): Node's bundled fetch ships an older undici whose
15
+ * request-handler lifecycle is incompatible with the v8 `Agent` we use for
16
+ * DNS pinning. Mixing the two throws `InvalidArgumentError: invalid
17
+ * onRequestStart method` and breaks every channel's inbound media path. Do
18
+ * not swap this back to `globalThis.fetch`.
19
+ *
13
20
  * Every outbound media fetch MUST go through this utility.
14
21
  *
15
22
  * @module
16
23
  */
17
24
  import { validateUrl } from "@comis/core";
18
25
  import { fromPromise, suppressError } from "@comis/shared";
19
- import { Agent } from "undici";
26
+ import { Agent, fetch } from "undici";
20
27
  /**
21
28
  * Classify a fetch error into an actionable errorKind + hint for structured logging.
22
29
  */
@@ -121,7 +128,7 @@ export function createSsrfGuardedFetcher(config, logger) {
121
128
  // because the original hostname stays in the URL.
122
129
  const agent = createPinnedAgent(ip);
123
130
  try {
124
- const response = await globalThis.fetch(url, {
131
+ const response = await fetch(url, {
125
132
  signal: AbortSignal.timeout(30_000),
126
133
  redirect: "error", // Do not follow redirects — they could point to internal IPs
127
134
  dispatcher: agent,
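Review bot: Nothing at the `fetch(url, {` call in the second hunk says why it must not be `globalThis.fetch`; the reason is given only in the module header, so a later cleanup at the call site could bring the mismatch back. I would add a one-line comment above the call, `// undici fetch, not globalThis.fetch: the dispatcher below must come from the same undici build`. As the header describes it, the mismatch throws rather than skipping the pinned agent, so it would surface as broken media fetches and not as a bypass of the SSRF check. A regression test that sends one request through `createPinnedAgent` to a local server would still catch it before release. The body of `createSsrfGuardedFetcher` continues outside the hunk.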
@@ -17,6 +17,7 @@
17
17
  *
18
18
  * @module
19
19
  */
20
+ import type { ToolCapabilityMetadata } from "@comis/core";
20
21
  import type { ResourceDiagnostic } from "./diagnostics.js";
21
22
  /** Minimal pino-compatible logger for discovery warnings. */
22
23
  export interface DiscoveryLogger {
@@ -63,6 +64,13 @@ export interface SkillMetadata {
63
64
  readonly primaryEnv?: string;
64
65
  /** Dispatch mode tag (metadata-only in this phase). */
65
66
  readonly commandDispatch?: string;
67
+ /**
68
+ * Capability layer -- extracted from `comis.capability` via defensive
69
+ * parse. Malformed metadata -> undefined + WARN log. The skill still
70
+ * renders under the fallback `prompt-skills` cluster when this is
71
+ * undefined; metadata absence never hides the skill.
72
+ */
73
+ readonly capability?: ToolCapabilityMetadata;
66
74
  }
67
75
  /** Result of skill discovery: skills found plus any diagnostics (collisions, warnings). */
68
76
  export interface DiscoveryResult {
@@ -22,6 +22,7 @@ import * as fs from "node:fs";
22
22
  import * as path from "node:path";
23
23
  import ignore from "ignore";
24
24
  import { parseFrontmatter } from "../manifest/parser.js";
25
+ import { parseComisCapabilityDefensively } from "../manifest/capability-parser.js";
25
26
  // ---------------------------------------------------------------------------
26
27
  // Ignore helpers
27
28
  // ---------------------------------------------------------------------------
@@ -108,7 +109,7 @@ function resolveSource(pathIndex, totalPaths) {
108
109
  * Only parses the frontmatter block -- does not validate the full manifest schema.
109
110
  * This keeps discovery fast and lightweight (Level 1 progressive disclosure).
110
111
  */
111
- function extractMetadataFromSkillMd(skillMdPath) {
112
+ function extractMetadataFromSkillMd(skillMdPath, logger) {
112
113
  let content;
113
114
  try {
114
115
  content = fs.readFileSync(skillMdPath, "utf-8");
@@ -163,7 +164,12 @@ function extractMetadataFromSkillMd(skillMdPath) {
163
164
  // command-dispatch field
164
165
  const rawCommandDispatch = ns?.["command-dispatch"];
165
166
  const commandDispatch = typeof rawCommandDispatch === "string" ? rawCommandDispatch : undefined;
166
- return { name: obj["name"], description: obj["description"], type, userInvocable, disableModelInvocation, argumentHint, os, requires, skillKey, primaryEnv, commandDispatch };
167
+ // Capability layer -- defensive parse. A typo or type mismatch in
168
+ // `comis.capability` returns undefined + emits a WARN; the skill itself
169
+ // remains visible (renders under the fallback "prompt-skills" cluster
170
+ // downstream).
171
+ const capability = parseComisCapabilityDefensively(ns?.["capability"], obj["name"], logger);
172
+ return { name: obj["name"], description: obj["description"], type, userInvocable, disableModelInvocation, argumentHint, os, requires, skillKey, primaryEnv, commandDispatch, capability };
167
173
  }
168
174
  /**
169
175
  * Recursive internal helper for discovering skills within a directory tree.
@@ -237,7 +243,7 @@ function discoverSkillsFromDir(dir, source, includeRootFiles, skillMap, diagnost
237
243
  // Silent skip if same real file already loaded (same file via different symlink)
238
244
  if (realPathSet.has(realPath))
239
245
  continue;
240
- const metadata = extractMetadataFromSkillMd(fullPath);
246
+ const metadata = extractMetadataFromSkillMd(fullPath, logger);
241
247
  if (metadata === null) {
242
248
  logger?.warn({ skillPath: fullPath, hint: "Check skill file has valid YAML frontmatter with name and description fields", errorKind: "validation" }, "Skipping malformed skill file");
243
249
  continue;
@@ -278,6 +284,7 @@ function discoverSkillsFromDir(dir, source, includeRootFiles, skillMap, diagnost
278
284
  skillKey: metadata.skillKey,
279
285
  primaryEnv: metadata.primaryEnv,
280
286
  commandDispatch: metadata.commandDispatch,
287
+ capability: metadata.capability,
281
288
  };
282
289
  skillMap.set(metadata.name, skillMeta);
283
290
  realPathSet.add(realPath);
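Review bot: `logger` is passed straight into `parseComisCapabilityDefensively` in the third hunk, yet the call site in `discoverSkillsFromDir` uses `logger?.warn`, so it can be undefined. The parser lives in `../manifest/capability-parser.js` and is not shown here; if it calls `logger.warn` unguarded, a malformed `comis.capability` block with no logger configured would throw out of `extractMetadataFromSkillMd` instead of yielding `capability: undefined`, which contradicts the comment's promise that the skill stays visible. It is worth confirming the parser uses `logger?.warn` and adding a test that runs discovery on a skill with an invalid capability block and no logger. Because the frontmatter is author-controlled, the same test should check that the WARN carries the skill name as a structured field rather than interpolated into the message. Most of `extractMetadataFromSkillMd`'s body lies between the hunks and is not shown.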
@@ -10,12 +10,25 @@
10
10
  *
11
11
  * @module
12
12
  */
13
- import type { SkillsConfig, TypedEventBus } from "@comis/core";
13
+ import type { PromptSkillCapability, SkillsConfig, TypedEventBus } from "@comis/core";
14
14
  import type { Result } from "@comis/shared";
15
15
  import { type PromptSkillDescription } from "../prompt/processor.js";
16
16
  import { type SkillMetadata, type SkillSource } from "./discovery.js";
17
17
  import { type RuntimeEligibilityContext } from "./eligibility.js";
18
18
  import { type SkillWatcherHandle } from "./skill-watcher.js";
19
+ /**
20
+ * Operator hint shape consumed by `getPromptSkillCapabilities`.
21
+ *
22
+ * Mirrors the return shape of `ToolCapabilityPort.getSkillHint` in
23
+ * `@comis/core/ports/tool-capability.ts`. The registry stays decoupled from
24
+ * the port itself -- daemon-side wiring passes the port's `getSkillHint`
25
+ * method as the callback.
26
+ */
27
+ type OperatorSkillHint = {
28
+ readonly cluster: string;
29
+ readonly description?: string;
30
+ readonly replacesPackages: readonly string[];
31
+ };
19
32
  /** Minimal pino-compatible logger interface for skills subsystem logging. */
20
33
  interface SkillsLogger {
21
34
  info(obj: Record<string, unknown>, msg: string): void;
@@ -101,6 +114,37 @@ export interface SkillRegistry {
101
114
  * Acts as the Comis eligibility gate for SDK discovery.
102
115
  */
103
116
  getEligibleSkillNames(): Set<string>;
117
+ /**
118
+ * Return all visible eligible prompt skills with merged capability metadata.
119
+ *
120
+ * Applies the same `allowedSkills`/`deniedSkills` and runtime-eligibility
121
+ * filters as `getPromptSkillDescriptions`, PLUS an extra
122
+ * `disableModelInvocation !== true` filter -- skills hidden from the model
123
+ * are not surfaced as capability index entries.
124
+ *
125
+ * Capability merge precedence:
126
+ * 1. operator hint by `skillKey` (when the skill declares one)
127
+ * 2. operator hint by skill name (always available as fallback)
128
+ * 3. `comis.capability` from the skill manifest (already in
129
+ * `metadata.capability`)
130
+ * 4. Fallback: `cluster` undefined (renderer falls back to the literal
131
+ * `"prompt-skills"` cluster); `summary` = `description`;
132
+ * `replacesPackages` = `[]`.
133
+ *
134
+ * The `getOperatorHint` callback keeps the registry decoupled from
135
+ * `ToolCapabilityPort` -- daemon-side adapters pass the port's
136
+ * `getSkillHint` method here.
137
+ *
138
+ * Fresh-per-call (no memoization). Returns a frozen array of frozen entries.
139
+ *
140
+ * IMPORTANT -- cache fence:
141
+ * This method MUST NOT be consumed by `assembleRichSystemPrompt`'s
142
+ * `assemblerParams` in `packages/agent/src/executor/prompt-assembly.ts`.
143
+ * If a skill discovery sweep runs between turns, the cached system-prompt
144
+ * prefix MUST stay byte-identical. An architecture-grep test enforces this
145
+ * invariant.
146
+ */
147
+ getPromptSkillCapabilities(getOperatorHint: (skillName: string, skillKey?: string) => OperatorSkillHint | undefined): readonly PromptSkillCapability[];
104
148
  /**
105
149
  * Populate the registry from SDK-discovered skills instead of filesystem discovery.
106
150
  * Clears existing metadata, maps SDK Skill fields to Comis SkillMetadata,