daemora 1.0.10 → 1.0.11

package/src/setup/wizard.js

@@ -7,7 +7,7 @@ import { banner, stepHeader, kv, summaryTable, completeBanner, t, S } from "./th
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const ROOT_DIR = join(__dirname, "..", "..");
-const TOTAL_STEPS = 9;
+const TOTAL_STEPS = 11;
 const OLLAMA_EMBED_MODEL = "all-minilm";
 
 /**
@@ -342,6 +342,15 @@ export async function runSetupWizard() {
     envConfig.TWILIO_ACCOUNT_SID    = guard(await p.password({ message: "Twilio Account SID" }));
     envConfig.TWILIO_AUTH_TOKEN     = guard(await p.password({ message: "Twilio Auth Token" }));
     envConfig.TWILIO_WHATSAPP_FROM  = guard(await p.text({ message: "WhatsApp From number", initialValue: "whatsapp:+14155238886" }));
+
+    const enableVoice = guard(await p.confirm({
+      message: "Enable voice calls? (needs a voice-capable Twilio number + public URL)",
+      initialValue: false,
+    }));
+    if (enableVoice) {
+      envConfig.TWILIO_PHONE_FROM       = guard(await p.text({ message: "Twilio voice-capable phone number (e.g. +1234567890)" }));
+      envConfig.VOICE_WEBHOOK_BASE_URL  = guard(await p.text({ message: "Public URL for voice webhooks (e.g. https://abc123.ngrok.io)" }));
+    }
   }
 
   if (channels.includes("discord")) {
@@ -378,22 +387,47 @@ export async function runSetupWizard() {
   }
 
   if (channels.includes("email")) {
-    p.note(
-      [
-        "Gmail setup:",
-        "1. Google Account › Security › 2-Step Verification → enable",
-        "2. Google Account › Security › App Passwords → Mail → create",
-        "3. Use the 16-char app password below (NOT your Gmail password)",
-        "",
-        "For other providers: change IMAP/SMTP hosts below.",
-        "Optional: EMAIL_ALLOWLIST=alice@example.com,bob@example.com",
-      ].join("\n"),
-      "Email Setup"
-    );
-    envConfig.EMAIL_USER      = guard(await p.text({ message: "Email address" }));
-    envConfig.EMAIL_PASSWORD  = guard(await p.password({ message: "App password" }));
-    envConfig.EMAIL_IMAP_HOST = guard(await p.text({ message: "IMAP host", initialValue: "imap.gmail.com" }));
-    envConfig.EMAIL_SMTP_HOST = guard(await p.text({ message: "SMTP host", initialValue: "smtp.gmail.com" }));
+    const emailMethod = guard(await p.select({
+      message: "Email sending method",
+      options: [
+        { value: "resend", label: "Resend (easiest)",       hint: "Just an API key, no SMTP config" },
+        { value: "gmail",  label: "Gmail IMAP/SMTP",        hint: "Full inbox read + send via Gmail app password" },
+        { value: "both",   label: "Both (Resend + Gmail)",  hint: "Resend for sending, Gmail for reading inbox" },
+      ],
+    }));
+
+    if (emailMethod === "resend" || emailMethod === "both") {
+      p.note(
+        [
+          "1. Sign up free at https://resend.com",
+          "2. API Keys → Create API Key",
+          "3. Domains → add your sending domain (or use shared domain for testing)",
+        ].join("\n"),
+        "Resend Setup"
+      );
+      envConfig.RESEND_API_KEY = guard(await p.password({ message: "Resend API key (re_...)" }));
+      envConfig.RESEND_FROM   = guard(await p.text({ message: "From address", placeholder: "you@yourdomain.com" }));
+    }
+
+    if (emailMethod === "gmail" || emailMethod === "both") {
+      p.note(
+        [
+          "Gmail setup:",
+          "1. Google Account › Security › 2-Step Verification → enable",
+          "2. Google Account › Security › App Passwords → Mail → create",
+          "3. Use the 16-char app password below (NOT your Gmail password)",
+          "",
+          "For other providers: change IMAP/SMTP hosts below.",
+        ].join("\n"),
+        "Gmail IMAP/SMTP Setup"
+      );
+      envConfig.EMAIL_USER      = guard(await p.text({ message: "Email address" }));
+      envConfig.EMAIL_PASSWORD  = guard(await p.password({ message: "App password" }));
+      envConfig.EMAIL_IMAP_HOST = guard(await p.text({ message: "IMAP host", initialValue: "imap.gmail.com" }));
+      envConfig.EMAIL_SMTP_HOST = guard(await p.text({ message: "SMTP host", initialValue: "smtp.gmail.com" }));
+    }
+
+    p.log.info("Optional: EMAIL_ALLOWLIST=alice@example.com,bob@example.com");
   }
 
   if (channels.includes("line")) {
@@ -633,8 +667,115 @@ export async function runSetupWizard() {
   })];
   p.log.success(`Channels: ${t.bold(activeChannels.join(", "))}`);
 
-  // ━━━ Step 6: Daemon ━━━
-  stepHeader(6, TOTAL_STEPS, "Daemon Mode");
+  // ━━━ Step 6: Tool API Keys (optional) ━━━
+  stepHeader(6, TOTAL_STEPS, "Tool API Keys");
+
+  p.note(
+    [
+      "Some built-in tools need their own API keys to work.",
+      "You can skip this now and add keys later via: daemora config set <KEY> <value>",
+      "",
+      `  ${S.info}  generateImage / textToSpeech / transcribeAudio → OPENAI_API_KEY`,
+      `  ${S.info}  textToSpeech (premium voices) → ELEVENLABS_API_KEY`,
+      `  ${S.info}  googlePlaces → GOOGLE_PLACES_API_KEY`,
+      `  ${S.info}  calendar (Google) → GOOGLE_CALENDAR_API_KEY`,
+      `  ${S.info}  database → DATABASE_URL / MYSQL_URL`,
+      `  ${S.info}  notification (ntfy) → NTFY_TOPIC + NTFY_TOKEN`,
+      `  ${S.info}  notification (pushover) → PUSHOVER_API_TOKEN + PUSHOVER_USER_KEY`,
+      `  ${S.info}  philipsHue → HUE_BRIDGE_IP + HUE_API_KEY`,
+    ].join("\n"),
+    "Optional Tool Credentials"
+  );
+
+  const toolKeys = guard(await p.multiselect({
+    message: "Configure tool API keys?  (space = toggle, enter = confirm)",
+    required: false,
+    options: [
+      { value: "openai_tools",  label: "OpenAI (images, TTS, transcription)", hint: "OPENAI_API_KEY — skip if already set as main provider" },
+      { value: "elevenlabs",    label: "ElevenLabs TTS",                      hint: "Premium voice synthesis" },
+      { value: "google_places", label: "Google Places",                       hint: "Location search & details" },
+      { value: "google_cal",    label: "Google Calendar",                     hint: "Calendar read/write" },
+      { value: "database",      label: "Database",                            hint: "PostgreSQL / MySQL connection" },
+      { value: "ntfy",          label: "Ntfy notifications",                  hint: "Push notifications via ntfy.sh" },
+      { value: "pushover",      label: "Pushover notifications",              hint: "Push notifications via Pushover" },
+      { value: "hue",           label: "Philips Hue",                         hint: "Smart light control" },
+      { value: "sonos",         label: "Sonos speaker",                       hint: "Music / audio control" },
+      { value: "none",          label: "Skip for now",                        hint: "Add later via daemora config set" },
+    ],
+  }));
+
+  if (toolKeys.includes("openai_tools") && !envConfig.OPENAI_API_KEY) {
+    const key = guard(await p.password({ message: "OpenAI API key (for images, TTS, transcription)" }));
+    if (key) envConfig.OPENAI_API_KEY = key;
+  }
+
+  if (toolKeys.includes("elevenlabs")) {
+    const key = guard(await p.password({ message: "ElevenLabs API key" }));
+    if (key) envConfig.ELEVENLABS_API_KEY = key;
+  }
+
+  if (toolKeys.includes("google_places")) {
+    const key = guard(await p.password({ message: "Google Places API key" }));
+    if (key) envConfig.GOOGLE_PLACES_API_KEY = key;
+  }
+
+  if (toolKeys.includes("google_cal")) {
+    const key = guard(await p.password({ message: "Google Calendar API key" }));
+    if (key) envConfig.GOOGLE_CALENDAR_API_KEY = key;
+    const calId = guard(await p.text({ message: "Calendar ID", initialValue: "primary" }));
+    if (calId) envConfig.GOOGLE_CALENDAR_ID = calId;
+  }
+
+  if (toolKeys.includes("database")) {
+    p.note(
+      "Format: postgresql://user:pass@host:5432/db  or  mysql://user:pass@host:3306/db",
+      "Database URL"
+    );
+    const dbUrl = guard(await p.text({ message: "Database URL (PostgreSQL or MySQL)" }));
+    if (dbUrl) {
+      if (dbUrl.startsWith("mysql")) envConfig.MYSQL_URL = dbUrl;
+      else envConfig.DATABASE_URL = dbUrl;
+    }
+  }
+
+  if (toolKeys.includes("ntfy")) {
+    envConfig.NTFY_URL   = guard(await p.text({ message: "Ntfy server URL", initialValue: "https://ntfy.sh" }));
+    envConfig.NTFY_TOPIC = guard(await p.text({ message: "Ntfy topic name" }));
+    const ntfyToken = guard(await p.password({ message: "Ntfy access token (optional)" }));
+    if (ntfyToken) envConfig.NTFY_TOKEN = ntfyToken;
+  }
+
+  if (toolKeys.includes("pushover")) {
+    envConfig.PUSHOVER_API_TOKEN = guard(await p.password({ message: "Pushover API token" }));
+    envConfig.PUSHOVER_USER_KEY  = guard(await p.password({ message: "Pushover user key" }));
+  }
+
+  if (toolKeys.includes("hue")) {
+    p.note(
+      [
+        "Find bridge IP: check your router or use the Hue app.",
+        "Get API key: press the bridge button, then run:",
+        '  curl -X POST http://<bridge-ip>/api -d \'{"devicetype":"daemora"}\'',
+      ].join("\n"),
+      "Philips Hue Setup"
+    );
+    envConfig.HUE_BRIDGE_IP = guard(await p.text({ message: "Hue Bridge IP" }));
+    envConfig.HUE_API_KEY   = guard(await p.password({ message: "Hue API key" }));
+  }
+
+  if (toolKeys.includes("sonos")) {
+    envConfig.SONOS_SPEAKER_IP = guard(await p.text({ message: "Sonos speaker IP address" }));
+  }
+
+  const toolCount = toolKeys.filter(k => k !== "none").length;
+  if (toolCount > 0) {
+    p.log.success(`${toolCount} tool integration(s) configured`);
+  } else {
+    p.log.info("No tool keys configured. Add later via: daemora config set <KEY> <value>");
+  }
+
+  // ━━━ Step 7: Daemon Mode ━━━
+  stepHeader(7, TOTAL_STEPS, "Daemon Mode");
 
   p.note(
     [
@@ -662,8 +803,8 @@ export async function runSetupWizard() {
 
   p.log.success(`Daemon: ${t.bold(daemonMode ? "Enabled" : "Disabled")}`);
 
-  // ━━━ Step 7: Data Cleanup ━━━
-  stepHeader(7, TOTAL_STEPS, "Data Cleanup");
+  // ━━━ Step 8: Data Cleanup ━━━
+  stepHeader(8, TOTAL_STEPS, "Data Cleanup");
 
   const cleanupDays = guard(await p.select({
     message: "Auto-delete old tasks, logs & sessions after how many days?",
@@ -679,8 +820,8 @@ export async function runSetupWizard() {
 
   p.log.success(`Cleanup: ${t.bold(cleanupDays === "0" ? "Never" : cleanupDays + " days")}`);
 
-  // ━━━ Step 8: MCP Servers ━━━
-  stepHeader(8, TOTAL_STEPS, "MCP Tool Servers");
+  // ━━━ Step 9: MCP Servers ━━━
+  stepHeader(9, TOTAL_STEPS, "MCP Tool Servers");
 
   p.note(
     [
@@ -973,8 +1114,8 @@ export async function runSetupWizard() {
     p.log.info("No MCP servers configured. Use `daemora mcp add` anytime to add one.");
   }
 
-  // ━━━ Step 8: Secret Vault ━━━
-  stepHeader(9, TOTAL_STEPS, "Secret Vault");
+  // ━━━ Step 10: Secret Vault ━━━
+  stepHeader(10, TOTAL_STEPS, "Secret Vault");
 
   p.note(
     [
@@ -1060,6 +1201,52 @@ export async function runSetupWizard() {
     p.log.info("Vault skipped. API keys will be stored in .env (plaintext).");
   }
 
+  // ━━━ Step 10: Multi-Tenant Mode ━━━
+  stepHeader(11, TOTAL_STEPS, "Multi-Tenant Mode");
+
+  let multiTenantMode = "personal";
+
+  p.note(
+    `  ${S.info}  Personal  — single user, global config (default)\n` +
+    `  ${S.info}  Multi-Tenant — per-user isolation, cost limits, model overrides`,
+    "Deployment mode"
+  );
+
+  const mtChoice = guard(await p.select({
+    message: "How will you use Daemora?",
+    options: [
+      { value: "personal",    label: "Personal",     hint: "Single user, no tenant isolation" },
+      { value: "multitenant", label: "Multi-Tenant",  hint: "Multiple users via channels, per-user config" },
+    ],
+  }));
+
+  if (mtChoice === "multitenant") {
+    multiTenantMode = "multitenant";
+    envConfig.MULTI_TENANT_ENABLED = "true";
+
+    const autoReg = guard(await p.confirm({
+      message: "Auto-register tenants on first message?",
+      initialValue: true,
+    }));
+    envConfig.AUTO_REGISTER_TENANTS = autoReg ? "true" : "false";
+
+    const isolateFs = guard(await p.confirm({
+      message: "Isolate each tenant's filesystem? (recommended for shared deployments)",
+      initialValue: true,
+    }));
+    envConfig.TENANT_ISOLATE_FILESYSTEM = isolateFs ? "true" : "false";
+
+    const setKey = guard(await p.confirm({
+      message: "Generate a tenant encryption key? (encrypts per-tenant API keys at rest)",
+      initialValue: true,
+    }));
+    if (setKey) {
+      const { randomBytes: rb } = await import("crypto");
+      envConfig.DAEMORA_TENANT_KEY = rb(16).toString("hex");
+      p.log.success(`${S.check}  DAEMORA_TENANT_KEY generated (32 hex chars)`);
+    }
+  }
+
   // ━━━ Write Config ━━━
   const spin = p.spinner();
   spin.start("Writing configuration");
@@ -1077,8 +1264,12 @@ export async function runSetupWizard() {
     "Filesystem": ["ALLOWED_PATHS", "BLOCKED_PATHS", "RESTRICT_COMMANDS"],
     "Telegram": ["TELEGRAM_BOT_TOKEN"],
     "WhatsApp": ["TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN", "TWILIO_WHATSAPP_FROM"],
-    "Email": ["EMAIL_USER", "EMAIL_PASSWORD", "EMAIL_IMAP_HOST", "EMAIL_SMTP_HOST"],
+    "Email (Resend)": ["RESEND_API_KEY", "RESEND_FROM"],
+    "Email (IMAP/SMTP)": ["EMAIL_USER", "EMAIL_PASSWORD", "EMAIL_IMAP_HOST", "EMAIL_SMTP_HOST"],
+    "Voice Calls": ["TWILIO_PHONE_FROM", "VOICE_WEBHOOK_BASE_URL"],
     "Daemon": ["DAEMON_MODE", "HEARTBEAT_INTERVAL_MINUTES"],
+    "Tool Keys": ["ELEVENLABS_API_KEY", "GOOGLE_PLACES_API_KEY", "GOOGLE_CALENDAR_API_KEY", "GOOGLE_CALENDAR_ID", "DATABASE_URL", "MYSQL_URL", "NTFY_URL", "NTFY_TOPIC", "NTFY_TOKEN", "PUSHOVER_API_TOKEN", "PUSHOVER_USER_KEY", "HUE_BRIDGE_IP", "HUE_API_KEY", "SONOS_SPEAKER_IP"],
+    "Multi-Tenant": ["MULTI_TENANT_ENABLED", "AUTO_REGISTER_TENANTS", "TENANT_ISOLATE_FILESYSTEM", "DAEMORA_TENANT_KEY"],
   };
 
   for (const [category, keys] of Object.entries(categories)) {
@@ -1139,6 +1330,9 @@ export async function runSetupWizard() {
     ["Daemon",      daemonMode ? t.success("Enabled") : t.muted("Disabled")],
     ["MCP Servers", allEnabled.length > 0 ? t.bold(allEnabled.join(", ")) : t.muted("None")],
     ["Vault",       vaultPassphrase ? t.success("Encrypted") : t.warning("Plaintext (.env)")],
+    ["Multi-Tenant", multiTenantMode === "multitenant"
+      ? (envConfig.TENANT_ISOLATE_FILESYSTEM === "true" ? t.success("Enabled (isolated)") : t.accent("Enabled"))
+      : t.muted("Disabled (personal)")],
   ]);
 
   // ━━━ Next Steps ━━━

package/src/tenants/TenantManager.js

@@ -127,6 +127,43 @@ class TenantManager {
    * Update tenant config (partial update - only provided keys are changed).
    */
   set(tenantId, updates) {
+    // Validate path arrays before applying
+    for (const field of ["allowedPaths", "blockedPaths"]) {
+      if (updates[field] !== undefined) {
+        if (!Array.isArray(updates[field])) {
+          throw new Error(`${field} must be an array`);
+        }
+        for (const p of updates[field]) {
+          if (typeof p !== "string") {
+            throw new Error(`${field} must contain strings`);
+          }
+          // Must be absolute — Unix (/...) or Windows (C:\...)
+          const isUnixAbs = p.startsWith("/");
+          const isWinAbs = /^[A-Za-z]:[\\\/]/.test(p);
+          if (!isUnixAbs && !isWinAbs) {
+            throw new Error(`${field} must contain absolute paths (got "${p}")`);
+          }
+          // Block null bytes (path injection)
+          if (p.includes("\0")) {
+            throw new Error(`${field} must not contain null bytes`);
+          }
+          // Block path traversal via /../ or \..\ sequences
+          const normalized = p.replace(/\\/g, "/");
+          if (/(^|\/)\.\.(\/|$)/.test(normalized)) {
+            throw new Error(`${field} must not contain ".." path traversal (got "${p}")`);
+          }
+          // Max length — OS limits are typically 260 (Win) or 4096 (Unix)
+          if (p.length > 4096) {
+            throw new Error(`${field} path too long (max 4096 chars)`);
+          }
+          // Block control characters (0x00-0x1F except nothing — all blocked)
+          if (/[\x00-\x1f]/.test(p)) {
+            throw new Error(`${field} must not contain control characters`);
+          }
+        }
+      }
+    }
+
     const tenants = this._load();
     if (!tenants[tenantId]) {
       tenants[tenantId] = _defaultTenant(tenantId);

package/src/tools/_paths.js

@@ -0,0 +1,39 @@
+/**
+ * Tenant-aware temp/workspace directory helper.
+ *
+ * TENANT_ISOLATE_FILESYSTEM=true + tenant context active
+ *   → data/tenants/{safeId}/workspace/{subdir}
+ * Otherwise
+ *   → os.tmpdir()/{subdir}
+ *
+ * Auto-creates the directory.
+ */
+import { mkdirSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { config } from "../config/default.js";
+import tenantContext from "../tenants/TenantContext.js";
+
+const TENANTS_DIR = join(config.dataDir, "tenants");
+
+/**
+ * @param {string} [subdir] - e.g. "daemora-images", "daemora-tts"
+ * @returns {string} absolute directory path (already created)
+ */
+export function getTenantTmpDir(subdir) {
+  const store = tenantContext.getStore();
+  const tenantId = store?.tenant?.id;
+
+  if (tenantId && config.multiTenant?.isolateFilesystem) {
+    const safeId = tenantId.replace(/[^a-zA-Z0-9_-]/g, "_");
+    const dir = subdir
+      ? join(TENANTS_DIR, safeId, "workspace", subdir)
+      : join(TENANTS_DIR, safeId, "workspace");
+    mkdirSync(dir, { recursive: true });
+    return dir;
+  }
+
+  const dir = subdir ? join(tmpdir(), subdir) : tmpdir();
+  if (subdir) mkdirSync(dir, { recursive: true });
+  return dir;
+}

package/src/tools/applyPatch.js

@@ -5,6 +5,7 @@
  */
 import { readFileSync, writeFileSync } from "node:fs";
 import { existsSync } from "node:fs";
+import filesystemGuard from "../safety/FilesystemGuard.js";
 
 /**
  * Parse a unified diff string into an array of hunks.
@@ -105,6 +106,11 @@ function applyHunk(fileLines, hunk, offset) {
 
 export function applyPatch(filePath, patch) {
   try {
+    const readCheck = filesystemGuard.checkRead(filePath);
+    if (!readCheck.allowed) return `Error: ${readCheck.reason}`;
+    const writeCheck = filesystemGuard.checkWrite(filePath);
+    if (!writeCheck.allowed) return `Error: ${writeCheck.reason}`;
+
     if (!existsSync(filePath)) {
       return `Error: File not found: ${filePath}`;
     }

package/src/tools/browserAutomation.js

@@ -13,9 +13,11 @@
  * - Localhost allowed, private ranges blocked
  */
 
-import { join } from "path";
+import { join, basename } from "path";
 import { mkdirSync, existsSync } from "fs";
 import { config } from "../config/default.js";
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
 
 let browser = null;
 let browserContext = null;
@@ -419,7 +421,7 @@ export async function browserAction(action, param1, param2) {
       case "screenshot": {
         const p = await ensureBrowser();
         const opts = { fullPage: false };
-        let path = `/tmp/screenshot-${Date.now()}.png`;
+        let path = join(getTenantTmpDir("daemora-browser"), `screenshot-${Date.now()}.png`);
 
         if (param1 && param1.startsWith("/")) {
           path = param1;
@@ -428,6 +430,8 @@ export async function browserAction(action, param1, param2) {
           try {
             const locator = await getLocator(p, param1);
             path = param2 || path;
+            const sc = filesystemGuard.checkWrite(path);
+            if (!sc.allowed) return `Error: ${sc.reason}`;
             await locator.screenshot({ path });
             return `Element screenshot saved: ${path}`;
           } catch {
@@ -435,13 +439,17 @@ export async function browserAction(action, param1, param2) {
             path = param1;
           }
         }
+        const sc2 = filesystemGuard.checkWrite(path);
+        if (!sc2.allowed) return `Error: ${sc2.reason}`;
         if (param2 === "full") opts.fullPage = true;
         await p.screenshot({ path, ...opts });
         return `Screenshot saved: ${path}`;
       }
 
       case "pdf": {
-        const path = param1 || `/tmp/page-${Date.now()}.pdf`;
+        const path = param1 || join(getTenantTmpDir("daemora-browser"), `page-${Date.now()}.pdf`);
+        const pc = filesystemGuard.checkWrite(path);
+        if (!pc.allowed) return `Error: ${pc.reason}`;
         await currentPage().pdf({ path, format: "A4", printBackground: true });
         return `PDF saved: ${path}`;
       }
@@ -638,9 +646,13 @@ export async function browserAction(action, param1, param2) {
           page.waitForEvent("download", { timeout: 30000 }),
           (await getLocator(page, param1)).click(),
         ]);
-        const path = join(downloadDir, download.suggestedFilename());
-        await download.saveAs(path);
-        return `Downloaded: ${path} (${download.suggestedFilename()})`;
+        // Sanitize filename — strip path traversal, use only basename
+        const safeName = basename(download.suggestedFilename()).replace(/[^a-zA-Z0-9._-]/g, "_") || "download";
+        const dlPath = join(downloadDir, safeName);
+        const dc = filesystemGuard.checkWrite(dlPath);
+        if (!dc.allowed) return `Error: ${dc.reason}`;
+        await download.saveAs(dlPath);
+        return `Downloaded: ${dlPath} (${safeName})`;
       }
 
       // ── Viewport ────────────────────────────────────────────────────────

package/src/tools/createDocument.js

@@ -1,5 +1,6 @@
 import { writeFileSync, mkdirSync, readFileSync } from "fs";
 import { dirname } from "path";
+import filesystemGuard from "../safety/FilesystemGuard.js";
 
 /**
  * Create Document - creates Markdown, text, PDF, or DOCX documents.
@@ -15,6 +16,9 @@ export async function createDocument(filePath, content, format) {
     return "Error: filePath and content are required.";
   }
 
+  const writeCheck = filesystemGuard.checkWrite(filePath);
+  if (!writeCheck.allowed) return `Error: ${writeCheck.reason}`;
+
   try {
     mkdirSync(dirname(filePath), { recursive: true });
 

package/src/tools/executeCommand.js

@@ -56,7 +56,10 @@ export async function executeCommand(cmd, optionsJson) {
   // ──────────────────────────────────────────────────────────────────────────
 
   // ── Filesystem scope enforcement ───────────────────────────────────────────
-  const allowedPaths = config.filesystem?.allowedPaths || [];
+  // Prefer per-tenant resolved config (set by TaskRunner), fall back to global
+  const store = tenantContext.getStore();
+  const resolvedConfig = store?.resolvedConfig;
+  const allowedPaths = resolvedConfig?.allowedPaths || config.filesystem?.allowedPaths || [];
   if (allowedPaths.length > 0) {
     // Always check that the cwd is inside an allowed directory
     const cwdGuard = filesystemGuard.checkRead(cwd);
@@ -93,7 +96,6 @@ export async function executeCommand(cmd, optionsJson) {
 
   // ── Docker sandbox mode — route through container ──
   if (config.sandbox?.mode === "docker" && dockerSandbox.isAvailable() && !background) {
-    const store = tenantContext.getStore();
     const scope = config.sandbox.docker?.scope === "shared" ? "shared" : (store?.sessionId || "shared");
     return dockerSandbox.exec(scope, cmd, { timeout, cwd });
   }

package/src/tools/generateImage.js

@@ -4,8 +4,9 @@
  */
 import { writeFileSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
-import { tmpdir } from "node:os";
 import tenantContext from "../tenants/TenantContext.js";
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
 
 export async function generateImage(prompt, optionsJson) {
   if (!prompt) return "Error: prompt is required.";
@@ -48,13 +49,16 @@ export async function generateImage(prompt, optionsJson) {
     if (images.length === 0) return "Error: No images returned.";
 
     const saved = [];
-    const dir = join(tmpdir(), "daemora-images");
-    mkdirSync(dir, { recursive: true });
+    const dir = getTenantTmpDir("daemora-images");
 
     for (let i = 0; i < images.length; i++) {
       const b64 = images[i].b64_json;
       const revised = images[i].revised_prompt || prompt;
       const filePath = outputPath || join(dir, `image-${Date.now()}-${i}.png`);
+      if (outputPath) {
+        const wc = filesystemGuard.checkWrite(outputPath);
+        if (!wc.allowed) return `Error: ${wc.reason}`;
+      }
       writeFileSync(filePath, Buffer.from(b64, "base64"));
       saved.push({ path: filePath, revisedPrompt: revised });
     }

package/src/tools/replyWithFile.js

@@ -11,6 +11,7 @@
 import tenantContext from "../tenants/TenantContext.js";
 import channelRegistry from "../channels/index.js";
 import { existsSync, statSync } from "node:fs";
+import filesystemGuard from "../safety/FilesystemGuard.js";
 
 const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
 
@@ -18,6 +19,9 @@ export async function replyWithFile(filePath, caption) {
   try {
     if (!filePath) return "Error: filePath is required.";
 
+    const readCheck = filesystemGuard.checkRead(filePath);
+    if (!readCheck.allowed) return `Error: ${readCheck.reason}`;
+
     if (!existsSync(filePath)) {
       return `Error: File not found: ${filePath}`;
     }

package/src/tools/screenCapture.js

@@ -15,15 +15,20 @@ import { execSync } from "node:child_process";
 import { existsSync, mkdirSync, statSync } from "node:fs";
 import { platform } from "node:os";
 import { join } from "node:path";
+import filesystemGuard from "../safety/FilesystemGuard.js";
+import { getTenantTmpDir } from "./_paths.js";
 
 export function screenCapture(optionsJson) {
   try {
     const opts = optionsJson ? JSON.parse(optionsJson) : {};
-    const outputDir = opts.outputDir || "/tmp";
+    const outputDir = opts.outputDir || getTenantTmpDir("daemora-captures");
     const region    = opts.region;                   // { x, y, width, height } - screenshot only
     const mode      = (opts.mode || "screenshot").toLowerCase();
     const duration  = parseInt(opts.duration || "10", 10); // seconds - video only
 
+    const wc = filesystemGuard.checkWrite(outputDir);
+    if (!wc.allowed) return `Error: ${wc.reason}`;
+
     if (!existsSync(outputDir)) {
       mkdirSync(outputDir, { recursive: true });
     }

package/src/tools/sendFile.js

@@ -15,6 +15,7 @@
  */
 import channelRegistry from "../channels/index.js";
 import { existsSync, statSync } from "node:fs";
+import filesystemGuard from "../safety/FilesystemGuard.js";
 
 const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB - most platforms limit around this
 
@@ -24,6 +25,9 @@ export async function sendFile(channel, target, filePath, caption) {
     if (!target)  return "Error: target is required (chat ID, user ID, phone, or email)";
     if (!filePath) return "Error: filePath is required";
 
+    const readCheck = filesystemGuard.checkRead(filePath);
+    if (!readCheck.allowed) return `Error: ${readCheck.reason}`;
+
     if (!existsSync(filePath)) {
       return `Error: File not found: ${filePath}`;
     }

package/src/tools/sshTool.js

@@ -7,8 +7,8 @@
 import { execFileSync } from "node:child_process";
 import { writeFileSync, unlinkSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
-import { tmpdir } from "node:os";
 import { randomBytes } from "node:crypto";
+import { getTenantTmpDir } from "./_paths.js";
 
 export async function sshTool(action, paramsJson) {
   if (!action) return "Error: action required. Valid: exec, upload, download, tunnel";
@@ -97,7 +97,7 @@ export async function sshTool(action, paramsJson) {
 
   if (action === "keygen") {
     // Generate a new SSH key pair for the agent's use
-    const keyDir = join(tmpdir(), `daemora-ssh-${randomBytes(4).toString("hex")}`);
+    const keyDir = join(getTenantTmpDir("daemora-ssh"), `keygen-${randomBytes(4).toString("hex")}`);
     mkdirSync(keyDir, { recursive: true });
     const keyFile = join(keyDir, "id_ed25519");
     try {